GLBA: Raising Email Security Awareness by CipherTrust
Corporations are under the gun to protect financial information and consumers are
watching!
Just a few weeks ago, one of the world's largest banks announced that it had
lost computer data containing the personal information of an estimated 1.2
million federal employees, including some members of the U.S. Senate. The
missing information includes Social Security numbers and account data for
government employees who use the bank's charge cards for travel and expenses.
In the aftermath of these revelations, the ability of banks and other financial
institutions to safeguard our personal information has been called into
question by consumers and government alike. Predictably, we are beginning to
hear the rumblings of additional legislation, but there have been laws
protecting consumer financial information on the books for years - laws such as
the Gramm-Leach-Bliley Act (GLBA).
The effect of this legislation and consumer awareness hits squarely on the
issue of email security. Customers receive their bank statements via email;
bank officers pass countless sensitive email messages back and forth to one
another; financial spreadsheets are included in email communication on a
regular basis. This reliance on email is bringing information privacy and
security into the spotlight.
With international attention now focused on privacy and information security,
executives are scrambling to ensure that their enterprises are not only
compliant with the law, but that they also convey a sense of security to
consumers who ultimately vote with their pocketbooks. As an email security
company, our interest is in understanding how these issues affect an
organization's email system.
The Gramm-Leach-Bliley Act was signed by former President Clinton in 1999 and
made fully effective on July 1, 2001. GLBA requires financial institutions
(including banks, brokerage firms, insurance companies and tax preparation
firms), as well as all of their business partners and contractors, to protect
the private financial information that passes through their enterprises.
GLBA Requirements GLBA requires financial institutions and their partners to
make various information security best practices part of everyday operations.
This includes:
-
Ensuring that email messages containing confidential information are kept
secure when transmitted over an unprotected link
-
Ensuring that email systems and users are properly authenticated so that
confidential information does not get into the wrong hands
-
Protecting email servers and network drives where confidential information may
be stored
Even without government regulations defining acceptable communication behavior,
financial institutions are faced with the need to protect confidential data and
keep their networks operational and secure. The consequences of a failure to
perform in any of these areas could have devastating effects on the business
itself - potentially causing existing and potential customers to lose faith in
the company's ability to protect their identities and financial information. If
that doesn't strike fear into your heart, GLBA provides for imprisonment of
company officers and steep monetary fines for non-compliance.
Components of GLBA Compliance There are five general sections of the
"safeguards" rule contained in GLBA. They outline, at a very high level, what
to implement to meet these requirements - not how to implement them. In fact,
nowhere does the safeguards rule mention specific technologies or products such
as firewalls, encryption, and content filtering that must be in place in order
to contribute to compliance. However, the use of each of these technologies is
necessary in order to properly secure the email gateway against compliance
violations. On the same note, experience and time have shown that technology
alone is not an information security catch-all.
An effective information security program also needs specific policies and
procedures in place to assist with managing information risks on an ongoing
basis. Once these policies and procedures have been defined, the technology
should provide automated implementation, enablement and enforcement of them.
Obviously, no single email security component can be used to secure all
information; a solid information security infrastructure must consist of a
combination of several technologies:
-
Firewalls and intrusion prevention systems accept or deny traffic into and out
of networks.
-
Encryption ensures data integrity and confidentiality during transport across
the Internet.
-
Content filtering monitors the conversations traveling into and out of the
network, scanning for terms that could indicate a violation of regulatory or
corporate policy.
-
Attachment filtering provides inspection of files sent within email messages to
ensure that no confidential data is transmitted without proper safeguards in
place.
The need to establish centralized policy-based governance over the
transmission, encryption, and archival of sensitive information requires a
secure gateway-based solution. The solution should be capable of interfacing
with all of an organization's business partners regardless of the partner's
technological capabilities, and it should be transparent to the user in order
to maximize the efficiency and utility of email and encourage adoption of
acceptable means of corporate communication.
IronMail: The Compliance Appliance The award-winning IronMail email security
appliance from CipherTrust is widely recognized as the benchmark by which all
others are measured. IronMail's Compliance Control allows organizations to set
customize policies to easily and automatically manage non-compliant messages as
soon as they are detected. Because Compliance Control is policy-driven, most
functions are automated, with exceptions handled directly by a decision-maker
such as the compliance officer, rather than by an intermediary such as a
network administrator interpreting rules made by another party. In addition,
powerful reporting and monitoring tools give executives and administrators
access to real-time information pertaining to non-compliant email messages.
To learn more about IronMail's Compliance Control and how it can help your
organization comply with the stringent GLBA legislation, download CipherTrust's
free whitepaper,
"IronMail Compliance Control: Contributing to Corporate Regulatory Compliance".
About the Author
CipherTrust is the leader in anti-spam and email security. Learn more by
downloading our free whitepaper, "IronMail
Compliance Control: Contributing to Corporate Regulatory Compliance" or
by visiting www.ciphertrust.com.
|
