Financial Services – Gramm Leach Bliley Act

Gramm Leach Bliley Act security compliance standards require that all appropriate cyber, physical and operational protection measures be taken. The following are quotations from the Federal Financial Institutions Examination Council’s IT Examination Handbook as of July 2015:

Cybersecurity Controls

“The institution should have a documented testing and evaluation plan that addresses the integration of security controls, level of assurance desired, and strategies and activities performed in obtaining that assurance.”

Physical Access Control

“Management should deploy adequate physical security in a layered or zoned approach at every IT operations center commensurate with the value, confidentiality, and criticality of the data stored or accessible and the identified risks…An institution should implement policies and procedures to prevent the removal of sensitive electronic information and data. These policies should address the use of laptop computers, personal digital assistants, and portable electronic storage devices.”

Environmental Monitoring and Control

“Every operations center should have adequate heating, ventilation, and air conditioning (HVAC) systems in order for personnel and equipment to function properly. Older computer equipment produces a significant amount of heat, requiring cooling capacity exceeding that of a standard office building. Some newer models do not produce as much heat and thus do not require as much air conditioning. Organizations should plan their HVAC systems with the requirements of their computer systems in mind. Back-up sources of electricity should be able to sustain HVAC systems, because inadequate cooling could render computer equipment inoperable in a short period of time.”

Backup Power Monitoring and Control

“Computing equipment should have a continuous uninterrupted power source. Management should take reasonable action to protect computing equipment power sources. Consequently management should monitor and condition the voltage of electricity sources to prevent power fluctuations…Management should configure the UPS to provide sufficient electricity within milliseconds to power equipment until there is an orderly shutdown…Power surges can also damage computer equipment. Consequently management should monitor and condition or stabilize the voltage of electricity sources to prevent power fluctuations.”
