GLBA: Raising Email Security Awareness

Written by CipherTrust

Corporations are underrepparttar gun to protect financial information and consumers are watching!

Just a few weeks ago, one ofrepparttar 135969 world’s largest banks announced that it had lost computer data containingrepparttar 135970 personal information of an estimated 1.2 million federal employees, including some members ofrepparttar 135971 U.S. Senate. The missing information includes Social Security numbers and account data for government employees who userepparttar 135972 bank’s charge cards for travel and expenses. Inrepparttar 135973 aftermath of these revelations,repparttar 135974 ability of banks and other financial institutions to safeguard our personal information has been called into question by consumers and government alike. Predictably, we are beginning to hearrepparttar 135975 rumblings of additional legislation, but there have been laws protecting consumer financial information onrepparttar 135976 books for years – laws such asrepparttar 135977 Gramm-Leach-Bliley Act (GLBA).

The effect of this legislation and consumer awareness hits squarely onrepparttar 135978 issue of email security. Customers receive their bank statements via email; bank officers pass countless sensitive email messages back and forth to one another; financial spreadsheets are included in email communication on a regular basis. This reliance on email is bringing information privacy and security intorepparttar 135979 spotlight.

With international attention now focused on privacy and information security, executives are scrambling to ensure that their enterprises are not only compliant withrepparttar 135980 law, but that they also convey a sense of security to consumers who ultimately vote with their pocketbooks. As an email security company, our interest is in understanding how these issues affect an organization’s email system.

The Gramm-Leach-Bliley Act was signed by former President Clinton in 1999 and made fully effective on July 1, 2001. GLBA requires financial institutions (including banks, brokerage firms, insurance companies and tax preparation firms), as well as all of their business partners and contractors, to protectrepparttar 135981 private financial information that passes through their enterprises.

GLBA Requirements GLBA requires financial institutions and their partners to make various information security best practices part of everyday operations. This includes:

  • Ensuring that email messages containing confidential information are kept secure when transmitted over an unprotected link
  • Ensuring that email systems and users are properly authenticated so that confidential information does not get intorepparttar 135982 wrong hands
  • Protecting email servers and network drives where confidential information may be stored
Even without government regulations defining acceptable communication behavior, financial institutions are faced withrepparttar 135983 need to protect confidential data and keep their networks operational and secure. The consequences of a failure to perform in any of these areas could have devastating effects onrepparttar 135984 business itself – potentially causing existing and potential customers to lose faith inrepparttar 135985 company’s ability to protect their identities and financial information. If that doesn’t strike fear into your heart, GLBA provides for imprisonment of company officers and steep monetary fines for non-compliance.

Components of GLBA Compliance There are five general sections ofrepparttar 135986 “safeguards” rule contained in GLBA. They outline, at a very high level, what to implement to meet these requirements – not how to implement them. In fact, nowhere doesrepparttar 135987 safeguards rule mention specific technologies or products such as firewalls, encryption, and content filtering that must be in place in order to contribute to compliance. However,repparttar 135988 use of each of these technologies is necessary in order to properly securerepparttar 135989 email gateway against compliance violations. Onrepparttar 135990 same note, experience and time have shown that technology alone is not an information security catch-all.

Sarbanes-Oxley: A Cross-Industry Email Compliance Challenge

Written by CipherTrust

Is your enterprise followingrepparttar rules?

The bulk of financial information in many companies is created, stored and transmitted electronically, maintained by IT and controlled via information integrity procedures and practices. For these reasons, compliance with federal requirements such asrepparttar 135968 Sarbanes-Oxley Act (SOX) is heavily dependent on IT. Companies that must comply with SOX are U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. Ultimately accountable for SOX compliance arerepparttar 135969 corporate CEO and CFO, who will depend on company finance operations and IT to provide critical support when they comply withrepparttar 135970 SOX requirement to report onrepparttar 135971 effectiveness of internal control over financial reporting.

Sound practices include corporate-wide information security policies and enforced implementation of those policies for employees at all levels. Information security policies should govern network security, access controls, authentication, encryption, logging, monitoring and alerting, pre-planned coordinated incident response, and forensics. These components enable information integrity and data retention, while enabling IT audits and business continuity.

Complying with Sarbanes-Oxley The changes required to ensure SOX compliance reach across nearly all areas of a corporation. In fact, Gartner Research went so far as to callrepparttar 135972 Act “the most sweeping legislation to affect publicly traded companies sincerepparttar 135973 reforms duringrepparttar 135974 Great Depression.” Sincerepparttar 135975 bulk of information in most companies is created, stored, transmitted and maintained electronically, one could logically conclude that IT shoulders a lion’s share ofrepparttar 135976 responsibility for SOX compliance. Enterprise IT departments are responsible for ensuring that sound practices, including corporate-wide information security policies and enforced implementation of those policies, are in place for employees at all levels. Information security policies should govern:

  • Network security
  • Access controls
  • Authentication
  • Encryption
  • Logging
  • Monitoring and alerting
  • Pre-planning coordinated incident response
  • Forensics

These components enable information integrity and data retention, while enabling IT audits and business continuity.

In order to comply with Sarbanes-Oxley, companies must be able to show conclusively that:

  • They have reviewed quarterly and annual financial reports;
  • The information is complete and accurate;
  • Effective disclosure controls and procedures are in place and maintained to ensure that material information aboutrepparttar 135977 company is made known to them.

Sarbanes-Oxley Section 404 Section 404 regulates enforcement of internal controls, requiring management to show that it has established an effective internal control structure and procedures for accurate and complete financial reporting. In addition,repparttar 135978 company must produce documented evidence of an annual assessment ofrepparttar 135979 internal control structure’s effectiveness, validated by a registered public accounting firm. By instituting effective email controls, organizations are not only ensuring compliance with Sarbanes-Oxley Section 404; they are also taking a giant step inrepparttar 135980 right direction with regards to overall email security.

Effective Email Controls Email has evolved into a business-critical application unlike any other. Unfortunately, it is also one ofrepparttar 135981 most exposed areas of a technology infrastructure. Enterprises must install a solution that actively enforces policy, stops offending mail both inbound and outbound and halts threats before internal controls are compromised, as opposed to passively noting violations as they occur.

Cont'd on page 2 ==> © 2005
Terms of Use