GLBA Policy References:
GLBA Policies
The section provides templates for an Information Security Program Charter and supporting policies that define the specific objectives required to create, implement, and maintain an Information Security Program that complies with GLBA (Interagency Guidelines). Also, additional best practices policies are provided for financial organizations that wish to exceed GLBA requirements and establish a more comprehensive Policy Framework.
- 1. Sample GLBA Information Security Program Charter
- The Information Security Program Charter is required to comply with GLBA (Interagency Guidelines II.A and II.B), and serves as the capstone document for the Information Security Program that empowers the Program to manage Information Security-related business risks.
- 2. Sample GLBA Asset Identification and Classification Policy
- The Asset Identification and Classification Policy is not explicitly required by GLBA but is needed to support GLBA-specific protection objectives (Interagency Guidelines II.A and II.B) that require sensitive information such as customer data to be identified and classified as Confidential. More specifically, this policy builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to properly classify and label sensitive information assets such as customer information.
- 3. Sample GLBA Asset Protection Policy
- The Asset Protection Policy is required to comply with GLBA (Interagency Guidelines II.A, II.B, and III.C.1a-h) and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure the security and confidentiality of customer information, as well as protect against threats or unauthorized access to such information.
- 4. Sample GLBA Threat Assessment and Monitoring Policy
- The Threat Assessment and Monitoring Policy is required to comply with GLBA (Interagency Guidelines III.B.1-2 and III.C.1f-g), and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure periodic threat assessment and ongoing threat monitoring activities are performed.
- 5. Sample GLBA Security Awareness Policy
- The Security Awareness Policy is required to comply with GLBA (Interagency Guideline III.C.2), and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure that a formal Security Awareness Program is established, as well ensure that Information Security objectives (that is, Program Charter and policies) and requirements (standards) are properly communicated and understood throughout the organization.
- 6. Sample GLBA Vulnerability Assessment and Management Policy
- The Vulnerability Assessment and Management Policy is required to comply with GLBA (Interagency Guideline III.E), and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure vulnerabilty assessment activities are performed and vulnerabilities mitigation efforts are properly managed.
- 7. Additional Best Practices Policies
- This section provides links to additional best practices policies for financial organizations that wish to exceed GLBA requirements (Interagency Guidelines) and establish a more comprehensive Policy Framework.