FFIEC Compliance

Companies in the Financial Services industry have to comply with a number of regulations, such as GLBA or the California Security Breach Information Act (SB 1386), to ensure that they provide increased protection for customer information. As a result, there has been a significant increase in demand for products that improve customer privacy and data reliability, integrity, and security.


The Relationship between FFIEC and GLBA

The Gramm-Leach-Bliley Act (GLBA) requires financial services institutions to develop precautions to ensure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer. Since GLBA is not prescriptive, companies use the Federal Financial Institutions Examination Council (FFIEC) guidelines as a framework for complying with the information security requirements of GLBA. The guidelines also afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security.

[Figure: Agiliance IT GRC 5-step process]

Agiliance addresses GLBA Compliance using FFIEC standards

The Agiliance IT-GRC Platform was specifically developed to address security compliance issues in the Financial Services industry. Key capabilities include:

  • Maintain a repository of all assets (hardware, software, physical IT infrastructure, IT processes) that contain relevant data. Asset information can either be imported from external systems or populated through asset discovery technology. The system supports a comprehensive asset data model to document relationships between assets, organizations, processes and people.
  • Enable the organization to evaluate how critical an asset is to maintaining the integrity and confidentiality of relevant information, and then assess its overall risk.
  • Maintain a library of controls based on FFIEC guidance.
  • Provide an infrastructure for assessing compliance with controls:
    • Automate the process of distributing and collecting periodic surveys and self-assessments to evaluate compliance.
    • Integrate with monitoring tools, comparing asset configuration against controls and policies to identify non-compliance on a continuous basis.
  • Report on asset compliance scores, both for status purposes and as evidence of compliance for internal and external auditors.
  • Compute an asset’s composite risk score based on multiple criteria, including the business impact of its impairment, its compliance with policies (including security policies), and its vulnerability based on external feeds. The risk score allows users to prioritize which non-compliant assets need to be remediated first.
  • Trigger the remediation process.