Gramm-Leach-Bliley Act (GLBA) Compliance Risk Assessment Templates for Banking and Financial Institutions

Administrative Safeguards
1) Do you check references prior to hiring employees who will have access to customer information?
2) Do you ask every new employee to sign an agreement to follow your organization's confidentiality and security standards for handling customer information?
3) Do you train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:
a. locking rooms and file cabinets where paper records are kept;
b. using password-activated screensavers;
c. using strong passwords (at least eight characters long);
d. changing passwords periodically, and not posting passwords near employees' computers;
e. encrypting sensitive or confidential customer information when it is transmitted electronically over networks or stored online;
f. referring calls or other requests for customer information to designated individuals who have had safeguards training; and
g. recognizing any fraudulent attempt to obtain customer information and reporting it to appropriate law enforcement agencies.
4) Do you instruct and regularly remind all employees of your organization's policy - and the legal requirement - to keep customer information secure and confidential? This includes providing employees with a detailed description of the kinds of customer information you handle (name, address, account number, and any other relevant information) and posting reminders about their responsibility for security in areas where such information is stored - in file rooms, for example.
5) Do you limit access to customer information to employees who have a business reason for seeing it? For example, grant access to customer information files to employees who respond to customer inquiries, but only to the extent they need it to do their job.
6) Do you impose disciplinary measures for any breaches?
7) Do you use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information? For example, supplement each of your customer lists with at least one entry (such as an account number or address) that you control, and monitor use of this entry to detect all unauthorized contacts or charges.
8) Do you maintain systems and procedures to ensure that access to nonpublic consumer information is granted only to legitimate and valid users? For example, use tools like passwords combined with personal identifiers to authenticate the identity of customers and others seeking to do business with the financial institution electronically.
9) Do you notify customers promptly if their nonpublic personal information is subject to loss, damage or unauthorized access?
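Item 7 above describes a detection control rather than a policy: seed each customer list with at least one record the institution controls, then watch for any use of that record that does not come from an approved process. The following Python script is an added example, not part of the checklist or any template on this page, of what that monitoring can look like in practice. The log format, the canary account numbers, the user and process names and every log line are constructed for illustration.

```python
"""Canary-record monitor for customer-list access logs.

Added example illustrating Administrative Safeguards item 7 (oversight via
a controlled entry in each customer list). Every identifier below is a
constructed assumption: the log line format, the canary account numbers,
the approved process names and the sample log itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed canary records: one controlled entry per customer list.
CANARY_ACCOUNTS: Dict[str, str] = {
    "7000-0001-9931": "retail-deposits-list",
    "7000-0002-4410": "mortgage-marketing-list",
}

# Processes that legitimately touch every record, canaries included
# (for example a nightly backup). Any other process reading or exporting
# a canary record is treated as a possible improper disclosure.
APPROVED_PROCESSES = {"nightly-backup", "statement-batch"}

# Assumed log format: "<timestamp> user=<id> proc=<name> action=<verb> acct=<number>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"action=(?P<action>\S+) acct=(?P<acct>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    proc: str
    action: str
    acct: str
    customer_list: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines: List[str]) -> List[Alert]:
    """Return one Alert for every access to a canary record by a non-approved process."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real deployment would count these separately
        customer_list = CANARY_ACCOUNTS.get(rec["acct"])
        if customer_list is None:
            continue  # ordinary customer record, not a canary
        if rec["proc"] in APPROVED_PROCESSES:
            continue  # expected bulk access, e.g. backup or statement run
        alerts.append(Alert(rec["ts"], rec["user"], rec["proc"],
                            rec["action"], rec["acct"], customer_list))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per user so repeated touches by one account stand out."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


# Constructed sample log: two approved bulk reads, one ordinary customer
# record, two suspicious canary touches and one malformed line.
SAMPLE_LOG = [
    "2024-03-01T02:00:11Z user=svc-backup proc=nightly-backup action=read acct=7000-0001-9931",
    "2024-03-01T09:14:02Z user=jdoe proc=crm-ui action=read acct=4421-0093-1182",
    "2024-03-01T09:15:47Z user=jdoe proc=crm-ui action=export acct=7000-0001-9931",
    "2024-03-01T11:30:00Z user=svc-stmt proc=statement-batch action=read acct=7000-0002-4410",
    "2024-03-01T13:02:19Z user=mlee proc=export-tool action=export acct=7000-0002-4410",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.user} via {a.proc} performed {a.action} on canary "
              f"{a.acct} ({a.customer_list})")
    print("per-user counts:", summarize(found))
```

The value of the canary is that it has no legitimate business use, so the list of approved processes stays short and every other touch is worth a review. The same approach applies to outbound contact records: if the canary's address or phone number receives marketing contact or charges, the list it was seeded in has leaked.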

Technical Safeguards
1) Do you provide for secure data transmission (with clear instructions and simple security tools) when you collect or transmit customer information? Specifically:
a. if you collect credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection so that the information is encrypted in transit;
b. if you collect information directly from consumers, make secure transmission automatic. Caution consumers against transmitting sensitive or confidential data, like account numbers, via electronic mail; and
c. if you must transmit sensitive or confidential data by electronic mail, ensure that such messages are password protected so that only authorized employees have access.
2) Do you take steps to preserve the security, confidentiality and integrity of customer information in the event of a computer or other technological failure? For example, back up all customer data regularly.
3) Do you maintain up-to-date and appropriate programs and controls by:
a. following a written contingency plan to address any breaches of your physical, administrative or technical safeguards;
b. checking with software vendors regularly to obtain and install patches that resolve software vulnerabilities;
c. using anti-virus software that updates automatically;
d. maintaining up-to-date firewalls, particularly if you use broadband Internet access or allow employees to connect to your network from home or other off-site locations; and
e. providing central management of security tools for your employees and passing along updates about any security risks or breaches.

Physical and Other Safeguards
1) Do you store records in a secure area and make sure only authorized employees have access to the area? For example:
a. store paper records in a room, cabinet, or other container that is locked when unattended;
b. ensure that storage areas are protected against destruction or potential damage from physical hazards, like fire or floods;
c. store electronic customer information on a secure server that is accessible only with a password - or has other security protections - and is kept in a physically secure area;
d. don't store sensitive or confidential customer data on a machine with an Internet connection; and
e. maintain secure backup media and keep archived data secure, for example, by storing it off-line or in a physically secure area.
2) Do you dispose of customer information in a secure manner? For example:
a. hire or designate a records retention manager to supervise the disposal of records containing nonpublic personal information;
b. shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up;
c. erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contain customer information;
d. promptly dispose of outdated customer information.
3) Do you maintain a close inventory of your computers?

Attachments:
  • glba-compliance-risk-assessment.jpg (57.27 KB)
  • glba-compliance-risk-assessment.xls (19.5 KB)
