5.3.2.5 GLBA
The Gramm-Leach-Bliley Act (GLBA) was enacted in 1999. The primary aim of the act was the modernization of financial services. The GLBA ended the reign of prohibitive and restrictive regulations in the financial services industry: regulations prior to the GLBA prevented mergers between banks, stock brokerage companies, and insurance companies. The GLBA consists of several rules, which are imposed on the financial services industry and apply to organizations such as banks, insurance companies, stock brokerage companies, and investment banking companies.
The Privacy Rule of the GLBA focuses on the privacy of customer information maintained by financial institutions. It applies to financial institutions that collect nonpublic personal information (NPI) from their customers. NPI is roughly equivalent to personally identifiable information as that term is used under HIPAA. These data usually consist of the name, Social Security number, address, income, and the financial products the individual has opted for. Financial institutions have to make several statements to their customers assuring the privacy of the NPI they collect. Financial institutions also have an obligation to protect the NPI collected from their customers, which is where the Safeguards Rule of the GLBA comes into play.
The Safeguards Rule of the GLBA has been laid out to ensure that financial institutions protect their customer data from unauthorized disclosure. The Safeguards Rule requires the financial institution to lay out an information security program. The rule stresses the need for assessing risks to customer information and evaluating the organization's current safeguards against those risks. The GLBA also indicates the need to periodically evaluate the implemented controls for effectiveness. Service providers to financial institutions also need to adhere to information security practices commensurate with the risk of loss of customer data.
Although the GLBA does not prescribe a mandatory set of security controls the way the PCI Standards do, it urges covered organizations to consider implementing security practices for authentication and authorization, physical security, employee security practices, application security and Web security, and network security, among others, to ensure the protection of sensitive customer data and NPI.
Web applications have become ubiquitous in the financial services industry, which has adopted them like no other industry. Web applications for the financial services industry heavily involve the exchange of NPI, which necessitates the implementation of security functionality in these Web applications.
5.4 Threat Analysis
5.4.1 Understanding and Categorizing Security Vulnerabilities
We have already explored the concepts of threat and vulnerability in Chapter 2. A threat is anything that is able to identify and exploit a particular vulnerability and cause a breach of confidentiality, integrity, and/or availability. Threat analysis is one of the important processes of the risk assessment phase and will be explored in detail in the later part of this chapter. But before we explore the various subprocesses that are to be carried out as part of threat analysis, it is prudent that we delve into the concept of vulnerabilities and take a look at some common Web application vulnerabilities. This aids greatly in our understanding of Web application vulnerabilities and allows us to formulate risk mitigation strategies for them.