Did you know that the new GLBA Safeguards Rule that takes effect in December 2022 includes new requirements for technical security assessments? If you’re a financial institution that must comply with GLBA, then this article is for you. We’re going to review what those technical security assessments are, what they mean for you, and how to best implement them into your security program.
Related Article: “What IT Managers Need To Know About GLBA Before December 2022”
What is Gramm-Leach-Bliley Act (GLBA)?
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. You can read the Act and specifically the Safeguards Rule in all its glory here: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314?toc=1. The website even has a neat way to show the differences between the old version and the new version. You can check that out here: https://www.ecfr.gov/compare/current/to/2021-12-31/title-16/chapter-I/subchapter-C/part-314/section-314.4
GLBA Safeguards Rule Amendments
On January 10th, 2022 the Federal Trade Commission (FTC) issued a final rule to amend the Standards for Safeguarding Customer Information (Safeguards Rule). The Final Rule contains five main modifications to the existing Rule. In this article, we’re going to take a look at a small subset of the first modification. The Penetration Testing and Vulnerability Assessments requirement.
NEW REQUIREMENT – Penetration Testing and Vulnerability Assessments
The first modification to the existing rule adds additional “guidance”, aka Safeguards or security control requirements. Most notably in the context of this discussion is the requirement to implement either continuous monitoring OR annual penetration testing and semi-annual vulnerability assessments. Most organizations are going to opt for the penetration test and vulnerability assessments, and that is what we’re going to be talking about from here on out.
Annual Penetration Testing
The new Rule states that you must have a penetration test performed once a year.
“you shall conduct: (i) Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment;”
Unlike continuous monitoring, the Rule does include a definition for Penetration Testing. I’ve highlighted the important parts to pay attention to:
“a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.“
To be honest, that’s quite an interesting definition of a penetration test. It’s not how I would have written it, but nonetheless, that’s what we have to work with. Now let’s focus on the important parts.
According to the Rule, the penetration test must:
Include attempts to circumvent (aka: evade, bypass, etc.) or defeat(aka: disable, impair etc.) security features
Include attempts to penetrate, from inside or outside
Semi-annual Vulnerability Assessments
The new Rule also states that you must perform semi-annual vulnerability assessments.
“you shall conduct: (ii) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program“
Unlike penetration testing, the Rule does not include a definition for vulnerability assessment.
According to the Rule, the vulnerability assessment must:
Be performed twice a year, OR after any material (aka: significant) change to the business, network or infrastructure
Be able to identify publicly known security vulnerabilities
When this takes effect
If you have not performed a penetration test or vulnerability assessment yet this year, then, according to only the GLBA Safeguards Rule, you’re ok. The effective date for these assessments is not until December 9th, 2022, which is when the other requirements in the Safeguards Rule take effect.
What does this all mean?
The GLBA Safeguard Rule was constructed in such a way to instruct organizations on the difference between a vulnerability assessment and a penetration test. We’ve written about the differences before in this article, so we won’t go into detail here. However, put simply, a vulnerability assessment is meant to discover any and all vulnerabilities, and a penetration test is meant to discover and validate via “penetrating”(aka exploiting) those vulnerabilities in order to prove the effectiveness, severity, and impact of those vulnerabilities to the organization.
It is likely no surprise that our security recommendations would fall in line with the GLBA Safeguard Rules because annual penetration testing and regular vulnerability assessments are best practices. We recommend clients have an annual internal and external penetration test performed as well as regular vulnerability assessments. Some clients, who have the resources, even opt to perform these vulnerability assessments quarterly. This is something that our cybersecurity professionals assist clients with on a regular basis.
Not only are we seeing regulatory requirements modified to specifically address this, but cyber insurers are also looking for these assessments to be done regularly. As a matter of fact, for some insurers, it could be a determining factor for getting a cyber insurance policy or not.
What to do next?
Again, if you have not performed a penetration test or vulnerability assessment yet this year, then, according to only the GLBA Safeguards Rule, you’re ok. For now. However, in reality, your organization is likely subject to other regulations and/or requirements so there’s a good chance you may have already had or plan to have a penetration test and vulnerability assessment performed this year. That’s great!
If you’ve never had a penetration test or a vulnerability assessment before and the GLBA Safeguards Rule is all new to you, that’s ok too! Start planning those assessments now. Many firms that offer penetration testing services book several months, sometimes 6-8 months out. So, begin planning, budgeting and scheduling of those activities now. If you are planning a penetration test and you’re not sure what to expect, check out our blog post that talks about what to expect during your upcoming external penetration test.
Lastly, our Offensive Security Team here at SecurIT360 conducts hundreds of penetration tests every year and if at any point you’re unsure where you stand, you want help identifying those gaps, or are looking for advice on how to best implement these requirements, please reach out to us. We would be more than happy to help.