GLBA: Raising Email Security Awareness

Corporations are under the gun to protect financial information
and consumers are watching!

Just a few weeks ago, one of the world’s largest banks announced that it had lost computer data containing the personal information of an estimated 1.2 million federal employees, including some members of the U.S. Senate. The missing information includes Social Security numbers and account data for government employees who use the bank’s charge cards for travel and expenses. In the aftermath of these revelations, the ability of banks and other financial institutions to safeguard our personal information has been called into question by consumers and government alike. Predictably, we are beginning to hear the rumblings of additional legislation, but there have been laws protecting consumer financial information on the books for years – laws such as the Gramm-Leach-Bliley Act (GLBA).

The effect of this legislation and consumer awareness hits squarely on the issue of email security. Customers receive their bank statements via email; bank officers pass countless sensitive email messages back and forth to one another; financial spreadsheets are included in email communication on a regular basis. This reliance on email is bringing information privacy and security into the spotlight.

With international attention now focused on privacy and information security, executives are scrambling to ensure that their enterprises are not only compliant with the law, but that they also convey a sense of security to consumers who ultimately vote with their pocketbooks. As an email security company, our interest is in understanding how these issues affect an organization’s email system.

The Gramm-Leach-Bliley Act was signed by former President Clinton in 1999 and made fully effective on July 1, 2001. GLBA requires financial institutions (including banks, brokerage firms, insurance companies and tax preparation firms), as well as all of their business partners and contractors, to protect the private financial information that passes through their enterprises.

GLBA Requirements
GLBA requires financial institutions and their partners to make various information security best practices part of everyday operations. This includes:

• Ensuring that email messages containing confidential information are kept secure when transmitted over an unprotected link
  
• Ensuring that email systems and users are properly authenticated so that confidential information does not get into the wrong hands
  
• Protecting email servers and network drives where confidential information may be stored
  

Even without government regulations defining acceptable communication behavior, financial institutions are faced with the need to protect confidential data and keep their networks operational and secure. The consequences of a failure to perform in any of these areas could have devastating effects on the business itself – potentially causing existing and potential customers to lose faith in the company’s ability to protect their identities and financial information. If that doesn’t strike fear into your heart, GLBA provides for imprisonment of company officers and steep monetary fines for non-compliance.

Components of GLBA Compliance
There are five general sections of the “safeguards” rule contained in GLBA. They outline, at a very high level, what to implement to meet these requirements – not how to implement them. In fact, nowhere does the safeguards rule mention specific technologies or products such as firewalls, encryption, and content filtering that must be in place in order to contribute to compliance. However, the use of each of these technologies is necessary in order to properly secure the email gateway against compliance violations. On the same note, experience and time have shown that technology alone is not an information security catch-all.

An effective information security program also needs specific policies and procedures in place to assist with managing information risks on an ongoing basis. Once these policies and procedures have been defined, the technology should provide automated implementation, enablement and enforcement of them.

Obviously, no single email security component can be used to secure all information; a solid information security infrastructure must consist of a combination of several technologies:

• Firewalls and intrusion prevention systems accept or deny traffic into and out of networks.
  
• Encryption ensures data integrity and confidentiality during transport across the Internet.
  
• Content filtering monitors the conversations traveling into and out of the network, scanning for terms that could indicate a violation of regulatory or corporate policy.
  
• Attachment filtering provides inspection of files sent within email messages to ensure that no confidential data is transmitted without proper safeguards in place.
  

The need to establish centralized policy-based governance over the transmission, encryption, and archival of sensitive information requires a secure gateway-based solution. The solution should be capable of interfacing with all of an organization’s business partners regardless of the partner’s technological capabilities, and it should be transparent to the user in order to maximize the efficiency and utility of email and encourage adoption of acceptable means of corporate communication.

IronMail: The Compliance Appliance
The award-winning IronMail email security appliance from CipherTrust is widely recognized as the benchmark by which all others are measured. IronMail’s Compliance Control allows organizations to set customize policies to easily and automatically manage non-compliant messages as soon as they are detected. Because Compliance Control is policy-driven, most functions are automated, with exceptions handled directly by a decision-maker such as the compliance officer, rather than by an intermediary such as a network administrator interpreting rules made by another party. In addition, powerful reporting and monitoring tools give executives and administrators access to real-time information pertaining to non-compliant email messages.

To learn more about IronMail’s Compliance Control and how it can help your organization comply with the stringent GLBA legislation, download CipherTrust’s free whitepaper, "IronMail Compliance Control: Contributing to Corporate Regulatory Compliance".