GLBA
GLBA Safeguards Rule (16 CFR Part 314)
The FTC rule requiring financial institutions under its jurisdiction to develop, implement and maintain a written information security program. The 2021 amendments added prescriptive elements such as access controls, encryption, multi-factor authentication (MFA) and a written incident response plan.
Who it applies to
Financial institutions subject to FTC jurisdiction, including non-bank lenders, mortgage brokers, auto dealers that offer financing, tax preparers and fintechs, that handle customers' non-public personal information (NPI).
Elements of the information security program
- §314.4(a) Designate a qualified individual
Designate a Qualified Individual responsible for overseeing, implementing and enforcing the information security program.
- §314.4(c)(1) Access controls
Implement and periodically review technical and physical access controls that limit access to customer information to the users who need it to perform their duties.
- §314.4(c)(3) Encryption of customer information
Encrypt customer information at rest and in transit; where encryption is infeasible, secure the information with effective compensating controls reviewed and approved by the Qualified Individual.
- §314.4(c)(8) Monitoring and logging of authorized user activity
Implement policies, procedures and controls to monitor and log the activity of authorized users and detect unauthorized access to, use of, or tampering with customer information by those users.
- §314.4(d) Regularly test or monitor safeguards
Regularly test or otherwise monitor the effectiveness of the safeguards, through continuous monitoring or, where continuous monitoring is not in place, annual penetration testing and vulnerability assessments at least every six months.
- §314.4(h) Incident response plan
Establish a written incident response plan designed to promptly respond to, and recover from, any security event that materially affects the confidentiality, integrity or availability of customer information.