GLBA Compliance with Netwrix Auditor

Integrated GLBA compliance solution for financial organizations

The Gramm-Leach-Bliley Act (GLBA) of 1999 was enacted to improve financial industry through removal of regulations that prevented merger of different type of financial institutions (e.g. banks and insurance companies) with the goal to open up competition between companies and modernize financial services industry.

Section 501(b) of GLBA contains important provisions aimed at protection of information. Information is one of a financial institution's most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution.

"It can be difficult to know what changed, when it changed, and who changed it. Add regulatory compliance and you'll need to hire a full crew to keep up the changes over time." /Michael Domingo, Executive Editor of MCPmag.com/

Section 501(b) compliance is sometimes referred to as FFIEC compliance after the name of the Federal Financial Institutions Examination Council (FFIEC) that created a document called FFIEC Examination Handbook for Information Security to help GLBA auditors perform adequate compliance audits. The table below summarizes requirements of section 501(b) as per the FFIEC Handbook (Document body and appendix A) and shows how Netwrix provides a complete solution to these requirements.

GLBA Requirement per FFIEC Handbook Netwrix Solution
ACCESS CONTROL: Access rights administration(Tier I: Objectives 4 & 7, Tier II: Section A)
Reviewing periodically user's access rights at an appropriate frequency based on the risk to the application or system: A monitoring process to oversee and manage the access rights granted to each user on the system (p. 23). Extensive auditing and reporting of changes to users accounts, security and distribution groups, policies, permissions, and other objects that control access to information in Active Directory, Group Policy, Exchange, file servers, VMware, and SQL Server. Detection of who did what, when, and where with advanced rollback capabilities of unauthorized actions.
Logging and auditing the use of privileged access (p. 24). Centralized consolidation and archival or audit trials with web-based reporting using predefined and custom-built reports covering all major types of privileged access, both successful and failed: logins, logoffs, access to mailboxes, user account operations, file access.
Reviewing privileged access rights at appropriate intervals and regularly reviewing privilege access allocations (p. 24). Complete auditing of all changes to access rights and privileges with archiving feature that allows to review all changes at any time for request time frame.
ACCESS CONTROL: Authentication (Tier I: Objective 4, Tier II: Section A)
The user should select them without any assistance from any other user, such as the help desk. Web-based self-service password management system that operates without intervention of human personnel to prevent sharing of passwords during password resets, while enforcing full compliance with required password policies (such as password strength, prevention of reuse, etc).
Authentication systems should force changes to shared secrets on a schedule commensurate with risk. Complimentary to the built-in password expiration mechanism in Active Directory, Netwrix solution minimizes administrative burden related to expired passwords for users who are never prompted to change their password by the system (e.g. remote users, VPN clients, non-Windows clients).
Prevention of attacks that target a specific account and submits passwords until the correct password is discovered. Complimentary to the built-in account lockout mechanism in Active Directory, Netwrix solution helps to reduce the effects of false positives by proactive monitoring and resolution of account lockout incidents.
ACCESS CONTROL: Network Access (Tier I: Objective 4, Tier II: Section B)
Cross-domain network access monitoring to detect security incidents and unauthorized activity. Not provided, a hardware or software-based firewall must be used to separate and audit clearly defined network segments called domains (e.g. DMZ and internal network). Network domains are not Active Directory domain per the Handbook (some vendors mistakenly confuse these concepts).
ACCESS CONTROL: Operating system access (Tier I: Objective 4, Tier II: Section C)
Restricting and monitoring privileged access. Auditing of all types of access to critical data and security-related settings in Active Directory, file servers, virtual machines, databases, to make sure no change falls under the radar.
Logging and monitoring user or program access to sensitive resources and alerting on security events. Centralized consolidation and easy to use reporting of security event with extensive filtering capabilities and user-friendly reports. Ability to subscribe to reports generated on schedule.
Log user or program access to sensitive system resources including files, programs, processes, or operating system parameters. Audit trail archiving and consolidation to track access to files and programs. Monitoring of user activities related to changes to system parameters.
Filter logs for potential security events and provide adequate reporting and alerting capabilities. Extensive event log collection system with filtering, reporting, and real -time alerting capabilities to ensure that critical security events never happen unnoticed.
Monitor operating system access by user, terminal, date, and time of access. Auditing of access to all types of systems with reporting of who did what and when.
ACCESS CONTROL: Application access (Tier I: Objective 4, Tier II: Section G)
Monitoring access rights to ensure they are the minimum required for the user's current business needs. Monitoring of security group membership, privileges, and access rights to ensure that no excessive rights are given and no rights are given proper without authorization.
Logging access and security events. Auditing of all administrative and user activities with configurable alerts and reporting that documents all security incidents and helps with early detection and prevention of further security incidents.
Using software that enables rapid analysis of user activities. Real-time alerting and schedule reporting of different types of user activities, such as logons, changes to files and permissions, changes to system configurations.
Maintaining consistent processes for promptly removing access to departing employees. Routine detection of inactive user accounts and automatic deactivation based specified thresholds to ensure that no account remain active for terminated and reassigned employees.
ACCESS CONTROL: Remote access (Tier I: Objective 4)
Tightly controlling remote access rights through management approvals and subsequent audits. Regularly review remote access approvals and rescind those that no longer have a compelling business justification. Auditing of dial-in and VPN access on user accounts. Predefined reports that show newly granted remote access rights to users. Ability to review all remote access permissions granted within specific timeframe.
Logging and monitoring all remote access communications. Log and monitor the date, time, user, user location, duration, and purpose for all remote access. Auditing of logins, remote desktop connections, and other types of remote access with full information on who logged in and when, source IP address, etc.
SECURITY MONITORING (Tier I, Objective 6, Tier II: Section M)
Analyzing the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events. Web-based reporting system with predefined reports and ability to create custom reports for specific analysis needs.
Monitoring network and host activity to identify policy violations and anomalous behavior. Complete auditing of user and administrative activities, including logons, access to data and configuration.
Monitoring host and network condition to identify unauthorized configuration and other conditions which increase the risk of intrusion or other security events. Complete auditing of changes in server configurations, Active Di rectory, Group Policy to detect unauthorized or accidental changes that might open security holes and other possibilities for attacks.
Download Free Trial One-to-One Demo Request Quote

See how Netwrix Auditor helps meet requirements of other regulations, such as HIPAA, FISMA, PCI and SOX.

Disclaimer: This information is not intended to provide legal advice or substitute for the advice of an attorney.