Financial service organizations face a major obligation to meet regulatory commitments such as the Gramm-Leach-Bliley Act (GLBA): monitoring regulated users such as financial traders, and preventing exposure of clients’ personally identifiable information (PII) and confidential corporate information (mergers, acquisitions, private financial results, etc.).
What is GLBA?
The GLB Act applies to “financial institutions” – companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to “financial institutions” that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC’s regulation applies only to companies that are “significantly engaged” in such financial activities (Source: FTC).
The law requires financial organizations to protect the information they collect about individuals. Additionally, they must be ready to address any scrutiny from auditors. The same obligation extends to content created in collaboration systems like SharePoint, which serves as the central point for collaboration, content management, communications and search.
What does GLBA mean to SharePoint?
Though SharePoint provides several benefits, it can expose financial organizations to unnecessary regulatory and corporate risk. For example, if your organization were audited, could you do the following:
- Demonstrate that regulatory policies are enforced in SharePoint?
- Demonstrate that governance processes are in place to monitor activities of regulated users in SharePoint?
- Provide an audit trail and forensics on who has handled and what actions have been taken with sensitive client information or company confidential documents?
- Identify if documents with sensitive data are being exposed in public areas of SharePoint?
- Prevent sensitive data from being published outside of SharePoint (either accidentally or intentionally) for widespread access?
In general, auditors dislike SharePoint’s security model because it is disconnected from Active Directory (no central management authority) and because of the black-hole nature of sites and content (lack of visibility, reporting and enforcement of policy). Specifically, out of the box just about anyone can provision a site, and the data isn’t protected as it should be because there’s no built-in functionality to enforce security and data policy.
With the sheer size of many financial service organizations, it’s what you don’t know about SharePoint that can damage the organization. Financial organizations therefore require compliance and security solutions that preserve SharePoint’s benefits while eliminating data loss risk. To achieve this, organizations must:
- Work with your legal counsel and security teams to understand policy.
- Provide an audit trail of all regulated users’ interactions within SharePoint (e.g. enable auditing) and limit the surface area for publishing information (wikis, blogs, etc.).
- Use provisioning systems (GLBA-aware forms and workflows) and classification systems and tools to ensure that sensitive and confidential content is classified properly and protected.
- Protect sensitive information with granular security that travels with the item to ensure only authorized audiences can view the content within or outside of SharePoint (enforce with security and data scanners).
- Utilize a data custodian model with SharePoint whereby each site collection has executive-level sponsorship and two owners. Automate the management of ownership using provisioning tools.
- Build privacy protection into your organization’s policy and process (e.g. create control plans) to ensure client data is not exposed to outside or unauthorized parties (enforce with security and data scanners).
- Configure Information Barriers between internal communities, such as research groups and traders in financial securities companies (e.g. separate farms or site collections might be required).
- Use configuration management disciplines to ensure you can rebuild your SharePoint environment, confirm the build, and prove that it is configured as it should be, top down. This includes a documented build process, configuration checklists, and tools to enforce and correct configuration, especially for site collection security, auditing and data policy settings.
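As an added example of the auditing and configuration checks listed above (this is illustrative code, not from the original post or from any vendor tool), the following PowerShell script compares each site collection’s audit flags against a baseline and, when run with the hypothetical -Fix switch, adds any missing flags. It assumes on-premises SharePoint Server with the Microsoft.SharePoint.PowerShell snap-in, run on a farm server by a farm administrator; the baseline flags are an assumption to be replaced with the events your own control plan requires.

```powershell
# Added example: report, and optionally correct, site collections whose audit
# settings drift from a required baseline. Assumes SharePoint Server
# (on-premises) and the Microsoft.SharePoint.PowerShell snap-in; -Fix is a
# parameter defined here, not a built-in SharePoint option.
param([switch]$Fix)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Baseline (an assumption): the events the control plan expects to be audited.
$Required = [int]([Microsoft.SharePoint.SPAuditMaskType]::View -bor
                  [Microsoft.SharePoint.SPAuditMaskType]::Update -bor
                  [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor
                  [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange -bor
                  [Microsoft.SharePoint.SPAuditMaskType]::Copy -bor
                  [Microsoft.SharePoint.SPAuditMaskType]::Move)

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        $current = [int]$site.Audit.AuditFlags
        # Bitwise check: every required flag must already be set on the site.
        $missing   = $Required -band (-bnot $current)
        $compliant = ($missing -eq 0)
        if (-not $compliant -and $Fix) {
            # Only ever add flags; never remove auditing a site owner enabled.
            $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]($current -bor $Required)
            $site.Audit.Update()
        }
        [pscustomobject]@{
            Url       = $site.Url
            Current   = [Microsoft.SharePoint.SPAuditMaskType]$current
            Missing   = [Microsoft.SharePoint.SPAuditMaskType]$missing
            Compliant = $compliant
            Fixed     = (-not $compliant) -and $Fix
        }
    } finally {
        $site.Dispose()   # SPSite holds unmanaged resources; always dispose.
    }
}

# Non-compliant site collections first, then save a copy as audit evidence.
$report | Sort-Object Compliant | Format-Table -AutoSize
$report | Export-Csv -Path ".\SharePoint-AuditFlags-Drift.csv" -NoTypeInformation
```

Run it without -Fix on a schedule to detect drift, and with -Fix only from a change-controlled process so the correction itself leaves an audit trail.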
Complying with GLBA requires the financial organization to establish policy and rigorous control plans to enforce it, spanning security policy, mandated user education, IT service provisioning and monitoring for compliance. To get started, consult your legal and security teams for guidance. Work with vendors that understand GLBA and provide tools and consulting services that enable you to build and operate your SharePoint environment in a compliant manner.