October 15, 2001
Comments on the Privacy Safeguards Rule
Dear Federal Trade Commission:
Our headquarters are a few short blocks from the World Trade Center. Since the September 11 terrorist attacks, we have been focused on business continuity and were not able to meet the October 9 FTC deadline for comments. Thankfully, through a combination of a good disaster recovery plan, an office in Texas, luck, and some very hard work, we were able to continue business without losing a beat, not missing a single client deadline. After a few short days our New York office was once again fully functional in terms of penetration testing and analysis, and we have been catching up on other items (such as this) since then.
More importantly, despite some very close calls, all the people at Tiger Testing and all of our families are OK. Our hearts go out to the families of any victims who may be reading this, and our thanks go out to the many people who helped keep us and so many other people alive. Also, thanks very much to the FTC for asking for our comments and for allowing us to submit our comments a few days past the submission deadline.
Tiger Testing focuses exclusively on penetration testing, which is also known as ethical hacking and vulnerability assessment. We test the system security of Internet web sites and their underlying systems. This expertise and specialization gives us a unique perspective on the testing components of the Gramm-Leach-Bliley regulations. The Gramm-Leach-Bliley regulations’ testing components have a substantial impact on the goals of system security and consumer privacy.
Gramm-Leach-Bliley and Penetration Testing
The objective and several components of the proposed Gramm-Leach-Bliley regulations encompass testing requirements. Some of them, including the following, can only be met if financial institutions conduct ongoing independent penetration testing of their web sites and their underlying systems:
As stated by the FTC: “The objectives of these standards are: to insure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer.”
One of the “anticipated threats” faced by financial institutions is the ongoing threat posed by computer hackers to “the security and confidentiality of customer records and information”.
Key components of the proposed regulations include:
o Section 314.4 paragraph (b) requires each financial institution to: “identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information and assess the safeguards in place to control these risks.”
o Section 314.4 paragraph (b) also requires financial institutions to consider such risks in each relevant area of their operations, including: “…(2) information systems, including information processing, storage, transmission and disposal; and (3) prevention and response measures for attacks, intrusions, or other systems failures.”
o Section 314.4 paragraph (c) requires each financial institution to “design and implement information safeguards to control the risks (identified) through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.”
o Section 314.4 paragraph (e) requires each financial institution to: “Evaluate and adjust (its) information security programs”. In the Federal Register, the FTC noted that this “…is consistent with the Advisory Committee’s findings that a security program should have ‘a continuous life cycle’ and that companies should be prepared to ‘revisit and review (their security standards) on a regular basis.’” The FTC also noted that: “It is also similar to the Banking Agency Guidelines’ requirement to ‘regularly test the key controls, systems and procedures of the information security programs…’”.
Analysis and Suggestions
Financial firms’ Internet web sites and underlying systems are like all other systems: when they are changed, or are expected to withstand external changes (e.g., advances in hacker technology), they should be tested. Without penetration testing it is not possible for financial firms to meet the Gramm-Leach-Bliley objectives of: insuring the security and confidentiality of customer records and information; protecting against anticipated threats to the security and integrity of such records; and protecting against unauthorized access to such records or information.
The Gramm-Leach-Bliley regulations clearly call for financial institutions to:
o Identify external risks (which would include several types of computer hackers – from script kiddies to cyber terrorists),
o Consider information systems risk (which would include Internet web sites and their underlying systems),
o Regularly assess, test, or monitor the effectiveness of system safeguards (which would include regular penetration testing to assess and monitor the security of web sites and their underlying systems),
o Regularly evaluate and adjust security programs (which would require regular penetration testing and reporting).
Based on this analysis, Tiger Testing has two suggestions:
1) Go with the proposed regulations. They are a move in the right direction: toward increased systems and privacy safeguards.
2) As the regulations begin taking effect, make it clear that “regular” testing, assessment and monitoring means either ongoing or very frequent, not once in a while or semi-annually. The threats to security and privacy are continuous, so the protective steps suggested in these regulations should be continuous as well.
Thank you again for asking us to provide these comments!