GLBA Compliance Checklist (FTC Safeguards Rule)

Espresso Labs Team

The FTC’s Safeguards Rule (16 CFR Part 314) as updated in 2023 specifies 9 required elements for the information security program that financial institutions must maintain. This checklist helps you assess your current posture against each requirement.

Note: Institutions with fewer than 5,000 customer records are exempt from some specific requirements (marked with *). They still must maintain an information security program and designate a qualified individual.

1. Qualified Individual

  • Designated a qualified individual (CISO, CTO, or equivalent) responsible for overseeing the information security program
  • The qualified individual has knowledge, skills, and experience appropriate to the role and the institution’s risk profile
  • If using a third-party service provider for this role, maintained oversight of their performance

2. Risk Assessment

  • Conducted a written risk assessment that identifies:
    • Foreseeable internal and external risks to customer information
    • Assessment of the sufficiency of existing safeguards
    • Criteria for evaluating and categorizing identified risks
  • Risk assessment updated whenever material changes to the information security program occur
  • Risk assessment results inform the development and maintenance of safeguards

3. Safeguards — Access Controls

  • Least privilege: Users have access only to customer information necessary for their job functions
  • Multi-factor authentication (MFA) for:
    • All remote access to information systems with customer information
    • All access to privileged accounts
  • Automatic session timeouts after a period of inactivity
  • Password controls: Prohibiting common or default passwords, enforcing password strength requirements
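As an added illustration (not code from the Espresso Labs checklist or its product), the following Python shows how two of the access controls above can be enforced inside an application: rejecting common or default passwords and weak passwords, and expiring idle sessions so that a request after the timeout must re-authenticate. The denylist, the 12-character minimum, the three-character-class rule and the 15-minute idle timeout are assumed values chosen for the example; the Safeguards Rule does not prescribe them.

```python
"""Added example: password policy enforcement and idle-session timeout.
The denylist and thresholds below are constructed for illustration only."""
from datetime import datetime, timedelta, timezone

# Constructed sample denylist. A real deployment would load a large list of
# breached/common passwords and vendor default credentials instead.
COMMON_OR_DEFAULT_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "admin", "admin123", "welcome", "letmein", "changeme",
}

MIN_LENGTH = 12          # assumed policy value
REQUIRED_CLASSES = 3     # of: lowercase, uppercase, digit, symbol


def password_problems(candidate: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.
    Checks run in a fixed order so callers can report every failure at once."""
    problems = []
    lowered = candidate.lower()
    if lowered in COMMON_OR_DEFAULT_PASSWORDS:
        problems.append("common or default password")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),   # anything else counts as a symbol
    ])
    if classes < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} character classes")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


IDLE_TIMEOUT = timedelta(minutes=15)   # assumed inactivity limit


class Session:
    """Minimal server-side session record: who it belongs to and when it was last used."""

    def __init__(self, user: str, now: datetime):
        self.user = user
        self.last_activity = now

    def is_expired(self, now: datetime) -> bool:
        return now - self.last_activity >= IDLE_TIMEOUT


def access_allowed(session: Session, now: datetime) -> bool:
    """Run on every request. An expired session is refused (and, in a real
    system, destroyed so the user must log in again); an allowed request
    refreshes the idle timer."""
    if session.is_expired(now):
        return False
    session.last_activity = now
    return True


def simulate_requests(request_minutes: list[int]) -> list[bool]:
    """Constructed timeline: a session created at minute 0, then requests at
    the given minute offsets. Returns whether each request was allowed."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    session = Session("alice", t0)
    return [access_allowed(session, t0 + timedelta(minutes=m)) for m in request_minutes]


if __name__ == "__main__":
    for pw in ("Password1", "correct-horse-battery-STAPLE-42"):
        print(pw, "->", password_problems(pw) or "ok")
    # Requests at 10 and 24 minutes succeed (each within 15 min of the last
    # activity); the request at 40 minutes finds the session idle and is refused.
    print(simulate_requests([10, 24, 40, 41]))
```

The denylist check is case-insensitive and runs before the strength checks, because a password that appears on a breached or default list is unacceptable regardless of its length or complexity. The timeout is enforced on the server using the last-activity timestamp, not by a client-side timer, so a client that ignores the timeout gains nothing.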

4. Safeguards — Data Management

  • Customer information inventory: Know what customer information you have, where it is, and who has access
  • Data minimization: Only collecting customer information necessary for legitimate business purposes
  • Secure disposal: Properly disposing of customer information that is no longer needed for business or legal purposes
  • Encryption in transit: Customer information transmitted over external networks is encrypted
  • Encryption at rest: Customer information stored on information systems is encrypted (or documented risk-based compensating controls)

5. Safeguards — Change Management

  • Change management procedures: Process for tracking and managing changes to information systems
  • Secure software development: Pre-implementation security review for internally developed applications
  • Inventory of information systems: Maintained and up to date

6. Safeguards — Testing and Monitoring

  • Regular testing or monitoring of the effectiveness of safeguards, through one of:
    • Continuous monitoring of safeguards
    • Annual penetration testing AND semiannual (every six months) vulnerability assessments* (*required for 5,000+ customer records)
  • Penetration testing: Conducted by qualified internal or external staff, results documented and remediated*
  • Vulnerability assessments: Conducted at least every 6 months, including after significant system changes*
  • Audit logging: Systems configured to generate and retain logs sufficient to detect unauthorized access

7. Service Provider Oversight

  • Written contracts with service providers handling customer information include requirements to:
    • Implement appropriate safeguards for customer information
    • Notify the institution if they experience a security breach
  • Periodic assessments of service providers based on the risk they present and the continued adequacy of their safeguards
  • Service provider inventory: Maintained and current

8. Incident Response Plan

  • Written incident response plan addressing:
    • Goals and scope of the plan
    • Internal processes for responding to security events
    • Roles and responsibilities
    • External and internal communications
    • Remediation of vulnerabilities and restoration of services
    • Documentation of events and responses
    • Post-incident review and program updates
  • Plan reviewed and updated at least annually (and after significant incidents)

9. Annual Board Reporting*

(Required for institutions with 5,000+ customer records)

  • The qualified individual reports to the board of directors (or equivalent) at least annually on:
    • The overall status of the information security program
    • Material matters related to the program including risk assessment results, risk management and control decisions, service provider arrangements, testing results, security events, and program recommendations

Additional Regulatory Notification

  • FTC breach notification: Following a security breach involving unencrypted customer information of 500+ customers, notify the FTC within 30 days
  • Customer notification: Notify affected customers as required under applicable state breach notification laws

How Espresso Labs Helps

Espresso Labs enforces the technical safeguards required by the Safeguards Rule automatically — access controls, MFA, encryption, continuous monitoring, penetration testing, and more — and maintains the documentation your qualified individual needs for board reporting. Contact us to close your GLBA gaps without building a large internal security function.

Ready to Get Started?

CMMC compliance does not have to require a large internal team or a 6-figure budget. Espresso Labs delivers it as an automated, managed service so you can focus on winning contracts, not managing controls.

Talk to our team