GLBA Information Security Program Annual Review

Annual inspection template for reviewing the written information security program, risk assessment, and administrative, technical, and physical safeguards required under the GLBA Safeguards Rule.

Inspection Scope and Program Governance

  • Review period and covered business units are defined
    Document the date range reviewed and the business units, systems, and locations included in scope.
  • Written information security program is current and approved
    Verify the program document is current, version-controlled, and formally approved by management or the governing body.
  • Qualified individual is designated and accountable
    Confirm a qualified individual is assigned responsibility for overseeing, implementing, and reporting on the information security program.
  • Program review cadence meets annual requirement
    Verify the written information security program has been reviewed at least annually and after material changes to operations or risks.
  • Board or senior management reporting is documented
    Confirm periodic reporting to the board, committee, or senior management includes program status, risk findings, and remediation progress.

Risk Assessment and Information Inventory

  • Written risk assessment is documented and current
    Verify a written risk assessment exists, is dated, and reflects current systems, vendors, and business processes.
  • Inventory of customer information assets is maintained
    Confirm the organization maintains an inventory of customer information, systems, repositories, and data flows in scope.
  • Threats, vulnerabilities, and likelihood/impact are assessed
    Verify the assessment evaluates reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.
  • Third-party and service provider risks are included
    Confirm the assessment addresses vendors, cloud providers, processors, and other service providers that store, process, or transmit customer information.
  • Risk treatment decisions are documented
    Verify each material risk has a documented treatment decision, owner, due date, and status.

Administrative Safeguards

  • Access is limited to authorized personnel with least privilege
    Confirm access to customer information is granted based on job role and reviewed periodically for appropriateness.
  • Security awareness training is completed and tracked
    Verify employees and relevant contractors receive periodic security awareness training and completion is documented.
  • Incident response and escalation procedures are documented
    Confirm the organization has documented procedures for identifying, escalating, containing, and reporting security incidents.
  • Change management and exception handling are controlled
    Verify security-related changes, exceptions, and compensating controls are approved, tracked, and time-bound.
  • Remediation tracking is active for prior findings
    Confirm prior audit findings, deficiencies, and non-conformances have assigned owners, due dates, and closure evidence.

Technical Safeguards

  • Multi-factor authentication is enforced for appropriate access
    Verify MFA is required for remote access, privileged access, and other access paths where customer information is exposed.
  • Access controls and account lifecycle management are effective
    Confirm user provisioning, deprovisioning, privileged access review, and periodic recertification are operating effectively.
  • Encryption protects customer information in transit and at rest where applicable
    Verify encryption or equivalent compensating controls are used for customer information stored on systems and transmitted across networks.
  • Logging, monitoring, and alert review are functioning
    Confirm security logs are collected, protected from tampering, and reviewed for suspicious activity and critical events.
  • Vulnerability and patch management meet defined timelines
    Verify vulnerabilities are identified, prioritized, and remediated within defined service levels, and that any exceptions to those timelines are formally approved.

Physical Safeguards and Facility Controls

  • Restricted areas are controlled by badges, keys, or equivalent access controls
    Confirm access to records rooms, server rooms, and other sensitive areas is limited to authorized personnel.
  • Paper records and removable media are secured when not in use
    Verify customer information in paper or portable form is stored in locked cabinets, secure rooms, or equivalent protections.
  • Visitor controls and clean desk practices are enforced
    Confirm visitors are logged and escorted where required, and sensitive information is not left exposed in public or shared areas.

Findings, Corrective Actions, and Approval

  • Deficiencies and non-conformances are recorded with severity
    List all findings observed during the review, including the affected control, severity, and evidence.
  • Corrective action owner and target date are assigned
    Document the responsible owner, remediation plan, and target completion date for each open finding.
  • Inspector certification and sign-off
    Inspector confirms the review was completed accurately and evidence supports the recorded results.