Run GLBA Information Security Program Annual Review — Free

Inspection Scope and Program Governance

Review period and covered business units are defined

Document the date range reviewed and the business units, systems, and locations included in scope.

Written information security program is current and approved critical (required)

Verify the program document is current, version-controlled, and formally approved by management or the governing body.

Yes No N/A

Qualified individual is designated and accountable critical (required)

Confirm a qualified individual is assigned responsibility for overseeing, implementing, and reporting on the information security program.

Yes No N/A

Program review cadence meets annual requirement critical (required)

Verify the written information security program has been reviewed at least annually and after material changes to operations or risks.

Yes No N/A

Board or senior management reporting is documented

Confirm periodic reporting to the board, committee, or senior management includes program status, risk findings, and remediation progress.

Yes No N/A

Risk Assessment and Information Inventory

Written risk assessment is documented and current critical (required)

Verify a written risk assessment exists, is dated, and reflects current systems, vendors, and business processes.

Yes No N/A

Inventory of customer information assets is maintained critical (required)

Confirm the organization maintains an inventory of customer information, systems, repositories, and data flows in scope.

Yes No N/A

Threats, vulnerabilities, and likelihood/impact are assessed critical (required)

Verify the assessment evaluates reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.

Yes No N/A

Third-party and service provider risks are included critical (required)

Confirm the assessment addresses vendors, cloud providers, processors, and other service providers that store, process, or transmit customer information.

Yes No N/A

Risk treatment decisions are documented

Verify each material risk has a documented treatment decision, owner, due date, and status.

Yes No N/A

Administrative Safeguards

Access is limited to authorized personnel with least privilege critical (required)

Confirm access to customer information is granted based on job role and reviewed periodically for appropriateness.

Yes No N/A

Security awareness training is completed and tracked

Verify employees and relevant contractors receive periodic security awareness training and completion is documented.

Yes No N/A

Incident response and escalation procedures are documented critical (required)

Confirm the organization has documented procedures for identifying, escalating, containing, and reporting security incidents.

Yes No N/A

Change management and exception handling are controlled

Verify security-related changes, exceptions, and compensating controls are approved, tracked, and time-bound.

Yes No N/A

Remediation tracking is active for prior findings

Confirm prior audit findings, deficiencies, and non-conformances have assigned owners, due dates, and closure evidence.

Yes No N/A

Technical Safeguards

Multi-factor authentication is enforced for appropriate access critical (required)

Verify MFA is required for remote access, privileged access, and other access paths where customer information is exposed.

Yes No N/A

Access controls and account lifecycle management are effective critical (required)

Confirm user provisioning, deprovisioning, privileged access review, and periodic recertification are operating effectively.

Yes No N/A

Encryption protects customer information in transit and at rest where applicable critical (required)

Verify encryption or equivalent compensating controls are used for customer information stored on systems and transmitted across networks.

Yes No N/A

Logging, monitoring, and alert review are functioning

Confirm security logs are collected, protected from tampering, and reviewed for suspicious activity and critical events.

Yes No N/A

Vulnerability and patch management meet defined timelines

Verify vulnerabilities are identified, prioritized, remediated within defined service levels, and exceptions are approved.

Yes No N/A

Physical Safeguards and Facility Controls

Restricted areas are controlled by badges, keys, or equivalent access controls critical (required)

Confirm access to records rooms, server rooms, and other sensitive areas is limited to authorized personnel.

Yes No N/A

Paper records and removable media are secured when not in use

Verify customer information in paper or portable form is stored in locked cabinets, secure rooms, or equivalent protections.

Yes No N/A

Visitor controls and clean desk practices are enforced

Confirm visitors are logged and escorted where required, and sensitive information is not left exposed in public or shared areas.

Yes No N/A

Findings, Corrective Actions, and Approval

Deficiencies and non-conformances are recorded with severity

List all findings observed during the review, including the affected control, severity, and evidence.

Corrective action owner and target date are assigned

Document the responsible owner, remediation plan, and target completion date for each open finding.

Inspector certification and sign-off critical (required)

Inspector confirms the review was completed accurately and evidence supports the recorded results.

Get your results

Enter your email — we'll send you a PDF of your filled-out template, plus the occasional MangoScoop newsletter (templates, workflow tips, product updates). Unsubscribe anytime — link is in every email.

Email (required)

Your name (optional)

Run: GLBA Information Security Program Annual Review

Inspection Scope and Program Governance

Risk Assessment and Information Inventory

Administrative Safeguards

Technical Safeguards

Physical Safeguards and Facility Controls

Findings, Corrective Actions, and Approval

Get your results