Gramm-Leach Bliley Act (GLBA) Password Requirements
(Last updated on November 29, 2021)
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions to explain their information-sharing practices to their customers, and to safeguard sensitive data. The GLBA applies to all companies that offer consumer financial products or services like loans, financial or investment advice, or insurance.
To protect consumer information, the GLBA specifies the Safeguards Rule. Designed to be flexible, the Safeguards Rule calls for assessing and addressing risks to customer information in all areas of operations, including those critical to information security.
One of the most basic and necessary components of information security today is user authentication. Passwords are the most fundamental piece of information required for accessing business systems, and sensitive data. What is the specific guidance given by the GLBA regarding passwords?
GLBA password requirements
As noted by CSO Online, “there’s no specific GLBA password requirements; instead, GLBA-covered institutions are expected to follow contemporary best practices for authenticating access to personal data which in practice today would include an appropriate password regimen.”
What are the contemporary best practices recognized by other industry standards?
The Federal Trade Commission’s (FTC) website provides some considerations for passwords, as related to the Safeguards Rule. Unfortunately, the page hasn’t been updated for quite some time, and the specified password recommendations may no longer be considered best practice.
Another well-known standard offering guidance for organizations around passwords and other areas for information security is the National Institute of Standards and Technology (NIST). The latest NIST password standards (SP) 800-63-3B includes the following recommendations and requirements:
- Skip character composition rules as they are an unnecessary burden for end-users.
- Change passwords only if there is evidence of compromise.
- Screen new passwords against a list of known compromised passwords.
The NIST password standards can be used towards designing stronger password policies for GLBA compliance. This can be combined with the password recommendation from the Payment Card Industry Data Security Standard (PCI DSS), which may also be relevant for financial institutions.
Meet GLBA password requirements with Specops Password Policy
Many companies today are using Microsoft’s Active Directory as their identity and access management solution. Active Directory does not have native functionality to provide robust features such as breached password protection needed for businesses to align with the NIST password standards.
Specops Password Policy is a feature-rich solution with robust controls over Active Directory password settings. The Specops Breached Password Protection feature includes a real-time breached password check that prevents users from selecting vulnerable passwords.
Password detection and remediation are vital features that allow organizations to take a proactive approach to password security.
Contact us to learn more about Specops Password Policy, and how it can help you meet GLBA compliance.