Conducting a GLBA Risk Assessment

Under the latest version of the Gramm-Leach-Bliley Act (GBLA) Safeguards Rule, element two is the requirement to conduct a risk assessment. The purpose of the assessment is to identify internal and external risks to your institution’s customer information security and confidentiality. For a risk assessment to meet GLBA requirements, it needs to:

  • Evaluate and categorize identified security risks or threats
  • Assess the confidentiality, integrity, and availability of your information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats
  • Describe how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks

Conducting risk assessments for the GLBA or compliance with any other information security standards can be a daunting task. NIST Special Publication 800-30 provides an in-depth roadmap for assessments that organizations can follow.

We want to provide a more streamlined look at the steps involved in a risk assessment that meets the requirements of the GLBA Safeguards Rule, from preparing for the assessment to implementing controls to mitigate the identified risks.

Approach the task from a broad perspective, and consider each of the following areas:

  • Security policies and procedures
  • Incident-response procedures
  • Disaster recovery and business continuity plans
  • Network security controls
  • Identity and access controls
  • Media protection
  • Physical security of IT assets
  • Physical security of hard copy documentation
  • User education and awareness
  • Third-party security (vendors/suppliers/outsourcing)

GLBA Risk Assessment Steps

Understand your Data and Assets

The first step in the risk assessment process is to identify the data you have, and the systems involved in processing that data. This will give you a better idea of what needs to be evaluated in the assessment.  

Start by creating a list with all the data you hold about your organization or your customers, including account numbers, contact information, account balance, etc. Be sure to classify each data type. An example would be labeling data as “public,” “private,” or “restricted” in order to prioritize which needs the most security.

You also need to create a list of the assets involved in accessing, storing, processing, transmitting, or protecting data. Typically, this will be technical systems like servers, laptops, and applications. Physical items such as filing cabinets and actual buildings need to be included along with staff members that work with the data.

Threat identification

The next step is to identify the potential threats your organization is facing. It goes without saying, the list of potential threats could go forever, ranging from malware attacks to insider threats and even natural disasters. Don’t direct too much focus on “doomsday” events, instead focus on the types of threats or attacks you’ll likely see repeatedly, and you are most susceptible to.

Qualify the Risk

Assess how much danger each identified threat poses to your institution. Consider these two factors when qualifying how much risk comes with each threat: the likelihood of the threat, and the amount of damage it could cause. Find a ranking system that works for your organization. A common system would be a low, medium, or high ranking for both the likelihood and potential damage categories. For example, there is a high likelihood your institution will be hit with a phishing attack and a low probability you’ll experience a physical forced entry into your building that results in data being stolen. Threats with a high likelihood of occurring and high potential damage need to be a priority.

Control Design and Implementation

This is where the rubber meets the roads. You’ve identified the threats that present the most risk to your institution, now it’s time to mitigate and manage that risk. The list of controls that need to be designed and implemented could range from the installation of anti-malware software to getting a network of security cameras up and running. Whatever controls are necessary for your institution, it’s crucial to ensure that all employees get the training needed to understand their role in the controls’ proper execution.

Risk Treatment Plan

Throughout the risk assessment process, risks may be identified that your institution cannot properly remediate with security controls. You need to develop a plan for that risk. If it is a low-probability threat with minimal potential damage, the organization may choose to simply accept the risk. For riskier threats, consider partnering with a cybersecurity service provider that can deliver experience, knowledge, and technology that your institution likely doesn’t have to address more serious threats.

Control Validation

Security controls are not a set-it and a forget-it project. Once they’ve been implemented, it’s vital to ensure they are mitigating the risk as they were designed to do. Continuously monitor and test that your security controls are effectively protecting your data. Conduct periodic vulnerability scans and penetration testing to identify new security gaps that may have emerged. Be prepared to adopt new controls to address those gaps as well as any new threats that have emerged.

CompliancePoint has the experience and knowledge to guide your institution through an effective risk assessment. We can also help you meet the requirements of all elements of the GLBA Safeguards rule. To learn more about how we can help with the GLBA, or other security standards like ISO 27001, SOC 2, PCI DSS, and NIST, contact us at

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.