GLBA Compliance Resources and Services

The Standards for Safeguarding Customer Information Rule (the Rule) component of the Gramm-Leach-Bliley Act (GLBA) requires financial institutions — including higher education institutions that participate in Title IV programs — to protect the personally identifiable information of the customers they serve.

The Rule initially went into effect in 2003. It was officially amended by the Federal Trade Commission with a 2023 effective date, and the update includes expanded guidelines and recommendations for compliance. So while the GLBA requirements are not new, many of the changes from the recent update are now part of the required audit procedures in the Compliance Supplement.

Many institutions find it challenging to reach full compliance, but we can help. CapinTech, a CapinCrouse company, has been helping organizations meet GLBA compliance requirements for over 20 years. We have extensive experience with GLBA in highly regulated industries and offer a wide range of helpful resources and services.


GLBA Compliance Resources

We have developed the following resources to assist organizations working toward GLBA compliance:


Recorded Webcasts and Videos

Important GLBA Updates, Part 1

Important GLBA Updates, Part 2

GLBA Updates and Insights for Higher Education Institutions

CapinTech Cyber Series: Vulnerability Management

CapinTech Cyber Series: The Criticality of Vendor Management and Due Diligence

CapinTech Cyber Series: Cybersecurity Training and Best Practices


Articles, Blog Posts, and Alerts

FSA Clarifies Certain Information Security Requirements Under GLBA

2023 OMB Compliance Supplement Now Available; Includes GLBA Changes

Revisiting GLBA: Important Updates

FTC Amends GLBA Safeguards Rule to Require Data Security Breach Reporting

The Need for Vendor Management: Outsourcing the Support but Not the Oversight

Cybersecurity Training: Who, What, When, Where, and Why


Sample Documents

Please note that these documents are for illustrative purposes only.

Sample Information Security Program and Incident Response Plan

Sample Information Security Program Annual Summary Report



How Weak IT Controls Can Affect Your Financial Statement Audit


Services to Help You Achieve GLBA Compliance

There are a variety of ways we can help you meet the GLBA compliance requirements. Please contact us to learn more or set up a consultation to discuss any of the following services:


Documentation Services

For many organizations, a lack of time is cited as one of the most significant obstacles to achieving GLBA compliance. There are several time-consuming written requirements in GLBA, including documentation of a risk assessment, mitigating safeguards, and an incident response plan. We can help you save valuable time and effort by documenting your existing policies and procedures for critical components of your information security program.


Vendor Management

GLBA requires organizations to establish procedures for overseeing relevant service providers and ensuring that they are capable of securing the organization’s information. We can simplify this process for you by gathering documentation and performing an initial assessment of the information from your designated vendors. We’ll provide you with a summary of the key considerations and highlight areas for management review and approval.


Vulnerability Scanning and Penetration Testing

GLBA requires organizations to implement a process that continuously identifies vulnerabilities that could impact customer information. CapinTech’s vulnerability scanning services can identify vulnerabilities on your internal and external network that could be exploited by bad actors or malware. Our penetration testing service takes this a step further to determine if the identified vulnerabilities can actually be used by a bad actor to gain access to your systems and data.


Employee Training

Employee awareness is a key component of any control framework. We can design an information security training session for you that covers GLBA requirements, current threats, and the mitigating policies and procedures you have established. This training is conducted through a live 60-minute webinar with a Q&A session unless an onsite presence is requested.


Independent Assessment

GLBA requires organizations to establish a process to periodically test the effectiveness of key controls, and many organizations prefer to have an independent review of this effectiveness. We can perform an evaluation of your key controls and identify gaps in existing processes or controls that are not functioning as intended. The results of this review can be used to plan for future enhancements to your information security program.


Experienced Insight

GLBA compliance is complex, but it’s important to understand the requirements to ensure your organization achieves and maintains compliance. And the good news is that taking the required steps will also strengthen your cybersecurity defenses.

You can rely on our experience and insight to help you manage the various compliance requirements. Please contact us with questions or to learn more.