GLBA Safeguards Data Inventory Worksheet
Element 314.4(b)(2) of the amended Safeguards Rule requires a written risk assessment, and the risk assessment requires an inventory: every system, every vendor, every data class that touches non-public personal information. This worksheet walks the team through producing the inventory in the structure the FTC examiner expects, plus a control-family mapping that surfaces the safeguards covering each row.
What you walk away with
~25 min · 4 sections · 6 fields
- A populated NPI inventory — one row per system / vendor / data class.
- A control-family mapping showing which 16 CFR 314 controls cover each row.
- Surfaced gaps where a data flow exists but a control does not.
- An artifact the Qualified Individual signs off and presents to the board.
Scope
Qualified Individual: per 314.4(a), the named owner of the information security program.
NPI inventory
List each system, vendor, and process that creates, stores, transmits, or disposes of NPI. Complete the following four fields for every row:
- System / vendor: name the system or vendor that handles NPI.
- Data class: what kind of NPI flows through? Be specific: SSN, account number, transaction history.
- Control families: tick each control family that covers this row. Blank ticks are gaps.
- Gaps: any controls absent — and the plan to close them.
Vendor oversight summary
Effective May 2024 — 30-day notification to FTC for events affecting 500+ customers.
Inventory roll-up
Most fintech firms have 20-60 inventory rows once subprocessors and physical flows are included.
0 = Not wired · 1 = Documented · 2 = Templates ready · 3 = Tested
Next steps
The populated inventory is the input to the GLBA Safeguards Rule scorecard. Run the scorecard to surface gaps in the controls themselves, and use the GLBA Safeguards Data Map checklist as the line-item field-by-field reference.
Key takeaways
- An inventory the team built once and never refreshed is worse than no inventory — it gives false confidence.
- Subprocessors are the most-missed inventory category. The vendor's vendor handles your NPI.
- Test environments using production data are the most common control gap. Synthetic test data is a structural fix.
- The 30-day FTC notification trigger is new (May 2024). Most firms have the IRP but not the trigger wired in.
FAQ
How granular should the rows be?
One row per (system, data class, lifecycle stage) tuple. If a system stores SSN and transmits transaction history, that's two rows.
Does this satisfy the written risk assessment requirement?
Partially. The inventory is the foundation; the risk assessment also requires threat mapping (314.4(b)) per row and an evaluation of whether the safeguards in place are sufficient. Use this worksheet first; layer threat-mapping next.
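A small model of the inventory described in this worksheet, as an added example rather than the worksheet's own tooling: rows are keyed by the (system, data class, lifecycle stage) tuple from the FAQ, control families are ticked per row, blank ticks are surfaced as gaps, and subprocessor rows roll up under their parent vendor. The control-family labels and the sample rows are assumed and constructed, not taken from the page.

```python
"""NPI inventory model with gap surfacing (added example, not the worksheet's tooling)."""
from collections import Counter
from dataclasses import dataclass

# Assumed control-family labels; the worksheet's own tick list is not reproduced here.
CONTROL_FAMILIES = frozenset(
    {"access_control", "encryption", "mfa", "secure_disposal", "change_mgmt", "monitoring"}
)
LIFECYCLE_STAGES = ("creates", "stores", "transmits", "disposes")


@dataclass(frozen=True)
class Row:
    system: str                 # system, vendor or subprocessor that handles NPI
    data_class: str             # e.g. "SSN", "account_number", "transaction_history"
    stage: str                  # one of LIFECYCLE_STAGES
    controls: frozenset         # control families ticked for this row
    subprocessor_of: str = ""   # parent vendor when this row is the vendor's vendor


def validate(rows):
    """Enforce one row per (system, data_class, stage) tuple and a known vocabulary."""
    seen = set()
    for r in rows:
        key = (r.system, r.data_class, r.stage)
        if key in seen:
            raise ValueError(f"duplicate inventory row {key}")
        if r.stage not in LIFECYCLE_STAGES:
            raise ValueError(f"unknown lifecycle stage {r.stage!r} on {key}")
        unknown = r.controls - CONTROL_FAMILIES
        if unknown:
            raise ValueError(f"unknown control families {sorted(unknown)} on {key}")
        seen.add(key)
    return len(seen)


def gaps(rows, required=frozenset()):
    """Rows where an NPI flow exists but no control is ticked, or a required family is missing."""
    return sorted(
        (r.system, r.data_class, r.stage, sorted(required - r.controls))
        for r in rows
        if not r.controls or not required <= r.controls
    )


def rollup(rows):
    """Row count per top-level vendor, counting its subprocessors' rows under it."""
    return Counter(r.subprocessor_of or r.system for r in rows)


# Constructed sample inventory: a core system, a KYC vendor and that vendor's cloud host.
SAMPLE = [
    Row("core_ledger", "SSN", "stores", frozenset({"access_control", "encryption", "mfa"})),
    Row("core_ledger", "transaction_history", "transmits", frozenset({"encryption"})),
    Row("kyc_vendor", "SSN", "transmits", frozenset({"encryption", "mfa"})),
    Row("kyc_cloud_host", "SSN", "stores", frozenset(), subprocessor_of="kyc_vendor"),
]
```

Passing a `required` set (for instance `{"encryption"}`) also flags rows that have some ticks but lack a family the program mandates for that data class.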