Training under GLBA is required via its Safeguards Rule, 16 CFR 314.4. The training requirement is rather vague, but interagency guidance recommends that organizations should: “Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling; Provide staff members responsible for building or maintaining computer systems and local and wide-area networks with adequate training, including instruction about computer security; and Train staff to properly dispose of customer information.”
Data security is just as important as staff training. Data encryption is the first step. Encryption at the file system level using AES 256-bit encryption is recommended. File system encryption provides transparent protection for your data. It also provides extra protection for discarded hard drives. Next Transport Layer Security to transfer data to and from remote locations is important to insure that data is not intercepted or modified in transit. Lastly your data should be physically secure. Data should be stored in a security controlled area. All access should be logged and monitored.
Following these steps are a good start to being GLBA compliant, but you should also continually look for any weak spots in your security. Regular security audits are paramount.