
Chapter 12: Regulatory Compliance for Financial Institutions

  1. Chapter 12: Regulatory Compliance for Financial Institutions

  2. Objectives • Know information security regulations for financial institutions • Identify financial sector regulatory agencies • Understand the components of a GLBA-compliant information security program • Implement a GLBA-compliant information security program • Respond to the ever-increasing threat of ID theft

  3. Introduction • A financial institution’s most significant asset is not money: it’s information about money, transactions and customers • Protection of those information assets is necessary to establish the trust the institution needs in order to conduct business • Institutions have a responsibility to protect their clients’ information and privacy from harm such as fraud and ID theft

  4. What Is the Gramm-Leach-Bliley Act? • Signed into law by President Clinton in 1999 • Also known as the Financial Services Modernization Act of 1999 • Meant to allow banks to engage in a wide array of financial services • Banks can now merge with stock brokerage companies and insurance companies, which means that a single institution can hold large amounts of private, personal client information

  5. What Is the Gramm-Leach-Bliley Act? Cont. • GLBA allowed information such as bank balances and account numbers to be shared among, and in some cases sold by, banks, credit card companies and other financial institutions. This information is usually considered private, and the potential for misuse is great • Title V of the GLBA specifically addresses protecting both the privacy and the security of financial information: the Financial Privacy Rule governs how customer information may be shared, and Section 501(b) requires the regulators to establish standards for administrative, technical and physical safeguards

  6. What Is the Gramm-Leach-Bliley Act? Cont. • What is NPI? • Stands for non-public personal information: personally identifiable financial information that a consumer provides to obtain a financial product or service, that results from a transaction with the institution, or that the institution otherwise obtains • Includes the following information: • Names • Addresses • Phone numbers • Income and credit histories • Social security numbers

  7. To Whom Does the GLBA Pertain? • To all financial institutions that collect NPI from their customers or receive such information from other institutions • Also applies to companies that provide financial products and/or services such as: • Automobile dealers • Check-cashing businesses • Consumer reporting agencies • Courier services

  8. Who Enforces GLBA? • 8 federal agencies and the states have authority to administer and enforce the Financial Privacy Rule and the Section 501(b) safeguards requirements • Which agency enforces the regulation, along with the severity of the penalty, depends upon the industry to which the business belongs • Non-traditional financial services companies are regulated by the Federal Trade Commission, but are not subject to scheduled, regular examinations unless a complaint has been lodged against them

  9. FFIEC to the Rescue • Stands for the Federal Financial Institutions Examination Council • Formal interagency body empowered to prescribe uniform principles, standards and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration and the Office of the Comptroller of the Currency (the Office of Thrift Supervision was also a member until it was merged into the OCC in 2011, when the Consumer Financial Protection Bureau joined the Council)

  10. FFIEC to the Rescue Cont. • FFIEC publishes the IT Examination Handbook online as the InfoBase, which provides field examiners in financial institution regulatory agencies with a quick source of introductory training and basic information • The InfoBase is used as the de facto guide to information technology and information security examination

  11. FFIEC to the Rescue Cont. • The InfoBase booklets include, among others: • Audit • Business Continuity Planning • Development & Acquisition • E-banking • FedLine • Information Security • Outsourcing Technology Services • Retail Payment Systems • Supervision of Technology Service Providers

  12. FFIEC to the Rescue Cont. • GLBA-related definitions • Board of directors: managing officials • Customer information system: any method used to access, collect, store, use, transmit, protect or dispose of customer information • Service provider: any person or entity that maintains, processes or otherwise is permitted to access customer information through its provision of services directly to the financial institution

  13. What Are Interagency Guidelines? • The dependence of financial institutions upon information systems is a source of risk • The Interagency Guidelines Establishing Information Security Standards (IG) were created to mitigate the risk of information being compromised • The IG require every covered institution to implement a comprehensive written information security program that includes administrative, technical and physical safeguards appropriate to the institution’s size and complexity and to the sensitivity of its customer information

  14. What Are Interagency Guidelines? Cont. • Administrative safeguards include: • Security policies • Procedures • Management • Training

  15. What Are Interagency Guidelines? Cont. • Physical safeguards include: • Security controls designed to protect: • Data systems • Physical facilities • From: • Natural threats • Man-made threats

  16. What Are Interagency Guidelines? Cont. • Technical safeguards include: • Security measures that specify the use of technology to secure the confidentiality, integrity and availability of information

  17. What Are Interagency Guidelines? Cont. • Information Security Program • The criteria for designing a GLBA-compliant information security program should include: • Ensuring the confidentiality of customer information • Protecting against: • Any anticipated threats against the integrity of customer information • Accidental or intentional loss • Threats to information assets, systems & networks vital to the operation of the Bank

  18. What Are Interagency Guidelines? Cont. • Information Security Program Objectives • Protect the confidentiality, integrity and availability of customer information • Protecting customers from harm that may come from failing to achieve objective #1

  19. What Are Interagency Guidelines? Cont. • Information Security Program Requirements • Involving the board of directors • Assessing risk • Managing and controlling risks • Adjusting the program • Reporting to the board

  20. Involving the Board • The board must approve the bank’s written information security program • The board must oversee the development, implementation & maintenance of the program • As the institution’s governing body, the board has a fiduciary & legal responsibility • Banks should provide board members with appropriate training on information security • The board may in turn delegate information security tasks to other roles and/or committees, but it retains accountability for the program

  21. Assessing Risk • Risk assessments start by creating an inventory of all information items and information systems • Identifying threats is the next step • Threat: potential for violation of security • Threat assessment: identification of the types of threats • Threat analysis: systematic rating of threats based upon impact and probability • Threat probability: likelihood that a threat will materialize

  22. Assessing Risk Cont. • Mitigating controls: once threats are identified, appropriate mitigating controls must be developed • The level of control should be commensurate with the severity of the threat • Institutions must assess the sufficiency of controls: • Prioritize information systems based upon the results of the criticality analysis. Classify them in tiers • Prioritize the threats based upon the results of the threat analysis. Classify them in tiers of varying severity • Match the two lists. For each threat, list a mitigating control; any threat/system pair without one is a gap to be closed. All controls should be evaluated, tested and documented
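The three steps on this slide, carried out as a small risk-register worksheet. This is an added example, not code from the chapter or the FFIEC: the inventory, threat list, 1-to-3 scales and control catalogue are constructed for illustration, and the scoring rule (system criticality × threat severity × probability) is one common choice, not one the guidelines prescribe.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    customer_info: bool   # does it hold customer NPI?
    criticality: int      # 1 (supporting) .. 3 (critical), from the criticality analysis


@dataclass(frozen=True)
class Threat:
    name: str
    severity: int         # 1..3 impact if the threat materialises
    probability: int      # 1..3 likelihood that it materialises
    exposed: tuple        # names of the systems exposed to this threat


# Constructed inventory, threat list and control catalogue (illustration only).
SYSTEMS = (
    System("core-banking", True, 3),
    System("online-banking-portal", True, 3),
    System("hr-intranet", False, 2),
    System("marketing-site", False, 1),
)
THREATS = (
    Threat("credential phishing", 3, 3, ("online-banking-portal", "core-banking")),
    Threat("ransomware", 3, 2, ("core-banking", "hr-intranet")),
    Threat("insider misuse of customer data", 3, 2, ("core-banking",)),
    Threat("web defacement", 1, 2, ("marketing-site",)),
)
# One mitigating control per threat; a missing entry is a gap the programme must close.
CONTROLS = {
    "credential phishing": "MFA on every login; phishing-resistant tokens for admins; awareness training",
    "ransomware": "offline, restore-tested backups; endpoint anti-malware; patch SLA",
    "web defacement": "WAF; integrity monitoring of published content",
}


def threat_tier(t: Threat) -> int:
    """Threat analysis: rating = severity x probability (1..9), bucketed into tiers 1..3."""
    score = t.severity * t.probability
    return 1 if score >= 6 else 2 if score >= 3 else 3   # tier 1 = most severe


def risk_register(systems, threats, controls):
    """Match the two prioritised lists; risk = criticality x severity x probability."""
    by_name = {s.name: s for s in systems}
    rows = []
    for t in threats:
        for name in t.exposed:
            s = by_name[name]
            rows.append({
                "system": s.name,
                "system_tier": 4 - s.criticality,       # criticality 3 -> tier 1
                "threat": t.name,
                "threat_tier": threat_tier(t),
                "risk": s.criticality * t.severity * t.probability,
                "control": controls.get(t.name),        # None: no mitigating control yet
            })
    rows.sort(key=lambda r: (-r["risk"], r["system"], r["threat"]))
    return rows


def control_gaps(rows):
    """Threat/system pairs for which no mitigating control is documented."""
    return [r for r in rows if r["control"] is None]


if __name__ == "__main__":
    register = risk_register(SYSTEMS, THREATS, CONTROLS)
    for r in register:
        print(f'{r["risk"]:>2}  S-T{r["system_tier"]} {r["system"]:<22} '
              f'T-T{r["threat_tier"]} {r["threat"]:<32} {r["control"] or "** NO CONTROL **"}')
```

Run stand-alone it prints the register highest risk first; the insider-misuse threat against core banking scores as high as ransomware but shows up with no control, which is exactly the kind of gap the matching step is meant to expose.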

  23. Managing Risk • The information security program should be designed to control the identified risks commensurate with the sensitivity of the information as well as the complexity and scope of the institution’s activities: • Access controls on customer information systems • Access restrictions at physical locations containing customer information • Encryption of electronic customer information • Separation of duties • Monitoring systems to identify attacks • Incident response program • Disaster recovery plan

  24. Logical and Administrative Access Controls • Goal: to provide access only to authorized individuals whose identity is established and authenticated • Should involve need-to-know and principle of least privilege • Involves identification, authentication and authorization

  25. Logical and Administrative Access Controls Cont. • Types of Logical and Administrative Access Controls • Access Rights Administration • Authentication • Network Access • Operating System Access • Application Access • Remote Access

  26. Access Rights Administration • Applies to all employees, vendors, contractors, customers • Formal process in place to enroll, authorize, authenticate, & monitor user accounts & activities • Assigning users & system resources only the access required to perform their required functions • Updating access rights based upon personnel or system changes • Periodically reviewing users’ access rights • Designing appropriate confidentiality & acceptable use policies
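What the periodic review on this slide looks like when automated: reconcile the identity system’s account export against the HR roster and a role-to-entitlement matrix, and report every account that is orphaned, belongs to someone HR says has left, holds more than its role allows, or has gone dormant. This is an added example, not code from the chapter; the roster, accounts, entitlement names and 90-day dormancy threshold are constructed for illustration.

```python
from datetime import date, timedelta

# Role-to-entitlement matrix: the role defines the ceiling of what a user may hold.
ROLE_ENTITLEMENTS = {
    "teller": {"core-banking:read", "teller-app:use"},
    "loan-officer": {"core-banking:read", "loan-app:use"},
    "sysadmin": {"core-banking:read", "core-banking:admin", "ad:domain-admin"},
}
# HR roster export: user -> (role, employment status). Constructed sample data.
HR_ROSTER = {
    "alice": ("teller", "active"),
    "bob": ("loan-officer", "terminated"),
    "carol": ("sysadmin", "active"),
    "dave": ("teller", "active"),
}
TODAY = date(2024, 3, 1)
# Identity-system export: enabled accounts, entitlements actually held, last logon.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": TODAY - timedelta(days=2),
     "entitlements": {"core-banking:read", "teller-app:use"}},
    {"user": "bob", "enabled": True, "last_login": TODAY - timedelta(days=40),
     "entitlements": {"core-banking:read", "loan-app:use"}},
    {"user": "carol", "enabled": True, "last_login": TODAY - timedelta(days=1),
     "entitlements": {"core-banking:read", "core-banking:admin", "ad:domain-admin"}},
    {"user": "dave", "enabled": True, "last_login": TODAY - timedelta(days=120),
     "entitlements": {"core-banking:read", "teller-app:use", "core-banking:admin"}},
    {"user": "svc-legacy", "enabled": True, "last_login": None,
     "entitlements": {"core-banking:admin"}},
]


def review_access(accounts, roster, role_matrix, today, dormant_after_days=90):
    """Return (user, finding, detail) triples for the reviewer and the account owner to act on."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        user = a["user"]
        if user not in roster:
            findings.append((user, "orphan-account", "no owner in HR roster"))
            continue        # without a role there is nothing to compare entitlements against
        role, status = roster[user]
        if status != "active":
            findings.append((user, "terminated-still-enabled", f"HR status is {status}"))
        excess = a["entitlements"] - role_matrix.get(role, set())
        if excess:
            findings.append((user, "excess-entitlement", f"beyond role {role}: {sorted(excess)}"))
        last = a["last_login"]
        if last is None or (today - last).days > dormant_after_days:
            findings.append((user, "dormant", f"last login {last}"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, TODAY):
        print(f"{user:<12} {finding:<26} {detail}")
```

The orphan account is reported and then skipped, because an account with no owner cannot be judged against any role; it needs an owner assigned (or disabling) before the rest of the review applies to it. Each finding maps to one of the slide’s bullets: the terminated user to “updating access rights based upon personnel changes”, the excess entitlement to least privilege, the dormant and orphan accounts to monitoring of accounts.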

  27. Authentication • Authentication is the verification of identity by a system upon the presentation of unique credentials to that system • Can be single-factor (one credential) or multi-factor (2 or more credentials of different types) • Complexity & type of authentication should be commensurate with the sensitivity of the data accessible after authentication takes place • Authentication data must be protected in transit (encrypted, e.g., under TLS) and at rest; stored passwords should be kept as salted, deliberately slow one-way hashes, not in reversible encrypted form, so that a stolen credential database does not yield the passwords
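Protecting the stored authentication element, as an added example that is not from the chapter: a password is turned into a salted PBKDF2-HMAC-SHA256 verifier, and verification recomputes it and compares in constant time. The record format (`pbkdf2_sha256$iterations$salt$digest`) and the iteration count are this example’s own choices; only the Python standard library is used.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # tune so one verification costs roughly 100 ms on your hardware


def make_verifier(password: str, iterations: int = ITERATIONS) -> str:
    """Store this string instead of the password. A random per-user salt means two users
    with the same password get different records, so a stolen table cannot be attacked
    with a single precomputed lookup, and the work factor slows brute force."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, verifier: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time so that
    timing does not leak how many leading bytes matched."""
    algo, iterations, salt_hex, digest_hex = verifier.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported verifier format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(verifier: str, iterations: int = ITERATIONS) -> bool:
    """Flag records made with a weaker work factor so they are upgraded at the next login."""
    return int(verifier.split("$")[1]) < iterations


if __name__ == "__main__":
    v = make_verifier("correct horse battery")
    print(v)
    print(check_password("correct horse battery", v), check_password("wrong", v))
```

Because the verifier is one-way, neither a database administrator nor an attacker who copies the table can recover the password; contrast this with reversible encryption, where whoever holds the key (often the same administrator) can. `needs_rehash` is what lets the iteration count be raised over time without a forced password reset.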

  28. Network Access • Network access can be granted not only to employees, but also to remote users, 3rd-party vendors, consultants • Access must therefore be additionally controlled so that protected information is not disclosed to unauthorized parties • Network access procedures include: • Grouping network servers into security domains • Establishing proper, consistent access requirements within and between security domains

  29. Operating System Access • Operating system access must be regulated so that only authorized personnel can get admin-level access • Procedures include: • Securing access to system utilities • Restricting & monitoring privileged access • Logging & monitoring user or program access to sensitive resources & alerting on security events • Updating the OS with security patches • Securing the devices that can access the OS through physical and logical means

  30. Application Access • Application access: mission-critical applications require additional security and access controls • Access should only be granted on a least-privilege basis • Admin access should be logged and reviewed • Procedures include authentication & authorization controls, monitoring access rights, using time-of-day limitations on access, logging access & security events

  31. Remote Access • Remote access must be restricted and controlled: • Remote access services should be disabled at the OS level where they are not needed • Access must be controlled through management approval and audits • Remote access must be monitored and logged • Remote access devices must be secured • Strong authentication & encryption must be deployed

  32. Managing Risk Cont. • Additional Security Areas • Physical Security • Data Security • Malicious Code • Systems Development • Personnel Security • Media Handling • Logging & Data Collection • Service Provider Oversight • Intrusion Detection & Response • Business Continuity • Training

  33. Physical Security • Physical security includes protection from physical access, damage, theft and destruction • Zones should be created based on protection needs • Appropriate controls must be deployed for each zone against: • Physical penetration • Damage from environmental contaminants • Electronic penetration through active or passive electronic emissions

  34. Data Security • Data security can be accomplished through the use of encryption • Encryption protects confidentiality; it does not by itself prove authenticity or integrity, which require a message authentication code or an authenticated-encryption (AEAD) mode, and non-repudiation requires digital signatures • Encryption is built into some communication protocols, but not all! • Procedures: • Ensure that the encryption methods deployed are strong enough • Ensure that key management is secure
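Why confidentiality alone is not authenticity, shown concretely. This is an added example, not from the chapter: the keystream is a toy (SHA-256 in counter mode, chosen so the example runs with the standard library, not a real cipher), and the transfer message is constructed. An attacker who knows where a field sits in the plaintext flips the corresponding ciphertext bits without the key and the victim decrypts a different amount; the encrypt-then-MAC version rejects the same tampering before decryption. A MAC with a shared key still gives no non-repudiation, since either party could have produced it; that takes a signature.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Illustration only, not a real cipher."""
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:n]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt   # XOR with the same keystream undoes it


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What an attacker with NO key can do: XOR (old ^ new) into the ciphertext where a
    known plaintext field sits, so the victim decrypts `new` instead of `old`."""
    c = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        c[offset + i] ^= o ^ n
    return bytes(c)


# Hardened form: encrypt-then-MAC with a separate MAC key (what an AEAD mode does for you).
def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    ct = encrypt(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC check failed: message was altered")
    return decrypt(enc_key, nonce, ct)


def demo():
    """Returns (what the victim decrypts without a MAC, whether the MAC caught the
    tampering, whether the untampered sealed message round-trips)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"transfer;to=ACCT-4242;amount=0000100"   # constructed sample message
    offset = msg.index(b"amount=") + len(b"amount=")

    # Confidentiality only: the forged ciphertext decrypts "cleanly" to a bigger transfer.
    forged = flip_field(encrypt(enc_key, nonce, msg), offset, b"0000100", b"9000100")
    seen_by_victim = decrypt(enc_key, nonce, forged)

    # Encrypt-then-MAC: the same bit flips are rejected before anything is decrypted.
    blob = seal(enc_key, mac_key, nonce, msg)
    forged_blob = blob[:16] + flip_field(blob[16:-32], offset, b"0000100", b"9000100") + blob[-32:]
    try:
        open_sealed(enc_key, mac_key, forged_blob)
        caught = False
    except ValueError:
        caught = True
    return seen_by_victim, caught, open_sealed(enc_key, mac_key, blob) == msg


if __name__ == "__main__":
    print(demo())
```

The same malleability applies to real stream ciphers and to block ciphers in CTR mode, which is why the slide’s procedure of checking that “encryption methods are strong enough” must include checking that integrity protection is present, and why key management has to cover the MAC (or AEAD) key as carefully as the encryption key.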

  35. Malicious Code • Malicious code includes viruses, Trojans, worms, logic bombs and spyware • Blended threats, which combine several of these techniques in one attack, are increasingly common • Procedures include: • Antivirus must be deployed and kept updated • Appropriate blocking strategy at the network perimeter • Filtering input to applications • Training staff

  36. Systems Development, Acquisition and Maintenance • Security should be integrated from the start • All software, either developed or acquired, must be tested for security • Procedures: • Defining security requirements before development starts • Incorporating security standards in the development phase, along with security controls, audit trails, logs for data processing and data entry

  37. Personnel Security • Personnel security: according to the FBI figure the chapter cites, 80% of attacks originate from inside the network • Human error is also a risk: accidental data deletion or alteration, loss of equipment • Procedures: • Employees should receive security training • Regular security awareness campaigns • Background checks on employees

  38. Electronic and Paper-Based Media Handling • Media • All sensitive information must be secured, regardless of what media it is stored on • Five components of media security: • Handling • Storage • Transit • Reuse • Disposal

  39. Electronic and Paper-Based Media Handling Cont. • Procedures: • Establishing security procedures for handling information • Establishing security procedures for storing information • Ensuring safe and secure disposal of sensitive media • Securing media while in transit or during transmission to third-parties

  40. Logging and Data Collection • Logs must be generated and reviewed regularly • The person in charge of log review should NOT have administrative privileges on the systems being reviewed • Separation of duties • Logs should be secured so that the administrators whose actions they record cannot silently alter or delete them • Logs should be designed for each component: some will require more detail than others
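One way to make the separation of duties on this slide enforceable rather than merely procedural, as an added example that is not from the chapter: each log entry carries a hash over the previous entry’s tag and its own content, and the reviewer, who holds no admin rights, periodically records the newest tag somewhere the administrators cannot write. An administrator who edits an entry in place breaks the chain; one who edits and carefully re-chains everything after it produces a consistent chain whose head no longer matches the reviewer’s checkpoint. The log events, the JSON record layout and the checkpoint mechanism are this example’s own constructions.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64   # "previous tag" of the first entry


def _tag(prev: str, record: dict) -> str:
    """Tag = SHA-256 over the previous tag and the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + "\n" + body).encode("utf-8")).hexdigest()


def append_entry(chain: list, record: dict) -> dict:
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "record": record, "tag": _tag(prev, record)}
    chain.append(entry)
    return entry


def checkpoint(chain: list) -> tuple:
    """The reviewer records (seq, tag) of the newest entry somewhere the administrators
    of the logging hosts cannot write (a ticket, a WORM store, a separate system)."""
    last = chain[-1]
    return last["seq"], last["tag"]


def verify_chain(chain: list, checkpoints: list) -> tuple:
    """Return (ok, detail). Recomputes every tag, checks the links and sequence numbers,
    then checks the reviewer's checkpoints against the chain as it is now."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev or e["tag"] != _tag(prev, e["record"]):
            return False, f"chain broken at seq {i}"
        prev = e["tag"]
    for seq, tag in checkpoints:
        if seq >= len(chain) or chain[seq]["tag"] != tag:
            return False, f"checkpoint for seq {seq} does not match: history rewritten or truncated"
    return True, "ok"


def demo() -> dict:
    # Constructed sample events: an administrator grants himself admin rights, then exports data.
    events = [
        {"ts": "2024-03-01T09:00:00Z", "user": "dave", "event": "login", "result": "ok"},
        {"ts": "2024-03-01T09:05:12Z", "user": "dave", "event": "privilege-grant", "detail": "core-banking:admin"},
        {"ts": "2024-03-01T09:07:44Z", "user": "dave", "event": "export", "rows": 25000},
    ]
    chain = []
    for rec in events:
        append_entry(chain, rec)
    checkpoints = [checkpoint(chain)]            # reviewer takes a checkpoint at end of day
    results = {"clean": verify_chain(chain, checkpoints)}

    # 1. Admin edits the grant entry in place to hide it: its tag no longer matches.
    naive = copy.deepcopy(chain)
    naive[1]["record"]["detail"] = "teller-app:use"
    results["naive_edit"] = verify_chain(naive, checkpoints)

    # 2. Admin edits and re-chains every later entry: the chain is self-consistent,
    #    but the head tag no longer equals the reviewer's checkpoint.
    careful = copy.deepcopy(chain)
    careful[1]["record"]["detail"] = "teller-app:use"
    prev = careful[0]["tag"]
    for e in careful[1:]:
        e["prev"], e["tag"] = prev, _tag(prev, e["record"])
        prev = e["tag"]
    results["rechained_edit"] = verify_chain(careful, checkpoints)
    return results


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:<15} ok={ok} {detail}")
```

The chain protects everything up to the latest checkpoint; entries appended after it are only as trustworthy as the next checkpoint makes them, so the reviewer’s checkpoint interval bounds the window in which an administrator could rewrite history undetected. Forwarding logs to a collector the administrators cannot log in to is the usual complement to this.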

  41. Service Provider Oversight • Service provider oversight: many aspects of operations may be outsourced. This does not mean that the bank is no longer responsible for those operations. Information owners must still make sure that their data is secure • Procedures: • Use due diligence when selecting third parties • Implementing contractual assurances regarding security responsibilities, controls and reporting • Requiring non-disclosure agreements • Providing third-party review of the service provider’s security through audits and tests • Coordinating incident response policies and contractual notification requirements

  42. Intrusion Detection and Response • Intrusion detection and response: institutions should be able to detect, react and respond to an intrusion • Procedures: • Preparing for an intrusion, which includes: • Analysis of the data flows • Nature and scope of monitoring • Consideration for legal factors • Policies governing detection and response • Appropriate reporting

  43. Business Continuity Considerations • Business continuity considerations include: • Plans to activate alternate sites • Use of redundant equipment • Alternate communication lines • Procedures: • Identifying personnel with key security roles and training them • Determining security needs for alternate sites and communication networks, which must be protected to the same standard as the primary ones

  44. Training, Training, and More Training! • Staff should receive security training at least once a year • Security awareness campaigns should be run at least once a quarter • Untrained staff are perfect targets for hackers!

  45. Testing the Controls • All controls must be tested • Priority should be given to high-risk, critical systems • Separation of duties applies to control testing • Three types of test that can be run: • Penetration tests • Audits • Assessments

  46. Adjusting the Program, Reporting to the Board, and Implementing the Standards • Adjusting the program: the business environment is not static. The bank evolves with new clients, new features, new services, new equipment. These changes must be reflected in the information security program • Effective monitoring involves both technical and non-technical evaluations • Change drivers include mergers and acquisitions, changes in technology, changes in data sensitivity

  47. Adjusting the Program, Reporting to the Board, and Implementing the Standards Cont. • Reporting to the Board of Directors • Reporting to the board should take place at least annually and describe the overall status of the information security program and the bank’s compliance with the interagency guidelines • The report needs to address risk assessment and management, control decisions, service provider arrangements, recommendation for change of the program

  48. Identity Theft and Regulatory Compliance • Identity theft occurs when someone possesses and uses any identifying information that is not theirs with the intent to commit fraud or other crimes • Identifying information includes: • Name • Date of birth • Social security numbers • Credit card numbers

  49. Identity Theft and Regulatory Compliance Cont. • Responding to identity theft: the interagency guidance on response programs for unauthorized access to customer information and customer notice (“the guidance”) • The guidance describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information

  50. Identity Theft and Regulatory Compliance Cont. • Regulatory compliance : additional controls • The guidance identifies additional controls: • Access controls on customer information systems, such as authentication and authorization to prevent employees from leaking sensitive information to unauthorized 3rd parties • Background checks for employees • Response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems
