By the nature of their business, financial institutions find themselves as the prime target for hackers. In response, industry and government agencies outlined various compliance regulations. So let’s take a close look at the different regulations and how your organization can ensure compliance with them.
The seemingly never-ending daily headlines about devastating cyberattacks have impacted businesses. “The rise of data breaches forces enterprises to comply with an increasingly complex legal and regulatory environment,” according to market research firm Gartner.
The regulations force organizations to create and enforce security standards designed to reduce the likelihood of successful cyberattacks. Four regulations are geared toward financial organizations:
- The Sarbanes-Oxley Act (SOX) establishes requirements for the secure storage and management of corporate-facing, electronic financial records.
- The Gramm-Leach-Bliley Act (GLBA) regulates the collection, safekeeping and use of private financial information.
- The Payment Card Industry Data Security Standard (PCI DSS) established security requirements for any organization that stores, processes, or transmits cardholder data.
- The Federal Financial Institutions Examination Council (FFIEC) requires that the banking industry implement sophisticated security checks to assist in the prevention of electronic fraud.
To comply with the various requirements, financial organizations need to put checks in place. So what items need to be monitored, and what tools help to ensure compliance?
Firewall and Web Gateways
The first step to protecting information is putting a barrier between the enterprise network and outsiders. All financial organizations that work with sensitive data are expected to install and maintain firewall-like solutions. These systems rely on company policies that outline which users have access to what information. In addition, such solutions need change-management processes in place, so that whenever a policy is modified, the alteration is reviewed and verified. PCI DSS also includes strict rules requiring banks to continuously track and monitor access to all network resources and payment data.
Logging and Data Collection
These enterprises must implement administrative controls that track network activity. They need to see who is coming into the network and what information they access. Logging and data collection solutions perform that work. FFIEC guidelines mandate that transaction event information must be logged and reviewed on a daily basis to ensure that no outsiders are trying to penetrate your systems. In addition, that data must be stored for at least 90 days. FFIEC also has guidelines in place for identifying specific log sources (e.g., firewalls, IDS, anti-spam systems) and then analyzing them for potentially threatening network activity. Financial companies must have procedures in place for security incident response and reporting.
Intrusion Detection
Financial institutions are expected to implement Intrusion Detection Systems (IDS). These services are another check in addition to a firewall. They assess the connections a firewall is allowing and either report connections that look suspicious or block connections they find unacceptable. In some cases, an outsider may still gain access to sensitive information. An IDS notifies the IT team about the possible problem, so they can look more closely into it, contain the incident, and determine whether a system may have been compromised.
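The logging and IDS sections above describe a daily review of transaction and network event logs from several sources (firewalls, IDS), a check that at least 90 days of logs are retained, and an IDS acting as a second opinion on connections the firewall allowed. The script below is an added example that is not part of the original article and not a DataComm tool: it runs a small daily review over constructed sample log lines from a hypothetical firewall and a hypothetical IDS. The log formats, the signature names, the IP addresses, the review timestamp and the "5 denied connections within 10 minutes" threshold are all assumptions made for the example.

```python
"""
Added example (not from the original article): a minimal daily log-review pass
over constructed firewall and IDS log lines. It parses each source into a common
record, flags sources with repeated firewall denies, lists IDS alerts on traffic the
firewall had allowed, and checks that the retained history covers 90 days.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RETENTION_DAYS = 90                 # minimum retention the article cites for FFIEC
DENY_THRESHOLD = 5                  # assumed threshold: denies from one source that warrant review
WINDOW = timedelta(minutes=10)      # assumed time window for that threshold
REVIEW_TIME = datetime(2024, 3, 31, 23, 59, 59)   # assumed "now" for the daily review

# Constructed sample lines (not real traffic); the last line is deliberately malformed
# to show that an unparsed line is itself a finding (a source may have changed format).
SAMPLE_LOGS = """\
2024-01-05T09:12:00 firewall ALLOW src=198.51.100.4 dst=10.0.0.8 dport=443
2024-03-31T08:00:01 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-31T08:00:03 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2024-03-31T08:00:05 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2024-03-31T08:00:07 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=445
2024-03-31T08:00:09 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=1433
2024-03-31T08:01:00 firewall DENY src=198.51.100.4 dst=10.0.0.5 dport=22
2024-03-31T08:02:00 firewall ALLOW src=198.51.100.4 dst=10.0.0.8 dport=443
2024-03-31T08:02:30 ids ALERT sig=WEB-SQLI-ATTEMPT src=198.51.100.4 dst=10.0.0.8
2024-03-31T08:03:00 ids ALERT sig=SCAN-PORTSWEEP src=203.0.113.7 dst=10.0.0.5
this line is not in any known format
"""

# Hypothetical line formats for the two sources
FW_RE = re.compile(r"^(?P<ts>\S+) firewall (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r"^(?P<ts>\S+) ids ALERT sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def parse_line(line):
    """Normalise a firewall or IDS line into a common record, or None if unrecognised."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
                "event": m["action"], "src": m["src"], "dst": m["dst"], "detail": m["dport"]}
    m = IDS_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "ids",
                "event": "ALERT", "src": m["src"], "dst": m["dst"], "detail": m["sig"]}
    return None


def parse_logs(text):
    """Split raw text into parsed records and the lines no parser recognised."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        (records if rec is not None else unparsed).append(rec if rec is not None else line)
    return records, unparsed


def repeated_denies(records, threshold=DENY_THRESHOLD, window=WINDOW):
    """Source IP -> largest number of firewall DENYs inside any `window`, for sources at or over threshold."""
    times = defaultdict(list)
    for r in records:
        if r["source"] == "firewall" and r["event"] == "DENY":
            times[r["src"]].append(r["ts"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):            # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(count, flagged.get(src, 0))
    return flagged


def alerts_on_allowed_traffic(records):
    """IDS alerts whose src/dst pair the firewall also ALLOWed: the firewall let it through, the IDS disagreed."""
    allowed = {(r["src"], r["dst"]) for r in records
               if r["source"] == "firewall" and r["event"] == "ALLOW"}
    return [(r["src"], r["dst"], r["detail"]) for r in records
            if r["source"] == "ids" and (r["src"], r["dst"]) in allowed]


def retention_coverage(records, now):
    """(whole days of history retained, whether that meets RETENTION_DAYS)."""
    if not records:
        return 0, False
    oldest = min(r["ts"] for r in records)
    days = (now - oldest).days
    return days, days >= RETENTION_DAYS


def daily_review(text, now):
    """Run every check and return a summary dict an analyst would read each morning."""
    records, unparsed = parse_logs(text)
    days, ok = retention_coverage(records, now)
    return {"records": len(records), "unparsed": unparsed,
            "repeated_denies": repeated_denies(records),
            "alerts_on_allowed": alerts_on_allowed_traffic(records),
            "retention_days": days, "retention_ok": ok}


if __name__ == "__main__":
    for key, value in daily_review(SAMPLE_LOGS, REVIEW_TIME).items():
        print(f"{key}: {value}")
```

On the constructed input the review flags one source for five denied connections in a few seconds, surfaces one IDS alert on a connection the firewall had allowed, reports one unparsed line, and finds that only 86 days of history are retained, short of the 90-day minimum. The retention check is deliberately a separate finding: a review that only looks at today's events would never notice that older logs had been purged early.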
Penetration Testing
Why wait for an outsider to determine if your network has any holes? With penetration testing, a company tests its own network security. This combination of tools and analyst expertise identifies vulnerabilities that exist within your security defenses, so you can fix them before they are exploited.
Auditing
Auditing is an important part of the compliance checklist. Compliance regulations mandate that financial institutions produce and monitor reports that illustrate how their systems are working and what activity they have tracked. That process creates a variety of reports that illustrate how different system elements perform and highlight risky activity.
IT Audits: These reports are critical to ensuring that your information technology and security processes are working as designed. A few frameworks, such as COBIT and NIST, outline how these reports should be structured.
Cyber Security Risk Assessments: Financial services firms must examine how much exposure they have to outside interference. A risk assessment takes that step. The June 2015 FFIEC Cybersecurity Risk Assessment and the June 2014 NIST Cybersecurity Framework are solid foundations for measuring your cybersecurity risk profile.
NACHA: The National Automated Clearing House Association is the source of guidance for the ACH Network, which annually moves tens of billions of electronic payments and trillions of dollars in debits and credits. Its compliance rules mandate that financial institutions annually conduct an audit to ensure that those transactions are secure.
Where to Find Assistance
Nowadays, security is a complex and evolving area. Financial services companies need to put checks in place to protect information, and these various checkpoints help secure sensitive data. Once those checks are in place, procedures are needed to verify that they work effectively.
Such work is complex and often beyond a financial institution’s skill set. Where can you go for help? DataComm has a well-established track record of keeping financial systems secure. The company’s broad suite of security services includes managed firewalls, logging services, intrusion detection, penetration testing, and auditing solutions.
Learn more about how DataComm can work with your business and improve its compliance reporting.