Secure Messaging for Finance White Paper

Transcription

1 O C T O B E R Secure Messaging for Finance White Paper The Gramm-Leach-Bliley Act (GLBA) Sarbanes Oxley (SOX) Payment Card Industry (PCI-DSS) The Data Protection Act 1998 This whitepaper helps organizations understand how four key regulations, GLBA, SOX, PCI-DSS and The Data Protection Act 1998 impact the Finance industry and how to improve the security of communications.

2 Table of Contents The Gramm-Leach-Bliley Act (GLBA)... 3 Sarbanes Oxley (SOX)... 5 Payment Card Industry (PCI-DSS)... 7 The Data Protection Act Additional Compliance Considerations About OpenText...11

3 The Gramm-Leach-Bliley Act Introduction The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, provides a number of provisions to protect consumers private financial information against exploitation and loss while in the hands of financial institutions and other organizations. As financial institutions have evolved since 1999, the way they maintain, use and transmit customer information has dramatically shifted with the adoption of electronic communications, namely . poses a new challenge to securing customer financial data against loss or unauthorized exposure as it remains vulnerable to: n Malware: Commonly downloaded through infected attachments and executable files, viruses and other malware can infect a messaging system to delete files, damage programs, access and capture sensitive data for exploitation. n Phishing: Fraudulent s appearing as authentic and legitimate attempt, and often succeed at getting unsuspecting users to give up sensitive data for financial exploitation. n User-error: When it comes to data leakage, users are a leading cause. According to a 2011 study by the Ponemon institute, 69% of organizations surveyed indicated employees violated security policies frequently and send confidential and sensitive information via non-approved, unsecured methods. Tasked with securing customers private information under GLBA, financial institutions must ensure the security and integrity of customer information exchanged via . Who is Affected by GLBA? GLBA broadly applies to organizations within the financial industry. These include financial institutions in the traditional sense such as banks, credit unions and mortgage lenders as well as additional businesses that provide products and services of a financial nature. Such services include but are not limited to investment or tax advisory services, insurance sales and underwriting, check cashing, money transfers and money orders, consumer lending or leasing and credit card activities. Businesses that provide financial products and services like those above, by nature, utilize a broad range of customers nonpublic personal information (NPI) such as credit card numbers, bank account information and social security numbers. As a result, GLBA charges affected businesses to protect NPI or face harsh civil and criminal penalties. Why Should My Organization Comply with GLBA? To compel financial services providers to comply with requirements, GLBA imposes biting financial and criminal penalties on businesses and executives that fail to protect NPI using prescribed safeguards. For each violation, a financial institution can be fined up to $100,000 while its executives can be fined up to $10,000 and face imprisonment for up to 5 years. Additionally, if GLBA is violated at the same time that another federal law is violated, or if GLBA is violated as part of what the SEC deems a pattern of compliance violations within a 12-month period, the violator s fine will be doubled and he or she can imprisoned for up to 10 years. ENTERPRISE INFORMATION MANAGEMENT 3

4 What Does GLBA Require for Compliance? The act places responsibility on financial institutions to protect customer financial data and personal identifying information in their possession wherever it resides including . Two key components of the act directly impact security: the Safeguards Rule and a provision for Pretexting Protection. The Safeguards Rule requires that affected institutions (1) conduct a thorough risk assessment of its security measures and (2) develop, implement, and maintain a written information security program that contains administrative, technical, and physical safeguards to: 1. Ensure the security and confidentiality of customer records and confidential information when stored and transmitted. 2. Proactively protect against any anticipated threats or hazards to the security or integrity of these records. 3. Protect against unauthorized access to or use of records that could cause customers to sustain substantial harm or inconvenience. GLBA mandates that additional safeguards be implemented to address what it calls Pretexting, or fraudulent attempts to access and exploit customer NPI. Exploits of this nature include phishing scams, social engineering, spoofs or other attempts to impersonate a customer by obtaining NPI. How Can My Organization Meet These Requirements? GLBA does not explicitly identify specific policies and technologies organizations should implement as safeguards to achieve compliance. However, several technologies and best practices stand out as clear solutions to meet GLBA requirements in relation to n End-to-end encryption: To meet regulation requirements that mandate NPI be secured, end-to-end encryption is often necessary to ensure that data remains confidential and secure between the message sender and the intended recipient. n Data Leak Prevention (DLP): A DLP solution for is essential for GLBA compliance, providing enhanced security through content filtering, authentication, and permissions rules that limit access and transmission of sensitive information sent within and outside the organization. n Archiving: An archiving system will enable organizations to meet control objectives for message retention and auditing by capturing, preserving and making all traffic easily searchable for compliance auditors to evaluate. When encrypted and backed-up, archiving provides additional protections for information against loss and unauthorized exposure. n Anti-Spam & Anti-Virus: Protections from spam, phishing, and malware such as filters and antivirus software will also demonstrate adequate protections against unanticipated threats to the integrity and security of NPI. n User Training & Awareness: While the right mix of security technologies is necessary to achieve compliance, technologies are only as smart as the people using them. Educate users on acceptable use policies for ; train them to identify fraudulent , phishing scams and other pretexting threats. ENTERPRISE INFORMATION MANAGEMENT 4

5 Sarbanes-Oxley Act Introduction The Sarbanes-Oxley Act (SOX) was introduced in 2002 to bring greater accountability and transparency to the financial operations of public corporations. Namely, its provisions attempt to keep companies from cooking the books by demanding companies establish internal controls to accurately gather, process, and report financial information. With technology playing a crucial role in organizations financial operations, the call to implement internal controls extends to information systems used by finance, including systems. communication has become an important means of circulating financial information, yet it also remains vulnerable and exploitable. s many vulnerabilities malware, phishing attacks, unauthorized access create the risk of unauthorized disclosure, corruption, or loss of financial information. communication policy becomes a crucial part of SOX s internal controls to safeguard information from unauthorized use, disclosure, corruption or loss. Who is Affected by SOX? Sarbanes-Oxley currently applies to all US public companies, their global subsidiaries and any foreign company whose shares are traded on the US stock exchange. The act makes the chief executives and chief financial officers of companies personally responsible for the information that is included in their financial accounts and systems of internal financial control. Why Should My Organization Comply with SOX? To ensure that companies meet rules, SOX places harsh penalties on organizations and individuals who manipulate and falsify financial reports as well as for gross negligence regarding financial compliance requirements. Violators face up to 20 years in prison and or $5 million in fines for failing to keep financial operations and reporting compliant. Additionally, the SEC can distribute civil damages to investors who were harmed by corporations as well as censure brokers, dealers and investment advisors involved in potential noncompliance. What Does SOX Require for Compliance? While SOX does not explicitly mention requirements for security, two provisions: 302 and 404 include requirements directly relevant to security and compliance policy. Section 302 mandates that organizations establish, maintain and regularly evaluate the effectiveness of internal controls placed within systems that support financial operations. Similarly, section 404 tasks company management to provide evidence that verifies the effectiveness of internal controls in an annual report submitted to the SEC for consideration. ENTERPRISE INFORMATION MANAGEMENT 5

6 For additional guidance, the Information Systems Audit and Control Association has provided a widely-accepted framework that translates SOX requirements into more explicit control objectives, some of which apply to . This framework for compliance, known as the Control Objectives for Information and Related Technology (COBIT), in effect requires companies to implement policies and solutions that: n Identify and protect financial information against unauthorized access, transmission or disclosure. n Authenticate individual message senders and intended recipients. n Secure the transmission of communications containing financial information. n Secure message indexing, archiving, and retention. n Have the ability to audit and retrieve messages as needed by auditors and compliance officers. n Protect servers and other systems that store or process s containing financial information. n Track and log message traffic. These are the main control objectives that affect compliance. A full list of IT control objectives for SOX compliance can be found at cobit/pages/downloads.aspx How Can My Organization Meet These Requirements? There s no one size fits all policy or technology that works for every organization. However, there are a few steps every organization should take to develop a strategy for SOX compliance that aligns with your company s current processes and systems: 1. Identify where relevant financial information is within your company, how it is being circulated via , and who can and should have access to financial information. This will enable solutions to later encrypt, archive, or even block transmission of content based on users, user groups, keywords and other lexicons that identify your data as sensitive. 2. Identify what messages need to be archived and backed up and how to do so in a way that facilitates compliance auditing and ediscovery in the event of legal proceedings. 3. Implement technology solutions such as encryption, data leak prevention and archiving that can enforce compliance policy and provide necessary protections against unauthorized disclosure, corruption or loss of financial data. 4. Educate users on acceptable use policies for . When users understand proper workplace usage and the consequences of non-compliance, they will be less likely to let their guard down and make mistakes. ENTERPRISE INFORMATION MANAGEMENT 6

7 The Payment Card Industry Data Security Standard Introduction With over a 100 billion transactions occurring each year involving a credit, debit or prepaid card, the amount of cardholder data whizzing between merchants, payment processors and banks is astounding. To prevent cardholders information from falling into the wrong hands, the Payment Card Industry Data Security Standard (PCI DSS) was established to hold organizations to a common standard for securing cardholder information against unauthorized exposure and exploitation. First introduced in 2004 by the Card Industry Security Standards Council, The Payment Card Industry Data Security Standard (PCI DSS) is a stringent set of security standards that businesses must meet to transact using card information. Unlike compliance regulations administered by government organizations, PCI DSS defines specific security framework and technologies that businesses must implement to secure cardholder data wherever it resides, including . Who is Affected by PCI-DSS? PCI DSS applies to all merchants, retailers and other businesses and organizations who transact using major credit, debit and prepaid cards. Additionally, PCI DSS applies to third parties, such as payment card processors, who store and access cardholder information to process transactions on behalf of organizations that accept card payments. Why Should My Organization Comply with PCI-DSS? Failure to comply with PCI DSS protocols has far reaching consequences that can severely damage your business s bottom line and brand. Consequences for non-compliance include: n Fines: Banks and credit card institutions may, at their discretion, fine offending merchants up to $500,000 per security incident, and up to $50,000 per day for every day a business is operating in violation of security standards. n Suspension of Merchant Accounts: Card providers such as Visa and MasterCard can refuse to do business with merchants and organizations who don t meet compliance requirements. n Public Notification: Currently 38 states have laws requiring that data breaches exposing customer information (including cardholder data) be reported to customers affected. n Litigation: Organizations may face civil suits, damages and other costly legal proceedings as a result of cardholder data being exposed without authorization. n Loss of Reputation, Customers and Business: It takes years to build a credible reputation but only a few minutes to ruin one. A recent study by the Ponemon Institute showed that 31% of respondents terminated their relationship with an organization after receiving notification of a breach of data security. ENTERPRISE INFORMATION MANAGEMENT 7

8 What Does PCI-DSS Require for Compliance? Unlike the broad framework requirements of government regulations, PCI DSS is broken down into 12 major requirements that additionally specify policies and technologies businesses must implement to secure cardholder data. While not all requirements are relevant to security, the following requirements directly impact organizations messaging security. In short, they charge organizations to: n Protect stored cardholder data at rest and in transit. n Encrypt transmission of cardholder data across open, public networks including systems. n Use and regularly update anti-virus software on all systems commonly affected by malware. n Restrict access to cardholder data to a need-to-know basis. n Assign a unique ID to each person with computer access. n Track and monitor all access to network resources and cardholder data. n Regularly test security systems and processes. n Maintain a policy that addresses information security. PCI details further requirements and standards, dependent upon organization type and the volume of annual credit transactions, that determine the specific policies and technologies your organization should implement. While a complete list of technical and policy requirements can be viewed at the website of the Security Standards Council ( the next section identifies core technologies necessary for all organizations to comply with PCI requirements affecting messaging security. How Can My Organization Meet These Requirements? Several technologies and policy-best practices stand out as solutions to help meet PCI-DSS requirements in relation to n End-to-end encryption: PCI-DSS requires that sensitive information must be encrypted during transmission over public networks because it is easy and common for a malicious individual to intercept and or divert data while in transit. Examples of public networks in scope for PCI-DSS include the Internet, wireless technologies, Global System for Mobile communications (GSM) and General Packet Radio Service (GPRS). n Data Leak Prevention (DLP): A DLP solution for is essential for PCI-DSS compliance helping prevent accidental or malicious leaks of cardholder information through content filtering, authentication, and permissions rules that limit access and transmission of sensitive information. n Anti-Spam and Anti-Malware: PCI stipulates that organizations implement appropriate technologies to protect from phishing and malware at the gateway that could compromise the system and cardholder data. To protect against advanced malware and attacks, a firewall is essential but not enough. It becomes necessary to implement, regularly update and audit a firewall, filter and antivirus software to protect the messaging system from unexpected threats at the gateway. n User Training & Awareness: While the right mix of security technologies is necessary to achieve compliance, technologies are only as smart as the people using them. Educate users on acceptable use policies for ; train them to identify fraudulent , phishing scams and other pretexting that threatens the security of messaging system and integrity of customer information floating within it. ENTERPRISE INFORMATION MANAGEMENT 8

9 The Data Protection Act 1998 Data protection in the United Kingdom is governed by The Data Protection Act 1998, which was enacted in March It regulates the obtaining, holding, using, processing and disclosing of personal data, information related to identifiable living individuals. The Act applies both to manual data and data processed by computers. communication is an important means of circulating personal data, yet it also remains vulnerable and exploitable. s many vulnerabilities malware, phishing attacks, unauthorized access create the risk of unauthorized disclosure, corruption, or loss of financial information. communication policy is a crucial part of protecting individual rights related to their personal data. Who is Affected by the Data Protection Act? The Data Protection Act creates obligations for data controllers, defined as a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. Data controllers will usually be organisations, but can be individuals such as self-employed consultants. Every data controller processing personal information must register with the Information Commissioner s Office (ICO), unless they are exempt. Why Should My Organization Comply with The Data Protection Act? Data controllers must ensure that any processing of personal data for which they are responsible, whether they do it in-house or engage a data processor, complies with the Data Protection Act. Failure to do so can result in enforcement, even prosecution, and compensation claims from individuals. To encourage compliance to the Data Protecton Act, the ICO has the power to issue monetary penalties of up to 500,000 for serious breaches of the Data Protection Act occurring on or after 6 April Additionally, the ICO has the discretion to investigate and prosecute criminal offences related to the Data Protection Act. What Does The Data Protection Act Require for Compliance? The Data Protection Ace provides eight core principles for data protection that organisations must follow. Three key components of the act directly impact security: Principle 5: Retaining personal data - Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Organisations should review the length of time personal data is stored, consider the purpose of the data then determine whether it needs to be retained, deleted or archived. Principle 7: Information Security - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. ENTERPRISE INFORMATION MANAGEMENT 9

10 Principle 8: Sending personal data outside European Economic Area (EEA) - Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. If you are considering sending personal data outside the EEA, the ICO provides a checklist to help you decide if the eighth principle applies and, if so, how to comply with it to make a transfer: How Can My Organization Meet These Requirements? The Data Protection Act does not explicitly identify every specific technology organizations should implement as safeguards to achieve compliance, however, several technologies and best practices stand out as clear solutions to meet requirements in relation to n End-to-end encryption: The ICO does specifically recommend using encryption software to prevent the compromise of information during transmission across the internet, processing and storage. n Data Leak Prevention (DLP): A DLP solution for is essential for providing enhanced security through content filtering, authentication, and permissions rules that limit access and transmission of sensitive information intentionally or accidentally sent within and outside the organization. n Archiving: An archiving system will enable organizations to meet control objectives for message retention and auditing by capturing, preserving and making all traffic easily searchable for compliance auditors to evaluate. When encrypted and backed-up, archiving provides additional protections for information against loss and unauthorized exposure. n Anti-Spam & Anti-Virus: Protections from spam, phishing, and malware such as filters and antivirus software will also demonstrate adequate protections against unanticipated threats to the integrity and security of personal data. n User Training & Awareness: While the right mix of security technologies is necessary to achieve compliance, technologies are only as smart as the people using them. Educate users on acceptable use policies for ; train them to identify fraudulent , phishing scams and other pretexting threats. ENTERPRISE INFORMATION MANAGEMENT 10

11 Additional Compliance Considerations While it is critical to implement an solution that conforms to the regulations discussed above, today s solutions are too often ine ective because they deliver a poor user experi - ence. According to a 2011 study by the Ponemon Institute, over half of encryption users were frustrated with their encryption solutions being inflexible and difficult to use. security should complement existing solutions rather than complicate them. In fact, when systems are too complex users commonly turn to unsecure alternatives, defeating the purpose of the system. One of the root causes of solution complexity is Public Key Infrastructure (PKI) management, which is time-consuming and costly from a resource allocation perspective. Also according to the Ponemon study, About 52 percent of the businesses said they have had serious key management problems, with about a third claiming that keys were lost or misplaced and another third citing key failure. PKI management used to be a requirement for secure systems, but this is no longer true. Today, cloud-based systems can perform automatic key management, which removes the management burden, and simplifies the user experience. Therefore, when considering a solution for secure , it s important that it conforms to requirements without compromising the functionality and workflow of existing that your business depends on. This means implementing a solution that allows easy and scalable deployment, simplifies management complexity, and works with your existing infra - structure to enable the productivity and functionality that users expect. About OpenText OpenText provides Enterprise Information Management software that enables companies of all sizes and industries to manage, secure, and leverage their unstructured business information, either in their data center or in the cloud. Over 50,000 companies already use OpenText solutions to unleash the power of their information. Copyright Open Text Corporation OpenText is a trademark or registered trademark of Open Text SA and/or Open Text ULC. The list of trademarks is not exhaustive of other trademarks, company names, brands and service names mentioned herein are property of Open Text SA or other respective owners. All rights reserved.