Banking Industry Regulations: Don t Burn A Hole In Your Pocket

Transcription

1 Banking Industry Regulations: Don t Burn A Hole In Your Pocket If you ever mention the word compliance in a social gathering of bankers, you will evoke very animated responses from even the dullest of dull. Regulation in the banking industry has undergone a sea of changes in the last over ten years. The result is today s heavily regulated banking industry, which faces the challenge of fitting regulatory compliance into constrained information security budgets. While there arguably are many regulations and standards to comply with, the right approach can ensure that compliance doesn t burn a hole in your pocket. As a matter of fact, you can stay well within your budget and attain compliance at the same time. The Regulatory Scene First, a brief look at some of the important information security regulations and industry standards that banks and financial institutions are likely to encounter. Gramm-Leach Leach-Bliley Act (GLBA) The Gramm-Leach-Bliley Act mandates that financial institutions develop standards for administrative, physical and technical safeguards to protect the non-public personal information of their customers from being disclosed to third parties. Further guidance issued in January 2003 requires banks to take specific action to protect all information assets, not just customer information. At a high level, the GLBA requires: Implementing and maintaining a comprehensive and ongoing information security program. Assessing and evaluating threats and associated risks with the help of comprehensive risk assessments. Implementing controls that are commensurate with the associated risk identified in the risk assessment process. Instating pretexting 1 protection, which involves implementing safeguards against social engineering attacks, in the form of evaluations, audits and employee training. Oversight of service providers. Board of Directors involvement and approval, supported by annual reporting.

2 Fair and Accurate Credit Transactions Act (FACTA) FACTA came into effect as an amendment to the Fair Credit Reporting Act (FCRA) to address the growing problem of identity theft. Financial institutions faced a mandatory deadline of November 1, 2008 to comply with the new FACTA regulations referred to as the Red Flag Rules (addressed in sections 114 and 315 of the FACTA). Compliance with Section 315 has subsequently been postponed by the Federal Trade Commission (FTC) to May 1, The Red Flag Rules require: Performance of on-going and comprehensive risk assessments to identify covered accounts and related threats that pose a reasonably foreseeable risk of identity theft. Based on the risk assessment, a comprehensive identity theft prevention program is required. Further, management and oversight of the program is required. The implementation of formal change of address procedures that properly verify the validity of a customer s change of address request. Employee training to ensure that employees are knowledgeable in the concepts of identity theft and are fully able to recognize and counter threats posed by it. Development of specific policies, procedures and practices to combat identity theft. Oversight of third party providers. Payment Card Industry Data Security Standards (PCI DSS) While PCI DSS is a standard, not a regulation, the worldwide security standard is effectively as good as a regulation because the PCI Security Standards Council (PCI SSC) is comprised of founding members American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. So, effectively, if you were ever planning on issuing credit cards that bear any one of these logos, you would have to comply with the PCI DSS. Depending upon the quantity and nature of transactions you process as a merchant or service provider, you may have to undergo at least one of the following: A network scan performed quarterly by an Approved Scanning Vendor (ASV). An annual on-site review and assessment by a Qualified Security Assessor (QSA) which includes a review of network security, cardholder data protection, vulnerability management, access control measures, networking monitoring and testing, and information security policies. An annual self-assessment questionnaire which is a validation tool to assist merchants and service providers in selfevaluating their compliance with the PCI DSS. Further, the PCI DSS states that if you need to do an on-site assessment or you need to complete the self-assessment questionnaire, you need to perform external and internal penetration tests at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

3 A Collective Approach A cursory look at the regulations and standards we briefly covered might appear too costly for any average budget. However, a closer, analytical look reveals that the key is to go about compliance with the right approach the collective approach. Combining requirements of different regulations and addressing them collectively will not only save you a significant amount of time and money, but will also equip you with more efficient and effective information security. Risk Assessment GLBA and FACTA both require risk assessments that consider all reasonably foreseeable threats and then require implementing controls that commensurately address the risks identified. While the focus of the risk assessments is slightly different - GLBA emphasizes information security and FACTA underscores identity theft - resources to conduct them can be greatly reduced if the logistics are carried out in a parallel fashion. Key risk assessment components, such as asset identification and classification, threat identification and analysis, and safeguard identification and implementation, can be performed to collectively address the requirements of both the GLBA and the FACTA. Information security and identity theft are areas of considerable overlap; one cannot really be considered without taking the other into perspective. So it is fitting that these be collectively addressed even though they may be documented separately for compliance purposes. Comprehensive Program GLBA and FACTA both require a comprehensive program document that addresses information security and identity theft. While the program documents would need to be separate, a number of key components are closely tied and at times the same. For instance, aspects such as logical/physical security, incident response, service provider oversight, legal issues, and help desk would actually be better addressed if they were viewed from the angles of information security as well as identity theft. Penetration Testing and Vulnerability Assessments GLBA regulators often look for evidence that penetration testing and vulnerability assessments are performed, at least at a network level, on a periodic basis. Under the light of the GLBA, penetration testing and vulnerability assessment results need to be conducted in conjunction with risk assessments. Under PCI DSS, the likelihood is high that quarterly network scans will need to be performed. Also, external and internal penetration testing is a requirement under the PCI DSS. The penetration tests and vulnerability assessments you perform for addressing GLBA requirements can go a long way in helping you comply with the PCI DSS. If external and internal penetration tests are performed and followed-up rigorously and comprehensively, your organization s security will increase greatly and you will have no need to engage in any additional efforts to comply with the PCI DSS requirements, both on quarterly scanning and penetration testing. Further, if you were to undergo an on-site QSA audit, vulnerability assessments done diligently will ensure that lesser stones need to be unturned.

4 Social Engineering Social Engineering evaluations are performed to find out how weak your weakest link is. People are deemed the weakest link in information security because their helping nature often leads to disclosure of sensitive information. Newer techniques such as phishing 2 and vishing 3 have proven to be quite successful for hackers. While social engineering evaluations are highly encouraged for GLBA, as it offers steps against pretexting, they serve as exceptional tools to counter identity theft. Identity thieves are often very clever and skilled at using social engineering so social engineering evaluations can be highly effective in combating the threat. The evaluation results can then also be used to present to FACTA regulators as additional steps being taken at the organization to address identity theft demonstrating to regulators organizational responsibility. Employee Training Information security and identity theft are, without doubt, two areas that can benefit the most from employee training. An employee educated in the risks that he/she may face on the job that could seriously undermine the organization s reputation and sustainability can often avert serious security or identity theft incidents. Employees are best trained on information security and identity theft simultaneously. Employees need to know where these two areas overlap, because an incident in one area could almost immediately impact the other. From a regulatory standpoint, a clearly common aspect about employee training as required by the GLBA and the FACTA is that the training needs to be a coordinated effort between different areas of the organization. Hence, it should be provided to the entire enterprise and must have the clear support and direction from the board of directors. A collective training program encompassing information security and identity theft, and further tailored to meet different audiences within an organization, will minimize resource expense and result in a well-trained, intelligent, and efficient workforce. Service Provider Oversight With the growing reliance on outsourcing, the important element of oversight is often overlooked. It is important to remember that work sent outside the organizational perimeter is still the organization s own work. An issue as sensitive as information security is vital to an organization s reputation. It is essential to ensure that a service provider is as secure as you are. The regulatory requirement aside, a responsible attitude towards service provider oversight is a fundamental building block of information security. The GLBA and the FACTA both require diligent service provider oversight. Ensure that due diligence is exercised during service provider selection. Service providers should be required by contract to implement appropriate safeguarding measures. Service providers should also be required to immediately notify the parent organization of any security breach at their end. Service provider oversight measures, supported by ongoing monitoring can go a long way to ensure a robust information security environment and at the same time it will bring you GLBA and FACTA compliance in a single effort.

5 Smart Compliance Ever-growing regulatory requirements and limited information security budgets can be a challenging conflict. Yet organizations cannot forego one for the other. All regulatory requirements come with heavy penalties for non-compliance. It is vital that requirements from different regulations be coupled and addressed collectively. Bear in mind that regulatory compliance is just one side of the coin. The reputation and sustainability of an entire business is in question when it comes to information security. Implementing the collective approach in a methodical and goal-oriented manner is essential to manage enterprise risk the right way. References

6 ERM wants to hear from YOU. With this edition of our newsletter, we re rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to editor@emrisk.com. Enterprise Risk Management: At a Glance ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future. Services IT Security Regulatory Compliance IT Audit Computer Forensics Risk Management Attestation Certifications Certified Public Accountant (CPA) Certified Information Systems Security Professional (CISSP) Certified Information Systems Auditor (CISA) Certified Information Systems Manager (CISM) Certified Information Technology Professional (CITP) GIAC Security Essentials Certification GIAC Systems and Network Auditor Qualified Security Assessor (QSA) Approved Scanning Vendor (ASV) Some of our Clients ABN-AMRO Private Banking Bacardi-Martini, Inc. Bancafe International Banco Industrial de Venezuela Banco ITAU Bank United Caja Madrid Bank Carnival Cruise Lines, LLC CitiBank Coconut Grove Bank Commerce Bank E-data Financial Florida International University Florida Power & Light Company Heico Aerospace Helm Bank Knight Ridder Nova Southeastern University Rinker Materials Rudy, Exelrod & Zieff, LLP Seabourn Cruise Line TecniCard, Inc. The International Bank of Miami TransAtlantic Bank U.S. Century Bank For more information, visit info@emrisk.com Phone: Douglas Road North Tower, Suite 835 Coral Gables, FL 33134