CORE Security and GLBA

Similar documents
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Attack Intelligence: Why It Matters

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

IBM Security QRadar Risk Manager

2011 Forrester Research, Inc. Reproduction Prohibited

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

FIVE PRACTICAL STEPS

Leveraging a Maturity Model to Achieve Proactive Compliance

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

IBM Security QRadar Risk Manager

Continuous Network Monitoring

Payment Card Industry Data Security Standard

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

PUTTING NIST GUIDELINES FOR INFORMATION SECURITY CONTINUOUS MONITORING INTO PRACTICE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

CORE Insight Enterprise

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Real-Time Security for Active Directory

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

How To Buy Nitro Security

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

TABLE OF CONTENTS INTRODUCTION... 1

IT Security & Compliance. On Time. On Budget. On Demand.

I D C A N A L Y S T C O N N E C T I O N

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Total Protection for Compliance: Unified IT Policy Auditing

Advanced Threat Protection with Dell SecureWorks Security Services

How To Manage Security On A Networked Computer System

TRIPWIRE NERC SOLUTION SUITE

Solutions Brochure. Security that. Security Connected for Financial Services

Extreme Networks Security Analytics G2 Risk Manager

Integrated Threat & Security Management.

Cybersecurity Issues for Community Banks

Securing the Cloud Infrastructure

North American Electric Reliability Corporation (NERC) Cyber Security Standard

How To Handle A Threat From A Corporate Computer System

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Cisco Advanced Services for Network Security

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

IBM Security Intrusion Prevention Solutions

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Overview 1. Coordination with GLBA Section 501(b) 1. Security Objectives 2. Regulatory Guidance, Resources, and Standards 2. Overview 3.

IBM Security QRadar Vulnerability Manager

SANS Top 20 Critical Controls for Effective Cyber Defense

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

QRadar SIEM 6.3 Datasheet

Managing security risks and vulnerabilities

Preemptive security solutions for healthcare

Extreme Networks Security Analytics G2 Vulnerability Manager

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Compliance Management, made easy

The Business Case for Security Information Management

Breaking down silos of protection: An integrated approach to managing application security

NEC Managed Security Services

Attachment A. Identification of Risks/Cybersecurity Governance

Sarbanes-Oxley Compliance for Cloud Applications

Security. Security consulting and Integration: Definition and Deliverables. Introduction

Leveraging Network and Vulnerability metrics Using RedSeal

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

The Path Ahead for Security Leaders

Leveraging Privileged Identity Governance to Improve Security Posture

Understanding Vulnerability Management Life Cycle Functions

NERC CIP VERSION 5 COMPLIANCE

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Alcatel-Lucent Services

Cisco Security Optimization Service

Information Security Program CHARTER

White Paper The Dynamic Nature of Virtualization Security

How To Test For Security On A Network Without Being Hacked

INFORMATION SECURITY STRATEGIC PLAN

PCI Data Security Standards (DSS)

Defending the Database Techniques and best practices

SECURITY. Risk & Compliance Services

Privilege Gone Wild: The State of Privileged Account Management in 2015

Proven LANDesk Solutions

Governance, Risk, and Compliance (GRC) White Paper

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

Vulnerability management lifecycle: defining vulnerability management

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Transcription:

CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com blog.coresecurity.com

Introduction The Gramm-Leach-Bliley Act (GLBA) of 1999 was enacted in response to the rapid increase in Internet banking and online access to account information. GLBA Section 501(b), titled Establishing Standards for Safeguarding Customer Information, requires financial institutions in the United States to create information security programs that: Ensure the security and confidentiality of customer information; Protect against any anticipated threats or hazards to the security or integrity of such information; and, Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Penalties for non-compliance include fines to businesses of up to $100,000 per violation, fines for officers and directors of up to $10,000 per violation, criminal penalties of up to five years in prison, and revocation of professional licenses. GLBA doesn t prescribe any technologies or exact guidelines of developing such a program to safeguard customer information and integrity. Instead, the Federal Financial Institutions Examination Council (FFIEC), comprised of examiners from many different regulatory bodies, is tasked with GLBA enforcement. The FFIEC IT Examination Handbook and the FFIEC Authentication in an Internet Banking Environment supplement as well as numerous enterprise risk management frameworks prescribed by COSO, COBIT and NIST assists auditors with exhaustive tests to assess compliance with GLBA Section 501b. The examination steps for Section 501(b) include the following considerations: Involvement of the board in overseeing and designing the corporate information security program Evaluation of the risk assessment process Evaluation of the adequacy of the program to manage and control risk Assessment of measures to oversee service providers Process to adjust the information security program Communication of findings Addressing GLBA Requirements with CORE Security Solutions IT security guidance from the FFIEC provides risk professionals and auditors the necessary best practices to fulfill and enforce GLBA Section 501b. Predictive security intelligence solutions from CORE Security address much of the FFIEC guidance as detailed in the table on the following pages. 2

Information Security Risk Assessment (from FFIEC IT Financial institutions must maintain an ongoing information security risk assessment program that effectively: Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements; Analyzes the probability and impact associated with the known threats and vulnerabilities to their assets; and Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation. Conduct Proactive, Real-World Risk Assessments Our predictive security intelligence solutions enable financial institutions to proactively identify critical threats, see how risk changes over time as technology and business processes evolve, and prioritize their risk and security practices to stay ahead. Continuously assess changing infrastructure against the latest threats and proactively identify weaknesses posing imminent risks Leverage automation and delegation to increase the scale and frequency of security assessments across large IT environments Add deeper intelligence and context to vulnerability and threat data through actual testing and simulation; enabling security and risk teams to prioritize and remediate the most critical threats. Risk Assessments (from Authentication in an Internet Banking Environment supplement) Institutions must establish a Risk Assessment that accounts for: Constantly evolving threats to both its internal and external environment Changes to how customers utilize online banking systems, or when new services are introduced Actual security incidents which occur within the institution and industry The Risk Assessment must be reviewed, updated or performed at least every 12 months Information Security Strategy (from FFIEC IT Build Risk Preemption into Your Security Strategy Financial Institutions should develop a strategy that defines control objectives and establishes an implementation plan, including appropriate considerations of prevention, detection, and response mechanisms as well as layered controls that identify threats to organizational assets. Prevent and proactively defend against newer types of threats such as malware and advanced persistent threats through real world replication and simulation of attacks Conduct multi- and cross-vector analysis across web applications, network systems, and endpoints to identify exposures across layered controls and 3

access to organizational assets such as IP or customer data Reduce the overall response and remediation time by alerting security and downstream IT teams to the highest priority vulnerabilities Security Controls Implementation (from FFIEC IT An effective control mechanism includes numerous controls to safeguard and limits access to key information system assets at all layers in the network stack. This section addresses logical and administrative controls, including access rights administration for individuals and network access issues. Layered Security Controls (from Authentication in an Internet Banking Environment supplement) Institutions should implement a strategy of Layered Security to protect online transactions: Use different controls at different points in a transaction to help mitigate any weaknesses Use a risk-based approach where controls are strengthened as risk increases Deploy processes that detect and respond to suspicious activities at the riskiest points of online transactions Enhance the controls over system administrators who manage online access and configurations of commercial accounts Use the results of the Risk Assessment to adjust levels of authentication controls accordingly. Verify Security Controls Efficacy FFIEC guidance acknowledges that diverse security controls at different points in a transaction flow can help mitigate weaknesses. Most banks also realize that single layer of authentication will simply not work with constant change and myriad of technologies. As a result, CISOs and CROs must grapple with multiple layers of security technologies and somehow consolidate and understand the data they provide. CORE solutions offer continuous and consistent application to monitoring and assessment to keep up with diverse controls environments. Continuously assess large, diverse IT environments Assess IPS/IDS, firewalls and other defenses against real-world network, client-side and web application attack techniques Ensure that defensive technologies are configured and updated to protect against current threats Reveal paths that attackers and malicious insiders would use to circumvent security controls and access sensitive assets Maintain asset visibility by automatically sensing and adapt to changes in infrastructure Repeat assessments to validate the efficacy of new or updated security controls Security Threat & Process Monitoring & Updating (from FFIEC IT Financial institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should then use that information to update the risk assessment, strategy, and Stay Ahead of Evolving Threats Things change -- Financial institutions should validate their ongoing risk mitigation strategy and processes by monitoring network and host activity to identify policy violations, anomalous behavior, unauthorized configuration, and other conditions that increase risk. They should also analyze the results of monitoring to accurately and quickly identify, classify, escalate, report 4

implemented controls. and guide responses to security incidents. CORE solutions enable financial institutions to: Assess systems designated as critical and delivers proactive alerts regarding the latest threats and impacts to those systems Assimilate data from multiple sources (e.g., network and web scanners) to validate potential threats as real Pinpoint what is truly exploitable, enabling smarter decisions to prioritize and escalate remediation actions. Deliver data using terminology specific to the organization, system, location, mandates, data types, etc. Validate security metrics; benchmark & track risk posture About CORE Security CORE Security is the leading provider of predictive security intelligence solutions. We help more than 1,400 customers worldwide preempt critical security threats and more effectively communicate business risk. Our award-winning enterprise solutions are backed by over 15 years of expertise from the company s CORE Labs research center. Learn more at www.coresecurity.com. 41 Farnsworth Street Boston, MA 02210 USA Ph: +1 617.399.6980 www.coresecurity.com Blog: blog.coresecurity.com Twitter: @coresecurity Facebook: CORE Security LinkedIn: CORE Security 2012 CORE Security and the CORE Security logo are trademarks or registered trademarks of CORE SDI, Inc. All other brands & products are trademarks of their respective holders. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information