Financial Information Security
Arguably, beyond the government itself, no industry has a greater impact on the health of our economy than financial services. And nothing has a greater impact on a financial entity than to lose the confidence and trust of its customers. The convergence of Personally Identifiable Information (PII), wealth, and business risk make the industry a target for regulation and crime in a manner unique to its importance.
Financial organizations are characterized by:
- Complex, interconnected IT environments with a wide mix of both state-of-the-art and legacy information systems.
- Reliance on a wide array of third parties to deliver comprehensive services to clients.
- An escalated risk profile relating to the wealth of directly “financially linked” PII that is unique to the financial industry.
- An escalated compliance profile relating to the escalated risk profile
Diagnosis: Financial Pain Points
- Demonstrating compliance with the myriad of overlapping and ambiguous standards (e.g., GLBA, PII, PCI, FFIEC, OTS).
- Addressing the challenges associated with Financial Identity Theft while concurrently providing higher levels of service and access in an increasingly competitive industry. Integral to this is a need to understand and manage risk relating to organized crime and crimeware (e.g. Zeus, Spy Eye).
- Managing third-party risk associated with the growing need to share sensitive data with partners (e.g., brokers, investor communications, transaction cost analysts) to achieve business/operational goals.
- Ensuring that Online and Mobile banking systems are secured and operationalized so as to guarantee that access to capital and PII is restricted to those authorized.
The Information Assurance “Prescription”
Addressing the unique challenges of financial information security likewise requires a unique and flexible approach.
Typical engagements include:
- Information Security Gap Assessment – Is the design of our environment consistent with prevailing guidance? Gap Assessments may be scoped to address different elements (e.g., trading network, Wholesale Payment System, Online Banking, etc.) or to focus on one or more regulations (e.g., FFIEC Information Security Handbook, GLBA, SEC, OTS, NCUA).
- BITS Shared Assessment / ISO 27002 Gap Assessment – Increasingly, financial institutions are realizing that the best way to know they’re secure and prove they’re compliant with a myriad of regulations is to align their Information Security Management System (ISMS) with a Security Framework.
- Design/Compliance Assessment support via Vulnerability Assessments and Penetration Tests at the network/applications/people/facilities layers to ensure net security objectives are being achieved.
PII/Identity Theft Simplified
Protecting PII is exceptionally challenging because it requires a holistic approach to ensuring the security of the processes that act on the information – as well as the assets (servers, networks, applications, personnel, facilities) that support these processes.
- Secure Data Flow Diagrams (SDFD) – Identify critical risks and the required security controls at each point where information is acted on in your environment.
- Risk Assessment – The SDFD can easily be extended into a formal Risk Assessment to comply with relevant HIPAA requirements.
- Database Security Assessment – At the heart of all financial applications sits an array of databases housing PII. Ensuring that Configuration, Vulnerability, User, Privileged User, and Log Management practices are designed and operating correctly is critical to securing PII and ensuring the integrity and provability of the transactions they process.
- Malware/Crimeware Assessment – Malware is especially problematic in the financial services space as the impact of credential theft is notably higher. Protecting against malware requires a wide array of information security controls working in a complementary and holistic manner. These include: anti-virus, security awareness training, intrusion prevention, access filtering, Data Loss Prevention (DLP), Security Event Monitoring, and Incident Response. Our Malware Assessments can be tuned to ensure that one or all of these elements work together to mitigate the risk of malware to an acceptable level.
Third Party Risk Simplified
Our Vendor Risk Management practice ensures:
- Third-party security risks and compliance requirements are identified and communicated.
- Agreements evolve as business, technologies, and threats do.
- Monitoring mechanisms ensure third parties achieve your security objectives.
- Security Incidents are identified, responded to, and learned from.
Online and Mobile Banking Security Simplified
The potential impact of a breach of an online banking system necessitates a comprehensive information security approach similar to the formal Security Certification & Accreditation activities prevalent in the government sector:
- Requirements Gap Assessment during the Requirements phase to ensure that the security requirements are sufficient to achieve security and compliance objectives.
- Design Gap Assessment during the Design phase to ensure that the system’s design is fully consistent with the specified requirements.
- Security Certification & Accreditation activities prior to deployment, to ensure that the implementation is fully consistent with the design, and that the supporting organizational elements are in place and operating as intended. This phase often includes a wide array of substantiative assessment activities including; Application Code Scans, Application Vulnerability Assessments & Penetration Tests, Network Vulnerability Assessments & Penetration Tests, Database Vulnerability & Configuration Assessments.
- Monitoring and ongoing Risk Management during the Operations phase to ensure that the security and compliance posture is maintained.
Why Partner with Pivot Point Security?
Pivot Point Security has the right combination of Information Security/Compliance domain expertise, technology industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant.
- Domain expertise means we know the ins and outs of the FFIEC, SEC, OTS, and other regulations you need to comply with. It also means that we are experts in the Security Frameworks (BITS Shared Assessment, ISO 27001, ISO 27002, OWASP, COBIT) that should form the basis of Information Security Management Systems.
- Financial sector experience means you won’t have to spend time explaining to us what a core processor is, why your Wholesale Payment Systems is critical, or what the impact of a service disruption will be.
- Organizational character means we have the competence to do the job well in a transparent and straightforward manner that makes working with us something you’ll appreciate.
Pivot Point Security is a great choice to help you easily address your Information Security and Compliance challenges.
Representative Financial Clients
View more representative Financial Industry clients of Pivot Point Security
She’s the CSO – of an internationally recognized Financial Services company.
She started the year with several initiatives aimed at addressing risks of concern.
Acquisitions and consolidations (with associated outsourcing) have dominated her teams time to date.
The risks haven’t gone away… and now she has some new ones. She needed help.