When the FTC introduced proposed changes to GLBA’s Safeguards Rule last year, security experts sat up and took notice. The updates marked the first major changes in fifteen years and expanded the scope of covered entities under GLBA. In addition, the proposed changes would require financial institutions to perform risk assessments at regular intervals, to report any findings to board members, and to mitigate risks by encrypting customer data, using multi-factor authentication, and implementing other measures to prevent unauthorized access to customer data.
For many retail banks, the prospect of performing a thorough risk assessment can feel daunting given the numerous and sometimes competing regulatory requirements. However, by segmenting risk assessment and risk mitigation into manageable steps, even retail banks new to the process can create a solid foundation for developing and managing a robust data security program. These ten steps provide an effective roadmap to help safeguard data from cybersecurity threats.
Step 1: Identify and allocate resources
The first step to performing a comprehensive risk assessment is to take stock of your operational and technological environment and determine what resources you will need to uncover potential vulnerabilities. Performing quarterly vulnerability scans and annual penetration tests of any networks that store or process sensitive information is a good place to start. You also need to decide who will perform the assessment. Will you rely on an internal audit team or retain a third-party auditor? What additional resources will you need to allocate to mitigate risks once you’ve identified them?
Step 2: Perform a data inventory
Once you’ve allocated resources for performing the risk assessment, you need to perform a thorough data inventory. Start by identifying which systems store or process sensitive data. If you use third-party service providers or vendors who process or store data on your behalf, be sure to include them as well. Next, identify what types of data each system processes. Then, classify the sensitivity of all the information in those systems. Once you’ve identified what data you’re processing or storing, you are better prepared to identify which systems are most vulnerable, to identify possible safeguards, and to prioritize spending to protect these systems.
Step 3: Review user access
You also want to examine how and where employees access data. Do they perform all work onsite, or do some employees access your network remotely? Do they use individual computers and other devices to perform some of their work? Are they transporting laptops between a branch and a home office? The answers to these questions establish whether employees are accessing sensitive information in a secure environment, and they also help prevent data breaches arising from lost or stolen devices.
When reviewing access privileges, make sure you have a complete list of all users for every system that stores or transmits customer data. Suspend or terminate any inactive accounts and evaluate whether each user needs their existing level of access to perform their assigned duties. A best practice is to limit access privileges to the minimum necessary for those duties (the principle of least privilege). For users with elevated privileges, follow the ISACA and SSH Communications Security guidelines on privileged access. SSH keys are now widely used, and banks and other financial institutions can unknowingly put themselves at risk if SSH keys are not managed properly: improperly managed SSH keys can be leveraged by attackers to penetrate the IT infrastructure and move across a network without detection.
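The two checks this step calls for, an inactive-account and least-privilege review of a per-system user list and an audit of SSH keys for missing management controls, can be automated. The script below is an added example written for this article, not code from the author or DATAMATX; the user export, the department-to-role matrix and the authorized_keys entries are all constructed (the RSA and ed25519 blobs are built from dummy values so the parser has valid input, and are not real keys). It flags accounts that have never logged in or have been idle past a threshold, accounts whose role exceeds what their department needs, and keys that are deprecated, too short, or installed without a source (`from=`) restriction or forwarding restriction.

```python
import base64
import re
import struct
from datetime import date

# ---- Part 1: access review over a per-system user export (constructed sample) ----
ACCESS_EXPORT = [
    {"user": "jdoe",      "system": "core-banking",     "dept": "branch",  "role": "teller",      "last_login": "2024-05-20"},
    {"user": "asmith",    "system": "core-banking",     "dept": "branch",  "role": "admin",       "last_login": "2024-01-03"},
    {"user": "svc-batch", "system": "core-banking",     "dept": "it",      "role": "admin",       "last_login": None},
    {"user": "mlee",      "system": "loan-origination", "dept": "lending", "role": "underwriter", "last_login": "2024-06-01"},
    {"user": "rpatel",    "system": "loan-origination", "dept": "it",      "role": "admin",       "last_login": "2024-06-02"},
]
# Constructed least-privilege matrix: the roles each department needs for its duties.
ALLOWED_ROLES = {"branch": {"teller"}, "lending": {"underwriter"}, "it": {"admin"}}

def find_inactive_accounts(records, as_of_iso, max_idle_days=90):
    """Accounts that never logged in, or whose last login is older than max_idle_days."""
    as_of, hits = date.fromisoformat(as_of_iso), []
    for r in records:
        if r["last_login"] is None:
            hits.append((r["user"], r["system"], "never logged in"))
            continue
        idle = (as_of - date.fromisoformat(r["last_login"])).days
        if idle > max_idle_days:
            hits.append((r["user"], r["system"], f"idle {idle} days"))
    return hits

def find_excess_privilege(records, allowed=ALLOWED_ROLES):
    """Accounts holding a role their department does not need (least-privilege violation)."""
    return [(r["user"], r["system"], r["role"])
            for r in records if r["role"] not in allowed.get(r["dept"], set())]

# ---- Part 2: authorized_keys audit ----
def _ssh_string(b):                      # SSH wire format: 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _mpint(n):                           # SSH mpint: leading zero byte keeps the value positive
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)

def _read_string(buf, off):
    (ln,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + ln], off + 4 + ln

def rsa_modulus_bits(blob_b64):
    """Decode an ssh-rsa wire blob (type, e, n) and return the modulus size in bits."""
    buf = base64.b64decode(blob_b64)
    ktype, off = _read_string(buf, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    _e, off = _read_string(buf, off)
    n, _ = _read_string(buf, off)
    return int.from_bytes(n, "big").bit_length()

def _split_options(s):
    """Split 'a,b="x,y",c' on commas that sit outside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(cur); cur = ""
        else:
            cur += ch
    return parts + [cur] if cur else parts

_KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?$")

def audit_authorized_keys(text, min_rsa_bits=2048):
    """Return one finding per key entry that violates the key-management checks."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            findings.append({"line": lineno, "comment": "", "issues": ["unparseable entry"]})
            continue
        ktype, blob, comment = m.group(1), m.group(2), m.group(3) or ""
        names = {o.split("=", 1)[0] for o in _split_options(line[:m.start()].strip())}
        issues = []
        if ktype == "ssh-dss":
            issues.append("deprecated ssh-dss key")
        elif ktype == "ssh-rsa":
            try:
                bits = rsa_modulus_bits(blob)
                if bits < min_rsa_bits:
                    issues.append(f"RSA modulus {bits} bits is below {min_rsa_bits}")
            except (ValueError, struct.error):
                issues.append("unparseable key blob")
        if "from" not in names:
            issues.append("no from= source restriction")
        if not names & {"restrict", "no-port-forwarding"}:
            issues.append("forwarding not restricted")
        if issues:
            findings.append({"line": lineno, "comment": comment, "issues": issues})
    return findings

# Constructed key blobs with dummy values (NOT real keys) so the audit has valid input.
def _blob(ktype, *fields):
    return base64.b64encode(_ssh_string(ktype) + b"".join(fields)).decode()

WEAK_RSA = _blob(b"ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1))   # 1024-bit dummy modulus
ED25519 = _blob(b"ssh-ed25519", _ssh_string(bytes(32)))                  # dummy 32-byte point
DSS = _blob(b"ssh-dss", _mpint(1))                                       # only the type tag is inspected

AUTHORIZED_KEYS = f"""# constructed authorized_keys for the svc-batch account
from="10.20.0.0/16",restrict,command="/opt/batch/run" ssh-ed25519 {ED25519} batch@ops
ssh-rsa {WEAK_RSA} legacy@laptop
no-port-forwarding ssh-dss {DSS} old@vendor
"""

if __name__ == "__main__":
    print("inactive:", find_inactive_accounts(ACCESS_EXPORT, "2024-06-15"))
    print("excess privilege:", find_excess_privilege(ACCESS_EXPORT))
    for f in audit_authorized_keys(AUTHORIZED_KEYS):
        print(f"authorized_keys line {f['line']} ({f['comment']}): {', '.join(f['issues'])}")
```

The 90-day idle threshold, the 2048-bit RSA floor and the department-to-role matrix are assumptions to be replaced with the institution's own access policy; the audit's value is that it produces a reviewable list of exceptions per system rather than relying on a manual read of each user list.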
Step 4: Assess the adequacy of technical safeguards
Ensuring that you have effective technical safeguards to detect and prevent unauthorized access is one of the most important steps you can take to protect your data. The National Institute of Standards and Technology (NIST) recommends instituting a comprehensive continuous monitoring plan that covers operational visibility, managed change control, and attention to incident response duties. Security-related information collected during continuous monitoring is used to determine whether system security is operating as intended and in accordance with applicable federal law, guidelines, and policies. When performing a risk assessment, pay close attention to payment card systems and implement the appropriate controls to comply with GLBA and PCI DSS requirements. Effective security measures include protecting your network perimeter with a well-rated hardware firewall, performing electronic payments over a secure SSL/TLS connection, encrypting data in transit and at rest, and locking and monitoring all production areas, networks, and internal processes 24/7/365.
Step 5: Audit third-party service providers
Organizations are only as strong as their weakest link, and this is particularly true for financial institutions. If you employ third-party service providers for document processing, billing, and distribution, make sure you audit their security program as thoroughly as your own. One of the best ways to validate a third-party service provider’s security program is to check whether they hold an industry-recognized certification or attestation:
- The SOC 2 attestation is offered by the American Institute of Certified Public Accountants (AICPA) and evaluates the security and privacy controls a service provider employs to protect the confidentiality, integrity, and availability of data stored and processed on its systems.
- PCI DSS version 3.2 is a set of requirements for processing credit card payments, maintained by the Payment Card Industry Security Standards Council. PCI DSS includes 12 requirements for securing, testing, and monitoring networks and systems, protecting cardholder data, managing vulnerabilities, implementing access controls, and maintaining an information security policy.
- A Sarbanes-Oxley (SOX) audit validates an organization’s compliance with the corporate accounting controls required of public companies under U.S. federal law.
When evaluating third-party service providers, check to see if they hold these security attestations or certifications. If they don’t, will you continue to do business with them or find other secure providers? If you do use these providers, what steps will you take to validate their security programs?
Step 6: Implement multiple levels of security
Once you have completed the risk assessment, you will need to take steps to mitigate the identified risks. If your risk assessment identified any gaps in your facility security, access controls, or technical safeguards, now is the time to correct those oversights. If you have not already done so, implement comprehensive information security policies and procedures, malware protection, encryption, multi-factor authentication, intrusion detection systems (IDS), firewalls, and 24/7 network monitoring using a layered approach.
Step 7: Restrict access to the server room and areas housing sensitive information
In tandem with securing your systems and networks, you need to restrict access to the physical facilities that house these resources. Install electronic lock systems, security alarms, security cameras, motion detection sensors, and other tools for monitoring physical access to your facility and review logs and CCTV footage on a regular basis. Restrict access to the server room to your IT Department and maintain a facility access list that is updated at least quarterly.
Step 8: Establish secure methods for data disposal
Improper disposal of electronic and hard copy records has caused major headaches for some organizations. For example, several years ago one financial services company was assessed a civil penalty in excess of $100,000 for tossing financial records containing customer data in dumpsters. To avoid costly penalties, evaluate the methods in place for disposing of redundant and obsolete data that may contain sensitive information. Digitally overwriting electronic data and shredding hard copy records are best practices that will protect sensitive financial information.
When disposing of data, it’s important to track any record retention requirements. Check all applicable regulatory requirements and use these timeframes to develop a schedule for disposing of obsolete data.
Step 9: Conduct regular security awareness and privacy training
The most robust security policies in the world are useless if your staff doesn’t know they exist. Have your staff complete security awareness and privacy training during onboarding and repeat annually or more frequently to ensure they retain the information. Train your staff on social engineering scams and conduct phishing exercises regularly and consistently to provide real-world practice in preventing security incidents.
Step 10: Plan for security incidents, data breaches, and other emergencies
As security threats grow increasingly sophisticated, it’s not a question of whether your institution will experience a security incident or data breach, but when. In addition to taking preventive measures, it’s vital that you have plans in place for responding to security incidents and managing data breaches. Make sure your incident response plan includes an identified chain of command and publishes contact information for team members. Include procedures for responding to data breaches and notifying regulatory agencies, law enforcement, and customers. Outline procedures for conducting a thorough forensic analysis of the causes of any security incident or data breach and use the information to prevent future occurrences. Investing in cybersecurity liability insurance is another excellent precautionary measure to consider if you have not already done so.
If a natural disaster or cybersecurity incident occurs, you also need to restore the integrity and availability of any lost or damaged data. Make sure you have comprehensive disaster recovery and business continuity plans that detail procedures for restoring access to your network, data, and facilities. You also want to test your plans annually to make sure team members understand their roles and how to respond to different scenarios.
Regulatory requirements and growing security concerns make performing a thorough risk assessment and mitigating identified vulnerabilities essential components of your security program. In many cases, taking these steps can prevent security incidents and data breaches. When security is compromised, the knowledge you gain from identifying and mitigating risks can prevent an incident from becoming a compliance nightmare.
Scott Stephens is President of DATAMATX, one of the nation’s largest privately held, full-service providers of printed and electronic billing solutions. For more than 40 years, companies in the financial services, healthcare, insurance and other industries working with DATAMATX have benefited by leveraging the latest in technology and security to enhance the value of every customer communication produced and delivered. Find DATAMATX at www.datamatx.com