Chapter 12: Regulatory Compliance for
Financial Institutions
Objectives





Know information security regulations for financial
institutions
Identify financial sector regulatory agencies
Understand the components of a GLBA-compliant
information security program
Implement a GLBA-compliant information security
program
Respond to the ever-increasing threat of ID theft
2
Introduction



A financial institution’s most significant asset
is not money: it’s information about money,
transactions and customers
Protection of those information assets is
necessary to establish the required trust for
the institution to conduct business
Institutions have a responsibility to protect
their client’s information and privacy from
harm such as fraud and ID theft
3
What Is the Gramm-Leach-Bliley
Act?




Signed into law by President Clinton in 1999
Also known as the Financial Modernization Act of
1999
Meant to allow banks to engage in a wide array of
financial services
Banks can now merge with stock brokerage
companies and insurance companies, which
means that they can possess large amounts of
private, personal client information
4
What Is the Gramm-Leach-Bliley
Act? Cont.


GLBA allowed for information such as bank
balances, account numbers, to be bought and
sold by banks, credit card companies and other
financial institutions. This information is usually
considered private, and the potential for misuse is
great
Title 5 of the GLBA specifically addresses
protecting both the privacy and the security of
financial information
5
What Is the Gramm-Leach-Bliley
Act? Cont.

What is NPI?


Stands for non-public personal information
Includes the following information:





Names
Addresses
Phone numbers
Income and credit histories
Social security numbers
6
To Whom Does the GLBA Pertain?


To all financial institutions that either collect private
information from their customers, or receive such
information
Also applies to companies that provide financial
products and/or services such as:




Automobile dealers
Check-cashing businesses
Consumer reporting agencies
Courier services
7
Who Enforces GLBA?



8 federal agencies and the states have authority to
administer and enforce the Financial Privacy Rule and
Section 501(b)
Which agency is tasked with enforcing the regulation,
along with the severity of the penalty, is dependent upon
the industry to which the business belongs
Non traditional financial services companies are
regulated by the Federal Trade Comm., but are not
subject to scheduled, regular audits unless a complaint
has been lodged against them
8
FFIEC to the Rescue


Stands for the Federal Financial Institutions
Examination Council
Formal interagency body empowered to prescribe
uniform principles, standards and report forms for
the federal examination of financial institutions by
the board of the Federal Reserve System, the Fed
Deposit Ins Corp, the Nat Credit Union Assoc. and
the Office of Controller of the Currency
9
FFIEC to the Rescue Cont.


FFIEC publishes the InfoBase Handbook, which
provides field examiners in financial institution
regulatory agencies with a quick source of
introductory training and basic information
The InfoBase is used as the de facto guide to
information technology and information security
examination
10
FFIEC to the Rescue Cont.

The InfoBase includes the following topics:








Audit
Business Continuity Planning
Development & Acquisition
E-banking
FedLine
Outsourcing technology services
Retail payment system
Supervision of technology service providers
11
FFIEC to the Rescue Cont.

GLBA-related definitions



Board of directors: managing officials
Customer information system: any method used
to access, collect, store, use, transmit, protect or
dispose of customer information
Service provider: any person or entity that
maintains, processes or otherwise is permitted to
access customer information through its provision
of services directly to the financial institution
12
What Are Interagency Guidelines?



The dependence of financial institutions upon
information systems is a source of risks
The interagency guidelines (IG) were created as a
way to mitigate those risks related to information
being compromised
The IG require every covered institution to
implement a comprehensive written information
security program that includes administrative,
technical and physical safeguards
13
What Are Interagency Guidelines?
Cont.

Administrative safeguards include:




Security policies
Procedures
Management
Training
14
What Are Interagency Guidelines?
Cont.

Physical safeguards include:

Security controls designed to protect:



Data systems
Physical facilities
From:


Natural threats
Man-made threats
15
What Are Interagency Guidelines?
Cont.

Technical safeguards include:

Security measures that specify the use of technology to
secure the confidentiality, integrity and availability of
information
16
What Are Interagency Guidelines?
Cont.

Information Security Program

The criteria for designing a GLBA-compliant
information security program should include:


Ensuring the confidentiality of customer information
Protecting against:



Any anticipated threats against the integrity of customer
information
Accidental or intentional loss
Threats to information assets, systems & networks vital to
the operation of the Bank
17
What Are Interagency Guidelines?
Cont.

Information Security Program Objectives


Protect the confidentiality, integrity and availability of
customer information
Protecting customers from harm that may come from
failing to achieve objective #1
18
What Are Interagency Guidelines?
Cont.

Information Security Program Requirements





Involving the board of directors
Assessing risk
Managing and controlling risks
Adjusting the program
Reporting to the board
19
Involving the Board





The board must approve the bank’s written information
security program
The board must oversee the development,
implementation & maintenance of the program
As corporate officials, the board has a fiduciary & legal
responsibility
Banks should provide board members with appropriate
training on information security
The board may in turn delegate information security
tasks to other roles and/or committees
20
Assessing Risk


Risk assessments start by creating an inventory of
all information items and information systems
Identifying threats is the next step




Threat: potential for violation of security
Threat assessment: identification of types of threats
Threat analysis: systematic rating of threats based upon
risk and probability
Threat probability: likelihood that a threat will materialize
21
Assessing Risk Cont.



Mitigating controls: once threats are identified,
appropriate mitigating controls must be developed
The level of control is related to the severity of the threat
Institutions must assess the sufficiency of controls:



Prioritize information systems based upon the results of the
criticality analysis. Classify them in different tiers
Prioritize the threats based upon the results of the threat
analysis. Classify them in tiers of varying severity
Match the two lists. For each threat, list a mitigating control.
All controls should be evaluated, tested and documented
22
Managing Risk

The information security program should be designed to
control the identified risks commensurate with the
sensitivity of the information as well as the complexity and
scope of their activities:
 Access controls on customer information systems
 Access restrictions at physical locations containing
customer information
 Encryption of electronic customer information
 Separation of duties
 Monitoring systems to identify attacks
 Incident response program
 Disaster recovery plan
23
Logical and Administrative Access
Controls

Goal: to provide access only to authorized
individuals whose identity is established and
authenticated


Should involve need-to-know and principle of least
privilege
Involves identification, authentication and authorization
24
Logical and Administrative Access
Controls Cont.

Type of Logical and Administrative Access
Controls






Access Rights Administration
Authentication
Network Access
Operating System Access
Application Access
Remote Access
25
Access Rights Administration






Applies to all employees, vendors, contractors, customers
Format process in place to enroll, authorize, authenticate,
& monitor user accounts & activities
Assigning users & system resources only the access
required to perform their required functions
Updating access rights based upon personnel or system
changes
Periodically reviewing users’ access rights
Designing appropriate confidentiality & acceptable use
policies
26
Authentication




Authentication is the verification of identity by a
system upon the presentation of unique
credentials to that system
Can be single factor (one credential) or multi-facto
(2 or more credentials)
Complexity & type of authentication should be
commensurate to the level of sensitivity of data
accessible after authentication takes place
Transmission & storage of authentication element
should be encrypted
27
Network Access



Network access can be granted not only to
employees, but also to remote users, 3rd-party
vendors, consultants
Access must therefore be additionally controlled
so that protected information is not disclosed to
unauthorized parties
Network access procedures include:


Grouping network servers into security domains
Establishing proper, consistent access requirements
within and between security domains
28
Operating System Access


Operating system access must be regulated so
that only authorized personnel can get adminlevel access
Procedures include:





Securing access to system utilities
Restricting & monitoring privileged access
Logging & monitoring user or program access to
sensitive resources & alerting on security events
Updating the OS with security patches
Securing the devices that can access the OS through
physical and logical means
29
Application Access




Application access: mission-critical applications
require additional security and access controls
Access should only be granted on a least
privileged principle basis
Admin access should be logged and reviewed
Procedures include authentication& authorization
controls, monitoring access rights, using time of
day limitations on access, logging access &
security events
30
Remote Access

Remote access must be restricted and controlled:





The remote communications should be disabled at the OS
level if it is not needed
Access must be controlled through management approval
and audits
Remote access must be monitored and logged
Remote access devices must be secured
Strong authentication & encryption must be deployed
31
Managing Risk Cont.

Additional Security Areas











Physical Security
Data Security
Malicious Code
Systems Development
Personnel Security
Media Handling
Logging & Data Collection
Service Provider Oversight
Intrusion Detection & Response
Business Continuity
Training
32
Physical Security



Physical security includes protection from physical
access, damage, theft and destruction
Zones should be created based on protection
needs
Appropriate controls must be deployed for each
zone against:



Physical penetration
Damage from environmental contaminants
Electronic penetration through active or passive
electronic emissions
33
Data Security




Data security can be accomplished through the
use of encryption
Encryption protects confidentiality, and also
provides proof of authenticity and non-repudiation
Encryption is inherent to some communication
protocols, but not all!
Procedures:


Ensure that encryption methods deployed are strong
enough
Ensure that key management is secure
34
Malicious Code



Malicious code includes viruses, Trojans, worms,
logic bombs and spyware
Blended threats are more and more popular
Procedures include:




Antivirus must be deployed and updated
Appropriate blocking strategy at the network perimeter
Filtering input to applications
Training staff
35
Systems Development, Acquisition
and Maintenance



Security should be integrated from the start
All software, either developed or acquired, must
be tested for security
Procedures:


Defining security requirements before development
starts
Incorporating security standards in the development
phase, along with security controls, audit trails, logs for
data processing and data entry
36
Personnel Security




Personnel security: according to the FBI, 80% of attacks
originate from inside the network
Human errors are also possible such as data deletion,
alteration
Loss of equipment
Procedures:



Employees should receive security training
Regular security awareness campaigns
Background checks on employees
37
Electronic and Paper-Based Media
Handling

Media

All sensitive information must be secured, regardless of
what media it is stored on

Five components of media security:
 Handling
 Storage
 Transit
 Reuse
 Disposal
38
Electronic and Paper-Based Media
Handling Cont.

Procedures:




Establishing security procedures for handling
information
Establishing security procedures for storing information
Ensuring safe and secure disposal of sensitive media
Securing media while in transit or during transmission to
third-parties
39
Logging and Data Collection


Logs must be generated and reviewed regularly
The person in charge of log review should NOT
have administrative privileges on the network



Separation of duties
Logs should be secured
Logs should be designed for each component:
some will require more levels of details than
others
40
Service Provider Oversight


Service provider oversight: many aspects of operations
may be outsourced. This does not mean that the bank is
not responsible for those operations anymore.
Information owners must still make sure that their data is
secure
Procedures:





Use due-diligence when selecting third-parties
Implementing contractual assurances regarding security
responsibilities, controls and reporting
Requiring non-disclosure agreements
Providing 3rd-party review of the service provider’s security
through audits and tests
Coordinating incident response policies and contractual
notification requirements
41
Intrusion Detection and Response


Intrusion detection and response: institutions should be
able to detect, react and respond to an intrusion
Procedures:

Preparing for an intrusion, which includes:
 Analysis of the data flows
 Nature and scope of monitoring
 Consideration for legal factors
 Policies governing detection and response
 Appropriate reporting
42
Business Continuity Considerations

Business continuity considerations include:




Plans to activate alternate sites
Primary usage of redundant equipment
Alternate communication lines
Procedures:


Identifying personnel with key security roles and training
them
Determining security needs for alternate sites and
communication networks
43
Training, Training, and More
Training!



Staff should receive security training at least once
a year
Security awareness campaigns should be run at
least once a quarter
Untrained staff are perfect targets for hackers!
44
Testing the Controls

All controls must be tested



Priority should be given to high-risk, critical systems
Separation of duties applies to control testing
Three types of test that can be run:
 Penetration tests
 Audits
 Assessments
45
Adjusting the Program, Reporting to
the Board, and Implementing the
Standards

Adjusting the program: the business environment
is not static. The bank evolves with new clients,
new features, new services, new equipment.
These changes must be reflected in the
information security program


Effective monitoring involves both technical and nontechnical evaluations
Change drivers include mergers and acquisitions,
changes in technology, changes in data sensitivity
46
Adjusting the Program, Reporting to
the Board, and Implementing the
Standards Cont.

Reporting to the Board of Directors

Reporting to the board should take place at least
annually and describe the overall status of the
information security program and the bank’s
compliance with the interagency guidelines

The report needs to address risk assessment and
management, control decisions, service provider
arrangements, recommendation for change of the
program
47
Identity Theft and Regulatory
Compliance


Identity theft occurs when someone possesses and uses
any identifying information that is not theirs with the
intent to commit fraud or other crimes
Identifying information includes:




Name
Date of birth
Social security numbers
Credit card numbers
48
Identity Theft and Regulatory
Compliance Cont.


Responding to identity theft: the interagency guidance
on response programs for unauthorized access to
customer information and customer notice (“the
guidance”)
The guidance describes response programs, including
customer notification procedures, that a financial
institution should develop and implement to address
unauthorized access to or use of customer information
49
Identity Theft and Regulatory
Compliance Cont.


Regulatory compliance : additional controls
The guidance identifies additional controls:



Access controls on customer information systems, such as
authentication and authorization to prevent employees from
leaking sensitive information to unauthorized 3rd parties
Background checks for employees
Response programs that specify actions to be taken when
the financial institution suspects or detects that
unauthorized individuals have gained access to customer
information systems
50
Summary



Financial institutions must protect the information with which
they are entrusted.
The GLBA requires that standards be developed and assigns
this task to 8 federal agencies: seven monitor federallyinsured banks and published the interagency guidelines, while
the FTC oversees organizations that provide non-traditional
financial services and published the standards for
safeguarding customer information.
The intent of both publications is to protect the confidentiality,
integrity and availability of non-public personal information.
51