Chapter 12: Regulatory Compliance for Financial Institutions Objectives Know information security regulations for financial institutions Identify financial sector regulatory agencies Understand the components of a GLBA-compliant information security program Implement a GLBA-compliant information security program Respond to the ever-increasing threat of ID theft 2 Introduction A financial institution’s most significant asset is not money: it’s information about money, transactions and customers Protection of those information assets is necessary to establish the required trust for the institution to conduct business Institutions have a responsibility to protect their client’s information and privacy from harm such as fraud and ID theft 3 What Is the Gramm-Leach-Bliley Act? Signed into law by President Clinton in 1999 Also known as the Financial Modernization Act of 1999 Meant to allow banks to engage in a wide array of financial services Banks can now merge with stock brokerage companies and insurance companies, which means that they can possess large amounts of private, personal client information 4 What Is the Gramm-Leach-Bliley Act? Cont. GLBA allowed for information such as bank balances, account numbers, to be bought and sold by banks, credit card companies and other financial institutions. This information is usually considered private, and the potential for misuse is great Title 5 of the GLBA specifically addresses protecting both the privacy and the security of financial information 5 What Is the Gramm-Leach-Bliley Act? Cont. What is NPI? Stands for non-public personal information Includes the following information: Names Addresses Phone numbers Income and credit histories Social security numbers 6 To Whom Does the GLBA Pertain? To all financial institutions that either collect private information from their customers, or receive such information Also applies to companies that provide financial products and/or services such as: Automobile dealers Check-cashing businesses Consumer reporting agencies Courier services 7 Who Enforces GLBA? 8 federal agencies and the states have authority to administer and enforce the Financial Privacy Rule and Section 501(b) Which agency is tasked with enforcing the regulation, along with the severity of the penalty, is dependent upon the industry to which the business belongs Non traditional financial services companies are regulated by the Federal Trade Comm., but are not subject to scheduled, regular audits unless a complaint has been lodged against them 8 FFIEC to the Rescue Stands for the Federal Financial Institutions Examination Council Formal interagency body empowered to prescribe uniform principles, standards and report forms for the federal examination of financial institutions by the board of the Federal Reserve System, the Fed Deposit Ins Corp, the Nat Credit Union Assoc. and the Office of Controller of the Currency 9 FFIEC to the Rescue Cont. FFIEC publishes the InfoBase Handbook, which provides field examiners in financial institution regulatory agencies with a quick source of introductory training and basic information The InfoBase is used as the de facto guide to information technology and information security examination 10 FFIEC to the Rescue Cont. The InfoBase includes the following topics: Audit Business Continuity Planning Development & Acquisition E-banking FedLine Outsourcing technology services Retail payment system Supervision of technology service providers 11 FFIEC to the Rescue Cont. GLBA-related definitions Board of directors: managing officials Customer information system: any method used to access, collect, store, use, transmit, protect or dispose of customer information Service provider: any person or entity that maintains, processes or otherwise is permitted to access customer information through its provision of services directly to the financial institution 12 What Are Interagency Guidelines? The dependence of financial institutions upon information systems is a source of risks The interagency guidelines (IG) were created as a way to mitigate those risks related to information being compromised The IG require every covered institution to implement a comprehensive written information security program that includes administrative, technical and physical safeguards 13 What Are Interagency Guidelines? Cont. Administrative safeguards include: Security policies Procedures Management Training 14 What Are Interagency Guidelines? Cont. Physical safeguards include: Security controls designed to protect: Data systems Physical facilities From: Natural threats Man-made threats 15 What Are Interagency Guidelines? Cont. Technical safeguards include: Security measures that specify the use of technology to secure the confidentiality, integrity and availability of information 16 What Are Interagency Guidelines? Cont. Information Security Program The criteria for designing a GLBA-compliant information security program should include: Ensuring the confidentiality of customer information Protecting against: Any anticipated threats against the integrity of customer information Accidental or intentional loss Threats to information assets, systems & networks vital to the operation of the Bank 17 What Are Interagency Guidelines? Cont. Information Security Program Objectives Protect the confidentiality, integrity and availability of customer information Protecting customers from harm that may come from failing to achieve objective #1 18 What Are Interagency Guidelines? Cont. Information Security Program Requirements Involving the board of directors Assessing risk Managing and controlling risks Adjusting the program Reporting to the board 19 Involving the Board The board must approve the bank’s written information security program The board must oversee the development, implementation & maintenance of the program As corporate officials, the board has a fiduciary & legal responsibility Banks should provide board members with appropriate training on information security The board may in turn delegate information security tasks to other roles and/or committees 20 Assessing Risk Risk assessments start by creating an inventory of all information items and information systems Identifying threats is the next step Threat: potential for violation of security Threat assessment: identification of types of threats Threat analysis: systematic rating of threats based upon risk and probability Threat probability: likelihood that a threat will materialize 21 Assessing Risk Cont. Mitigating controls: once threats are identified, appropriate mitigating controls must be developed The level of control is related to the severity of the threat Institutions must assess the sufficiency of controls: Prioritize information systems based upon the results of the criticality analysis. Classify them in different tiers Prioritize the threats based upon the results of the threat analysis. Classify them in tiers of varying severity Match the two lists. For each threat, list a mitigating control. All controls should be evaluated, tested and documented 22 Managing Risk The information security program should be designed to control the identified risks commensurate with the sensitivity of the information as well as the complexity and scope of their activities: Access controls on customer information systems Access restrictions at physical locations containing customer information Encryption of electronic customer information Separation of duties Monitoring systems to identify attacks Incident response program Disaster recovery plan 23 Logical and Administrative Access Controls Goal: to provide access only to authorized individuals whose identity is established and authenticated Should involve need-to-know and principle of least privilege Involves identification, authentication and authorization 24 Logical and Administrative Access Controls Cont. Type of Logical and Administrative Access Controls Access Rights Administration Authentication Network Access Operating System Access Application Access Remote Access 25 Access Rights Administration Applies to all employees, vendors, contractors, customers Format process in place to enroll, authorize, authenticate, & monitor user accounts & activities Assigning users & system resources only the access required to perform their required functions Updating access rights based upon personnel or system changes Periodically reviewing users’ access rights Designing appropriate confidentiality & acceptable use policies 26 Authentication Authentication is the verification of identity by a system upon the presentation of unique credentials to that system Can be single factor (one credential) or multi-facto (2 or more credentials) Complexity & type of authentication should be commensurate to the level of sensitivity of data accessible after authentication takes place Transmission & storage of authentication element should be encrypted 27 Network Access Network access can be granted not only to employees, but also to remote users, 3rd-party vendors, consultants Access must therefore be additionally controlled so that protected information is not disclosed to unauthorized parties Network access procedures include: Grouping network servers into security domains Establishing proper, consistent access requirements within and between security domains 28 Operating System Access Operating system access must be regulated so that only authorized personnel can get adminlevel access Procedures include: Securing access to system utilities Restricting & monitoring privileged access Logging & monitoring user or program access to sensitive resources & alerting on security events Updating the OS with security patches Securing the devices that can access the OS through physical and logical means 29 Application Access Application access: mission-critical applications require additional security and access controls Access should only be granted on a least privileged principle basis Admin access should be logged and reviewed Procedures include authentication& authorization controls, monitoring access rights, using time of day limitations on access, logging access & security events 30 Remote Access Remote access must be restricted and controlled: The remote communications should be disabled at the OS level if it is not needed Access must be controlled through management approval and audits Remote access must be monitored and logged Remote access devices must be secured Strong authentication & encryption must be deployed 31 Managing Risk Cont. Additional Security Areas Physical Security Data Security Malicious Code Systems Development Personnel Security Media Handling Logging & Data Collection Service Provider Oversight Intrusion Detection & Response Business Continuity Training 32 Physical Security Physical security includes protection from physical access, damage, theft and destruction Zones should be created based on protection needs Appropriate controls must be deployed for each zone against: Physical penetration Damage from environmental contaminants Electronic penetration through active or passive electronic emissions 33 Data Security Data security can be accomplished through the use of encryption Encryption protects confidentiality, and also provides proof of authenticity and non-repudiation Encryption is inherent to some communication protocols, but not all! Procedures: Ensure that encryption methods deployed are strong enough Ensure that key management is secure 34 Malicious Code Malicious code includes viruses, Trojans, worms, logic bombs and spyware Blended threats are more and more popular Procedures include: Antivirus must be deployed and updated Appropriate blocking strategy at the network perimeter Filtering input to applications Training staff 35 Systems Development, Acquisition and Maintenance Security should be integrated from the start All software, either developed or acquired, must be tested for security Procedures: Defining security requirements before development starts Incorporating security standards in the development phase, along with security controls, audit trails, logs for data processing and data entry 36 Personnel Security Personnel security: according to the FBI, 80% of attacks originate from inside the network Human errors are also possible such as data deletion, alteration Loss of equipment Procedures: Employees should receive security training Regular security awareness campaigns Background checks on employees 37 Electronic and Paper-Based Media Handling Media All sensitive information must be secured, regardless of what media it is stored on Five components of media security: Handling Storage Transit Reuse Disposal 38 Electronic and Paper-Based Media Handling Cont. Procedures: Establishing security procedures for handling information Establishing security procedures for storing information Ensuring safe and secure disposal of sensitive media Securing media while in transit or during transmission to third-parties 39 Logging and Data Collection Logs must be generated and reviewed regularly The person in charge of log review should NOT have administrative privileges on the network Separation of duties Logs should be secured Logs should be designed for each component: some will require more levels of details than others 40 Service Provider Oversight Service provider oversight: many aspects of operations may be outsourced. This does not mean that the bank is not responsible for those operations anymore. Information owners must still make sure that their data is secure Procedures: Use due-diligence when selecting third-parties Implementing contractual assurances regarding security responsibilities, controls and reporting Requiring non-disclosure agreements Providing 3rd-party review of the service provider’s security through audits and tests Coordinating incident response policies and contractual notification requirements 41 Intrusion Detection and Response Intrusion detection and response: institutions should be able to detect, react and respond to an intrusion Procedures: Preparing for an intrusion, which includes: Analysis of the data flows Nature and scope of monitoring Consideration for legal factors Policies governing detection and response Appropriate reporting 42 Business Continuity Considerations Business continuity considerations include: Plans to activate alternate sites Primary usage of redundant equipment Alternate communication lines Procedures: Identifying personnel with key security roles and training them Determining security needs for alternate sites and communication networks 43 Training, Training, and More Training! Staff should receive security training at least once a year Security awareness campaigns should be run at least once a quarter Untrained staff are perfect targets for hackers! 44 Testing the Controls All controls must be tested Priority should be given to high-risk, critical systems Separation of duties applies to control testing Three types of test that can be run: Penetration tests Audits Assessments 45 Adjusting the Program, Reporting to the Board, and Implementing the Standards Adjusting the program: the business environment is not static. The bank evolves with new clients, new features, new services, new equipment. These changes must be reflected in the information security program Effective monitoring involves both technical and nontechnical evaluations Change drivers include mergers and acquisitions, changes in technology, changes in data sensitivity 46 Adjusting the Program, Reporting to the Board, and Implementing the Standards Cont. Reporting to the Board of Directors Reporting to the board should take place at least annually and describe the overall status of the information security program and the bank’s compliance with the interagency guidelines The report needs to address risk assessment and management, control decisions, service provider arrangements, recommendation for change of the program 47 Identity Theft and Regulatory Compliance Identity theft occurs when someone possesses and uses any identifying information that is not theirs with the intent to commit fraud or other crimes Identifying information includes: Name Date of birth Social security numbers Credit card numbers 48 Identity Theft and Regulatory Compliance Cont. Responding to identity theft: the interagency guidance on response programs for unauthorized access to customer information and customer notice (“the guidance”) The guidance describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information 49 Identity Theft and Regulatory Compliance Cont. Regulatory compliance : additional controls The guidance identifies additional controls: Access controls on customer information systems, such as authentication and authorization to prevent employees from leaking sensitive information to unauthorized 3rd parties Background checks for employees Response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems 50 Summary Financial institutions must protect the information with which they are entrusted. The GLBA requires that standards be developed and assigns this task to 8 federal agencies: seven monitor federallyinsured banks and published the interagency guidelines, while the FTC oversees organizations that provide non-traditional financial services and published the standards for safeguarding customer information. The intent of both publications is to protect the confidentiality, integrity and availability of non-public personal information. 51