Financial Conduct Authority. Financial Crime : A Guide for Firms

Transcription

1 WHITEPAPER Financial Conduct Authority Financial Conduct Authority Financial Crime : A Guide for Firms

2 Summary The Financial Conduct Authority regulates the financial services industry in the UK. Tackling financial crime is a key part of the FCA s remit. To this end, the FCA publish a guide on how firms can prevent financial crime on their website: Part two of the guide contains summaries of, and links to, thematic reviews of various financial crime risks. It includes the consolidated examples of good and poor practice that were included with the review s findings. Each chapter includes a statement about those to whom the crime risk is most relevant and, where good and poor practice is included, to whom that guidance applies. LogRhythm s integrated architecture has been specifically designed to provide real-time continuous, automated monitoring for the detection and prevention of both security and fraudulent related activity. LogRhythm goes beyond monitoring by allowing customers to automate actual remediation and other actions via SmartResponse TM plugins. In addition to industry-leading security analytics, LogRhythm offers extensive reporting functionality which is essential for best practice understanding of the environment, as well as providing information to all levels of the organisation. Every LogRhythm solution comes with over 800 pre-defined reports including compliance and best practice reports. Also included in the reporting package are Executive Level reports which provide high-level visibility of critical events happening across the enterprise. These reports are very easy to clone and modify, allowing customers to create custom reports to address a variety of security, compliance and operational use cases. The following table provides a summary of how LogRhythm can support the implementation of each control suggested as good practice in Chapter Six Data Security in Financial Services. LogRhythm s real time analytics engine, the AI Engine, provides deep visibility into all aspects of the organisation, from firewall configuration to processes starting up on an endpoint. The AI Engine uses multiple techniques to analyze the data from different dimensions. This includes performing advanced correlation against all data for sophisticated pattern recognition to identify suspicious or malicious activity. By combining data with both external and internal context, a detailed picture of normal behaviour can be built, thus enabling real-time detection of abnormal behaviour. PAGE 1

3 6.4 Access Rights 1. Specific IT access profiles for each role in the firm, which set out exactly what level of IT access is required for an individual to do their job. 2. If a staff member changes roles or responsibilities, all IT access rights are deleted from the system and the user is set up using the same process as if they were a new joiner at the firm. The complexity of this process is significantly reduced if role-based IT access profiles are in place the old one can simply be replaced with the new. 3. A clearly-defined process to notify IT of forthcoming staff departures in order that IT accesses can be permanently disabled or deleted on a timely and accurate basis. 4. A regular reconciliation of HR and IT user records to act as a failsafe in the event of a failure in the firm s leavers process. 5. Regular reviews of staff IT access rights to ensure that there are no anomalies. 6. Least privilege access to call recordings and copies of scanned documents obtained for know your customer purposes. LogRhythm offers a wide range of supporting capabilities in the area of Access Rights. Privileged User Monitoring is provided out of the box, offering monitoring and alerting for users being added to highly privileged groups. This module may be adapted to monitor a wide variety of groups in alignment with the organisations internal delegation of rights model. LogRhythm is able to integrate with well-known Identity Access Management solutions as well as standard access control solutions, such as LDAP, to automatically build up a profile of user and host activity across the organisation. LogRhythm is also able to consume data from a wide variety of sources and subsequently monitor those sources, such as HR systems. Logs may be collected when new starters are created or existing staff members leave. Based on this integration, automated alerts and subsequent remediation can be triggered to prevent new starters accessing or attempting to access areas outside of their function and conversely alert and prevent leavers from utilising accounts to gain access prior to or after leaving the organisation. Regular reports can be scheduled to provide a timely overview of leavers and new starters. 6.5 Passwords and user accounts 1. Individual user accounts requiring passwords in place for all systems containing customer data. 2. Password standards at least equivalent to those recommended by Get Safe Online a government- backed campaign group. In July 2011, their recommended standard for passwords was a combination of letters, numbers and keyboard symbols at least eight characters in length and changed regularly. 3. Measures to ensure passwords are robust. These might include controls to ensure that passwords can only be set in accordance with policy and the use of passwordcracking software on a risk-based approach. 4. Straight-through processing, but only if complemented by accurate role-based access profiles and strong passwords. LogRhythm can detect the use of shared user accounts through a variety of approaches. Typically, systems have well known shared account names. Using LogRhythm, customers can import a list of known accounts and trigger an alarm whenever a shared account is used in the environment. Furthermore LogRhythm is able to detect behaviour such as the same account being used to login from disparate physical locations or accounts being used to login via VPN when they don t typically roam. LogRhythm is able to monitor and learn about typical user behaviour within an organisation and subsequently detect and alert on deviation from that behaviour. Upon detection of this activity, LogRhythm can initiate automated action via SmartResponse plugins that can for example disable the user s account or block suspicious IPs from the network. PAGE 2

4 6.6 Monitoring access to customer data 1. Risk-based, proactive monitoring of staff s access to customer data to ensure it is being accessed and/or updated for a genuine business reason. 2. The use of software designed to spot suspicious activity by employees with access to customer data. Such software may not be useful in its off- the-shelf format so it is good practice for firms to ensure that it is tailored to their business profile. 3. Strict controls over superusers access to customer data and independent checks of their work to ensure they have not accessed, manipulated or extracted data that was not required for a particular task. LogRhythm has several built-in functions which allows for the monitoring of access to and the overall security of customer data. LogRhythm s AI Engine can build profiles of normal user, host or data activity, based on the customers business profile. This profile may be used as a baseline of normal behaviour within the environment, and used to alert when behaviour that is out of the ordinary is detected such as accessing a large number of customer records in a short period of time or accessing customer records outside of business hours. LogRhythm s File Integrity Monitor detects all file and/or folder additions, deletions, modifications and reads, and can identify who performed the action. This allows customers to protect confidential data by alerting them any time sensitive data is accessed or modified. LogRhythm s Privilege User Monitoring capabilities ensure that even accounts with escalated privileges are monitored and profiled, and that anomalous activity is surfaced. 6.7 Data backup 1. Firms conducting a proper risk assessment of threats to data security arising from the data back-up process from the point that back-up tapes are produced, through the transit process to the ultimate place of storage. 2. Firms encrypting backed-up data that is held off-site, including while in transit. 3. Regular reviews of the level of encryption to ensure it remains appropriate to the current risk environment. 4. Back-up data being transferred by secure Internet links. 5. Due diligence on third parties that handle backed-up customer data so the firm has a good understanding of how it is secured, exactly who has access to it and how staff with access to it are vetted. 6. Staff with responsibility for holding backedup data off-site being given assistance to do so securely. For example, firms could offer to pay for a safe to be installed at the staff member s home. 7. Firms conducting spot checks to ensure that data held off-site is held in accordance with accepted policies and procedures. LogRhythm can consume logs from data backup solutions ensuring that an alert can be raised should a backup fail, or even not start when expected. Furthermore, utilising LogRhythm s SmartResponse capabilities, a backup could be triggered by the system in the event that it didn t automatically start when expected. LogRhythm is also able to monitor access to the backup files or systems, and can even collect logs from door access control systems so that physical access to the data storage locations can be identified to ensure backups and their integrity are maintained. PAGE 3

5 6.8 Access to the internet and 1. Giving internet and access only to staff with a genuine business need. 2. Considering the risk of data compromise when monitoring external traffic, for example by looking for strings of numbers that might be credit card details. 3. Where proportionate, using specialist IT software to detect data leakage via Completely blocking access to all internet content which allows web-based communication. This content includes web-based , messaging facilities on social networking sites, external instant messaging and peer-to-peer file-sharing software. 5. Firms that provide cyber-cafes for staff to use during breaks ensuring that web-based communications are blocked or that data cannot be transferred into the cyber-cafe, either in electronic or paper format. LogRhythm can monitor all user internet traffic through its integration with firewalls and proxies. Utilising LogRhythm s native Threat Lists, organisations can detect when users are accessing, or traffic is coming from known bad URLs and IP addresses. Furthermore, LogRhythm provides detailed lists of known Peer-to-Peer, File Sharing, Social Network processes and sites and can detect, alert and remediate any traffic and/or users accessing those applications. LogRhythm s native integration with applications, such as Microsoft Exchange can detect various forms of data leakage via as well as alert administrators to occurrences of abnormal behaviour, such as an increase in both the number of files sent and the frequency of s being sent to a user s personal address from their corporate systems. LogRhythm s Network Monitor, which performs deep packet inspection, full packet capture, and analysis at the networking layer, can detect as well as capture sensitive information being sent over or the internet. 6.9 Key-logging devices 1. Regular sweeping for key-logging devices in parts of the firm where employees have access to large amounts of, or sensitive, customer data. (Firms will also wish to conduct sweeps in other sensitive areas. For example, where money can be transferred.) 2. Use of software to determine whether unusual or prohibited types of hardware have been attached to employees computers. 3. Raising awareness of the risk of key-logging devices. The vigilance of staff is a useful method of defence. 4. Anti-spyware software and firewalls etc in place and kept up to date. LogRhythm is able to defend against both software and hardware based keylogging devices through the utilisation of its Data Loss Defender endpoint monitoring solution as well as its Process Monitoring solution. LogRhythm s Data Loss Defender can prevent the attachment of USB storage devices to endpoints running its agent software, and generate a log to record the event. LogRhythm can also natively profile/ baseline processes that usually run on particular systems and alert if nonstandard/suspicious processes are launched. LogRhythm integrates with antimalware and antispyware solutions for the added detection and alerting of keylogging devices. LogRhythm can also monitor to ensure that these systems are kept up-to-date. PAGE 4

6 6.10 Laptop 1. The encryption of laptops and other portable devices containing customer data. 2. Controls that mitigate the risk of employees failing to follow policies and procedures. The FSA has dealt with several cases of lost or stolen laptops that arose from firms staff not doing what they should. 3. Maintaining an accurate register of laptops issued to staff. 4. Regular audits of the contents of laptops to ensure that only staff who are authorized to hold customer data on their laptops are doing so and that this is for genuine business reasons. 5. The wiping of shared laptops hard drives between uses. LogRhythm s integration with third party encryption technologies ensures that alerts and reports can be generated on any devices which are yet to be encrypted or have had their encryption removed, ensuring complete visibility of the protection of devices across the estate. Should a device be lost, LogRhythm can provide the information to ascertain who the device belonged to, what software was on the device as well as what information may have been retained on the device. LogRhythm is also able to capture the MAC address of the laptop and, should a lost laptop attempt to reconnect to the network, LogRhythm can provide alerting and remediation through its integration with Network Access Control (NAC) systems Portable media including USB devices and CD s 1. Ensuring that only staff with a genuine business need can download customer data to portable media such as USB devices and CDs. 2. Ensuring that staff authorised to hold customer data on portable media can only do so if it is encrypted. 3. Maintaining an accurate register of staff allowed to use USB devices and staff who have been issued USB devices. 4. The use of software to prevent and/or detect individuals using personal USB devices. 5. Firms reviewing regularly and on a riskbased approach the copying of customer data to portable media to ensure there is a genuine business reason for it. 6. The automatic encryption of portable media attached to firms computers. 7. Providing lockers for higher-risk staff such as call centre staff and superusers and restricting them from taking personal effects to their desks. LogRhythm s Data Loss Defender can detect and control all removable media devices connected to critical systems as well as record information being copied to/from these devices. Using the information gathered from the Data Loss Defender, profiles of user activity may be built, for real time alerting or later reporting purposes. Furthermore, LogRhythm s integration with other Endpoint Security solutions allows for broad and deep monitoring, alerting and reporting on all devices as well as the information copied to these devices. PAGE 5

7 6.12 Physical security 1. Appropriately restricted access to areas where large amounts of customer data are accessible, such as server rooms, call centres and filing areas. 2. Using robust intruder deterrents such as keypad entry doors, alarm systems, grilles or barred windows, and closed circuit television (CCTV). 3. Robust procedures for logging visitors and ensuring adequate supervision of them while on-site. 4. Training and awareness programmes for staff to ensure they are fully aware of more basic risks to customer data arising from poor physical security. 5. Employing security guards, cleaners etc directly to ensure an appropriate level of vetting and reduce risks that can arise through third party suppliers accessing customer data. 6. Using electronic swipe card records to spot unusual behaviour or access to high risk areas. 7. Keeping filing cabinets locked during the day and leaving the key with a trusted member of staff. 8. An enforced clear-desk policy. LogRhythm s AI Engine and its integration with third party physical security solutions allows for robust logging, alerting and reporting on a wide variety of scenarios from monitoring access to locations through the capture of swipe card access systems, to alerting on tailgating, or even access to critical systems without a prior recorded electronic swipe in. Alerting and reporting on operational activity around the health of the physical monitoring systems, such as systems going down, storage/backup locations for CCTV running out of space etc. is also possible through LogRhythm s comprehensive device support Managing third-party suppliers. 1. Conducting due diligence of data security standards at third-party suppliers before contracts are agreed. 2. Regular reviews of third-party suppliers data security systems and controls, with the frequency of review dependent on data security risks identified. 3. Ensuring third-party suppliers vetting standards are adequate by testing the checks performed on a sample of staff with access to customer data. 4. Only allowing third-party IT suppliers access to customer databases for specific tasks on a case- by-case basis. 5. Third-party suppliers being subject to procedures for reporting data security breaches within an agreed timeframe. 6. The use of secure internet links to transfer data to third parties LogRhythm s integration with Identity Access Management Solutions as well as Active Directory, LDAP and authentication appliances such as VPNs, allows organisations to monitor all third party access to the infrastructure, alerting on shared access, successful access or attempted access to systems which are not under third party control as well as abnormal access locations and times. LogRhythm s detailed alerting and reporting capabilities ensure full third party monitoring capabilities, and LogRhythm s SmartResponse remediation functionality ensures any abnormal activity detected can be acted upon in real-time to prevent data loss and destruction Internal audit and compliance monitoring 1. Firms seeking external assistance where they do not have the necessary in-house expertise or resources. 2. Compliance and internal audit conducting specific reviews of data security which cover all relevant areas of the business including IT, security, HR, training and awareness, governance and third-party suppliers. 3. Firms using expertise from across the business to help with the more technical aspects of data security audits and compliance monitoring. LogRhythm provides out-the-box alerting and reporting on a number of key auditing and compliance initiatives including ISO27001 and PCI-DSS as well as SOX, to assist organisations in reaching or maintaining their audit requirements. Compliance reports can be automatically generated and distributed to the wider organisation in a variety of formats without requiring access to LogRhythm to ensure all relevant parties are always kept abreast of the organisations compliance standing. PAGE 6