Demonstrating Compliance in the Financial Services Industry with Veriato


The biggest challenge in ensuring data security is people. At its core, compliance is about behavior: whether your users handle protected data sets in an appropriate manner. While most organizations focus on establishing and assessing the security controls around access, the true test of compliance is having visibility into what users do with sensitive data after they access it; the risk of data breaches, compliance violations, and the investigations, fines, and reputational damage that come with them depends on it. Malicious users whose loyalty no longer aligns with the organization can improperly access, copy, email, share, or print customer, investor, or financial data, in many cases without the knowledge of the platform or application in use. Veriato provides the contextual user activity detail and screen recordings necessary to satisfy the requirements of all mandates applicable to the financial services industry. By logging all user activity and capturing screen detail for video playback, Veriato creates an indisputable audit trail that will satisfy the evidence requirements of even the most scrutinizing auditor. This brief discusses the challenges of safeguarding customer, investor, and financial data, and how Veriato uniquely creates the audit detail necessary to meet compliance objectives.

Introduction

Nearly all financial services companies and financial institutions are subject to a number of compliance mandates. The Gramm-Leach-Bliley Act (GLBA) and the Dodd-Frank Wall Street Reform and Consumer Protection Act both provide specific guidance on how financial services organizations need to protect consumer data within financial systems. The enforcement of these regulations is overseen by both the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB). In addition, the Sarbanes-Oxley (SOX) regulation seeks to protect investor information, but is vague when it comes to specific required activities. Those organizations processing credit card information must also comply with the Payment Card Industry Data Security Standard (PCI DSS). Lastly, those financial services companies residing in the state of New York now must also comply with the new Cybersecurity Requirements (23 NYCRR 500), which outline specific technical and administrative controls to be in place.

So, financial services organizations require complete visibility into every action performed by a user with access to customer, financial, and investor data: every application used, webpage visited, record copied, file saved, print screen generated, and page printed. Only then will a covered entity truly know whether protected data has been appropriately accessed and used by either true insiders, or external attackers posing as insiders via stolen credentials. But compliance with GLBA, Dodd-Frank, SOX, PCI, 23 NYCRR 500 or any other mandate is as much about establishing and adhering to policies and procedures as it is about maintaining appropriate technical controls. Both are needed to confirm that users have been instructed on proper access to and usage of sensitive data, that access to protected data is correctly granted, that use is appropriate, and that compliance can be demonstrated.

Penalties

There are severe penalties for non-compliance: GLBA poses imprisonment for up to 5 years, with steep fines of up to $100,000 for each violation, and up to $10,000 fines for officers and directors for each violation. Dodd-Frank poses civil penalties of up to $1,000,000 per day the organization remains in violation. Penalties for non-compliance with PCI range from $50,000 to $500,000. NYDFS requirements tout civil penalties, but do not provide specifics.

Given the fact that 24% of all data breaches target the financial services industry, organizations face the challenge of not just ensuring internal processes are followed, but of remaining secure in the face of data breaches that involve the use of stolen credentials 81% of the time [1].

Dodd-Frank civil penalty tiers (civil penalties up to $1 million per day):

First tier ($5,000): For any violation of a law, rule, or final order or condition imposed in writing by the Bureau, a civil penalty may not exceed $5,000 for each day during which such violation or failure to pay continues.

Second tier ($25,000): Notwithstanding paragraph (A), for any person that recklessly engages in a violation of a Federal consumer financial law, a civil penalty may not exceed $25,000 for each day during which such violation continues.

Third tier ($1,000,000): Notwithstanding subparagraphs (A) and (B), for any person that knowingly violates a Federal consumer financial law, a civil penalty may not exceed $1,000,000 for each day during which such violation continues.

[1] Verizon, Data Breach Investigations Report (2017)

Compliance Challenges for Key Stakeholders

While most compliance mandates aren't broken out into separate specific objectives for each stakeholder in the organization, stakeholders each have different needs around the goal of adhering to any of them:

CEO: Needs a proactive approach leveraging people, processes, and technology that ensures adherence to mandate requirements around safeguarding protected data.

CFO: Can't afford the cost of a breach in compliance. Would rather spend budget on preventative measures than on responding to a breach.

CCO: Wants a plan in place for how to easily and quickly demonstrate compliance.

CSO: Wants protected data to remain secure, and a way to know protected data isn't being misused.

IT Manager: Needs to provide a means of visibility into exactly how protected data is used, regardless of application.

What's needed is a technology that cost-effectively addresses compliance requirements by monitoring access to protected data, aligning with established policy and processes, providing visibility into how protected data is used or misused, and providing context around either demonstrating compliance or determining the scope of a breach.

Demonstrating Compliance with Veriato

The intent of each of the mentioned compliance mandates is ultimately to ensure the privacy of non-public financial, investor, and personal data. As long as the only access to a given set of protected data is performed by someone who both has a legitimate need and only uses that information for the purposes of the organization, your organization will remain compliant. But because users with access to protected data utilize that access every day, it becomes nearly impossible to tell if and when your organization may be out of compliance. Add to that the fact that, while the access to data may seem appropriate, cutting and pasting that information into a Word document saved to a cloud drive certainly isn't, which means your organization needs to be monitoring and recording all user activity, regardless of application. Veriato assists with establishing compliance with requirements specific to financial services organizations by providing IT, security teams, and auditors alike with complete visibility into every action taken by the organization's users. Veriato solutions help to analyze risk, audit controls, and review activity in an effort to establish, maintain, and continually demonstrate compliance.

GLBA - 15 U.S. CODE 6801 / FTC SAFEGUARDS RULE - 16 CFR PART 314: Protection of Non-public Personal Information

Veriato acts as a core part of your implementation and maintenance of security measures to protect personally identifiable financial information, specifically around monitoring and reviewing the conduct of your workforce in relation to the protection of non-public personal information. Below are some examples of how Veriato can assist in addressing GLBA's requirement for administrative and technical safeguards:

Insure the security and confidentiality of customer records and information: Veriato provides visibility into how users access, interact with, and use personal information. Veriato creates an audit trail used to assess whether security and confidentiality have been maintained, regardless of the application used.

Protect against any anticipated threats or hazards to the security or integrity of such records: By leveraging user behavior analytics, Veriato provides a contextual activity review of both the access to personal information and technical and psycholinguistic indicators, to provide an early warning of threats.

DODD-FRANK - SECTION 154(B)(3), ORGANIZATIONAL STRUCTURE; RESPONSIBILITIES OF PRIMARY PROGRAMMATIC UNITS: DATA CENTER, Information Security

While broad in scope, this section intends that processes, policy, and technology be put in place to ensure financial data is kept secure and protected against unauthorized disclosure. Veriato's advanced user activity monitoring and behavior analysis technology monitors and can alert the Council or Director (as defined within the Act) of inappropriate access to protected data, regardless of application. Below is an example of how Veriato can assist in addressing this requirement:

Notification of Unauthorized Disclosure: Before disclosure can be made, the scope of the unauthorized access must be assessed. Veriato not only empowers security teams to record and examine user activity within systems containing protected financial data, but also within any other application, providing unmatched visibility into actions taken around financial data access. Should users attempt to copy, print, email, instant message, etc. financial data, Veriato is immediately aware of it and can notify the proper authorities.

SARBANES-OXLEY ACT SECTIONS 302 & 404: Internal Control Assessment

While SOX does little in the area of providing specific guidance around what internal controls are necessary to ensure the accuracy of financial reporting, section 302 establishes that the signing officer is responsible for such controls, and section 404 requires an annual internal control report. Below is an example of how Veriato can assist in addressing Sarbanes-Oxley requirements:

Internal Control Assessment: The simplest means of assessing internal controls is to observe their practical application, looking for misuse by users or acts of fraud. Veriato's comprehensive visibility into all user activity across applications empowers organizations to assess the state of controls, ensuring only approved users are accessing protected data, and providing contextual detail around any activity that may put the integrity of financial reporting into question.

NEW YORK STATE DFS 23 NYCRR 500: Cybersecurity Requirements for Financial Services Companies

New York State has implemented its own additional set of requirements for financial services companies to ensure the integrity and confidentiality of non-public personal and financial information. Below are a few examples of where Veriato can assist in meeting these new requirements:

Audit Trail (500.06): Veriato's unmatched ability to record activity across every application facilitates a comprehensive audit trail, providing complete visibility into all user actions.

Risk Assessment (500.09): Veriato's activity data and reporting provide the activity detail and context needed as part of an overall risk assessment, identifying any means by which users have been able to inappropriately access and/or misuse non-public data.

Monitoring of Authorized Users (500.14): User activity is constantly recorded with Veriato, so that unauthorized access to, misuse of, or tampering with non-public data can be defined, monitored, and alerted upon.

Incident Response Plan (500.16): Should non-public data be accessed, misused, or tampered with.
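As an added illustration (not Veriato's code, nor part of the original brief), the following Python script shows the kind of correlation that the Audit Trail (500.06) and Monitoring of Authorized Users (500.14) items describe, applied to the cut-and-paste-to-a-cloud-drive scenario raised earlier: it reads constructed user-activity events in a hypothetical schema and flags any export of data (print, e-mail, or a save into a cloud-synced folder) that follows a record view in a protected application within a short window. The application names, cloud path markers and the 15-minute window are assumptions, not values from the brief.

```python
import json
from datetime import datetime, timedelta

# Constructed sample user-activity events (hypothetical schema, one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2018-06-01T09:00:00", "user": "alice", "app": "CoreBanking", "action": "record_view", "detail": "acct 1001"}
{"ts": "2018-06-01T09:05:10", "user": "alice", "app": "WINWORD", "action": "file_save", "detail": "C:/Users/alice/OneDrive/notes.docx"}
{"ts": "2018-06-01T10:00:00", "user": "bob", "app": "InvestorPortal", "action": "record_view", "detail": "investor 77"}
{"ts": "2018-06-01T10:03:00", "user": "bob", "app": "WINWORD", "action": "file_save", "detail": "C:/Users/bob/Documents/report.docx"}
{"ts": "2018-06-01T11:00:00", "user": "carol", "app": "WINWORD", "action": "print", "detail": "HR-PRINTER-1"}
{"ts": "2018-06-01T12:00:00", "user": "bob", "app": "WINWORD", "action": "print", "detail": "FIN-PRINTER-2"}
{"ts": "2018-06-01T12:55:00", "user": "dave", "app": "CoreBanking", "action": "record_view", "detail": "acct 2002"}
{"ts": "2018-06-01T13:01:30", "user": "dave", "app": "Outlook", "action": "email_send", "detail": "to: ext@example.net"}
"""

PROTECTED_APPS = {"CoreBanking", "InvestorPortal"}            # assumed systems holding non-public data
CLOUD_PATH_MARKERS = ("OneDrive", "Dropbox", "Google Drive")  # assumed cloud-synced folder names
WINDOW = timedelta(minutes=15)  # how long after a protected view an export is tied to that view


def parse_events(text):
    """Parse one JSON event per line and return the events in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda e: e["ts"])


def is_export(ev):
    """True for actions that move data out of the protected system (local saves are not flagged)."""
    if ev["action"] in ("print", "email_send"):
        return True
    if ev["action"] == "file_save":
        return any(marker in ev["detail"] for marker in CLOUD_PATH_MARKERS)
    return False


def flag_misuse(events):
    """Link each export to the same user's most recent protected record view within WINDOW."""
    last_view = {}  # user -> most recent record_view in a protected application
    findings = []
    for ev in events:
        if ev["action"] == "record_view" and ev["app"] in PROTECTED_APPS:
            last_view[ev["user"]] = ev
        elif is_export(ev) and ev["user"] in last_view:
            src = last_view[ev["user"]]
            gap = ev["ts"] - src["ts"]
            if gap <= WINDOW:
                findings.append({
                    "user": ev["user"],
                    "source": f'{src["app"]}: {src["detail"]}',
                    "export": f'{ev["action"]} via {ev["app"]}: {ev["detail"]}',
                    "seconds_after_view": int(gap.total_seconds()),
                })
    return findings


def review_queue(text=SAMPLE_LOG):
    """Findings for an auditor or security team to review alongside screen playback."""
    return flag_misuse(parse_events(text))
```

On the sample events only alice (save to OneDrive five minutes after a CoreBanking view) and dave (e-mail six minutes after a CoreBanking view) are flagged; bob's local save and his print two hours later, and carol's print with no protected view, are recorded but not queued.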

How Veriato Helps Address Compliance Challenges

Veriato helps financial services organizations of all kinds satisfy their compliance obligations through detailed, contextual, rich logging of all user activity, both inside systems housing financial, customer, or investor data and in any other application, combined with robust screen recording and playback. This level of visibility into user interaction with protected data provides comprehensive evidence for compliance audits. Activity data is searchable, making it easy for an auditor, security teams, or IT to find suspect actions, with the ability to play back activity to see before, during, and after the activity in question. Reports can be produced in minutes, typically a fraction of the time otherwise needed, and don't require pulling critical resources from other tasks. Veriato assists in meeting a number of specific requirements, leveraging its deep visibility into user activity to provide context around access to protected data, showing what was accessed and what was done with the data. The mandate-specific sections above outline how Veriato can assist with meeting specific compliance requirements.

To learn more about how Veriato can help you with financial services compliance, contact a Veriato representative today.

Our solutions are deployed in 110+ countries. Over 3,000 enterprises and thousands of SMBs have placed their trust in our solutions.

Veriato USA: 4440 PGA Boulevard, Suite 500, Palm Beach Gardens, FL 33410
Veriato EMEA: 3rd Floor, Crossweys House, 28-30 High Street, Guildford, Surrey GU1 3EL, United Kingdom
https://www.linkedin.com/company/veriato
https://twitter.com/veriato
https://www.facebook.com/veriatoinc/