Putting the Finance Industry's Security Practices under the Microscope
What strikes me is the range of business problems we discuss in professional forums, seminars and gatherings, especially during casual networking breaks. Interactions with CXOs (especially CIOs, CTOs, CISOs and even CFOs) often lead to discussions about the latest news of security failures and incidents, and about Cyber Security Threats and their ever-evolving trends.
If I may offer a perspective on preparing ourselves and our organizations to face this threat-filled space of Cyber Threats, my sincere advice is to invest in professional help, or to follow the key security measures below to conduct a microscopic review and enhance the existing Security Practice to its best. The key to achieving good Cyber Security is to let it evolve as a best Security Practice and not get locked into mere discussions, planning and documentation.
Key Security Measures
1. Study and understand the Regulatory Compliance requirements of your business.
2. Study and understand the Cyber Threat landscape that applies to your business.
3. Conduct a microscopic assessment of the organization's existing Security Practices to understand the gaps that fail to meet Regulatory Compliance and the gaps that can be exploited to realise the Cyber Threats.
4. Identify, implement and adhere to the organization's Minimum Security Controls standards that meet your business objectives, mitigate the Security Practice gaps, achieve compliance and help in detecting, protecting against and preventing the Cyber Threats.
What are our Regulatory Compliance requirements?
Every business operates within a set of Regulatory, Legal and Social compliance requirements. Given below are some of the important requirements applicable to the Finance Industry. It is advisable to study and understand their application and
• Gramm-Leach-Bliley Act (GLBA) Safeguards – Emphasises that “financial institutions must protect the consumer information they collect”.
• Dodd-Frank Wall Street Reform – Aims to “promote the financial stability by improving accountability and transparency in the financial system”. It provides the measure of what is “reasonable and appropriate” for protecting consumer data in financial systems.
• Sarbanes-Oxley Act (SOX) – Mandates measures to “protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes”.
• Payment Card Industry Data Security Standard (PCI DSS) – Regulates “maintaining payment security that is required for all entities that store, process or transmit cardholder data”.
• Nations, states and cities mandate social responsibilities in order to “ensure environment safety and preservation of natural resources”.
How should we do microscopic review of existing Security Practices?
Perform thorough self-assessments of the following aspects of existing Security Practices, or take professional help from security practitioners to review them on your behalf. The aim should be to find all the gaps, shortcomings and lapses through which vulnerabilities may be exploited to realise the threats and disrupt the business.
• Security Programs and its alignment with business goals and objectives.
• Security Framework in use. Are industry-standard security frameworks in place? A few recognised security frameworks are:
- Information Security Management Standards (ISMS) – ISO 27000 series
- Information Security Forum’s Standard of Good Practice (SoGP)
- NIST’s Cyber Security Framework
- PCI-DSS standards
- COBIT 5
• Security Approach. Is the current security approach right? Does it support the changing Cyber Security Threat landscape? For example, the security approach can be:
- Threat based security programs,
- Risk based security programs,
- Compliance based security programs, etc.
• Security Architectures in use. It is important to have security architectures that perform the following security management & control functions effectively.
- Threat Management
- Risk Management
- Compliance Management
- Incident Response Management
- Identity Management
- Privilege Management
- Access Management
• Security Controls in place. An ongoing review of the security controls in use and their effectiveness is key to achieving Cyber Security resilience and meeting the Confidentiality, Integrity, Availability and Safety (CIAS) of organizational resources, i.e. People, Processes, Technology and Infrastructure.
• Security Awareness Programs in place. As per industry threat and incident surveys, over 67 percent of security incidents are a result of a lack of security awareness, responsibility and accountability. Security awareness should be part of the culture of the organization. In fact, it would be wise to say that security must be the responsibility of every individual working for the organization.
• Security Audits and Certifications. Review the existing security certification programs in the organization and their enforcement in real-world practice. In general, the financial industry adopts and practices the following security programs:
- ISO 27001
- PCI-DSS certification
- SSAE 16 / ISAE 3402 reviews, aka SOC 1, SOC 2, SOC 3
- DSCI (Data Security Council of India) Data Privacy reviews.