Other People’s Money: Compliance Challenges of Financial Services Organizations
Financial Services: Compliance Challenges
Financial services organizations—banks, brokerage houses, mortgage lenders, and a host of other businesses involved in handling other people’s money—are under more regulatory scrutiny than any other sector. While Gramm-Leach-Bliley Act (GLBA), Sarbanes Oxley (SOX), and Payment Card Industry (PCI) standards usually come to mind when we think about compliance in the financial sector, there are a half dozen other information security regulations that these organizations must answer to, including FACTA (Fair and Accurate Credit Transaction Act), the United States Patriot Act, and various state data protection laws.
Staying on top of these regulations could easily keep an IT department busy full time. After struggling for nearly a decade to meet compliance requirements through inefficient, manual audit reporting processes and piecemeal IT controls, financial institutions are looking at more streamlined and cost-effective alternatives.
Here’s an overview of some of the major regulations to which financial services organizations are required to answer.
Gramm-Leach-Bliley Act
Signed into law on November 12, 1999, the Gramm-Leach-Bliley Act (GLBA) mandates that financial institutions must protect confidential customer information against threats to security, confidentiality, and integrity, including unauthorized access that could result in harm or inconvenience to customers. Published a year later, Regulation P strictly specifies how financial services companies can use personal consumer information and requires organizations to inform consumers of their disclosure policies. Customers must receive a disclosure statement every year, and they must have the ability to “opt out” of having their private information shared with third parties.
Sarbanes-Oxley Act
On the heels of the catastrophic Enron, Tyco, Adelphia, and WorldCom accounting scandals, which resulted in more than U.S. $500 billion in market value declines, Congress responded by enacting the Sarbanes-Oxley Act of 2002 (SOX). The raison d’être behind SOX is to prevent corporate fraud, protect investors, and safeguard corporate employees. All publicly traded companies in the United States are subject to SOX, including financial services organizations. Under SOX, the Securities and Exchange Commission (SEC) is required to demand full disclosure of internal controls over financial reporting in the annual reports of all SEC-registered companies. SOX compliance means that IT departments must coordinate with finance departments to provide visibility into finances, controls, operations, and processes.
USA Patriot Act
Six weeks after the devastating attack on the World Trade Center in New York City on September 11, 2001, the president signed the United States Patriot Act, which includes measures to prevent, detect, and prosecute money laundering used to finance terrorist activities. For financial institutions, this means due diligence and recordkeeping practices, especially in the area of private banking and foreign accounts. Banks, for example, must implement a Customer Identification Program (CIP), which requires them to obtain identifying information from customers, verify this customer information, check customers against lists provided by federal agencies, notify customers that information may be requested in the process of verifying their identities, and produce and maintain records related to the CIP. Without a CIP in place, along with supporting records, a bank could be cited for violating federal law.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) was developed in January 2005 by the major credit card companies—Visa, MasterCard, and American Express, among others—as a set of guidelines to help organizations that process card payments prevent credit card fraud, hacking, and other security exploits. (For a more detailed examination of PCI DSS requirements, take a look at our November issue.) This security standard includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.
FACTA
Passed by the U.S. Congress in 2003 as an amendment to the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) gives consumers the right to ask for a free credit report annually from any or all of the three consumer credit reporting companies—Equifax, Experian, and TransUnion. FACTA also includes provisions for reducing identity theft. Consumers can place alerts on their credit histories if they suspect identity theft. In addition, the law requires secure disposal of consumer information when it is no longer being used.
California Security Breach Information Act
Written into law in 2003, Senate Bill 1386, the California Security Breach Information Act, requires organizations that maintain personal data about individuals to inform them if the security of that information is compromised. The goal is to help curb identity theft. Thirty-four other states have similar legislation. Companies that can prove that they have taken reasonable measures to protect personal data through appropriate encryption techniques are exempt from the disclosure requirements.
Challenges and Solutions
Keeping up with these compliance regulations while continuing to maintain a profitable business may seem like a monumental task. In some sense, it is a goliath; every regulation that comes along creates new challenges. At the same time, if financial services companies adopt a security risk management process that complements and supports their business strategy, they will be in a better position to stay compliant. What’s needed is a consistent, repeatable, unified approach for complying with internal and external policy controls. And with comprehensive, integrated security solutions, IT organizations can maintain compliance controls while efficiently supporting new business and regulatory mandates. The chart below examines some of the challenges presented by compliance regulations and outlines the types of solutions that can help organizations address them.
Challenge: Financial institutions need to be able to support ongoing audits by aggregating and correlating data on compliance status and details on risk posture, activities, and countermeasures. They also should maintain security in every transaction and manage countermeasures.

Solution: The key to overcoming this challenge is the deployment of a centralized management console that can consolidate and correlate details from vulnerability assessment, risk analysis, intrusion and data loss prevention, and remediation tools. If the management tool can provide detailed reporting for various audiences, that’s even better—a major step toward eliminating time-consuming manual processes.

Ideally, such a management system should integrate agent-based controls, policy management, and reporting operations. That way, financial services organizations can demonstrate in real time and through reports that policies are consistently defined, distributed, and maintained across all layers of protection.

Challenge: For institutions that offer online transaction services, compliance with PCI DSS should be a top priority. Even Level 3 merchants that process 20,000 to 1,000,000 Visa or MasterCard ecommerce transactions annually must comply.

Solution: When it comes to PCI DSS compliance, there are several security technologies to consider:
- Start with a network vulnerability assessment, preferably from a vendor that has received the Approved Scanning Vendor and Qualified Security Assessor certifications for PCI DSS
- Deploy a network intrusion prevention system (IPS) that monitors network attacks and prevents them from affecting unmanaged systems that are infected or vulnerable
- Run regular scans on systems connected to the network. If systems with high-severity vulnerabilities can be prioritized as high risk, so much the better.
- Include comprehensive agent-based security software that provides anti-virus, anti-spyware, personal firewall, host intrusion prevention, and network access control

Challenge: Acquisitions and the cultivation of new business partnerships bring new security challenges. So as not to compromise their own security, financial organizations need to implement technologies that allow them to efficiently discover and assess vulnerabilities and risks in the infrastructure of companies they acquire or partner with.

Solution: Scan systems regularly to identify IT vulnerabilities and noncompliance and calculate risk metrics. Perform agent-based audits for policy violations and IT controls, and define policies based on best practices and regulatory requirements.

Challenge: Regulations like PCI DSS require financial institutions to ensure the health and integrity of data across transaction networks. Beyond the realm of online transactions, laws like GLBA make it imperative for organizations to prevent fraud and confidentiality breaches by controlling the use and transmission of sensitive client, employee, and financial information. Another important aspect of data protection is the need to inspect email on public and closed networks to block malicious and inappropriate content and comply with email privacy regulations.

Solution: Inspect network traffic and enforce protections to safeguard the network and the systems that access it. Also, monitor and track the use of data and enforce policies on data use, storage, and transmission. It’s preferable if both host- and gateway-based data protection are in place to prevent leaks and provide support for forensic analysis. And consider installing an Internet gateway system that inspects IMAP, POP, and web mail to defend against web and email threats. This type of system should also effectively block spam and spyware, detect web-borne exploits, and enforce acceptable web usage and email regulations.

Challenge: Essential for any business is an efficient and effective approach to threat protection, which includes protection from zero-day attacks, simplification of patch management, and control over network access for unmanaged clients that may not have the latest security updates or may violate policy in some way.

Solution: Make sure that your security vendors have a research infrastructure that delivers dynamic threat and signature updates on a regular basis.
Patch management can be made more efficient by incorporating solutions that include:
- Network access control to audit a system as it tries to join the network and grant or deny access based upon the results of that audit
- A remediation system that can provide automated patching and configuration for systems that fall out of compliance
- Network-based scanning and network intrusion prevention to protect systems not running agents
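The scan-prioritization step (rank hosts with high-severity findings as high risk) and the network access control step (audit a host as it joins, then grant access, send it for remediation, or deny it) are the two places above where a concrete decision rule helps. The following is an added example, not code from the original article or from any vendor product it alludes to: a small posture evaluator over constructed endpoint audit records. The thresholds (signature age, missing critical patches, CVSS cut-off) and the three outcomes are assumptions chosen for illustration, not values from PCI DSS or any other regulation named on the page.

```python
"""Posture-based admission decision and risk prioritization (added example).

Models the NAC / remediation / scan-prioritization steps described above.
All thresholds and sample hosts are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Hypothetical policy thresholds (assumptions, not from any standard).
MAX_SIGNATURE_AGE_DAYS = 7        # AV signatures older than this are "stale"
MAX_MISSING_CRITICAL_PATCHES = 0  # any missing critical patch is non-compliant
HIGH_RISK_CVSS = 7.0              # findings at or above this mark the host high risk


@dataclass
class EndpointAudit:
    """What the join-time audit (agent or scanner) reports for one host."""
    host: str
    managed: bool                  # runs the agent, so it can be remediated automatically
    av_signature_date: date
    missing_critical_patches: int
    open_findings_cvss: list[float] = field(default_factory=list)


def risk_score(audit: EndpointAudit) -> float:
    """Highest CVSS among open findings; a host with no findings scores 0.0."""
    return max(audit.open_findings_cvss, default=0.0)


def admission_decision(audit: EndpointAudit, today: date) -> str:
    """Return 'grant', 'remediate' or 'deny' for a host attempting to join the network."""
    stale = (today - audit.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS
    unpatched = audit.missing_critical_patches > MAX_MISSING_CRITICAL_PATCHES
    high_risk = risk_score(audit) >= HIGH_RISK_CVSS
    if not (stale or unpatched or high_risk):
        return "grant"
    # Managed hosts can be moved to a remediation network and patched automatically.
    if audit.managed:
        return "remediate"
    # Unmanaged, non-compliant hosts cannot be fixed by the agent: keep them off the
    # production network and rely on network-based scanning and IPS instead.
    return "deny"


def prioritize(audits: list[EndpointAudit]) -> list[str]:
    """Host names ordered so the highest-risk systems are remediated first."""
    ranked = sorted(audits,
                    key=lambda a: (risk_score(a), a.missing_critical_patches),
                    reverse=True)
    return [a.host for a in ranked]


# Constructed sample audit records for a single evaluation date.
TODAY = date(2024, 3, 15)
SAMPLE_AUDITS = [
    EndpointAudit("teller-ws-01", True,  date(2024, 3, 13), 0, [4.3]),
    EndpointAudit("branch-srv-02", True, date(2024, 2, 10), 1, [9.8, 5.0]),
    EndpointAudit("vendor-laptop", False, date(2024, 3, 14), 0, [7.5]),
    EndpointAudit("kiosk-07", False,     date(2024, 3, 12), 0, []),
]


def decide_all(audits: list[EndpointAudit] = SAMPLE_AUDITS,
               today: date = TODAY) -> dict[str, str]:
    """Audit-report style mapping of host -> admission decision."""
    return {a.host: admission_decision(a, today) for a in audits}


if __name__ == "__main__":
    for host, decision in decide_all().items():
        print(f"{host:15s} {decision}")
    print("remediation order:", prioritize(SAMPLE_AUDITS))
```

The decision table is deliberately simple so that the same record feeds both the access decision and the audit report that the compliance console would consolidate; in a real deployment the thresholds would come from the organization's written policy rather than constants in code.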
Maintaining a competitive advantage facilitates compliance
To their great advantage, high-profile players in the financial sector are always keen on adopting new technologies to fuel growth, reduce costs, and stay competitive. In this sector, nearly every new business initiative has an obvious IT component. Mergers and acquisitions, for example, require audits, assessments, and custom technology integration. Responsive, personalized banking services at kiosks, on the road, or at home require new types of service automation. And fraud prevention demands demonstrable transaction and data integrity.
As they work on deploying technologies that make innovative business initiatives a reality, IT organizations find that they need to incorporate compliance policies and technologies to secure these new systems. All of this hard work presents a real opportunity to improve efficiency. IT can use these new projects to automate and orchestrate compliance processes. Automation is the only way to provide accurate policy enforcement, monitoring, and reporting. And this, in turn, makes it easier for IT to align security controls to compliance regulations.