AT Think

How to demonstrate data security compliance for even the most skeptical auditor

Even though financial service organizations have tight security for the protection of account transactions and processing between the customer and automated systems, what does your organization have to do to ensure compliance with federal mandates to protect the privacy of financial, investor and personal data that’s visible to your employees? One crucial requirement is an indisputable audit trail that satisfies the evidence requirements of even the most scrutinizing auditor.

This audit trail needs to include complete visibility into every action performed by staff, especially those with access to customer, financial and investor data. A good system should track every application used, webpage visited, record copied, file saved, print screen generated, and page printed, etc. Only then will the organization truly know whether protected data has been appropriately accessed and used, or whether users, with malicious intent or by accident, misused that information. The system should also be able to detect external attackers posing as insiders via stolen credentials.

Consider what happened at the CME Group (a.k.a., the Chicago Mercantile Exchange and the Chicago Board of Trade) six years ago. A 10-year veteran was charged with stealing trade secrets and proprietary algorithms that ran the company’s Globex trading platform. Prosecutors alleged that if Chunlai Yang had gotten away with it, CME could have incurred a loss as big as $100 million. Facing up to seven years in prison, Yang pleaded guilty to two counts of trade secrets theft and got four years of probation.

Traders work on the Eurodollars Options floor at the Chicago Mercantile Exchange in Chicago, Illinois, U.S., on Monday, Jan. 28, 2008. CME Group Inc., the world's largest futures exchange, is in talks to acquire Nymex Holdings Inc. for more than $11 billion to gain the biggest energy-trading market. Photographer: Tim Boyle/Bloomberg News

How was he caught? With 24 percent of all data breaches targeting the financial services industry, the CME Group wanted to take the steps necessary to remain secure while meeting compliance mandates. The company installed software that would monitor employees’ activity, including Yang’s. The software detected that he had been gathering proprietary source code for the purposes of exfiltrating — or, surreptitiously withdrawing — data. The evidence against him included screen captures that showed Yang in the act of copying source-code files to removable media from his laptop. This shows he wasn’t using protected data sets in an appropriate manner, one requirement for compliance.

So how can a company create the audit details needed to meet compliance objectives?

Compliance requires absolute protection of private information. To do so, within an organization, you need to establish and communicate policies and procedures about the proper use of personal financial data. You also need to create and maintain appropriate technical controls that ensure compliance by monitoring the access to protected data. With detailed monitoring of every action of the employee, you receive visibility into how protected data is used or misused, and demonstrate compliance or determine the scope of a breach.

Let’s outline how monitoring employees can help address specific compliance challenges:

The Gramm-Leach-Bliley Act

One section of the GLBA requires protecting personally identifiable financial information, specifically around monitoring and reviewing the conduct of your workforce in relation to the protection of non-public personal information.

Organizations can utilize user monitoring software to ensure the security and confidentiality of customer records and information, providing visibility into how users access, interact with and use personal information. The software does this by creating an audit trail to assess whether security and confidentiality have been maintained, regardless of the type of application being used.

User behavior analytics can protect against any anticipated threats or hazards to the security or integrity of such records. The software provides a contextual activity review of both the access to personal information, as well as technical and psycholinguistic indicators to provide an early warning of threats.

Dodd-Frank – Section 154(B)(3): Information Security

While broad in scope, this section mandates that processes, policy, and technology be put in place to ensure financial data is “kept secure and protected against unauthorized disclosure.” More advanced user activity monitoring and behavior analysis technology can alert the council or director (as defined within the law) of inappropriate access to protected data, regardless of application. For example, Dodd-Frank mandates notification of unauthorized disclosure. This means that before any disclosures can be made, security teams must assess the scope of the unauthorized access. Monitoring not only empowers them to record and examine user activity within systems containing protected financial data, but also within any other application, which provides unmatched visibility into actions taken around financial data access. Should users attempt to copy, print, email or instant message any financial data, the software is immediately aware and can notify the proper authorities.

Sarbanes-Oxley Act – Sections 302 & 404: Internal Control Assessment

While SOX does little to provide specific guidance around what internal controls are necessary to ensure accurate financial reporting, it does require an annual internal control report. One simple way to assess internal controls is to look for misuse by users or acts of fraud. By having visibility into all user activity across applications, organizations can assess the state of controls, ensuring only approved users are accessing protected data, and providing contextual detail around any activity that may put the integrity of financial reporting into question.

While there are other federal mandates in the financial services realm, and also forensic tools available to financial institutions, these specific examples demonstrate the benefits that deep visibility into user activity can provide. After unusual behavior by an especially high-risk employee (or employees) triggers an alert, the institution can launch an investigation — as the CME Group did — that can potentially resolve whether that individual’s actions represent some kind of malfeasance or even a false positive.

By taking the steps necessary to comply with federal mandates, companies not only protect their customers’ data and their own assets from being improperly shared, but also protect the institution from severe fines (and potential imprisonment) for non-compliance — and a damaged reputation. Knowing what’s happening within an organization is a critical component you shouldn’t do business without.
