
Securing Confidential Data
Adopting a comprehensive risk management approach, internally and across the supply chain, is mission critical for financial institutions
In today's financial services marketplace, increasingly sophisticated and often well-publicized security breaches related to consumer data, as well as heightened regulatory oversight and compliance requirements, highlight the need for banks and credit unions to develop and maintain a comprehensive risk management approach.
Two fundamental components of that approach are a viable internal security program and a solid vendor awareness and risk management process. According to Joe Filer, assistant vice president of security compliance at Harland Clarke, the latter is key, because account holders who entrust their confidential data to a bank or credit union will likely have a laser-like focus when it comes to responsibility for a breach. "The financial institution will be held responsible for a data breach, regardless of where it occurs in the supply chain or why it happens," says Filer. And that can have a potentially negative impact not only on an institution's relationships with account holders and vendors, but also on its bottom line.
To help protect confidential data throughout the supply chain, Filer recommends paying attention to details and looking for the following in third-party vendors:
- Financial stability. A vendor's financial stability will impact its security efforts, including its ability to invest in the people, processes and technologies that help keep confidential data secure.
- A documented information security management program. This should combine physical and logical control measures and use a layered security model to provide end-to-end security of confidential information. Controls should be consistent with the comprehensive requirements defined in ISO/IEC 27002:2005, an information security standard published by the International Standards Organization.
- A mature internal security program. A mature program comprises the following elements: 1) a security program at a relatively steady state that is embedded at all levels of the organization and that has been embraced as an integral part of the business; 2) the ability to address a changing set of variables related to risk; and 3) the continuity of internal information security personnel who have significant depth and breadth of experience.
- Visibility and control over the entire supply chain as they relate to data protection. A vendor should continuously monitor its security posture, both as a point-in-time reference and as a long-term view.
- Assistance with meeting compliance expectations and visibility requirements. Through clear contract terms and a solid definition of confidentiality requirements, financial institutions can set the stage for what a vendor should provide in terms of compliance documentation — and set expectations that will help support their need to perform due diligence with the vendor, which may include on-site audits.
- Performance of comprehensive annual external control evaluations. Key external evaluations to look for include SAS 70/SSAE 16 audits as well as third-party certifications, such as the Cybertrust certifications currently provided by Verizon Business and PCI (Payment Card Industry) certification.
- An integrated security strategy. Vendors that effectively combine the four elements of security — physical security, information security, business continuity and compliance — show that they have an understanding of the implications of security practices across their organizations.
- Business continuity planning. Some key questions to ask: Does the vendor have a disaster recovery plan? Is that plan tested annually? If so, how did the company perform in its latest test? Does the vendor have more than one facility in case of unexpected service interruption?
For information about how Harland Clarke can help your financial institution protect account holder data, contact your account executive or visit harlandclarke.com/contactus.