acc 675 control audit final project
Data Loss Prevention
In the Banking and Finance Industry
BY: KELLY A. GIAMBRA
ACC 675 SEPTEMBER 2015
What is Data Loss Prevention?
Data loss prevention (DLP) is the practice of detecting and preventing
confidential data from being “leaked” out of an organization’s boundaries
for unauthorized use. Data may be removed from an organization either
intentionally or unintentionally.
Intentional: Unauthorized release of data by internal users. Motivations vary but may include corporate espionage, financial reward, or a grievance with their employer.
Unintentional: Could be due to a poor business process. The solution is greater than just a content management system; business processes would need to be re-examined, possibly leading to a cultural change within the organization.
WHY IS DATA LOSS PREVENTION NECESSARY?
Preventing data loss is a best-practice approach to avoiding potential breach, damage, or loss of confidential, private, or proprietary information.
DLP is also known as data leak protection or simply leak protection, and refers to systems and technologies that detect data breaches, or the movement of data outside secure storage and systems. It prevents movement of sensitive data outside an organization's secure perimeter.
There are 3 distinct types: in-use protection, in-motion protection, and at-rest protection.
Data Loss Prevention: Banking & Finance
Banks, credit card companies and other credit reporting institutions must keep sensitive data safe and secure in the face of threats from damaging data breaches targeting credit cards, bank account credentials, and other confidential data.
Examples of Common Data Loss Targets:
Email, webmail, and instant messaging; file transfer protocol (FTP); blogs and social media; web pages; removable media; cell phones; camera devices; hard copies.
Personally Identifiable Information (PII): Banking & Finance
PII is any data that could identify a specific individual and can be sensitive or non-sensitive. Non-sensitive PII is information transmitted in an unencrypted form.
Types of Information Collected: Social Security numbers, employment information, account balances, transaction histories, credit information, assets and income, investment experience.
Why is it collected?
For customers to be able to open accounts, perform transactions, apply for loans or mortgages, use
credit or debit cards, seek advice about investments, report to credit bureaus.
Personally Identifiable Information (PII): How It Is Used
Everyday business purposes: open accounts, perform transactions, apply for loans or mortgages, use credit/debit cards, seek investment advice, report to credit bureaus.
For marketing purposes: with service providers used to offer bank products and services.
For joint marketing with other financial companies.
For affiliates' everyday business purposes.
For nonaffiliates: to market accounts and services endorsed by another organization.
Federal law gives consumers the right to limit some but not all sharing related to: affiliates' everyday business purposes, affiliates using information for marketing purposes, and nonaffiliates marketing to consumers. State laws may provide additional consumer privacy rights.
What is a Data Breach?
A data breach is the unauthorized access to private data by a cyber-criminal or disgruntled employee. An employee may, accidentally or with malice, attempt to send private company data out via storage-drive transfers or email content. DLP can stop these data breaches by using a strategy plan and software that inspects outgoing data.
Banks and financial institutions are most vulnerable in company-to-bank business transactions, especially over the internet. To protect data, a prevention plan must be created from risk assessments and then implemented.
DLP preventive controls must secure data regardless of where it is stored, prevent unintentional data loss caused by human error (with encryption and DLP), protect against malware, phishing threats and unwanted applications, and stay compliant with PCI DSS.
Examples of Banking Systems At Risk of Data Breach
Wholesale Payment Systems: Domestic and international commercial transactions, e.g., commercial loans, real estate loans, corporate and government securities, foreign exchange activities.
E-banking: the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels.
Retail Payment Systems: Checks, ACH, third-party ACH processing, credit cards, debit/ATM cards, card/PIN issuance, merchant acquiring, EFT/POS and credit card networks.
STATISTICS OF DATA BREACHES
Within Banks and Financial Institutions.
In 2015 an FBI official reported more than 500 million records stolen from U.S. financial institutions by cyberattacks over the past 12 months. According to PricewaterhouseCoopers, 45 percent of financial institutions have suffered from crime in the past year, compared to 34 percent across all other industries.
JP Morgan Chase: Affected 76 million and 7 million small businesses. Hackers obtained customer names, addresses, phone numbers and email addresses.
Global Payments Inc.: In 2012, 1.5 million cardholder accounts had credit and debit card information stolen, costing more than $90 million.
Citibank: In 2011, 360,000 credit cardholders had data stolen on Citi's online banking system, costing the bank $19.4 million.
Heartland Payment Systems: In 2009, the company's computer network was compromised, affecting 130 million credit cards and costing the company $2.8 billion.
Federal Information Security & Data Breach Notification Laws
Federal Information Security Management Act
The Privacy Act of 1974
Office of Management and Budget "Breach Notification Policy"
Gramm-Leach-Bliley Act (GLBA)
FTC Safeguards Rule (GLBA)
Information Security Guidelines, Section 501(b) of GLBA
The Fair and Accurate Transactions Act ("FACT Act")
Federal Trade Commission Act (FTC)
Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Transactions Act
Payment Card Industry Data Security Standard (PCI-DSS)
Health Insurance Portability and Accountability Act (HIPAA)
Federal Information Security & Data Breach Notification Laws
As you can see from the examples, data breaches encountered by banks and other financial institutions are constantly making the news. This is due to their high visibility and the huge financial ramifications if they violate the laws and regulations. Although several apply to financial institutions, the most common ones you will find are:
Sarbanes–Oxley Act (SOX)
Gramm-Leach-Bliley Act (GLBA)
Payment Card Industry Data Security Standard (PCI DSS)
Health Insurance Portability and Accountability Act (HIPAA)
The Sarbanes–Oxley Act (SOX)
SOX was introduced in 2002 to improve accountability and transparency of public corporations. Its
provisions demand companies to establish internal controls to accurately gather, process, and report
financial information. It also extends to IT systems used by finance, to assure the integrity of data.
The two SOX provisions are 302 and 404. Section 302 mandates that firms establish, maintain and regularly evaluate the effectiveness of internal controls placed within systems that support financial operations.
To ensure that companies meet the rules, SOX places harsh penalties on those who manipulate and falsify financial records: violators face up to 20 years in prison and/or $5 million in fines for failing to keep financial operations and reporting in compliance. In addition, the SEC can impose civil damages payable to investors who were harmed by these corporations.
Gramm-Leach-Bliley Act (GLBA)
GLBA's privacy protections only regulate financial institutions, e.g., businesses engaged in banking, insurance, stocks and bonds, financial advice, and investing.
It requires firms to develop precautions to ensure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards, and to protect against unauthorized access or use.
Financial institutions are required to provide customers with an annual notice of their information-sharing policies. This notice must inform customers of their policies on disclosing nonpublic personal information (NPI).
GLBA prohibits disclosure of access codes or account numbers to any nonaffiliated third party for use in telemarketing, direct mail, or other marketing through electronic mail, other than to a consumer reporting agency.
Payment Card Industry Data Security
Standard (PCI DSS)
PCI DSS is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover, and JCB.
PCI DSS mandates a DLP data discovery function by stating that a merchant should "confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and enforce controls to protect the data."
Compliance Requirements:
Minimize cardholder data storage, develop
a data retention and disposal policy.
Do not store sensitive authentication data
subsequent to authorization.
Mask the primary account number (PAN)
when displayed (the first six and last four
digits are only to be displayed)
Limit access to systems and cardholder data
to only those whose job requires access.
Track and monitor all access to data
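As an added worked example (not from the original presentation), the following Python shows what three of the listed requirements look like when enforced in code: a Luhn check to recognise a primary account number, masking a PAN to its first six and last four digits, and stripping sensitive authentication data (CVV, PIN, track data) from a transaction record once authorization is complete. The record field names and the sample record are assumptions constructed for the example; the card number is the public Visa test number, not real card data.

```python
import re

# Field names this example treats as PCI DSS "sensitive authentication data"
# (SAD), which must not be kept after authorization. The key names are an
# assumption for the example; a real system maps its own schema here.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used to tell a card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True for a 13-19 digit, Luhn-valid number (spaces and dashes ignored)."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(pan: str) -> str:
    """Mask a PAN so only the first six and last four digits remain visible."""
    digits = re.sub(r"[ -]", "", pan)
    if not looks_like_pan(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def storage_violations(record: dict) -> list:
    """List the PCI DSS storage rules a stored transaction record breaks."""
    problems = []
    for key in record:
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            problems.append(f"sensitive authentication data stored: {key}")
    pan = record.get("pan")
    if isinstance(pan, str) and looks_like_pan(pan):
        problems.append("PAN stored unmasked")
    return problems


def sanitize_post_authorization(record: dict) -> dict:
    """Return a copy of the record that is safe to retain after authorization."""
    clean = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            continue                      # drop SAD entirely
        if key.lower() == "pan" and isinstance(value, str) and looks_like_pan(value):
            value = mask_pan(value)       # keep only first six / last four
        clean[key] = value
    return clean


if __name__ == "__main__":
    # Constructed record using the public Visa test number, not real card data.
    record = {"pan": "4111 1111 1111 1111", "cvv": "123",
              "amount": "12.50", "auth_code": "A1B2C3"}
    print(storage_violations(record))
    print(sanitize_post_authorization(record))
```

Running `storage_violations` over records pulled from a data-at-rest scan is one way a DLP discovery job can show an auditor which stores still hold SAD or unmasked PANs; `sanitize_post_authorization` is the control applied before a record is written.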
Health Insurance Portability and Accountability Act (HIPAA)
"Section 1179 of HIPAA exempts certain activities of financial institutions from the HIPAA Rules, to the extent that these activities constitute authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care…" (US Dept. of Health and Human Services, 2013)
• But banks and financial institutions that engage in contract services for health care entities may be subject to HIPAA.
• HIPAA requires that these contracts only use protected health information for the purposes for which the business associate was engaged, safeguard confidential information, and assist the covered entity in complying with its own obligations under HIPAA. A business associate agreement must contain the elements specified at 45 CFR 164.504(e).
• Also, under the HITECH Act, business associates are responsible for ensuring that business associate agreements meet HIPAA requirements and are regulated under federal law.
Federal Agencies that Regulate
Banks and Financial Institutions
Federal Deposit Insurance Corporation (FDIC)
Federal Reserve Board (FRB)
Office of the Comptroller of the Currency (OCC)
Office of Thrift Supervision (OTS)
National Credit Union Administration (NCUA)
Commodity Futures Trading Commission (CFTC)
Federal Housing Finance Agency (FHFA)
Federal Financial Institutions Examination Council (FFIEC)
Securities and Exchange Commission (SEC)
Bureau of Consumer Financial Protection (CFPB)
DLP: A Video Overview By Symantec
Data Loss Prevention (DLP) systems: Discover, Monitor, and Protect Sensitive Data
DLP Solutions: Target 3 Levels
1.) Data-in-operations/Client Level: Targets Endpoints Used By Employees For Their Day-to-day Business Operations. User Activities That Violate Policies Are Blocked By DLP Agents
2.) Data-in-transit/Network level: Targets data moving outside the organization's network. Data is monitored and blocked if necessary. Data transfers using email (SMTP), web (HTTP/HTTPS) and file transfer (FTP/FTPS) are verified against policies to prevent or detect sensitive data leakage.
3.) Data-at-rest/Storage level: Targets the static data stored on servers. Stored sensitive data is scanned using crawlers to identify and assess the sensitivity of the data and whether its location is appropriate. A discovery scan classifies or tags the files and then monitors their access.
10 Key Considerations in Protecting
Sensitive Data Leakage Using DLP
1.) DLP solution strategies should be considered part of the overall information security plan and based on a risk assessment.
2.) Involve the right people in policy-making, e.g., managers from key departments like research and development, engineering, finance, compliance, and legal.
3.) Identify sensitive data and understand how it is handled.
4.) Use a phased approach, with the initial pilot implementation restricted to a region or division.
5.) Minimize the impact of DLP on system performance and business operations.
6.) Create DLP policies and policy management processes that are meaningful.
7.) Implement effective event review and investigation methods that provide valuable information.
8.) Provide analysis and meaningful reporting.
9.) Implement security and compliance measures to protect the DLP system's large amount of personal data.
10.) Implement a proper internal data flow and oversight process to protect private information during the course of normal business operations.
DLP: Examples of Information Security
Controls for Financial Institutions
Ongoing knowledge of attack sources, scenarios, and techniques
Up-to-date equipment inventories and network maps.
Rapid response capability to react to newly discovered vulnerabilities.
Network access controls over external connections.
System hardening. Financial institutions should "harden" their systems prior to placing
them in a production environment.
Controls to prevent malicious code.
Rapid intrusion detection and response procedures.
Physical security of computing devices.
User enrollment, change, and termination procedures.
Authorized use policy.
Training. Financial institutions should have processes to identify, monitor, and address
training needs.
Independent testing.
Prevent Wrongful Disclosure of
Confidential Data
Protect confidential data such as customer identity and account information,
intellectual property, and financial results;
Allow only authorized laptops, desktops, and other devices to connect to the bank’s
network;
Prevent employees from sending unauthorized documents and data through
corporate or Web email;
Encrypt disks and backup tapes to prevent data usage in case of loss or fraudulent
access;
Prevent confidential data from being stored on file servers with unauthorized users;
Report risk of confidential information exposure across bank departments;
Comply with financial data security regulations and industry standards.
Effective Controls Prevent Data Loss, Data
Theft and Data Leaks.
An effective control implements a DLP policy.
An effective control system uses filters to protect sensitive content.
It should also scan data transfers to local and network systems.
Action should be taken if a policy violation is detected: block and/or report.
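The filter, scan and block/report loop on this slide, together with the network (data-in-transit) and storage (data-at-rest) levels from the "DLP Solutions: Target 3 Levels" slide, as an added Python example that is not code from the presentation or from any DLP product. The content filters are two simple patterns (a U.S. Social Security number and an "account number" phrase) plus a classification marking; the bank domain examplebank.test, the approved storage path, and the sample transfers and files are all constructed for the example. A real deployment would add fingerprinting and exact-data matching, but the decision logic is the same.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Content filters (constructed patterns for this example).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
ACCOUNT_RE = re.compile(r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*[:#]?\s*\d{8,12}\b", re.I)
MARKING_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.I)

# Hypothetical bank domain used to decide whether a destination is outside the perimeter.
INTERNAL_DOMAINS = {"examplebank.test"}
# Hypothetical storage locations approved to hold sensitive data (at-rest level).
APPROVED_STORES = {"/srv/core/"}


@dataclass
class Transfer:
    channel: str       # "SMTP", "HTTP" or "FTP"
    sender: str
    destination: str   # e-mail address or target host
    content: str


@dataclass
class Verdict:
    action: str                                    # "allow", "report" or "block"
    findings: List[Tuple[str, int]] = field(default_factory=list)


def scan_content(text: str) -> List[Tuple[str, int]]:
    """Run the content filters and return (finding kind, hit count) pairs."""
    findings = []
    for kind, pattern in (("ssn", SSN_RE), ("account", ACCOUNT_RE), ("marking", MARKING_RE)):
        hits = len(pattern.findall(text))
        if hits:
            findings.append((kind, hits))
    return findings


def is_external(destination: str) -> bool:
    """True when the mail domain or host is not one of the bank's own."""
    host = destination.rsplit("@", 1)[-1].lower()
    return not any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def evaluate_transfer(t: Transfer) -> Verdict:
    """Network-level policy: block sensitive content leaving the perimeter, report it when it stays inside."""
    findings = scan_content(t.content)
    if not findings:
        return Verdict("allow")
    if is_external(t.destination):
        return Verdict("block", findings)
    return Verdict("report", findings)


def audit_line(t: Transfer, v: Verdict) -> str:
    """One line for the DLP event log that an event reviewer would examine."""
    detail = ",".join(f"{k}={n}" for k, n in v.findings) or "-"
    return f"{v.action.upper()} {t.channel} {t.sender} -> {t.destination} [{detail}]"


def classify_store(files: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """Storage-level discovery: tag each file and flag sensitive data outside approved locations."""
    result = {}
    for path, text in files.items():
        findings = scan_content(text)
        tag = "sensitive" if findings else "public"
        misplaced = bool(findings) and not any(path.startswith(s) for s in APPROVED_STORES)
        result[path] = (tag, misplaced)
    return result


# Constructed sample traffic and files; none of it is real customer data.
SAMPLE_TRANSFERS = [
    Transfer("SMTP", "teller@examplebank.test", "friend@webmail.example",
             "Customer SSN 123-45-6789, account number 00123456789"),
    Transfer("SMTP", "teller@examplebank.test", "ops@examplebank.test",
             "Please review SSN 123-45-6789 for this case"),
    Transfer("HTTP", "analyst@examplebank.test", "upload.fileshare.example",
             "CONFIDENTIAL Q3 loan portfolio"),
    Transfer("FTP", "batch@examplebank.test", "sftp.examplebank.test",
             "daily branch opening hours"),
]
SAMPLE_FILES = {
    "/srv/core/customers.csv": "123-45-6789,account number 00123456789",
    "/srv/public/share/notes.txt": "Account # 98765432101 flagged for review",
    "/srv/public/share/menu.txt": "cafeteria menu",
}


def run_demo() -> List[Verdict]:
    verdicts = [evaluate_transfer(t) for t in SAMPLE_TRANSFERS]
    for t, v in zip(SAMPLE_TRANSFERS, verdicts):
        print(audit_line(t, v))
    for path, (tag, misplaced) in classify_store(SAMPLE_FILES).items():
        print(f"{tag:9} {'MISPLACED' if misplaced else 'ok':9} {path}")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

The external/internal split is what turns the same finding into a block on one transfer and a report on another: an SSN mailed to a colleague is monitored and logged for review, the same SSN mailed to a webmail address is stopped. The at-rest pass reuses the same filters, so a file tagged sensitive on a public share shows up as misplaced even though no transfer has happened yet.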
Data Loss Prevention and IT Audit
Controls
For Banking and Financial Institutions.
In March of 2015, a federal judge gave preliminary approval to a $10 million settlement of a lawsuit brought by Target customers who were victims of an online attack involving confidential data in 2013.
During the 2013 holiday season, Target announced that hackers had stolen credit and debit card information from 40 million of its customers. This included personal information, like email and mailing addresses.
Privacy Control Guidelines for Financial Institutions
The OTS grouped the IT risks faced by financial institutions in three categories:
1. Information Integrity risks
2. Business continuity risks
3. Vendor management risks
The OTS Handbook 341 describes administrative, operational
& procedural controls to mitigate IT risks:
1.) Logical and Administrative Controls
2.) Physical Security
3.) Encryption
4.) Anti-Virus and other controls against malicious code
5.) Systems Development, Acquisition and Maintenance
6.) Personnel Security Controls
7.) Electronic and Paper-based Media Handling
8.) Logging and Data Collection
9.) Service Provider Oversight
10.) Intrusion Detection and Response
Top Trends of IT Audits Within Banks
and Financial Institutions
1.) Network segmentation
2.) Security penetration testing
3.) Disaster recovery testing
4.) Managing third-party risk
5.) IT equipment and retention logs
Most large financial institutions have segmented networks where core
banking networks with sensitive data are separated from corporate data
networks used by bank employees.
Banking executives are now going beyond the FFIEC once per year diagnostic
test requirements, and testing is now more ongoing and proactive.
While the mandates only require that banks have a disaster recovery or business continuity plan in place, auditors are encouraging banks to have it fully tested, showing proof that the systems work.
Smaller financial institutions are now turning to 3rd party vendors, especially
to access cloud-based computing services. However, auditors expect a
comprehensive due diligence process during vendor selection.
Regulators are now looking for transparency and accuracy in the log data.
Auditors are putting more focus on preventing log-in access to the bank
network after business hours for better security.
Auditing the Accounting Information
System (AIS)
An AIS is used by a business to collect, store, manage, process, retrieve and report its financial data so it can be used by accountants, consultants, business analysts, managers, CFOs, and auditors.
Specially trained accountants work with the AIS to make sure the systems are at their highest level of accuracy in company transactions and record keeping of data.
Generally Accepted Auditing Standards
(GAAS) AU Section 150 (The 10 Standards)
General Standards: An Auditor Must:
1. Have adequate technical training
and proficiency
2. Maintain independence.
3. Exercise due professional care
Standards of Field Work: An Auditor Must:
1. Adequately plan the work and properly supervise
assistants.
2. Have a sufficient understanding of the entity & its
internal controls
3. Have sufficient audit evidence for a reasonable basis
of an opinion
Standards of Reporting: An Auditor Must:
1. State in the auditor's report whether the financial statements comply with GAAP.
2. Identify principles that have not been consistently observed in the current period relative to the preceding period.
3. State in the auditor's report if informative disclosures are not reasonably adequate.
4. Express an opinion on the financial statements or state that an opinion cannot be expressed.
Major Phases of the Audit Process
Engagement Planning
Test of Controls
Substantive Procedures
Completion
Reporting
Next Period
How Accountants and the AIS are
Connected
An accountant and auditor’s understanding of the AIS requires skills in use of
computers, maintenance, file updates, and backups
Accountants' roles are no longer confined solely to economic processes, but extend to information technology as well.
The auditor must understand the IT environment and the AIS because they impact
the choice of design on the system of internal controls
It has become necessary for accountants and auditors to have knowledge of
new IT breakthroughs, since most companies like banks rely on automated
systems and not manual systems
Banks and Financial Institutions require AIS that ensures reliability, accuracy of
this information, as well as protect data from being lost or stolen
AUS Standard No. 2 (Superseded By AUS No. 5,
Fiscal Years on or after November 15, 2007)
This standard establishes requirements and provides directions for when an auditor is engaged to audit
both company financial statements and the manager’s assessment of effectiveness of internal
controls over financial reporting.
An internal control is a process designed by management to provide reasonable assurance as to the reliability of financial reporting and the preparation of financial statements for external purposes according to GAAP.
An internal control pertains to the maintenance of records that accurately reflect transactions and dispositions of assets; provides reasonable assurance that transactions are recorded as needed to prepare financial statements under GAAP; and provides reasonable assurance regarding prevention or detection of unauthorized access to company assets that could materially affect the financial statements.
Special Auditing Considerations for DLP
The auditor should evaluate the processes that management has in place to classify data and develop plans to protect the data based on the classification.
Consider: What sensitive data is held? What is the most important data? Where does it reside? Where is the data going?
A DLP control review audits the controls in place to manage privacy and data in motion, in use and at rest.
Consider: What controls are in place to protect data? How well do these controls operate? Where do the vulnerabilities exist, and what must be done to manage these gaps?
Privacy regulation audits evaluate privacy regulations and assess management's response via policy development, awareness and control procedures.
Consider: How well are privacy regulations on global business understood? Are policies updated and communicated in a timely manner? Do users follow control procedures to address regulations?
Summary
SUMMARY OF DATA LOSS PREVENTION FOR BANKING AND FINANCIAL INSTITUTIONS
This presentation covered:
An overview of data loss prevention for banks and financial institutions; definitions can be seen on various slides;
Statistics of data breaches within banks and financial institutions;
Why data loss prevention is important and how it may impact banks and financial institutions financially, reputationally, and compliance-wise;
And how it should be addressed in an audit, including overall risk, audit planning, and specific auditing guidelines.
REFERENCES
SANS Institute. (2003). Security Assessment Guidelines for Financial Institutions. SANS Institute InfoSec Reading Room. https://www.sans.org/reading-room/whitepapers/auditing/security-assessment-guidelines-financial-institutions-993
Somansa (2014). Using Data Loss Prevention for Financial Institutions: Banks, Credit Unions, and Payments. Data Loss Prevention (DLP) Introduction for Financial Institutions. http://www.somansatech.com/Somansa_Whitepaper_Financial_Institutions.pdf
Stevens, G. (2010). Federal Information Security and Data Breach Notification Laws. Congressional Research Service. https://www.fas.org/sgp/crs/secrecy/RL34120.pdf
Symantec (2014). Data Loss Prevention Product Overview. https://www.youtube.com/watch?v=1EURubSiiHw
Tabuchi, H. (2015). $10 Million Settlement in Target Data Breach Gets Preliminary Approval. New York Times. http://www.nytimes.com/2015/03/20/business/target-settlement-on-data-breach.html?_r=0
Tittel, E. (2013). Understanding Data Loss Prevention. Tom's IT Pro. http://www.tomsitpro.com/articles/threat_management-utm-it_security-it_certification-infosec,2-473.html
Xamin (2014). Top Trends In IT Audits Within Financial Institutions – Part I and Part II. http://www.xamin.com/top-trends-audits-within-financial-institutions-part.html
***Images and Cartoons were retrieved from Google images.
Any Questions?