Understanding Enterprise Privacy Compliance Processes for the
Financial Services Industry
Harvard Privacy Symposium
August 20, 2008
3:00 – 3:45 p.m.
Susan M. Pandy, Senior Director, Internet & eCommerce, NACHA
John Carlson, Senior Vice President, BITS
Dan Burks, Chief Privacy Officer, U.S. Bank
Agenda
• Electronic Payments Snapshot
• Risks
• Regulation & Supervision
• Striking a Balance between Security, Privacy and Convenience
The Electronic Payments Mix
Changes in Payments Volumes ’03 – ‘06
* Includes ACH, Credit Card, Debit Card and EBT. Does not include check images.
[Bar chart: change in volume, Electronics* +18.6; Checks Written -4.5 (axis -5 to 20)]
76% of the increase in total electronic volume comes from sources other than declines in check volume.
Source: ECCHO, Federal Reserve 2007 Payments Study
Checks Become Less Relevant Over Time
• To Come
Banks Respond with Electronic Payments
Source: Grant Thornton 14th Annual Bank Executive Survey
Cross-Channel Information Risk
[Diagram: channels (Internet/PC, ATM, Physical, POS, Wireless) mapped to threats: Phishing, Man-in-the-Middle, Hacking, Worms, Employee Theft, Spyware, Theft of Data, Skimming, Trapping, Dumpster Diving, Mail Theft, External Theft]
Information Risk in Electronic Payments
• Increased product offerings across channels (e.g., Internet, phone, mobile, ATM, branch, etc.)
• Enhanced accessibility to electronic payment channels/networks = End-to-end transaction risk
• Information fraud = attempts to gain access to identities, transactions, credentials, data or any combination of these factors.
• Exposure risk: Trojans, crimeware, data breaches and hacking
Sample Headlines
• Feds Arrest Hackers of TJX, Other Retailers in Huge Conspiracy Bust: Eleven perpetrators held responsible for online theft and sale of more than 40 million credit and debit cards
• Card data stolen from grocery chain
Privacy Trust Eroding Factors
Bar Chart 4: Factors Most Likely to Decrease Privacy Trust Scores
[Bar chart: Data breach -48%; Irresponsible marketing -44%; Data inaccuracy -36%; Too much "legalese" -23%; Aggressive sharing -19%; Customer service mishaps -17%]
Source: Ponemon Institute 2007
Effect of a Breach on Privacy Trust
Bar Chart 2: Percentage Difference between 12 Data Breach Companies and Sample Average Ranks in 2006 and 2007
[Bar chart: 2006, before breach +1%; 2007, after breach -23%]
Source: Ponemon Institute 2007
Regulation and Supervision
• Role of Regulators in security and privacy protection
– Differences between financial regulators and the Federal Trade Commission
– Focus on authentication as one of several important security controls
• Industry collaboration
• Research and development priorities
Key Regulatory Requirements
• Gramm-Leach-Bliley Act (GLBA)
• Identity Theft “Red Flags” Rule
• Interagency guidance
– Information security, including authentication
– Vendor management
Authentication Requirements
• 2005: Federal Financial Institutions Examination Council (FFIEC) updated guidance for authentication
– Risk-based program that requires:
• Risk assessment process
• Adequate “layered” security controls
• Customer awareness programs
– Urges multifactor authentication
– Applies to all forms of electronic banking activities
Authentication (Cont.)
• In response to risks and regulatory/supervisory requirements, financial institutions are:
– Deploying stronger and broadly accepted authentication methods, predominantly knowledge-based authentication (KBA) (e.g., challenge questions) and/or device authentication (e.g., unique identifier of customer’s PC)
– Tokens also used, but for limited applications (e.g., high value transfers)
– Applying layered controls to protect consumers and FIs
• Guidance underscores the importance of the enrollment process and scalability
• Consumer acceptance is top concern, together with cost and technology readiness
– Reveals tension between imposing new requirements and customer convenience
Vendor Management Requirements
• Oversight of third party service providers
– Senior Management/Board Oversight
– Risk assessment
– Contract review
– Ongoing monitoring
• Risk-based supervision
– Increasing focus on oversight of both domestic and foreign-based service providers
Financial Industry Challenges
• Changing threat landscape
• Evolution and adequacy of controls
• Vendor management
• Customer convenience
• Customer privacy preferences and security expectations
• Fraud from traditional and new channels
• Privacy issues around new channels
Examples of Industry Efforts
• Identity Theft Assistance Center
• Focused efforts to address fraud, security and vendor management through BITS/The Financial Services Roundtable
– Development of industry best practices, including:
• Breach notification
• Securing data in transport and storage
• Encryption key management
• Security awareness programs
• Shared Assessments Program
Financial Sector R&D Priorities
• Financial Services Sector Coordinating Council established in 2002
– 45 financial sector associations and financial institutions
– Goal: critical infrastructure protection and homeland security through coordination and collaboration
– Works in partnership with the Treasury Department and financial regulators in the Financial and Banking Information Infrastructure Committee (FBIIC)
• R&D committee established 2004
– Identifies priorities for research
– Beta testing SMART program as a means to provide subject matter experts to researchers in academia
Seven Major Challenges Facing the Finance and Banking Sector
1. Designing and Testing Secure Applications
2. More Secure and Resilient Financial Transaction Systems
3. Enrollment and Identity Credential Management
4. Understanding the Human Insider Threat
5. Data Centric Protection Strategies
6. Measuring the Value of Security Investments
7. Development of Practical Standards
Striking A Balance
[Diagram: balance among Customer Convenience & Access, Privacy, and Information Security]
Balancing Security, Privacy and Convenience
• Keeping pace with technology
• Channel specific fraud detection
• Compliance challenges
• Privacy as strategic marketing vs. compliance exercise
Information Fraud: Sensitive Information Movement – End-to-End
[Diagram: sensitive information flow across Endpoint, Applications, Storage, Files and Network; components shown: File Server, Production Data, Data warehouse, DR, Staging, WW Campuses, WW Customers, WW Partners, Remote Employees, WAN, WWW, VPN, Disk storage, Back up disk, Back up tape, Outsourced Development, Enterprise email, Business Analytics, Customer Portal]
Information Fraud: Specific Risks
[Diagram: the same end-to-end flow (Endpoint, Applications, Storage, Files, Network and the components above) annotated with specific risks: Media Theft, Device Theft, Takeover, Fraud, Intercept, Media Loss, Unauthorized Access, DoS, Corruption, Unavailability, Eavesdropping, Data Theft, Data Loss, Device Loss, Unintentional Distribution, Unauthorized Activity]
Best Practices for Mitigating Against Information Fraud Risks: External
• Protect against emerging threats
– Monitor for developments and changes
• Maintain a logical authentication strategy
– Revisit this strategy
• Educate
– Without creating paranoia or indifference
Best Practices for Mitigating Against Information Fraud Risks: External
• Understand what data is most sensitive to the business
• Select appropriate controls based on:
– Policy
– Risk
– Where sensitive data resides
• Manage security centrally
• Audit security to constantly improve
Select the Appropriate Controls
• Data Controls: Encryption and Key Management
• Data Controls: Enterprise Digital Rights Management
• Access Controls: Authentication and Authorization
• Audit Controls: Security Event and Information Management
• Data Controls: Data Loss Prevention
Contact Information
Susan Pandy, Senior Director, Internet & eCommerce, NACHA, www.nacha.org
John Carlson, Senior Vice President, BITS, www.bitsinfo.org
Dan Burks, Chief Privacy Officer, U.S. Bank, www.usbank.com