Eight Financial Services Security Concerns: Banking on Minimal Breaches

Technology services provider EDS identifies eight priorities for security at financial institutions


PLANO, Texas, March 12 -- EDS has identified eight key security risks that should be of utmost concern to financial institutions. The importance of security and operational risk management has grown tremendously due to a variety of factors, including growing regulatory requirements, increasing security risk from insiders and the growing number of data security breaches.

Financial institutions are currently responsible for customer and corporate security at three separate levels: the financial institution (including network and infrastructure all the way to employees and agents with access to data), service providers (outsourced functions must still include management responsibility by the financial institution) and consumers (consumer end-point vulnerabilities can jeopardize a financial institution's security). Financial institutions only have direct control over one or two of these levels, and the rapidly evolving environment is changing the way they approach security and operational risk management. EDS recommends eight risk priorities that financial institutions must consider to minimize the possibility of security breaches.

1. Securing Data Outside the Organization - Since regulators demand that non-public personal information be backed up and stored off-site, risks arise because large banks do not have the infrastructure to support the bandwidth required to move all their data electronically. When financial institutions use tapes or other removable media for storage, dangers can arise through the loss or theft of these media during shipping. Encryption of all data that is moved offsite is crucial, but it should be mandatory for portable end-user devices such as laptops and PDAs, as well as for all removable media.

2. Security and Privacy Controls of Service Partners - Privacy and security regulations dictate that financial institutions are ultimately responsible for the actions of their service partners. Therefore, a key risk management priority becomes the assurance that both domestic and offshore service providers have adequate security and privacy controls to detect and prevent breaches in the confidentiality and integrity of customer information.

3. Insider Threat - While financial institutions have put appropriate measures in place to protect against external threats, it is generally accepted that the majority of data losses today are the result of the "Insider Threat." Employees or contractors whose roles allow them access to significant personal and confidential information have often been the causes of information loss. However, systemic problems and accidental employee actions are the most frequent forms of potential data loss. Financial institutions need to consider the deployment of data loss prevention tools. These tools can not only monitor and optionally block outbound sensitive communications of all types, but can also verify that no personal or confidential information has been stored on widely accessible shared drives or Web servers. Many tools also now provide very granular control of end-user devices and can selectively prevent copying and pasting of personal or confidential information, or writing it to removable media.
