
1 Understanding Enterprise Privacy Compliance Processes for the Financial Services Industry
Harvard Privacy Symposium, August 20, 2008, 3:00 – 3:45 p.m.
Speakers:
- Susan M. Pandy, Senior Director, Internet & eCommerce, NACHA
- John Carlson, Senior Vice President, BITS
- Dan Burks, Chief Privacy Officer, U.S. Bank

2 Agenda
- Electronic Payments Snapshot
- Risks
- Regulation & Supervision
- Striking a Balance between Security, Privacy and Convenience

3 The Electronic Payments Mix

4 Changes in Payments Volumes ’03 – ’06
[Chart: change in volume, Electronics* 18.6 vs. Checks Written -4.5; axis from -5 to 20]
76% of the increase in total electronic volume comes from sources other than declines in check volume.
* Includes ACH, Credit Card, Debit Card and EBT. Does not include check images.
Source: ECCHO, Federal Reserve 2007 Payments Study

5 Checks Become Less Relevant Over Time To Come

6 Banks Respond with Electronic Payments
Source: Grant Thornton 14th Annual Bank Executive Survey

7 (image-only slide; no text)

8 Cross-Channel Information Risk
[Diagram: payment channels (Internet/PC, ATM, Physical, POS, Wireless) each annotated with the threats that apply to them. Threats shown: Phishing, Man-in-the-Middle, Hacking, Worms, Spyware, Theft of Data, Skimming, Trapping, Dumpster Diving, Mail Theft, External Theft, and Employee Theft, which recurs across every channel.]

9 Information Risk in Electronic Payments
- Increased product offerings across channels (e.g., Internet, phone, mobile, ATM, branch, etc.)
- Enhanced accessibility to electronic payment channels/networks = end-to-end transaction risk
- Information fraud = attempts to gain access to identities, transactions, credentials, data or any combination of these factors
- Exposure risk: Trojans, crimeware, data breaches and hacking

10 Sample Headlines
- "Feds Arrest Hackers of TJX, Other Retailers in Huge Conspiracy Bust"
- "Eleven perpetrators held responsible for online theft and sale of more than 40 million credit and debit cards"
- "Card data stolen from grocery chain"

11 (image-only slide; no text)

12 Privacy Trust Eroding Factors
Source: Ponemon Institute 2007

13 Effect of a Breach on Privacy Trust
Source: Ponemon Institute 2007

14 Regulation and Supervision
- Role of regulators in security and privacy protection
  – Differences between financial regulators and the Federal Trade Commission
  – Focus on authentication as one of several important security controls
- Industry collaboration
- Research and development priorities

15 Key Regulatory Requirements
- Gramm-Leach-Bliley Act (GLBA)
- Identity Theft “Red Flags” Rule
- Interagency guidance
  – Information security, including authentication
  – Vendor management

16 Authentication Requirements
- 2005: Federal Financial Institutions Examination Council (FFIEC) updated guidance for authentication
  – Risk-based program that requires: a risk assessment process; adequate “layered” security controls; customer awareness programs
  – Urges multifactor authentication
  – Applies to all forms of electronic banking activities

17 Authentication (Cont.)
- In response to risks and regulatory/supervisory requirements, financial institutions are:
  – Deploying stronger and broadly accepted authentication methods, predominantly knowledge-based authentication (KBA) (e.g., challenge questions) and/or device authentication (e.g., unique identifier of the customer’s PC)
  – Tokens are also used, but for limited applications (e.g., high-value transfers)
  – Applying layered controls to protect consumers and FIs
- Guidance underscores the importance of the enrollment process and scalability
- Consumer acceptance is the top concern, together with cost and technology readiness
  – Reveals tension between imposing new requirements and customer convenience

18 Vendor Management Requirements
- Oversight of third-party service providers
  – Senior management/board oversight
  – Risk assessment
  – Contract review
  – Ongoing monitoring
- Risk-based supervision
  – Increasing focus on oversight of both domestic and foreign-based service providers

19 Financial Industry Challenges
- Changing threat landscape
- Evolution and adequacy of controls
- Vendor management
- Customer convenience
- Customer privacy preferences and security expectations
- Fraud from traditional and new channels
- Privacy issues around new channels

20 Examples of Industry Efforts
- Identity Theft Assistance Center
- Focused efforts to address fraud, security and vendor management through BITS/The Financial Services Roundtable
  – Development of industry best practices, including: breach notification; securing data in transport and storage; encryption key management; security awareness programs
- Shared Assessments Program

21 Financial Sector R&D Priorities
- Financial Services Sector Coordinating Council established in 2002
  – 45 financial sector associations and financial institutions
  – Goal: critical infrastructure protection and homeland security through coordination and collaboration
  – Works in partnership with the Treasury Department and financial regulators in the Financial and Banking Information Infrastructure Committee (FBIIC)
- R&D committee established 2004
  – Identifies priorities for research
  – Beta testing the SMART program as a means to provide subject matter experts to researchers in academia

22 Seven Major Challenges Facing the Finance and Banking Sector
1. Designing and Testing Secure Applications
2. More Secure and Resilient Financial Transaction Systems
3. Enrollment and Identity Credential Management
4. Understanding the Human Insider Threat
5. Data-Centric Protection Strategies
6. Measuring the Value of Security Investments
7. Development of Practical Standards

23 Striking A Balance
[Diagram: three-way balance between Customer Convenience & Access, Privacy, and Information Security]

24 Balancing Security, Privacy and Convenience
- Keeping pace with technology
- Channel-specific fraud detection
- Compliance challenges
- Privacy as strategic marketing vs. compliance exercise

25 Information Fraud: Sensitive Information Movement – End-to-End
[Diagram: flow of sensitive data across File Server, Endpoint, Applications, Storage, Files and Network. Nodes shown: Production Data, Data warehouse, DR, Staging, WW Campuses, WW Customers, WW Partners, Remote Employees, WAN, WWW, VPN, Disk storage, Backup disk, Backup tape, Outsourced Development, Enterprise email, Business Analytics, Customer Portal]

26 Information Fraud: Specific Risks
[Diagram: the same end-to-end data flow (File Server, Endpoint, Applications, Storage, Files, Network and the nodes from the previous slide) annotated with specific risks: Media Theft, Device Theft, Takeover Fraud, Intercept, Media Loss, Unauthorized Access, DOS, Corruption, Unavailability, Eavesdropping, Data Theft, Data Loss, Device Loss, Unintentional Distribution, Unauthorized Activity]

27 Best Practices for Mitigating Against Information Fraud Risks: External
- Protect against emerging threats
  – Monitor for developments and changes
- Maintain a logical authentication strategy
  – Revisit this strategy
- Educate
  – Without creating paranoia or indifference

28 Best Practices for Mitigating Against Information Fraud Risks: External
- Understand what data is most sensitive to the business
- Select appropriate controls based on:
  – Policy
  – Risk
  – Where sensitive data resides
- Manage security centrally
- Audit security to constantly improve

29 Select the Appropriate Controls
- Data Controls: Encryption and Key Management
- Data Controls: Enterprise Digital Rights Management
- Data Controls: Data Loss Prevention
- Access Controls: Authentication and Authorization
- Audit Controls: Security Event and Information Management

30 Contact Information
- Susan Pandy, Senior Director Internet & eCommerce, NACHA: 703.561.3953, spandy@nacha.org, www.nacha.org
- John Carlson, Senior Vice President, BITS: 202.589.2442, john@fsround.org, www.bitsinfo.org
- Dan Burks, Chief Privacy Officer, U.S. Bank: 612.303.7816, daniel.burks@usbank.com, www.usbank.com
