BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

Unified Vulnerability Management for Financial Organizations

Post by Morey Haber June 14, 2011

If you are in the financial sector, how are you protecting your financial systems from tampering? If you are the CEO or CFO you must ensure that you financial reports are accurate, delivered in a timely fashion, and do not contain any information that was tampered with. This requires securing critical information technology systems that contain this data and the systems that they are interconnected with. The entire infrastructure that supports this is commonly referred to as the “scope“. Systems in Scope have interconnections between them and are used to transfer data or process data elements used to create accurate records. For the executive signing off on an organization’s financial reports, ensuring that all the systems in scope are not tampered with is a critical function that they must get right. The tampering of data can occur in a variety of ways but the most critical is when it is done using flaws in the underlying technology such as vulnerabilities. This is where a Unified Vulnerability Management program becomes a strategic part in ensuring the accuracy of a financial organization’s reports. It can identify flaws in the technology, make recommendations for remediation, perform patch mitigation, and provide protection against zero day vulnerabilities and Advanced Persistent Threats.

This type of security is covered by two different regulatory initiatives that may be applicable to your financial organization:

SOX
Description
In July 2002, the United States Congress passed the Sarbanes-Oxley Act (“SOX”), which was primarily designed to restore investor confidence following well-publicized bankruptcies that brought chief executives, audit committees, and independent auditors under heavy scrutiny.  The act is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC).  Financial data and documentation are at the heart of the compliancy issue. 

Vulnerability and Risk Requirements
SOX Section 404: Assessment of Internal Control
Understand the flow of transactions, including IT aspects, to identify points at which a misstatement could arise. Evaluate controls designed to prevent or detect fraud. Perform a fraud risk assessment.

GLBA
Description
The Gramm-Leach-Bliley Act (GLBA) was enacted to ensure protection over customer’s records and information. To satisfy the rules and provisions of GLBA, financial institutions are required to perform security risk assessments, develop and implement security solutions that effectivelydetect, prevent, and allow timely incident response, and to perform auditing and monitoring of their security environment.

Vulnerability and Risk Requirements
Section 508
Subtitle A: Disclosure of Nonpublic Personal Information
Constructing a thorough [risk management] on each department handling the nonpublic information
Subtitle B: Fraudulent Access to Financial Information
Social engineering occurs when someone tries to gain access to personal nonpublic information without proper authority

eEye solutions have taken into consideration the requirements of our clients that need to monitor systems for vulnerabilities and these regulatory compliance initiatives. Retina CS has dedicated scanning and report templates for both SOX and GLBA, and Retina Insight provides long term data warehouse reporting on security trends and regulation compliance. For example, the report below shows SOX trending over last few months for Section 404:

Ensuring against financial tampering is difficult when systems have known vulnerabilities that can be leveraged to disrupt operations, steal information, or alter underlying data. The example highlights how IT processes have not been fixing vulnerabilities from July 2010 until March 2011. After March, some mitigation was performed to lower the risk but not enough to fully ensure that a threat could still not tamper with critical systems. This process has been displayed in the form of Section 404 requirements for SOX and not just raw vulnerability data. It allows C level executives to understand how they are truly protecting their businesses and the controls in place to secure data. These types of reports provide the proof to the financial documents they need to sign and the piece of mind that their organization is using the correct processes to ensuring financial reports are accurate and have not been tampered with.

For more information on Retina CS or Retina Insight, please click here. 

Additional articles

insider-threat-fed

Mitigating Inside Threats to U.S. Federal IT Environments

Recent high-profile cases have increased the perceived risks that go along with disclosure and usage of confidential information. One of the most difficult security threats to mitigate is an attack from the inside. When an over-privileged user, such as an unhappy current or former employee, contractor, or consultant, begins navigating your network, how will you…

Post by BeyondTrust Software April 17, 2014
Tags:
, , , , ,

Are you a Target? Investigating Security Breaches with Kevin Johnson

Last week, over 1,000 IT security professionals watched as Kevin Johnson, CEO of Secure Ideas, presented his expert opinion on lessons learned from recent, high-profile retail breaches. Here’s a summary of key takeaways from the webcast plus an on-demand recording of the full, 60-minute presentation. Understanding the “why” behind attacks According to Kevin, the primary…

Post by Chris Burd April 17, 2014
Tags:
, , , , ,

Vulnerability Expert Forum Highlights: April 2014

We had a great turnout for last week’s April 2014 Vulnerability Expert Forum (VEF) webcast. BeyondTrust Research experts, Carter and DJ, provided in-depth knowledge about the latest vulnerabilities and their potential impacts on network environments. Below are highlights from the Forum, plus an on-demand video of the presentation. Latest critical vulnerabilities, vendor patches, and zero-day…

Post by Chris Burd April 16, 2014
Tags:
, , , , ,