By Peter Bradley, CEO at Torsion Information Security (www.torsionis.com)
Info security, data governance, data access... call it what you will, but for the finance industry there are hoops galore to jump through if you want to remain compliant.
As well as regularly scheduled compliance checks from internal auditors, there can also be unannounced spot checks from the external regulators.
What do you need to show them? You need to demonstrate that you know exactly who has access to what information, why and when; that you have the right processes in place to keep that access correct and appropriate; and that you are asking the right questions internally and externally. You must prove that you are in complete control when it comes to owning and sharing data.
Financial organisations typically manage high volumes of sensitive data that needs controlling. There’s financial data, commercial data, customer data, and if you’re publicly listed the level of control required is even higher.
As well as the compliance checks there are various standards that you may operate under such as PCI DSS for customer payment data and ISO 27001 for info security.
And while SharePoint and other collaboration tools such as Office 365 and Microsoft Teams are great for sharing files, folders and sites with colleagues (and with people outside your business), access can quickly get out of control. 'SharePoint sprawl' is therefore one of the major drawbacks of collaboration platforms, particularly as it affects crucial business practices such as data governance, cyber security and data management.
Add all of this together and firms simply have too much data, too many people and too much constant business change for sprawling data access to be managed effectively by manual processes or tools. Access to data, for instance, is shared on average up to forty-four times more often than it is revoked, so 'who has access to what' accumulates and sprawls at a rapid rate.
So how can you ensure you are data governance compliant 24/7?
Know who has access to what information
There are plenty of processes you can put in place to monitor who has access to which documents and folders, such as creating a thorough catalogue of sites, restricting permissions and providing clear site descriptions. However, these processes are highly manual, and the effort involved is far beyond the resources of most data-rich firms.
The good news is that there are now automated solutions, built on machine learning, that engage business users without being a burden on their day-to-day activities.
These tools integrate with existing collaboration systems such as SharePoint and Office 365 and use machine learning, data science and cloud-scale computing to constantly monitor and control who has access to what. The sprawl, and with it data governance, can be brought under control.
Prove that you are in control
When it comes to data, it often comes down to the firm being able to prove that it is in control of access. So you need to go the extra mile and prove to the auditor not only who has access to which documents but also why somebody has access to a specific piece of information. The business process that produces the list of who has access to something must be shown to be appropriate and working well; just presenting a list of names is no longer sufficient.
Put another way, only when you know the reason why someone has access can you prove to an auditor whether they should have access, by demonstrating that the reason is actually still true.
So, if someone shares a file or site, you need to capture the reason why. This could be their job role or department, the account they're working on, or the fact that they're temporarily covering for someone else. Then you need to monitor those reasons, detect whenever they are no longer true, and proactively revoke access that is no longer appropriate.
For example, if Jane is covering Mary's maternity leave, she should only have access to Mary's documents for the period Mary is away, and the permission should record both the reason Jane has access (maternity cover) and how long for. If an auditor sees this rule, they can easily cross-check whether Mary is still on maternity leave or has returned. You have therefore proven that you are in control of why each person has access to specific information.
Of course, this is too onerous to manage manually, and there are now automation tools that can record access permissions, set rules and automatically revoke access when it is no longer valid or required. At any point the auditor can see who has access to what information and why they have it, and, most importantly, has proof that the access is correct and appropriate.
Carry out regular security certifications
Another tactic you can employ is to carry out periodic security certifications (access reviews), asking business users to certify that access to the information they are responsible for is correct. This further demonstrates that a firm is in control of its sensitive information.
It is not viable for a central IT department to know who should have access to what, particularly in a large financial institution. Information security needs to engage all business users and become everybody's problem and responsibility. All staff need to be made aware of how to handle information safely and securely, how to spot incidents and what to do in the event of a breach. It should therefore fall to the business users to certify access to their own data.
But business users are busy with their day-to-day jobs, so once again it makes sense to introduce software that runs the certifications automatically and keeps the burden on the business user to a minimum.
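The justification-and-revoke loop described under "Prove that you are in control", together with the periodic certification described in this section, can be made concrete. The following Python is an added example written for this article; it is not Torsion's product and not code from the page. The grant record (who, what, why, since when, until when), the organisation snapshot it is checked against (departments, client-account membership, who is on leave), the 90-day certification interval and all names and resources are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example: a reason-based access register with automatic revocation and
# periodic certification. Names, resources, the HR snapshots and the 90-day
# interval are constructed for illustration; this is not Torsion's code.

@dataclass(frozen=True)
class Grant:
    principal: str                  # who
    resource: str                   # what (site, folder, document)
    reason_kind: str                # "role", "account" or "cover"
    reason_ref: str                 # department, client account or person covered
    granted: date                   # when
    expires: Optional[date] = None  # hard stop, e.g. end of a leave period
    last_certified: Optional[date] = None

@dataclass
class OrgSnapshot:
    """What a governance tool would read from HR and account systems (constructed)."""
    department: dict        # principal -> department
    account_members: dict   # client account -> set of principals
    on_leave: set           # principals currently on leave

def reason_still_true(g: Grant, org: OrgSnapshot, today: date) -> bool:
    """Re-evaluate the recorded justification against the live organisation state."""
    if g.expires is not None and today > g.expires:
        return False
    if g.reason_kind == "role":
        return org.department.get(g.principal) == g.reason_ref
    if g.reason_kind == "account":
        return g.principal in org.account_members.get(g.reason_ref, set())
    if g.reason_kind == "cover":
        # Covering for a colleague only justifies access while that colleague is away.
        return g.reason_ref in org.on_leave
    return False  # unknown or missing justification: fail closed

def reconcile(grants, org, today, cert_interval=timedelta(days=90)):
    """Split grants into keep / revoke / needs-certification."""
    keep, revoke, certify = [], [], []
    for g in grants:
        if not reason_still_true(g, org, today):
            revoke.append(g)
            continue
        keep.append(g)
        last = g.last_certified or g.granted
        if today - last >= cert_interval:
            certify.append(g)  # the owner is prompted to confirm the access is still right
    return keep, revoke, certify

def audit_lines(grants):
    """The 'who, what, why, since when' record an auditor would be shown."""
    return [
        f"{g.principal} -> {g.resource} [{g.reason_kind}: {g.reason_ref}] "
        f"since {g.granted.isoformat()}"
        + (f", until {g.expires.isoformat()}" if g.expires else "")
        for g in grants
    ]

# Constructed sample register and two snapshots of the organisation.
GRANTS = [
    Grant("bob", "sites/finance", "role", "Finance", date(2024, 1, 10), last_certified=date(2024, 5, 1)),
    Grant("alice", "sites/clients/acme", "account", "ACME", date(2024, 2, 1)),
    Grant("jane", "sites/hr/mary-docs", "cover", "mary", date(2024, 3, 1), expires=date(2024, 9, 30)),
]

DURING_LEAVE = OrgSnapshot(
    department={"bob": "Finance", "alice": "Sales", "jane": "HR", "mary": "HR"},
    account_members={"ACME": {"alice"}},
    on_leave={"mary"},
)

AFTER_RETURN = OrgSnapshot(
    department={"bob": "Finance", "alice": "Sales", "jane": "HR", "mary": "HR"},
    account_members={"ACME": set()},  # alice has rolled off the ACME account
    on_leave=set(),                   # mary is back
)

def review(org: OrgSnapshot, iso_today: str):
    """Run the reconciliation for a given day; returns (keep, revoke, certify) as principal names."""
    keep, revoke, certify = reconcile(GRANTS, org, date.fromisoformat(iso_today))
    return ([g.principal for g in keep],
            [g.principal for g in revoke],
            [g.principal for g in certify])

if __name__ == "__main__":
    for label, org in (("during leave", DURING_LEAVE), ("after return", AFTER_RETURN)):
        keep, revoke, certify = reconcile(GRANTS, org, date(2024, 7, 1))
        print(f"== {label} ==")
        print("revoke: ", [g.principal for g in revoke])
        print("certify:", [g.principal for g in certify])
        for line in audit_lines(keep):
            print("  ", line)
```

Run it and the two snapshots show the point of recording reasons: while Mary is on leave Jane's cover grant is kept (and, being over 90 days old, queued for certification); once Mary returns, the same grant is revoked without anyone having to remember it exists, and Alice loses ACME access the moment she is no longer on that account. An expired cover grant is revoked even if the leave is still recorded, so a stale HR feed cannot keep access alive.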
Data access compliance in action
CPS is the industry's only independent global provider of data-driven cash management solutions. They provide cash centre consultancy, data and software solutions and sorting machines, supported by a global service team, to central banks, commercial processors and retailers, as well as single-note inspection systems to banknote printworks.
They use an automated platform from Torsion Information Security to ensure they are compliant at all times and to minimise the chances of a security breach.
The software monitors for and detects inappropriate access, out-of-date folders and permissions, duplication and the movement of files. If anything doesn't look right it promptly alerts a business user associated with the file and shuts down the potential breach. Otherwise it runs in the background until it is needed. It carries out periodic security certifications by briefly prompting a user to check that access is still current. At any time they can produce a record of who has access to what information, when and why, and prove they are in control of it.