Network security, from policies to regular assessments, is integral to businesses of all sizes. Certain industries go further and mandate network security compliance. Finance is one, and businesses and organizations under this vast umbrella must comply with the following standards.
The Federal Financial Institutions Examination Council (FFIEC) outlines the principles, standards, and reports used in federal examination of financial institutions, and the Information Technology Handbook portion addresses network security and assessments. Covering everything from audits to e-banking standards, the FFIEC Information Technology Handbook essentially requires all such institutions to have strategies in place for identifying risk exposure, enforcing the confidentiality and availability of all information, determining the effectiveness of management planning, and evaluating processes and compliance. As part of business continuity planning, a network security policy must align with a financial institution's strategy for minimizing financial losses, improving customer experience, and reducing any negative effects.
Going into greater detail, the FFIEC Information Technology Handbook delineates standards for information security. Because security threats constantly evolve, a financial institution's network security policy must change with them. More specifically, an information security policy needs to react to changing threats and to assess and reduce risk through identification, management, implementation of new strategies, testing, and monitoring.
As many financial institutions have developed e-banking systems in recent years, the FFIEC Information Technology Handbook is devoted to addressing the related risks and procedures. E-banking makes such institutions particularly vulnerable online, and in response, these businesses and other entities must implement controls for guarding and securing customer information, including an authentication process for customers. Because such institutions are liable for unauthorized transactions, a network security policy needs to address potential losses from fraud and violations of customer privacy.
The Gramm-Leach-Bliley Act, or simply GLBA, is part of the FFIEC Information Technology Handbook but stands on its own. GLBA 501(b) is also known as the Interagency Guidelines Establishing Information Security Standards, but regardless of name, this section mandates safeguards for the security and confidentiality of all non-public personal information; protection against anticipated security threats and against unauthorized access to or use of that information; a risk-based security program built on the assessment and management of threats; training and testing; and monitoring, auditing, adjusting, and reporting.
Sarbanes-Oxley is an additional set of network security standards for financial institutions. Also known as the Public Company Accounting Reform and Protection Act of 2002, Sarbanes-Oxley goes into depth on reporting requirements. Section 404, the most pertinent, specifies that sufficient controls must be put in place to prevent fraud, misuse, and loss of financial data and transactions. To be effective, controls must quickly detect any intruders and take swift counteractive action, while also noting any exceptions. Sarbanes-Oxley 404 additionally specifies that a network security audit must be part of any overall assessment of a financial institution.