Pushing past the perplexity in protecting PIFI


Rick Lawhorn, Contributor
03.26.2008




The process of protecting personally identifiable financial information (PIFI) is a daunting task for many security professionals. The objectives are relatively clear, but the means to achieving those objectives are constantly changing while the industry learns to adapt.

Personally identifiable information (PII) is any piece of information that can potentially be used to uniquely identify or locate a person. This information has become more important as information technology and the Internet have made it easier to collect. In particular, PIFI has become a target of criminals who harvest, stalk or sell the identity of a person for personal gain. In addition, the growth of business and knowledge process outsourcing has exposed PII and PIFI even further, because the information is shared with outside parties. In response, many Web site privacy policies address the collection of PII, and lawmakers have put limits on the distribution and accessibility of PII.

Let's examine three areas of vulnerability and the role information security can play in preventing or decreasing the risk of a breach:

Problem: Business and knowledge process outsourcing
Outsourcing business processes and, of late, knowledge processes is a major concern from an information security perspective. Once a business function begins to participate in process globalization, the business no longer directly controls the chain of custody of financial or personally identifiable information in that process. The only security control available is the contract or service agreement, which can be difficult to change once it is established.

Recommendations: Information security should work closely with sourcing and legal teams when contracts are under initial review to assess whether the contract stipulates security controls, the right to conduct audits, and access controls. If you are working with an existing partner, review the active contract and, if necessary, submit change requests to the master services agreement. Building incentives for the business to assist in measuring and monitoring the partner's risk profile will go a long way toward maintaining a healthy security posture for customer data.

Problem: Sensitive customer data inventory
Having a data inventory is key to claiming any level of control over customer data. A data inventory is also the basis for most of the consumer data protection and privacy laws that exist today. If you do not know where and how the data is being used, then you cannot claim that your customer data is secure. You should know where sensitive data is located, how it is used in transactions, where it is displayed and how it is accessed. How easily the inventory can be established depends on your organization's maturity in data management, change management and exception management documentation.

Recommendations: Information security should build a process to capture sensitive data elements at key points in the deployment life cycle, such as change or production control. This keeps the inventory up to date and accessible for future auditing needs. Next, develop a qualitative mechanism to capture business intelligence from data owners and system users. Finally, implement technology to systematically discover sensitive data structures, both to fill gaps in the inventory and to flag transactions and data stores that you did not know about.
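The last recommendation, automated discovery that reconciles what is actually present against the recorded inventory, is the one that benefits from a worked example. The script below is an added illustration written for this article, not code from the author or any product: it classifies sampled column values with simple PIFI detectors (SSN format, ABA routing-number checksum, Luhn check for payment card numbers), then reports columns that hold sensitive data but are missing from the inventory, and inventory entries that the scan no longer finds. The inventory, system and table names and all sample values are constructed for the example; a real scan would sample far more rows per column.

```python
"""Sensitive data inventory reconciliation (added example, constructed data)."""
import re
from typing import Dict, List, Optional, Tuple

ColumnKey = Tuple[str, str, str]  # (system, table, column)

# Hypothetical inventory captured through change/production control.
KNOWN_INVENTORY: Dict[ColumnKey, str] = {
    ("core_banking", "accounts", "routing_number"): "aba_routing",
    ("core_banking", "customers", "ssn"): "ssn",
    ("legacy_ledger", "clients", "ssn"): "ssn",  # recorded, but the system was retired
}

# Constructed output of an automated discovery scan: each column with sampled values.
SCANNED_COLUMNS: List[Tuple[ColumnKey, List[str]]] = [
    (("core_banking", "accounts", "routing_number"), ["123456780", "246813572"]),
    (("core_banking", "customers", "ssn"), ["123-45-6789", "987-65-4321"]),
    (("core_banking", "customers", "city"), ["Richmond", "Atlanta"]),
    # SSNs copied into a reporting export nobody told security about
    (("reporting", "export_q1", "col_7"), ["123-45-6789", "111-22-3333", "n/a"]),
    # card numbers stored in the CRM; values are standard test numbers
    (("crm", "contacts", "card_on_file"), ["4111111111111111", "5500000000000004"]),
]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, as used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_routing_ok(digits: str) -> bool:
    """ABA routing transit number checksum (3-7-1 digit weighting)."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def classify_value(value: str) -> Optional[str]:
    """Return the sensitive data type a single value looks like, or None."""
    v = value.strip()
    if SSN_RE.match(v):
        return "ssn"
    if aba_routing_ok(v):
        return "aba_routing"
    if 13 <= len(v) <= 19 and luhn_ok(v):
        return "payment_card"
    return None


def classify_column(samples: List[str], threshold: float = 0.5) -> Optional[str]:
    """Label a column when more than `threshold` of its samples share one sensitive type."""
    counts: Dict[str, int] = {}
    for s in samples:
        label = classify_value(s)
        if label:
            counts[label] = counts.get(label, 0) + 1
    if not counts:
        return None
    label, n = max(counts.items(), key=lambda kv: kv[1])
    return label if n / len(samples) > threshold else None


def reconcile(inventory: Dict[ColumnKey, str],
              scanned: List[Tuple[ColumnKey, List[str]]]) -> Dict[str, Dict[ColumnKey, str]]:
    """Compare discovered sensitive columns with the inventory.

    'unrecorded': sensitive columns the scan found that the inventory lacks (the gap to close).
    'stale': inventory entries the scan no longer sees (decommissioned or moved data).
    """
    found = {key: label for key, samples in scanned
             for label in [classify_column(samples)] if label}
    unrecorded = {k: v for k, v in found.items() if k not in inventory}
    stale = {k: v for k, v in inventory.items() if k not in found}
    return {"unrecorded": unrecorded, "stale": stale}


if __name__ == "__main__":
    report = reconcile(KNOWN_INVENTORY, SCANNED_COLUMNS)
    for kind, entries in report.items():
        print(kind.upper())
        for (system, table, column), label in entries.items():
            print(f"  {system}.{table}.{column}: {label}")
```

Run on the constructed data, the report flags the reporting export and the CRM card column as unrecorded sensitive stores and marks the retired ledger entry as stale. The majority-vote threshold in classify_column keeps a single stray value (a test SSN in a free-text field, say) from labelling a whole column, which is the usual source of noise in discovery tools.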

Problem: Regulatory overload
Financial services companies are inundated with regulatory requirements and audits. Often, the customer information requirements of different regulations conflict, or they promote redundant activities that consume valuable resources. Many companies choose either to segregate the data physically or to adopt the most restrictive requirements as their default mode of operation. Either way, this increases the time, energy and cost of maintaining compliance.

Recommendations: Information security must demonstrate value to the organization by maintaining focus, reducing costs and eliminating waste while preserving compliance. A simple shift in thinking, from traditional regulatory silos to comparing the work structure across regulatory requirements, will advance the overall objective. By developing a matrix that compares the work structure, you can identify similar activities and develop one solution that covers them.

As regulators and legislators apply greater scrutiny to the management of personal information, information security will need to demonstrate that it has investigated the business process to understand what information is being accessed and where it is going, especially with outsourcers.

Developing a sensitive data inventory and identifying the common requirements across regulations will give information security a solid toolset for identifying risks and demonstrating the appropriate compliance in future audits and inquiries.

About the author:
Rick Lawhorn, CISSP, CISA, is the director of information security and compliance at PlanIT Technology Group and previously was CISO for GE Financial Assurance and Genworth Financial. He has more than 17 years of experience in information technology and extensive security experience, and has created a working group focused on developing meaningful metrics for CISOs. He can be reached at rick.lawhorn@mac.com.

