Banking on Identity Management for Security and Compliance
Because of the sensitive nature of the assets and information they maintain for customers, ensuring a highly secure environment is mission-critical for banks and other financial institutions. Any breach of or lapse in security can be disastrous and costly, with revenue loss, higher operating costs and damaged reputation heading the list of potentially damaging consequences.
Financial institutions have long recognized the need for a high level of security, and many have made significant investments in their IT infrastructure and other solutions that help secure customer data and assets from cyber breaches. Other physical security solutions address the need to know and control who is in a facility, where they are, what areas they can (and do) access, and for what duration of time.
While these robust solutions serve to improve security, financial institutions are also subject to corporate governance and oversight by FDIC, FFIEC and other government agencies, as well as strict documentation and reporting requirements. There are also a number of government regulations institutions must comply with, including BASEL III, GLBA, SOX and SAS 70. It should come as no surprise that financial institutions expend a great deal of time, effort and expense just to maintain compliance with these agencies and regulations.
Thankfully, there are tools designed to mitigate these challenges, including visitor and identity management software solutions. In addition to drastically improving overall security, best-in-breed software can also alleviate many of the pain points associated with compliance. Just how these physical identity access management (PIAM) solutions can be applied to address the requirements of the most prominent agencies and standards is explained below.
Federal Deposit Insurance Corporation (FDIC)
Perhaps the most well-known of the agencies, FDIC oversees financial institutions’ adherence to the many statutory requirements for providing information and reports to respective regulators and other parties. Because PIAM software is designed for policy- or rules-based processes, the system can be configured to perform required processes automatically, including background checks on identities at set intervals. An accompanying policy could be written to perform this task more frequently for contractors or temporary employees, with automatic alerts sent if these checks result in a change in status for individuals.
Federal Financial Institutions Examination Council (FFIEC)
This agency is charged with establishing uniform principles, standards and reports, to promote uniformity in the supervision of financial institutions. Role-based access is a hallmark of PIAM solutions, allowing them to efficiently control access authorization for secured areas. Access requests are approved or denied by approvers or signatories who have been authorized within the software. When access to a secured area is requested, these individuals receive an automated alert that requires them to visit a web-based portal to approve or deny the request based on policies created within the software. This process automatically documents compliance with requirements for attestation reports that verify who approved access to which doors and for what duration of time.
Statement on Auditing Standards No. 70, Service Organizations (SAS 70)
Issued by the American Institute of Certified Public Accountants (AICPA), SAS 70 provides standards to service auditors for assessing the internal control and activities of an organization. PIAM solutions address these requirements through provisioning, auditing and reporting, and off-boarding processes. The system automatically generates reports that show who visited a facility, who approved their visit, how long they stayed and which areas within the facility visitors were allowed to access.
Third Basel Accord (BASEL III)
This voluntary global standard deals with bank capital adequacy, stress testing and market liquidity risk. By enabling convergence between physical and logical security systems, PIAM solutions gather and can provide security intelligence and analytic data from a number of sources and systems. By pulling reports at pre-determined intervals, these solutions facilitate necessary checks that are used to measure liquidity risk exposure. The software also streamlines the monitoring process by having all policies reside within the system.
Gramm-Leach-Bliley Act (GLBA)
This law requires financial institutions to create an information security program to protect customer information from threats or unauthorized access that could result in substantial harm or inconvenience to any customer. The logical security component of PIAM solutions ensures that sensitive information can only be accessed by those who have been authorized to do so. Automated reports provide the detailed audit trail necessary to ensure compliance and pinpoint when and for how long a specific identity accessed what information.
Sarbanes-Oxley Act Sections 302 and 404 (SOX)
Section 302 of this law requires an organization’s signing officers to establish and maintain internal procedures designed to ensure accurate financial disclosure. Section 404 requires management and external auditors to report on the adequacy of an organization’s internal control on financial reporting. With PIAM solutions, users can audit and report activity related to identities within their organization, including reports that identify individuals’ activity such as what an individual is accessing from where and for how long, and whether any changes have been made to established policies. Alerts can be sent when policy- or rules-based criteria are not met, and audit reports can be generated at defined intervals or on an as-needed basis.
These are just some areas of compliance that best-in-breed visitor and identity management solutions address. The automated tracking and reporting functions contained in these solutions allow financial institutions to easily maintain and demonstrate compliance without incurring the significant effort and expense normally associated with this cumbersome process. At the same time, PIAM software also delivers the enhanced physical and logical security required to protect institutions and customer data and assets from unauthorized access – and prevent the potentially damaging consequences that follow. Rather than having to choose between allocating resources to compliance or security, financial institutions that implement PIAM solutions benefit from having a single tool that enhances both functions and can also improve overall operations significantly.