Banking and financial services are the lifeblood of today’s globalized economy. With a worldwide capitalization expected to exceed $143 trillion in 2014, the industry is the most heavily regulated and is more often than not a primary target for cybercrimes – including financial fraud, identity theft, data manipulation, denial of service, and advanced persistent hacking attacks on payment systems and other critical information systems and communication channels.
As banks focus on growth, rapid service delivery, reduced operational costs, increased efficiency, and enhanced customer experience, they execute various strategies, including:
- Expanding branches internationally and locally
- Adopting Internet and mobile banking
- Offering banking services and solutions tailored to customer demographics
- Embracing new technologies and paradigms such as cloud computing
- Forging new partnerships, utilizing mergers and acquisition to expand their reach and channels
- Adopting programmatic approaches to managing security and risk
- Investing in marketing and brand value creation
Such strategies increase interconnection and complexity in the banking industry and create opportunities for cyber-criminals. Hackers and organized crime groups are constantly innovating, using new, improvised or advanced techniques to subvert banks' information security controls and steal money. As a result, banks face these challenges:
- Managing risk – assessing, evaluating and mitigating financial, operational and information security risks
- Managing compliance – with regulations and standards (e.g., PCI DSS) and minimizing financial penalties
- Maintaining privacy – safeguarding customer identities against theft
- Protecting data – protecting sensitive financial information and maintaining transaction and data integrity
- Securing information – governing, managing, implementing, and sustaining effective security controls
- Managing vulnerabilities – detecting and managing application, network, system and device vulnerabilities
- Managing incidents – detecting, preventing and responding to information security incidents
- Managing vendor risk – managing and exchanging information with multiple vendors and suppliers
Many banks have deployed technology solutions to manage their security risks. While this is a great start, banks still struggle to implement the technologies effectively. With our extensive experience in serving banking clients, Aujas understands the challenges and complexities in the banking world. We offer solutions that help banks face those challenges and better manage information security risks.
We help our banking clients establish effective programs and solutions for protecting their data, managing security incidents and vulnerabilities, and for implementing effective information security risk and compliance programs.
Banks must comply with standards and regulations such as PCI DSS, GLBA, and privacy laws. They also look to implement information security management systems that follow industry best practices such as ISO 27001 to govern their security program.
We not only help with PCI DSS compliance, we provide services that allow for automation of governance, risk and compliance (GRC) programs:
- Our integrated GRC management approach allows our clients to build a system that integrates all of their compliance requirements. This helps to minimize audit fatigue.
- We help our clients through the journey of PCI DSS compliance by assessing readiness levels – which is easy – and helping in readiness and remediation efforts. Our Compliance Assure solution helps banks automate self-assessments.
- We offer comprehensive services to manage vendor risk. Our services range from defining and operationalizing the entire vendor risk management program to conducting third party risk assessments. We support custom vendor risk assessment frameworks and standardized frameworks such as Shared Assessments AUP, SIG and SIG lite. We are members of Shared Assessments and we use their assessment tools and frameworks.
- One of our specialties is IT GRC automation consulting using the RSA Archer eGRC Suite. We support our clients through blueprinting, deploying, and integrating the solution with processes and systems, and then managing it.
- Strategy and design – We evaluate our client’s needs quite thoroughly using executive workshops and field assessments. Then we provide a detailed strategy and roadmap for implementing enterprise-wide IAM initiatives. We also assist them with business case analysis, technology evaluation, and solution architecture.
- Role engineering and entitlement management – We help our clients define roles and manage entitlements, ensuring that employees have only the access required to do their jobs effectively for as long as they are doing those jobs. Our policy-based dynamic controls allow for automating who can have access to what, at what time, and in what context.
- Access management – We implement complete solutions for enterprise access management, including web access management, single sign-on, and converged access control.
- Sustenance and optimization – Identity access management is never static and a bank’s system needs to evolve. As an end-to-end solution provider, Aujas’ support is available to sustain and optimize an IAM solution through enhancements and upgrades.
- Establish a data protection framework and strategy to govern the management of sensitive data including customer demographics, card data, shopping histories, loyalty programs, supplier information, pricing, marketing plans, and more.
- Conduct data leakage risk assessments (DLRA) to identify where and how sensitive data is stored and used. We also perform risk assessments to identify breach risk and vectors.
- Integrate popular data protection technologies such as data leakage prevention (DLP), database activity monitoring (DAM), information rights management (IRM), data encryption, tokenization, and masking/redaction technologies.
- Monitor data protection technologies to identify potential data breach incidents and manage their consequences; improve effectiveness by fine-tuning rule bases and moving rules from passive monitoring to active protection.
Today, most banks offer their customers Internet and mobile banking services. It is vital that these channels be secured to protect customer data and maintain customer trust.
Banks work with us to assess and secure their infrastructure, web applications, and mobile applications. Our application security services include:
- Helping our clients to design, develop and manage vulnerability management programs. These programs leverage threat intelligence to anticipate and proactively mitigate vulnerabilities.
- Assessing a bank’s infrastructure, application and mobile application security by conducting vulnerability assessments, penetration testing and code reviews. We don’t stop at scanning technology; we also help clients mitigate the risks found. Our security assessments meet and exceed the ASV standards set forth by PCI.
- Assisting our customers in mitigating Advanced Persistent Threats with our APT risk mitigation service.
- Evaluating human behavior using our cloud-based Phishnix. This application not only assesses how susceptible people are to phishing attacks, it also trains them to avoid such attacks.
- We help our clients establish a more responsive incident management program by incorporating proactive and reactive processes. We enable our customers to define Indicators of Compromise (IoCs), work with threat intelligence, and use it within their threat management program.
- We use our Correlation Library to provide accelerated rule deployment for various SIEM/SA/SI technology providers.
- We help security leaders see through the reporting fog and focus on critical issues with our analytics and visualization solution for SIEM/SA.
- We design custom SIEM/SA solutions that go beyond traditional security event analytics and integrate analysis and correlation capabilities to solve other issues such as identity fraud.
- Mobile application security – We test for vulnerabilities in mobile applications with penetration testing (black/gray box), secure code review, reverse engineering and API security testing. We also help remediate the vulnerabilities found.
- Mobile application store security – We perform security assessments for internal apps, external apps, and open APIs. We also conduct secure code reviews and malicious pattern verification, and assess device OS and dependent telco components.
- Mobile payment and banking security – We assess mobile payment and banking applications, conduct secure code review and reverse engineering of payment gateways and application API/interfaces.
- USSD/DSTK application security – We assess USSD/DSTK applications, USSD gateways, and USSD application server frameworks. We review and analyze USSD logs, and perform PCI DSS and payment forum compliance pre-audits for USSD-based payment applications.
- Enterprise mobile data management services – We help clients with enterprise data fragmentation; access control for critical business data and business application usage; mobile content management; data storage encryption; and authentication for fragmented data.
- Mobile device security – We review the mobile devices’ security configuration; prepare customized device security policies and user awareness programs; and assess mobile platforms and operating systems (Android, iOS, Symbian, Blackberry, J2ME, and BADA).
Cloud computing is a fast growing technology and cloud-based business applications are growing at a rapid pace. Banks, however, are entering the cloud cautiously. Before moving to the cloud, banks must consider data confidentiality, security, regulatory compliance, interoperability of standards, and service quality.
Aujas helps banks enter the cloud with the confidence that their customer data can be secured and that they are complying with stringent banking regulations. We offer:
- Cloud security advisory – We assist organizations in establishing effective cloud security governance, operations strategy, and tactical processes.
- Secure cloud applications – We build the cloud application as well as the ecosystem around the core platform so that cloud applications are easy to use and secure.
- Secure release – Cloud security is not a one-step process; it requires constant innovation across various business needs. Our secure release program for the cloud adopts new and proven approaches and technologies to help secure applications with less user intervention.
Secure Code Review of Internet of Things for a Leading Payment Service Provider
One of the leading payment service providers in APAC engaged us to secure their mobile payment devices through secure code review and remediation advisories.
The goal of this engagement was to assess the device application source code for security flaws, validate that secure coding practices had been incorporated into the source code development life cycle, and assess the source code against industry best practices (OWASP).
Information Security Program Evaluation to Meet Regulatory Requirements for a Commercial Bank
Our client is a large international bank with an extensive network of branches, ATMs and remittance centers. Over the past three decades it has expanded dynamically and now provides a full range of banking products and services to retail and corporate customers. It also offers home financing and heavy equipment leasing services.
Powering the vendor risk program of a leading international bank
Our client is a leading international bank with a large footprint of 2402 domestic branches (including extension counters) and 12,922 ATMs spread across the country. The bank also has operations in Singapore, Hong Kong, Dubai, Sri Lanka and China.
Turning a Bank’s DLP from a Liability to an Asset
Our client is a large international bank with a global network of branches, remittance centers, and ATM kiosks. Over the past three decades, the bank has expanded and now provides a full range of banking products and services to its retail and corporate customers. It also offers home financing and heavy equipment leasing services.
Data Protection Program Implementation for One of the World’s Largest Banks
Privacy and data protection have recently become the prime focus for many organizations worldwide. An increasing number of data breaches have eroded customer and consumer trust, forcing countries to establish privacy and data protection rules and regulations. While organizations are moving towards implementing enterprise-wide data protection programs, the proliferation of technology, the advent of new data sharing channels and the dependency on cross-border data transfers have made the undertaking complex.
Mobile Banking Made Safe
Our client is a large private bank with a revenue of $6.5 billion last year. This bank had a national presence and a customer base of over 28 million. Our client wanted to make banking and other related services more easily available to customers and so had widely adopted mobile banking.
Techno Risk Assessment for Large Banking Client
Our client is a top regional bank with headquarters and regional offices around the world and a customer base of over 2 million. The bank offers services which include retail banking, commercial banking, treasury services, and project and structured home finance via its state-of-the-art data centers.