Banking and financial services are the lifeblood of today’s globalized economy. With a worldwide capitalization expected to exceed $143 trillion in 2014, the banking industry is the most heavily regulated and is more often than not a primary target for cybercrimes – including financial fraud, identity theft, data manipulation, denial of service, and advanced persistent hacking attacks on payment systems and other critical information systems and communication channels.
As banks focus on growth, rapid service delivery, reduced operational costs, increased efficiency, and enhanced customer experience, they execute various strategies, including:
- Expanding branches internationally and locally
- Adopting Internet and mobile banking
- Offering banking services and solutions tailored to customer demographics
- Embracing new technologies and paradigms such as cloud computing
- Forging new partnerships and utilizing mergers and acquisitions to expand their reach and channels
- Adopting programmatic approaches to management of security and risk
- Investing in marketing and brand value creation
Such strategies increase interconnection and complexity in the banking industry and create opportunities for cyber-criminals. Hackers and organized crime groups are constantly innovating and using new, improvised or advanced techniques against banks to subvert information security controls to steal money and information assets.
Similarly, the global insurance industry, with worldwide premiums over $4.6 trillion and an asset base above $26.8 trillion, plays a vital role in managing global financial risk and safeguarding individual and business interests. Insurance companies collect, use, and store an enormous quantity of financial, health and medical information. This has led them, as well as regulatory agencies, to focus on establishing effective information security and privacy programs.
Insurance companies face a challenging risk landscape. As they launch innovative solutions and streamline operations, they increasingly face the risks involved with mobility, cloud computing, application platform integration, compliance management, and more. With data breaches, fines, and litigation often the day’s top news headlines, data security is also of growing concern for insurers.
As a result, the banking, insurance and financial services industries face many challenges such as:
- Managing risk – assessing, evaluating and mitigating financial, operational and information security risks
- Managing compliance – with regulations and standards (e.g., PCI DSS, GLBA, SOX, HIPAA) and minimizing financial penalties
- Maintaining privacy – safeguarding customer identities against theft
- Protecting data – protecting sensitive financial information and maintaining transaction and data integrity
- Securing information – governing, managing, implementing, and sustaining effective security controls
- Managing vulnerabilities – detecting and managing application, network, system and device vulnerabilities
- Managing incidents – detecting, preventing and responding to information security incidents
- Managing vendor risk – managing and exchanging information with multiple vendors and suppliers
Many organizations in these industries have deployed technology solutions to manage their security risks. While this is a great start, they still struggle to implement the technologies effectively. With our extensive experience in serving banking and insurance clients, Aujas understands their challenges and complexities.
We help our banking, financial services and insurance customers establish effective programs and solutions for protecting their data, managing security incidents and vulnerabilities, and for implementing effective information security risk and compliance programs. Aujas solutions include:
1. Risk & Compliance Advisory
Banks must comply with standards and regulations such as PCI DSS, GLBA, and privacy laws. They also look to implement information security management systems that follow industry best practices such as ISO27001 to govern their security program.
We not only help with PCI DSS compliance, we provide services that allow for automation of governance, risk and compliance (GRC) programs:
- Our integrated GRC management approach allows our clients to build a system that integrates all of their compliance requirements. This helps to minimize audit fatigue.
- We help our clients through the journey of PCI DSS compliance by assessing readiness levels – which is easy – and helping with readiness and remediation efforts. Our Compliance Assure solution helps banks automate self-assessments.
- One of our specialties is IT GRC automation consulting using the RSA Archer eGRC Suite. We support our clients through blueprinting, deploying, and integrating the solution with processes and systems, and then managing it.
Our services are designed to cover the entire information security landscape. We are a one-stop for all your information risk management requirements. Learn more about our risk and compliance management services.
2. Vendor Risk Management
Managing vendor risks is not only a prudent strategy; it can also be a legal and regulatory requirement, depending on the country. Most organizations use at least one vendor or service provider, and share sensitive and regulated data with them. It is absolutely essential that organizations ensure vendors and service providers secure data to the same degree as is done internally.
Aujas offers end-to-end vendor risk management services, from developing an effective vendor risk management program to performing third party vendor risk assessments. Our services are supported by Vendor Assure, our vendor risk management solution. We help clients:
- Design a vendor risk management program that allows for risk-based vendor categorization based on location, volume of data shared, type of service, regulation requirements, etc.
- Manage the program to ensure all the vendors are addressed based on their risk categorization, including self-certification management, vendor risk assessments, tracking and follow-up on risk mitigations and closure of findings.
- Conduct third party risk assessments in accordance with your vendor risk assessment requirements.
We offer comprehensive services to manage vendor risk, ranging from defining and operationalizing the entire vendor risk management program to conducting third party risk assessments. We customize our vendor risk assessment approach to the client’s own framework, and we also support standardized frameworks such as the Shared Assessments AUP, SIG and SIG Lite. As a Shared Assessments member, we use their assessment tools and frameworks.
3. Identity & Access Management
We offer our banking clients comprehensive services for Identity and Access Management (IAM), including:
- Strategy and design – We evaluate our client’s needs quite thoroughly using executive workshops and field assessments. Then we provide a detailed strategy and roadmap for implementing enterprise-wide IAM initiatives. We also assist them with business case analysis, technology evaluation, and solution architecture.
- Role engineering and entitlement management – We help our clients define roles and manage entitlements, ensuring that employees have only the access required to do their jobs effectively for as long as they are doing those jobs. Our policy-based dynamic controls allow for automating who can have access to what, at what time, and in what context.
- Access management – We implement complete solutions for enterprise access management, including web access management, single sign-on, and converged access control.
- Sustenance and optimization – Identity and access management is never static; a bank’s system needs to evolve. As an end-to-end solution provider, Aujas’ support is available to sustain and optimize an IAM solution through enhancements and upgrades.
We are vendor-agnostic, ensuring that our clients get best-in-class solutions across all leading IAM solution providers. Learn more about our IAM services.
4. Security Intelligence
Many banks deploy technologies such as traditional SIEM, the newer security analytics engines, exfiltration detection, advanced malware detection, and data leakage prevention. It can be difficult, however, for banks to know how to use these tools effectively. Aujas helps banks’ security leadership and operations teams get the most out of these technologies:
- We help our clients establish a more responsive incident management program by incorporating proactive & reactive processes. We enable our customers to define Indicators of Compromise (IoC), work with threat intelligence and use it with their threat management program.
- We use our Correlation Library to provide accelerated rule deployment for various SIEM/SA/SI technology providers.
- We help security leaders see through the reporting fog and focus on critical issues with our analytics and visualization solution for SIEM/SA.
- We design custom SIEM/SA solutions that go beyond the traditional security event analytics and integrate analysis and correlation capabilities to solve other issues such as identity fraud. Learn more about our security intelligence services.
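The two activities named above, defining Indicators of Compromise and deploying correlation rules into a SIEM-style engine, are easier to picture with a concrete rule library. The block below is an added example written for this page, not Aujas code or the Correlation Library it mentions; the log format, the IoC values and the log lines are all constructed for illustration, and the rule names and thresholds are assumptions.

```python
"""Added example (not Aujas code): a minimal correlation rule library run
over constructed log lines. It shows (a) matching defined IoCs against
events and (b) a stateful correlation rule, the two things a SIEM rule
deployment typically starts with. All values below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IoC lists (placeholder values, not real threat intelligence).
IOC_IPS = {"203.0.113.45"}                       # RFC 5737 documentation range
IOC_FILE_HASHES = {"0123456789abcdef0123456789abcdef"}  # placeholder hash

# Constructed log format: "<iso-timestamp> <EVENT> user=<u> src=<ip> [hash=<h>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: hash=(?P<hash>\S+))?$"
)


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def rule_ioc_match(events):
    """Stateless rule: flag any event whose source IP or file hash is a known IoC."""
    alerts = []
    for e in events:
        if e["src"] in IOC_IPS:
            alerts.append(("ioc_ip", e["user"], e["src"]))
        if e.get("hash") in IOC_FILE_HASHES:
            alerts.append(("ioc_hash", e["user"], e["hash"]))
    return alerts


def rule_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Stateful rule: a source that fails >= threshold logins inside the window
    and then logs in successfully is flagged (assumed threshold and window)."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent LOGIN_FAIL events
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] == "LOGIN_FAIL":
            failures[e["src"]].append(e["ts"])
        elif e["event"] == "LOGIN_OK":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(("bruteforce_success", e["user"], e["src"]))
            failures[e["src"]].clear()  # a success resets the counter for that source
    return alerts


# The "correlation library": rules are plain functions over the parsed events.
CORRELATION_LIBRARY = [rule_ioc_match, rule_bruteforce_then_success]


def run_rules(lines, rules=CORRELATION_LIBRARY):
    """Parse the lines once and run every rule; returns the combined alert list."""
    events = [e for e in map(parse, lines) if e]
    alerts = []
    for rule in rules:
        alerts.extend(rule(events))
    return alerts


# Constructed sample log: alice is brute-forced then compromised, bob logs in
# from an IoC address, carol downloads a file with an IoC hash, dave is benign.
SAMPLE_LOG = [
    "2024-01-15T09:00:00 LOGIN_FAIL user=alice src=198.51.100.7",
    "2024-01-15T09:00:20 LOGIN_FAIL user=alice src=198.51.100.7",
    "2024-01-15T09:00:40 LOGIN_FAIL user=alice src=198.51.100.7",
    "2024-01-15T09:01:00 LOGIN_OK user=alice src=198.51.100.7",
    "2024-01-15T09:05:00 LOGIN_OK user=bob src=203.0.113.45",
    "2024-01-15T09:06:00 FILE_DOWNLOAD user=carol src=192.0.2.10 hash=0123456789abcdef0123456789abcdef",
    "2024-01-15T09:07:00 LOGIN_FAIL user=dave src=192.0.2.11",
    "2024-01-15T09:07:30 LOGIN_OK user=dave src=192.0.2.11",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

Keeping each rule a pure function over parsed events is what makes a rule library portable across SIEM products: the product-specific part is only the parser and the alert sink, while the detection logic itself can be unit-tested against captured log samples before it is deployed.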
5. Data Protection
The banking industry depends on the secure flow of data. Our data protection service helps our clients identify and classify sensitive data as it is stored, processed and transported across organizations. We help our clients:
- Establish a data protection framework and strategy to govern the management of sensitive data including customer demographics, card data, shopping histories, loyalty programs, supplier information, pricing, marketing plans, and more.
- Conduct data leakage risk assessments (DLRA) to identify where and how sensitive data is stored and used. We also perform risk assessments to identify breach risk and vectors.
- Integrate popular data protection technologies such as data leakage prevention (DLP), database activity monitoring (DAM), information rights management (IRM), data encryption, tokenization, and masking/redaction technologies.
- Monitor their data protection technologies to identify potential data breach incidents and manage the consequences, and improve effectiveness by fine-tuning rule bases and moving rules from passive monitoring to active protection.
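The discovery and masking/tokenization steps listed above can be shown end to end on card data, which is the most regulated item in the list. The block below is an added example written for this page, not Aujas code or any product it names: it finds candidate card numbers in free text, drops false positives with a Luhn check (the standard check digit used on payment cards), and then either masks them to the last four digits or swaps them for a vault-backed token. The card numbers in the sample are well-known test values, the regular expression and token format are assumptions, and the in-memory vault stands in for a real token store.

```python
"""Added example (not Aujas code): DLP-style discovery of card numbers
(PANs) in text, followed by masking and vault-based tokenization.
The sample text and card numbers below are constructed test values."""
import re
import secrets

# Assumed candidate pattern: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check used on payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (start, end, digits) for each Luhn-valid candidate in the text.
    Candidates that fail Luhn (invoice or reference numbers) are dropped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits):
    """Masking/redaction: keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Tokenization: replace a PAN with a random token of the same length that
    keeps the last four digits; the mapping lives only in the vault. Tokens are
    chosen to fail Luhn so that a token is never mistaken for a real PAN."""

    def __init__(self):
        self._to_token = {}
        self._to_pan = {}

    def tokenize(self, digits):
        if digits in self._to_token:          # same PAN always maps to the same token
            return self._to_token[digits]
        while True:
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = prefix + digits[-4:]
            if token not in self._to_pan and not luhn_valid(token):
                break
        self._to_token[digits] = token
        self._to_pan[token] = digits
        return token

    def detokenize(self, token):
        return self._to_pan[token]


def redact(text, vault=None):
    """Replace every discovered PAN with a mask, or with a token if a vault is given.
    Replacements run right to left so earlier offsets stay valid."""
    out = text
    for start, end, digits in sorted(find_pans(text), reverse=True):
        replacement = vault.tokenize(digits) if vault else mask_pan(digits)
        out = out[:start] + replacement + out[end:]
    return out


# Constructed sample: two test card numbers plus a 16-digit reference that is not a PAN.
SAMPLE_TEXT = (
    "Card 4111 1111 1111 1111 charged; ref 1234567890123456; "
    "alt card 5555-5555-5555-4444 on file."
)

if __name__ == "__main__":
    print(redact(SAMPLE_TEXT))                     # masked form
    print(redact(SAMPLE_TEXT, vault=TokenVault())) # tokenized form
```

The Luhn filter is what keeps a discovery rule from flooding the DLP console with every 16-digit reference number, and the vault is why tokenization reduces PCI DSS scope: systems that only ever see the token hold nothing that can be turned back into a card number without access to the vault.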
Our data protection experts work with a bank’s departments including retail banking, commercial banking, card management and operations, fraud and investigation, compliance, finance and accounting, HR, IT, and marketing to identify and secure sensitive data. Learn more about our data protection services.
6. Threat Management
Today, most banks offer their customers Internet and mobile banking services. It is vital that these channels be secured to protect customer data and maintain customer trust.
Banks work with us to assess and secure their infrastructure, web applications, and mobile applications. Our application security services include:
- Helping our clients to design, develop and manage vulnerability management programs. These programs leverage threat intelligence to anticipate and proactively mitigate vulnerabilities.
- Assessing a bank’s infrastructure, application and mobile application security by conducting vulnerability assessments, penetration testing and code reviews. We don’t stop at scanning technology; we also help clients mitigate the risks found. Our security assessments meet and exceed the ASV standards set forth by PCI.
- Assisting our customers in mitigating Advanced Persistent Threats with our APT risk mitigation service.
- Evaluating human behavior using our cloud-based Phishnix. This application not only assesses how susceptible people are to phishing attacks, it trains them to avoid attacks. Learn more about our threat management services.
7. Cloud Security
Cloud computing is a fast-growing technology, and cloud-based business applications are proliferating rapidly. Banks, however, are entering the cloud cautiously. Before moving to the cloud, banks must consider data confidentiality, security, regulatory compliance, interoperability of standards, and service quality.
Aujas helps banks enter the cloud with the confidence that their customer data can be secured and that they are complying with stringent banking regulations. We offer:
- Cloud security advisory – We assist organizations in establishing effective cloud security governance, operations strategy, and tactical processes.
- Secure cloud applications – We build the cloud application as well as the ecosystem around the core platform so that cloud applications are easy to use and secure.
- Secure release – Cloud security is not a one-step process; it requires constant innovation across various business needs. Our secure release program for the cloud adopts new and proven approaches and technologies to help secure applications with less user intervention. Learn more about our cloud security services.