Compliance Officers Need Intuitive, Automated Capabilities to Close the Access Review Gaps
In this series, we’re taking a closer look at the behind-the-scenes heroes of the financial sector: Compliance Officers (COs). Whether it’s keeping their organizations SOX-compliant, preparing for FFIEC audits, or staying ahead of tomorrow’s cybercriminals, they face a mountain of high-stakes complexity. To keep their compliance programs in fighting form, they require strong controls that are simpler to use.
With last year’s final updates to the Graham-Leach-Bailey Act (GLBA), regulators are putting teeth behind enforcement actions and potential penalties. The legal stakes of noncompliance with GLBA are high, with big fines and even possible jail time looming.
What Is The GLBA?
When it came into law in 1999, the GLBA permitted financial institutions (FIs) to do what had been banned since the Great Depression: consolidate and offer both commercial and investment banking.
While the general public might recall controversy around this deregulation (and its possible contribution to the subprime mortgage crisis of 2008), the GLBA did have a silver lining: data security. It tightened up how companies should—and shouldn’t—handle their customers’ non-public information (NPI). Ultimately, the GLBA rules represent best IT practices that decrease the chances of financial fallout and reputation damage from a breach.
And with the GLBA, “FI” applies broadly to any business that is “significantly engaged” in providing financial products or services, from ATM operators to higher education institutions — even ‘finders’ that connect customers with financial brokers.
2021 Updates To GLBA’s Cybersecurity Requirements
Following last year’s Solar Winds and Colonial pipeline scandals, the Federal Trade Commission (FTC) and the Federal Deposit Insurance Corporation (FDIC) introduced a slew of new changes and mandatory notifications to the GLBA’s Safeguards Rule. With these updates, regulators signaled their intention to aggressively pursue enforcement against financial institutions (FIs) with demonstrated cybersecurity vulnerabilities. Among the new mandates are requirements to:
- Ensure service providers maintain appropriate safeguards.
- Log the activities of users and detect unauthorized users.
- Perform risk assessments periodically.
Let’s examine how a modern, converged identity governance cloud platform can help safeguard against fines, make suggestions for improvement, and take corrective action for misconduct.
Vendor Oversight: It’s Not Just A Good Idea, It’s The Law.
FIs rely on a vast array of interconnected systems that expose them to several cybersecurity risks. In fact, last year over 93% of global organizations suffered a direct breach due to weaknesses in their supply chains. The GLBA not only requires FIs to develop, implement, and maintain a comprehensive information security program — they must ensure third-party vendors are capable of implementing safeguards for customer’s NPI. If regulators discover that your vendors are lax, it’s your organization that could end up making headlines — and not in the way you want.
Keep the Supply Chain; Lose the Risk
Saviynt’s risk-based creation policies allow you to be in charge of third-party organizations and users from the first introduction to relationship completion. Throughout the relationship, maintains risk visibility to reduce the attack surface. Saviynt’s intelligent, out-of-the-box and custom controls and fine-grained entitlements assure that you are assigning only the access that third parties need to meet their contractual requirements. With Saviynt, COs have the power to automate low-risk access — and escalate high-risk requests for additional review access-based analytics. This allows for more efficient provisioning, monitoring, auditing, and removal of sensitive, time-bound relationships.
Document Activities All Year Long
But GLBA compliance isn’t a single annual occurrence. It needs to be periodically reevaluated and documented with a complete paper trail for future reference. A detailed compliance history demonstrates the intent to follow the law and can lessen any potential fines and penalties when and if auditors find non-compliance.
According to last year’s updates, documentation of risk assessment procedures, policies, and reports should include:
- User activity, including privileged users
- Security events
- Exceptions to the policy, duration that the exception lasted, and when access was removed
- Proof that you reviewed all documentation to ensure policy enforcement
When trying to prove that your organization’s controls were effective, one of the most difficult tasks is understanding and documenting how workflows interact across a wide range of cloud, on-prem, and hybrid applications. To produce accurate reports for different apps with different security models, COs need crystal clear visibility at the fine-grained “edit/read” level. The era of manual spreadsheet analysis has passed. Managers, role owners, application owners, and IT administrators need a better way to log activities.
With Saviynt’s Control Exchange, you have over 200 built-in controls to track access and usage, create key performance indicators, and streamline the compliance documentation process. Saviynt natively integrates with business-critical IaaS and SaaS products, enabling organizations to merge divergent identity, role, and group definitions from across its on-premise, hybrid, and cloud infrastructures to create a single, authoritative identity source.
Perform Periodic Risk Assessments
Certifying correct access give your organization the proof and peace of mind that you are GLBA compliant. But as employees and third parties move positions within the company or leave altogether, they often take their access with them when they go. Unfortunately, the certifying access can drain time, manpower, and productivity — especially when conducting separate access certification campaigns for standard and privileged access.
Cut Down The Noise and Enhance Your Security Posture
Don’t end up in a situation where you have to sacrifice security for efficiency — or copy users’ access to prevent a slowdown. Saviynt’s user-friendly, automatic reminders and escalations make it easy for business managers, application owners, role owners, and others in the organization to make informed decisions about access certifications.
Saviynt’s certification capabilities provide the real-time view of access and risk, the full history of how someone obtained access, and decisions made in prior certifications. Using our campaign dashboard, reviewers can more easily make informed decisions by comparing user access from the previous review cycle against the current campaign. If approvers are unavailable, automatic reminders and escalations prevent time lags and provide campaign owners with clear insight into the campaign’s completion status. Saviynt also organizes access reviews by risk so that reviewers have a clear focus on the areas that matter. Low-risk access can be reviewed less frequently, cutting down on data overwhelm.
Once you’ve found these potential violations, our extensive library of controls give COs and auditors the tools to confront or accept a wide variety of risks. This extends not only to static and inherent risk scores assigned to an account, but also to dynamic risk scores derived from usage, behavior analytics, peer group analytics, and data gathered from external systems.
Why Saviynt
Whether on the ground, in the cloud, or in a hybrid environment, Saviynt’s intuitive interface makes periodic access reviews easier for everyone to create, examine, and validate. COs will be equipped to run automatic mitigation to address suspicious activities, prioritize remediation, and prevent breaches — all while preserving the time and productivity of your security teams.
