In our previous posts we surveyed regulations and standards with provisions that apply specifically to endpoints, and looked at the Information Security Handbook from the Federal Financial Institutions Examination Council (FFIEC) for guidance on best practices.
Here we will look at another excellent set of guidelines for financial firms, the Data Security in Financial Services report from the Financial Services Authority (FSA) of the UK. This report provides detailed recommendations on how firms can comply with the Data Protection Act 1998 (DPA), which “gives legal rights to individuals in respect of personal data processed about them by others.”
This report can be downloaded at:
http://www.fsa.gov.uk/pubs/other/data_security.pdf
Inventory and Anti-Spyware
The FSA report highlights the risk that key-logging devices and malware can capture log-on credentials and facilitate unauthorized access to personal information. Best practices to prevent this include “use of software to determine whether unusual or prohibited types of hardware have been attached to employees’ computers,” and “anti-spyware software and firewalls etc in place and kept up to date.”

Control of Laptops and Data on Devices
The report strongly recommends “The encryption of laptops and other portable devices containing customer data” and “Maintaining an accurate register of laptops issued to staff.”

Control of USB Devices
The FSA’s authors also point to the risks inherent in the widespread use of portable USB devices. They cite as best practices in this area “The use of software to prevent and/or detect individuals using personal USB devices” and “The automatic encryption of portable media attached to firms’ computers.”

In short, in the area of controlling confidential data on endpoints, the Data Security in Financial Services report recommends encrypting data on laptops, encrypting USB devices, and implementing tools to ensure that up-to-date security features are in place on laptops and other portable devices. In fact, the FSA has fined financial firms for not effectively following these recommendations.
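The two controls quoted above, detecting “unusual or prohibited types of hardware” attached to a computer and detecting “personal USB devices”, both reduce to the same check: record what was attached and compare it against a register of approved devices. The script below is an added example written for this post, not code from the FSA report or from any product it describes. It assumes Linux kernel log lines in the style of dmesg output for USB attach events; the log lines, the vendor/product ids and the serial numbers are all constructed for the example, and the approved-device register (APPROVED_USB) is a hypothetical stand-in for a firm’s real asset register.

```python
"""Added example: flag USB mass-storage devices that are not on an approved-device register.

Assumes Linux dmesg-style USB attach messages. All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Hypothetical register of corporate-issued encrypted drives, keyed by (idVendor, idProduct).
# The ids are constructed for this example and do not refer to any real product.
APPROVED_USB = {
    ("0951", "1666"): "Corporate encrypted drive, model A",
}

# Constructed sample log lines (not captured from any real host).
SAMPLE_LOG = """\
[ 1201.123456] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[ 1201.234567] usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.00
[ 1201.234570] usb 1-1: Product: Corporate Drive
[ 1201.234571] usb 1-1: SerialNumber: CORP0001
[ 1202.000000] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 2403.456789] usb 2-3: new high-speed USB device number 7 using xhci_hcd
[ 2403.567890] usb 2-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 2403.567891] usb 2-3: Product: Flash Disk
[ 2403.567892] usb 2-3: SerialNumber: PERSONAL99
[ 2404.000000] usb-storage 2-3:1.0: USB Mass Storage device detected
[ 3000.000000] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
[ 3000.000001] usb 1-2: Product: USB Receiver
"""

# Kernel message patterns: device enumeration, serial number, and the usb-storage driver binding.
FOUND_RE = re.compile(
    r"usb (?P<port>\S+): New USB device found, idVendor=(?P<vid>[0-9a-fA-F]{4}), "
    r"idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
SERIAL_RE = re.compile(r"usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(r"usb-storage (?P<port>\S+?):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbEvent:
    port: str
    vid: str
    pid: str
    serial: str = ""
    is_storage: bool = False

    @property
    def approved(self) -> bool:
        return (self.vid, self.pid) in APPROVED_USB


def parse_usb_events(log_text: str) -> list:
    """Correlate the per-port kernel messages into one UsbEvent per attached device.

    A later 'New USB device found' on the same port replaces the earlier record,
    which is what happens when a port is reused after an unplug.
    """
    events = {}
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            events[m["port"]] = UsbEvent(m["port"], m["vid"].lower(), m["pid"].lower())
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in events:
            events[m["port"]].serial = m["serial"]
            continue
        m = STORAGE_RE.search(line)
        if m and m["port"] in events:
            events[m["port"]].is_storage = True
    return list(events.values())


def classify(event: UsbEvent) -> str:
    """Storage devices are the data-loss risk; anything else is reported but not flagged."""
    if event.is_storage and event.approved:
        return "approved-storage"
    if event.is_storage:
        return "unapproved-storage"
    return "non-storage"


def unapproved_storage(log_text: str) -> list:
    """Return the mass-storage attachments that are absent from the approved register."""
    return [e for e in parse_usb_events(log_text) if classify(e) == "unapproved-storage"]


if __name__ == "__main__":
    for ev in parse_usb_events(SAMPLE_LOG):
        label = APPROVED_USB.get((ev.vid, ev.pid), "not in register")
        print(f"{ev.port:5} {ev.vid}:{ev.pid} serial={ev.serial or '-':12} {classify(ev):19} {label}")
```

Running it on the constructed log reports the corporate drive on port 1-1 as approved, the flash disk on port 2-3 (serial PERSONAL99) as unapproved storage, and the wireless receiver on port 1-2 as non-storage. In practice the allowlist would be populated from the firm’s laptop and media register and the flagged events forwarded to the SIEM, so that the “detect” half of the FSA’s recommendation produces an auditable record.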