All posts by Buck Kulkarni

SVP of Governance, Risk & Compliance. Buck leads our Governance, Risk & Regulatory Compliance function to ensure we remain compliant with PCI DSS, HIPAA, HiTrust, SSAE 16, Data Privacy, and other regulations our clients care about. He and his team continuously invest in improving our risk and security posture to provide peace of mind to our clients and use best practices to keep Alacriti on the cutting edge of risk and security management.

Prepare for Your SWIFT CSP Assessment Now

Companies started the year executing their normal slate of plans and projects, but in March everything came to a screeching halt because of the COVID-19 pandemic. Since then, many have been so busy keeping the lights on that most, if not all, non-essential activities have been put on the back burner, if not shelved altogether.

Regulatory compliance activities have also taken a backseat and will perhaps continue to do so unless things rapidly normalize. While a lot of assistance and extensions are being afforded to businesses and households alike for mortgages and other monthly payments and even tax return filings, it is highly unlikely there will be any exceptions or exemptions made to regulatory obligations and due dates. Compliance with the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), New York Department of Financial Services (NYDFS) Cyber Security Regulation, Federal Financial Institutions Examination Council (FFIEC) standards, and more will still be required as usual.

If anything, these standards designed to thwart cybercrime will only tighten as security risks have grown exponentially due to the huge surge in telecommuting. While many organizations successfully enabled large numbers of employees to work at home, they also became more vulnerable to security issues. Poorly protected devices, alongside personal devices with no known protection used by employees not trained in digital security, represented a serious risk. That, combined with the sharing and displaying of financial, sales, and other confidential information via poorly protected web conferencing and collaboration tools, has resulted in extraordinary exposure of confidential data. The consequences are more than likely to appear on the horizon.

Companies will somehow get to the traditional data security compliance obligations mentioned previously but may miss the newer SWIFT Customer Security Programme (CSP) mandate. In force since 2017, SWIFT CSP is really ramping up this year, adding new Customer Security Controls Framework (CSCF) v2020 requirements. And with good reason—SWIFT moves a huge portion of the world’s money and a single weak link in the financial messaging network can wreak havoc on the entire community. Fortunately, SWIFT CSP is one of the better security standards around. It is very well defined, easy to understand and act on, and has requirements that are not onerous. 

SWIFT Users Should Prepare Now

Every SWIFT user must complete a Know Your Customer (KYC) Security Attestation application and submit their organization’s self-assessment data before December 31, 2020. The assessment confirms an organization’s level of compliance with SWIFT’s customer security controls and must be conducted by an external third party or an internal independent function. SWIFT makes self-assessment results available to all SWIFT users for total network-wide customer visibility. It is a very fair and transparent system that benefits all stakeholders.

So, what does this mean for organizations? A lot if an organization is engaged in international remittances. 

If another SWIFT member, bank, or corporate entity wants to send money to credit a customer account, they are at liberty to look up the receiver’s security posture on the SWIFT website. If they are not comfortable with the organization’s level of compliance, they can refuse to conduct SWIFT transactions with them. Similarly, when an organization transfers money to another SWIFT customer, the recipient can refuse to accept the transfer and credit it to the specified account, leaving the originator in limbo.

Initially, SWIFT takes an easy-to-follow approach with CSP. However, if a customer’s security self-assessment is found to be sketchy or unreliable upon examination, or if other customers have been reluctant to transact with an organization, SWIFT will insist the customer undergo a full-blown third-party infrastructure audit. After audit completion, network access can be temporarily or permanently shut down as organizations work to remedy identified deficiencies. 

This is harsh, but the outcome of complying with SWIFT CSP is far more positive. It provides easy and clear guidance to make sure SWIFT infrastructure is secure and ready, so that SWIFT customers can continue providing high-quality transactional services to their own customers and protect their reputations.

The Bottom Line: Despite the current pandemic environment, companies are well-advised to start working on SWIFT CSP compliance in the second half of 2020 to make sure they can continue to fully serve customers without putting their reputations and businesses at risk.

The Second Pillar of Information Security: Risk Management Lifecycle

In my last blog, I introduced readers to the two pillars of Alacriti’s information security program:

  1. Strong information security policies
  2. A comprehensive risk management lifecycle

There I detailed the information security policies that comprise our current approach, including how they’ve helped us present a sustainable security and compliance posture to scores of annual certification audits and client assessments. I also wrote briefly about the importance of a comprehensive risk management lifecycle, which is the second pillar of our program. I’ll now go into more detail about the risk management lifecycle and how we approach it here at Alacriti.

Security policies, procedures, logging and monitoring systems, incident handling, and internal audits are all necessary tools to achieve and sustain a strong security posture. However, they also pose a risk for organizations. These tools allow us to go deep into the target domain (for example firewall controls, encryption, or incident management) to achieve a strong capability. However, they can also blind us to the breadth of the canvas. Or to put it another way, we can run the risk of missing the forest for the trees.

A good risk management framework (RMF) helps create a complete picture of an organization’s risk canvas so we know that we’re expanding the breadth of our view at the proper rate. Of course, there will never be enough resources (the good old troika of time, expertise, and money) to do it all. Therefore, priorities must be set according to risk levels, regulatory priorities, and current audit issues. The beauty of the RMF is that it will remind organizations of the major gaps in their defenses that require attention. This can help prevent organizations from thickening the fort walls in one area while leaving others unintentionally exposed.

Alacriti adopted the NIST body of knowledge as the foundation for our risk management program. Over the past decade, we built our risk management program upon a foundation comprising the RMF, policies and procedures, controls (by family), and evidence gathering and management.

This body of knowledge also comes with a huge set of topical guidance that we use to develop topic-specific policies and procedures. A special publication, NIST SP 800-37, is the foundation of the RMF. Several American information security regulations are either based on it or draw on its framework, including FISMA, HIPAA, FedRAMP, FIPS, DoD, and others. This has given us the advantage of being able to comply with multiple regulations from the same baseline effort.

A quote from The Office of the Chairman of the National Strategy for Cyberspace Operations (DoD) made in relation to this standard is a useful point of reference for decision makers from all sectors. It says, “For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations.” It helps us focus on the entire canvas from threats to impacts, trends to experiences, and eliminating to resolving. That is the heart of risk management.

The NIST SP 800-37 presents the following risk management lifecycle for practitioners:

The cycle does not need much explanation; however, I will share a few lessons that we’ve learned along the way. First and foremost, make sure your technology and legal/compliance functions come together to define this and prevent it from being “thrown over the wall” amongst groups. Secondly, make sure they don’t try to win the day with jargon, because both sides have plenty of it. Thirdly, don’t try to boil the ocean – you can never have a large enough fire to do that. Start by addressing low-hanging fruit like immediate audit items, but be sure to use the RMF so no one loses sight of the full picture. Finally, make sure to keep this process iterative. It is a program, not a project.

When you mesh in the control families that NIST defines (see SP 800-53), a cohesive picture will begin to emerge that empowers you to make progress with decreasing effort over time. Most importantly, the experience of our compliance efforts waxing and waning (as many of the efforts are risk or topic driven) has changed to a sustainable posture over time. This has created a solid foundation in the face of changing regulations, infrastructure, applications, and other events outside of our control.

Here is a quick overview of the NIST Control Families. You can designate different teams to focus on specific families and use the risk management lifecycle approach to achieve continuous improvement in their respective areas. This allows the team to adjust their speed based on other pressures while also ensuring that nothing falls through the cracks.

The Bottom Line: At Alacriti, we live with 24x7x365 real-life risks. Our infrastructure and applications are under constant threat from entities that mean us harm. In addition, we must comply with ever-expanding regulations that apply to our clients in the financial services, healthcare, payment processing, and government realms. Our experience shows that adopting a comprehensive, flexible risk management framework provides a powerful toolkit to your technology, security, and compliance professionals.

Please Note: All quotes, references, and diagrams related to NIST are from NIST’s official documents and websites.

The Pillars of Information Security

Digital transformation is sweeping across all facets of our lives. From complex business and financial transactions, through to hailing rides and streaming media, seemingly nothing has been left untouched. Businesses from street-side vegetable vendors to the largest global banks are performing a wide variety of financial transactions on the web or mobile web that were impossible barely a decade ago.

With this digital transformation come users or account holders, and with them comes their data. Companies like Amazon or Netflix can store hundreds of millions of financial and personal information records in their systems. A single security breach of this massive amount of data could impact their business, reputation, and stock value in ways that can be difficult to overcome. Add to that the time and expense of recovering the data, for those who can recover it, and it’s no secret why information security is a critical component of every business.

Information security is now a large body of knowledge and there are hundreds of disciplines within its gamut. Many large companies that suffer security breaches are very knowledgeable about security, have invested huge sums of money over many years to build their security systems, and carry impressive certifications and credentials. So, what goes wrong?

At Alacriti, we grapple with this question all the time. As a payment processing technology provider, our clients, auditors, and regulators expect us to maintain a very high standard of data security. Over the past decade, we built security systems and processes designed to live up to these expectations. In our experience, we’ve learned that there are two pillars of a strong information security program:

Pillar #1: Security Policies

The first pillar is to have a comprehensive, clear, actionable, and measurable set of security policies that cover all aspects of the organization’s operations. Without these, security efforts can grow sporadically in the organization.

Pillar #2: Risk Management Lifecycle

The second pillar is a comprehensive risk management lifecycle that allows us to view the entire spectrum of activities needed to maintain our security posture. Without this, security efforts tend to focus on solving today’s problems rather than anticipating the needs of tomorrow.

I’ve written this blog to provide some insight into Alacriti’s security policy suite. We have developed different policies that help our employees understand the organization’s security principles, practices, and their responsibilities. At the root of all policies is our Information Security Policy which describes the basic rules of engagement, organizational directives, and consequences of non-compliance.

Each of the major subject areas in the Information Security Policy is further developed into a separate policy document that provides specific guidance in an individual operational area. Our current policy suite includes:

  • Anti-bribery
  • Segregation of duties
  • Secure SDLC
  • Patch management
  • Pandemic events
  • Incident management
  • Ethics and whistle-blower protection
  • Business process assurance
  • Business continuity and disaster recovery
  • Employee background checks and drug screening
  • Vendor risk management
  • Data privacy
  • Human resources
  • Access control

Some important control points built into our policy management process are:

  • Adopting an industry framework (we adopted the US Government’s NIST SP 800 series) that allows a balanced view of enterprise security. This helps reduce the risk of becoming topical or sporadic.
  • Mandatory annual review and updates of all policies to reflect changes in both the company and the technical/regulatory environment in which we operate.
  • Mandatory annual training of all employees that explains our policies, expected behavior, and consequences of non-compliance. Each training is followed by a written test to ensure that employees have assimilated the learning.
  • A strong suite of procedural and process documents for each business unit or group that facilitates policy compliance in their day-to-day work. This includes collaboration tools, ticketing systems, logs, and evidence chains.
  • Ongoing internal audits to perform risk-based assessments of all functions in the context of behaviors and controls mandated by policies.
  • Review of the policy suite by an external auditor in the context of our business, technology, and regulatory obligations to validate that our policies are adequate for the purpose.

The combination of these efforts has created a reasonable assurance that we are comprehensively covering our bases. There is also an organization-wide understanding that meeting these goals and obligations has allowed us to adopt new technologies without losing control over our security and privacy commitments.

A case in point is our recent migration to the cloud for some of our large application products. Our policy suite became the binding glue for all our technology and business leaders to pursue a common agenda of non-negotiable principles, processes, and best practices to achieve our cloud migration efficiently and cost effectively. While many organizations struggle with the security challenges of the cloud, we can say confidently that cloud migration allowed us to take our security posture to the next level.

The Bottom Line: A strong set of security policies is a pillar of sustainable information security. At Alacriti, there is a comprehensive, ongoing effort to keep these policies aligned with emerging technical and business scenarios. In addition, a comprehensive risk management framework helps us keep our policies balanced and measurable.


A Lesson in IT Security, Information Privacy, and Pandemic Preparedness

IT Security

Coders didn’t think consciously about IT security when writing for mainframe computers or even early PCs. The common thinking was that they were secure by default.

Two developments turned this on its head over the last 15 years. The web quickly became the principal conduit for applications, and software was suddenly visible to almost anyone anywhere in the world. This was great for businesses, especially the good guys that businesses wanted to work with, and even better for the bad guys who recognized the potential to profit with almost no risk or barriers. In response to these threats, governments and industry bodies jumped in. With good intent, they wrote many regulations and best practices to improve security and make the world a safer place.

While no one denies the good intentions behind these regulations, they can also be difficult for businesses to navigate. Regulations are made by different departments of the federal government, as well as state and local governments. Add to this mosaic the regulations required by foreign governments and self-regulation by industry bodies, and the landscape can become quite complicated.

Here’s a shortlist of major regulations to consider. There are many more, but this list provides a snapshot of the complexity and effort required to comply:

Alacriti’s customers hail from some of the most heavily regulated industries including financial services, insurance, healthcare, and utilities. As their partner in information capture, processing, storage, and transmission, our clients expect us to build systems and services that are in full compliance with these regulations. We are often a party to their internal/external audits and examinations, and we are committed to staying at the forefront as the regulatory landscape continues to evolve.

Information Security and Information Privacy

As organizations develop responses to risk and security challenges, as well as regulatory compliance, they and their clients/partners sometimes face ambiguity over information security and information privacy. After all, if you have secured information it should automatically be private too, right?

Well, yes and no. Let’s look at common scenarios that unfold in every organization.

Say you have the credit card details or social security numbers of your employees or customers lying on a table or open on a computer screen, but no one looks at it. Is this a security problem or a privacy problem?

Then say that someone looks at it but doesn’t misuse it. Is this a security problem or a privacy problem?

Now say that an employee copies this information and walks away without detection but doesn’t misuse it. Is this a security breach or a privacy breach?

And then say an employee finds a buyer for this information but we don’t know what the buyer does with that data. Is this a security breach or a privacy breach?

And finally, say that professional hackers break into your system and steal data. This is what we most easily understand as both a security breach and a privacy breach.

A security breach may or may not result in a privacy breach. Say someone steals data from your system but you had taken precautions like encrypting crucial data (credit card numbers, social security numbers, etc.) or storing data in multiple pieces that hackers can’t put back together. Due to these measures, the hacker may have your data but they may not be able to use it. This scenario would represent a security breach but not a privacy breach.

A privacy breach can be more difficult to grasp. If an employee casually looks at a piece of paper lying on a desk or an open document on a computer screen and sees sensitive information, then you have a privacy breach.

It’s imperative to make employees aware of what constitutes private, personally identifiable, or protected information. It’s also imperative to create a culture where employees are continuously aware of the data an organization stores, what is expected of them, and what constitutes a breach.

Security can be centralized in the hands of a few, but privacy is everyone’s concern.

Pandemic Preparedness for Business Organizations

Every few years, a global health-related event brings pandemic preparedness to the forefront. And after some time, it recedes from people’s memories, only to be revived by a future episode. In response, Alacriti developed a robust preparedness capability in the event of a pandemic. Here are four parameters of our framework to help other organizations build their approach.

  1. Pandemic Event Definition

Which events do you declare a pandemic? For example, you may determine that if 40% of your employees are not available to work (whether physically on-site or remote) for more than nine consecutive workdays, it is a pandemic event. Of course, you can tweak the parameters to specific situations, but all stakeholders must have a common understanding of what constitutes a pandemic.

  2. Incorporation with Incident Management Policy

A pandemic event could logically be considered an extension of incident management. Your typical incident management policy identifies people on various teams that respond to an incident. A pandemic event may mean that the people you identified are not available, so a wider circle may need to be identified for effective incident management.

  3. Multi-Location Approach

A pandemic typically means that many people lose access to work simultaneously. Establishing multiple work locations that are geographically diversified is a critical component of pandemic preparedness.

  4. Integration with BCP and DR

Pandemic preparedness should integrate with business continuity plans (BCP) and disaster recovery (DR) and should not be a stand-alone effort. It could be beneficial to add pandemic preparedness to DR exercises like switching over from production facilities to DR facilities and then switching back. This can establish that one single location has the ability to run the entire operation and become an automatic protection against a pandemic event that disables one physical location.

Each organization’s unique situation will require its own considerations, but an integrated approach can be an efficient and cost-effective way of achieving pandemic preparedness.

*This blog was compiled and edited for clarity in 2019.