Fintechs have to jump through numerous hoops when it comes to data governance and ensuring they are cyber secure. Data and processes are subject to regular scheduled compliance checks from internal auditors, plus spot checks without warning from external regulators.
You need to demonstrate that you know exactly who has access to what information, why and when; that you have the right processes in place to keep access to this information correct and appropriate; and that you are asking the right questions internally and externally. You must also prove that you are in complete control when it comes to owning and sharing data.
When it comes to the types of data fintechs typically manage, there’s financial data, commercial data and customer data, and if you’re publicly listed the volume increases. All of it is highly sensitive.
Plus there are various standards that you may operate under such as PCI DSS for customer payment data and ISO 27001 for info security.
And while SharePoint and other collaboration tools such as Office 365 and Microsoft Teams are great for sharing files, folders and sites with colleagues (and those outside your business), access can quickly get out of control.
Add all of this together and firms simply have too much data, too many people, and too much constant business change for sprawling data access to be effectively managed by manual processes or tools.
In this article we aim to show you how to be data governance compliant at all times.
Know who has access to what data
There are plenty of processes you can put in place to monitor who has access to which documents and folders, such as creating a thorough catalogue of sites, restricting permissions and providing clear site descriptions. However, these processes are highly manual, and the effort they demand is far beyond the resources of most data-rich firms.
The good news is that, thanks to the latest machine learning technology, there are automated solutions designed to engage business users without being a burden on their day-to-day activities.
The new tools apply machine learning, data science, the scale of cloud-based computing and AI, integrating with existing collaboration systems such as SharePoint and Office 365 to constantly monitor and control who has access to what. The sprawl, and with it data governance, can be brought under control.
Prove your processes
When it comes to data, it often comes down to the firm being able to prove they are in control of access. So, you need to go that extra mile and prove to the auditor that you know not only who has access to what documents but also the reasons why somebody has access to a specific piece of information.
Think about it like this: only when you know the reason why someone has access can you prove to an auditor whether they should have it.
The reason that they have access could be part of their job role or department, the account they’re working on, or that they’re temporarily covering for someone else. Then you need to monitor those reasons, detect whenever they are no longer true, and proactively revoke access which is no longer appropriate.
Of course, this is too onerous to manage manually, and there are now automation tools that can record access permissions, set rules and automatically revoke access when it’s no longer valid or required. At any point, the auditor can see who has access to what information and why they have it, and, most importantly, has proof that the access is correct and appropriate.
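As an added illustration of the justification-tracked access described above (example code written for this page, not code from the article or from Torsion’s product), the following Python models grants that carry a recorded reason (department, client account or temporary cover), checks each reason against constructed HR/CRM facts on a review date, revokes grants whose reason no longer holds and emits the who/what/why/when record an auditor would ask for. All user names, folders, account ids and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample "facts" a governance tool would pull from HR and CRM systems.
# Hypothetical values only, not data from any real firm.
DEPARTMENTS = {"alice": "treasury", "bob": "compliance", "carol": "treasury"}
ACTIVE_ACCOUNTS = {"acct-1042"}
COVER_ENDS = {("bob", "carol"): date(2024, 3, 15)}  # (covering, covered) -> last valid day
REVIEW_DATE = date(2024, 4, 1)  # the day the automated review runs

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str       # e.g. a SharePoint folder
    reason_kind: str    # "department" | "account" | "cover"
    reason_value: str   # department name, account id, or the covered user
    granted: date

def reason_holds(g: Grant, today: date) -> bool:
    """True while the justification recorded for the grant is still true."""
    if g.reason_kind == "department":
        return DEPARTMENTS.get(g.user) == g.reason_value
    if g.reason_kind == "account":
        return g.reason_value in ACTIVE_ACCOUNTS
    if g.reason_kind == "cover":
        end = COVER_ENDS.get((g.user, g.reason_value))
        return end is not None and today <= end
    return False  # an unrecognised or missing reason never justifies access

def review(grants, today: date):
    """Split grants into kept and revoked, and build the who/what/why/when record."""
    kept, revoked, audit = [], [], []
    for g in grants:
        ok = reason_holds(g, today)
        (kept if ok else revoked).append(g)
        audit.append({"who": g.user, "what": g.resource,
                      "why": f"{g.reason_kind}={g.reason_value}",
                      "since": g.granted.isoformat(), "reviewed": today.isoformat(),
                      "action": "keep" if ok else "revoke"})
    return kept, revoked, audit

# Constructed sample grants covering the three kinds of reason named in the article.
SAMPLE_GRANTS = [
    Grant("alice", "/Treasury/Forecasts", "department", "treasury", date(2023, 1, 9)),
    Grant("bob", "/Treasury/Forecasts", "cover", "carol", date(2024, 3, 1)),
    Grant("carol", "/Clients/acct-1042", "account", "acct-1042", date(2023, 6, 2)),
    Grant("dave", "/Clients/acct-0007", "account", "acct-0007", date(2022, 11, 20)),
    Grant("alice", "/Compliance/Reports", "department", "compliance", date(2022, 5, 3)),
]
```

On the review date bob’s cover for carol has expired, dave’s account is no longer active and alice has moved out of compliance, so those three grants are flagged for revocation while the two with a still-valid reason are kept.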
Regularly certify access
Fintechs should also carry out periodic security certifications, by asking business users to certify that access to the information they are responsible for is correct. This further demonstrates that a firm is in control of their sensitive information.
It’s not viable for a central IT department to manage everybody’s access and permissions, so you need to engage all business users, making it everybody’s responsibility. It should fall to the business users to certify access to their own data.
But business users are busy carrying out their day-to-day jobs, so once again you need to seek out technology that can carry out the security certifications automatically, minimising the impact on day-to-day activities.
Data access compliance in action
Cash management firm CPS use an automated platform from Torsion Information Security to ensure they are compliant at all times and to minimise the chances of any security breaches.
The software they use monitors and detects any inappropriate access, out of date folders and permissions, duplication or the movement of files. If anything doesn’t look quite right it will promptly alert a business user associated with the file and shut down any potential breaches. Other than that, it runs in the background until it is required. It carries out periodic security certifications by briefly prompting a user to check any access is still current. At any time they can produce a record of who has access to what information, when and why and prove they are in control of it.
By Peter Bradley, CEO at Torsion Information Security
Peter Bradley has spent a career as a consultant, specialising in secure information management. His deep understanding of the nature of information flow and lifecycle in organisations enables him to make a powerful and effective contribution to the information security discussion. Peter founded Torsion Information Security in 2014.
Torsion solves the problem of sprawling access to files and folders by integrating with collaboration systems such as SharePoint, Teams and Office 365 to monitor and control access.
Constant sharing with little visibility or control of who has access to what, leads to significant security and compliance challenges. Torsion gives control back to the business user of who has access to what, why and when. The unique solution is cloud-first, smooth to deploy and affordable for businesses of all sizes.
The post #Privacy: How fintechs can stay in control of data governance and cybersecurity appeared first on PrivSec Report.