TraceSecurity Financial Services

Financial Services institutions understand that they must implement improved security controls not only to comply with specific regulations such as the Gramm-Leach-Bliley Act (GLBA), but also to protect customer information from breaches and to preserve their customers' trust.

“TraceSecurity truly understands the requirements for compliance and they package the products and services so that you get everything you need on a continuous level.”

— Tom Hartley, IT Director, First National Bank, Savannah, GA

TraceSecurity’s solutions for the Financial Services sector help you meet the specific regulatory requirements of GLBA, the Federal Financial Institutions Examination Council (FFIEC) and its five member enforcement agencies: the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). See the chart of FFIEC guideline specifics below.

[Screenshot: TraceSecurity Integrated Dashboard]

FFIEC Examination Handbook guidance and the corresponding TraceSecurity solutions:

FFIEC Examination Handbook: Financial institutions must maintain an ongoing information security risk assessment program. Such a program:
- gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
- analyzes the probability and impact associated with the known threats and vulnerabilities to those assets; and
- prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation.
TraceSecurity Solutions: Risk Assessment, Risk Manager

FFIEC Examination Handbook: Institutions are required to establish an information security program that meets the requirements of the 501(b) guidelines. Information security policies and procedures are among the institution’s measures and means by which the objectives of the information security program are achieved.
TraceSecurity Solutions: TracePolicy

FFIEC Examination Handbook: Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures.
TraceSecurity Solutions: TraceTrain, Security Training

FFIEC Examination Handbook: Self-assessments are useful in providing a warning flag to line management so problems can be addressed before they surface in testing reports. Self-assessments may be performed by operations personnel or by vendors under the direction of those at the institution who are responsible for the systems being assessed.
TraceSecurity Solutions: TraceSecurity Compliance Manager

FFIEC Examination Handbook: Independent tests include penetration tests, audits, and assessments. Independence provides credibility to the test results. The reports generated from the tests should be prepared by individuals who are also independent of the design, installation, maintenance, and operation of the tested system.
TraceSecurity Solutions: Security Assessment, IT Security Audit, Penetration Testing, Social Engineering
- Security Assessment – The TraceSecurity Security Assessment follows a standard methodology to test for network-based and human-based vulnerabilities.
- IT Security Audit – The TraceSecurity IT Audit process is based on the FFIEC Information Security work program. The Audit helps you evaluate the utility of, and adherence to, your organization's information security practices and controls, and compliance with institutional policies.
- Penetration Testing – The TraceSecurity Penetration Test mimics the actions of an actual attacker exploiting weaknesses in security, without the usual dangers.
- Social Engineering – TraceSecurity’s Social Engineering uses techniques to manipulate people into allowing unauthorized access to confidential information, to determine whether policies are understood and being followed.
The Gramm-Leach-Bliley Act (GLBA) data protection requirements mandate that financial institutions protect the security and confidentiality of customers' non-public personal information and institute appropriate administrative, technical, and physical safeguards to accomplish this. GLBA also requires covered institutions to protect against any anticipated threats or hazards to the security or integrity of customer records, and to protect against unauthorized access to or use of records or information which could result in substantial harm or inconvenience to any customer.

Many institutions that are not commonly thought of as financial in nature are covered by GLBA requirements, such as insurance companies, tax preparers, colleges and universities, financial planners and others.

In defining and implementing an information security program, covered institutions must develop a risk-based information security program that includes involvement of the board and senior management, a risk assessment of threats and vulnerabilities, effective risk management and controls, training, testing, vendor oversight, monitoring and adjusting, and board reporting.