© 2016 BlackBerry. All Rights Reserved. 1
File Sharing Use Cases in Financial Services
Jeff Holleran
Vice President, Corporate Strategy
July, 2017
Agenda
Secure File Sharing in Financial Services
Financial Services Use Cases
Next Steps
Secure File Sharing in Financial Services
Financial Services: Key File Security Drivers
Regulations - Multiple Requirements:
• Data Security and Encryption
• Strong Authentication and User Management
• Protection of Customer Data
• Chain of Custody and Compliance Reporting
• DLP Support
Intellectual Property Protection:
• Internal Technology and Systems
• Management and Maintenance of Client IP
Corporate Governance and Confidentiality:
• Mergers and Acquisitions
• Executive-Level Communications
• Maintenance of Mandated Internal Business Firewalls
Threat Intelligence Sharing
Regulatory Requirements
NYDFS 500 GLBA/FFIEC PCI DSS GDPR
Protection of Customer Info X X X X
Encryption X X X X
Access Controls X X X X
Compliance Logging and Reporting X X X X
Oversight of External Users X X X X
Incident Monitoring and Reporting X X X
Section 500.15 Encryption of Nonpublic Information.
(a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement
controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both
in transit over external networks and at rest.
Best-Practices Security Standards
Financial Services firms and their technology partners should conform to the following standards:
ISO/IEC 27001 Certification
ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."
SOC 2 Type 2 external audits against AICPA auditing standards
A SOC 2 report helps to address third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the security of a system at a service organization.
FIPS 140-2
U.S. government (NIST) computer security standard used to approve cryptographic modules.
The following standards provide best-practices security benchmarks for technology providers:
• US DoD ITAR & DFARS Compliance (NIST 800-53 and NIST 800-171)
• US HIPAA compliance and reporting
• UK Cyber Essentials Standards
File Sharing Throughout the FS Enterprise
[Diagram: internal functions and external parties that exchange files across a financial services enterprise. Internal functions shown: CEO, Board of Directors, CIO/CTO, Investment Banking, Human Resources, CFO, Market Research, Legal, Real Estate Services, Banking Services. External parties shown: Business Partners, Investors, Banking Customers, M&A Parties, Regulators, Outsourced Operations, Industry Groups, Outside Attorneys. Document types shown include: SEC filings; tax/audit filings; SOX reports; placements; board reports and board documents; strategy plans; compliance reports (GLBA, SOX, PCI, etc.); contracts; proprietary systems; compensation, bonus data and employee equity grants; corp dev/M&A and M&A deal materials; eDiscovery and outside counsel; buy-side and sell-side research; advisory services; mortgage documents; ecological assessment documents; property debt documents; loans and letters of credit; performance reports; wealth management/investment fund performance data; risk assessment sharing.]
File Sharing Today: Major Risk Factors
• The average organization has 13 file sync applications in use – most not approved or managed by IT
• 76% of organizations send traffic to Dropbox (2GB/mo. on average)
• 40% of non-sanctioned cloud services used in FS firms are cloud storage and webmail apps
• 72% of cloud DLP violations at FS firms involve webmail, cloud storage or collaboration apps
Source: Netskope, Palo Alto Networks, Gartner
Secure Enterprise File Sharing Requirements
Security & Compliance
File Encryption
• Encryption at rest, in transit and in use
• FIPS 140-2 certified crypto-modules
File Access and Usage Controls
• Only authorized users may access data and files
• Restrict file redistribution
• DRM, watermarking and online-only mode
Administrative Controls
• Fine-grained user and policy management
• Ability to revoke or change access automatically or manually
Logging and Auditing
• All data access events must be captured and logged
• Flexible compliance reporting
• DLP integration and support
Productivity
Collaborative Workspaces
• Accessible via browser and apps
Cross-Platform Support
• Platform agnostic
• Secure access, productivity and synchronization
Extend and Secure Existing Repositories
• “Protect-in-Place”
• Provide access and sharing without file migration
Support Existing Workflows & Systems
• Robust integration architecture
• Development APIs and SDKs
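The access-control and logging requirements above (only authorized users may open a file, access can be revoked manually or expire automatically, online-only mode refuses downloads, and every access event is captured) can be shown as a small policy-enforcement model. The Python below is an added example written for this page; it is not BlackBerry's code and does not describe any BlackBerry product. The service, policy and log classes, the user addresses, the file identifier and the timestamps are all constructed for illustration. It goes one step beyond the slide by hash-chaining the access log, so that an entry edited or deleted after the fact is detectable, which is one way to make the chain-of-custody record that the regulatory slides call for tamper-evident.

```python
"""Added example: a minimal policy-enforcement point for shared files with a
tamper-evident access log. Constructed for illustration; not product code."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def _digest(obj: dict) -> str:
    """Canonical SHA-256 of a log entry (sorted keys keep the hash stable)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class SharePolicy:
    """Controls that travel with a shared file (constructed model, not a product schema)."""
    file_id: str
    owner: str
    viewers: set[str]                  # users allowed to open the file
    expires_at: datetime               # automatic revocation point
    online_only: bool = True           # view in browser/app only; download refused
    revoked: set[str] = field(default_factory=set)  # manual revocations


class AccessLog:
    """Append-only access log. Each entry embeds the hash of the previous entry,
    so altering or deleting any record breaks the chain on verification."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []
        self._last_hash = self.GENESIS

    def record(self, **event) -> dict:
        entry = {"seq": len(self.entries), "prev": self._last_hash, **event}
        entry["hash"] = _digest(entry)      # hash covers seq, prev and the event fields
        self.entries.append(entry)
        self._last_hash = entry["hash"]
        return entry

    def verify(self) -> bool:
        """Recompute every hash and check the links; False means tampering."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class FileShareService:
    """Policy-enforcement point: every decision, allow or deny, is logged."""

    def __init__(self, log: AccessLog) -> None:
        self.policies = {}
        self.log = log

    def share(self, policy: SharePolicy) -> None:
        self.policies[policy.file_id] = policy
        self.log.record(action="share", file=policy.file_id, actor=policy.owner,
                        viewers=sorted(policy.viewers),
                        expires=policy.expires_at.isoformat())

    def revoke(self, file_id: str, user: str, by: str) -> None:
        self.policies[file_id].revoked.add(user)
        self.log.record(action="revoke", file=file_id, actor=by, subject=user)

    def request(self, file_id: str, user: str, action: str, now: datetime) -> str:
        """Return "allow" or the denial reason for a view/download request."""
        policy = self.policies.get(file_id)
        if policy is None:
            result = "unknown-file"
        elif user != policy.owner and user not in policy.viewers:
            result = "not-authorised"
        elif user in policy.revoked:
            result = "revoked"
        elif now >= policy.expires_at:
            result = "expired"
        elif action == "download" and policy.online_only:
            result = "online-only"
        else:
            result = "allow"
        self.log.record(action=action, file=file_id, actor=user,
                        at=now.isoformat(), result=result)
        return result


def demo() -> dict:
    """Walk through share, view, download, revoke, expiry and log tampering."""
    log = AccessLog()
    svc = FileShareService(log)
    t0 = datetime(2017, 7, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    svc.share(SharePolicy(
        file_id="deal-model.xlsx", owner="analyst@bank.example",
        viewers={"counsel@lawfirm.example", "auditor@audit.example"},
        expires_at=t0 + timedelta(days=30)))
    results = {
        "counsel_view": svc.request("deal-model.xlsx", "counsel@lawfirm.example", "view", t0),
        "counsel_download": svc.request("deal-model.xlsx", "counsel@lawfirm.example", "download", t0),
        "outsider_view": svc.request("deal-model.xlsx", "outsider@other.example", "view", t0),
    }
    svc.revoke("deal-model.xlsx", "auditor@audit.example", by="analyst@bank.example")
    results["auditor_after_revoke"] = svc.request(
        "deal-model.xlsx", "auditor@audit.example", "view", t0)
    results["counsel_after_expiry"] = svc.request(
        "deal-model.xlsx", "counsel@lawfirm.example", "view", t0 + timedelta(days=31))
    results["log_intact"] = log.verify()
    # Someone later edits the denied outsider request (entry 3) into an "allow":
    log.entries[3]["result"] = "allow"
    results["log_after_tamper"] = log.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Denials are logged with the same care as allows, because compliance reporting and incident monitoring need the refused attempts as much as the successful ones; the chained hash is what lets an exported log be checked later without trusting the system that produced it.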
Financial Services Case Studies
Common Financial Services Requirements
SHARING TO AGENTS / MERCHANTS: Remote access / mobile productivity
• Control sensitive / regulated information shared to agents
• Capture data from remote locations on mobile devices
• Securely synced folders
M&A / COMMERCIAL TRANSACTIONS: Securely collaborate with 3rd parties
• Sharing spreadsheets, models, numbers, etc.
• Control how files are used, who is accessing them, when and where
• Revoke access to documents after deal
EXTERNAL AUDIT REPORTING: Regulated, non-public information
• Share confidential, non-public documents with outside auditors
• Compliance regulations
LOAN / CREDIT INFORMATION: Protecting customer statements (PII)
• Collaborating on loan / credit information throughout lifecycle
• Providing regulated statements, capital calls, tax documents
LITIGATION / TRIAL CASES: Sharing to outside counsel
• Simple and secure sharing of files (some large – 10 GB)
• Prevent forwarding of information and revoke access after trial
Case Study: PCI DSS Compliance - Protecting Customer Personal Data
Payment Card Industry Data Security Standard (PCI DSS)
Customer Overview
American financial services company operating in business banking, retail banking and wealth management
Business Need
Requirement 3.4: All credit card data needs to be encrypted or rendered unreadable.
• PCI certification on portfolio basis
• Already adopted for secure collaboration; easy to apply to PCI
Users
• Executives (SVP / VP)
• Managers
• Customer representatives
• Anyone who touches customer credit card information
Benefits
• Persistent AES-256 encryption
• Encryption and controls travel with the file
• All file activities are fully tracked for auditability
Case Study: Agent Network Regulatory Audit
Customer Overview
Global provider of insurance, annuities and employee benefit programs, serving 90 million customers.
Business Need
• Each of the 2,500 agencies must undergo regulatory audit every 18 months
• Requires collection of policies from 10-20 customers, approx. 20 documents per customer
• No secure standard process for sharing files
Users
• Auditors (India)
• Audit Manager
• Regional Sales Manager
• Independent Agency
Benefits
• Minimize security risk by standardizing the process.
• Control who has access, how long, what they can do with the file, etc.
• Track activity for access to sensitive data. Export audit logs for records.
Case Study: Securing Investor Relations
Customer Overview
One of the world’s largest private equity firms.
Business Need
Need to protect business documents for transactions.
• Replace Intralinks with a mobile-friendly solution
• Globally accessible by 1,000 internal users and 15,000 limited partners
Users
• Board members
• Internal employees and contractors: Sales, PR, Legal
• Limited partners
Benefits
• Rolled out globally
• Easily integrated with existing portal with APIs – no change to user experience
• Added security controls on business documents
Case Study: Wealth Management Advisors
Customer Overview
Large European bank, operating in more than 50 countries globally.
Business Need
Establish a mobility strategy
• Securely share and work on mobile devices
• WMAs spent hours printing & shredding files
• Must be easy enough to use for senior executives and board members
Users
• Wealth Management Advisors (WMA)
• Clients
• Senior executives and board members
Benefits
• Reduce the amount of paper used, resulting in $440K worth of carbon credits
• Save time to spend with clients, doing more value-added work
What Next?
Perform a Security Audit and Review
BlackBerry Shield Security Audit and Review Program
Option One: Online Self-Assessment
Option Two: 90-Minute Detailed Personal Review
For more information:
https://us.blackberry.com/enterprise/security/mobile-security-best-practices
Technical Controls
• Device security policy management
• Security administrator controls
• OS integrity and malware controls
• Encryption (at rest, in transit)
• Authentication
• Data leak prevention
• Secure communications and content protection
• Application security
• Availability
Administrative Controls
• Mobile Device Lifecycle Management
• Application security
• Organizational security structure
• Security configuration change management
• Risk assessment
• Security incident and response
• Governance/HR and Legal
• Security awareness training
BlackBerry Offers a FREE Security Audit
Thank You…
Questions?