January 10, 2019 | BLOG POST
By Tom Ulrich, Director of Application Delivery for Envision Financial Systems, Inc.
This post is the second in a series of blog posts about how Envision approaches cybersecurity risks. This blog post addresses the need to develop strong controls and independently verify that what you are doing is meeting its objective.
“How do I know my customer’s data is safe?” Our answer: Engage independent verification methods and constantly evaluate the evolving risk profile.
As we know from high-profile data breaches (here are the top 21 through November 30, 2018) such as Marriott, Yahoo (twice) and Equifax, there is no guarantee that the amount of investment correlates with a low risk profile. If someone wants to get to your customer’s data, they will look for the weakest link in your cybersecurity chain. That doesn’t mean there are no methods that can be employed to mitigate the potential risk.
We believe in the effectiveness of a multi-layered security approach to developing and deploying software. This ecosystem includes operational and infrastructural control structures based upon industry best practices. In our case, we follow the best-practice guidance of the ISO 27001/2 framework. For the uninitiated, ISO 27001 provides an auditable framework to which corporations are wise to adhere. The companion ISO 27002 framework provides best practices in support of 27001. Other important guiding frameworks and best practices are found in the NIST 800 series and the periodic FINRA guidance documents.
As an example, based upon ISO 27001/2, we created practical, auditable controls coupled with best practices to ensure our development practices are commensurate with the security risks. One instance of this is aligning our development practices so that we address the risks outlined by OWASP (Open Web Application Security Project). Our development practices give direction to everyone involved, so that from the very beginning—initial requirements-gathering—all the way through delivery of the software to customers, each person does his or her part to ensure that the final product incorporates all relevant best practices.
Our secure application development policy, for example, covers key areas—among others:
- Defines each software module and assigns a risk ranking to each one
- Delineates how people in different roles should contribute to development; examples include business analyst, developer, architect and quality control engineer
- Uses a tiered approach to ensure every layer of the application is secure
- Places special emphasis on authentication and authorization
- Applies industry best practices in encryption and hashing of data where applicable
- Prescribes using recommended versions of certified open-source software
- Calls for vendor analysis, including support offered and business stability
- Incorporates in-house and third-party application security testing—both dynamic and static—to identify vulnerabilities in the code of internet-facing applications
In some instances, we deliver our investor management suite of technology products as a managed service. Any managed service provider knows the importance of controls focused on security and data loss prevention.
Our managed application services offering applies ISO 27002 best practices, in concert with the complementary best practices employed by our hosting partner, which are focused on data security principles. We leverage the latest technologies to secure data and ensure that the client and investor access points are continuously monitored for intrusion. The infrastructure undergoes both vulnerability assessments and penetration tests to identify any potential areas of exposure.
Test, test, and test
It’s one thing to put governing controls in place. It is quite another to validate that they are effective and being followed.
We therefore have all of our controls tested annually by outside auditors through the American Institute of Certified Public Accountants (AICPA) System Organizational Controls examination process. These include SOC 1 and SOC 2 audits. These exams focus on “controls related to financial, security, availability, processing integrity, confidentiality or privacy.” Read more from the AICPA here.
In addition to the review of operating controls, putting preventive reviews in place is also essential. Software accessible via the internet needs to be written with security at the forefront. This should include providing software developers with tools to find and act on vulnerabilities during the development process. It should also include a period of post-development application and infrastructure testing and certification, in which independent parties perform black-box and/or white-box penetration testing of internet-facing applications and their supporting infrastructure.
Lastly, the use of detective tools shouldn’t be neglected. When delivering your solution to your customers, the environment from which you deliver it needs to be constantly monitored for potentially nefarious actions, whether that is an all-out brute-force attack or an employee, knowingly or not, leaving the door open when they leave. Monitoring your application and environment can help identify and stop unwanted activities.
When providing financial software and services, it is vitally important that the application and its supporting systems work in tandem. By ensuring that application development and hosting policies, procedures and practices reinforce one another, firms can mitigate the risk of customer data theft.