Managing and Regulating Third Party Data Loss Prevention Through Enterprise Rights Management

Financial organizations are struggling to meet today’s increasingly complex data governance requirements as the demand for “anywhere-anytime” access to corporate data rises exponentially. The equally rapid expansion of cyber threats and cyber crime introduces an increasingly hostile landscape for those in finance, especially the individuals in charge of moving data. One aspect of data management that is often overlooked is how data leakage factors into an organization’s compliance plans, in particular for data shared with third parties, which is where Enterprise Rights Management comes into play.

Financial organizations need Enterprise Rights Management (ERM) solutions to control how documents are used by internal staff and external partners, a form of data loss prevention that is bound to the document itself rather than to the network it happens to sit on. This supports the PCI DSS requirement to manage the third parties that handle cardholder data and to protect that data from security breaches.

PCI and 3rd Party Data

Data loss prevention (DLP) needs to follow any data that leaves an organization’s network boundaries, whether during collaborative efforts, client data exchanges or other data sharing activities in which a financial organization is involved. Maintaining Enterprise Rights Management policies on all data is a vital part of meeting PCI compliance requirements, and it is harder to achieve once the data is in the hands of third parties. Unfortunately, even this may not be enough.
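To make concrete what it means for protection to travel with the data rather than with the network, here is an added example (Python, illustrative only; it is not the code of any ERM product, nor the author’s). It models the core of an ERM flow: the document is encrypted once, the key is held only by a rights server that checks the document’s policy (permitted readers, expiry) at every open, and revoking the server entry after a project ends denies access even to a partner who still holds the file. The rights server, the document ID, the user names and the HMAC-SHA256 counter-mode stream cipher are all assumptions for the example; a real deployment would use an authenticated cipher such as AES-GCM and an authenticated channel to the rights server.

```python
"""Toy Enterprise Rights Management flow (constructed example, not a product)."""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _mac_key(doc_key: bytes) -> bytes:
    # Separate integrity key so the encryption key is never used for two purposes.
    return hmac.new(doc_key, b"erm-mac", hashlib.sha256).digest()


def _tag(doc_key: bytes, doc_id: str, nonce: bytes, ciphertext: bytes, policy: dict) -> bytes:
    canonical = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(_mac_key(doc_key), doc_id.encode() + nonce + ciphertext + canonical,
                    hashlib.sha256).digest()


class RightsServer:
    """Policy decision point (assumed component). It is the only place the document
    key lives, so a partner who keeps the file after the project has nothing usable
    once the entry is revoked."""

    def __init__(self) -> None:
        self._docs = {}  # doc_id -> {"key", "policy", "revoked"}

    def protect(self, doc_id: str, plaintext: bytes, policy: dict) -> dict:
        doc_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        ciphertext = _xor(plaintext, _keystream(doc_key, nonce, len(plaintext)))
        self._docs[doc_id] = {"key": doc_key, "policy": dict(policy), "revoked": False}
        return {  # the envelope is what gets e-mailed / shared; it carries no key
            "doc_id": doc_id,
            "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(),
            "policy": dict(policy),  # informational copy; the server's copy is authoritative
            "tag": _tag(doc_key, doc_id, nonce, ciphertext, policy).hex(),
        }

    def request_key(self, doc_id: str, user: str, now: int) -> bytes:
        entry = self._docs.get(doc_id)
        if entry is None or entry["revoked"]:
            raise PermissionError(f"{doc_id}: no longer available")
        policy = entry["policy"]
        if user not in policy["readers"]:
            raise PermissionError(f"{user} is not a permitted reader of {doc_id}")
        if now >= policy["expires"]:
            raise PermissionError(f"{doc_id}: access expired")
        return entry["key"]

    def revoke(self, doc_id: str) -> None:
        self._docs[doc_id]["revoked"] = True


def open_document(server: RightsServer, envelope: dict, user: str, now: int) -> bytes:
    """Client side: policy is enforced at open time, every time, not at send time."""
    doc_id = envelope["doc_id"]
    nonce = bytes.fromhex(envelope["nonce"])
    ciphertext = bytes.fromhex(envelope["ciphertext"])
    doc_key = server.request_key(doc_id, user, now)
    expected = _tag(doc_key, doc_id, nonce, ciphertext, envelope["policy"])
    if not hmac.compare_digest(expected, bytes.fromhex(envelope["tag"])):
        raise ValueError(f"{doc_id}: envelope has been tampered with")
    return _xor(ciphertext, _keystream(doc_key, nonce, len(ciphertext)))


def demo() -> dict:
    """Walk through the lifecycle with constructed users, document and timestamps."""
    server = RightsServer()
    policy = {"readers": ["alice@bank.example", "bob@partner.example"], "expires": 1_900_000_000}
    report = b"Q3 settlement report - CONFIDENTIAL"
    env = server.protect("fin-2024-017", report, policy)
    during, after = 1_800_000_000, 1_900_000_001

    def attempt(user, now, envelope=env):
        try:
            return open_document(server, envelope, user, now).decode()
        except (PermissionError, ValueError) as exc:
            return f"denied: {exc}"

    results = {
        "envelope_leaks_plaintext": report.hex() in env["ciphertext"],
        "internal_user": attempt("alice@bank.example", during),
        "partner_user": attempt("bob@partner.example", during),
        "unknown_user": attempt("mallory@elsewhere.example", during),
        "after_expiry": attempt("bob@partner.example", after),
    }
    last = env["ciphertext"][-2:]  # flip the last ciphertext byte to simulate tampering
    tampered = dict(env, ciphertext=env["ciphertext"][:-2] + ("00" if last != "00" else "11"))
    results["tampered_file"] = attempt("alice@bank.example", during, tampered)
    server.revoke("fin-2024-017")  # project over: partner keeps the file, loses the key
    results["after_revocation"] = attempt("bob@partner.example", during)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>24}: {outcome}")
```

The point of the shape is that the shared envelope is useless on its own: who may read, until when, and whether the project is still live are all decided by the organization’s own server at every open, which is exactly the control a third party’s network cannot remove.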

According to an interview conducted by Security Week, third party security is by and large a weak point for financial organizations. Many do not verify the data security policy of a third party prior to sharing sensitive data, often exposing that data to a higher risk of breach. The security posture of a third party may introduce new risk factors that undermine or even cancel out the controls applied to shared financial data.

Thankfully, there is help. The PCI SSC (PCI Security Standards Council) helps those in the financial industry, as well as other PCI-reliant industries, work through the PCI compliance challenges brought on by third party data sharing. Its guidance covers best practices throughout the data management cycle and the steps needed to conduct due diligence on a third party’s security policy.


Some of the other facets of this guide touch on:

  • Engaging third parties to prioritize data security
  • Developing written agreements that clearly outline data security policies and assign security responsibilities
  • Monitoring providers, with action steps and plans for configuration and remediation

This helps financial institutions share data in collaborative efforts while having a defined data security process in place that aligns with their own security intelligence methods and policies.

Resolving PCI Conflicts With BigFix

With the above action items in place, let’s turn to an actionable security intelligence tool that will aid and further protect the PCI compliant stature of a financial organization’s data. IBM’s BigFix provides a useful add-on called BigFix Compliance, which supplies PCI DSS v3.2 security checklists for monitoring endpoint and network data and devices.

A key component I love utilizing with my financial and retail clients is the Security Configuration Management (SCM) module, which provides even further controls to better set, detect and enforce data security policies. The feedback I have received on this has been great; financial organizations using these additional controls find the real-time reporting and automatic non-compliance remediation a huge regulatory success. I mean, who wouldn’t want instant data security policy enforcement?

But what really brings this home is the BigFix Compliance add-on’s ability to autodiscover and manage security policies on devices that were previously unknown, an especially important win in today’s collaborative environment. I have seen third parties push back on this, as having someone else’s security policy applied to their personal device would be a bit concerning. However, as seamless as it is to enforce security policy on such a device, it is just as easy to un-enforce it once the collaboration or project has ended, which is also why the written agreements described above should spell out when a partner device is enrolled and when it is released. Thus, the third party device is left as it was, and the financial organization has successfully maintained PCI compliance throughout the process.

Third Party DLP At Your Service

It is important for those in the financial industry to maintain PCI compliance on all of their data at all times, including when it leaves the organization’s walls as part of a third party initiative. Establishing and maintaining an appropriate level of security intelligence to ensure PCI compliance and DLP is vital to any financial institution, and Champion is equipped and ready to assist in meeting security intelligence goals.


WRITTEN BY:

Erick Bacallao joined Champion Solutions Group in 2015 after a career in software development at the National Cancer Care Institute of Cuba, followed by a move to the States with allAware.


Champion acquired allAware and its properties and Erick has utilized his extensive background and expertise in IT and Software Development to rise to VP of Product Development in less than 5 years. During this time, Erick has been involved with key projects that led to the launch of numerous products including CSP Boss, Inscape platform and 365 Productivity Insights.


Erick has a Bachelor of Science in Computer Science from the University of Havana. He won Gold Medals for Programming from the Ministry of Education in Cuba, and he is certainly still a Gold Medalist for Champion!


As President and CEO, Chris is responsible for the development of key strategic alliances and solution portfolio. He leads Champion’s go-to market and execution strategies for integrated offerings in the cloud, in security, and in digital infrastructure, always focusing on improving the customer experience and driving transformative business outcomes.


He also aligns key partner initiatives with company strategy and oversees corporate marketing and messaging to gain mindshare with customers and partners. It’s his vision and innovativeness that have catapulted Champion up the ranks to become a $100M+ organization—and one of the most respected solution providers in the industry.


Over the past two decades, Chris has also focused on mergers and acquisitions, as well as innovative product development. He is the original founder and an active member on the Board of Managed Maintenance, Inc., a SAAS provider and consulting firm that utilizes their award-winning One-View Portal to help the IT Channel and its customers manage their IT Maintenance.


Chris is also the original founder and chief strategist behind one of the original storage cloud providers, Storage Access / BluePoint. During the course of a few short years, he had raised $20M and took that company public on the Toronto Stock Exchange. It has since been acquired by Pomeroy.


In 2012, Chris led the acquisition of MessageOps and continued the product development and worldwide launch of its premier SAAS, 365 Command. Built on Microsoft Azure, 365 Command is currently managing over 1 million seats of Microsoft’s Office 365. After achieving this phenomenal milestone, 365 Command and other MessageOps O365 utilities were sold to Kaseya.


Over the past 35 years, Chris has worked tirelessly to advance not only his own career but those of his employees. In addition to leading a $100M organization, Chris can also be found sitting with sales teams, cold calling and coaching, and validating why Champion has been listed on Best Places to Work by both the South Florida Business Journal and Computerworld.

Ultimately, the success garnered by Champion Solutions Group, its associated companies, and their employees is due in large part to the leadership of its President and CEO. Perhaps the most fitting award Chris has earned is South Florida Business Journal’s 2013 Ultimate CEO Award.