Cenzic: Application Security for Financial Institutions

WHITE PAPER
Application Security for
Financial Institutions
Under GLBA, FFIEC, and Other
Laws



Table of Contents
Executive Summary ............................................................................................................... 3
Financial Information is Vulnerable ......................................................................................... 4
Legislators Respond............................................................................................................... 5
The Gramm-Leach-Bliley Act.................................................................................................. 5
FFIEC Guidance .................................................................................................................... 7
Sarbanes-Oxley Compliance for Publicly-Held Financial Institutions........................................ 10
Other Laws............................................................................................................................. 11
Application Security Plays a Critical Role ................................................................................ 12
Cenzic Hailstorm Helps Compliance Efforts to Protect Financial Information ........................... 13
GLBA Compliance Chart ........................................................................................................ 15

Copyright © 2005 Cenzic (v1.1) Page 2 www.cenzic.com ? 1-866-4-CENZIC Executive Summary Recent news of numerous security breaches involving the theft or loss of financial information have emphasized the vulnerability of consumers' financial information. Companies that lose control over customer information face enormous losses from: the cost of responding to the incident, from a loss of revenue after some customers stop doing business with them, and from lawsuits and government enforcement actions. Financial institutions, with Web applications like online banking face information security regulatory requirements under federal and state law. The most prominent law in this area is the Gramm-Leach-Bliley Act (GLBA). Examining guidance under GLBA makes it apparent that application security and automated tools to assess application security vulnerabilities are essential to meet GLBA security targets such as risk assessment, preventing malicious code, testing of code and key controls, and updating controls in response to new vulnerabilities and changes in ®applications. The Cenzic Hailstorm solution helps financial institutions comply with GLBA and other laws, because it automates risk assessment, checks for vulnerability to the injection of malicious code into Web servers, automates the testing of code and key controls during the software development process, and helps them respond to new vulnerabilities in the software development lifecycle.
Copyright © 2005 Cenzic (v1.1) Page 3 www.cenzic.com ? 1-866-4-CENZIC I. Financial Information is Vulnerable F inancial Web applications hold out the promise of providing financial services better, faster, and with greater customer satisfaction. Online banking is now common, but Web applications for financial services also include bill payment, securities trading, loan applications, money transfers, and data aggregation. But Web-based financial services are not without their problems. Not the least of these problems is security vulnerabilities, which can result in legal liability. Consider what happened to Sunbelt Lending Services, Inc. in Clearwater, Florida, a mortgage broker. The company is wholly owned by Cendant Mortgage Company. Sunbelt implemented a lead generation program on its company Web site, and ended up not enjoying much use. Although it eventually discontinued the application, it ended up caught in a Federal Trade Commission sweep of mortgage providers who fail to provide 1adequate protection over customer personal and financial information. The FTC claimed Sunbelt failed to take adequate steps to protect customer information. Eventually, the FTC entered into a Consent Agreement with Sunbelt to settle the matter and, on January 3, 2005, approved an order requiring Sunbelt to submit to a security biennial assessment by a Certified Information Systems Security Professional (or similar securi... [download for more]