Securing Your Hybrid Workforce: Strategies for Achieving Physical Security Controls in Remote Settings

Get more insights on enabling Physical Security Controls in a Hybrid Environment in our free whitepaper.  Download Whitepaper

Abstract

During the COVID-19 pandemic, global financial regulatory bodies relaxed regulation to facilitate out-of-office working. By necessity, this relaxation extended to offshore third-party service providers delivering sensitive services to financial organizations. Regulators and some financial organizations are now pushing for a return to the office and, in the case of third-party service providers, a return to the secure room environments and associated physical controls used before the pandemic. This is proving problematic for a variety of reasons. Advances in software solutions that allow hybrid working without losing the controls associated with a secure room environment provide a viable alternative to returning to a physical work environment, without sacrificing regulatory compliance.

Introduction

Historically, regulatory requirements in the financial industry have been implemented to establish a standardized level of care and security while ensuring that organizations comply with applicable legal restrictions. Compliance with these regulations extends beyond the core organization and encompasses vendors and third-party service providers. Non-compliance with these regulations by any vendor or outsourcing partner results in regulatory findings being levied against the financial organization and potential reputational damage. Particular attention must be paid to the compliance of outsourcing service providers, the majority of whom operate in locations remote from the financial organizations they serve, with the primary concern being information security. This includes security regulations, specific compliance instructions for information security policies, maintenance of records, and secure locations for information processing and review. These information security concerns span not only the logical aspects of security policy but also, notably, the physical layer. The physical component has conventionally been satisfied by an on-site dedicated secure room, with available resources pre-approved by the financial organization. Physical access to these rooms is tightly controlled by access control mechanisms such as electronic card readers and by continuous monitoring controls such as CCTV. However, with current technological advancements in remote workplace security, solutions for distributed workforces are now capable of meeting or exceeding these regulatory security requirements, creating benefits for both the outsourced service provider and the financial organization without sacrificing the expected and necessary security layers.
Although these on-site secure environments have previously been considered the global standard, changes in work environments due to outside factors such as the COVID-19 pandemic forced regulators to relax these layers of protection to allow for remote work, using cloud computing and virtualization solutions for remote access. The push to reinstate regulation that was relaxed during the early stages of the pandemic now presents a challenge for financial organizations and outsourcing service providers, as regulators urge a return to the office. New complexities arise when organizations consider how to revert to the operating controls employed before COVID-19 while facing a workforce that does not want to return to the office full-time and a shortage of real estate due to divestment during the pandemic. The remainder of this paper identifies the most common challenges faced by regulated organizations within the scope of this analysis and how they can be addressed through remote security solutions.

Regulatory Concerns

In reviewing the current reports on compliance concerns from the SEC (2019), Protiviti (2021), and Deloitte (2022), the top risks and regulations currently concerning financial institutions share a common theme: information security and threats to the protection of internal and customer data privacy. These are not novel or ephemeral issues, and they are compounded by the continuously evolving work environments shaped by the COVID-19 pandemic. To say that balancing regulatory compliance with operational efficiency is complex would be an immense understatement, as each organization and each regulation may demand a different degree of security. It is therefore critical that the solutions implemented to address these regulatory requirements are effective, robust, and scalable. Additionally, when considering regulatory compliance issues relating to offshore third-party service providers, the data held and processed by these offshore partners is subject to the same regulations as the financial services organization contracting them. Without certainty that the security measures necessary for compliance are being followed offshore, a regulatory headache can echo throughout an organization. Because these third-party partners are heavily involved in the financial industry as data solution and service providers, the same security solutions implemented onshore must be available to safeguard against data issues offshore.

Information Security

In the modern era, after key talent, information is an organization's most valuable asset, and it therefore entices malicious actors as a target for theft. Those responsible for protecting this asset hold a heavy responsibility in ensuring that the implemented security is as effective as possible. In a joint 2019 study, the Office of Management and Budget and the Department of Homeland Security discovered that 74% of the civilian financial institutions they analyzed had information and cybersecurity infrastructures determined to be either “At Risk” or “High Risk” (SEC, 2019). As these infrastructures are a large component of what protects one of an organization's most valuable assets, this figure is exceedingly unsettling to those managing an organization's information security. To identify potential solutions for the noted 74% figure, we must first identify the individual threats that result in an infrastructure being considered “High Risk” (SEC, 2019). Two primary factors stand out as large components of this determination: access control solutions to prevent unauthorized malicious actors, and outdated security principles. Access control has never been more important than in the current climate of distributed workforces and, by extension, the distributed access points that must be protected. Access control and authentication techniques are addressed in each category of this analysis, as implementing solutions to mitigate unauthorized access threats is a significant component of any regulatory compliance relating to data and information systems.

Within a secure environment, access can be controlled through physical and cyber configurations such as biometric access solutions and user profile permissions, respectively. Before the COVID-19 pandemic this was thought to be achievable only within a controlled physical office setting, but it is important to dispel this notion, as modern efforts have produced solutions for physical access control for a distributed workforce outside the secure room environment. With some current solutions, many on-premises physical security measures can be replicated for remote workers. Continuous biometric authentication implemented on physical device endpoints provides access control into sensitive systems, while controls against shoulder surfing and screen sharing protect against unauthorized parties viewing the sensitive material on the screen. This allows an organization to maintain its physical security standards outside the secure room environment while reducing risk by complying with regulatory requirements. With these new capabilities, organizations gain the added benefits of maintaining a distributed workforce to retain key talent and of greatly reducing the overhead costs of the physical offices required to host daily operations for many employees. By modernizing security infrastructure through a continuous biometric authentication solution, outdated systems can be minimized through virtualization and solutions such as cloud hosting, or by locking down necessary legacy systems with biometric security controls.

Data Privacy and Third-Party Service Providers

Special regulations apply to the financial industry with respect to data privacy and consumer privacy. These include, for example, the Gramm-Leach-Bliley Act, which establishes a safeguard requirement “that financial institutions protect the privacy of consumers' personal financial information” (FTC, 2016); PCI-DSS, which defines “the policies, tools, and controls needed to protect cardholder data” (Imperva, 2020); and, for organizations operating internationally, GDPR personal privacy requirements. Data privacy regulations are a constant factor in all business operations that involve end-user information and are especially dominant in the financial industry, carrying both monetary and reputational penalties if violated. A key component of these data privacy requirements centers on controlling who is authorized to view and access certain information, while ensuring that customer information does not leave authorized locations. As with information security management, compliance with these requirements was previously felt to be manageable only on-site, in a location controlled by the financial organization. By applying the same solutions recommended for information security management, organizations can address privacy through a multilayered security posture using biometric access controls. As biometric authentication can now be performed on a user's endpoint machine, with facial recognition occurring at the machine level rather than by streaming the camera feed, organizations benefit from a more secure environment without sacrificing end-user and employee privacy. In addition to facial recognition, layers such as unauthorized user detection can also operate at the machine level and compound the access control protection.
To visualize these security advancements, this is akin to allowing users with the correct privileges to enter a physical location using a key card while prohibiting unauthorized users from accessing that same location. Further restrictions can be applied to secure sessions to prevent data leakage, such as preventing screen sharing or screenshots and blocking mobile phones from photographing sensitive information on the screen. Within this secure virtual machine environment, an end-user can access sensitive data while adhering to the access controls defined by the organization's security policies, resulting in a secured remote work environment.

In addition to complying with data privacy regulations during internal business functions, third-party service providers that are offshore or that outsource offshore must be taken into consideration. As these environments are not physically controllable by the contracting organization, regulatory security practices can be difficult to verify and properly implement. A discussion paper by the Financial Stability Board (FSB, 2020) noted that while immense benefits in scaling, cost efficiency, and remote connectivity can be gained by employing third-party data processors and service providers, financial organizations face considerable challenges. Three scenarios were of primary concern: that the third party may not be aware of the regulations applicable to the financial organization; that the third party was aware but refused the organization access to audit its compliance processes; or that the financial organization lacked the ability to compel the third party to follow regulatory compliance practices (FSB, 2020). While any of these three scenarios would be daunting to a financial organization answerable to regulatory requirements, such organizations can realize immense benefit from the same remote security authentication tools discussed above. Because a secure environment can protect the workspace a remote vendor or end-user uses to reach a sensitive system through a VPN, a distributed clean room with protective measures can be established quickly, allowing only the intended and authorized user access to sensitive information.

Consequences of Inaction

The potential benefits of outsourcing certain functions to third-party service providers are widely understood and well documented. With this said, there is a real and present danger in overlooking that the security levels required of a regulated entity can still be achieved outside a secure room environment. This paper has described the technical means by which regulation can be satisfied with a remote workforce; however, the potential risks of ignoring this new demand cannot be overstated. A failure to embrace these new security solutions, with organizations forcing staff back into a physical office environment, will lead to the loss of key talent, as employee demand for remote work rose during the COVID-19 pandemic and is not going away anytime soon. A loss of these critical human resources will in turn mean the loss of institutional knowledge, worsening controls and metrics, and missed SLAs. The current financial climate has increased the need for financial organizations to spend money wisely in 2023 and beyond, and an inability to make use of outsourced service providers would put further stress on these budgets. It is therefore important that regulatory bodies, financial services organizations, and offshore third-party service providers recognize that there are secure alternatives for a remote workforce that provide regulatory compliance, and that they embrace these solutions.

Conclusion

Compliance with the regulations governing the financial industry is key, and the importance of a strong security posture cannot be overstated. However, achieving and exceeding the levels of security necessary for compliance no longer requires tying employees to one physical office. Dispersed workforces grew exponentially out of need during the COVID-19 pandemic and show no signs of slowing, owing to the increased satisfaction of employees working remotely and the cost savings organizations find in not maintaining physical real estate and overhead for business operations. In addition, dependency on offshore third-party service providers and data processors has become greater than in prior years, adding pressure to ensure compliance is met. As regulators push for these offshore suppliers to return to controlled physical locations, the techniques and tools discussed in this document allow the same level of protection in a hybrid or fully remote setting, enabling compliance with client security policies and the associated financial services regulation. The added benefit of allowing staff to continue working remotely keeps institutional knowledge within the third-party service provider and maintains the controls needed to satisfy operational and regulatory requirements. Although all organizations differ, and the applicable regulations and compliance requirements differ from one institution to the next, the security tools discussed here for defending against information security concerns and strengthening data privacy protection have a place in every organization's security infrastructure. Should a physical office be required, the same security tools that protect remote employees can just as easily be implemented on-site, enabling a hybrid workforce with common security standards and controls.
