Take it From a Compliance Officer:
Secure Networks Matter
By Randy Griffith, Senior Security Consultant, CISO Global, Inc.
Even before the fiasco at Silicon Valley Bank, financial institutions were under tremendous scrutiny from regulators. How could they not be? Banks are among the oldest known targets for theft, and in a digital age, the most direct way to extract money is either straight cyber-theft from existing accounts or ransomware. IT systems that house customers’ financial data can be architected with the right security controls in place to protect that data to the highest standard. Yet when it comes to meeting compliance standards for network security, it is often hard to know where to start, and when working with IT consultants the focus is frequently on functionality alone, with the implication that security will come along later as an add-on.
I have audited and prepared countless financial institutions for their audits, and my observation is that not everyone executes security controls to the same standard – prioritizing risk over compliance. Reviewers coming to visit you on-site want to see that not only are you checking the right boxes to satisfy compliance requirements, but you are truly prioritizing cybersecurity as you mitigate risks to customers’ financial data.
From my perspective, what matters most for network design is proper segmentation: whoever designs the network places users and servers in separate virtual local area networks (VLANs) that are isolated from each other and from direct internet access. Firewall rules govern which traffic may pass between the VLANs, and users should have access only to what they need, with no permissions to anything on the network that is not strictly required to perform their work.
Granting unnecessary access permissions, even by default or by accident, is a big issue. If a user has more access than they should and their account is compromised, there is little to nothing to stop an attacker from using their credentials to exfiltrate whatever data that user can reach. You wouldn’t leave the vault open all day with no record of who is coming and going, allowing all employees to access it freely, so why should a network housing sensitive information be any different? Records of who accesses what data should be maintained for nonrepudiation purposes, and those records only serve that purpose if they are kept somewhere the people being recorded cannot alter them.
Cyber attackers are masterful at what is called lateral movement: using a single compromised foothold to move from system to system. If a network is properly segmented, there is little or no path from a standard user workstation into the server system(s) that house highly sensitive data. Because the two are separated, compromising a workstation does an attacker very little good. This is one principle security engineers apply when designing a network with cybersecurity in mind.
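The segmentation and least-privilege points above can be checked mechanically against an inter-VLAN rule set. The script below is an added example, not code from the article or from CISO Global; the VLAN names, ports and both rule sets are constructed for illustration. It treats every allow rule as a potential lateral-movement hop, flags any rule from the user VLAN that lands directly on a sensitive VLAN, flags rules that allow every port, and prints the pivot chain when the user VLAN can still reach a sensitive VLAN through intermediate hops, so a reviewer can judge each hop.

```python
from collections import deque

# Constructed sample policies (hypothetical VLAN names, not from the article).
# Each rule is (source VLAN, destination VLAN, allowed TCP ports), where "*" means any port.
FLAT_NETWORK = [
    ("users", "servers", "*"),        # one allow-any rule: effectively no segmentation
    ("servers", "users", "*"),
    ("users", "internet", "*"),
]

SEGMENTED_NETWORK = [
    ("users", "web-proxy", {3128}),   # workstations reach the internet only via a proxy
    ("web-proxy", "internet", {80, 443}),
    ("users", "app", {443}),          # workstations use the banking app over HTTPS only
    ("app", "db", {1433}),            # app tier talks to the database tier
    ("admin-jump", "db", {22, 1433}), # DBAs reach the database from a hardened jump host
]


def adjacency(rules):
    """Directed graph VLAN -> {VLAN} derived from the allow rules."""
    graph = {}
    for src, dst, _ports in rules:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def pivot_path(rules, start, target):
    """Shortest chain of allowed hops from start to target, or None if unreachable.
    This is the lateral-movement reach an attacker gets from a foothold in `start`."""
    graph = adjacency(rules)
    parents = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parents[cur]
            return path[::-1]
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in parents:
                parents[nxt] = cur
                queue.append(nxt)
    return None


def direct_rules(rules, src, dst):
    """Rules that let src talk to dst without any intermediate hop."""
    return [r for r in rules if r[0] == src and r[1] == dst]


def review_policy(rules, user_vlan, sensitive):
    """Findings a reviewer would raise against the rule set, in rule order."""
    findings = []
    for src, dst, ports in rules:
        if ports == "*":
            findings.append(f"OVERLY-BROAD: {src} -> {dst} allows every port")
    for vlan in sorted(sensitive):
        if direct_rules(rules, user_vlan, vlan):
            findings.append(f"DIRECT: {user_vlan} can reach sensitive VLAN {vlan} without a hop")
        path = pivot_path(rules, user_vlan, vlan)
        if path and len(path) > 2:
            findings.append("PIVOT: " + " -> ".join(path) + " (review each hop)")
    return findings


if __name__ == "__main__":
    for name, rules, sensitive in (("flat", FLAT_NETWORK, {"servers"}),
                                   ("segmented", SEGMENTED_NETWORK, {"db"})):
        print(f"== {name} ==")
        for finding in review_policy(rules, "users", sensitive) or ["no findings"]:
            print(" ", finding)
```

On the flat rule set the checker reports both the allow-any rules and the direct path from workstations to the server VLAN. On the segmented set there is no direct rule and no wildcard, but it still reports the chain users -> app -> db, which is exactly the path a reviewer should ask about: the app tier needs the database, so the question becomes what controls sit on that hop.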
Designing your network securely is not enough to meet compliance, however. You still need to demonstrate your compliance by 1) understanding any legal and regulatory requirements for your organization, 2) implementing appropriate controls to achieve your compliance objectives, 3) documenting all of the company’s controls, 4) shoring up weak areas on an ongoing basis, and 5) having regular audits or reviews of your organization’s observance of those controls and objectives. Collect evidence on a periodic basis that those controls are actually being observed, so that when an audit occurs you already have what the auditor needs.
Even better, centralizing documentation in easy-to-access locations and reader-friendly formats will make the process much simpler for both you and your reviewer or auditor. When you work in an industry that is under strict compliance requirements, it is a good idea to do everything you can to make your auditor’s (or reviewer’s) life easier. Simplify and streamline documentation for them. Have someone on hand who speaks their language, can answer questions using the correct terminology, and can address any concerns in a calm and helpful way. If you have taken the steps to engineer systems that are secure by design, and you have all the documentation, you want to make sure your audit or review reflects that.
If you have questions about your network, or about an upcoming audit, we encourage you to request a consultation with one of our experts.