Financial Industry Compliance: Part 1, Survey of Regulations

by Val Hetrick, Fiberlink

The financial industry is of course highly regulated. But what financial industry regulations and standards apply specifically to endpoints, and to data stored on mobile and distributed devices?

We did a little research on the subject, and would like to share our findings.

In this post we will survey several of the relevant laws.

In the next two posts we will look at the endpoint-related content in two excellent comprehensive guides, the Information Security Handbook from the Federal Financial Institutions Examination Council (FFIEC), and the Data Security in Financial Services report from the UK Financial Services Authority (FSA).

In the fourth post we will discuss a new MaaS360^® offering designed specifically to address the endpoint compliance requirements of financial firms.

So here is a quick survey of key regulations that specifically address protecting data on endpoints or protecting data transmitted wirelessly to and from mobile devices.

Massachusetts 201 CMR 17.00

Massachusetts law 201 CMR 17.00, states that laptops containing confidential information about Massachusetts residents must be protected by data encryption, firewalls, and up-to-date anti-virus files.

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

Nevada NRS 603A

Nevada NRS 603A specifies that personal data transmitted electronically must be encrypted. It also specifies that organizations that accept payment cards must comply with the Payment Card Industry Data Security Standard (PCI DSS).

http://www.leg.state.nv.us/NRs/NRS-603A.html

The “Safeguards Rule” (Regulation S-P)

The “Safeguards Rule,” Rule 30(a) of Regulation S-P (17 C.F.R. § 248), applies to brokers, dealers, investment companies, and investment advisers registered with the Securities and Exchange Commission (SEC). These firms must: “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” Further, “These written policies and procedures must be reasonably designed to… Protect against any anticipated threats or hazards to the security or integrity of customer records and information.”

http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=5cb4e1372eca646597d391a3ecfff6a4&rgn=div8&view=text&node=17:3.0.1.1.8.1.112.20&idno=17

This regulation clearly covers data stored on distributed computers. The SEC recently fined a firm $100,000 because the company did not require its registered representatives to have anti-virus software on their computers.

California SB 1386

Forty-five of the fifty U.S. states have data breach laws that require the notification of potential victims of security breaches. One of the best known and most stringent is California SB 1386.

Fortunately, many of these laws include a “safe harbor” clause for encrypted data. If a laptop or mobile device is lost or stolen, the requirement to notify potential victims can be eliminated if the organization proves that lost information was encrypted.

http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

H.R. 2221

In 2009 the U.S. House of Representatives passed H.R. 2221, the “Data Accountability and Trust Act.” If enacted by the U.S. Senate, this legislation would create a national standard for protecting personal information and require firms to safeguard personal data against reasonably foreseeable attacks.

http://www.govtrack.us/congress/billtext.xpd?bill=h111-2221

PCI DSS

To protect payment card data, the Payment Card Industry Data Security Standard (PCI DSS) requires the use of personal firewalls, anti-virus and anti-spyware software, and virtual private networks on all computers containing credit card related information.

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Our quick survey has turned up two types of mandates:

Requirements for specific technologies (encryption, virtual private networks, firewalls, and anti-virus packages).
More general guidelines such as “protecting against foreseeable risks.”

How can financial firms respond to such vague guidelines? We’ll take that up in our next post.

Tags: Device Management, financial compliance, MaaS360, mobility-as-a-service

This entry was posted by MaaS360 on June 30, 2010 at 4:04 pm, and is filled under Endpoint Management. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Related Posts
Comments (0)

No comments yet.

No trackbacks yet.

BYOD Statistics and Checklist [INFOGRAPHIC]

about 1 day ago - 1 comment

With the bring-your-own-device (BYOD) craze hitting enterprises, universities, hospitals, and everywhere between, IT administrators may find a checklist a good option to take charge of what’s coming their way. As millions of employees walk into the new year with devices received as holiday gifts, what better time to buckle down and successfully implement a plan for 2012? More >

Alleviating Your Mobile Security Woes

about 5 days ago - No comments

by John Harrington, Fiberlink This year, the security of confidential information on mobile devices is a top concern for companies across the world. Executives are being urged to finalize mobile security strategies while IT departments are in the drivers seat for implementation. Screw-ups will assuredly have a lasting backlash on the parties that fail to More >

Tips for Safe Banking from Your Smartphone

about 1 week ago - No comments

by Pragati Jain, Fiberlink Smartphone banking is today’s smart way of managing money on the go. We’ve all come to appreciate it for the simplicity and convenience it offers us. While the perks are great (quick access to funds, account balance summaries anytime, anywhere) safety and privacy have remained prime concerns. For this reason, I’ve come More >

SaaS Application Customization Techniques

about 4 weeks ago - No comments

by Ameya Kulkarni, Fiberlink Software-as-a-Service (SaaS) eliminates the need to install applications on the customer hardware. SaaS applications are typically accessed from a web browser and a single instance of the application often serves all the customers. Since the same application instance needs to fulfill different needs for different customers and there may be no More >

Alleviating Your Mobile Device Management Pain Points

about 2 months ago - No comments

by Pragati Jain, Fiberlink Should employees be allowed to bring their personal handheld devices to work? The above question is no longer relevant in today’s time. With the kind of flexibility and social interaction smartphones and tablets provide, these Swiss army-style devices are irresistible. Hence, can be found everywhere you turn. This trend has just More >

Battling to Secure Your Mobile Workforce?

about 2 months ago - No comments

by Pragati Jain, Fiberlink Did you know that around 45% of the mobile workforce has a job that is compatible with a certain amount of mobile commuting? Wow! Telecommuting is slowly turning into a motivating factor for employees to stick with their company. While the employee benefits from flexible work hours, improved productivity and better work-life balance, the More >

Best Practices for Securing Mobile Devices

about 2 months ago - No comments

by John Harrington, Fiberlink The enhanced access to information provided by greater use of smartphones and tablets among employees has created inherent data security risks. However, many companies have shown a willingness to face such challenges in exchange for promoting a workforce that is more productive both while at their desks and away from the More >

Moving to the Cloud… Why not?

about 2 months ago - No comments

by Pragati Jain, Fiberlink Recently, the MaaS360 MDM solution achieved an important certification under the U.S. Federal Information Security Management Act (FISMA) by the GSA. Google and Salesforce.com are the only other cloud providers who have achieved this certification from the GSA. We’ve maintained our position as the pioneer in SaaS (software-as-a-service) solutions for secure mobile More >

Kindle Fire vs. iPad 2, Round 2 Recap

about 2 months ago - No comments

by John Harrington, Fiberlink Now that we’ve (somehow) bounced back from the period of drowsiness synonymous with the Thanksgiving holiday, I invite you to jump right back into the action with me. Continuing from where we left off, I’m going to summarize how the kindle fire chalks up to the iPad 2 in terms of More >

Fiberlink CEO Talks Industry Growth & Job Creation on CBS

about 2 months ago - No comments

by John Harrington, Fiberlink Yesterday, Jim Sheward (CEO of Fiberlink) had the opportunity to speak on CBS Philly’s Talk Philly program where he introduced our company, our plans for job creation, and why we were voted one of the Best Places to Work in Philadelphia. With his iPhone in hand on set, Jim described Fiberlink More >

- Our Sites
- Blog Sponsor
  
  This blog is sponsored by Fiberlink. Fiberlink is the developer of MaaS360, the leading cloud-based, mobile device visibility and management platform. To learn more or take a test ride of MaaS360, please visit www.maas360.com.

Top
©2011 Fiberlink Communications. All Rights Reserved. All brands and their products, featured or referred to within this document, are trademarks or registered trademarks of their respective holders and should be noted as such.

MaaS360 Sites

MaaS360 Links

Financial Industry Compliance: Part 1, Survey of Regulations

Massachusetts 201 CMR 17.00

Nevada NRS 603A

The “Safeguards Rule” (Regulation S-P)

California SB 1386

H.R. 2221

PCI DSS

No comments yet.

No trackbacks yet.

Alleviating Your Mobile Security Woes

Tips for Safe Banking from Your Smartphone

SaaS Application Customization Techniques

Battling to Secure Your Mobile Workforce?

Best Practices for Securing Mobile Devices

Kindle Fire vs. iPad 2, Round 2 Recap

My latest tweets

Our Sites

Blog Sponsor