Data access and control is critical for financial services
By Stuart Janicki • 24 Jul 2013
No firm expects staff to be dishonest, but there are times when human error or malicious intent can lead to data loss or exposure. Technology, policy and training can only go so far.
Appropriate access control and security around the right technology, software and communications help to build strong data security. Staff should not have unlimited access to all systems and customer data. This is critical in the financial services environment, where the depth and breadth of data stored makes it a target for fraudsters.
The right access is achieved by objectively reviewing each staff job role to determine which systems or technology are required to perform that role. If access to a certain system does not form part of someone's day-to-day role, then there is no need for that access.
Crucially, internet and email access need to be evaluated. When data is in an electronic format, it becomes easy to distribute quickly. Consider whether the staff member's access contributes a genuine business benefit.
If they are permitted access, then consider how you will track or limit usage. You may want to monitor outgoing communications for trigger words or strings, such as credit card numbers or passport information. Another step may be to block social media, social sharing or peer-to-peer networks, where data may be transferred more discreetly.
Within your customer databases, you may consider either masking data or blocking access. If a staff member doesn't need the whole credit card or passport number, then why display it? Consider what level of detail is actually required to perform the job role.
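To make the "trigger string" screening and masking above concrete, here is an added example that is not from the original post or from Cloud Direct: it scans an outgoing message for digit runs that pass the Luhn check (which weeds out most reference numbers and phone numbers that merely look like card numbers) and replaces each one with a masked form keeping only the last four digits. The sample message and the card numbers in it are constructed test values.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 4) -> str:
    """Mask all but the last `keep` digits, as a staff-facing screen should show."""
    return "*" * (len(pan) - keep) + pan[-keep:]


def redact_outgoing(message: str):
    """Return (redacted message, number of Luhn-valid card numbers found).

    A non-zero count is the trigger for flagging or holding the message;
    digit runs that fail Luhn (e.g. order references) are left untouched.
    """
    count = 0

    def _sub(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return CARD_CANDIDATE.sub(_sub, message), count


if __name__ == "__main__":
    # Constructed sample: two public test card numbers and one plain reference number.
    sample = "Card 4111 1111 1111 1111, ref 1234567890123456, alt 5555-5555-5555-4444"
    redacted, hits = redact_outgoing(sample)
    print(hits, redacted)
```

The same `mask_pan` helper can be applied at the database view layer so that the full number is never rendered for roles that only need to confirm the last four digits.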
You can scale this process by building staff profiles. This means identifying key job types and assigning the same level of access to every staff member in each type. This helps the IT department to standardise access quickly and efficiently.
Staff should then receive a unique login and password. A lot of software packages keep a log of changes, activity and access to each record or part of the database. If something erroneous does occur, it can be traced back to each individual for accountability.
Individual logins come with the caveat that they must be protected with strong passwords. The FCA highly recommends following the password advice provided by Get Safe Online. Long passwords with a mixture of upper and lower case letters, numbers and symbols are critical to keeping accounts secure. You must reiterate to staff why passwords such as Password12345 are not recommended.
Establishing a process for reviewing these profiles is important. Reviews should happen both periodically and at the end of employment. The periodic review should confirm that all listed access rights are still appropriate. For any leavers, the process and communication between HR and IT should be standardised so that access is deleted or disabled in a timely manner.
At Cloud Direct, we have a standardised process for employee access. An employee login form is generated for every new hire. Every software package or program has an associated admin who generates a unique username and default password to be listed on the form. The employee is asked to change the default password and sign when done. This form is reviewed during appraisal to ensure that appropriate access is still granted. At the end of employment, the admin of each software package is asked to revoke access and to sign when this has been completed. You can download this employee login template as an example for free!