Secure Messaging, Part 5: Protecting Confidential Financial Information with a Turn-Key Email Security Solution
Novell Cool Solutions: Trench
Posted: 29 May 2002
E-mail security is a very hot topic for our readers these days. In the wake of the terrorist attacks of September 11, there has been heightened interest in how government agencies, corporations, and individuals can protect the confidential and classified information that they share via e-mail. We turned to our new partners at Tovaris to help us explain these complex issues.
Tovaris is our new secure messaging partner. They are an e-mail privacy and security company located in Virginia. Their product suite, the Tovaris E-mail Security Solution™ (TESS), provides e-mail security capabilities to financial services firms, healthcare providers, and government agencies.
In this fifth article of a series about e-mail security, we explore the financial services industry's challenges for keeping financial information safe from hackers.
What's the Problem?
The Internet is a dangerous place to conduct business; without proper safety precautions, conducting business across the Internet is like riding a motorcycle in rush hour. With no helmet.
The news is full of financial information stolen by hackers and crackers. A few cases in point:
- Computer hackers gained access to the California state government's computer systems in April 2002 and stole sensitive financial and personal information about as many as 265,000 state workers (Sacramento Bee, 5/25/02)
- Telecom company Qwest Communications acknowledged that a glitch in its Web-based paperless billing system left some long-distance customer records exposed for over a week (SecurityFocus Online, 5/27/02)
- Hackers accessed confidential information from the World Economic Forum (WEF) database in Feb 2001, including credit card numbers, addresses, e-mail addresses, home and cell phone numbers and passport numbers belonging to business people and government officials including former President Bill Clinton (WiredNews.com, 2/12/2001)
The Federal Government is well aware of the risks to consumer financial information. There are established regulatory protections in place for confidential financial information held by financial services organizations, banks, brokerages, and credit card companies.
Financial Services Compliance Considerations
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Institution Privacy Protection Act of 2001, requires that financial services firms maintain the security and privacy of NPI (Nonpublic Personal Information) about their customers. NPI includes:
- Fact that an individual is the customer of a particular financial institution
- Consumer's name, address, social security number, account number
- Any information a consumer provides on an application
- Information from a "cookie" obtained in using a website
- Information on a consumer report obtained by a financial institution [1]
GLBA regulations are designed to improve the financial services industry's privacy and security protections, and to safeguard sensitive consumer information - much like HIPAA will do in the healthcare industry.
What Organizations are Affected?
Entities supervised by the Office of the Comptroller of the Currency (OCC), the Federal Reserve System (Fed), the Federal Deposit Insurance Corporation (FDIC) and the Office of Thrift Supervision (OTS) are all affected by GLBA regulations. GLBA regulates financial services organizations including insurance providers, securities firms, and banks, and covers four main aspects [2]:
- Organizations must maintain policies to protect the security and confidentiality of nonpublic information;
- Organizations are prohibited from sharing account information with non-affiliated third parties for marketing purposes;
- Customers are allowed to opt out of the sharing of their personal information;
GLBA requires organizations to review and classify their data stores, assess the internal processing of that data, determine what information protection mechanisms are needed, and establish ongoing monitoring of those processes and systems.
Encryption of Electronic Customer Information
In the remainder of this article we will focus on the encryption of financial information in e-mail communications. According to the SANS Institute, the eight factors for protecting customer information are:
- Encryption of electronic customer information (especially in transit)
- Access control
- Physical security at locations where customer information is stored
- A change management process for customer information system modifications
- Dual control, segregation of duties and employee background checks for employees with access to customer information
- Monitoring systems and procedures to detect any actual or attempted attacks or intrusions on customer information systems
- An incident response program for handling attempted and actual unauthorized access to customer information
- A disaster recovery program for protection against destruction of customer information due to physical hazards and technical failures [3]
Codes and ciphers have been around as long as there has been information that needed to be kept secret. For our purposes, however, encryption is defined as a process that uses algorithms (mathematical formulas) to scramble information and make it unreadable to anyone but the intended recipient(s).
Turn-Key E-mail Security for GLBA Compliance
Tovaris enables financial services organizations to address the five major requirements of a GLBA-compliant e-mail encryption system with the Tovaris E-mail Security Solution™ (TESS):
- Authentication ("Is the sender who he says he is?")
- Authorization ("Is the sender allowed to send this message?")
- Integrity ("Did the message reach its recipient unaltered and unchanged?")
- Encryption ("Was this message protected (unreadable) across the Internet?")
- Auditing ("Can we prove the message was sent securely?")
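To make the five requirements concrete, here is a small Python model (added for this article; it is not Tovaris code and does not describe how TESS works internally) of a gateway applying each check to one message: an authorization policy table decides whether the sender may send to the recipient's domain, a shared secret is split into separate encryption and authentication keys, the body is encrypted and then covered by an HMAC tag that also binds the sender and recipient headers, the receiving side verifies the tag before decrypting anything, and every outcome is written to an audit record. The policy table, addresses, secret, and message are constructed sample data, and the counter-mode keystream built from HMAC-SHA256 is a stand-in for a real cipher such as AES so the example runs with the standard library only.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed authorization policy (hypothetical data): which senders may send
# protected mail to which recipient domains.
SEND_POLICY = {
    "alice@bank.example": {"customer.example", "bank.example"},
}

# In-memory audit trail; a real gateway would write to a tamper-resistant store.
AUDIT_LOG = []


def _derive_keys(shared_secret):
    """Derive independent encryption and authentication keys from one secret."""
    enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR).

    Each (nonce, counter) pair yields a fresh 32-byte block; a nonce must never
    be reused with the same key, which is why protect_message draws a random one.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def _audit(event, envelope):
    """Record who sent what to whom and the tag, never the message contents."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "sender": envelope["sender"],
        "recipient": envelope["recipient"],
        "tag": envelope["tag"],
    })


def protect_message(sender, recipient, body, shared_secret):
    """Authorization check, encryption, then an authentication/integrity tag."""
    domain = recipient.split("@", 1)[1]
    if domain not in SEND_POLICY.get(sender, set()):
        raise PermissionError(f"{sender} may not send protected mail to {domain}")
    enc_key, mac_key = _derive_keys(shared_secret)
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(body, _keystream(enc_key, nonce, len(body)))
    # Encrypt-then-MAC: the tag binds headers, nonce and ciphertext together,
    # so altering any of them is detected before decryption on the other side.
    header = f"{sender}>{recipient}".encode()
    tag = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    envelope = {
        "sender": sender,
        "recipient": recipient,
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }
    _audit("sent", envelope)
    return envelope


def open_message(envelope, shared_secret):
    """Verify the tag in constant time first; only then decrypt."""
    enc_key, mac_key = _derive_keys(shared_secret)
    nonce = bytes.fromhex(envelope["nonce"])
    ciphertext = bytes.fromhex(envelope["ciphertext"])
    header = f"{envelope['sender']}>{envelope['recipient']}".encode()
    expected = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(envelope["tag"])):
        _audit("rejected", envelope)
        raise ValueError("message failed integrity/authentication check")
    body = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    _audit("opened", envelope)
    return body


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    env = protect_message("alice@bank.example", "bob@customer.example",
                          b"Account 123 balance: 42.00", secret)
    print(open_message(env, secret))
    for entry in AUDIT_LOG:
        print(entry["event"], entry["sender"], "->", entry["recipient"])
```

Two design choices matter beyond the five bullet points. The tag is checked with a constant-time comparison before any decryption happens, so a forged or damaged message never reaches the decryption step, and the audit entry stores the tag rather than the body, so the log proves a message was sent and accepted without itself becoming a second copy of the confidential data.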
Any e-mail security solution a financial services organization considers must address the following questions:
- Does the product integrate seamlessly with my existing network and e-mail infrastructure, including virus checking, content scanning, and archiving services?
- Will the product allow my employees to send encrypted e-mail messages to any Internet recipient?
- Will the product enable my employees to encrypt sensitive information from their familiar e-mail application, while still sending and receiving messages as normal?
- Will the product be easy for my overburdened systems administrators to deploy, manage, and use?
- Is the product cost effective?
[1] Federal Trade Commission, Bureau of Consumer Protection, Division of Financial Practices. "The Gramm-Leach-Bliley Act: Privacy of Consumer Financial Information." URL: http://www.ftc.gov/privacy/glbact/glboutline.htm
[2] Whitney, Sally. "The Great Privacy Debate." Best's Review, June 2000.
[3] Lang, Marion (SANS Institute). "Gramm-Leach-Bliley Act of 1999: What Information Security Professionals Need to Know." April 4, 2001. URL: http://www.giac.org/practical/gsec/Marion_Lang_GSEC.pdf
The Tovaris E-mail Security Solution™ (TESS) allows financial services organizations to comply with GLBA security regulations for customer financial information encryption in a transparent, cost-effective manner.
For more information regarding the Tovaris E-mail Security Solution™, contact Sean Steele, National Account Manager, at 703-465-0964 or visit the Tovaris website at www.tovaris.com.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com