In my previous post “Financial Conduct Authority (FCA) and Information Security” I set out the background to the Regulator and their approach to Information Security. From all of that we at IP Sentinel have distilled from the verbiage some of the questions that the FCA will ask as part of an assessment.
Firms should be alert to the financial crime risks associated with holding customer data and have written data security policies and procedures which are proportionate, accurate, up to date and relevant to the day-to-day work of staff.
- How is responsibility for data security apportioned?
- Has the firm ever lost customer data? If so,
- what remedial actions did it take?
- Did it contact customers?
- Did it review its systems?
- How does the firm monitor that suppliers of outsourced services treat customer data appropriately?
- Are data security standards set in outsourcing agreements, with suppliers’ performance subject to monitoring?
Firms should put in place systems and controls to minimise the risk that their operation and information assets might be exploited by thieves and fraudsters. Internal procedures such as IT controls and physical security measures should be designed to protect against unauthorised access to customer data.
The FCA supports the Information Commissioner’s position that it is not appropriate for customer data to be taken off-site on laptops or other portable devices which are not encrypted.
- Is your firm’s customer data taken off-site
- by staff (sales people, those working from home)
- or third parties (suppliers, consultants, IT contractors etc)?
- If so, what levels of security exist? For example:
- Does the firm require automatic encryption of laptops that leave the premises
- or measures to ensure no sensitive data is taken off-site?
- If customer data is transferred electronically, does the firm use secure internet links?
- How does the firm keep track of its digital assets?
- How does it dispose of documents, computers, and imaging equipment such as photocopiers that retain records of copies?
- Are accredited suppliers used to, for example, destroy documents and hard disks?
- How does the firm satisfy itself that data is disposed of competently?
- How are access to the premises and sensitive areas of the business controlled?
- When are staff access rights reviewed? (It is good practice to review them at least on recruitment, when staff change roles, and when they leave the firm.)
- Is there enhanced vetting of staff with access to lots of data?
- How are staff made aware of data security risks?
We also know what they consider to be good and bad (read unacceptable) practice in a wide range of areas:
Governance, Training and awareness, Staff recruitment and vetting, Controls – access rights, Controls – passwords and user accounts, Controls – monitoring access to customer data, Controls – data back-up, Controls – access to the internet and email, Controls – key-logging devices, Controls – laptop, Controls – portable media including USB devices and CDs, Physical security, Disposal of customer data, Managing third party suppliers, Internal audit and compliance monitoring.
As well as:
Records, Responsibilities and risk assessments, Access to systems, Outsourcing, Physical controls, Data disposal, Data compromise incidents.
If you would like to discuss this in more depth and work out if your firm is compliant with the Regulators guidelines please give James Hogbin a call on 01825 701870