SlideShare a Scribd company logo

Compliance in Unified Communications & Collaboration- The Financial Sector (1)

S
Steve Hood
1 of 4
Download to read offline
secure communications. solved. supported. Compliance in Unified Communications & Collaboration: The Financial Sector White Paper
White paper There are two topics that every Chief Information Security Officer (CISO) should consider: 1. How to address the growing demand for Unified Communications & Collaboration (UCC). 2. How to ensure that the organisations compliance obligations are met. Responsibility for compliance extends beyond the CISO to the entire board. These issues are linked because any UCC implementation impacts the deploying organisations compliance status. This white paper examines UCC compliance issues and how organisations can realise the benefits of UCC without compromising compliance status by implementing correct security controls. Compliance secure communications. solved. supported. When compliance is discussed in the context of Information Technology (IT), most think of the myriad of financial sector regulations which apply to data processing and storage. However, compliance is a much broader topic, which is often overlooked. Some may be unaware that compliance applies to all forms of business communication (essentially all of the components of UCC) including: UCC The financial sector has its own set of compliance regulations, which is complicated by the fact that regulations vary from country to country. In 2011, the Financial Services Authority (this body has now become two separate entities - The Financial Conduct Authority and the Prudential Regulatory Authority) extended UK compliance regulations to cover the recording of phone calls. At a European level, the Markets in Financial Instruments Directive (MIFID), which was published in 2007, mandated that records must be kept to enable the reconstruction of each stage of the processing of each transaction. This can be interpreted to include the recording of phone calls, but this requirement is not explicitly stated. Nonetheless, new regulations (MIFID II), which were passed by the European Parliament and Council in 2014 will apply from January 2017 to specifically include call recording. Tip of iceberg There is more to compliance than call recording regulations for the financial sector. For example, there are a number of European regulations which apply to any business handling personal data. These regulations are defined in a number of documents including EU Directive 95/46/EC and summarised in the Handbook on European Data Protection Law. Directive 95/46/EC controls the collection and use of personal data and defines seven principles, including: Personal data may be used only for stated purposes and no other purpose. Personal data must be kept safe and secure from potential abuse, theft or loss. Any organisation processing personal data is responsible for adhering to all seven principles. www.forfusion.com/ucc Telephony Video Instant Messaging (IM) and Presence communication
secure communications. solved. supported. Why this matters to Unified Communications & Collaboration The Handbook on European Data Protection Law provides a summary of regulations and quotes article 8 of the European Convention on Human Rights, which is summarised as: a right to protection against the collection and use of personal data. The broad scope of these regulations places a responsibility on all businesses processing personal data to protect that data, and holds that businesses are responsible for breaches regardless of how those breaches are triggered. The growing number of security breaches has led to new proposals for more EU data protection regulation. These include a requirement to report all security breaches within 72 hours. The proposals also establish a public register of all breaches notified. In addition any breach can result in a fine of up to 5% of global annual turnover. The severity of the fine will depend on the level of data protection measures implemented by the offending organisation. It is imperative that all companies, especially those in finance, ensure that adequate security and compliance measures are applied to all information processing systems. As Paul McNulty, former US Deputy Attorney General commented: If you think compliance is expensive, try non compliance. UCCistheintegrationofreal-time,enterprisecommunication services with existing IT applications and services. UCC includes voice and video calls, Instant Messaging and Presenceinformation(showingtheavailabilityofcolleagues). UCC is designed to improve the efficiency of business communication, both internally (within an organisation) and externally (to a business's customers and partners). The full benefits of UCC are realised only when the service is extended beyond the bounds of an organisation’s network to connect remote users on mobile or fixed line devices and to extend the service to third-parties. UCC is implemented on Internet Protocol (IP) networks and can share those networks with: This brings communication services such as voice and video into the IT remit. UCC services will inevitably carry sensitive and personal data, which means that UCC is subject to the same compliance regulations as any other data service. This means that all UCC deployments must be protected with effective security measures. The security and compliance problems are not confined to UCC. Recent reports show that both cellular networks and the global SS7 (signaling system) phone network are vulnerable to attacks that can allow unauthorised monitoring of calls and text messages. The only response to the security problems on mobile and SS7 networks is to recognise that these networks are not secure. Implementing a well-designed and secure UCC system that meets compliance requirements protects all real-time communications. The protocols used to deliver UCC are complex. This complexity plus the real-time requirements of UCC means that the security measures deployed must be tailored to meet UCC specific security threats. Standard data security measures are not sufficient. This includes the loss of data through any IT security breach, meaning that any IT system which includes UCC services is not compliant if it is not protected against attack. www.forfusion.com/ucc Data services Social collaboration platforms Email systems Cloud services & applications
secure communications. solved. supported. How to Ensure UCC Compliance Compliance obligations extend beyond the financial sector and are about far more than implementing call recording. Compliance also requires that systems used for information processing are protected against attacks that could result in information leakage and loss of confidentiality with regard personal information. As the EU directive states: If an organisation processes any personal data, which includes basic information such as contact and payment details for customers, then that organisation is responsible for ensuring the safety of this data. The specific financial sector regulations may also apply. In both cases the compliance requirements apply to both data and UCC services the latter including all voice, video and IM communication. Personal data must be kept safe and secure from potential abuse, theft or loss. Compliance for UCC is a process, the key steps in this process are: 1. Understand which of the many regulations apply to your organisation. 2. Audit your UCC and telephony systems to ensure that they are adequately protected from attacks that could lead to the compromise of personal information. This audit should check for both generic network security vulnerabilities and vulnerabilities specific to the protocols used. 3. Review your existing security measures, recognising that most IT data security measures (Firewalls, VPNs etc.) do not adequately protect UCC applications. 4. Review the need for call encryption, particularly for mobile devices used to communicate sensitive information. 5. Review the need for call recording - any financial sector organisation subject to MIFID will need to implement this if not already obliged to do so by other regulations. 6. Implement an effective UCC security system which meets the compliance requirements. Why Choose ? Since 2007, Forfusion has helped some of the most prominent finance houses, government organisations, retail corporations and charities comply with complex regulations whilst simultaneously improving efficiencies and reducing operational expenditure. It’s no wonder Forfusion has a 100% customer retention rate. 0203 727 4610 info@forfusion.com @Forfusion linkedin.com/Forfusion www.forfusion.com/ucc Customer Retention since 2007

Recommended

Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Editor IJCATR
 
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...Dr Dev Kambhampati
 
Legal, ethical & professional issues
Legal, ethical & professional issuesLegal, ethical & professional issues
Legal, ethical & professional issuesDhani Ahmad
 
Maloney Slides
Maloney SlidesMaloney Slides
Maloney Slidesecommerce
 
Whitepaper Best Practices For Integrated Physical Security Supporting Ma It...
Whitepaper Best Practices For Integrated Physical Security Supporting Ma It...Whitepaper Best Practices For Integrated Physical Security Supporting Ma It...
Whitepaper Best Practices For Integrated Physical Security Supporting Ma It...James McDonald
 
Ethiopia reba paper
Ethiopia reba paperEthiopia reba paper
Ethiopia reba paperWesen Tegegne
 
Empowering Secure Mobility in Regulated Industries
Empowering Secure Mobility in Regulated IndustriesEmpowering Secure Mobility in Regulated Industries
Empowering Secure Mobility in Regulated IndustriesGlobo Plc
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 

Recommended

Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Editor IJCATR
 
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...Dr Dev Kambhampati
 
Legal, ethical & professional issues
Legal, ethical & professional issuesLegal, ethical & professional issues
Legal, ethical & professional issuesDhani Ahmad
 
Maloney Slides
Maloney SlidesMaloney Slides
Maloney Slidesecommerce
 
Whitepaper Best Practices For Integrated Physical Security Supporting Ma It...
Whitepaper Best Practices For Integrated Physical Security Supporting Ma It...Whitepaper Best Practices For Integrated Physical Security Supporting Ma It...
Whitepaper Best Practices For Integrated Physical Security Supporting Ma It...James McDonald
 
Ethiopia reba paper
Ethiopia reba paperEthiopia reba paper
Ethiopia reba paperWesen Tegegne
 
Empowering Secure Mobility in Regulated Industries
Empowering Secure Mobility in Regulated IndustriesEmpowering Secure Mobility in Regulated Industries
Empowering Secure Mobility in Regulated IndustriesGlobo Plc
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2Tanmay Shinde
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1Tanmay Shinde
 
Session#7; securing information systems
Session#7; securing information systemsSession#7; securing information systems
Session#7; securing information systemsOmid Aminzadeh Gohari
 
Information Security
Information SecurityInformation Security
Information Securitysteffiann88
 
Privacy & security in heath care it
Privacy & security in heath care itPrivacy & security in heath care it
Privacy & security in heath care itDhani Ahmad
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Lance Michalson
 
Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000n|u - The Open Security Community
 
Network Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in NigeriaNetwork Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in NigeriaINFOGAIN PUBLICATION
 
GDPR & IBM i Security
GDPR & IBM i SecurityGDPR & IBM i Security
GDPR & IBM i SecurityPrecisely
 
Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Vijay Dalmia
 
Report on Network Security And Privacy
Report on Network Security And PrivacyReport on Network Security And Privacy
Report on Network Security And PrivacyManan Gadhiya
 
S nandakumar
S nandakumarS nandakumar
S nandakumarIPPAI
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_bangloreIPPAI
 
Maloney slides
Maloney slidesMaloney slides
Maloney slidesOnkar Sule
 
An information security governance framework
An information security governance frameworkAn information security governance framework
An information security governance frameworkAnne ndolo
 
Securing information systems
Securing information systemsSecuring information systems
Securing information systemsProf. Othman Alsalloum
 
Information Security
Information SecurityInformation Security
Information SecurityWe Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Securitychauhankapil
 
Chapter 8 securing information systems MIS
Chapter 8 securing information systems MISChapter 8 securing information systems MIS
Chapter 8 securing information systems MISAmirul Shafiq Ahmad Zuperi
 
Compliance for Real-Time communications-June2016
Compliance for Real-Time communications-June2016Compliance for Real-Time communications-June2016
Compliance for Real-Time communications-June2016Mohan C. de SILVA
 
Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Miguel A. Amutio
 
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docxjesusamckone
 

More Related Content

What's hot

ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2Tanmay Shinde
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1Tanmay Shinde
 
Session#7; securing information systems
Session#7; securing information systemsSession#7; securing information systems
Session#7; securing information systemsOmid Aminzadeh Gohari
 
Information Security
Information SecurityInformation Security
Information Securitysteffiann88
 
Privacy & security in heath care it
Privacy & security in heath care itPrivacy & security in heath care it
Privacy & security in heath care itDhani Ahmad
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Lance Michalson
 
Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000n|u - The Open Security Community
 
Network Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in NigeriaNetwork Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in NigeriaINFOGAIN PUBLICATION
 
GDPR & IBM i Security
GDPR & IBM i SecurityGDPR & IBM i Security
GDPR & IBM i SecurityPrecisely
 
Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Vijay Dalmia
 
Report on Network Security And Privacy
Report on Network Security And PrivacyReport on Network Security And Privacy
Report on Network Security And PrivacyManan Gadhiya
 
S nandakumar
S nandakumarS nandakumar
S nandakumarIPPAI
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_bangloreIPPAI
 
Maloney slides
Maloney slidesMaloney slides
Maloney slidesOnkar Sule
 
An information security governance framework
An information security governance frameworkAn information security governance framework
An information security governance frameworkAnne ndolo
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Securitychauhankapil
 

What's hot (19)

ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
 
Session#7; securing information systems
Session#7; securing information systemsSession#7; securing information systems
Session#7; securing information systems
 
Information Security
Information SecurityInformation Security
Information Security
 
Privacy & security in heath care it
Privacy & security in heath care itPrivacy & security in heath care it
Privacy & security in heath care it
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)
 
Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000
 
Network Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in NigeriaNetwork Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in Nigeria
 
GDPR & IBM i Security
GDPR & IBM i SecurityGDPR & IBM i Security
GDPR & IBM i Security
 
Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour
 
Report on Network Security And Privacy
Report on Network Security And PrivacyReport on Network Security And Privacy
Report on Network Security And Privacy
 
S nandakumar
S nandakumarS nandakumar
S nandakumar
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
 
Maloney slides
Maloney slidesMaloney slides
Maloney slides
 
An information security governance framework
An information security governance frameworkAn information security governance framework
An information security governance framework
 
Securing information systems
Securing information systemsSecuring information systems
Securing information systems
 
Information Security
Information SecurityInformation Security
Information Security
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Security
 
Chapter 8 securing information systems MIS
Chapter 8 securing information systems MISChapter 8 securing information systems MIS
Chapter 8 securing information systems MIS
 

Similar to Compliance in Unified Communications & Collaboration- The Financial Sector (1)

Compliance for Real-Time communications-June2016
Compliance for Real-Time communications-June2016Compliance for Real-Time communications-June2016
Compliance for Real-Time communications-June2016Mohan C. de SILVA
 
Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Miguel A. Amutio
 
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docxjesusamckone
 
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docxRAJU852744
 
CyberSecurityCompliance-Aug2016-V10 (002) final
CyberSecurityCompliance-Aug2016-V10 (002) finalCyberSecurityCompliance-Aug2016-V10 (002) final
CyberSecurityCompliance-Aug2016-V10 (002) finalRobertPike
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guideAdilsonSuende
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challengesKresimir Popovic
 
2 Understand what is meant by professional practice
2 Understand what is meant by professional practice2 Understand what is meant by professional practice
2 Understand what is meant by professional practiceMark Anthony Kavanagh
 
GUL Network Infrastructure
GUL Network InfrastructureGUL Network Infrastructure
GUL Network InfrastructureMuhammad Zeeshan
 
Sms compliance white paper for mobile communications
Sms compliance white paper for mobile communicationsSms compliance white paper for mobile communications
Sms compliance white paper for mobile communicationsTextGuard
 
What Financial Institution Cyber Regs Tell the Infrastructure Sector
What Financial Institution Cyber Regs Tell the Infrastructure SectorWhat Financial Institution Cyber Regs Tell the Infrastructure Sector
What Financial Institution Cyber Regs Tell the Infrastructure SectorCBIZ, Inc.
 
What will be the Impact of GDPR Compliance in EU & UK?
What will be the Impact of GDPR Compliance in EU & UK?What will be the Impact of GDPR Compliance in EU & UK?
What will be the Impact of GDPR Compliance in EU & UK?Cigniti Technologies Ltd
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and riskEY
 
Secure Use of Cloud Computing in the Finance Sector
Secure Use of Cloud Computing in the Finance SectorSecure Use of Cloud Computing in the Finance Sector
Secure Use of Cloud Computing in the Finance SectorEftychia Chalvatzi
 
What operational technology cyber security is?
What operational technology cyber security is?What operational technology cyber security is?
What operational technology cyber security is?sohailAhmad304
 
GDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpGDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpJason Lackey
 
Sarbanes-Oxley Compliance and the RFI/RFP Process
Sarbanes-Oxley Compliance and the RFI/RFP ProcessSarbanes-Oxley Compliance and the RFI/RFP Process
Sarbanes-Oxley Compliance and the RFI/RFP ProcessCXT Group
 

Similar to Compliance in Unified Communications & Collaboration- The Financial Sector (1) (20)

Compliance for Real-Time communications-June2016
Compliance for Real-Time communications-June2016Compliance for Real-Time communications-June2016
Compliance for Real-Time communications-June2016
 
Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...
 
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
 
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
 
CyberSecurityCompliance-Aug2016-V10 (002) final
CyberSecurityCompliance-Aug2016-V10 (002) finalCyberSecurityCompliance-Aug2016-V10 (002) final
CyberSecurityCompliance-Aug2016-V10 (002) final
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guide
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
2 Understand what is meant by professional practice
2 Understand what is meant by professional practice2 Understand what is meant by professional practice
2 Understand what is meant by professional practice
 
GUL Network Infrastructure
GUL Network InfrastructureGUL Network Infrastructure
GUL Network Infrastructure
 
Sms compliance white paper for mobile communications
Sms compliance white paper for mobile communicationsSms compliance white paper for mobile communications
Sms compliance white paper for mobile communications
 
What Financial Institution Cyber Regs Tell the Infrastructure Sector
What Financial Institution Cyber Regs Tell the Infrastructure SectorWhat Financial Institution Cyber Regs Tell the Infrastructure Sector
What Financial Institution Cyber Regs Tell the Infrastructure Sector
 
What will be the Impact of GDPR Compliance in EU & UK?
What will be the Impact of GDPR Compliance in EU & UK?What will be the Impact of GDPR Compliance in EU & UK?
What will be the Impact of GDPR Compliance in EU & UK?
 
FFIEC overview
FFIEC overviewFFIEC overview
FFIEC overview
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
 
Code of practice_for_consumer_io_t_security_october_2018
Code of practice_for_consumer_io_t_security_october_2018Code of practice_for_consumer_io_t_security_october_2018
Code of practice_for_consumer_io_t_security_october_2018
 
Secure Use of Cloud Computing in the Finance Sector
Secure Use of Cloud Computing in the Finance SectorSecure Use of Cloud Computing in the Finance Sector
Secure Use of Cloud Computing in the Finance Sector
 
What operational technology cyber security is?
What operational technology cyber security is?What operational technology cyber security is?
What operational technology cyber security is?
 
itgc.pptx
itgc.pptxitgc.pptx
itgc.pptx
 
GDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpGDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can Help
 
Sarbanes-Oxley Compliance and the RFI/RFP Process
Sarbanes-Oxley Compliance and the RFI/RFP ProcessSarbanes-Oxley Compliance and the RFI/RFP Process
Sarbanes-Oxley Compliance and the RFI/RFP Process
 

Compliance in Unified Communications & Collaboration- The Financial Sector (1)

  • 1. secure communications. solved. supported. Compliance in Unified Communications & Collaboration: The Financial Sector White Paper
  • 2. White paper There are two topics that every Chief Information Security Officer (CISO) should consider: 1. How to address the growing demand for Unified Communications & Collaboration (UCC). 2. How to ensure that the organisations compliance obligations are met. Responsibility for compliance extends beyond the CISO to the entire board. These issues are linked because any UCC implementation impacts the deploying organisations compliance status. This white paper examines UCC compliance issues and how organisations can realise the benefits of UCC without compromising compliance status by implementing correct security controls. Compliance secure communications. solved. supported. When compliance is discussed in the context of Information Technology (IT), most think of the myriad of financial sector regulations which apply to data processing and storage. However, compliance is a much broader topic, which is often overlooked. Some may be unaware that compliance applies to all forms of business communication (essentially all of the components of UCC) including: UCC The financial sector has its own set of compliance regulations, which is complicated by the fact that regulations vary from country to country. In 2011, the Financial Services Authority (this body has now become two separate entities - The Financial Conduct Authority and the Prudential Regulatory Authority) extended UK compliance regulations to cover the recording of phone calls. At a European level, the Markets in Financial Instruments Directive (MIFID), which was published in 2007, mandated that records must be kept to enable the reconstruction of each stage of the processing of each transaction. This can be interpreted to include the recording of phone calls, but this requirement is not explicitly stated. Nonetheless, new regulations (MIFID II), which were passed by the European Parliament and Council in 2014 will apply from January 2017 to specifically include call recording. Tip of iceberg There is more to compliance than call recording regulations for the financial sector. For example, there are a number of European regulations which apply to any business handling personal data. These regulations are defined in a number of documents including EU Directive 95/46/EC and summarised in the Handbook on European Data Protection Law. Directive 95/46/EC controls the collection and use of personal data and defines seven principles, including: Personal data may be used only for stated purposes and no other purpose. Personal data must be kept safe and secure from potential abuse, theft or loss. Any organisation processing personal data is responsible for adhering to all seven principles. www.forfusion.com/ucc Telephony Video Instant Messaging (IM) and Presence communication
  • 3. secure communications. solved. supported. Why this matters to Unified Communications & Collaboration The Handbook on European Data Protection Law provides a summary of regulations and quotes article 8 of the European Convention on Human Rights, which is summarised as: a right to protection against the collection and use of personal data. The broad scope of these regulations places a responsibility on all businesses processing personal data to protect that data, and holds that businesses are responsible for breaches regardless of how those breaches are triggered. The growing number of security breaches has led to new proposals for more EU data protection regulation. These include a requirement to report all security breaches within 72 hours. The proposals also establish a public register of all breaches notified. In addition any breach can result in a fine of up to 5% of global annual turnover. The severity of the fine will depend on the level of data protection measures implemented by the offending organisation. It is imperative that all companies, especially those in finance, ensure that adequate security and compliance measures are applied to all information processing systems. As Paul McNulty, former US Deputy Attorney General commented: If you think compliance is expensive, try non compliance. UCCistheintegrationofreal-time,enterprisecommunication services with existing IT applications and services. UCC includes voice and video calls, Instant Messaging and Presenceinformation(showingtheavailabilityofcolleagues). UCC is designed to improve the efficiency of business communication, both internally (within an organisation) and externally (to a business's customers and partners). The full benefits of UCC are realised only when the service is extended beyond the bounds of an organisation’s network to connect remote users on mobile or fixed line devices and to extend the service to third-parties. UCC is implemented on Internet Protocol (IP) networks and can share those networks with: This brings communication services such as voice and video into the IT remit. UCC services will inevitably carry sensitive and personal data, which means that UCC is subject to the same compliance regulations as any other data service. This means that all UCC deployments must be protected with effective security measures. The security and compliance problems are not confined to UCC. Recent reports show that both cellular networks and the global SS7 (signaling system) phone network are vulnerable to attacks that can allow unauthorised monitoring of calls and text messages. The only response to the security problems on mobile and SS7 networks is to recognise that these networks are not secure. Implementing a well-designed and secure UCC system that meets compliance requirements protects all real-time communications. The protocols used to deliver UCC are complex. This complexity plus the real-time requirements of UCC means that the security measures deployed must be tailored to meet UCC specific security threats. Standard data security measures are not sufficient. This includes the loss of data through any IT security breach, meaning that any IT system which includes UCC services is not compliant if it is not protected against attack. www.forfusion.com/ucc Data services Social collaboration platforms Email systems Cloud services & applications
  • 4. secure communications. solved. supported. How to Ensure UCC Compliance Compliance obligations extend beyond the financial sector and are about far more than implementing call recording. Compliance also requires that systems used for information processing are protected against attacks that could result in information leakage and loss of confidentiality with regard personal information. As the EU directive states: If an organisation processes any personal data, which includes basic information such as contact and payment details for customers, then that organisation is responsible for ensuring the safety of this data. The specific financial sector regulations may also apply. In both cases the compliance requirements apply to both data and UCC services the latter including all voice, video and IM communication. Personal data must be kept safe and secure from potential abuse, theft or loss. Compliance for UCC is a process, the key steps in this process are: 1. Understand which of the many regulations apply to your organisation. 2. Audit your UCC and telephony systems to ensure that they are adequately protected from attacks that could lead to the compromise of personal information. This audit should check for both generic network security vulnerabilities and vulnerabilities specific to the protocols used. 3. Review your existing security measures, recognising that most IT data security measures (Firewalls, VPNs etc.) do not adequately protect UCC applications. 4. Review the need for call encryption, particularly for mobile devices used to communicate sensitive information. 5. Review the need for call recording - any financial sector organisation subject to MIFID will need to implement this if not already obliged to do so by other regulations. 6. Implement an effective UCC security system which meets the compliance requirements. Why Choose ? Since 2007, Forfusion has helped some of the most prominent finance houses, government organisations, retail corporations and charities comply with complex regulations whilst simultaneously improving efficiencies and reducing operational expenditure. It’s no wonder Forfusion has a 100% customer retention rate. 0203 727 4610 info@forfusion.com @Forfusion linkedin.com/Forfusion www.forfusion.com/ucc Customer Retention since 2007