Compliance in Unified Communications & Collaboration: The Financial Sector
White Paper
secure communications. solved. supported.
There are two topics that every Chief Information Security Officer (CISO) should consider:
1. How to address the growing demand for Unified Communications & Collaboration (UCC).
2. How to ensure that the organisation's compliance obligations are met.
Responsibility for compliance extends beyond the CISO to the entire board. These issues are linked because any UCC implementation affects the deploying organisation's compliance status. This white paper examines UCC compliance issues and how organisations can realise the benefits of UCC without compromising their compliance status by implementing the correct security controls.
Compliance
When compliance is discussed in the context of
Information Technology (IT), most think of the myriad of
financial sector regulations which apply to data
processing and storage. However, compliance is a much
broader topic, which is often overlooked.
Some may be unaware that compliance applies to all forms of business communication (essentially all of the components of UCC), including:
- Telephony
- Video
- Instant Messaging (IM) and Presence communication

The financial sector has its own set of compliance regulations, which is complicated by the fact that regulations vary from country to country.

In 2011, the Financial Services Authority (this body has now become two separate entities: the Financial Conduct Authority and the Prudential Regulatory Authority) extended UK compliance regulations to cover the recording of phone calls. At a European level, the Markets in Financial Instruments Directive (MIFID), which was published in 2007, mandated that records must be kept to enable the reconstruction of each stage of the processing of each transaction. This can be interpreted to include the recording of phone calls, but this requirement is not explicitly stated.

Nonetheless, new regulations (MIFID II), which were passed by the European Parliament and Council in 2014, will apply from January 2017 and specifically include call recording.

Tip of the iceberg
There is more to compliance than call recording regulations for the financial sector. For example, there are a number of European regulations which apply to any business handling personal data.

These regulations are defined in a number of documents, including EU Directive 95/46/EC, and are summarised in the Handbook on European Data Protection Law.

Directive 95/46/EC controls the collection and use of personal data and defines seven principles, including:
- Personal data may be used only for stated purposes and no other purpose.
- Personal data must be kept safe and secure from potential abuse, theft or loss.

Any organisation processing personal data is responsible for adhering to all seven principles.
Why this matters to Unified Communications & Collaboration
The Handbook on European Data Protection Law
provides a summary of regulations and quotes article 8
of the European Convention on Human Rights, which is
summarised as: a right to protection against the
collection and use of personal data.
The broad scope of these regulations places a responsibility on all businesses processing personal data to protect that data, and holds that businesses are responsible for breaches regardless of how those breaches are triggered. This includes the loss of data through any IT security breach, meaning that any IT system which includes UCC services is not compliant if it is not protected against attack.

The growing number of security breaches has led to new proposals for more EU data protection regulation. These include a requirement to report all security breaches within 72 hours. The proposals also establish a public register of all breaches notified. In addition, any breach can result in a fine of up to 5% of global annual turnover. The severity of the fine will depend on the level of data protection measures implemented by the offending organisation.

It is imperative that all companies, especially those in finance, ensure that adequate security and compliance measures are applied to all information processing systems. As Paul McNulty, former US Deputy Attorney General, commented:

“If you think compliance is expensive, try non-compliance.”

UCC
UCC is the integration of real-time enterprise communication services with existing IT applications and services. UCC includes voice and video calls, Instant Messaging and Presence information (showing the availability of colleagues). UCC is designed to improve the efficiency of business communication, both internally (within an organisation) and externally (to a business's customers and partners). The full benefits of UCC are realised only when the service is extended beyond the bounds of an organisation’s network to connect remote users on mobile or fixed line devices and to extend the service to third parties.

UCC is implemented on Internet Protocol (IP) networks and can share those networks with:
- Data services
- Social collaboration platforms
- Email systems
- Cloud services & applications

This brings communication services such as voice and video into the IT remit. UCC services will inevitably carry sensitive and personal data, which means that UCC is subject to the same compliance regulations as any other data service. This means that all UCC deployments must be protected with effective security measures.

The security and compliance problems are not confined to UCC. Recent reports show that both cellular networks and the global SS7 (Signalling System No. 7) phone network are vulnerable to attacks that can allow unauthorised monitoring of calls and text messages.

The only response to the security problems on mobile and SS7 networks is to recognise that these networks are not secure. Implementing a well-designed and secure UCC system that meets compliance requirements protects all real-time communications.

The protocols used to deliver UCC are complex. This complexity, plus the real-time requirements of UCC, means that the security measures deployed must be tailored to meet UCC-specific security threats. Standard data security measures are not sufficient.
How to Ensure UCC Compliance
Compliance obligations extend beyond the financial
sector and are about far more than implementing call
recording.
Compliance also requires that systems used for information processing are protected against attacks that could result in information leakage and loss of confidentiality with regard to personal information. As the EU directive states:

“Personal data must be kept safe and secure from potential abuse, theft or loss.”

If an organisation processes any personal data, which includes basic information such as contact and payment details for customers, then that organisation is responsible for ensuring the safety of this data. The specific financial sector regulations may also apply. In both cases the compliance requirements apply to both data and UCC services, the latter including all voice, video and IM communication.
Compliance for UCC is a process. The key steps in this process are:
1. Understand which of the many regulations apply to your organisation.
2. Audit your UCC and telephony systems to ensure that they are adequately protected from attacks that could lead to the compromise of personal information. This audit should check for both generic network security vulnerabilities and vulnerabilities specific to the protocols used.
3. Review your existing security measures, recognising that most IT data security measures (firewalls, VPNs etc.) do not adequately protect UCC applications.
4. Review the need for call encryption, particularly for mobile devices used to communicate sensitive information.
5. Review the need for call recording: any financial sector organisation subject to MIFID will need to implement this if not already obliged to do so by other regulations.
6. Implement an effective UCC security system which meets the compliance requirements.
Why Choose Forfusion?
Since 2007, Forfusion has helped some of the most prominent finance houses,
government organisations, retail corporations and charities comply with complex
regulations whilst simultaneously improving efficiencies and reducing operational
expenditure. It’s no wonder Forfusion has a 100% customer retention rate.
0203 727 4610 info@forfusion.com @Forfusion linkedin.com/Forfusion www.forfusion.com/ucc