Taking Pride in our Information Security Standards
By Dave Gaull, Chief Operating Officer and Chief Information Security Officer
When working with our financial institution clients, information security is unquestionably our highest priority. Data breaches, which continue to be reported as the biggest cybersecurity concern, cost U.S. businesses, on average, $8.19 million in 2019. At MKP, we take our responsibility to safeguard our clients’ data extremely seriously.
Financial institutions in particular have a legal obligation to protect customer information under the GLBA Safeguards Rule (16 CFR Part 314). The Safeguards Rule requires financial institutions to have controls in place that keep customer information secure. In addition to implementing their own safeguards, financial institutions must take steps to ensure that their affiliates and service providers safeguard customer information while in their care. At MKP, we are proud to uphold the highest information security standards. Read on to learn more about some of the vital measures MKP takes to protect data.
Information Security Policy (ISP)
MKP’s ISP covers all MKP computing assets used to store or transmit company information. It also applies to any user accessing the system or otherwise interacting with the system. The purpose of the ISP is to establish approved practices for protecting confidential information and digital assets. It sets forth guidelines for accessing and utilizing company information systems and establishes an appropriate response plan to address security incidents.
The Policy and rules contained within it establish a commitment to maintaining data availability and accuracy. They form the groundwork for an ongoing process of improving security through prudent controls, constant monitoring and thorough and expedient incident management.
MKP management endorses the policy and its directives and is responsible for enforcing it. Management reviews our ISP multiple times throughout the year, and wherever possible, systems and procedures are modified, updated, and enhanced to further minimize all risks. Over the past decade, security threats have increased significantly, and so has the breadth and depth of the protection we deploy. As a result, MKP’s ISP has grown from five pages in 2006 to 18 pages in its current form.
As part of our efforts to continuously strengthen the protections we have in place, in 2020, MKP will be adding several new technical controls:
- Penetration testing of our network
- Data Loss Prevention (DLP) to protect and secure confidential data across multiple platforms
- Mobile Device Management (MDM) to add security to smartphones, tablets and other endpoints
MKP’s Information Security Officer is tasked with advising its President of regulations with which the company must comply and reporting any potential or explicit security risks. As set forth in the policy, he or she informs the President of any steps that can be taken to mitigate security risks. MKP’s IT Director is responsible for the management of the network and provisioning equipment in strict adherence to the guidelines set forth and implementing secure settings and procedures that support the ISP. The IT Director supports the Information Security Officer in making decisions on technology-related security issues.
System and Organization Controls (SOC) reporting allows financial institutions to evaluate the protections that service providers have in place.
SOC reports are governed by standards issued by the American Institute of CPAs (AICPA) and apply to service organizations that offer services such as software as a service, cloud computing, and data hosting. A service organization provides services to other entities and maintains system and organization controls that make up its internal control environment.
SOC audits and reports play a role in a company’s:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
To maintain the protection of our clients’ customer information, MKP’s production partner undergoes an annual SOC audit. MKP reviews the audit to ensure compliance with regulations and protection of client confidential information.
An independent CPA firm, guided by AICPA standards for SOC audits, conducts the audit and provides a report to the service group and, occasionally, other stakeholders such as regulators or financial statement auditors.
MKP classifies Non-public Personal Information (NPI) as any data file that contains personally identifiable information, including name/address and at least one of the following:
- Tax ID
- Account number
- Account balance
- Transactional information
When we think about protecting NPI, we ensure it is always protected in any of the states in which it may exist: during transmission, at rest, and while in use.
Files containing NPI are transferred securely using encrypted methods:
- Connecting to a remote server using Secure File Transfer Protocol (SFTP)
- Sending files using secure email
Files containing NPI must be encrypted and stored in a secure environment, protected by:
- Physical security measures to control the work environment
- Technical controls to limit access to NPI
- Administrative controls: written policies, procedures, and training
As a partner to our financial institution clients for over 25 years, we understand the consequential risks inherent in working with customer data and communicating sensitive account information. As such, MKP is always seeking to enhance and improve our information security standards. Our efforts to strengthen our information security standards and policies never cease, and we’re proud to have gained and maintained the hard-earned trust of clients who likewise view their information security responsibility with the utmost seriousness.