SAVANTURE is the premier security services provider with a complete set of cloud security tools and solutions to support a variety of delivery options ranging from:

  • Genesis5 for Banking and Financial Services is an in-the-cloud toolset platform that integrates SAVANTURE’s In-The-Cloud (ITC) Managed Security Services (MSS), including Security Information Element Management Service, Log Management Service, Vulnerability Management System, and Two Factor Authentication service. It is paired with an experienced lead SAVANTURE CISO, who acts as your services advocate and program manager, and an assigned team of engineers and an analyst who continually tune the infrastructure to optimize your security posture and reduce the daily research and chasing down of events and threats. Genesis5 is a single security solution for your entire Enterprise regardless of your applications’ location (Cloud, On-Premise or Hybrid), combined with an expert security team continually tuning your system and reviewing your security posture.
  • SAVANTURE in the Cloud security tools for your specific needs are also available individually. SAVANTURE can provide the same great tools used by our CISOs and staff standalone, or in any combination. The Cloud Managed Security Services include:
  • And for the rare situation that you need customization we offer Consulting Services

SAVANTURE delivers the industry’s most advanced cloud-based Security-as-a-Service platform, which allows you to dramatically simplify your business’s approach to governance and security management. Today’s enterprises understand the need to have a robust Governance, Risk and Compliance (GRC) and Security Program in place to protect their business processes and information assets. Often, however, your company’s limited IT, network, and security staff are constantly dealing with today’s tactical problems rather than creating the IT innovations that your company needs to differentiate itself in this high tech world. Outsourcing security tools such as Security Information and Event Management (SIEM), Vulnerability Management System (VMS), Log Management Service (LMS) and associated tools to an In-The-Cloud (ITC) Managed Security Service Provider (MSSP) cuts costs for your business and allows your staff to perform more meaningful tasks.

Managed Security Service (MSS) monitors Intrusion Detection Systems (IDS), firewalls, servers and business applications, and alerts based on threats and security breaches. With MSS, your network is constantly under surveillance so that attacks and security breaches can be stopped in progress. We then combine this with a staff of security experts who routinely conduct traffic reviews, event analysis, and rule reviews, and analyze the accuracy of the correlation engines to ensure that you are seeing the optimal alerting value within our platform. This provides the assurance that your business maintains the highest level of protection and you are exposed to the lowest level of risk.

At SAVANTURE our strategy is to provide you with efficient, effective and cost-effective information risk management solutions by seamlessly integrating SAVANTURE’s people, process and technology with your unique business needs. We help your business identify, reduce, and manage information risk to revenue, reputation and regulatory compliance so that you can focus on managing and growing your business. That means we need to understand the regulatory requirements you are subject to today and monitor them on an ongoing basis as your business expands and regulations change.
Specific to Banking and Financial Services, common regulatory requirements include:

  • GLBA/FFIEC
  • Consumer and User Privacy Laws (US State, EU, and other country and geographies)
  • Payment Card Industry (PCI) standards
  • Entities are often also regulated by SOX and HIPAA

Let’s take a quick look at each of these as sample compliance and regulatory fulfillment:

What Guidance does GLBA/FFIEC Provide?

Much like the string of compliance measures put in place to protect consumer information, and consumers, the Gramm-Leach-Bliley Act (GLBA) was established in 1999. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program to:

  • Ensure the security and confidentiality of customer information
  • Protect against any anticipated threats or hazards to the security or integrity of such information
  • Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any consumer

The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms and to make recommendations to promote uniformity in the supervision of financial institutions for the federal examination of financial institutions by:

  • the Federal Reserve System (FRB),
  • the Federal Deposit Insurance Corporation (FDIC),
  • the National Credit Union Administration (NCUA),
  • the Office of the Comptroller of the Currency (OCC),
  • the Consumer Financial Protection Bureau (CFPB),
  • the State Liaison Committee (SLC), added to the Council in 2006 as a voting member, includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS)

In summary, the FFIEC supports the missions of these agencies by providing extensive, evolving guidelines for compliance. The FFIEC is charged with providing specific guidelines for evaluating institutions for compliance with GLBA, amongst other things. In collaboration, these agencies have developed a series of topical handbooks that provide guidance, address significant technology changes and incorporate a risk-based approach for IT practices in the financial industry.

As a critical technology service provider, SAVANTURE undergoes periodic examinations by the member agencies, as well as a review of all our facilities undergoing an audit and providing an annual Statement on Auditing Standard (SSAE 16) Type II audit (this replaced SAS70).

Specific to IT Security and Security controls, there are 10 key areas that can be derived:

  • Access Control
  • Physical and Environmental Protection
  • Encryption
  • Malicious Code Prevention
  • Systems Development, Acquisition, and Maintenance
  • Personnel Security
  • Data Security
  • Service Provider Oversight
  • Business Continuity Considerations
  • Insurance

How SAVANTURE helps with GLBA compliance?

GLBA defined Control | Summary of Approach | SAVANTURE Solutions

Information Assurance and Security Plan

Develop a plan that follows your strategy that defines control objectives and establishes a clear implementation plan with defined timelines. The security strategy should include controls, processes, policies and metrics that measure your ongoing success.

 

SAVANTURE’s Genesis5 solution provides ongoing consulting as part of its overall value proposition, including an assigned CISO to assist navigating you through GLBA, and other compliance requirements. In addition, these services can be purchased as stand-alone engagements.

Security Process

Implement an ongoing security process and institute appropriate governance for the security functions, assigning clear and appropriate roles and responsibilities to all responsible parties.

Information Security Risk Assessment

Maintain an ongoing information security risk assessment program that incorporates assets, data and threats to prioritize risk.

Security Controls Implementation

The FFIEC outlines the following sample security controls to:

  • Restrict access to authorized individuals and devices and to disallow access to all others
  • Define physical security zones and implement appropriate preventative and detective controls in each zone
  • Employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit
  • Protect against the risk of malicious code by implementing appropriate controls at the host and network level
  • Ensure that systems are developed, acquired and maintained with appropriate security controls
  • Mitigate the risks posed by internal users (employees, contractors, etc.)
  • Control and protect access to data at rest including legacy storage (paper, film) and computer-based media to avoid loss or damage
  • Collect and test security responsibilities for outsourced operations
  • Provide for business continuity and disaster recovery

Security Process Monitoring and Vulnerability Management

Financial institutions should continuously review and test the effectiveness of the existing security controls.  They should then use that information to update the risk assessment, strategy, and implemented controls.

Security Monitoring

Being able to identify any real-time threats to the business and your business transactions is paramount. In addition, being able to have easy and quick access to reliable data after the fact for forensics is critical. Ultimately, the combination of these capabilities determines your risk posture and ability to quickly resolve a security event or deter a threat.

How is your Business impacted by Consumer and User Privacy Laws?

Over the past 10 years the individual states within the USA, as well as member countries of the EU and other countries have defined strict policies for protecting employee and consumer data. Most often this has a basic requirement that provides for some combination of user information that allows a third party to uniquely identify a user. This often includes the user’s name, address, unique identifiers such as a credit card number, social security number, member number, or in some regions, even the user’s IP address.

What most businesses don’t recognize is that these laws are not limited to where your business maintains its headquarters, or even more broadly where your business physically operates. Rather, all these laws protect the users’ interest, which is most commonly tied to where the user has a residence. As an example, if you’re a company with a HQ in the US state of North Carolina with physical offices in Maryland, Florida, and Washington, with sales made in 47 other states and any European Union country, you fall under privacy law for all 47 US states you have customers in, as well as the European Union. Most businesses do not have the resources to 1) properly evaluate each law and 2) apply the proper reporting and protective measures as outlined by the regulations. SAVANTURE can supplement your capabilities to comply with privacy laws through its CPO services as well as SIEM, LMS, and VMS … and of course Genesis5.

What are the PCI-DSS Requirements?

The Payment Card Industry Data Security Standards (PCI-DSS) mandate that organizations who "hold, process, or pass cardholder information" meet a minimum level of security. PCI-DSS, first released in 2004, from policies developed by American Express, Visa, MasterCard, Discover, and JCB, is a comprehensive worldwide information security standard aimed at any organization that stores credit card data. Today, the standard has expanded requirements beyond the retailers to include banks and third-party processors. PCI-DSS is a relatively comprehensive standard and includes requirements for security management, data protection at rest and in transit, and other critical protective measures that were developed to proactively secure cardholder data and transaction information for consumer privacy. Simply put, PCI-DSS was designed to protect the integrity of the credit card transaction from end-to-end in transit and when stored anywhere along the transaction path.

This is arguably one of the most important regulatory requirements for any business. Why? First, they require specific audits that vary based on your credit card transaction volume and the credit card companies are known to validate the audits. Non-compliance with the requirements can result in hefty fines from each of the payment card compliance programs, increased transaction processing fees, financial fines in the hundreds of thousands of dollars and ultimately to the suspension of your ability to process credit card transactions. Most businesses cannot operate without accepting credit cards for payment.

How SAVANTURE helps with PCI-DSS compliance.

The core goals of PCI, relative to IT security, are 1) decrease the risk of a compromise that results in the unauthorized disclosure of credit card details or impact to the transaction path, 2) be able to identify and rapidly close a weakness in your IT Infrastructure or processes that could compromise or result in the disclosure of an individual credit card record or a group of records, 3) have you fulfill PCI-DSS audit requirements and submit results for review, and 4) have your business establish reporting and documentation which demonstrates you have security and policy programs in place that meet the minimum requirements defined by PCI.
SAVANTURE helps in each of these as follows:

Easy to Implement and Use Authentication

SAVANTURE 2FA can be used to protect administrative access to internal systems, employee user access to the network via VPN or specific applications and we can provide extremely cost-effective integration with user-facing systems to provide the added level of security that modern day customers are demanding … and more and more commonly becoming a regulatory requirement.

PCI outlines protecting remote access logins with strong authentication. Specifically, section 8.3 says that organizations must:
Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

SAVANTURE allows organizations to easily deploy two-factor authentication using the users’ existing devices. Typically, purchasing and managing hardware tokens makes two-factor authentication prohibitively complicated and expensive. SAVANTURE removes this barrier, giving your company a solution that is manageable, inexpensive and easy-to-use.

Real-time Collection, Management, and Alerting across your IT Infrastructure

The collection, management, and analysis of log and event data are integral elements of meeting both NERC and PCI audit requirements. IT environments consist of heterogeneous devices, systems, and applications, all reporting log data. SAVANTURE provides compliance with these requirements through either or both SIEM and Log Management, depending on the organization’s IT Infrastructure. PCI does not explicitly require SIEM; rather, it requires Log Management. Our SIEM, however, fulfills the log management requirements and provides the added advantages of fulfilling multiple compliance requirements and a high degree of real-time protection all in one platform. If you simply need Log Management Service (LMS), SAVANTURE’s LMS fulfills PCI’s requirements.

However, the SAVANTURE SIEM ensures compliance with PCI requirements by not only collecting logs (meeting the monitoring information systems in real-time guidelines) but also providing real-time alerting, enabling immediate investigation and compliance reporting. This is the difference between definition and intent. The intent of PCI is to protect credit card information and systems. Being aware of threats in real-time, you have a clear analysis of events that are impacting the integrity of the organization’s data. Areas of non-compliance can be identified in real-time and mitigated before HIPAA non-compliance occurs.

Identification of Vulnerabilities and Weaknesses across your IT Infrastructure

Understanding where your weaknesses are before they are compromised is a logical approach to decreasing risk. SAVANTURE’s Vulnerability Management Service (VMS) vigilantly probes your Internet-connected systems for vulnerabilities before the hackers can find and exploit them. The service identifies holes in your perimeter protection to any Internet-addressable host. In addition, we scan internally to identify vulnerabilities in the event the perimeter is ever breached or someone locally attempts to compromise a system. New vulnerabilities are discovered every day and hackers are becoming more adept at exploiting these security vulnerabilities.

SAVANTURE’s VMS allows us to identify vulnerabilities and weaknesses, target the fix or identify ways to reduce risk of compromise, and track the progression of the organization’s ability to maintain a lower risk vulnerability profile.

Organizational Assessments

In addition to the immediate protection provided by SAVANTURE’s products and services, we provide self-driven tools like the SAVANTURE Self Risk Assessment for PCI, so the means to uncover and address risks are more readily available than ever before. The assessment then provides recommendations to remedy identified risks through practical guidance and best practices. We recommend the assessment be taken annually so you can measure your progress and confirm that compliance controls are maintained through the natural and continuous changes that occur within any organization. For those companies that use SAVANTURE’s CISO services, we will lead this effort and ensure the proper individuals in the organization take action and that the appropriate follow-up occurs.

What Other Compliance Regulations does Savanture help with?

SOX and HIPAA are common compliance requirements many Healthcare and Hospital Systems are governed by. SAVANTURE has a full suite of compliance oriented solutions that we can assist you with. The good news is the core platforms for many solutions are the same, so there is minimal effort and expense in leveraging the existing system capabilities to meet these other compliance requirements.

Learn about our company, read what media and analysts have to say about SAVANTURE, or find open positions and become part of our team.
We are here to earn your trust, and your business. 

 

  • SAVANTURE Services are best in class and provide the most optimal cost performance solution in the marketplace allowing you to focus on your business
  • Best in class offerings allow us to protect your revenue, reputation and regulatory compliance better than any other solution in the marketplace
  • Flexibility in deployment methods allows a low cost entry option, while breadth of services allows you to increase your protection logically over time as threats change and regulatory requirements evolve
  • SAVANTURE allows you to leverage best in class or take advantage of SAVANTURE’s Genesis5
  • Ease of deployment and ease of use while always being cost-effective, reliable, and secure
CONTACT US and we can answer any questions or get you started now.