Banking and Financial Services

SAVANTURE is the premier security services provider delivering a complete set of cloud security tools and solutions. These solutions can be deployed in a variety of delivery options, including:

  • Genesis5, the industry’s leading security and compliance solution for Banks and Financial Services. The solution leverages SAVANTURE’s cloud-based managed security services platform, proven processes and best practices, and a team of SAVANTURE security experts assigned to each customer. The technology component is SAVANTURE’s In-The-Cloud (ITC) Managed Security Services (MSS) platform, including the Security Information and Event Management Service, Log Management Service, Vulnerability Management Service, and Two Factor Authentication Service. By combining the power of this technology platform with an experienced lead SAVANTURE CISO who acts as your solution and services advocate, you receive the industry’s highest level of protection. Your assigned SAVANTURE CISO manages a team of security engineers and analysts who know and understand your environment. This team, working toward mutually agreed upon goals and priorities, continually tunes the technology infrastructure and refines the defined processes and standards in order to optimize your security posture. In addition, this approach significantly reduces the daily research and workload associated with chasing down alerts, events, and threats. Genesis5 is the single security solution for your entire Enterprise regardless of your application’s location: Cloud, On-Premise or Hybrid.
  • The tools used in Genesis5 are also available individually. SAVANTURE can provide these same great tools used by our CISOs and staff stand-alone, or in any combination. SAVANTURE’s Cloud Managed Security Services include:

SAVANTURE delivers the industry’s most advanced cloud-based Security Software-as-a-Service (SaaS) platform, which allows you to dramatically simplify your business’s approach to governance and security management. Today’s enterprises understand the need to have a robust Governance, Risk and Compliance (GRC) and Security Program in place to protect their business processes and information assets. Often, however, your company’s limited IT, network, and security staff are constantly dealing with today’s tactical problems rather than creating the IT innovations that your company needs to differentiate itself in this high-tech world. Outsourcing security tools such as Security Information and Event Management (SIEM), Vulnerability Management System (VMS), Log Management Service (LMS) and the associated operational responsibility to SAVANTURE cuts costs for your business and allows your staff to perform more meaningful tasks.
Managed Security Service (MSS) monitors Intrusion Detection Systems (IDS), firewalls, servers and business applications and alerts you to threats and security breaches. With SAVANTURE we add incremental levels of human analysis and tuning that you won’t receive with other providers. We continually evaluate the protection level of the network and provide continual tuning and adjustments to reduce risk. We then combine this with a staff of security experts who routinely conduct traffic reviews, event analysis, and rule reviews, and analyze the accuracy of the correlation engines to ensure that you are seeing the optimal alerting value within our platform. Your network is constantly under surveillance so that when attacks occur we reduce the likelihood of an attack becoming a security breach, or reduce its impact, as quickly as possible. This provides the assurance that your business maintains the highest level of protection and is exposed to the lowest level of risk.
Our strategy is not only about delivering the best services in the industry; recognizing that every decision is scrutinized in today’s cost-sensitive world, we must also provide the highest value. At SAVANTURE our strategy is to provide you with efficient, effective and cost-compelling information risk management solutions by seamlessly integrating SAVANTURE’s people, process and technology with your unique business needs. We help your business identify, reduce, and manage information risk to revenue, reputation and regulatory compliance so that you can focus on managing and growing your business. That means we need to understand the regulatory requirements you are subject to today and monitor them on an ongoing basis as your business expands and regulations change.
Specific to Banking and Financial Services, common regulatory requirements include:

  • GLBA/FFIEC
  • Consumer and User Privacy Laws (US State, EU, and other country and geographies)
  • Payment Card Industry (PCI) standards
  • Many entities are also regulated by SOX and HIPAA

Let’s take a quick look at each of these as samples of compliance and regulatory fulfillment:

What Guidance does GLBA/FFIEC Provide?

Much like the string of compliance measures put in place to protect consumers and consumer information, the Gramm-Leach-Bliley Act (GLBA) was established in 1999. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program to:

  • Ensure the security and confidentiality of customer information
  • Protect against any anticipated threats or hazards to the security or integrity of such information
  • Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any consumer

The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms, and to make recommendations to promote uniformity in the federal examination and supervision of financial institutions by:

  • the Federal Reserve System (FRB),
  • the Federal Deposit Insurance Corporation (FDIC),
  • the National Credit Union Administration (NCUA),
  • the Office of the Comptroller of the Currency (OCC),
  • the Consumer Financial Protection Bureau (CFPB),
  • the State Liaison Committee (SLC), added to the Council in 2006 as a voting member, which includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS)

In summary, the FFIEC supports the missions of these agencies by providing extensive, evolving guidelines for compliance. The FFIEC is charged with providing specific guidelines for evaluating institutions for compliance with GLBA, amongst other things. In collaboration, these agencies have developed a series of topical handbooks that provide guidance, address significant technology changes and incorporate a risk-based approach for IT practices in the financial industry.

Specific to IT Security and security controls, ten key areas can be derived from this guidance:

  • Access Control
  • Physical and Environmental Protection
  • Encryption
  • Malicious Code Prevention
  • Systems Development, Acquisition, and Maintenance
  • Personnel Security
  • Data Security
  • Service Provider Oversight
  • Business Continuity Considerations
  • Insurance

How does SAVANTURE help with GLBA compliance?

GLBA defined Control: Information Assurance and Security Plan
Summary of Approach: Develop a plan that follows your strategy, defines control objectives and establishes a clear implementation plan with defined timelines. The security strategy should include controls, processes, policies and metrics that measure your ongoing success.
SAVANTURE Solutions: SAVANTURE’s Genesis5 solution provides ongoing consulting as part of its overall value proposition, including an assigned CISO to help you navigate GLBA and other compliance requirements. In addition, these services can be purchased as stand-alone engagements.

GLBA defined Control: Security Process
Summary of Approach: Implement an ongoing security process and institute appropriate governance for the security functions, assigning clear and appropriate roles and responsibilities to all responsible parties.

GLBA defined Control: Information Security Risk Assessment
Summary of Approach: Maintain an ongoing information security risk assessment program that incorporates assets, data and threats to prioritize risk.

GLBA defined Control: Security Controls Implementation
Summary of Approach: FFIEC outlines the following sample security controls:

  • Restrict access to authorized individuals and devices and disallow access to all others
  • Define physical security zones and implement appropriate preventative and detective controls in each zone
  • Employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit
  • Protect against the risk of malicious code by implementing appropriate controls at the host and network level
  • Ensure that systems are developed, acquired and maintained with appropriate security controls
  • Mitigate the risks posed by internal users (employees, contractors, etc.)
  • Control and protect access to data at rest, including legacy storage (paper, film) and computer-based media, to avoid loss or damage
  • Collect and test security responsibilities for outsourced operations
  • Provide for business continuity and disaster recovery

GLBA defined Control: Security Process Monitoring and Vulnerability Management
Summary of Approach: Financial institutions should continuously review and test the effectiveness of the existing security controls. They should then use that information to update the risk assessment, strategy, and implemented controls.

GLBA defined Control: Security Monitoring
Summary of Approach: Being able to identify real-time threats to the business and your business transactions is paramount. In addition, having easy and quick access to reliable data after the fact for forensics is critical. Ultimately, the combination of these capabilities determines your risk posture and your ability to quickly resolve a security event or deter a threat.

How is your Business impacted by Consumer and User Privacy Laws?

Over the past 10 years the individual states within the USA, as well as member countries of the EU and other countries, have defined strict policies for protecting employee and consumer data. Most of these laws define protected data as some combination of user information that allows a third party to uniquely identify a user. This often includes the user’s name, address, and unique identifiers such as a credit card number, social security number, member number, or, in some regions, even the user’s IP address.
What most businesses don’t recognize is that these laws are not limited to where your business maintains its headquarters, or even, more broadly, where your business physically operates. Rather, all these laws protect the users’ interests, which are most commonly tied to where the user resides. As an example, if you’re a company with a HQ in the US state of North Carolina, with physical offices in Maryland, Florida, and Washington, and with sales made in 47 other states and any European Union country, you fall under privacy law for all 47 US states you have customers in, as well as the European Union. Most businesses do not have the resources to 1) properly evaluate each law and 2) apply the proper reporting and protective measures as outlined by the regulations. SAVANTURE can supplement your capabilities to comply with privacy laws through its CPO services as well as SIEM, LMS, and VMS … and of course Genesis5.

What are the PCI-DSS Requirements?

The Payment Card Industry Data Security Standard (PCI-DSS) mandates that organizations who “hold, process, or pass cardholder information” meet a minimum level of security. PCI-DSS, first released in 2004 and derived from policies developed by American Express, Visa, MasterCard, Discover, and JCB, is a comprehensive worldwide information security standard aimed at any organization that stores credit card data. Today, the standard has expanded its requirements beyond retailers to include banks and third-party processors. PCI-DSS is a relatively comprehensive standard and includes requirements for security management, data protection at rest and in transit, and other critical protective measures that were developed to proactively secure cardholder data and transaction information for consumer privacy. Simply put, PCI-DSS was designed to protect the integrity of the credit card transaction end-to-end, in transit and when stored anywhere along the transaction path.
This is arguably one of the most important regulatory requirements for any business. Why? First, it requires specific audits that vary based on your credit card transaction volume, and the credit card companies are known to validate the audits. Non-compliance with the requirements can result in hefty fines from each of the payment card compliance programs, increased transaction processing fees, financial fines in the hundreds of thousands of dollars and ultimately the suspension of your ability to process credit card transactions. Most businesses cannot operate without accepting credit cards for payment.

How SAVANTURE helps with PCI-DSS compliance

The core goals of PCI, relative to IT security, are 1) decrease the risk of a compromise that results in the unauthorized disclosure of credit card details or impact to the transaction path, 2) be able to identify and rapidly close a weakness in your IT infrastructure or processes that could compromise or result in the disclosure of an individual credit card record or a group of them, 3) have you fulfill PCI-DSS audit requirements and submit results for review, and 4) have your business establish reporting and documentation which demonstrates that you have security and policy programs in place that meet the minimum requirements defined by PCI.
SAVANTURE helps in each of these as follows:

Easy to Implement and Use Authentication

SAVANTURE Two Factor Authentication (2FA) can be used to protect administrative access to internal systems and employee access to the network via VPN or specific applications, and we can provide extremely cost-effective integration with user-facing systems to provide the added level of security that modern-day customers are demanding … and that is more and more commonly becoming a regulatory requirement.

PCI outlines protecting remote access logins with strong authentication. Specifically, section 8.3 says that organizations must:
Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
SAVANTURE allows organizations to easily deploy two-factor authentication using the users’ existing devices. Typically, purchasing and managing hardware tokens makes two-factor authentication prohibitively complicated and expensive. SAVANTURE removes this barrier, giving your company a solution that is manageable, inexpensive and easy-to-use.
Real-time Collection, Management, and Alerting across your IT Infrastructure
The collection, management, and analysis of log and event data are integral elements of meeting both NERC and PCI audit requirements. IT environments consist of heterogeneous devices, systems, and applications, all reporting log data. SAVANTURE provides compliance with these requirements through either or both SIEM and Log Management, depending on the organization’s IT infrastructure. PCI does not explicitly require SIEM; rather, it requires Log Management. Our SIEM, however, fulfills the log management requirements and provides the added advantages of fulfilling multiple compliance requirements and a high degree of real-time protection, all in one platform. If you simply need Log Management Service (LMS), SAVANTURE’s LMS fulfills PCI’s requirements.
Beyond that, the SAVANTURE SIEM ensures compliance with PCI requirements by not only collecting logs (meeting the guidelines for monitoring information systems in real time) but also providing real-time alerting that enables immediate investigation and compliance reporting. This is the difference between definition and intent. The intent of PCI is to protect credit card information and systems. Being aware of threats in real time, you have a clear analysis of the events that are impacting the integrity of the organization’s data. Areas of non-compliance can be identified in real time and mitigated before HIPAA non-compliance occurs.
Identification of Vulnerabilities and Weaknesses across your IT Infrastructure
Understanding where your weaknesses are before they are compromised is a logical approach to decreasing risk. SAVANTURE’s Vulnerability Management Service (VMS) vigilantly probes your Internet-connected systems for vulnerabilities before the hackers can find and exploit them. The service identifies holes in your perimeter protection for any Internet-addressable host. In addition, we scan internally to identify vulnerabilities in the event the perimeter is ever breached or someone locally attempts to compromise a system. New vulnerabilities are discovered every day, and hackers are becoming more adept at exploiting them.
SAVANTURE’s VMS allows us to identify vulnerabilities and weaknesses, target the fix or identify ways to reduce the risk of compromise, and track the progress of the organization’s ability to maintain a lower-risk vulnerability profile.
Organizational Assessments
In addition to the immediate protection provided by SAVANTURE’s products and services, we provide self-driven tools such as the SAVANTURE Self Risk Assessment for PCI, so the means to uncover and address risks are more readily available than ever before. The assessment then provides recommendations to remedy identified risks through practical guidance and best practices. We recommend the assessment be taken annually so you can measure your progress and confirm that compliance controls are maintained through the natural and continuous changes that occur within any organization. For those companies that use SAVANTURE’s CISO services, we will lead this effort and ensure that the proper individuals in the organization take action and that the appropriate follow-up occurs.

What Other Compliance Regulations does SAVANTURE help with?

SOX and HIPAA are common compliance requirements that govern many Healthcare and Hospital Systems. SAVANTURE has a full suite of compliance-oriented solutions with which we can assist you. The good news is that the core platforms for many solutions are the same, so there is minimal effort and expense in leveraging the existing system capabilities to meet these other compliance requirements.
We are here to earn your trust, and your business.

  • SAVANTURE Services are best in class and provide the optimal cost-performance solution in the marketplace, allowing you to focus on your business
  • Best-in-class offerings allow us to protect your revenue, reputation and regulatory compliance better than any other solution in the marketplace
  • Flexibility in deployment methods allows a low-cost entry option, while breadth of services allows you to increase your protection logically over time as threats change and regulatory requirements evolve
  • SAVANTURE allows you to leverage best-in-class stand-alone tools or take advantage of SAVANTURE’s Genesis5
  • Ease of deployment and ease of use while always being cost-effective, reliable, and secure
CONTACT US and we can answer any questions or get you started now.