Data Access Security Compliance for Financial Services

Payment card data

Finance professionals have access to payment card data

Customer data

Financial professionals have access to this

Other data

Financial professionals don’t have access to any data

Level of access

Percent of finance workers who believe they have a level of access which is greater than necessary

Monitoring specific file access

Finance workers are aware of their organization monitoring or tracking access to specific files and folders

Monitoring specific actions

Finance workers are aware of their organization monitoring specific actions (copying, moving, deleting) when accessing specific files and folders

* Research with finance workers in the US and UK (250 in each)

What are finance organizations doing to ensure employees have only the necessary access to sensitive data?

It is hard to imagine anything more important than data in the financial industry. The very reputation of financial organizations rests on their promise and their ability to protect customers’ personal and financial information. As well as setting up security protocols to protect the physical network itself, measures should be taken to ensure that sensitive data does not fall into the wrong hands, intentionally or otherwise.

Having access to data

From employee’s personal data to customers’ credit card and bank account numbers, protecting sensitive data should be top of the organizations’ security policies. In line with this, the US Federal Trade Authority (FTC) published Start with Security, a document on how organizations manage and monitor access to sensitive data. Our research shows us that 79% of finance personnel have access to payment card data and 29% have access to customer data.

In the UK, the FCA complies with the regulation the Data Protection Act on the use of personal data and the appropriate security arrangements to be in place to protect and manage rights to access this sensitive data. More than a third (37%) have access to payment card data with a lower number of 14% having access to customer data.

Accessing only necessary information

Not every employee needs unrestricted access to the network. Controls should be put in place to make sure that employees have the right access for them to do their work effectively. Both the FTC and FCA support the need for financial organizations to ensure that they have procedures in place to ensure that employees can only access information that they need to. Our research shows that 87% (US) and 83% (UK) think that they the data they have access to is necessary for their role. However, it was worrying to see that 17% (US) and 14% (UK) believe that they have a level of access that is greater than necessary.

A good start is to create access controls on networks that will prevent files from being accessed by unauthorised personnel. Then consider how to further protect sensitive data using secure passwords.

Monitoring file access

Once organizations have ensured that their users’ actions are identifiable the next step will be to monitor these actions. The research identified that only 34% (US) and a lower 20% (UK) are aware that their organization monitors access to files and folders. Some organizations may be monitoring employees file access activities without their knowledge, however, mostly this is done as a precaution to protect company data and minimise loss.

Navigation

Introduction
Financial services user security compliance checklist
Part 1: Executive summary
Part 2: On-boarding new employees
Part 3: Security training, awareness and procedure
Part 4: Network access
Part 5: Data access and necessity
Part 6: Moving jobs or roles

Check if you are compliant

A guide to US and UK financial services access security compliance

Data access and necessity