Security and Compliance for Financial Services
Automating regulatory compliance assurance, audit control, and asset protection in private clouds
“If I had Catbird last year, it would have saved us $2,000,000 in audit costs.” CISO at Top 10 Financial Institution
Financial services institutions are among the most heavily regulated in the world. Laws and regulations covering this sector govern many aspects of business operations. The Sarbanes-Oxley Act (SOX) requires strict controls for IT systems used to process financial information for auditors and public reports. The Gramm-Leach-Bliley Act (GLBA) requires protection of sensitive consumer financial and account data. The PCI Data Security Standard requires protection of consumer cardholder data. The Health Insurance Portability and Accountability Act (HIPAA) requires protection of personally identifiable health data. And there are many others. Financial institutions have implemented many IT security controls to address these requirements, but there’s a new requirement that traditional IT controls are unable to address with certainty: protecting sensitive data in the cloud.
Challenges of Compliance for Virtual Environments
Most financial institutions are rapidly adopting virtualization technology for hardware consolidation, reducing costs and speeding deployment of applications. The use of virtualization to create private clouds, however, also poses challenges for security and compliance. Traditional physical security components, which are usually deployed at the network edge, find it difficult if not impossible to effectively monitor and control virtual components. This complicates virtual data protection, makes continuous monitoring difficult, and prevents the deterministic enforcement of policies in the cloud for compliance. For these reasons, it is vital for financial institutions using virtual technology to adopt a tool like Catbird to protect cardholder data within that environment.
Benefits of Catbird for Compliance
Catbird is a unique solution engineered to automate seamless, comprehensive security and compliance for organizations with sensitive data in virtual environments. Catbird provides three major benefits:
- Segments Environments with Sensitive Data: Catbird enables easy segmentation of sensitive data in a virtual environment with its logical zoning container called a TrustZone. By dragging and dropping virtual assets into Catbird TrustZones®, the assets automatically inherit the security policies set for the containers (similar to how Microsoft Active Directory assigns policies to its objects).
- Automatically Maps & Manages All Virtual Assets: With TrustZones, Catbird provides precise visibility and management of all virtual networks, network devices and system components. This includes a perfect inventory of all assets as they are turned on or off in the dynamic virtual environment – including mapping capability that diagrams all sensitive data flows across systems and networks.
- Automatically Enforces & Documents Compliance Policies: Security policies are automatically assigned by Catbird to all virtual assets placed in TrustZones, which enables the solution to automatically and deterministically enforce those policies to protect cardholder data wherever it may be processed, stored or transmitted in the virtual environment. For example, Catbird automatically executes virtual firewall policies such as blocking, alerting and quarantining according to the respective regulatory framework. Catbird uses the same control frameworks as auditors, so its virtual network diagrams, Net Flow maps and operational reports instantly provide “audit-ready” documentation whenever you need it.
How Catbird Helps Businesses Meet Audit Requirements
Catbird maps the compliance posture of a virtual data center to PCI security controls and produces real-time audit diagrams.
Catbird automatically maps its security and enforcement policies to frameworks relevant to financial institutions, including:
- Control Objectives for Information and Related Technology (COBIT), used for Sarbanes-Oxley Act (SOX) and Gramm-Leach-Bliley Act (GLBA) compliance.
- Payment Card Industry (PCI) Data Security Standard (DSS) v3.0, used for PCI compliance.
- The U.S. Dept. of Health and Human Services Privacy and Security Framework, used for Health Insurance Portability and Accountability Act (HIPAA) compliance.
These policies are automatically assigned by Catbird to all virtual assets placed in TrustZones, which enables the solution to automatically and deterministically enforce those policies and protect sensitive data wherever it may be processed, stored or transmitted in the virtual environment.
Catbird uses the same control frameworks as auditors, so its virtual network diagrams, Net Flow maps and operational reports instantly provide “audit-ready” documentation whenever you need it.
Learn More About Catbird and Compliance Requirements
- From ISACA (formerly the Information Systems Audit and Control Association)
- From the PCI Security Standards Council
- From the U.S. Dept. of Health and Human Services: Privacy and Security Framework - Overview