How To Manage Data Confidentiality And Security?

Today when ONLINE is the buzz it is extremely important to have data security and privacy in place for your office. Many times, this is Greek and Latin to practicing financial planners as they don’t have the domain knowledge of the subject.

As a financial planner you are signing the confidentiality agreements with your customers. It can be a part of either “Letter of Engagement” or a separate agreement. But what needs to be done at the back end?

Here are some simple data security, Business continuity plan (BCP) and Disaster Recovery (DR) concepts and measures which are very important and can be implemented in your practice.

Information Security

Financial planners will always have information of the client which is very confidential and sensitive in nature. The complete practice revolves around Confidentiality, Integrity and Availability of the data to authorized people only.

Here are important steps

1. ‘Identify’ critical IT assets and risks associated with such assets,
2. ‘Protect’ assets by deploying suitable controls, tools and measures,
3. ‘Detect’ incidents, anomalies and attacks through appropriate monitoring tools/processes,
4. ‘Respond’ by taking immediate steps after identification of the incident, anomaly or attack,
5. ‘Recover’ from incident through incident management, disaster recovery and business continuity framework.

So how can financial planners implement this in his / her office? Let’s look at it in a step by step manner.

a) Identify -This exercise is very critical. You need to identify the critical IT assets. This will consist of things like your hardware assets (Desktop machine / Laptops/pen drives / mobile phones etc.), software used (e.g. Microsoft office, any third-party software), details of network resources (your internal as well as external connections) and data flows (Internal data / Data on the cloud) etc. One needs to ensure security at all these levels

b) Protect – How will you protect these assets?

• Physical Security: This requires the protection of the assets physically. This involves protection of all these assets by deploying features like restricted physical access to your systems, protecting it from perils like fire, flood and more, protecting it from physical theft. The solutions involve different measures like lock and key, biometric physical access control to core area anti-fire systems (Detections and prevention of fire), installation of anti-theft systems, cameras etc.

• What is the chance that your hard disk gets damaged due to electrical fluctuation and lose all your data? So, it is important to protect it from electrical glitches. One should always deploy good stabilizers / UPS to be safe from such mishap.

• Restrict Printing. Generally, financial planners have very confidential data like pan card / Aadhaar card/bank statements etc. It is always best practice to print these documents if necessary. You are confident that you or your staff is going to use the printed copy diligently but printouts should not go to unauthorized access. (This may lead to identity theft). So even if extra copies are printed by error please shred those using shredder. This aspect is generally the most neglected aspect

• Logical security

1. You need to deploy an official version of the operating systems. When you buy the official version of the operating system, you will get regular updates (patches) which will close the loopholes which are there in the current operating system. Thus, this would ensure that the latest security features are maintained in your system.

2. The next biggest threat is that you may lose the data due to virus attacks. You will always need a very good antivirus deployed in your machines and ensure that it is updated on daily basis. A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users’ systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. The antivirus will also protect your data from trojans and malwares.

3. What if someone copies data from your machine? For this, you need to ensure the restricted access to your computers, USB drive, and emails. You can restrict access to a machine with simple solutions like username password to complex access control like RFID cards / Biometric authentication etc. USB drive protection can be done using antivirus solutions. One should always use 2-factor authentications while accessing emails. (Like password + OTP). You can also restrict access to your pen drive by giving a password to access anything on the pen drive. Nowadays pen drives come with such security features.

4. Are you using any cloud-based software? The biggest advantage that it is accessible from anywhere but is also the biggest disadvantage as far as security is concerned. To handle this risk, ensure that access to cloud/website etc. is in a secured manner (One can install SSL certificate so that encrypted communication happens over the internet. i.e. https) Most of the clouds have this inbuilt security feature but you need to ensure it. Also, you can restrict the access to the cloud only from your office by implementing IP based access to your cloud.  (For this feature you must buy static IP / fixed IP address from your internet service provider and restrict the access to the cloud only from that IP address). Once you have static IP address you must deploy good firewall so that nobody can enter your network in an unauthorized manner from outside.

5. If you are using wireless internet / Wi-fi etc. ensure that it is separate from your internal network access and always give secured access to your clients if they need connectivity to the internet when they visit your office.

c) Detect – incidents and anomalies. Unfortunately, if any incident happens one needs to detect it immediately. One can do regular scans or auto scans which can be initiated automatically at regular intervals. Also, observe the firewall and system logs on your machines.

d) Respond – to incidents and anomalies. As soon as there is any incident happening you need to take corrective action immediately. This will help to mitigate the effects by such incidents and protect the information resources from future unauthorized access, use or damage.

e) Recover – Once any incident happens you must restore the operations seamlessly and quickly. Data backup plays a very important role. You can have simple solutions like an auto backup at regular intervals to sophisticated solutions like SAN, NAS or cloud-based backups. Storage area networks (SANs) and network-attached storage (NAS) both provide networked storage solutions. A NAS is a single storage device that operates on data files, while a SAN is a local network of multiple devices. The latest cloud-based backups store your data in a secured manner at remote places which is other than your office. This enables you to quickly start your operations even if your office is inaccessible due to some events like fire, flood, earthquake etc.

Summary:

• Build and Maintain a Secure Network.
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
• Have systems which will help you to continue business and recover from any disaster quickly

This write up is to give you a brief idea about Data security, Business continuity plan (BCP) and Disaster Recovery (DR) concepts. The back-end technology used is continuously evolving and changing very fast. You can outsource this to your computer/software vendor as it requires technical skills to detect understand and take corrective measures if needed.

---