Block-Purchase-Pipeline--Third-Party-Insurance-Administrator-of-块购买管道第三方保险管理员-精选课件.ppt

1、Data Security:A RoadmapDodi Iverson,Executive Vice PresidentDRIASIRichard Bellanca,Senior Vice PresidentBank of America CorporationBank of AmericaOver 38 million consumer&small business relationshipsOver 5,800 retail banking officesOver 16,700 ATMsOver 14.7 million active online usersNo.1 overall Sm

2、all Business Administration lender in the USBank of America Corporation stock(ticker:BAC)is listed on the New York Stock ExchangeHigher StandardsInsurance Services GroupLine of business within Global Consumer&Small Business BankingProducts Include:qCredit Protection ProductsqLoan Protection Products

3、qTerm Life InsuranceqAccidental Death&DisabilityqHealth Savings AccountsqLong Term Care InsuranceqHomeowners and Auto InsuranceDRIASIOutsourcing solution for insurance and non-insurance productsCarrier and product independentService 250+financial institutions and 50+insurance companiesCore focus adm

4、inistrationEnd to end or modular solutionsRetention and process optimizationSAS 70 Type IIOperational excellence driven by security,innovation and reliabilityData can only be shared internally on a need to know basis.Examples include consumer information such as date of birth,marital status,social s

5、ecurity number,health claims.Information intended for internal distribution only.Examples include organizational charts,inter-office mail,unreleased pilot offerings.Information obtained from or intended for public disclosure.Examples include marketing brochures,press releases,annual reports.Terms&Ov

6、erviewData vs.InformationConfidential Data Proprietary DataPublic DataEncryption068567839068-56-7839Transmitted data is coded,making it unintelligible if intercepted by a 3rd party.Only the sender and the recipient have the“key”to unlock the code.Security BreachesCommunications company robbed of emp

7、loyee dataIn efforts to recycle used paper,company exposes confidential customer dataLaptop stolen,Grad Students info exposedID verification service provider sends personal,financial info to con artistsUn-encrypted data with 20 years of employee data vanishes while in transportBehavior&ValueManageme

8、ntAwareness&ResponsibilityRiskAssessmentSecurity Design&ManagementExecutionKeyComponentsData Security RoadmapMethods of the TradeSystem hackingCodes/scamsPhysical negligenceStolen equipmentDisgruntled employeesIdentity Theft CategoriesPersonal Identifiable Theft:qExamples:social security number,onli

9、ne banking log-in/passwordqTheft is beyond a single accountqThief has ability to create additional accountsqLoss potential is greaterqCriminal may wait in excess of 15 months before strikingAccount Theft:qExample:credit card is stolenqTheft is typically limited to a single accountqShort-term window

10、for thiefRoot Causes for Identity TheftPrevalence of SSN as a unique identifierInformation security not equal among organizationsMore information about individuals stored on central databasesPersonal securityExpansion of electronic fraudKey Customer Data Customer data that can be used against you:qC

11、hecking or credit card account numbersqSocial security numberqDrivers license numberqATM cardqDate of birthqHome addressqPhone numberqCredit reportsqPasswordsCommon Security ConcernsCyber threats rank higher than physical breaches73%felt domestic suppliers posed less riskBuyers dont believe security

12、 claims of suppliers and are conducting their own audits 30%factorISO 17799 ISO 27001SAS 70 Type IISource:Booz Allen Hamilton study,June 2019Data Security A Supplier DifferentiatorThenNowAssessing Data Security RiskFailure Modes&Effects AnalysisExpense vs.Security AchievedDollarsSecurity Achieved100

13、%SecurityDollar Amount Losses by TypeSource:CSI/FBI 2019 Computer Crime and Security Survey;Computer Security InstituteSecurity Technologies UsedSource:CSI/FBI 2019 Computer Crime and Security Survey;Computer Security InstituteData StewardData Stewards ensure that a critical asset,customer and accou

14、nt data,is received,verified and delivered to all appropriate information users in an accessible,consistent and timely manner.Data Exchange Process MapParticipants:3RD Party Vendor(Bus)3rd Party Vendor(Tech)BAC Product Manager BAC Information MgrPurpose:Introductory Meeting High level overview of th

15、e data exchange processParticipants:3RD Party Vendor(Bus)3rd Party Vendor(Tech)BAC Information MgrPurpose:#of Files File Layouts Frequency Contacts Exchange Protocols Quality Assurance requirements SLAParticipants:BAC Information MgrPurpose:Register data exchange in the central repositoryParticipant

16、s:BAC DTS 3rd Party Vendor(Tech)Purpose:BAC DTS provides email with instructions for data exchange processParticipants:BAC DTS 3rd Party Vendor(Tech)Purpose:Exchange IP Addresses Exchange Passwords Notification procedures Automate scripts,if necessaryParticipants:BAC Information Manager 3rd Party Ve

17、ndor(Bus)3rd Party Vendor(Tech)Purpose:Review field definitions Determine valid values that vendor will provide Answer additional questionsParticipants:BAC Information Manager BAC-DTS 3rd Party Vendor(Tech)Purpose:Test end to end file submission,connectivity testParticipants:BAC Information Manager

18、BAC-DTS 3rd Party Vendor(Tech)3RD Party Vendor(Bus)Purpose:File receipt and load Continual feedback on new valid values or data anomaliesData Management EnvironmentMitigating TheftTechnical InfrastructureqMulti-tier architectureqMulti-factor authenticationqContinuous server monitoringqAccess control

19、sBusiness ProcessesqEmployee trainingqPolicy enforcementqNo confidential data on hard driveqCross shreddingqAccess controlsTechnical ToolsqEncryptionqAnti-virus/spywareqElectronic Transmissions(Secure Sockets Layer(SSL),FTP/PGP,NDM)Infrastructure CategoriesProduction Contact routines/calendarRoles&r

20、esponsibilitiesChange controlAdding new sourcesQualityQuality assurance practicesMetadata managementDefect resolution processGovernance The Data CouncilDownstream SLASource data provider SLAUser access/standardsCommunicationsCommunication planData Steward ProgramCorporate partnershipsSAMPLEDO NOTUse

21、 your name in any formUse a word contained in dictionaries,or standard word listsUse other information easily obtained about you Write a password down or store it online Reveal a password to anyoneUse shared accountsPassword Best PracticesDOUse a password with mixed-case lettersUse a password that c

22、ontains alphanumeric characters and punctuationUse a password that can be typed quicklyChange passwords regularly blaK4borD2L8againSeeeSHorrAbf&r2ocInformation ExchangeAll data exchanges must be submitted via encrypted electronic transmission.Never submit customer or account data via tape,CD,disks,e

23、tc.Any email communication that contains confidential information must be encrypted.Data exchanges between vendors that contain BAC customer data must adhere to same standards as exchanging with BAC.Never store customer or other sensitive banking data on computer/laptop hard drives.Governance Elemen

24、tsMajor Deliverables:Service Level Agreements Source Providers Service Level Agreements Information Users User access request forms Encryption Standards Data Transmission Standards Information Quality C.O.E.CIS Assessments/Audits Information Sharing Request The Data Council General Power Desktop Des

25、igner Normal Super Power AdministratorASKISG User Access FormAccess Level Request:*Name:Work Phone:Business Division:*See Roles tab for detail matrix on access levelsNBK#:eMail Address:Business Justification:Digital Signature:DateResources for the RoadmapBITSqbitsinfo.orgISO 17799qiso-17799SANS Inst

26、ituteqsans.orgCERTqcert.orgISSA(Information Systems Security Association)qissa.orgCollaborationTask force commitment10/24/2022“Security is not a product,but a process.”-Bruce Schneier“When you know that youre capable ofdealing with whatever comes,you have the only security the world has to offer.”-Harry Browne