How SDS Helped a Financial Services Firm Meet PCI DSS Requirements while Protecting Sensitive Information
The standards governing banks and other financial institutions change continually, and with them the security risks and regulatory obligations those institutions face. Secure Digital Solutions partners with organizations that handle a large volume of transactions subject to PCI DSS, FFIEC, GLBA and SOX.
A bank had recently grown through a number of acquisitions, and retained Secure Digital Solutions (SDS) to help assess its security status. Business processes and risk levels varied a great deal across business units, and the risk management office needed better visibility into the maturity of each business.
Specifically, SDS was charged with completing a business impact analysis (BIA) with all business process owners across the company. This assessment would establish risk levels for each unit and enable the bank to represent the company’s information security status to industry regulators and examiners.
The challenge: consistent assessment instruments
The primary challenge was developing a way to gather consistent, complete information from all business units. To do so, SDS developed a robust data intake process. SDS first analyzed the bank’s existing security survey and brought it into alignment with the bank’s own Archer GRC system (a platform for managing corporate policies).
SDS then established a BIA Questionnaire Process Training program to ensure the survey would be embraced and completed by business process owners across divisions. The training step was crucial in getting key staff to understand, gather, provide, and compile the required documentation. The SDS action plan included:
- An initial meeting with each business process owner to discuss the purpose, process, expectations and BIA questionnaire form and response template
- Follow-up meetings with business process owners to review their BIA questionnaire input and answer any outstanding questions
- Risk assignment to identified business processes based upon gathered information
Results and findings
Concurrent with this process, SDS uploaded the survey template and supporting documents into the bank’s Archer system. Approximately 95 BIA questionnaires have been imported into the bank’s Archer GRC system, and the information gathering process is currently underway. The outcome so far includes a compliance-ready survey, business processes to gather and input data, roles and responsibilities, a timeline, and a template for obtaining technical manager input.
The deliverables for the project included a BIA executive summary report that spelled out process results and findings, as well as recommendations on efficiencies the bank can gain by standardizing or consolidating information security maturity within their Archer GRC platform.