FSA Data Protection Compliance – Best Practices Review
I was recently commissioned, on behalf of a compliance adviser practice, to carry out an information security review of a 30-user financial services organisation located in the Midlands. Fully aware of the penalties the FSA can administer, as well as the threat of the Information Commissioner's Office imposing a fine of up to £500,000 for Data Protection breaches, the firm's directors had taken a highly responsible approach to this serious matter.
Despite already having implemented a variety of security controls under the guidance of their IT service provider, they considered it important enough to perform a review to reassure clients and stakeholders that they do take information security seriously, a philosophy that is often overlooked in favour of so-called "higher priorities".
What did it involve?
To minimise costs and the time it takes to carry out a full security audit, I gave them an initial questionnaire to fill out. It was developed primarily around the FSA's best practice guidelines, as detailed in their scathing report titled "Data Security in Financial Services – Firms' controls to prevent data loss by their employees and third-party suppliers".
After reviewing the results, I interviewed the practice manager (this could equally be a partner or director responsible for IT and security) and the contracted IT service provider. It is sometimes considered inappropriate to include the IT service provider because of a lack of technical expertise, though that certainly wasn't the case here.
I was then able to provide them with a report outlining the good and bad practices within the organisation and highlighting the areas of concern that need addressing, ordered by priority. From start to finish, the whole exercise took two days.
This was a high-level system security review intended to establish the risk appetite of the business in general, not a thorough interrogation of the systems internally or externally through penetration testing. What it does do is help senior management focus their attention and mitigate the threats the financial sector faces. It is, after all, the industry sector most targeted by cyber criminals.
Feel free to contact me directly if you believe your organisation could benefit from a similar review.