security compliancy for financial institutions

schwags (Member, Iowa)
All - I have recently been asked to help a few small companies become compliant with their clients' security standards. Mainly, my clients' clients are banking or financial institutions of some type. I am noticing a heavy focus on auditing and documentation, and I do not really have much experience in these areas.

These clients are smaller, and not really in need of a full server system for anything other than meeting these compliance requirements. I am wondering if anyone has ever helped a small company meet standard security compliance requirements WITHOUT installing a server with AD and all that jazz.

I know I can use a SAS 70-compliant data center for off-site file storage, but how about workstation auditing? I have no way that I know of to audit update and software installations, control access to workstations through policies and network profiles, or remotely monitor activity without having the users in an AD environment. I imagine there is a software package out there that can help me do all this through the cloud, but I wouldn't know which one is good without some recommendations.
 
There are tons of third-party auditing packages out there. Are they just looking for something for tracking computers and software compliance (software licensing, updates, keeping track of hardware)? We have a sister company that is a mortgage company that requires disk encryption as well. (They use PGP, as it can be managed.) That may be a requirement for them as well.

Local policy will be a nightmare. You need something centralized. The big question is what security guidelines they have to meet. What is required in my state may differ from where they are at. Once you know that, then you will know how to proceed. Setting up a server and AD isn't all that bad. Then you have centralized management where you can control access, policy, etc.

Also, don't forget about physical security. They may require a secure data center for servers and networking equipment, etc. A lot to think about.
 
One of the problems is that you're asking for help with "standard security compliance"; unfortunately, there is no such thing.

What *exactly* do they have to comply with? A certain ISO standard?
A client's list?
"General high security"?

To help, we would need more information.
But if you get the information, you should be able to tell if you're capable of auditing/implementing what would be needed.
 
Thanks for the replies. I do not have a certain ISO standard yet that I am supposed to be following. Mainly, I am getting prepared to be able to talk about these issues. I do get the impression that these clients mainly need to show documentation of standards, and those standards need to be more than "Mary has all the passwords, ask her if you want a file". I'm sure all of you know what I am talking about when I refer to a haphazardly organized office.

Basically, if anyone knows of a certain software package that would allow remote security policy application, monitoring (without the user knowing), and other features normally done through AD, please let me know. The clients are too small to really need an actual server. Maybe there is something that is priced per workstation? I have Googled what I am looking for, but the results were so numerous or non-specific that I didn't know where to start.
 
Without doing your homework for you, a good start would be here: http://www.iso.org/iso/home.htm

Is there a quick solution for a small business that doesn't have any server hardware? Not likely.

The ISO standards relating to security are probably out of their reach unless they're willing to purchase some hardware and audit their *whole* system, piece by piece, policy by policy.
 
Have fun if it is regulated by the FDIC. There is a reason that most of the IT managers I know who work for banks are bald and have heart conditions.
 