Automation of IT security systems in response to the requirements of the European Central Bank
The digital transformation and the massive use of technology in the financial sector have put the various players in a position where they must face enormous challenges.
These challenges usually come with significant upheavals in computer security. Teams in charge of securing computer networks, whether applications or other endpoints, are under great pressure: a single mistake, a poor assessment of a situation or poor visibility can cause huge problems whose impact is incalculable. And compliance with the requirements of public institutions is one of the first barriers against corporate neglect.
"The fundamental question of what can communicate with what through the network is a question that many would find difficult to answer in a global way," observes Nick Lowe, VP EMEA at Tufin. This is the central question that banking institutions must be able to answer in order to comply with the regulations of the European Central Bank, published in its assessment guide for the security of internet payments.
It should be noted that the European Central Bank's regulatory provisions deal with a set of security measures relating to:
– demonstrating that access to the workflows and applications used in the various transactions is restricted to people specifically approved for that purpose;
– certified audit practices that securely maintain and review the various network flows originating from financial institutions, at defined review intervals.
However, collecting this information by hand during audits has clear limits; manual attempts tend to fail under these conditions, because the task demands too many resources and is, in most cases, very complex. There is, however, a straightforward remedy: automation. "A comprehensive and automated system of security policy discovery, provisioning and verification that integrates with the authorization and access flows: banks will be able to provide accurate and timely information regarding the commercial justification of security policies and how all assets are compliant and have remained compliant throughout the relevant period," explains Nick Lowe.
The needs are there, and this has not escaped the leaders of even traditional companies; they innovate as best they can because, frankly, they have no choice. "They see the banking industry moving from a point-of-sale, personal-contact, brick-and-mortar model to a highly agile model that is always available to customers by deploying fintech solutions," notes N. Lowe. This development creates even more competition and makes the consumer a little more demanding, especially since the new so-called digital banks are able to provide virtually the same services to traditional banks' customers without investing the same resources to attract or retain them.
However, this cannot be rushed. As the systems of these older banks grow more complex while adapting to new models that promise greater commercial advantage, mostly built on new technologies, they are liable to expose themselves to serious vulnerabilities, and mistakes in this area are hard to recover from. It is in this context that the European Central Bank decided to conduct security audits.
On the other hand, the sanctions applicable in the event of non-compliance with the ECB's regulations are not clearly defined. If an audit finds that network applications are not operated under conditions the ECB auditors consider safe, the organisation is first given time to resolve the problems detected. If they are not resolved by the deadline, the European Central Bank could demand that the application in question be taken out of service. This would hardly improve the company's circumstances, especially if the application serves a key function, which is surely enough to push it into compliance.
Although it is only this year that banks' IT security checks have become an ECB requirement, it should be remembered that this verification process has been under way since 2014. Unfortunately, many organisations have underestimated the importance of this task. "These banks thought that if they had a defined list of policies that controlled network connectivity to their applications and who was allowed to access them, then it would satisfy the ECB. But banks have discovered that access control has become complex. To comply, banks must take several different actions, including keeping documentation of each access request, its justification, its commercial owner and whether it has been approved," Tufin's VP EMEA, Nick Lowe, pointed out.
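As an added example (not from the article and not Tufin's code), the following Python script shows what the automated verification described above, and the per-request documentation Lowe lists, look like in their simplest form: every deployed network-access rule is reconciled against an access-request register and flagged when it has no request on file, lacks a business owner, justification or approval, or has not been reviewed within the review period. The rule export, the register, the field names and the 180-day review period are all constructed assumptions for illustration.

```python
"""Reconcile deployed network-access rules against an access-request register.

Added example, not from the article or from Tufin. The rule export and
register formats below are hypothetical and the data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One firewall/ACL entry as it might appear in a device export (assumed format)."""
    rule_id: str
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class AccessRequest:
    """The documentation the auditors expect for each rule (assumed fields)."""
    rule_id: str
    owner: str                  # business owner accountable for the access
    justification: str          # commercial justification
    approved_by: Optional[str]  # None means never approved
    last_reviewed: date         # last periodic recertification


REVIEW_PERIOD = timedelta(days=180)   # assumed review interval
SAMPLE_AUDIT_DATE = date(2024, 6, 1)  # "today" for the constructed sample

# Constructed sample data: a firewall export and a ticketing-system export.
RULES = [
    Rule("FW-101", "10.1.0.0/24", "10.2.0.10", 443),
    Rule("FW-102", "10.1.0.0/24", "10.2.0.11", 1433),
    Rule("FW-103", "0.0.0.0/0", "10.2.0.12", 22),
    Rule("FW-104", "10.3.0.5", "10.2.0.13", 8443),
]
REGISTER = {
    "FW-101": AccessRequest("FW-101", "payments-ops", "Web tier to payment API",
                            "ciso-delegate", date(2024, 3, 1)),
    "FW-102": AccessRequest("FW-102", "payments-ops", "App tier to transaction DB",
                            None, date(2024, 3, 1)),
    "FW-103": AccessRequest("FW-103", "", "temporary troubleshooting",
                            "netops-lead", date(2023, 1, 15)),
    # FW-104 has no request on file at all
}


def audit(rules: List[Rule], register: Dict[str, AccessRequest], today: date,
          review_period: timedelta = REVIEW_PERIOD) -> Dict[str, List[str]]:
    """Return {rule_id: [findings]} for every rule that fails at least one control.

    A rule with no entry in the returned dict passed all checks.
    """
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        problems: List[str] = []
        req = register.get(rule.rule_id)
        if req is None:
            problems.append("no access request on file")
        else:
            if not req.owner.strip():
                problems.append("no business owner")
            if not req.justification.strip():
                problems.append("no justification")
            if req.approved_by is None:
                problems.append("not approved")
            age = today - req.last_reviewed
            if age > review_period:
                problems.append(f"review overdue ({age.days} days)")
        if rule.src == "0.0.0.0/0":
            # Any-source rules are always worth a second look in an audit.
            problems.append("any-source rule")
        if problems:
            findings[rule.rule_id] = problems
    return findings


def is_compliant(rules: List[Rule], register: Dict[str, AccessRequest], today: date,
                 review_period: timedelta = REVIEW_PERIOD) -> bool:
    """True only if every rule has complete, approved, current documentation."""
    return not audit(rules, register, today, review_period)


if __name__ == "__main__":
    for rule_id, problems in sorted(audit(RULES, REGISTER, SAMPLE_AUDIT_DATE).items()):
        print(f"{rule_id}: {', '.join(problems)}")
    print("compliant:", is_compliant(RULES, REGISTER, SAMPLE_AUDIT_DATE))
```

In practice the two inputs would be pulled from the firewall management API and the ticketing or change-management system on a schedule, and the report kept per audit period so that the bank can show not only that it is compliant today but that each rule has been documented and recertified throughout the period.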