
Experian – SCV file security


keala

Presentation Transcript


  1. Experian – SCV file security

  2. FSCS Security & Audit
     • Data security is likely to be an important factor to organisations involved in the SCV Verification project. To address this, FSCS has partnered with Experian, who are renowned for their robust security and data protection.
     • Deposit Takers will send the SCV data directly to Experian, and Experian will have sole possession of the SCV data whilst the file is being verified.
     • However, as Data Controller for the SCV data, FSCS has a number of responsibilities to ensure security. Key to these are:
     • The right, at any time, to audit Experian's processes and systems
     • Maintain access to the SCV data in order to ensure files can be reconciled, currently via an SFTP link. Note: SCV data is only downloaded in the event of a deposit taker going into Default.

  3. Security at Experian
     Security sits at the core of Experian’s operations. The vast majority of modern organisations face a significant number of risks relating to loss of information and, due to the nature of our business, Experian is no different. In order to defend our data from such risks, Experian has developed a best of breed security framework based around ISO27001, the cornerstone of which is our information security policy.
     Handling sensitive data, including the hosting of extensive, confidential databases in a fully-secure environment, is one of Experian’s core business activities. Security, Governance and Data Protection are of major importance to Experian in achieving our legal compliance obligations.
     As well as our commitment to ensuring that our staff continues to meet our high standards, we have also made a significant investment in establishing a Global Security function to ensure that security is embedded within our day to day activities across the world. Experian is committed to maintaining the security of the data that we process.

  4. Security Access Control Group – ISO 27001
     • Independent function that provisions user access to data and systems
     • Work to the “Principle of Least Privilege”:
     • Authority matrix
     • Role based access
     • Regular access reviews
     • Robust Starters and Leavers Processes
     • Strong Inactive Account Monitoring
     • Achieved certified compliance status to ISO 27001 in 2005 – ongoing independent reviews of control effectiveness.

  5. Security – Global Risk Committee
     • Experian has a specific Global Risk Committee that owns and supports our comprehensive Global Information Security Policy based on the ISO27001 standard, which covers:
     • Organisation and Management
     • Information Security
     • Asset Classification
     • Physical and Environmental Security
     • Communications and Operations Management
     • System Access
     • Systems Development and Maintenance
     • Compliance
     • Personnel and Provisioning
     • Business Continuity Management
     • This policy is supported with a sub set of defined standards to accommodate various areas of security, ranging from physical through to environmental controls. This is then supported with specific detailed guidelines relating to areas requiring specific controls such as Internet usage.

  6. Physical Security – Experian Data Centre
     Our UK based data centre provides clients with a safe, secure, highly resilient facility for delivering mission-critical services:
     • A dedicated £30m data centre built in 2004
     • Access is strictly controlled, with escalating levels of security introduced as progression is made towards the most sensitive areas of the building, where the 24-hour command centre is housed in a concrete pod. Site access is monitored 24/7.
     • The network is fully protected by Intrusion Detection systems which are proactively monitored both internally and by third party specialists.
     • The network is protected by two independent firewall layers of different manufacturer equipment.
     • All mail and web traffic is monitored using mail and web scanning software, both for content and use. Anti-virus scanning is performed on both inbound and outbound traffic flows.
     • The core information systems from the UK are further protected by an Experian owned Public Key Infrastructure (PKI), which allows Experian to validate not only clients but end user devices as well.
     • All client traffic is independently routed through to target systems using dedicated Virtual Networks (VLANs), ensuring that one client can never see another client's data.

  7. Physical Security - Heightened Security Area (HSA)
     The Verification solution has been designated as a service to be provided within an Experian Heightened Security Area (HSA). HSAs are specifically designed areas for people working with sensitive information and include the following controls.
     • Physical Access Controls: Only people who work within the HSA will be able to enter the area. Physical security controls control access to these areas.
     • Personal belongings and mobile devices: Lockers are provided to store and protect personal belongings such as bags and phones, as these are not allowed within the HSA.
     • Electronic Media and Data Transmissions: Access to email, internet and data transmissions (such as printing and writing to CD/DVD/USB devices) is only provided to employees working within HSAs if it is a specific requirement of the job role.

  8. Security - Steps throughout the Verification Process
     Data transfer - File submission
     Experian are offering several secure methods of file transmission, listed below.
     • EFT (Secure File Transfer Protocol): It is expected that most Deposit Takers will select this as the preferred secure transmission method. Establishing an SFTP connection is a simple process. The Experian Media Centre team will guide Deposit Takers through the process to enable access to the EFT URL address. A dedicated Username and Password validates the logon and folder permissions for the file upload.
     • Connect Direct - C:D+ (Existing clients only): This is used for secure mainframe to mainframe file transfer and provides a SPOE (Single Point of Entry) in conjunction with firewall and routing rules.
     • Email: All Deposit Takers who want to submit SCV Files via email must agree with Experian the encryption method to be used to ensure secure transmission, and submit the emails to a specific email account to ensure appropriate levels of control.
     • Encryption – Experian encourages the use of encryption such as WinZip, PGP and Entrust.
     Experian will use the information provided within your Pre Implementation Report to set up the agreed transmission method ahead of the pilot.

  9. Security – Steps throughout the Verification process
     Mainframe processing
     • The file will be transferred automatically to the Experian mainframe once formatted to the preferred format.
     • Data provided by Deposit Takers is compared to Experian data and a series of flags are appended to the file provided by Deposit Takers. No Customer data provided by Deposit Takers is written to the Experian mainframe.
     • Mainframe processing is automated and is run within a dedicated LPAR (Logical partition) with no manual intervention.
     • Data provided will not be used for any purpose other than to undertake the Verification exercise on behalf of FSCS.
     • Verification results are written to an MI database. No customer data is provided in the MI solution; all MI is based on unique SCVID.
     Destruction of data
     • The final stage in the verification solution is “Housekeeping”. Once FSCS have confirmed successful receipt of the MI file, Housekeeping is triggered; this involves the automatic deletion of the file.
     • Confirmation will be sent to Deposit Takers when the Housekeeping routine has completed and files have been deleted.
