Independent and Assisted Technical Data Auditing
of Enterprise AML Infrastructures
What is at risk?
Your AML data is a highly valued target for hackers and malware across the globe. AML/CFT solutions touch transactions and data sourced through PTAs, foreign financial institutions and wires, and are unlike any solution ever implemented in our financial markets. They see all and have access to all vertical and horizontal areas of your enterprise. Auditing how your AML data is secured from internal and external threats, and how the data is used, stored and transmitted, is paramount to building a compliant and trustworthy financial solution.
AML Solution Audit
We're here to help and a simple call is all it takes to get started.
To meet NIST 800.xx, STIG, GLBA, FFIEC or any of the many rules, standards, guidelines, policies and best practices, your financial institution must ensure every item is correct and tested. We can schedule a call at your convenience to go over our available technical audit services to see how we can build a more secure AML environment, while exceeding all regulatory requirements.
Each standard has a long list, but we're here to help.
Call today to find out more: 954.426.4248
Most AML environments "touch" or connect to the most valued data in a financial institution. This increases the number of attack vectors or typologies that can be used against your solution.
Achieving compliance together with the ability to reduce money laundering activity within your institution is usually at the forefront of any AML/CFT solution. But in many cases, the need and focus to meet regulatory requirements has put these same solutions at risk. When completing an audit of an AML solution, one of the first items that comes up is that, in many cases, the AML department and managers are not responsible for the technical side of the enterprise solution (the computers and servers). They are only responsible for the system's information, analysis and data use. For many financial institutions, the AML solution is secured using the same security standards and framework as a finance department or treasury department, which may not take into account the disparate nature of an AML solution and/or investigation.
At CodeCenters, we address the regulatory side, the technical side and model threats that may be specific to your AML/CFT solution.
From the server that holds the transaction, to the data flow that is seen and analyzed by the machine learning model, to the security of the final SAR, we can work with all stakeholders to ensure all areas of your enterprise solution are audited to the highest level.
There are numerous technical standards to which banks and non-bank financial institutions are audited.
CodeCenters has taken the lead in understanding the differences between each one of these frameworks and specializes in implementing and auditing the following Security Frameworks and standards:
1. NIST 800.xx - National Institute of Standards and Technology
2. FFIEC - The Federal Financial Institutions Examination Council
3. DOD-DISA - The Defense Information Systems Agency
NIST - National Institute of Standards and Technology
NIST 800.xx - Framework for Improving Critical Infrastructure Cybersecurity.
Based on “The Cybersecurity Enhancement Act of 2014 (S.1353)”. The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each Framework component reinforces the connection between business drivers and cybersecurity activities.
Which Tier are you?
NIST Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. If your corporate solution is already NIST standardized to a specific tier, we can ensure your AML solution is also in line with that environment. If it is found to have deficiencies, we can help implement a solution that brings it in alignment or advances it to the next tier.
FFIEC - The Federal Financial Institutions Examination Council
The Cybersecurity Assessment Tool (CAT) Audit
The FFIEC Cybersecurity Assessment Tool (CAT) is an audit test that helps institutions identify their risk level and determine the maturity of their cybersecurity programs. The tool measures risk levels across several categories, including delivery channels, connection types, external threats, and organizational characteristics. Ultimately, the tool allows management to make risk-driven security management decisions through regular cybersecurity assessments using standardized criteria for risk measurement.
Question: How does the FFIEC Assessment align with the NIST Cybersecurity Framework?
The FFIEC Information Technology Examination Handbook (IT Handbook), the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and industry accepted cybersecurity practices were used in the development of the FFIEC Assessment. A mapping of the NIST Cybersecurity Framework to the Assessment is included as Appendix B of the Assessment. NIST reviewed and provided input on the mapping to ensure consistency with NIST Cybersecurity Framework principles and to highlight the complementary nature of the two resources.
DISA - The Defense Information Systems Agency
STIG - Security Technical Implementation Guide
The Security Technical Implementation Guides (STIGs) produced by DISA are the specific configuration standards for devices such as database servers, e-mail servers, personal computers/laptops and a range of solutions. These standards are commonly used to define a baseline of security for specific financial and corporate computer systems, including AML/CFT infrastructure solutions. DISA has played a critical role in enhancing the security posture of computer systems by providing the STIGs. The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.
What areas are covered in a technical audit? Download the consolidated list or the latest deep-dive whitepaper to see how implementing five security controls can reduce your AML/CFT attack surface.
AML Audit Areas
AML Security Deep-Dive
Government Auditing Solutions
We're here to help. A simple call is all it takes to get started.
We can schedule a call at your convenience to go over our available services and to see if they are the right choice for your environment. There is no charge for the initial consultation and if our services are needed, we can work with your team to ensure the project tasks fit within any financial or time constraints that you may have.