One piece of the puzzle must be addressed regardless of any other consideration: you must comply with the laws that apply to your industry. So, before you make your decision, you need to understand your regulatory environment and the IT controls it requires.
For good reasons, the financial services industry is highly regulated. Among the many regulations potentially applicable to you are the following:
* Sarbanes-Oxley Act (SOX), Section 404
* Health Insurance Portability and Accountability Act (HIPAA)
* Payment Card Industry Data Security Standard (PCI DSS)
* Gramm-Leach-Bliley Act (GLBA)
* Basel II
While not all of these laws may apply to you or to your use of SharePoint, many likely do. The key to compliance with all of them is understanding which information technology controls you need in place to meet their requirements. Thankfully, many of these requirements overlap, so a set of key controls will address many different laws. Required controls include (but are not limited to):
* Controls to protect customer accounts and other financial data from unauthorized access. Key requirements include strong encryption and hashing using industry-approved techniques, not custom-developed ones.
* Authentication controls to ensure that only authorized agents can initiate financial transactions. This includes requirements for strong passwords and periodic password changes, no guest or other shared accounts, and encryption of password data at rest (when stored) and in transit.
* Controls to maintain data integrity, including controls to ensure that unauthorized individuals or systems cannot access or modify the data, and that access to systems for support purposes is granted only when required and only at the level required (the principle of least privilege).
* Maintaining an audit trail and logging system events. This can be tricky: the audit trails must be clear and up to date; logs must be backed up regularly so that logging data survives a system failure; and the logs must NOT contain the actual confidential information, so that support personnel who work with the logs cannot use them to access personally identifiable information or financial data. A critical part of logging is the analysis of access and usage patterns to reveal inappropriate behavior.
* Availability: systems should be at least doubly redundant, with immediate and automated failover (Basel II). This is clearly a very expensive requirement.
* Change management: you must prevent unauthorized and inadvertent changes to your systems that could circumvent or disable other controls, or that negatively impact the system's inherent functionality and controls.
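The audit-trail requirement above is the one that most often goes wrong in practice: the log needs enough detail to analyse access patterns, yet must not carry the account numbers or personal data it describes. The example below is added here to show one way to satisfy both halves; it is not code from the post or from SharePoint. The event records, field names (`user`, `action`, `account`, `note`) and the tokenization key are all constructed for the demonstration. Confidential identifiers are replaced with a keyed one-way token before the line is written, so the same account still produces the same token and access patterns can be analysed, while free-text fields are scrubbed of card-number and SSN shapes. A second function then runs a simple pattern check over the sanitized events: any user who touched more than a set number of distinct accounts is flagged for review.

```python
import hmac
import hashlib
import re
from collections import defaultdict

# Secret used to tokenize identifiers. In a real deployment this comes from a
# key vault, never from the source file. Constructed placeholder value.
TOKEN_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample events standing in for records read from the application's
# audit store. The field names are an assumption, not SharePoint's own schema.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "user": "jsmith", "action": "view",
     "account": "4111111111111111", "note": "customer SSN 123-45-6789 verified"},
    {"ts": "2024-01-10T09:00:07", "user": "jsmith", "action": "view",
     "account": "4111111111111111", "note": "balance inquiry"},
    {"ts": "2024-01-10T09:01:12", "user": "svc_batch", "action": "view",
     "account": "4242424242424242", "note": "nightly reconciliation"},
    {"ts": "2024-01-10T09:02:30", "user": "svc_batch", "action": "view",
     "account": "5555555555554444", "note": "nightly reconciliation"},
    {"ts": "2024-01-10T09:03:45", "user": "svc_batch", "action": "view",
     "account": "378282246310005", "note": "nightly reconciliation"},
    {"ts": "2024-01-10T09:04:00", "user": "svc_batch", "action": "modify",
     "account": "6011111111111117", "note": "nightly reconciliation"},
]

# Shapes of confidential data that must never reach the log.
PAN_RE = re.compile(r"\b\d{13,19}\b")          # card / account numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US social security numbers


def tokenize(value: str) -> str:
    """Replace a confidential identifier with a keyed, one-way token.

    The same input always yields the same token, so events about one account
    can still be correlated, but the log never reveals the account itself.
    """
    digest = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def redact_free_text(text: str) -> str:
    """Scrub card-number and SSN shapes from free-form fields."""
    text = PAN_RE.sub("[PAN-REDACTED]", text)
    return SSN_RE.sub("[SSN-REDACTED]", text)


def sanitize_event(event: dict) -> dict:
    """Return a copy of the event that is safe to write to the audit log."""
    return {
        "ts": event["ts"],
        "user": event["user"],
        "action": event["action"],
        "account": tokenize(event["account"]),
        "note": redact_free_text(event["note"]),
    }


def format_line(event: dict) -> str:
    return " ".join(f"{k}={v}" for k, v in event.items())


def contains_confidential(line: str) -> bool:
    """Final check before a line is written: does it still carry PAN/SSN data?"""
    return bool(PAN_RE.search(line) or SSN_RE.search(line))


def sanitized_log_lines(events) -> list:
    return [format_line(sanitize_event(e)) for e in events]


def find_broad_access(events, max_accounts: int) -> list:
    """Flag users who touched more than max_accounts distinct accounts.

    Works on tokenized events, so the analysis itself needs no access to
    the real account numbers.
    """
    per_user = defaultdict(set)
    for e in events:
        per_user[e["user"]].add(e["account"])
    return sorted(u for u, accts in per_user.items() if len(accts) > max_accounts)


if __name__ == "__main__":
    safe = [sanitize_event(e) for e in SAMPLE_EVENTS]
    for line in sanitized_log_lines(SAMPLE_EVENTS):
        print(line)
    print("flagged for review:", find_broad_access(safe, 2))
```

The threshold passed to `find_broad_access` is a policy decision: a batch service account touching many accounts may be expected, so the flagged list is an input to review rather than a verdict. The `contains_confidential` check is the guard that belongs at the log writer itself, so a new field added later cannot silently reintroduce raw data.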
Come back tomorrow to learn more about the required IT controls.