




Data Security: A Roadmap
Dodi Iverson, Executive Vice President, DRIASI
Richard Bellanca, Senior Vice President, Bank of America Corporation

Bank of America
- Over 38 million consumer & small business relationships
- Over 5,800 retail banking offices
- Over 16,700 ATMs
- Over 14.7 million active online users
- No. 1 overall Small Business Administration lender in the US
- Bank of America Corporation stock (ticker: BAC) is listed on the New York Stock Exchange
- Higher Standards

Insurance Services Group
- Line of business within Global Consumer & Small Business Banking
- Products Include: Credit Protection Products; Loan Protection Products; Term Life Insurance; Accidental Death & Disability; Health Savings Accounts; Long Term Care Insurance; Homeowners and Auto Insurance

DRIASI
- Outsourcing solution for insurance and non-insurance products
- Carrier and product independent
- Service 250+ financial institutions and 50+ insurance companies
- Core focus administration
- End to end or modular solutions
- Retention and process optimization
- SAS 70 Type II
- Operational excellence driven by security, innovation and reliability

Terms & Overview
- Data vs. Information
- Confidential Data: Data can only be shared internally on a need to know basis. Examples include consumer information such as date of birth, marital status, social security number, health claims.
- Proprietary Data: Information intended for internal distribution only. Examples include organizational charts, inter-office mail, unreleased pilot offerings.
- Public Data: Information obtained from or intended for public disclosure. Examples include marketing brochures, press releases, annual reports.
- Encryption: Transmitted data is coded, making it unintelligible if intercepted by a 3rd party. Only the sender and the recipient have the "key" to unlock the code.
- 068567839 / 068-56-7839

Security Breaches
- Communications company robbed of employee data
- In efforts to recycle used paper, company exposes confidential customer data
- Laptop stolen, Grad Students info exposed
- ID verification service provider sends personal, financial info to con artists
- Un-encrypted data with 20 years of employee data vanishes while in transport

Data Security Roadmap
Key Components:
- Behavior & Value Management
- Awareness & Responsibility
- Risk Assessment
- Security Design & Management
- Execution

Methods of the Trade
- System hacking
- Codes/scams
- Physical negligence
- Stolen equipment
- Disgruntled employees

Identity Theft Categories
Personal Identifiable Theft:
- Examples: social security number, online banking log-in/password
- Theft is beyond a single account
- Thief has ability to create additional accounts
- Loss potential is greater
- Criminal may wait in excess of 15 months before striking
Account Theft:
- Example: credit card is stolen
- Theft is typically limited to a single account
- Short-term window for thief

Root Causes for Identity Theft
- Prevalence of SSN as a unique identifier
- Information security not equal among organizations
- More information about individuals stored on central databases
- Personal security
- Expansion of electronic fraud

Key Customer Data
Customer data that can be used against you:
- Checking or credit card account numbers
- Social security number
- Driver's license number
- ATM card
- Date of birth
- Home address
- Phone number
- Credit reports
- Passwords

Common Security Concerns
- Cyber threats rank higher than physical breaches
- 73% felt domestic suppliers posed less risk
- Buyers don't believe security claims of suppliers and are conducting their own audits
- 30% factor
- ISO 17799, ISO 27001
- SAS 70 Type II
Source: Booz Allen Hamilton study, June 2019

Data Security: A Supplier Differentiator
- Then: Better Service; Cost; Higher Quality; Improved Satisfaction; Freed Resources; Innovation
- Now: Customer Centricity; Cost; Data Security; Retention

Assessing Data Security Risk
- Failure Modes & Effects Analysis

Expense vs. Security Achieved
[Chart: axes "Dollars" and "Security Achieved"; label "100% Security"]

Dollar Amount Losses by Type
[Chart] Source: CSI/FBI 2019 Computer Crime and Security Survey; Computer Security Institute

Security Technologies Used
[Chart] Source: CSI/FBI 2019 Computer Crime and Security Survey; Computer Security Institute

Data Steward
Data Stewards ensure that a critical asset, customer and account data, is received, verified and delivered to all appropriate information users in an accessible, consistent and timely manner.

Data Exchange Process Map

Participants: 3rd Party Vendor (Bus); 3rd Party Vendor (Tech); BAC Product Manager; BAC Information Mgr
Purpose: Introductory Meeting; High level overview of the data exchange process

Participants: 3rd Party Vendor (Bus); 3rd Party Vendor (Tech); BAC Information Mgr
Purpose: # of Files; File Layouts; Frequency; Contacts; Exchange Protocols; Quality Assurance requirements; SLA

Participants: BAC Information Mgr
Purpose: Register data exchange in the central repository

Participants: BAC DTS; 3rd Party Vendor (Tech)
Purpose: BAC DTS provides email with instructions for data exchange process

Participants: BAC DTS; 3rd Party Vendor (Tech)
Purpose: Exchange IP Addresses; Exchange Passwords; Notification procedures; Automate scripts, if necessary

Participants: BAC Information Manager; 3rd Party Vendor (Bus); 3rd Party Vendor (Tech)
Purpose: Review field definitions; Determine valid values that vendor will provide; Answer additional questions

Participants: BAC Information Manager; BAC - DTS; 3rd Party Vendor (Tech)
Purpose: Test end to end file submission, connectivity test

Participants: BAC Information Manager; BAC - DTS; 3rd Party Vendor (Tech); 3rd Party Vendor (Bus)
Purpose: File receipt and load; Continual feedback on new valid values or data anomalies

Data Management Environment
[Diagram]

Mitigating Theft
- Technical Infrastructure: Multi-tier architecture; Multi-factor authentication; Continuous server monitoring; Access controls
- Business Processes: Employee training; Policy enforcement; No confidential data on hard drive; Cross shredding; Access controls
- Technical Tools: Encryption; Anti-virus/spyware; Electronic Transmissions (Secure Sockets Layer (SSL), FTP/PGP, NDM)

Infrastructure Categories
- Production: Contact routines/calendar; Roles & responsibilities; Change control; Adding new sources
- Quality: Quality assurance practices; Metadata management; Defect resolution process
- Governance: The Data Council; Downstream SLA; Source data provider SLA; User access/standards
- Communications: Communication plan; Data Steward Program; Corporate partnerships

Password Best Practices
DO NOT:
- Use your name in any form
- Use a word contained in dictionaries, or standard word lists
- Use other information easily obtained about you
- Write a password down or store it online
- Reveal a password to anyone
- Use shared accounts
DO:
- Use a password with mixed-case letters
- Use a password that contains alphanumeric characters and punctuation
- Use a password that can be typed quickly
- Change passwords regularly
SAMPLE: blaK4borD2L8againSeeeSHorrAbf&r2oc

Information Exchange
- All data exchanges must be submitted via encrypted electronic transmission. Never submit customer or account data via tape, CD, disks, etc.
- Any email communication that contains confidential information must be encrypted.
- Data exchanges between vendors that contain BAC customer data must adhere to same standards