Information Security: the role of partners

Posted on

July 13, 2022

Posted in

For those of us who work in fintech, the security of systems and data is our highest priority. Gone are the days where uptime and systems’ availability were the critical measures. In today’s highly interconnected world, where significant new threats emerge daily and the use of machine learning is accelerating rapidly, the price of online freedom is constant vigilance.

At Fimatix, we are constantly striving to improve our information security posture, while maintaining accessibility to data across the customer lifecycle, a growing concern for key-decision makers in the fintech space.

We already hold several industry security certifications which, important as they are, we regard as nothing more than a recognition of the policies, controls and behaviours we apply across the whole business.

We expect our key partners and suppliers to conform to the most rigorous information security standards too, and when these organisations go further to proactively encourage best practice, we readily embrace their recommendations and control frameworks as a product-led business.

By way of example, our Prodigy Product Lifecycle Management and Governance tool was developed and is hosted on the Salesforce.com platform.

Salesforce has very exacting information security and development standards and requires that we regularly submit our code for their independent assessment.

This is no box ticking exercise. It is a thorough forensic review to ensure we have adopted coding best practices and that we include sufficient test code coverage, as well as checks for potential security vulnerabilities or performance problems.

The Salesforce review is both interactive and iterative, and involves us having to respond to challenges and questions raised on technical design decisions and, occasionally, having to amend our code to meet the very latest security requirements.

On completion of this process, getting the email from Salesforce that announces that Prodigy has passed the latest Security review is always very welcome.

Another example of a partner organisation working to improve the industry’s security posture is the excellent work that the SWIFT banking system has done in developing and evolving their Customer Security Programme (CSP).

The CSP is designed to help SWIFT members, such as Idea Group – recently acquired to become a Fimatix company – who ensure that their defences against cyberattacks are up to date and effective, and in so doing, to protect the integrity of the wider financial network.

Developed within the CSP, the Customer Security Controls Framework (CSCF) consists of a comprehensive set of mandatory and advisory security controls. These controls evolve over time to combat emerging threats and to advocate implementation of new cybersecurity developments.

SWIFT requires that all member firms adhere to the CSCF and that they annually attest their level of compliance with these important controls. From 2021 onwards, to further increase the rigour of the CSCF, SWIFT insisted that the security attestation is subject to independent assessment.

Last year, Idea Group commissioned Guidehouse to provide this independent review of controls and were able to submit the annual attestation following Guidehouse’s sign off that these were implemented and effective.

As Fimatix looks to sustain its strong growth trajectory in the fintech sector over the last year, we will continue to review and refine our information security posture, working closely with our partners and suppliers, to keep our cyberattack defences as robust as possible.