Beyond IT compliance: What Irish companies need to know about data protection


Establishing comprehensive IT procedures while taking a considered approach to data retention is not just good business practice for Irish financial services providers.

FSP IT environments will likely be audited by Central Bank regulators as part of their overall auditing process.

Some of the critical elements they will look at include:

  • How your company tests and facilitates intrusion protection. A broad set of measures must be taken to prevent sensitive information being accessed from both external and internal sources.
  • How your company manages its security processes on an ongoing basis.
  • What internal auditing procedures are implemented to monitor these security processes.
  • What steps your company takes in the data protection of end user financial details.
  • How data leakages are prevented. These include internal data leaks by staff. Measures may include cordoning off the IT environment with encryption, restricting access and setting up IT audit trails.

Two other critical data security measures Central Bank auditors will look for are Business Continuity (BC) and Disaster Recovery (DR). Both BC and DR plans refer to the reliance, recovery and contingency of an organisation’s systems. BC planning concentrates on the recovery time objective (RTO) and recovery point objective (RPO) for a business to continue with users remaining onsite, while DR planning refers to the recovery of a business’s data and systems in another location.

What Central Bank auditors want to see is that registered financial services providers have tested their data systems and can prove that they have taken all appropriate steps to ensure data systems are secure.

Data Retention Policy

Any company that stores or processes the data of living people becomes in effect a data controller. Storing or processing this data brings about legal responsibilities as to how this information is handled and kept, whether in computerised form or in a structured manual file.

The Irish Data Protection Commissioner provides this useful Data Protection Checklist on their website. An experienced Managed Services Provider will be able to assist Irish Financial Services Providers in developing a comprehensive Data Retention Policy that allows them to meet and exceed all of their data retention requirements.

Change Control Process

An important part of adapting and developing new IT systems and environments is the Change Control Process. This process ensures that introduced systems are not redundant, do not cause faults and do not undo necessary changes made by other software.

It also includes monitoring a new system to ensure it meets regulatory guidelines and legislation. This process will be carried out by developing audit trails and authorisation requirements. These are important preventative measures that avoid potentially large future costs.

If requirements are not met during the development process, Central Bank regulators may insist on whole sections of a company’s IT system being overhauled. Such an operation will not only be expensive but will also drain IT resources from other projects. Putting a secure and robust system in place in advance will prevent such setbacks.

Working with a strategic IT partner can make the auditing process much simpler. A strategic IT partner will not only document your IT environment and processes but will also work with you to develop a long term IT plan that maps out your path to a more efficient, more powerful and more dynamic IT system.

By Siobhan Griffin of Trilogy Technologies