A lock on secure banking
To help the U.S. division of a large global bank protect its data, KPMG responded quickly to test IT security controls and standardize access protocols.
Client
The U.S. division of a large global bank
Sector
Financial services
Project
Security controls testing and identity access management
Facing material weaknesses and regulatory issues, the main U.S. division of a highly decentralized global bank needed help fast. Auditors had identified an immediate need to re-test the IT security controls implemented by a third party to help ensure compliance with the Gramm-Leach-Bliley Act (GLBA) and Financial Accounting Standards Board (FASB) regulations.
Acting on the referral of a former client now employed at the bank, KPMG began testing IT security controls within 48 hours of the introduction. Less than three months later, we discovered deficiencies in a privileged access platform that another third party was installing. We fielded an experienced team to begin onboarding over 200 identity access applications. Since then, we have been helping four of the bank’s six U.S. divisions with overall project management, governance, identity access, and IT controls testing.
Time was short. The bank had discovered that work done by a staff augmentation company was subpar. Yet, security controls compliance milestones had to be met.
Though we had not worked with this bank before, a new executive vice president called us in based on our work with him at two previous banks. Because of his recommendation, our insights, and the urgency of the situation, we were asked to provide a statement of work within 24 hours. One day later, we were awarded a sole-source contract and immediately set to work testing security controls.
Time was short. The bank had discovered that the previous nine months of work by a staff augmentation company was subpar. It was now Fall 2017. Certain milestones had to be met by year-end so that the security controls would comply with the GLBA and regulations from the U.S. FASB. Our team worked nonstop through the holidays, testing the controls for compliance and scoping out work to be done for the rest of the year and for the first quarter of 2018 and beyond.
Then, just before the end of the year, we found something that the bank’s internal auditors had missed—the third-party implementation of SailPoint, a software platform for digital identity governance, was incomplete and inaccurate. The bank had made commitments to regulators that 80 of the platform’s 200 applications would be installed by the middle of the following year.
Working quickly over the weekend in late 2017, the head of our SailPoint practice and other specialists in privileged access management talked with the client and put together a team to begin onboarding the apps in two of the bank’s six U.S. entities.
Ultimately, the client asked KPMG to install the entire platform of more than 200 apps in all six organizations, work that is still ongoing.
KPMG’s quick response has allowed the bank to:
Have a plan and a methodology for proceeding with major system implementations
We provided a roadmap and checkpoints so that the necessary resources, skill sets, and direction could be determined in advance.
An outsourced managed service can provide innovative, scalable and customized services
KPMG Global Services leverages the experience and talent of 7,000 professionals with deep risk competencies and broad regulatory, technology, process, and control knowledge. This knowledge can help clients tackle business challenges more effectively and bring about a significant improvement in their performance.