FINRA Security Frequently Asked Questions
Are the fingerprint files (print images and personal data) sent by our firm stored by FINRA? If so, where and for how long? How are those files kept secure?
If a firm chooses to send fingerprint data to FINRA via EFS transmission, it must be sent from FINRA-certified vendor equipment. EFS transmissions are secured with digital certificates and S/MIME encryption.
EFP/EFS fingerprint images and demographic data are stored in a FINRA database while they await disposition by the FBI. All information sent to the FBI and all information received from the FBI is encrypted. After the FBI responses are received, the data is retained in this database for 30 days, after which it is available only from secure offsite storage databases.
All FBI CHRI (Criminal History Record Information) data is encrypted in transit to long-term storage and encrypted at rest inside the repository.
Who controls the Access Permissions for the systems in which our data is stored?
The FINRA Operations and Engineering group strictly controls access to the short-term database, which is limited to a subset of FINRA employees.
The FBI CHRI is available to the firm that submitted the fingerprint card and to any affiliated firm that uses that fingerprint card to satisfy its own fingerprinting requirement. The FBI CHRI is also available to regulators with which the individual is requesting registration, or has or had a registration, through the firm that submitted the fingerprint card. A limited number of FINRA employees have access to the long-term storage of the fingerprint images.
Is the data sent between FINRA and the FBI encrypted?
Data between FINRA and the FBI is transmitted over a secure transmission line and is encrypted by a hardware encryption device. The FBI has certified this line and configuration.
Does FINRA have a group of personnel assigned to the implementation and maintenance of information security? If so, please provide a brief explanation of what they do.
Yes. FINRA Corporate Information Security is the group responsible for overseeing information security at FINRA. This includes creating security policies and standards, verifying compliance with those policies and standards, performing risk assessments of all applications, working with development teams to secure applications during the design phase, and overseeing operational security programs such as antivirus, firewalls, and intrusion detection. Day-to-day security maintenance of systems is the responsibility of the systems' administrators, with compliance monitoring performed by FINRA Corporate Information Security.
Are the information systems that store our employees' personal and fingerprint information audited by a third-party group?
FINRA has its own Internal Audit Department, which is empowered by the Board to perform such audits. Internal Audit staff frequently engage outside consultants to conduct or assist in conducting audits. In addition, FINRA's external auditor performs audits as well. The audits serve to validate the integrity of the system; however, neither Internal Audit staff nor external auditors are given access to the fingerprint data.
Are the systems regularly tested for weaknesses, and patched appropriately?
Vulnerability scans are performed regularly on all internal and externally facing production systems. Reports are provided to the appropriate technology teams to correct any issues found. In addition, all system administrators are required to monitor for the release of security-related patches, and FINRA Corporate Information Security also monitors patch releases and follows up with system administrators. FINRA has an aggressive patch management process: critical patches are installed as quickly as feasible, and all other security patches are installed during scheduled maintenance windows.
How does FINRA mitigate the risk of both internal and external information systems breaches? This includes Extranet (web-based) portals, VPNs, and FINRA's internal Local Area Network.
FINRA mitigates security risks through strict preventive and detective controls, including firewalls at network borders and gateways that provide tightly controlled access. Through change management, policies, and standards, we direct how these controls are set up and changed over time to meet business needs while limiting access. We monitor system borders, gateways, and machines and are alerted to signs of possible intrusion. In addition, FINRA requires up-to-date antivirus on all workstations, servers (including mail servers), and gateways, with a central console providing automatic updates.
Access to the EFP system, for both users and system maintenance, must be specifically requested and approved by designated FINRA staff. System accounts are reviewed periodically to ensure they have the appropriate level of access, and accounts are disabled when a staff member resigns from FINRA.