Electronic Fingerprint Security - FAQ

Q1: Are the fingerprint files (print images and personal data) sent by our firm stored by FINRA? If so, where and for how long is this data maintained? How is this data kept secure?
A: If a firm chooses to send the fingerprint data to FINRA via EFS transmissions, it must be sent from FINRA-certified vendor equipment. The EFS transmissions are kept secure through the use of digital certificates and S/MIME encryption.
Fingerprint images and demographic data are stored in a database at FINRA while they await disposition by the FBI. All information sent to and received from the FBI is encrypted. After the FBI responses are received, the data is maintained in this database for 30 days, after which the information is available only from secure storage databases.
All FBI Criminal History Record Information (CHRI) data is maintained in encrypted format both during transmission and storage.
Q2: Who controls the Access Permissions for the systems in which our data is stored?
A: FINRA technology strictly enforces the short-term database access, which is limited to a subset of FINRA employees. A limited number of FINRA employees have access to fingerprints and CHRI if that access is necessary to perform their regulatory responsibilities.
CHRI is made available to the firm that submitted the fingerprint card, along with any affiliated firm that is using that fingerprint card to satisfy its fingerprint requirements through Web CRD. In addition, this CHRI is also available to other regulators with which the individual previously held, currently holds, or is requesting registration through Web CRD. All Web CRD users require specific entitlement to view fingerprint information in Web CRD.
Q3: Is the data sent between FINRA and the FBI encrypted?
A: The data between FINRA and the FBI is transmitted over a secure transmission line and is encrypted with a hardware encryption device. The FBI has certified this line and configuration.
Q4: Does FINRA have a group of personnel assigned to implement and maintain information security? If so, please provide a brief explanation of what they do.
A: Yes, FINRA Corporate Information Security is the group responsible for overseeing information security at FINRA. This includes creating security policies and standards, verifying compliance with those standards and policies, performing risk assessments of all applications, working with development teams on securing applications during design phases, and overseeing operational security programs such as antivirus, firewalls, and intrusion detection. The actual security maintenance of our systems is the responsibility of the systems' administrators, with compliance monitoring performed by FINRA Corporate Information Security.
Q5: Are the information systems that store our employees' personal and fingerprint information audited by a third-party group?
A: FINRA has its own Internal Audit Department, which is empowered by the Board to perform such audits. Our Internal Audit staff frequently hire outside consultants to conduct or assist in conducting audits. In addition, our external auditor performs audits as well. The audits serve to validate the integrity of FINRA's systems; however, neither the Internal Audit staff nor the external auditors are given access to fingerprints.
Q6: Are the systems regularly tested for weaknesses, and patched appropriately?
A: Vulnerability scans are performed on all internal and externally facing systems on a regular basis. Reports are provided to the appropriate technology teams to correct any uncovered issues. In addition, FINRA technology monitors for the release of all relevant security-related patches. FINRA has a very aggressive patch management process, and critical patches are installed as quickly as feasible. All other security patches are installed during scheduled maintenance windows.
Q7: How does FINRA mitigate the risk of both internal and external information systems breaches? This would include Extranet (web-based) portals, VPNs, and FINRA's internal Local Area Network.
A: FINRA mitigates security risks through strict preventive and detective controls, which include placement of firewalls on borders and gateways to provide tightly controlled access. Through change management, policies, and standards, we direct how these controls are set up and changed over time to meet business needs and maintain limited access. We monitor system borders, gateways, and machines and are alerted at the signs of possible intrusion. In addition, FINRA requires up-to-date antivirus on all workstations, servers (including mail servers), and gateways, utilizing a central console for automatic updates.
Access to the EFP system, from both a user and a system maintenance perspective, must be specifically requested and approved by designated FINRA staff. System accounts are reviewed periodically to ensure that accounts have the appropriate levels of access. System accounts are disabled when a staff member leaves FINRA.