Financial Data Security
Yodlee’s Security Office focuses on three main areas of security: information, network and application. The team manages a comprehensive program of risk-driven policies and procedures that support the Information Security Program (ISP), including guidelines and frequent audits. The ISP covers all aspects of the Production, Development, Staging and Corporate environments as well as vendor relations, business continuity planning (BCP) and personnel management, and is organized around three main functions:
- Information Security
- Network Security
- Application Security
Yodlee prioritizes a comprehensive risk management program designed to focus resources and effort where they most reduce the security risk profile. The process consists of formal risk assessments at the organizational and product level. In addition, risk management is incorporated into all facets of our processes, including application development, data center operations and internal security processes.
Yodlee has formal disaster recovery (DR) programs for our internal services and our clients’ applications. Our approach requires regular tests of our internal DR and annual testing with clients of their chosen DR option. Our client DR options include a contracted recovery point objective (RPO) and recovery time objective (RTO) designed to map to each client’s requirements.
Yodlee follows industry best-practice guidelines in the design and implementation of our network security environment. We use zones to separate our Production, Staging, Development, Corporate and specialty networks from each other, with access control devices between each zone. We further segment the networks within each zone in order to apply granular security and audit controls appropriate to each function. Other key controls include:
- Central bastion hosts
- Multi-factor authentication
- Resilient and redundant infrastructure
- Data encryption
- Centralized Security Information and Event Management (SIEM)
YODLEE’S COMPLIANCE WITH BANKING STANDARDS
Yodlee is examined under the FFIEC Supervision of Technology Service Providers guidance. We receive a multi-agency examination, with the OCC taking the lead. For US-based financial institutions, our Report of Examination (RoE) is available from your regulator. On July 10, 2012, the FFIEC issued an information-only document on Outsourced Cloud Computing. It states that this type of deployment is subject to the same risk considerations and oversight requirements as more traditional outsourcing arrangements.
As the leading provider of personal finance management applications, a pioneer in bringing SaaS applications to the financial industry and an FFIEC-supervised Technology Service Provider, Yodlee has been addressing the questions and concerns of outsourced cloud computing for over a decade. We are very pleased that the FFIEC has provided its opinion to help guide institutions as they evolve their service provider oversight programs, so that they can capitalize on the benefits of cloud-based services while maintaining their risk posture and adhering to their compliance obligations.