FINANCIAL DATA SECURITY
Yodlee’s Security Office focuses on three main areas of security:
- Information Security
- Network Security
- Application Security
The team manages a comprehensive program of risk-driven policies and procedures to strengthen the Information Security Program (ISP), including guidelines and frequent audits. The ISP covers all aspects of the Production, Development, Staging, and Corporate environments as well as vendor relations, business continuity planning (BCP), and personnel management.
Yodlee prioritizes its comprehensive risk management program designed to intelligently focus resources and efforts to minimize security risk profiles. The process consists of formal risk assessments at the organizational and product level. In addition, risk management is incorporated into all facets of our processes, including integration with application development, data center operations, and internal security processes.
Yodlee has formal disaster recovery (DR) programs for our internal services and our clients’ applications. Our approach requires regular tests of our internal DR and annual testing with clients of their DR option. Our client DR options include contracted recovery point objectives (RPO) and recovery time objectives (RTO) designed to map to our clients’ requirements.
Yodlee follows industry best practice guidelines in the design and implementation of our network security environment. We use zones to separate our Production, Staging, Development, Corporate, and specialty networks from each other with access control devices between each zone. We further segment networks within each zone in order to apply granular security and audit controls appropriate to each function. Other key controls include:
- Central bastion hosts
- Multi-factor authentication
- Resilient and redundant infrastructure
- Data encryption
- Centralized Security Incident and Event Management (SIEM)
Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud services based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are those receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
Yodlee’s Compliance with Banking Standards
Yodlee is examined under the FFIEC Supervision of Technology Service Providers guidance. We receive a multi-agency examination, with the OCC taking the lead. For US-based financial institutions, our Report of Examination (RoE) is available from your regulator. On July 10, 2012, the FFIEC issued an information-only document on Outsourced Cloud Computing. It states that this type of deployment is subject to the same risk considerations and oversight requirements as more traditional outsourcing arrangements.
As the leading provider of personal finance management applications, a pioneer in bringing SaaS applications to the financial industry, and an FFIEC-supervised Technology Service Provider, Yodlee has been addressing the questions and concerns of outsourced cloud computing for over a decade. We are very pleased that the FFIEC has provided its opinion to help guide institutions as they evolve their service provider oversight programs, allowing them to capitalize on the benefits of cloud-based services while maintaining their risk posture and adhering to their compliance obligations. More about this process can be found here.