How Northern Trust Protects Data
We work hard to protect your information. At Northern Trust, our pursuit of information security and data protection is driven by the same commitment to excellence that we apply to understanding the financial needs of our clients. Want to learn more? Read on for highlights of the security controls that Northern Trust implements to support data protection.
At Northern Trust, we employ a multi-layered approach to security. Among the controls we use to protect information are firewalls, malware identification programs, fraud detection systems, data loss prevention infrastructure, email filtering, virus controls, network segmentation and system redundancies.
Real-time intrusion detection is managed through our Security Incident Response Process. Sensors located on both the interior and exterior of the network are monitored by our Cyber Coordination Center; they are configured to inspect internet traffic, identify patterns matching known attack signatures and log critical information for trend analysis. Security incidents identified from logged activity are summarized and reported to management, and appropriate follow-up action is taken. Real-time monitoring is also used for performance analysis to help ensure system availability.
Our policy requires that management review system access at least annually to validate that each individual's access is limited to the information systems and privileges required to perform their job functions. This certification process also separately verifies that access has been updated for individuals who have transferred between departments and ensures that access is terminated appropriately for users who leave the company.
High risk access is reviewed using a separate process featuring increased diligence during certification.
If an access certification is not completed within 30 days of the due date, the user's access (other than basic access such as email) is suspended until the manager completes the review. Separately, when an individual is terminated, steps are taken to ensure all access is removed promptly.
Threats are brought to our attention by a variety of sources including multiple threat intelligence services, as well as activities seen in various system security logs. Business inputs are also considered from the Cyber Coordination Center, the Fraud Prevention Investigation Unit, the Corporate Risk and Anti-Money Laundering Group, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and technology specific alerts (such as Microsoft or Oracle).
Our people play an important role in the ongoing protection of data. We keep everyone informed via an ongoing Information Security Training and Awareness Program, with a goal to continually educate and update all of our partners on the subject of information security and data protection. Our program stresses the importance of security by providing consistent, timely and accurate content on a wide range of information security and technology risk, privacy and fraud prevention topics. As part of this training, our teams are made aware of the policies, procedures and security control standards that outline the processes necessary for the protection of data. Our partners are also taught the importance of our regulatory responsibilities – compliance with which is required by approximately 53 regulatory agencies around the globe.
Client-sensitive application data transmitted over the public Internet is encrypted in transit. On the client side, this means application users must use browsers that support a minimum of 128-bit encryption. For our part, secure messages we send to you are protected using PGP or TLS encryption. We will not send you any communication containing Personally Identifiable Information, such as Social Security numbers, account numbers or other confidential information, without encryption; it is delivered either through our Passport portals or as an encrypted message. We use 128-bit encryption to protect your username, password and other personal account information while you are using our site or applications. You can tell your session is encrypted when the address of the Northern Trust Passport site you are using begins with "https://" and your web browser shows a lock symbol.
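The paragraph above states a floor (TLS, at least 128-bit encryption, an https address) without showing how such a floor is enforced or audited. The following Python is an added example and is not Northern Trust's code or configuration: it builds a client TLS context that only negotiates TLS 1.2 or 1.3 with forward-secret AEAD suites, then audits the suites a context would accept against a 128-bit minimum. The cipher string, the sample cipher entries (constructed to mirror the dictionaries returned by ssl.SSLContext.get_ciphers()) and the URLs are this example's own assumptions. Note the distinction between OpenSSL's nominal alg_bits and its effective strength_bits: 3DES advertises 168 key bits but provides 112, so a check on the nominal figure would wrongly pass it.

```python
import ssl
from urllib.parse import urlsplit

# Minimum effective symmetric strength, in bits, matching the page's stated floor.
MIN_STRENGTH_BITS = 128
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample in the shape of SSLContext.get_ciphers() entries
# (real entries carry more keys; only these four are used here).
SAMPLE_CIPHER_INFO = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "alg_bits": 128, "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3",
     "alg_bits": 168, "strength_bits": 112},   # nominal 168, effective 112
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3",
     "alg_bits": 256, "strength_bits": 256},
]


def hardened_client_context() -> ssl.SSLContext:
    """Client TLS context that only negotiates TLS 1.2+ with forward-secret
    AEAD suites. The cipher string is this example's choice (an assumption),
    not a description of any particular site's configuration."""
    ctx = ssl.create_default_context()          # also verifies server certificates
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE key exchange (forward secrecy) with AES-GCM or ChaCha20-Poly1305;
    # OpenSSL adds the TLS 1.3 suites on top of this list automatically.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_ciphers(cipher_info, min_bits=MIN_STRENGTH_BITS):
    """Names of suites whose *effective* strength is below min_bits.
    Uses strength_bits, not alg_bits, so 3DES correctly fails a 128-bit floor."""
    return [c["name"] for c in cipher_info if c["strength_bits"] < min_bits]


def legacy_protocol_suites(cipher_info, accepted=ACCEPTED_PROTOCOLS):
    """Names of suites whose minimum protocol version is older than TLS 1.2."""
    return [c["name"] for c in cipher_info if c["protocol"] not in accepted]


def is_encrypted_url(url: str) -> bool:
    """The user-visible check the page describes: the address must use https."""
    return urlsplit(url).scheme.lower() == "https"


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context would be willing to negotiate."""
    info = ctx.get_ciphers()
    return {
        "suites": len(info),
        "weak": weak_ciphers(info),
        "legacy_protocol": legacy_protocol_suites(info),
        "tls12_minimum": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    # The constructed sample flags the 3DES suite on both strength and protocol.
    print("sample weak:", weak_ciphers(SAMPLE_CIPHER_INFO))
    print("sample legacy:", legacy_protocol_suites(SAMPLE_CIPHER_INFO))
    # The hardened context should flag nothing.
    print("hardened:", audit_context(hardened_client_context()))
    print(is_encrypted_url("https://example.com/login"),
          is_encrypted_url("http://example.com/login"))
```

Run against a context a client application actually uses, audit_context() reports any suite that would let a session fall below the stated 128-bit floor or below TLS 1.2, which is the condition the lock symbol alone does not reveal: the browser shows the lock for any successful TLS handshake, regardless of cipher strength.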
How We Develop our Program
We follow the guidance of the NIST Cybersecurity Framework, ISO/IEC 27002, ITIL and COBIT 5. Built on a base of structured risk management processes used across the Corporation, our program identifies, assesses, controls, measures, monitors and reports on compliance risk. The framework is designed to minimize compliance risk and maintain an environment in which criminal or regulatory violations do not occur. It includes a comprehensive governance structure and a Compliance and Ethics Program approved by the Business Risk Committee. Additionally, the Outsourcing Risk Management Program establishes the procedures to be followed and industry-appropriate practices for due diligence (including risk assessments) and for the management of outsourcing relationships.