News

Sammons Balances Compliance, Security and Privacy

• By Kathleen Ohlson
• September 28, 2005

The Sammons Financial Group wanted a handle on the information on its network to satisfy compliance, security and privacy requirements.

Sammons is a group of insurance and financial companies owned by Sammons Enterprises. Its members include Midland National, North American, Sammons Securities and the Sammons Annuity Group. The Sammons Financial Group has more than $25 billion in assets and more than $245 billion of life insurance in force.

The Sammons Financial Group complies with various regulatory requirements, including the Securities & Exchange Commission, the U.S. Patriot Act and the Gramm-Leach-Bliley Act. It also complies with HIPAA because of Sammons employees’ insurance information.

The question that keeps CIOs “up at night, ‘Is do you know where your data is tonight?’” says Anna Sherony, Sammons’ information and privacy officer. “Who has access to it, who’s doing what, where’s it going and where does it reside?”

Sammons tracked its data whether it was on fax, mail, FTP, disk or e-mail, and how it was stored whether on CD-ROMs, microfiche or paper. The company implemented Vericept’s network management tool to collect information about what data enters and leaves Sammons’ network. The Vericept Intelligent Protection Platform analyzes, captures and controls all Internet-based communications, including e-mail, instant messaging, chat rooms, blogs, FTP and peer-to-peer file sharing that violate government regulations, corporate guidelines and acceptable use policy.

The VIP Platform’s main responsibility was tracking regulatory information, but the software took on human resources responsibility, Sherony says.

Sherony and her staff lacked some knowledge about what information its 1,200 users were accessing. “After reading a couple of e-mails, I needed a cigarette,” she says. “I was shocked at what was going out.”

The platform’s results were an “eye-opening response,” for the human resources department, Sherony says. HR later issued a memo regarding acceptable Internet-based communications, and usage numbers dropped, she says.

Dealing with regulatory issues also helped Sammons tackle security and privacy issues more thoroughly.

Sammons addresses security and privacy separately, though they often intertwine, according Sherony. Security protects information and assets from unauthorized access, disclosure, modification, loss or harm, while privacy controls personal identifiable information, including the manner in which data is collected, stored, managed, communicated and disclosed.

Access to new applications is done by job description and responsibility, she says. Information is also protected, for example, by encrypting social security, banking and credit card information. When transactions occur, customers and employees receive either certification or a note verifying its security.