Global financial services leader chooses leading application security partner

CHALLENGE

FIS was fed up. Their enterprise and operational risk teams maintain the multiple Secure Software Framework (SSF) certifications for their Data Navigator, Connex, IST, and Clear Commerce solutions, but the process with their Qualified Security Assessor (QSA) was not working well.

“Our previous QSA firm was painfully slow at completing our reports on validation (ROV),” notes Chelsea Lopez, risk manager at FIS. “The process to get our ROV took over 10 months from start to finish. This was partially due to unresponsiveness [on behalf of our previous assessor] and the failure to perform a pre-assessment to identify gaps like we’re able to do with CoalfireOne.”

Given the importance of maintaining SSF validation to meet contractual obligations and revenue expectations, as well as the number of solutions involved, FIS decided to identify replacement partners.

APPROACH

“Coalfire’s responsiveness stood out immediately, and their integrity and willingness to work with us as partners was incredibly positive,” said Lopez. Additionally, FIS had previously worked with one of the Coalfire QSAs, creating a level of confidence right from the beginning. “This gave our team comfort,” said Lopez.

During the first year, Coalfire leveraged industry expertise, best practices, and efficient assessment techniques to complete five validations, meeting deadlines in partnership with various FIS teams around the globe.

RESULTS

Since 2014, FIS has used Coalfire as their trusted PA-QSA, and now, Secure Software Assessor, based on the integrity, connections, and professional relationships they’ve built with the Coalfire team. “One of Coalfire’s many strengths is their ability to communicate – good [and bad] news,” explains Lopez.

As a preferred partner, Coalfire continues to consistently deliver application validations, thanks to its proven [application validation] methodology, deep knowledge of the SSF requirements, and team of highly skilled security assessors who have invested in understanding the FIS product suite. These efforts make what some organizations may see as just a compliance process into an important security checkpoint in the FIS product release cycle.