Travelex exchanges employee risk for User Awareness and IT Compliance

Travelex, the world’s leading specialist foreign exchange business, is a globally recognised brand. Operating in over 30 countries worldwide, the company provides foreign exchange services through a number of different streams: international business to business payments services; outsourced travel money services for financial institutions and travel agencies; and a global retail foreign exchange network in airports, tourist and downtown locations.

This global presence means that Travelex must comply with a number of standards, such as the Payment Card Industry Data Security Standard (PCI) and Anti Money Laundering legislation. The company has a dedicated IT Security and Compliance team that ensures that Travelex not only remains compliant with multiple regulations, but maintains a best practice approach to ensure ongoing IT security.

The IT Security Challenge

Travelex employs 6,500+ people worldwide. With IT operations being coordinated from UK headquarters, the company required an effective method to communicate its corporate IT Security Policy. It also required a solution which would allow the IT Security and Compliance team to implement an ongoing User Awareness programme that would educate employees as to their responsibilities regarding IT Security, allowing the company to maintain best practice standards.

Duncan Phillips, IT Security Manager at Travelex explains: “The initial requirement was based around PCI. We recognised that compliance with the standard would be an issue for us without using a specialised tool. However, with other regulatory commitments and business requirements, we sought a solution that would tick a lot more boxes than PCI.”

A Best Practice Solution

The Travelex team considered a number of internal solutions to fulfil its requirements, including email and intranet solutions. A paper-based system was also considered; however, given the geographical spread and size of the company, none of these were viable options, as they all required the chasing of employee signatures. When they turned to the market for electronic delivery alternatives, they discovered that MetaCompliance was the only product that met all business requirements. Not only would the solution allow them to disseminate and capture employee response to IT security policies and risk assessments, it could also be utilised right across the business in areas such as HR and training. According to Duncan, this scalability allowed the IT Security team to gain senior level buy-in from the outset:

“We recognised straight away that beyond the IT Security Policy delivery there was going to be room for expansion and added value. When we demonstrated the adaptability and the power and scale of the system, it was immediately obvious to senior management that there were lots of different ways that we could use it, to fulfil other requirements beyond the basic delivery and click to agree functionality.”

Deploying MetaCompliance

The MetaCompliance project management team worked extensively with Travelex to ensure seamless integration with current systems, something which Duncan feels has been instrumental to the success of the project:

“The relationship between MetaCompliance and Travelex has added value to the project from day one. The support that we’ve received has been excellent and a valuable part of the project.”

The rollout of the corporate IT Security Policy was a resounding success, for a number of reasons, some of them unexpected. Immediate response was captured from 65 per cent of employees; MetaCompliance reporting provided a list of non-respondents, and further investigation allowed the team to identify system anomalies and technical challenges that needed to be resolved. According to Duncan, the global scope of the project allowed them to gain valuable insight into the corporate infrastructure, providing further added value.

User feedback was extremely positive, reflecting the ease of use of the system, and requests have been made from numerous departments as to the timescale of business-wide roll out, confirming the initial view that MetaCompliance would benefit many other areas of the business.

As to the future of MetaCompliance in Travelex, Duncan Phillips is expecting even further return on investment in 2009. The next regulatory requirement will be to transfer the existing delivery of Travelex’s Anti Money Laundering Policy to MetaCompliance, and also to explore the use of Dynamic Intercept, a unique feature of the solution that allows organisations to manage user awareness around specific computer events, such as USB insertion or internet usage. Duncan feels that this is an ideal way of helping employees to understand that they have personal accountability for the guardianship of corporate data and systems, thus further minimising risk.

Beyond the company’s regulatory requirements, Travelex plans to expand the way in which it uses MetaCompliance. The unique risk assessment and surveying functionality provides the opportunity to test user acceptance and understanding not only of policies, but also training. The ability to target specific user groups allows them to tailor content to particular business areas, ensuring that the right people receive the right training, and that the whole process is recorded in MetaCompliance secure audit and reporting. Duncan sums up how integral to Travelex’s systems MetaCompliance has become:

“The utilisation of MetaCompliance has become a key part of our security programme and we are working to integrate this into other areas of the business.”

The benefits of deploying MetaCompliance at Travelex

Travelex recognises a number of different benefits from deploying MetaCompliance:

  • An increase in user understanding and awareness which will bring an improved culture of IT security to the organisation;
  • The ability to cost effectively obtain employee agreement to IT security and compliance policies across the global organisation;
  • The protection of corporate infrastructure from malware and viruses;
  • Minimising the risk of data leakage;
  • The ability to demonstrate to regulators and customers that Travelex takes its commitments seriously;
  • The improvement of IT security will raise the corporate profile and attract new business;
  • Return on investment will be realised from the product being used across the organisation.

MetaCompliance Deliverables

  • User accountability via automated self certification;
  • 100% response from ALL user types;
  • The measurement of IT security posture with MetaCompliance Risk Assessment and Survey;
  • Demonstrable compliance via secure audit and reporting;
  • The automated repeatable processes that are the key to sustainable compliance.