What is the threat?
Aside from competition and operating efficiency, securing customer data is one of the key priorities facing Financial Services today. From the regulatory perspective, protecting the Personally Identifiable Information (PII) of your customers is a must, while continuing to secure their related account information. From the payments industry perspective, operating agreements from the credit card companies stipulate compliance with PCI standards to safeguard the Primary Account Number (PAN) of your cardholders. Importantly, the resulting risk can be damaging from a reputational, financial and operational perspective. The threat population (that’s Information Security speak for those individuals who are likely to circumvent your security controls to get access to your customer data for illegal use) consists of both internal employees and external individuals. Regardless of their motivations, the financial penalties in the payments industry, along with the risks noted above, can be financially damaging. For internal personnel who manage banking systems and have access to confidential data, the temptation to look at and capture some part of the customer information is real. Beyond violating information security policy, such an act can damage consumer confidence in the bank if the incident becomes publicly known. Malicious individuals or entities external to a bank will continuously probe for information security vulnerabilities to steal demand deposit account numbers and cardholder account information wherever possible. Long story short, without the proper controls to safeguard their information assets, there is a higher probability that banks will suffer a security incident.
Proactive Risk Management
For the most part, banks have done a pretty good job instituting Information Security and Risk Management Programs to safeguard their information assets and manage the related risks. Importantly, after the initial IT Audits and related tests are conducted on all enterprise systems, the majority of risks to banks occur when changes are made to their environments, such as the introduction of new technology, changes to existing bank business processes and underlying systems, or the integration of technologies. Where adequate security controls may have previously existed, even slight changes to information technology can create vulnerabilities where previously there were none. Just one significant risk incident can push a bank toward stricter policies, stronger risk management and security controls, and increased oversight from a risk/audit perspective. Accordingly, consistent risk management procedures are necessary for all business and technology projects, as well as ongoing operations. Being proactive about monitoring your business systems 24x7, understanding the evolving threat universe, and adjusting your information security processes and procedures accordingly are imperative. Regarding mobile applications, it is imperative for every bank to employ strong authentication and encryption mechanisms as part of each release. A bank would be wise to engage a third-party security firm to review and test its mobile applications.
Cornerstones for an Effective Information Security Risk Management Program
An approach for safeguarding a bank’s information assets can be achieved through the implementation of an enterprise Information Security/Risk Management Program based on best practices. To be effective, these programs are best coordinated at an enterprise level with sponsorship from both the Enterprise Risk Officer and the Information Security Officer of the bank. Enforcement of such programs typically rests with the Chief Compliance Officer. When considering an approach for implementing an Information Security program, at a high level, here are my suggested foundation components to use as cornerstones for ensuring a bank’s information assets continue to be safeguarded.
Information Security Policy: A sound information security policy should address confidentiality, integrity, availability, accountability and assurance. It should communicate the objective of the policy using a sound, risk-based management approach. An important aspect of a sound policy is to ensure it requires the integration of technical and non-technical security mechanisms into all of a bank’s systems.
Information Security Standards: Establishing standards for the bank is essential to implementing, managing, monitoring and reporting in a consistent fashion. Such standards should be designed to address documents, digital information flows (in flight and at rest), messaging, mobile, software, hardware, and physical environments. There are some really good information security standards that provide guidance on implementing strong information security controls. Most security specialists I know rely on both www.sans.org and www.nist.gov for standards. In many respects, the standards need to be interpreted by each bank, which has responsibility for setting the risk tolerance of its own organization. When setting standards, ensure they are clearly understood so that they can be applied and implemented quickly by the accountable individuals who manage your business processes and systems.
Information Security Controls: Information security controls can take the form of procedures, processes, access control, hardware configuration parameters, software parameters and coding methods, architecture, vulnerability scanning and compliance testing. Once business processes and/or systems are placed into operation, continuous monitoring and testing are the most effective way to manage risk and reduce the likelihood of a security incident. Regarding application development for a new system, and when integrating one with other systems, it is important to know the security requirements and/or expectations from the outset. Once known, engineers and architects can design and build a system to meet the customer specifications. It is challenging to retrofit security controls into an existing system and/or environment.
Information Security Audits/Assessments: I am a big proponent of having someone look over my shoulder to ensure there are no security vulnerabilities with anything I have ever touched or reviewed. I have leveraged Internal Audit teams extensively in my career and the results have always been positive. Engaging Internal IT Audit in a proactive fashion is the best way to approach them. It is best to get them to test before a system and/or process goes to production. In parallel, you can engage an independent third party to develop a system security plan and another to conduct independent testing of your environment. The downside is that the latter approach requires a lot of time to educate third parties on your environment, communicate your business requirements, and stage and then implement their testing approach and methods.
PCI Compliance: For an acquiring bank that relies extensively on third-party processors and underwrites a diverse group of merchant types, the PCI compliance model can be challenging. While the standards have been defined by the PCI Security Standards Council, banks must ensure their PCI Compliance programs are structured adequately to educate their merchants, provide them with tools, and test their compliance. While not immune from information security vulnerabilities, the large third-party processors are a major link in the payments chain between the banks and the merchant. A close partnership between the banks and the third-party processors who facilitate the processing of payments transactions (credit card, ACH, debit, pre-paid) is required. The PCI Security Standards Council has put together a pretty comprehensive implementation program manual which you can rely upon for use with your bank (which I will feature in an upcoming post).
Security Awareness Programs: Last but not least, continued security awareness, both internally and externally, is essential to maintaining an effective information security/risk management program. Many bank employees see these programs as taking time away from their business duties, but they can be very effective. How would the normal business user be aware of the concept of “social engineering” without having learned it from a Bank Security Awareness Program? Each bank should institute an enterprise program that focuses on educating internal employees about the threat population.
Having written this without referencing any books, guides, or internet sites, please send a response back with any thoughts you may have.