CUInfoSecurity.com - Information Security News, Regulations, & Education  


Education and Certifications


 Transcript of Mark Bernard on Risk Management and ISO Certification

Swart: Well, speaking of accounting, a lot of executives are quite concerned that achieving ISO compliance, or excuse me, IS certification, will significantly increase their costs, and lead to the adoption of significantly more controls. Is that perception accurate?

Bernard: Actually it's not. ISO is a big thing to take on, and there has been a lot of reluctance, as you know. We are going to be likely the first on-line banking system in North America, perhaps even the globe, to become ISO certified. And I think the reluctance is because they just haven't found the right person or the right group who can deliver that package in a way that they can accept. In fact, the ISO framework, once it's properly implemented, will actually help reduce controls, which is usually a big selling point with senior managers.

As we have external consultants and monitors coming in and telling us to implement more and more controls, the concern is that we have layers and layers, and all of the sudden productivity slows down within the organization. We have to hire new people to manage the controls because there are so many of them. And ISO is not about that at all. There are 133 controls within ISO. And they can be basically applied in a number of different ways.



 A Day in the Life

"I wonder what it would be like to go home at 5 PM today?" says Bruce Coffing, an information security officer responsible for identity and access management at LaSalle Bank, a large Midwestern bank ($113 billion in assets) serving individuals and businesses with over 400 branch locations. He cannot recall the last time he actually left for home on time.

"A bank never sleeps, and the job never finishes" he says.



 The Right Stuff: What it Takes to be a Security Leader

What Does Security Leadership Entail?

Information Security Media Group (ISMG), publishers of BankInfoSecurity.com and CUInfoSecurity.com, recently posed this and other questions to Debbie Wheeler, Chief Information Security Officer for Fifth Third Bancorp. In her current role she is responsible for establishing policy, standards and governance over the implementation of information security controls and procedures, as well as end-user education and training for the Bancorp. Here are her thoughts on security leadership.

Upasana Gupta: What makes a good CISO?

Debbie Wheeler: I believe...



 Transcript of Ed Zeitler, ISC2 podcast

Richard Swart: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’ll be speaking with Ed Zeitler, executive director of ISC2. Ed has extensive experience as the head of information security at Fidelity Investments, Bank of America and Security Pacific National Bank.


 Security Training for Board Members

Best-Practices for Getting Across the Right Messages

The board members at a financial institution are responsible for oversight and implementation of a sound security program, including the overall guidance and direction of setting a cultural value related to risk awareness, driving policy and strategy, defining a global risk profile and creating security initiatives and priorities for the banking organization. They are the drivers that define and signify security, and as such have very little time at their disposal for training and education.



 Tips for Training

Expertise and Interactivity Key to Developing a Collaborative Security Education Program

The perspective on information security changed forever on September 11, 2001. From being a check-box response on a training attendee sheet or just a mandatory requirement, security awareness training and education has today transitioned into a “hands-on,” intensive and integrated program, based on a well-founded training strategy that includes a formal course curriculum in addition to other learning interventions designed to deliver the appropriate security information and messages to all levels of employees.



 Podcast Transcript of Debbie Wheeler, Fifth Third Bank CISO

Richard Swart: Hi, this is Richard Swart with Information Security Media Group. Today I’ll be speaking with Debbie Wheeler, CISO of Fifth Third Bank. How are you doing this morning, Debbie?

Debbie Wheeler: I’m doing well. Thank you.

Swart: I appreciate you taking time to talk to us today. I’d like to talk about some of your experience. I know you have an extensive background in information security, and you’ve also spent quite a bit of time there at Fifth Third Bank working on issues around identity and access management. I was wondering if you would tell our listeners, what are the critical success factors for an identity and access management program?

Wheeler: I’d have to start with understanding what roles the organization uses or needs. That’s probably first and foremost. And in some of the conversations that Fifth Third has had with some other financial organizations that are attempting to implement identity and access management programs, specifically around provisioning, roles are the number one concern that’s raised over and over again. Fifth Third started about four years ago defining the roles that they were going to use to provision access, and having that structure in place has allowed us to very rapidly deploy over 200 applications to a centralized provisioning product from which we delegate and administer access and entitlement. I think the biggest challenges in trying to obtain or administer an access and identity management program are really selling the value to senior management.



 Spyware Game Plan

Steering Clear of Danger Takes Smart Tactics and Good Habits

The best offense is a good defense, it’s often said, and keeping spyware from invading your computer is a solid combination of both offensive and defensive measures.

Defense First

To prevent spyware from installing on your computer, follow some good security practices. Don't click on links within pop-up windows. Because pop-up windows are often a product of spyware, clicking on the window may install spyware software on your computer. To close the pop-up window, click on the "X" icon in the title bar instead of a "close" link within the window. When asked an unexpected question, the answer is “no.” Watch for dialog boxes that ask whether you want to open a piece of software or perform some other task.



 Spyware: It’s Everywhere!

The evolution of the Internet was a relatively fast one. The first advertisements were those really schlocky flashing red boxes that begged you to “click to win,” or those horrible rotating ads that made you dizzy when you looked at them the wrong way. Now, the internet ads are just as slick (or slicker) than TV ads and advertisers are really starting to spend money on them. So too follows the “spyware” or “adware” that hangs on every click you make (without you even knowing it.)

Have you sat down in front of your screen and tried to discover why it is taking forever to download, or found while troubleshooting that something has been added to the numerous operations your PC performs? The source of your PC’s slowing may turn out to be spyware: software that was installed on your machine without you doing anything.



 Your First and Last Line of Defense

Imagine the scene – it is the final battle of a prolonged war. No, we’re not talking about the Iraq war, this war is against your financial institution, and the last waves of enemy soldiers (hackers or other evildoers) are crashing in to take over customer data or computer networks.

There are many different ways to find vulnerabilities in your institution’s computer systems and you and the other information security professionals in your institution strive to find and block them all.



 Taming the Rebels Without Roles

Every time I see the movie “Rebel Without a Cause” I think what James Dean’s character would end up like when he went into the workforce. And I wonder how long he would last at most financial institutions.

Do you, as an information security professional, feel like you’re surrounded by rebels at your institution? Are some of them in your senior management? Well, those rebels and everyone else in your institution are the ones you’ll be forced to tame to make your institution “policy central” and compliant with the slew of regulatory guidance stating that information security training for all employees must be part of your information security program.



 Testing Your Employees' Information Security Response and Awareness Levels

How would your employees respond to a phishing email? Would they immediately forward it to your information security officer, or would they shrug it off and hit the delete key? What if they receive a call or voice message from someone asking for what (at the time) seems to be innocuous information on a customer? Have you trained your employees to raise a red flag of suspicion on phone calls or voice mails that don’t seem 100 percent legitimate or are coming from an unidentifiable source?

Whether your institution is a small-asset-sized bank, savings and loan, credit union, or a multinational financial institution, there is something these institutions have in common –



 Information Security Awareness Training’s Unseen Value

The idea of having as many eyes and ears on the street as possible is any police officer’s dream come true. The same idea applies to information security officers at financial institutions. What would you think if you could add to your headcount exponentially? Unless your senior management is on a spending spree, that is not likely to happen.

There is another way, however, to add to your headcount – through information security awareness training. The more involved your institution’s employees are in reporting information security incidents and knowing what they are accountable for in keeping your institution secure, the better prepared your institution will be.



 Firewalls – Why You Need One On Your Computer

The original use of the term “firewall” was the description of the brick and mortar wall built in between houses to prevent a fire from spreading from one house to the next.

A computer firewall does basically the same thing: it prevents bad things from entering your computer. A properly installed firewall protects you from many online threats, all dangerous to your data. A firewall protects you from hackers attempting to break in and from some viruses, called worms, that spread from computer to computer over the Internet. Some firewalls also block outgoing traffic that might originate from a virus infection on your computer.



 How Does Your Information Security Program Measure Up?

Developing security metrics for your financial institution doesn’t have to be something that is dreaded or feared. Planning a metrics program and implementing it to measure the effectiveness of your entire information security program can yield your group and your financial institution unseen benefits.



 Importance of Branding Your Information Security Program

While technological solutions abound (financial institutions have installed firewalls, intrusion detection systems, robust anti-virus and anti-spyware solutions, and strengthened authentication methods), financial institutions have forgotten security awareness training. One reason? There isn’t a recognizable “brand” for the information security program at many financial institutions.

According to information security expert Rebecca Herold, branding your information security program is the first step in building the basic awareness for the increased information security issues facing your institution.



 NCUA Gigi Hyland Podcast Transcript

RICHARD SWART: Hi. This is Richard Swart, Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today, we’ll be speaking with Gigi Hyland, who was appointed by President George W. Bush to a seat on the National Credit Union Board effective November 18, 2005. Her term expires on August 2, 2011. When nominated to the NCUA Board, she served as the Senior Vice President and General Counsel for Empire Corporate Federal Union in Albany, New York. She previously served concurrently as Vice President, Corporate Credit Union Relations at the Credit Union National Association and Executive Director for the Association of Corporate Credit Unions.



 Ben Chisolm Podcast Transcript

RICHARD SWART: Hi. This is Richard Swart, Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today, we’ll be speaking with Mr. Ben Chisolm, recently the Chief Information Security Officer of the United States Treasury. He has 16 years of experience in federal government, and has coordinated information security projects on a national scale for a number of agencies, including the IRS and Commerce. Can you explain what your position was at Treasury, and also could you tell us a little bit about how Treasury interacts with other financial institutions from an information security perspective?



 Don’t Let Your Lack of Back Up Bring You Down

If it has ever happened to you, you know better than to skip regular backups of your computer. If you’ve never had your hard drive wiped out by an attacker or a virus that crashed your system, take this piece of advice and think hard: do you want your data to become corrupted or be wiped out by a hardware problem?



 Measure What Your Employees Know About Information Security

Before you launch your information security awareness and training program, did you put any mechanisms in place to measure what your employees think, learn and retain on information security?

To have an effective security training program, you will want to have metrics in place from the beginning. If you don’t already measure what you’re doing, get ready to start measuring. Measurements will help establish a baseline of your employees’ and your institution’s knowledge, ability and skills in information security.



 Key To Your Information Security Training – Policies and Standards

The often-repeated “Information security isn’t a destination, but a continuous journey” rings true for financial institutions’ information security professionals. What is taken along on any journey? A map showing where you’ve been and where you plan to go is usually needed, unless you want to wander aimlessly. In the case of the information security journey, that map is the institution’s information security policies and standards.

So what do your information security policies look like? Do they sit on a shelf or exist only as an electronic document to be trotted out when the examiners arrive?



 Making Security Awareness Training More Engaging and More Effective

A scavenger hunt. A Jeopardy-like trivia game. A well-known guest speaker. A movie about espionage. Some good ideas for your institution’s party? Sure.

But they’re also possibilities in a security awareness training program, according to some experts in the field. “Most people think training has to be boring and dry,” says Rebecca Herold, an information security and privacy consultant, instructor and author. “It’s really only limited by your imagination.”

Among the ideas she’s used successfully in security training programs is bringing in a guest speaker with firsthand knowledge of a real-world, high-profile security breach. Another time, she showed “The Billion Dollar Bubble,” a commercial movie dramatizing one of the largest insider frauds ever at a financial institution in the U.S.



 Dr. Eugene Spafford Podcast Transcript

RICHARD SWART: Good to talk to you today. Could you provide us an overview of what’s happening in cyber security education and research in the United States right now? How good of a job are our universities doing?

DR. EUGENE SPAFFORD: Overall I think we’re not doing very well. We’re doing better than we were, but there are still a lot of gaps available. This is particularly well stated in a very recent report from the National Research Council that’s entitled “A Safer and More Secure Cyberspace” that was released just about two weeks ago. And their observations echo what has been said in reports and what many of us have been saying for some time: basically we don’t have enough people who are in the pipeline who are learning about cyber security. We don’t have it mainstreamed enough in the regular computing curriculum, and we don’t have the resources in place to really be looking at a broad enough variety of both near-term and long-term issues.



 Tips for a Spam-Free InBox

Feel like you’re canned in by the spam emails in your inbox? Don’t despair, here are some common sense tips to help stop spam from getting to your email inbox.



 CISO Jeff Bardin Podcast Transcript

Jeff, you are known for your innovative and effective training programs. Could you tell us about the approaches you have used and what has made them so successful?

JEFF BARDIN: I think one of the things I’ve been able to do is use different media types, software awareness and training programs. The different multi-media types that are given to crime targets. By that, I mean using different seminars out there, time seminars, some that are regularly scheduled, others that are timely dependent upon what you usually see in the environment on a regular basis, such as social engineering calls that may pop up.



 Stephen Northcutt of the SANS Institute: Podcast Transcript

Today, we will be speaking with Stephen Northcutt, CEO of the SANS Technology Institute, a postgraduate-level IT security college, and an acknowledged expert in training and certification. He founded the GIAC certification and is author and co-author of numerous books, including the seminal book in intrusion detection. Before taking a leadership role at SANS, he served as the Information Warfare Officer at the Ballistic Missile Defense Organization, he founded the Global Instant Analysis Center, and led the Naval Service Warfare Center Shadow Team. Stephen will discuss careers in information security, and the role of certification.



 Joyce Brocaglia Podcast Transcript: Recruiter's View of Evolving Role of CISO

The first question we have for you is: how is the role of an information security officer evolving, and what advice would you give to current security officers or IT professionals who aspire to the ISO role?

JOYCE BROCAGLIA: Well, what I can tell you is that in the over two decades I’ve been doing recruiting, it certainly is an evolving role. What we’re seeing is that corporate culture has shifted quite a bit from placing a value on information security to valuing information risk, and this is what has caused a large change in the information security officer’s role and forced them to evolve from a purely technologist role to much more of a strategist role.



 CUInfoSecurity.com Establishes Advisory Board

Knowing what’s important to credit union professionals is key to providing the information and news coverage needed in the financial services industry. Having a “finger on the pulse” is the best way to describe the formation of CUInfoSecurity.com’s inaugural Advisory Board.



 CSO FAQs- Career Path Leading to Chief Security Officer Role

The Chief Security Officer (CSO) oversees and coordinates security efforts across an organization including departments such as information technology, human resources, communications, legal, finance management and other groups, and identifies and establishes security initiatives and standards throughout the organization.



 Need for an Information Security Practitioner at a Financial Institution

The focus on information security is not just a passing phase: we have seen it sustained over the past couple of years, and it continues to grow. So you can now begin to place yourself in a position to become that ideal security professional as this role evolves and expands, especially at banking and financial institutions, where information security plays a critical role. Banks are committed to the security of their customers’ financial and personal information; financial institutions have to abide by privacy, customer-trust and information security laws and regulations, which have increased significantly in the past 5-6 years; and the risk of financial loss and security breaches is on the rise, so steps need to be taken to address these very significant security issues plaguing the banking industry partic



 In-Depth Guide to Information Security Certifications

Certifications are highly sought after by job seekers and employers. They are a major criterion for hiring qualified security professionals, a practice followed by most companies. The challenge for employers, and the key point, is to understand what a specific certification signifies: whether a certification, along with mastery of key knowledge areas, also tests the practical knowledge of the candidate and his/her ability

Copyright © 2007 CUInfoSecurity.com