Regulatory Compliance Priorities: Interview With David Schneier of Icons, Inc.
Despite the economic downturn and its broad effects, banking institutions continue to be held to - and measure up to - exacting standards from regulatory agencies. In this exclusive interview, David Schneier, Director of Professional Services with Icons Inc., draws from his experience in the field to discuss:
David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.
TOM FIELD: Hi. This is Tom Field, Editorial Director with Information Security Media Group. The topic today is regulatory compliance. We are talking with David Schneier, Director of Professional Services with Icons, Inc., an information security consultancy. David, I really appreciate your time today.
DAVID SCHNEIER: My pleasure, Tom.
FIELD: Now, you spend a lot of time out in the field with institutions of all sizes. Given the economic situation we're in right now, what are the compliance issues you find that institutions are paying the most attention to?
SCHNEIER: Well, really, not much has changed from six months ago to now, in terms of what our clients are focusing on, except that now, with November 1st having come and gone, there's a lot more interest in the identity theft red flags rule compliance, and what examiners are going to be expecting from that. But what we hear a lot from our clients is that really, not a lot has changed within their four walls, at least not yet, because most of our clients are community banks and credit unions, and they weren't exposed as much with the risky loans and bad investments.
FIELD: Given what we see in the marketplace, David, and understanding that sort of things are more rife for fraud now than ever, what are the types of regulatory issues that institutions should be paying attention to?
SCHNEIER: Well, I don't want to sound like I'm going to be beating the same drum over and over, but the red flag identity theft regulations couldn't have come at a better time. One of the aspects of the current economic situation that I keep advising our clients on is that in challenging economic times and downturns, particularly like this, which is potentially historical, there is an increase in criminal activity.
There is going to be an increase in attempts to get at people's identity, and trying to get access to their funds, to use individuals with better credit profiles, to try and gain loans, fraudulent loans, and potentially, I advise our clients to look for areas where they may have exposure to good old-fashioned criminal activity. ATMs are all over the place now. You can go into just about any convenience store and find one of those machines, and many of them are actually sponsored by banks. And, they have, to a certain degree, an ownership stake in making sure that there are sufficient security controls around that. And, really, it's the avenues into and out of the bank through all the many digital and physical channels that we are expecting our clients to ramp up and address.
FIELD: In terms of the institutions you are visiting with, what do you find that they are doing particularly well, regarding compliance?
SCHNEIER: They are paying a lot more attention to moving beyond the formal documentation. It's not enough simply to have an information security program that talks about what you're supposed to be doing; you really need to extend from that, and be able to actually comply and demonstrate that you're complying with what it is that you say that you're doing. And as we go through multiple iterations of exams as institutions have more time to let these activities mature, we are seeing that there is a better set of activities that are in place now, that actually support what they think needs to be done.
It's in layers, basically, Tom. What happens is the first year you put in an intrusion detection system. The next year you put in place, you know, safeguards to see if there is suspicious activity on accounts. And every year, they just put in another control, and in the aggregate they are actually doing a much better job of going back to address the spirit of what they need to be doing.
FIELD: The flip side of that - what could they be doing better?
SCHNEIER: They could be documenting what they're doing a lot better. A lot of our clients are actually doing -- they're conducting a lot of activity, and they are supporting a wide range of controls that you would never know are in place unless you actually spent time there, doing the field work that myself and members of my practice, you know, do. You look for evidence, you know, it always goes back to the core principles of knowing what you need to do, document that you do it, how you do it, and then be able to provide evidence.
Well, what we do see a lot of is where there is evidence of activity, but there is no formal documentation, explaining that they are actually scrutinizing new account requests, or they're conducting periodic reviews to see who has access to their various systems, but it's not documented that they do it, or how they do it. However, they say they do it, and they talk you through it, and they tell you the various steps, and you know that it is legitimate, but there is no other way to know, if they don't report to show what they've done, and there's no procedure that they follow, where they can check off the various steps. And we see this in a number of key activities.
FIELD: Well, a frightening thing is, what we see in the market right now, with budget crunches and layoffs, that isn't apt to get any better. But, given the situation, David, where do you see low-hanging fruit for institutions, in terms of meeting, or even exceeding compliance?
SCHNEIER: Tom, it always goes back to what I consider to be the core principles of all of this. You know, GLBA does a great job of spelling out at a somewhat high level the key controls that you need to address in order to achieve compliance. But, really, for a fair number of institutions out there, they tend to see complex technical solutions as the path to lead them to where they think they need to be. And the truth of the matter is that we always advise, we counsel that you should use common sense to figure out what is the minimum you need to do, in order to address the spirit of this control. You don't need to go out ... For example, to make sure that there is only approved and legitimate activity on your network, it's great to be able to go out and buy a network monitoring device that actually can detect if somebody even puts a wire into a jack in a wall somewhere, but the truth of the matter is, go back to the core principle, which is to sufficiently configure your network.
Go back to where you don't need to buy any advanced solutions, or implement any new tools, and figure out, "How can I sufficiently reduce the risk, based on what is available to me today, and in particular, with the current economic conditions?" Because, a lot of our clients, you know, going back to your opening question, a lot of our clients, they're not experiencing financial pains yet, but they're anticipating it, so they're looking for ways to try to achieve the desired results without having to commit funds, so the same principles apply. You go back and look for "What can I do, based on what I have, to achieve compliance?" And that is really: Keep it simple. And I mean, you know, some of my clients actually think that I'm downplaying the complexity of this, but I'm not. If you restrict access at the directory level, to what a user can gain access to on the network, then you don't need to really monitor who is gaining access to things on the network. It's just that simple.
FIELD: I'm going to ask you something of an unfair question, David. I'm going to ask you to look into your crystal ball, realizing that these days a crystal ball is good for about two hours. But, given that, what do you see as some of the key compliance issues that institutions are going to be grappling with early in 2009?
SCHNEIER: Well, again, I think there is going to be a staffing shortage, in terms of institutions are going to look to cut back on what they perceive as noncritical positions, or positions where they believe that they could gain additional bandwidth from fewer people and unfortunately, experience has taught us that oftentimes in the IT stage, a lot of, I think a lot of banks and credit unions are going to try and cut back on staff, which is going to put an additional burden on those that remain, to try to get more done.
But bear in mind, Tom, that the examiners aren't giving anybody a free pass. Red flags is expected -- it is expected that you are going to have an actionable program in place, and that is going to require a body to actually implement, to train, and then to monitor the solution that each institution creates and is working. And that is in addition to all the existing compliance work that needs to be done. And really, keep in mind, compliance really isn't, or it shouldn't be a separate set of activities - it's really something that should be embedded within the day-to-day job responsibilities of the employees of all of these institutions. But, still, there are a lot of activities that need to occur, and we've already seen some indication that open positions won't be filled, and in many places there is going to be an attempt to try and downsize just a little bit. And these activities may be perceived as optional, but they're not. When the examiner comes in, they're not going to give you a free pass because of tough economic times. You still need to make sure that you are in compliance with each of the key touch points of GLBA.
FIELD: Well, you make great points, David. I appreciate your time and your insight today.
SCHNEIER: My pleasure, Tom.
FIELD: We've been talking with David Schneier, Director of Professional Services with Icons, Inc. For Information Security Media Group, I'm Tom Field. Thank you very much.