Security Expert Rebecca Herold on: Total Information Protection
Good morning Rebecca.
Rebecca Herold: Good morning.
Swart: I would like to start by talking about what are the personal risks that executives of financial institutions face if they fail to implement effective security or to comply with IT security regulations.
Herold: Well, there are many. It is first important though for the financial institution leaders to understand that there are many laws and regulations requiring information security programs and these programs must be built based upon risk assessments directly related to safeguarding customer information. Some of the laws and regulations include the U.S.A. Patriot Act, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Fair and Accurate Credit Transactions Act. Also the FFIEC IT Examination Handbook, the FDIC IT Examination Workpaper, the OTC Consumer Regulations Handbook and various other oversight agencies guidance requires and emphasizes the importance and responsibilities of executive leaders to ensure security is in place.
Besides those, there are at least 39 state level breach notice laws along with hundreds of other state laws that address and require institutions to provide data protection activities. And then, if your organization has offices outside the U.S., there are over 100 data protection laws within countries throughout the world.
So financial leaders must realize this and must work with their board of directors or a sub-committee of the board to satisfy the specific requirements and make sure that the security program is developed, implemented and maintained. The executives and the board are ultimately personally responsible for ensuring that this takes place and this is done.
Management within financial organizations must provide a report to the board or an appropriate subcommittee at least annually that describes the overall status of the information security program and compliance with all of the different security guidelines.
Of course, under Sarbanes-Oxley Act, the executive leader of any publicly traded organization is personally liable for shortcomings in compliance requirements and they face not only penalties, but also jail time and fines. The financial institution also faces not only penalties and fines, but also they must realize that along with the bad publicity that they get, they also loose customers.
So there are many different risks that executives needs to realize exist in order to comply with the IT security regulations.
Swart: What about starting, or maybe I should say restarting because I canâ€™t imagine one of our banks or credit unions not having a risk management program. How would you restart or re-engineer a risk management program that is not working, or what ensures that a risk management program was effective?
Herold: First and foremost, and this is something I have seen many organizations not have, and many organizations have failed in their efforts because of this, first and foremost you must have strong support, visible support from executive leaders.
Implementing a risk management program is going to involve personnel from throughout the entire organization so it is important for the executive leaders to communicate to all personnel that risk management is important to the business, is a required part of the business, and that all personnel must be involved to be successful. Initiatives that involve the entire company will not be successful if the company leaders do not visibly and actively support them. Personnel will chose not to be involved if they think they donâ€™t have to be involved. So that is first and foremost.
Second, you need to establish a good team and also have a good and strong experienced leader to establish the risk management program. Now many organizations that do not have someone in house with risk management information security or compliance experience benefit greatly by bringing in a consultant who does have this experience to help lead the way in building their program.
Third, organizations shouldnâ€™t try to reinvent the wheel. In other words, they need to look at well-established and proven risk management frameworks. I have seen organizations benefit greatly from using such frameworks as COSO, CoBIT, ISO 17799, which is now called ISO-270002, as the framework around which to building their risk management and information assurance programs.
No single enterprise risk management program though is comprehensive enough to help ensure that the organization meets all of its compliance, government and risk management needs. So, organizations should establish a central framework such as COSO and then selectively combine standards from the other frameworks such as CoBIT and ISO 270002 to build around that central framework to help ensure they do have a comprehensive program in place.
Then, fourth, perform a risk assessment. To many organizations skip this part. However, it is critical to perform a risk assessment. Risk assessments are the foundation of any good risk management and security program. It allows financial institutions to truly understand the climate of their network and computer and information systems along with reviewing the risks involved with how the personnel handle that information.
So after you get those four things in place, then you continue on to build your program.
Swart: Great information there Rebecca.
I would like to switch topics a little bit and talk about specific threats. We know that there are significant issues regarding data leakage out of banks and financial institutions, we also know that mobile devices are becoming a major threat. So I was wondering if you could talk about some of the most important risks facing banks in terms of data leakage and some strategies for preventing that.
Herold: Okay. Well, yes, there are many different ways in which data has been leaking and being stolen and taken out of organizations. We see it in the news basically every day. I want to talk about probably the five most common ways that data is leaked or compromised, and these are in no particular order because they are all happening with much to much frequency.
One way is via email. I have seen a lot of organizations leave emails completely unsecured or they send as attachments, or within the message themselves very sensitive data, personally identifiable data or confidential data that they send outside of the organization. And then that data sometimes is sent accidentally to the wrong email recipients or it is forwarded on to others when the person who created that email never intended for it to be forwarded on or someone intercepts the email. So email is a big threat.
Another threat as you mentioned during the question, is through mobile computing and storage devices. People now are dependent upon their notebook computers, their PDAâ€™s their USB thumb drives for storage and so on. And so data has become very mobile and this mobility puts it at great threat, particularly when most of the time this data is not encrypted.
So whenever you have data that is on notebook computers or any other type of storage devices outside of your secured facilities, it is very easy for that data to be lost. It is often stolen. The people who have those devices often times do silly things such as leaving them in the front seat of their car while they go into a restaurant and when they come back out the device stolen, gone. So mobile computing and storage devices theft and loss is another common way.
A third way is not building security into the applications and systems that the organizations use to run the business. Often times this lack of having security built in results in data being inappropriately posted on the internet or allowing inappropriate access to it. There have been many incidents reported in the news about how different applications on the internet were not created securely and as a result some very sensitive data got posted out on the internet for many people to see. So it is important for organizations to realize that security has to be thought of at the very beginning of the planning phase for an application or system being built from scratch, being built as a new application, or being updated.
Fourth, very real and significant risk is the insiderâ€™s threat and the insiderâ€™s threat comes from authorized individuals either making mistakes with how they handle sensitive information and allowing it to get into the hands of people that it should not be, or when you have authorized people maliciously taking or misusing that sensitive information. And this is what makes training and awareness so very, very, very important. It is very important to make sure that you have a strong and effective training and awareness program in place to tell your personnel how they must safeguard information.
In fact, the human risk, or the human threat is the weakest link in your security program. So that makes the training and awareness that much more important. In fact, I just launched a new quarterly subscription awareness product, multi-media product, to help organizations to address this risk. It is called Protecting Information and it is through Information Shield if anyone wants to go look at it there.
The fifth way that data is looped and compromised a lot is through improper disposal of confidential information. This is something that I mentioned at the beginning how defacto law requires organizations, particularly the financial but including many others, to properly safeguard data, but it talks very explicitly within that law about the disposal rule. There have been many incidents that have occurred through improper disposal not only of electronic storage devices but also of the printed confidential information on papers, and even when people are out with their voice mail or speaking inappropriately in public. So improper disposal of PII is something that organizations have often lost data through.
So those are probably the five biggest ones, but then of course there are many other ways in which data can be linked or compromised.
Swart:When you were with the Principal Financial Group you won an award for your information and protection program. I just wonder if you could share the last question maybe, one or two significant lessons that you learned there about implementing large-scale information and data protection programs.
Herold: Sure. Well, that was a great learning experience and I learned many initiatives but I guess first and foremost what I learned is you must know your business. Information security professionals cannot create an effective information protection program without knowing what their business is. You canâ€™t perform an effective risk assessment upon which to base your security program, your risk management program, without knowing what your business is.
Too many information security practitioners try to implement security programs without first knowing what their business is. They have to remember that security must support and protect the business along with employee and customer information.
Then you must also communicate directly and often with the business unit leaders. This will help you to better understand how they perform their business and it will also provide an opportunity for them to have input into your security program. When people have input into your program they feel a sense of ownership and they will be more likely to not only buy in to your security efforts, but they will also be prone to more actively support and promote your security initiatives.
And then of course you have to take into consideration all of the other factors involved in your business, such as your business locations, differences in languages, customs, and so on.
But, communications and ongoing awareness is key in conjunction with of course knowing and understanding the basics of information security privacy and compliance requirements.
Swart: Well, fantastic information today Rebecca.
Thank you for sharing your knowledge and experience with our listeners.
Herold: Well. thank you Richard. I enjoyed chatting with you for a few minutes.
Swart: Well, thank you for listening to another podcast with the Information Security Media Group. For other education material or to listen to other podcasts on information security in the banking and finance industry, please visit www.BankInfoSecurity.com or www.CUInfoSecurity.com.