Before Y2K, information security was rarely discussed in bank board meetings. Today, evaluating directors' and officers' knowledge and supervision of a bank's information security program is a key component of an information security bank exam.
The importance of information security (IS) in the banking industry has grown tremendously over the last five years due to a combination of factors. These include regulatory requirements mandating information protection, the growth of electronic banking and the increasing number of individuals (employees, customers and third parties) with access to enterprise data. In the banking industry, the catalyst for developing formal information security risk management programs was section 501(b) of the Gramm-Leach-Bliley Act, which requires financial institutions to implement an information security program that ensures the security, confidentiality and integrity of customer information. More recent legislation, such as California Senate Bill 1386 and the Sarbanes-Oxley Act, has reinforced the need for strong security controls around customer and financial information.
These laws have led to greater alignment between information security programs and business objectives. Risk assessments and reporting are conducted quarterly and reports are more meaningful to business units. In addition to greater alignment with business priorities, these laws are allowing information security departments to spend a greater percentage of the IT budget to automate risk monitoring and to implement new security controls as needed.
Where Are Banks Investing the IS Budget?
One of the key focuses of 2004 has been enhancing controls around employee access to information. Several banks are implementing employee access rights management solutions that tie an employee's rights to his or her role, so that employees can access only the information and systems they need to perform their jobs. Another focus area has been more secure employee authentication, today chiefly through single sign-on platforms that let employees use the same user name and password for all applications. For example, one bank disclosed that it was using RSA's ClearTrust Web access management solution to manage single sign-on access. Single sign-on reduces password sprawl and centralizes provisioning and revocation, but it also makes that one credential a higher-value target, which is why future authentication solutions may include biometrics or tokens as the means of granting access to PCs or applications. Several other large banks have already implemented voice authentication solutions to secure employee password re-sets.
Other major technology projects taking place across financial institutions include investments in detection tools that monitor unauthorized or suspicious movement of, and access to, data and systems. These detection tools range from e-mail content monitoring from Tumbleweed to intrusion detection solutions from Cisco and Symantec, for example. In the intrusion detection space, newer investments are in host-based intrusion detection rather than network-level detection, as most financial institutions already have robust network-level security controls.
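The two mechanisms described above, a role-based entitlement policy and a monitor that surfaces access the policy would not have granted, fit together naturally: the same policy that drives provisioning can be replayed over access logs. The following is an added illustration, not code from any bank or vendor named in this article. The role names, permissions, user assignments and log lines are all constructed for the example, and the log format (timestamp, user, resource, action) is an assumption.

```python
"""Role-based access control (RBAC) with deny-by-default decisions, an
entitlement report for periodic access review, and a detector that replays
constructed access-log events against the policy.

Added illustration; not code from any bank or vendor named in the article.
Role names, permissions, user names and log lines are constructed.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Each role lists only the (resource, action) pairs its job function needs.
# Anything not listed here is not granted: the policy is an allow-list.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "teller": frozenset({("account", "read"), ("account", "deposit")}),
    "loan_officer": frozenset({("account", "read"), ("loan", "read"), ("loan", "approve")}),
    "auditor": frozenset({("account", "read"), ("loan", "read"), ("audit_log", "read")}),
}

# Constructed user-to-role assignments. A user may hold several roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"teller"},
    "bob": {"loan_officer"},
    "carol": {"auditor", "teller"},
}


def effective_permissions(user: str) -> FrozenSet[Permission]:
    """Union of the permissions of every role assigned to the user.
    Unknown users and unknown roles contribute nothing."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_authorized(user: str, resource: str, action: str) -> bool:
    """Deny by default: True only if some assigned role grants the pair."""
    return (resource, action) in effective_permissions(user)


def access_review() -> Dict[str, List[str]]:
    """Entitlement matrix for periodic review: user -> sorted 'resource:action'.
    Reviewers compare each row against what the job actually requires."""
    return {
        user: sorted(f"{res}:{act}" for res, act in effective_permissions(user))
        for user in USER_ROLES
    }


# Constructed access-log lines: "<timestamp> <user> <resource> <action>".
SAMPLE_LOG = """\
2004-06-01T09:01:12 alice account read
2004-06-01T09:02:40 alice loan approve
2004-06-01T09:05:03 bob loan approve
2004-06-01T09:06:55 dave account read
2004-06-01T09:08:10 carol audit_log read
"""

Event = Tuple[str, str, str, str]  # (timestamp, user, resource, action)


def parse_log(text: str) -> List[Event]:
    """Split the constructed log format into (timestamp, user, resource, action)."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, action = line.split()
        events.append((ts, user, resource, action))
    return events


def detect_policy_violations(text: str) -> List[Event]:
    """Replay logged accesses against the policy and return those the policy
    would have denied. If an application granted them anyway, that is the
    gap a host-level monitor is meant to surface."""
    return [ev for ev in parse_log(text) if not is_authorized(ev[1], ev[2], ev[3])]


if __name__ == "__main__":
    for user, entitlements in access_review().items():
        print(f"{user}: {', '.join(entitlements)}")
    for ts, user, resource, action in detect_policy_violations(SAMPLE_LOG):
        print(f"VIOLATION {ts} {user} {resource} {action}")
```

On the constructed log the detector flags two events: alice, a teller, approving a loan, and dave, who holds no role at all, reading an account. The second case is the reason the policy evaluates unknown users to an empty permission set rather than raising an error: an access by an unprovisioned identity should show up as a finding, not crash the monitor.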
Security is a dynamic process. Attacks against systems evolve as hackers and fraudsters continuously find new ways to defeat a firm's security controls. Thus, the most important part of an information security program is a process for continuously assessing security risks, so that the firm can respond as quickly as possible with stronger controls where necessary. Financial institutions have been investing in vulnerability management solutions to automate these assessments.
Responsibilities Beyond the IS Department
As the importance of information security has grown, so too has the involvement of information security representatives in technology purchase decisions.
IS groups today are responsible for conducting much more thorough evaluations of vendor security capabilities than in the past, and they have been voicing their opinions about these capabilities directly to the business executives with the purse strings. At one large bank, one of the major IS projects completed recently was the development of a Web-based questionnaire to be filled out by current and potential vendors to evaluate their security capabilities.
Bank IS groups have also taken a leadership role in educating employees about their information security responsibilities. In many cases, this requires more than education. Rather, it requires a true change in corporate culture from one dominated by uninhibited information access and exchange to one where information is viewed as an asset to be appropriately categorized and secured.
Perhaps the most difficult task for IS professionals is reaching out to bank customers to teach them about the risks they incur when they reveal their personal information. Many banks will admit that their greatest security risk comes from customers who fall into the traps fraudsters design to capture the very customer information banks work hard to protect. This is why so many of the largest financial institutions are devoting significant marketing and advertising dollars to educating customers about the risks of identity theft.
Sophie Louvel is an analyst with Framingham, Mass.-based Financial Insights. She can be reached at [email protected]