Bank Director Magazine - 2003 - Technology Supplement

Information Security Plans: From Technology To Testing

Bank Director recently interviewed Katie McGuire, CISSP, Internet solutions security officer, and John San Filippo, marketing manager, both with Jack Henry & Associates, about designing a comprehensive information security plan.

What are some common benchmarks a bank’s board can use to gauge its relative position with regard to deployment of technology strategies, in particular, information security?
Comparing one bank to another isn’t necessarily the best way to gauge how well your bank is doing in terms of information security, because you have no assurance that the other bank is handling information security particularly well. Instead of looking at competitors, the goal should be to determine how well your bank stands up compared to standard practices in the IT security field as a whole. In addition to being a more effective measurement, it’s a much easier one to make.

The best place to start is with the organizations specifically founded to address IT security issues. Two that come to mind are the Information Systems Security Association (ISSA) and the SysAdmin, Audit, Network, Security (SANS) Institute. You can find these groups on the Web at www.issa.org and www.sans.org, respectively. Granted, these organizations and their websites are geared primarily toward the IT security professional, but even a layperson can get a good idea of all that’s involved in this important field.

There are also a number of government agencies that publish IT security benchmarks. Probably the most relevant to the banking world is the Federal Financial Institutions Examination Council (FFIEC). There’s a wealth of information on its website at www.ffiec.gov.

One reference you may often encounter is to ISO 17799. The International Standards Organization publishes standards in a wide variety of disciplines, and ISO 17799 is the one that deals with information security. ISO certification is quite rigorous, and if your bank is ISO certified, that shows you’ve achieved a very high standard in information security. If you’re wondering how well your bank stacks up, there’s a free survey you can take on the ISSA website.

What are some of the most progressive banks doing with their information security plans?

The most progressive banks—and I’ll expand that to the most progressive IT shops—recognize that information security is not a product you can buy. It’s a process that you must put in place and continually move forward. You can purchase all the firewall and intrusion protection systems in the world, but if you don’t think of information security as an ongoing process, you’re going to fail. In other words, you can’t just buy a product, plug it in, and think you’re done.

When and how should the bank review or test its information security programs and what follow-up actions should be taken?
In general terms, it goes back to what I said earlier about information security being a process. Review and testing are certainly part of that process. However, the specifics may vary from one bank to the next, because every bank’s needs are different. Many issues—the size and complexity of your IT operation, whether your systems are connected to the Internet, and any unique local threats you may face—will help determine exactly how and to what extent you test.

It is very important to have your information security process periodically reviewed by an independent source. By that I mean a firm other than the one you may normally rely on for information security. Having your regular security firm review itself really defeats the purpose.

It’s also not a bad idea to use a different firm each time. For example, we rotate the vendor who performs our annual intrusion test. Information security is so vital to a bank’s operation, you can’t afford to treat reviews as a routine task.

One thing to keep in mind is that deficiencies in technology don’t represent the only risks. Lack of a clear and concise security policy and poor communication of that policy to employees also represent a significant risk. If you don’t have such a policy, you don’t have anything to drive your actions; if your employees don’t understand the policy, they can’t apply it. Then you may be misdirecting time and resources, which in itself is risky because you’re not focusing your attention where it needs to be focused. Thus, you really need to start out with a risk assessment and a policy. They pretty much go hand in hand, because your policy can spell out the results of the risk assessment and tell you how and where to focus your resources.

Where are some of the most common weak spots found regarding information security?
Probably the most common weak spot is the failure to apply security patches distributed by the software vendor. Sometimes people forget, sometimes they’re lazy, and sometimes the organization simply hasn’t provided a clear policy—yes, back to that whole policy thing again. It’s so important.

It’s crucial to note that vendors make these patches available without any additional charges to their customers. That means there is no cost factor involved in the decision to apply the patches or not. This really should be a no-brainer, but it’s amazing how often this sort of thing is overlooked.

Another problem that could be easily avoided is the weak password. By that I mean one that is two characters long, or is a word that can easily be found in the dictionary. There are a number of tools that hackers can use to crack these types of passwords. IT professionals should know better, and they should make sure that everyone else in their organization knows better, too.

The SANS Institute, together with the FBI, has compiled a list of the top 20 system security vulnerabilities and makes the list available on its website. It’s worth checking out, because according to the SANS Institute, the vast majority of security breaches are due to these 20 vulnerabilities.
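The following is an added example, not part of the interview or of Jack Henry & Associates’ own tooling, illustrating the weak-password point above: how quickly a two-character or dictionary-word password falls to an offline guessing tool, and what a simple policy check that rejects such passwords looks like. The word list, the mangling rules (capitalisation and a trailing "1" or "!"), the unsalted SHA-256 storage and the 12-character minimum are all assumptions chosen for illustration; real cracking tools use word lists of millions of entries and far richer mangling rules.

```python
import hashlib
import itertools
import string

# Constructed toy word list; real attack word lists run to millions of entries.
WORDLIST = ["password", "banker", "welcome", "summer", "letmein", "teller"]

# Assumed character set for the short brute-force pass: lower-case letters and digits.
ALPHABET = string.ascii_lowercase + string.digits


def sha256_hex(pw: str) -> str:
    """Toy password store: unsalted SHA-256 (assumption). Unsalted, fast hashes are
    exactly what makes offline guessing this cheap."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def dictionary_candidates():
    """Yield each word with the common mangling rules an attacker tries first:
    as-is, capitalised, and with a trailing '1' or '!' (assumed rule set)."""
    for word in WORDLIST:
        for base in (word, word.capitalize()):
            for suffix in ("", "1", "!"):
                yield base + suffix


def crack(target_hash: str, max_brute_len: int = 2):
    """Try a dictionary pass, then brute-force every string of ALPHABET up to
    max_brute_len characters. Returns (password, guesses) on success or
    (None, guesses) when every candidate has been exhausted."""
    guesses = 0
    for candidate in dictionary_candidates():
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    for length in range(1, max_brute_len + 1):
        for combo in itertools.product(ALPHABET, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def password_is_weak(pw: str, min_len: int = 12) -> bool:
    """Policy check (assumed thresholds): reject passwords shorter than min_len
    or whose core, ignoring case and a trailing digit/punctuation suffix, is a
    dictionary word. A long password built on a dictionary word still fails."""
    core = pw.lower().rstrip(string.digits + "!@#$%")
    return len(pw) < min_len or core in WORDLIST


def demo():
    """Run the cracker against three constructed passwords and return the results."""
    results = {}
    for pw in ("7q", "Welcome1", "correct-horse-battery-bank"):
        found, guesses = crack(sha256_hex(pw))
        results[pw] = (found, guesses, password_is_weak(pw))
    return results


if __name__ == "__main__":
    for pw, (found, guesses, weak) in demo().items():
        status = f"recovered after {guesses} guesses" if found else f"not found in {guesses} guesses"
        print(f"{pw!r}: {status}; policy flags weak = {weak}")
```

The two-character and dictionary-derived passwords are recovered in well under two thousand guesses, which a modern machine does in a fraction of a second even with a far larger word list; the long passphrase survives both passes. The policy check is the cheap preventive control: it rejects the same passwords the cracker recovers, including a long password that merely decorates a dictionary word.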

With so many competing technology needs today, what part should information security play in the board’s evaluation of its overall technology strategy?
I’ll keep this short and simple. I think it’s a big mistake to look at information security as a separate issue. It’s a critical component of every single technology decision you make, every technology product you deploy, and every technology service you outsource. I’d say it’s very important.

What are some of the ways the board can evaluate outside resource providers for information security?
First and foremost, don’t take the vendor’s word for everything. Insist on seeing documentation that backs up any claim it might make. For example, we share our Statement on Auditing Standards (SAS) 70 results with our customers. We share the results of our intrusion testing. In short, the results of virtually all of our independent review and testing processes are available to our customers. I’d be a little suspicious of any vendor that doesn’t take this approach.

It’s also important to look at any outsourcing vendor in terms of its disaster recovery plan. If anything good has come out of the last year for banks, it’s that they’re a lot more aware of the need for emergency backup. The outsourcing vendor must be able to keep your bank’s processes going when things go wrong.

For instance, with NetTeller (our home banking application service provider), we have a mirror image disaster recovery site. We can switch to it in a matter of minutes if the primary site goes down. The greatest outsourcing operation in the world won’t do your bank much good if that operation isn’t prepared to weather any disaster that may arise.
