Apr 17, 2008
The State of Banking Information Security 2008 Part IX: Training – Employees, Customers Don’t Get What They Need
Security awareness – or lack thereof.
We’ve always known this was an issue with banking institutions, and the State of Banking Information Security survey has only validated our suspicions.
Whenever I ask a banking/security leader “What are your top challenges?” right there at the head of the list is security training for employees and customers. No one ever seems to have enough time or resources to do the job even to their own satisfaction, never mind the regulators’.
And speaking of the regulators, they only put added pressure on institutions last year with the announcement of the Identity Theft Red Flag Rules, which (among other things) require these businesses to have documented awareness programs for employees and customers alike.
So, knowing this is a pain point for our audience, we dedicated a section of our survey to security awareness. And I hate to say it, but … the results weren’t surprising.
Our respondents generally grade themselves low at providing effective security awareness training to these groups: 66% rate themselves “average” to “poor” at educating employees, and 73% say the same about educating customers.
And when we ask which media they use for training, the answers are what you’d expect: websites, email alerts and the dreaded statement stuffers (want to ensure that a resource goes unread? Stuff it into a bank statement!).
Resources are tight, we know – and they’ve only gotten tighter since the start of the year – and training budgets always take a hit in down economies. But the Red Flag compliance date is Nov. 1, and between now and then … well, institutions can’t afford to skimp on awareness efforts. There must be strategic education plans in place, and they have to go beyond merely satisfying an examiner’s check box to fulfilling the need for security awareness.
The risk: If institutions don’t improve their awareness programs, then they won’t merely fail their self-assessments – they’ll imperil their own customers’ confidence. Without that confidence, banking institutions truly have no assets.
Conclusion
As we wrap up this RSA Conference blog (and thank you to RSAConference.com for this opportunity), let’s also wrap up our look at the State of Banking Information Security survey.
There were more commonalities than differences in this inaugural study. No matter the type of institution, its size or its locale, the priorities, responsibilities and challenges are much the same, and so is the information security agenda for U.S. financial institutions in 2008. There clearly is a difference between perception and reality when it comes to the confidence security leaders have in their programs vs. their confidence in vendor security and customer awareness – two key areas that put at risk the fundamental trust banking institutions need to survive. The message from our respondents is clear: What we’re doing now is insufficient; going forward this year, we must ensure that our:
- Security strategies are documented & shared;
- Business Continuity Plans account for newer threats, are tested, communicated and updated;
- Incident Response Plans account for business issues, including incidents at technology service providers (TSPs);
- Vendor management improves, ensuring that our partners’ security and compliance measures are as air-tight as our own should be;
- Security awareness improves, with new efforts aimed at employees and customers alike.
We’ll track and report institutions’ progress over the course of the year, and you can expect to see us back here early in 2009 discussing next year’s information security agenda.
Thanks for reading, and please be sure to follow our ongoing news coverage of banking/security issues.


Apr 10, 2008
The State of Information Security 2008 Part VIII: Banking Services & Spending Priorities
OK, you can’t talk about information security and not talk money.
And, clearly, in taking the industry’s pulse with our State of Information Security survey, we wanted to know about threats, solutions, priorities, challenges … as well as how folks are spending their budgets. Where their budgets are coming from, for that matter. Here, then, are some of the key areas of focus:
Most Commonly Outsourced
Vendor management being such a key concern, we asked respondents which services they most commonly outsource. And no surprising answers here in the top four:
- Internet Banking
- Security Services (firewall/IDS)
- Check Processing
- Core Account Processing
Top Internet Banking Services
Seeing Internet banking as such a huge priority, we wanted to know more about it. What, specifically, are banks outsourcing here? Their top responses:
- Account Review/Update
- Online Bill Pay
- Funds Transfers
- View Check Images
- Cash Management
2008 Spending Priorities
The big question, of course, is where are folks spending money this year? Here are the top seven spending priorities they listed for us:
- Encryption
- Log Management
- Intrusion Detection
- Secure Backup/Storage
- Anti-Fraud
- Identity & Access Management
- Anti-Phishing Solutions
Interesting, actually, to see what didn’t show up in the main survey: Mobile banking. Institutions currently are split on how they plan to adopt (if they even plan to adopt) mobile banking technologies, so this already is shaping up to be an interesting discussion point for our next big survey.
Budgets – the Haves and the Have-to-Get-From-IT
The other big financial story is about budgets – where do they come from? As mentioned in earlier installments, given the senior titles and reporting relationships of our respondents, we expected they might also be managing their own information security budgets. Not so. Instead, we find that 54% of respondents do not have their own defined budgets – they’re still getting money from IT. Which again raises the concern: Is information security being funded like a business issue?
But there is encouraging news, too: as we explored the issue further in follow-up discussions, we found that many departments are at least getting budget increases this year – wherever the money is coming from – to handle the latest compliance issues and threats.
Now, given the economic events that have unfolded in early 2008, it’s fair to wonder what next year’s budget picture is going to look like. But given, too, that regulatory compliance and security threats aren’t going to go away, I don’t expect these budgets to diminish.
What do you think?
Next: Training – Employees, Customers Don’t Get What They Need.
Again, for more on the State of Information Security 2008, here’s a link to the executive summary of our survey.
And if you have any questions or comments about the survey or about banking services and spending priorities, please write to me.
Tom Field is Editorial Director of Information Security Media Group, publisher of BankInfoSecurity.com and CUInfoSecurity.com


Apr 02, 2008
The State of Information Security 2008 Part VII: Regulatory Compliance
When you talk to a banking security officer about current priorities, you tend to get two lists: The things they’d like to do, given time, staff and budget; and then the things they have to do to meet regulatory compliance.
I wouldn’t say that either list is necessarily longer than the other. But I know which one gets completed first!
Regulatory compliance is a top priority for banking institutions because it has to be – because every institution is going to be examined and scored on the basis of how it meets the standards enforced by the major federal agencies: Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC) and Office of Thrift Supervision (OTS).
And if you think that’s alphabet soup, then take a look at the short list of key regulations with which financial institutions must be compliant:
- Gramm-Leach-Bliley Act, or GLBA, which includes provisions to protect consumers’ personal financial information held by financial institutions.
- The Bank Secrecy Act (BSA), a tool the U.S. government uses to fight drug trafficking, money laundering, and other crimes.
- The Sarbanes-Oxley Act of 2002, which establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms.
- The Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements created by the major card brands (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to protect cardholder data against identity theft and security breaches.
And that’s just a sampling of the banking regulations that could – in fact, do – make up a full-time job at countless institutions across the U.S.
So, in the course of the State of Information Security survey, it was incumbent upon us to ask how institutions assess their compliance with the major regulations. We expected, of course, to see them say they “meet industry standards” or better. And that’s exactly what we got. Across the board, the marks for “needs improvement” are low.
In fact, looking at how institutions assess their compliance with these major regs, the only stand-out “needs improvement” is with the relatively new PCI standard, where 11% of respondents say they need additional work. No surprise there.
Asked how they measure their own compliance with industry regulations, 78% of respondents say they engage third parties to conduct audits. Just as many, 78%, say they also assess compliance internally, using industry standards and guidance from banking regulators. Only about one-fifth, 21%, use automated compliance monitoring systems.
Interestingly, when asked how they evaluate their vendors’ compliance, 71% of respondents say this is done as a part of their vendor management programs – the same vendor management programs they earlier told us were inadequate!
Anyway, this whole topic of regulatory compliance is a good one to watch – especially this year. Coming into 2008, banking institutions already knew they had to deal with the Identity Theft Red Flags Rules, which have a Nov. 1 compliance deadline. But since Jan. 1, they’ve also been hit with new Business Continuity Planning guidance – particularly regarding pandemic planning. And it’s always fair to say there are additional requirements in the works.
When the requirements stop coming, then banking/security leaders can get back to that “like to do” list.
Next: Banking Services & Spending Priorities
And if you have any questions or comments about the survey or about Regulatory Compliance, please write to me.


Mar 24, 2008
The State of Information Security 2008 Part VI: Vendor Management
It’s been fun to watch the evolution of outsourcing the past decade or so.
As companies have grown more comfortable with the concept, with their own needs and with vendor selection, we’ve seen outsourcing customers become smart shoppers and hard negotiators. It’s rare now to find even a prospective customer who hasn’t done good due diligence and given thought to all the terms of an outsourcing contract and when they should be reviewed. In ongoing relationships, it’s rare to find outsourcing partners who don’t abide by a defined set of service level agreements (SLAs).
But what about security level agreements?
Here’s where we found some … well, I don’t want to say surprises. Let’s say we confirmed some suspicions when we asked State of Information Security survey respondents about their vendor management practices. Or, frankly, lack thereof.
The truth? Too many financial institutions today limit their vendor management to checking customer references and SAS 70 reports, and then monitoring the SLAs in their contracts. There’s little, if any, attention paid to an outsourcer’s security program and processes – how the vendor will secure the private data with which it has been entrusted.
This is a deficiency we suspected, and suffice to say: Going forward, institutions do need to understand their vendors’ security measures, and they must show evidence that they have inspected and ensured the safety of critical information when it’s in third- or fourth-party hands. That’s not me saying so; it’s the federal regulatory agencies.
Yet, even knowing that vendor management would be a hot-button issue, it’s still an alarming picture when you see that more than two-thirds of survey respondents (67%) outsource a key system such as Internet banking, and yet 41% report only moderate confidence in their vendors’ security. Now, you can argue that moderate confidence is average, and what’s wrong with that? To which I reply: Are your customers satisfied with average security protection?
And by the way, 23% of our survey respondents say they have no idea whether their vendors have suffered a security breach during the past two years.
Another 21% don’t know or don’t check whether their vendors are in compliance with industry regulations.
You can see the pattern here. Clearly, financial institutions are paying more attention to the financial terms of their outsourcing agreements than to the secure environments in which these contracts are fulfilled. It’s a disparity our respondents noticed, and it’s one the regulatory agencies have picked up on, too. Both the FDIC and NCUA have announced stricter vendor management standards for financial institutions in their upcoming examinations.
Call it another step in the evolution of outsourcing. With luck (and regulations) on our side, we’ll soon see a day when SAS 70 reports are but part of the vendor management picture – not the whole darn thing!
Next: Regulatory Compliance
And if you have any questions or comments about the survey or about Vendor Management, please write to me.


Mar 17, 2008
The State of Information Security 2008 Part V: Identity Theft
At first I was a little surprised.
We asked respondents to our State of Information Security survey “Has there been a security breach at your institution during the last two years?” And only 15% said “yes.”
But then I remembered: Those are only the breaches of which they’re aware. What about the breaches they didn’t detect?
That’s what hammers home just how scary Identity Theft is. When you know the crime has been committed, it’s one level of frightening. When you don’t know about it? Off the charts.
You know the major Identity Theft stats by now. The FTC reports as many as 9 million cases of Identity Theft per year in the U.S. alone. A recent study by the Center for Law and Technology at the University of California, Berkeley, found that the top 25 banking/utility/retail institutions in the country account for 50% of all the complaints lodged with the FTC. The crime is a huge concern for financial institutions – especially with the Nov. 1 deadline for Identity Theft Red Flags Rule compliance looming.
Given all that, it’s no surprise that our polled institutions are wary of their protective measures. Only 23% say they are “very confident” that they are prepared to defend against internal and external attacks. Sixty-six percent are “somewhat confident,” and 8% are “not very confident.”
We also asked what strategies institutions have adopted to prevent Identity Theft. Here are the top five choices:
- Network-based intrusion detection/prevention systems;
- Employee background checks;
- Application firewalls;
- Network access control technologies;
- Fraud detection technologies.
One trend that emerged clearly from the survey – and from the early news reports this year – is phishing. This crime is shaping up to be a major storyline in 2008. More than 40% of respondents say they’ve been the victim of a phishing attack over the past two years, or don’t know whether they have. And it’s a crime that’s only likely to grow. In fact, already this year we’re seeing new telephone-based phishing (or “vishing”) campaigns preying upon consumers’ trust. These attacks are easy to launch, the payback from them is high … and financial institutions stand to lose the most if they don’t do a better job of educating customers about how to avoid them.
File under “ones to watch.” Identity Theft crime stats aren’t going down anytime soon.
And remember: These stats cover only the crimes of which we’re aware.
Next: Vendor Management
And if you have any questions or comments about the survey or about Identity Theft, please write to me.


Mar 10, 2008
The State of Information Security 2008 Part IV: Risk Assessment and Incident Response
Risk assessments and incident response – pretty standard stuff, right?
If you’re a U.S. financial institution, these items are mandatory – not ‘nice-to-haves.’ The government requires them – has for several years.
And yet …
When we asked our State of Information Security survey respondents about their risk assessments and incident response plans … well, the answers were a little surprising.
Take risk assessments, for instance. We asked how often these assessments are conducted and plans are updated. Response: 27% of institutions do not conduct a formal risk assessment annually; 12% of respondents don’t present results of risk assessments to senior management; and 52% of institutions do not test their security controls annually.
Makes you feel more confident already, no?
In terms of incident response, 14% of respondents are still developing their plans. Of those that already have them, when asked whether these plans account for incidents at vendors, 24% say no or don’t know. And then, asked whether customer communication is built into these plans, only 66% say yes. Worse, 30% either don’t have such a plan or haven’t updated it in the past year.
Now, these are numbers I expect to see change in 2008, and I’ll give you three reasons why: T-J-X.
The impact of TJX is not just that the incident happened, but rather that it happened with data entrusted to a partner. This incident hammers home the point that an incident doesn’t have to occur in your facility to be devastating. Your partner’s incident is yours, too. And your customers need to be informed when you sniff trouble. The federal regulators have noticed this point, turning up the vendor management heat for banks and credit unions this year.
So, given regulatory pressures and the risk of negative publicity, institutions in 2008 must update their incident response plans to account for their third- (and fourth-) party service providers and to include quick, open communication to customers in the wake of a disaster.
The alternative is … well, it’s a different kind of disaster altogether. One no institution wants to risk.
Next: Identity Theft
And if you have any questions or comments about the survey or about risk assessments and incident response, please write to me.


Mar 04, 2008
State of Information Security 2008 Part III: Security Strategy – Who Has One?
An information security strategy – pretty basic stuff, huh? Everybody has one?
Well, that’s what you’d think, but that’s not what we found in our State of Information Security 2008 survey.
True, 87% of our respondents said yes, they do indeed have a formal information security strategy. But what about the 13% who don’t (or don’t know)?
Interesting, too, to compare the answers of banks and credit unions. Nineteen percent of credit union respondents don’t currently have a formal information security strategy, vs. 9% of banks – a significant difference.
These are banking institutions in 2008 – how could they not have these plans in place? Clearly, implementing such plans will be a main focus of their efforts this year.
Some other interesting points about security strategies:
- View from the Top – We asked whether these plans are led and embraced by senior officers. Eighty-two percent of respondents said yes; 18% said no or didn’t know.
- Rank and File – Asked whether strategies are communicated to and embraced by employees, 66% said yes, 34% said no or didn’t know.
- Customer Awareness – Asked whether these strategies are conveyed to customers, 51% said “Somewhat,” 25% said “Fairly Well,” 18% said communication is limited to website postings, and 5% didn’t know.
The key takeaway here is that information security strategies aren’t “nice to haves” for financial institutions. They’re a regulatory requirement. Gotta have. Mandate. And implicit in that mandate is that institutions should document and update these plans – and then make every effort to communicate these strategies to senior officers (including boards of directors), employees and customers alike.
This sounds like basic stuff, but if it were so easy … well, then we’d have 100% of our respondents bragging about their efforts. For information security strategies to be effective, all constituents need to 1) understand the plans, and 2) know their roles in upholding them. Neither goal can be accomplished without a sound, comprehensive communications strategy.
How institutions go about crafting these strategies – information security and communications – will be one of the developments we’ll track closely this year. If you’ve seen examples of either being done particularly well, I’d love to hear from you.
Next: Incident Response Plans – Who Has Them, and What Do They Cover – or Not?
And if you have any questions or comments about the survey or about information security strategies, please write to me.


Feb 25, 2008
The State of Information Security 2008 Part II: The Security Leader’s Role
We talked last time about how our State of Information Security survey unveils a contradiction – the difference between the confidence our respondents say they and their customers have in their banking institutions’ security measures vs. the reality of what these security leaders tell us about the state of incident response, vendor management and customer education.
Well, that isn’t the only contradiction expressed in our survey results.
Take a look at what our respondents tell us about the role of the security leader in their organizations:
- The individual is business-minded, prioritizing regulatory compliance and customer data protection in 2008;
- Reporting relationships are great, with more than 40% of security leaders reporting into CEOs or Boards of Directors/Audit Committees.
But …
- When given a list of five possible titles for the security leader (CISO, CSO, etc.), 56% of respondents choose the sixth option – “Other;”
- When asked whether they have a defined information security budget, only 20% say yes – 54% still get their funds through IT.
So, what to make of this mixed message?
What I hear is: Information security is considered a business priority … but it isn’t funded like one.
Think about it. These security leaders clearly have their priorities straight. They aren’t talking about securing arcane technical systems; they’re protecting their institutions’ crown jewels. They know that customer confidence is key to their banks’ survival, and they prioritize their work accordingly. And they must speak the language of business, too, tied as closely as they are to senior business leadership. The reporting relationships speak to their value.
But … but … if more than half of these security leaders are still getting their funding from IT, then that suggests that information security isn’t being funded like a business priority. It’s being treated as a technology line item.
And if the security leader’s title is so hard to pin down, know what that suggests? That the role is being appended as an add-on to someone else’s full-time job. “Oh, that security thing – could you please take care of it?”
Larger institutions, of course, are more apt to have designated security leaders and budgets. But as you know, larger institutions are a minority among banking organizations in the U.S.
So, again, what to make of it all?
Banking security leaders should be both encouraged and motivated.
The encouragement is: They’ve got the ear of senior management, and they’re saying all the right things about information security priorities.
The motivation is: Now it’s time to use this influence to persuade senior management to dedicate more resources – people and money – to drive and deliver these key initiatives.
Business priorities are one thing; business results are another. You can talk about the former all you want, but you don’t get the latter without resources.
Securing those resources – procuring as well as protecting – will be one of the huge stories of 2008.
And if you have any questions or comments about the survey or about the security leader’s role, please write to me.