Don’t Neglect Information Security

November 28, 2008 by ADMIN

By Kevin M. Nixon, Information-Security-Resources.com Security Editor, and Laura Wilson, Information-Security-Resources.com Corporate Liability Editor (Previously Posted September, 2008)

While the world eyes the valuation meltdown in financial services, don’t neglect the danger to regulated systems and data. The pitfalls of underestimating the financial risk of transactions are now apparent; the fallout from underestimating the information security implications of transactions is waiting in the wings.

We believe that, in addition to the obvious threat to market stability, the current situation has the added element of national and global security concerns. Misuse of financial systems and information can cause widespread, immediate, and long-lasting disruption to our daily lives and our society.

It is frequently assumed that established financial services firms have the information security threat well-covered. That assumption is frequently wrong. Despite spending hundreds of millions to attempt to manage risk, significant gaps remain in the due diligence and ongoing monitoring of the business relationships that give third parties access to financial systems and data.

We have encountered multiple projects in which vendors providing products and services to financial services companies had access to the Fort Knox of financial systems and accounts, and to the data elements allowing entry to those accounts; yet many of the security protections, reviews, and controls that were supposed to be in place for vendors with this level of data access were bypassed. And this was during the good times.

Everybody has gaps - that’s why there are internal audit and other control functions. This is not the time for finger-pointing; it’s the time for finding and fixing the material gaps before we further lose control of this data.

Many of these gaps are readily fixable, and can be addressed efficiently without stopping business. Getting a better handle on vendor relationships (frequently called ‘outsourcing’ by the financial services industry) won’t prevent all information security breaches, but financial services companies must know and monitor the parties that access information assets.

The financial services industry is well versed in the multiple laws and regulations to which it is subject. The industry consortium BITS (www.bitsinfo.org) has long articulated the risks of outsourcing. Many companies have well-documented policies to address this risk. What they frequently miss is how the gaps occur, and how to fix them.

Many of the gaps happen in the contracting process - the entire life-cycle of selecting, reaching agreement with, and performing the relationship with a vendor of a product or service. The current threat environment, which includes terrorism, organized theft of individual and corporate financial assets, and just-for-fun hackers, makes new security, due diligence, and risk management demands of financial services companies.

The old way of analyzing and managing these deals and business relationships cannot keep up. Many different teams are involved in the life-cycle of a deal; they have different vocabularies, areas of expertise, requirements and agendas, and they find it difficult to coordinate these competing needs. As a result, the controls that are supposed to protect systems and information are often bypassed when those teams do not understand the risk and how readily it can be addressed.

For a long time, the deal management function was based on a manufacturing, assembly-line model. This approach, and the compensation of the deal team, emphasized speed of the process, cost-cutting, and keeping the internal project sponsors happy (‘customer satisfaction’), rather than the due diligence and control functions required for a threat environment. The deal team had little incentive to push back on an unacceptable proposal, and much of the due diligence and risk mitigation was pushed to the back end, after the deal was done and the contract signed.

That’s like agreeing to pay for an expensive piece of real estate that will process sensitive radioactive material, but not inspecting the property until after the contract is signed and the check cashed.

Most business teams don’t want to do the wrong thing, but many have not been given the information or tools to adequately understand the situation and make supportable decisions. Most contract and deal teams don’t want to do the wrong thing, but the old job functions have not been given the gravitas, training, or compensation structure to push back on proposals that carry unacceptable risk.

It’s hard enough to protect this stuff during good times. With layoffs, cost-cutting, companies folding, projects changing hands, and unhappy workers bearing flash drives, keeping track of these information assets and who touches them is a huge challenge.

This is not the time for financial services to cheap out on information security. While the industry, regulators, and consumers are watching the dollar valuation, do not forget to protect the systems and data.

Kevin has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee. He has also served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and as a consultant to the Federal Trade Commission.

Laura is a business consultant and an advocate for information security, consumer protection, long-term shareholder value, and better management decisions. Her specialty is finding and fixing risks and threats to sensitive data. Her experience includes international banking, credit card, and mortgage companies, venture capital portfolio companies, and software and technology providers. She practiced law in Silicon Valley during the tech boom and meltdown, handling corporate governance and information protection.

The authors give permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the authors and to Information-Security-Resources.com.



Filed under: Breach, D&O Liability, FEATURE ARTICLE, Financial, Government, Insider Threat, Kevin M. Nixon, Military, PCI, Sarbanes-Oxley, Uncategorized, hackers, healthcare, identity-theft, malware, national security, privacy

Comments

2 Comments on Don’t Neglect Information Security

  1. pligg.com on Fri, 12th Dec 2008 9:38 pm
  2. Economic Meltdown Exposes Data to Black Market…

    It is frequently assumed that established financial services firms have the information security threat well-covered. That assumption is frequently wrong. Despite spending hundreds of millions to attempt to manage risk, significant gaps remain in the d…

    [...] The accumulation expiration collapse at Heartland highlights the fact that aggregation section module be the incoming field investor figuring and D&O badness issue, regulatory, consumer, and domestic section threat, and class-action proceedings subject to effect our peaked economy. [...]
