Thursday, January 18, 2007

2007 Top 10 Resolutions on Compliance and Security

Time flies. This is already the 100th post on this blog. Today I would like to share a free report, "2007 Top Ten Resolutions on Compliance and Security for Banks and Financial Institutions", issued by SecureTrust Corporation, a security service provider. Please treat it as a reminder of (at least some) key issues to address in 2007!

Resolution #1 – I will increase employee training.

  • Establishing compliance policies and regulations will have no beneficial effect if employees do not adhere to them. Many institutions fail to close the loop on employee training. Outlining the various venues and events that will reinforce employee compliance education at the start of the year can have a big impact all year round.

Resolution #2 – I will improve employee passwords.

  • Despite the strict requirements that many IT departments place on the creation and maintenance of passwords (at least 8 characters, both letters and numbers, mixed-in uppercase letters) and on how often they must be changed, some employees still resort to the old-fashioned habit of writing passwords down on sticky pads or notes. Encourage employees to use simple strategies to create inherently strong passwords, e.g. taking the last four digits of their home phone number (4386) and alternating between spelling them out and writing digits (four3EIGHT6) to form a password.

Resolution #3 – I will appoint a security officer.

  • If your financial firm or bank does not have a security officer, immediately begin the search for one, either internally or externally. If your firm already has a security officer, make sure that all employees know the name and contact information for him or her and let them know that they should inform this person of ANY and ALL security concerns.

Resolution #4 – I will increase oversight of service providers.

  • Make sure your contracts with the various service providers include customer safeguard provisions and that the providers have appropriate safeguards in place. Most financial firms have taken a lackadaisical approach to this, and bank examiners are therefore stricter than ever.

Resolution #5 – I will conduct internal and external vulnerability assessments.

  • Hire a reputable third-party institution to come in, conduct the assessments and make recommendations on both logical and physical security safeguards. Take the recommendations and develop a comprehensive plan to implement them through a planned process rather than simply working on short-term fixes and patches.

Resolution #6 – I will implement intrusion detection and prevention systems.

  • An intrusion detection and prevention system may only have been recommended in the past, but Federal Financial Institutions Examination Council (FFIEC) examiners now require one. Simply having a firewall is no longer considered sufficient. Although banks will need this implemented in 2007, many are daunted by the increased complexity that comes with intrusion detection and prevention systems, which require constant care and maintenance: downloading signatures daily, applying updates, watching alerts and monitoring false positives. As a result, many banks choose to outsource this function because of the added time and security training required.

Resolution #7 – I will carefully select new and review existing security service providers.

  • When choosing a third-party security service provider for your firm, carefully check its credentials. Look for service providers that specifically cater to the financial industry, as they will have a greater understanding of the unique compliance issues you deal with on a daily basis.

Resolution #8 – I will review my data security insurance coverage.

  • Many insurance policies do not provide coverage for data security issues, and getting this type of coverage added to your policy can be costly. Alternatively, some service providers can have you added as an additional insured on their policy. This would provide you coverage in the event that the measures they provide are found to be faulty and would eliminate the need to bring separate legal action against them should the need arise.

Resolution #9 – I will install an active network monitoring device.

  • An active network monitoring system probes the ports of your devices and systems at all times. If something on your network changes, you can be notified and have a means to investigate long before normal processes would detect that there was a potential problem.

Resolution #10 – I will review my current practices for conflicts of interest.

  • A conflict of interest can arise in several different ways. One example would be a bank that does its own internal security scanning as well as the remediation of the problems it finds. Another would be a security service provider that conducts the vulnerability assessment and also performs the field service and support. Ideally you would want two separate parties to assess and to resolve. If your firm has the resources available internally, implement the fixes yourself and use an external service provider to test and retest. If not, make sure you select a different service provider to remediate the issues found by a competent security assessor.
