Thursday, October 30, 2008

Information InSecurity

As Finance Roils, Don’t Neglect Information Security

By Kevin M Nixon, MSA, CISSP, CISM, and Laura Wilson, JD, CISA candidate

While the world eyes the valuation meltdown in financial services, don’t neglect the danger to regulated systems and data. The pitfalls of underestimating the financial risk of transactions are now apparent; the fallout from underestimating the information security implications of transactions is waiting in the wings. We believe that, in addition to the obvious threat to market stability, the current situation has the added element of national and global security concerns. Misuse of financial systems and information can cause widespread, immediate, and long-lasting disruption to our daily lives and our society.

It is frequently assumed that established financial services firms have the information security threat well-covered. That assumption is frequently wrong. Despite spending hundreds of millions to attempt to manage risk, significant gaps remain in the due diligence and ongoing monitoring of the business relationships that give third parties access to financial systems and data. We have encountered multiple projects involving vendors providing products and services to financial services companies, thereby having access to the Fort Knox of financial systems and accounts, and the data elements allowing entry to those accounts; however, many of the security protections, reviews, and controls that were supposed to be in place for vendors with this level of data access were bypassed. And this was during the good times.

Everybody has gaps - that’s why there are internal audit and other control functions. This is not the time for finger-pointing; it’s the time for finding and fixing the material gaps before we further lose control of this data.

Many of these gaps are readily fixable, and can be addressed efficiently without stopping business. Getting a better handle on vendor relationships (frequently called ‘outsourcing’ by the financial services industry) won’t prevent all information security breaches, but financial services companies must know and monitor the parties that access information assets.

The financial services industry is well versed in the multiple laws and regulations to which it is subject. The industry consortium BITS (www.bitsinfo.org) has long articulated the risks of outsourcing. Many companies have well-documented policies to address this risk. What they frequently miss is how the gaps occur, and how to fix them.

Many of the gaps happen in the contracting process - the entire lifecycle of selecting, reaching agreement with, and performing the relationship with a vendor of a product or service. The current threat environment, which includes terrorism, organized theft of individual and corporate financial assets, and just-for-fun hackers, makes new security, due diligence, and risk management demands of financial services companies. The old way of analyzing and managing these deals and business relationships cannot keep up. Because many different teams are involved in the lifecycle of a deal, because the teams have different vocabularies, areas of expertise, requirements and agendas, and because the teams find it difficult to coordinate these competing needs, the controls that are supposed to protect systems and information are often bypassed if the myriad teams do not understand the risk and how readily it can be addressed.

For a long time, the deal management function was based on a manufacturing, assembly-line model. This approach, and the compensation of the deal team, emphasized speed of the process, cost-cutting, and keeping the internal project sponsors happy (‘customer satisfaction’), rather than the due diligence and control functions required for a threat environment. The deal team had little incentive to push back on an unacceptable proposal, and much of the due diligence and risk mitigation was pushed to the back end, after the deal was done and the contract signed. That’s like agreeing to pay for an expensive piece of real estate that will process sensitive radioactive material, but not inspecting the property until after the contract is signed and the check cashed.

Most business teams don’t want to do the wrong thing, but many have not been given the information or tools to adequately understand the situation and make supportable decisions. Most contract and deal teams don’t want to do the wrong thing, but the old job functions have not been given the gravitas, training, or compensation structure to push back on proposals that carry unacceptable risk.

It’s hard enough to protect this stuff during good times. With layoffs, cost-cutting, companies folding, projects changing hands, and unhappy workers bearing flash drives, keeping track of these information assets and who touches them is a huge challenge.

This is not the time for financial services to cheap out on information security. While the industry, regulators, and consumers are watching the dollar valuation, do not forget to protect the systems and data.

Kevin M Nixon, MSA, CISSP, CISM

Laura Wilson, JD, CISA candidate
September 24, 2008

The writers are business consultants with experience in deal analysis and information security for international financial services. They have governmental experience in handling classified information. Copyright © - 2008. All Rights Reserved (The writers give permission to link to, post, distribute, or reference the above article for any lawful purpose, provided that attribution is provided to the writers. This article will also be posted at the writers’ own sites.)

More to come…

Control bypass + information security breach = D&O liability claims, shareholder derivatives, class actions, regulatory investigations, no insurance coverage, personal liability. And more.

How to fix this weak link, quick.

Protecting your information during the storm.
