Information Security Still a Prime Concern for Regulators

In the past, regulators have focused on an examination area for a year or two and then found other areas of compliance on which to focus. Recently, we’ve seen a number of institutions beginning to become lax with security testing or remediation, perhaps thinking the examiners have moved on to other areas of focus.

Let me assure you that information security still is a prime concern for regulators. The Office of Thrift Supervision told one of our security assessment clients in Texas that every Texas OTS examiner who performs information technology (IT) examinations is being required to become a certified information systems security professional. This certification implies a detailed knowledge of information security settings and controls within network systems and mainframe environments.

This shows the regulatory agencies still are investing time and money in educating examiners about information security. Examiners aren’t just looking at the security assessments’ executive summaries; they’re digging into the details and questioning the institution about specific settings or vulnerabilities found there.

Information security will continue to be a prime concern for several reasons. First and foremost, information security threats are real and occur daily. Information security permeates almost every area of compliance. New compliance areas such as the Sarbanes-Oxley Act and Gramm-Leach-Bliley Act have their basis in information security controls to prevent the altering of data (Sarbanes-Oxley) and the leaking of consumers’ nonpublic information (Gramm-Leach-Bliley).

Information security plays an important role in IT governance, safety and soundness, business continuity planning, supervision of technology service providers, e-banking, IT audit examinations, retail payment systems, and outsourcing technology services. In other words, information security is key to the financial institution’s soundness. More than anything else, it’s the failure of information security that will cause an institution to fail.

Insiders Pose Biggest Risk

The Federal Deposit Insurance Corporation (FDIC) provides access to a study called "Putting an End to Account-Hijacking Identity Theft." The study describes how account hijacking occurs. Several of these methods specifically concern how well financial institutions maintain security:

  • Breaking into financial institution or service provider computer systems because these systems are gold mines for confidential consumer information
  • Retrieving confidential information from financial institutions’ trash
  • Stealing of confidential information by employees

The study reports 65% to 70% of identity theft is committed by financial institution employees or participants in transactions or services. This backs up Compushare’s belief that employees, not hackers, pose the greatest risk to consumer privacy.

An August 2004 Carnegie Mellon Software Engineering Institute “Insider Threat Study” examined 23 incidents carried out by financial institution employees between 1996 and 2002. It found the following:

  • 87% of the incidents required little technical sophistication
  • 70% exploited or attempted to exploit systemic vulnerabilities in applications, processes, or procedures (i.e., business rule checks, authorized overrides)
  • 61% exploited vulnerabilities inherent in the design of the hardware, software, or network
  • 78% of the incidents involved authorized users with active computer accounts
  • 43% of the cases involved the insider using his or her own username and password to carry out the incident
  • 26% of the cases involved the use of someone else’s computer account to carry out the crime
  • 23% of the insiders were employed in technical positions, with 17% possessing system administrator rights within the organization
  • 39% of the insiders were unaware of the organization’s technical security measures

Security Trumps Convenience

Financial institutions must not only protect consumers’ money, they must protect their consumers’ identities. The Gramm-Leach-Bliley Act places that responsibility squarely on the shoulders of the board of directors.

Financial institutions must demonstrate their commitment to security through specific budgeting of security controls such as intrusion prevention systems and thorough internal and external security testing. They also must allocate resources to ensure effective remediation of identified vulnerabilities.

In performing security assessments for financial institutions, we quickly can tell through a visit to the site and evaluation of the test data we gather whether the institution takes security seriously. The evidence is in the post-assessment remediation. Those going through the motions will resist remediation. When we see the same serious vulnerabilities over and over again, the lack of commitment to information security is obvious. Trained regulatory examiners will have no problem spotting those institutions either.

Information security must take precedence over user convenience, specifically in the area of password controls—the greatest weakness in security controls within financial institutions today. The FDIC study touches on multi-factor authentication as a way to improve upon the weakness of passwords.

Involve Senior Management

Institutions’ senior management should be involved in the review and tracking of the remediation efforts resulting from security testing. Examiners are looking for this involvement because they know security controls often are inconvenient to employees. Therefore, establishment and enforcement of those controls must come from the top down. Until information security is a prime concern for every financial institution’s senior management, it will continue to be a prime concern for regulators.

Romir Bosu is president of Compushare, a South Coast Metro, California provider of IT consulting, implementation, and support to community financial institutions. Contact him at 714-427-1000. This story was first published by Credit Union Magazine at www.creditunionmagazine.com and is reprinted with permission.