Published July 2012
Written by Rashaad Bajwa for New Jersey Banker Summer 2012
The information security threat landscape changes on a daily basis. How can today’s community and regional banks be proactive in protecting their IT infrastructures and their customers’ sensitive financial information?
Similar to evolution in nature, banks that don’t evolve fast enough face increasing risks. If they can’t keep up with the changing security threats around them, they may not survive a critical security event. The problem is most banks don’t have a comprehensive view of their IT security practice and an understanding of where they are most vulnerable. Due to regulatory mandates, most have basic safeguards in place and can read off the last IT exam results, but they don’t have a tool to evaluate their true effectiveness or areas where they are still at risk.
To help banks become more self-aware, the data security industry experts RSA and ESG developed an information security management model that is split into four phases. The model is designed to help banks find out where they are and to figure out where they want to go in the future to protect themselves. As a bank matures over time in its IT security practice, it will find itself moving through these four phases.
Determining which phase is secure enough for your bank will most likely be a function of budget and risk sensitivity. It is very important to note that the most secure banks are not necessarily the ones with the most security products. Security is not about a tech soup of software installed in your environment. It is about developing a mature security practice that mitigates risks and provides a reliable and secure IT environment that enables the bank’s business to safely flourish. Following are some observations and insights for applying the model to your bank’s IT security posture based on the experiences of Domain’s engineers in the field.
PHASE 1: THREAT DEFENSE
Starting in the 1990s with the Internet and our increasingly connected online world, those of us who are responsible for securing IT environments have been trying to determine which security solutions provide the best protection. We all started with the basics: antivirus and firewalls. Most of these are reactive: they respond to known threats as we hear about them or, if we are too slow, as we are impacted by them. Over the years the technologies changed and matured and we added more, as budgets allowed or vulnerabilities required. The antivirus category grew to become “endpoint protection” and the firewall category grew to include intrusion protection and content filtering. Every week, a new “must-have” security tool surfaces that is purchased for the toolbelt. Adding security tools, we hope that they work as advertised, keep the bad guys out and make us “secure enough.”
PHASE 2: COMPLIANCE AND DEFENSE-IN-DEPTH
Most organizations are in phase 2. Banks in this phase are generally compliance- and security audit-driven. In this phase, the primary goal of IT security is to remain compliant and pass IT exams; meeting a regulator’s or auditor’s requirements is the primary focus, not actual security. Think of it as a “check-box mentality.” This is not to say that all organizations in phase 2 are unsophisticated. It’s just that in today’s regulatory environment with limited budgets, resource priorities need to be set. Sometimes all the security that can be afforded is the minimum to keep the regulators at bay and avoid a negative write-up. Some consider staying in phase 2 short-sighted. Others consider it survival. If “secure enough” for you is just making sure you pass your IT examination, then your bank is definitely in phase 2.
Phase 2 normally introduces layered security and defense in depth. This builds on the defenses already acquired in phase 1 and starts introducing layers and controls such as multifactor authentication and encryption. This creates a more compliant and secure environment. However, how secure is secure enough? Are your security measures just for the sake of compliance, or is your organization actually secure? When you start to believe that the bank’s security is your organization’s responsibility and not just what the regulators require, you start to move into phase 3.
PHASE 3: RISK-BASED SECURITY
When the IT security discussion goes beyond which IT checklist requirements have been met and starts talking about IT risks on an asset-by-asset basis, then you have reached phase 3. In this phase, each IT asset needs to be assigned a value (what data does it hold, or what business process is it critical to?) and evaluated independently against all threats and vulnerabilities. The risks for each asset are then accepted, assigned, transferred (perhaps to a third party) or mitigated. This is basic IT risk management.
The hallmark of phase 3 is a more detailed analysis of the entire IT infrastructure. What are the possible risks that may confront each asset, and how can they be handled effectively and quickly? This is not a set-it-and-forget-it software application or firewall. This is a real-time evaluation of the threat landscape for a dynamic production environment. On a smaller scale, some organizations may use spreadsheets to track risks across IT assets. However, proper risk management software can obtain data feeds directly from the environment to reflect a real-time view.
PHASE 4: THE BUSINESS-ORIENTED PHASE
When we started with phase 1, we were just desperately trying to add to our defenses and hoping they were keeping the bad guys out. In phase 2, we needed to pass security and regulatory audits, so we started layering our defenses and setting up secure processes and controls. In phase 3, we realized that what the regulators were asking for may not sufficiently address the actual risks our organization is facing. Some of what they were asking for may be too much, and some may not be enough. So we evaluated all our assets individually against best practices, not just against whatever came up in an IT exam.
In phase 4, we complete the evolution and realize that what we are protecting against is not a specific virus, and that we are not just trying to pass an IT exam or keep a particular server or router functional. What we are actually trying to protect is the integrity of our business operations. The “IT risk management model” from phase 3 matures into a “business process risk management model” in phase 4. At the end of the day, after all, our IT infrastructure is not the end; it is just a means. This opens up a much more thorough and detailed level of risk management because the business processes are tracked and evaluated in their entirety, not just the IT assets that support them.
A common problem that is successfully tackled in phase 4, but is sometimes overlooked in phase 3, is asset dependencies. Almost every asset has dependencies because almost every business transaction crosses multiple interconnected databases, application servers, service providers or networks. Since the transactions don’t happen on islands, we can’t manage the risk as islands. Server A will likely only work if Server B provides authentication services and Server C gives the users a front-end to connect through. All of these assets need to be alive, interconnected and talking to each other properly for the business process to survive. Evaluating whether the risk has been mitigated therefore requires end-to-end testing across the entire business process.
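The following is an added illustration, not code from the article or from Domain Computer Services, of how the phase 3 asset-by-asset register (value, threats, accept/assign/transfer/mitigate) rolls up into the phase 4 business-process view across the dependency chain described above. Every asset name, score, dependency and treatment multiplier is a constructed assumption chosen to show the weakest-link effect: the asset you are looking at can be fine while a dependency it relies on is not.

```python
"""Asset-level risk register (phase 3) rolled up into business-process risk
across asset dependencies (phase 4).  Constructed example: all assets, threats,
scores, dependencies and treatment multipliers are illustrative."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Residual-risk multipliers per treatment (assumed for illustration): accepting
# or assigning an owner leaves exposure unchanged; transferring (e.g. to a third
# party) and mitigating (a control is in place) reduce it by an assumed fraction.
TREATMENT_FACTOR = {"accept": 1.0, "assign": 1.0, "transfer": 0.5, "mitigate": 0.25}


@dataclass
class Risk:
    threat: str
    likelihood: int      # 1 (rare) .. 5 (expected)
    impact: int          # 1 (negligible) .. 5 (severe)
    treatment: str       # accept | assign | transfer | mitigate

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.threat}: likelihood/impact must be 1..5")
        if self.treatment not in TREATMENT_FACTOR:
            raise ValueError(f"{self.threat}: unknown treatment {self.treatment!r}")

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        return self.inherent() * TREATMENT_FACTOR[self.treatment]


@dataclass
class Asset:
    name: str
    value: int                                    # 1..5 business value of what it holds/does
    depends_on: List[str] = field(default_factory=list)
    risks: List[Risk] = field(default_factory=list)

    def residual(self) -> float:
        """Phase 3 view: the asset's worst residual threat, weighted by its value."""
        worst = max((r.residual() for r in self.risks), default=0.0)
        return worst * self.value


Register = Dict[str, Asset]


def dependency_closure(register: Register, root: str) -> List[str]:
    """Every asset the process entry point transitively relies on (root included).
    Cycles are tolerated; an unknown dependency is an error, not a silent gap."""
    seen: List[str] = []
    stack = [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        if name not in register:
            raise KeyError(f"dependency {name!r} is not in the register")
        seen.append(name)
        stack.extend(register[name].depends_on)
    return seen


def process_risk(register: Register, root: str) -> Tuple[float, str]:
    """Phase 4 roll-up: a business process is as exposed as the weakest asset in
    its chain, so report the highest asset residual and which asset it belongs to."""
    chain = dependency_closure(register, root)
    worst = max(chain, key=lambda n: register[n].residual())
    return register[worst].residual(), worst


def untreated(register: Register, root: str, threshold: float = 6.0) -> List[Tuple[str, str]]:
    """Risks anywhere in the chain that were only accepted/assigned and still sit
    at or above the threshold: the items a risk owner should revisit."""
    return [
        (name, r.threat)
        for name in dependency_closure(register, root)
        for r in register[name].risks
        if TREATMENT_FACTOR[r.treatment] == 1.0 and r.residual() >= threshold
    ]


def build_sample_register() -> Register:
    """Constructed data mirroring the article's Server A/B/C picture."""
    assets = [
        Asset("online-banking", 3, ["auth-server", "core-banking-app"], [
            Risk("web application vulnerability", 3, 3, "mitigate"),
            Risk("marketing page defacement", 2, 1, "accept"),
        ]),
        Asset("auth-server", 4, [], [Risk("credential stuffing", 4, 4, "accept")]),
        Asset("core-banking-app", 5, ["customer-db"], [Risk("vendor outage", 2, 4, "transfer")]),
        Asset("customer-db", 5, [], [Risk("unpatched database engine", 3, 5, "mitigate")]),
    ]
    return {a.name: a for a in assets}


if __name__ == "__main__":
    reg = build_sample_register()
    for name in dependency_closure(reg, "online-banking"):
        print(f"{name:18} residual={reg[name].residual():6.2f}")
    score, weakest = process_risk(reg, "online-banking")
    print(f"process risk {score:.2f} driven by {weakest}; revisit: {untreated(reg, 'online-banking')}")
```

Looked at on its own, the online-banking front-end scores low because its web vulnerability is mitigated; the process roll-up still flags the authentication server, whose accepted credential-stuffing risk dominates the chain. That is the gap between phase 3 and phase 4 in numbers.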
We don’t just want to see that the server is on and the data is there, we want to make sure it is secure, that we can log in successfully and actually get work done. For many banks, this holistic view across the entire business process found in phase 4 is the final answer to what it is to be “secure enough.” ■
Rashaad Bajwa, CISSP, is the president and CEO of Domain Computer Services, Inc. He can be reached at email@example.com or 609-395-6900.