Part 2
What Community Bank CEOs & Board Members Need to Know about the New Information Security Guidelines

by BOL Guru Lynndon Michael Guard, J.D., M.S.T.M.

In Part 1, the author detailed the requirements set forth in the proposed Information Security Guidelines and the duties which they will impose on directors and senior management of financial institutions. In Part 2, he looks at ramifications and implications of the guidelines, and best practices.

RAMIFICATIONS AND IMPLICATIONS OF THE GUIDELINES
The field of study devoted to protecting information on a computer or telecommunications network is called information assurance, and the development of an information security program takes place inside this field. Information assurance is a complex and quickly evolving field. Because so many of its aspects are in a constant state of change, a bank's risk assessment and information security program must be periodically re-evaluated. While the field of information assurance is constantly evolving, the basics of security do not change. The classic model of information security contains only three components, called the security triad, or CIA, upon which all other aspects of a security program are built:
  1. Confidentiality - the protection of data so that it is not disclosed in an unauthorized fashion;
  2. Integrity - protection against unauthorized modifications to data; and
  3. Availability - all systems and resources must be "up and running" as the organization needs them, which includes protection from unauthorized attempts to withhold information or computer resources, called Denial of Service attacks.
Anyone with responsibilities relating to information assurance should understand the security triad because it helps in understanding many other aspects of security. For example, security products are described in relation to these three concepts.

Guidelines Are Sound Business Practice:
The requirements of the Guidelines are sound business practice for any corporation that values its own internal data. This becomes obvious only after the actual extent of the threats to information security is recognized. The "1999 Computer Crime and Security Survey" is an annual study sponsored by the FBI. It queries private corporations, financial institutions, and government agencies, and it has found every category of computer crime rising steeply over the last three years of studies. Some relevant findings of that study were:
  • System penetrations by outsiders were experienced by 30% of those surveyed;
  • Insider attacks were reported by 55% of respondents;
  • Only 31% of the companies experiencing loss could quantify it;
  • 163 organizations cited combined losses of $123 million;
  • 23 firms reported combined losses of $43 million in proprietary information theft;
  • 27 financial organizations showed losses of $38 million in fraud;
  • 90% experienced virus contamination;
  • 62% of the organizations were attacked from the outside;
  • 32% experienced denial-of-service attacks; and
  • The cost to the company of the average attack was $198,583.
The Survey's press release of findings stated in part: "It is clear that the computer crime and other information security breaches pose a growing threat to US economic competitiveness and the rule of law in cyberspace." A corporation without an information security program is not making sound business decisions.

Security Training:
In order to understand the magnitude of the amount of information assurance education and training that will need to take place during the next year, we must look beyond the Guidelines to a quick review of some of the responsibilities of the directors and officers of banks which existed long before the Guidelines.

Officers and directors of banks have obligations to discharge duties owed to their institution, and to comply with laws and regulations. One of these duties is the duty of care.

"The duty of care requires directors and officers to act as prudent and diligent business persons in conducting the affairs of the bank. This means that directors are responsible for selecting, monitoring, and evaluating competent management; establishing business strategies and policies; monitoring and assessing the progress of business operations; establishing and monitoring adherence to policies and procedures required by statute, regulation, and principles of safety and soundness; and for making business decisions on the basis of fully informed and meaningful deliberation. ... The FDIC will not bring civil suits against directors and officers who fulfill their responsibilities, including the duties of loyalty and care, and who make reasonable business judgments on a fully informed basis and after proper deliberation." (Emphasis added.)
Effective bank governance requires cooperation between an institution's board and its management. However, it is a director's duty to oversee the conduct of the bank's business. Therefore, each director must exercise independent judgment in evaluating management's actions and competence. "Critical evaluation of issues before the board is essential. Directors who routinely approve management decisions without exercising their own informed judgment are not adequately serving their institutions, their stockholders, or their communities."

Thus, in order for directors to fulfill their responsibility to make "reasonable business decisions on the basis of fully informed and meaningful deliberation" when approving information security policies, they must first be fully informed on the underlying issues involved in the selection of those policies and their potential ramifications, and only then consider adopting any such proposed policy as part of the bank's program. Unless board members already have personal knowledge of all issues involved in the selection of policies and procedures for the bank's information security program, they have the responsibility to gain an understanding of the managerial issues in the field.

The directors are not the only individuals who will have to have a good understanding of information assurance. At least one member of management will need an understanding of the field as broad as the directors' and, in addition, will need to stay more current in the field in order to carry out management's responsibilities under the Guidelines. It is suggested that it would be appropriate to create a permanent position to fulfill these responsibilities, perhaps an Information Security Compliance Officer. It is further suggested that, since the Year 2000 safety and soundness standards for banks have been rescinded, it would be appropriate to consider appointing the Year 2000 compliance officer to the new Information Security Compliance Officer position. This makes sense not just because this individual no longer has Year 2000 duties to fulfill, but also because much of what they learned in order to perform those duties would serve the bank well in the information assurance field. There are enough related issues between the two fields that, unless another officer has a computer science, telecommunications, or MIS background, the Year 2000 compliance officer is probably the bank's most qualified employee for the new position.

The managerial issues in information assurance do not include technical details such as the steps a hacker follows to exploit known vulnerabilities, or how specific encryption algorithms operate. However, it is reasonable to expect someone to understand, for example, why there needs to be such a variety of fundamentally different types of countermeasure to stop, or at least slow down, the known potential threats against customer information. That understanding is not possible without knowing the fundamental types of attack that can be made against customer information and the general methodology of a hack (there are nine stages, each with its own objectives, techniques and tools).

As previously pointed out, the Guidelines require that a bank do four things as part of its comprehensive risk management plan, the second of which is: "train staff to recognize, respond to, and when appropriate, report to regulatory and law enforcement agencies, any unauthorized access attempts on customer information." Training adequate to satisfy this requirement will have to cover several areas, because of the wide range of potential attacks on customer information. Additionally, training personnel to know when and what to report to regulatory and law enforcement agencies presupposes that management and the board have first established the relevant policies. Historically, banks have been reluctant to "share" information related to unauthorized intrusions into their computer networks. This reluctance must be overcome, at least in some areas. This is not only because reporting is now mandated, but also because some potential threats against customer information, such as distributed denial of service attacks, cannot be managed, let alone prevented, by any corporation without the coordinated assistance of the operators of the routers through which the company's Internet traffic flows.

The director of the FBI's National Infrastructure Protection Center, Michael Vatis, said that the above-referenced 1999 Computer Crime and Security Survey "confirms the need for industry and government to work together to address the growing problem of computer intrusion and computer crime generally. Only by sharing information about incidents, threats and exploited vulnerabilities can we begin to stem the rising tide of illegal activity on networks and protect our nation's critical infrastructure from destructive cyber-attacks." A bank must assess the need for sharing information about attempted intrusions and attacks, and establish its policies accordingly. Then it must perform the training necessary to ensure its policies can be followed.

While parts of the required training are purely technical (e.g., reading system logs and intrusion detection logs, and knowing how to respond to what they show), there are other needed areas of training as well. One such area, for all staff, is training to prevent social engineering. Social engineering is basically pulling a con job. The object is to get privileged information and gain access to restricted systems. Social engineers try to learn the corporate lingo and pick up tidbits of information only an employee would know. Discarded corporate memos and internal phone directories are a tremendous source of information to that end. Social engineers do not call up and ask for a password; that would be too easy to recognize as part of an unauthorized access attempt. Instead, they try to make an emotional connection with the person on the other end of the line to create a sense of trust. Then they exploit it. They try to piece together enough information to make an assault on their target a little easier. All staff need training to guard against social engineering, and directors and management will need to consider how much training is sufficient and when refresher training is warranted.
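As an added illustration of the "purely technical" side of that training (recognizing an unauthorized access attempt in a system log), the following script is example code written for this edit; it is not from the original article. The log lines are constructed, loosely modelled on an OpenSSH-style authentication log, and the threshold of four failures within five minutes is an assumption for illustration; a bank would tune such thresholds to its own baseline and its own log formats.

```python
"""Flag unauthorized-access attempts in authentication log lines.

Added example, not part of the original article. The log format, the
hostnames and addresses, and the thresholds below are assumptions chosen
for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a password-guessing burst from one address that ends in
# a successful login, plus ordinary activity that should not be flagged.
SAMPLE_LOG = """\
Mar 14 02:11:03 teller-gw sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 14 02:11:05 teller-gw sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 14 02:11:07 teller-gw sshd[4121]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 14 02:11:09 teller-gw sshd[4121]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 14 02:11:12 teller-gw sshd[4121]: Failed password for jsmith from 203.0.113.45 port 51026 ssh2
Mar 14 02:11:15 teller-gw sshd[4130]: Accepted password for jsmith from 203.0.113.45 port 51027 ssh2
Mar 14 08:30:01 teller-gw sshd[5001]: Failed password for mjones from 192.0.2.10 port 40001 ssh2
Mar 14 08:30:20 teller-gw sshd[5002]: Accepted password for mjones from 192.0.2.10 port 40002 ssh2
Mar 14 09:00:00 teller-gw sshd[5100]: Accepted publickey for backup from 192.0.2.50 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(text, year=2000):
    """Return (timestamp, result, user, source) tuples for recognised lines.
    Syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a fuller parser would account for these too
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_attempts(text, max_failures=4, window=timedelta(minutes=5)):
    """Return one finding per source address that reaches max_failures failed
    logins inside `window`, and a second finding if that same source then logs
    in successfully, which may mean a password was guessed rather than merely
    attempted and should be escalated rather than just noted."""
    recent_failures = defaultdict(list)  # source address -> failure timestamps
    findings = []
    for ts, result, user, src in sorted(parse(text)):
        # keep only failures still inside the sliding window
        recent = [t for t in recent_failures[src] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            if len(recent) == max_failures:  # report once per burst
                findings.append({"type": "burst", "src": src,
                                 "count": max_failures, "at": ts})
        elif len(recent) >= max_failures:
            findings.append({"type": "success_after_burst", "src": src,
                             "user": user, "at": ts})
        recent_failures[src] = recent
    return findings


if __name__ == "__main__":
    for f in find_attempts(SAMPLE_LOG):
        print(f)
```

Run against the constructed sample, the script reports one burst from 203.0.113.45 and then a success from the same address for the account jsmith; the single failure from 192.0.2.10 followed by a correct password is ordinary user behaviour and is not flagged. The design point is the second finding: a burst of failures is an attempt, but a success that follows a burst is the event staff must be trained to recognize and report.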

The investment needed in corporate-wide security training cannot be overstated. Today, many employees are more computer literate than their managers. Even in cases where they are not, the younger generation is typically far more comfortable exploring on the computer than their older counterparts. This often-innocent exploration can lead to the introduction into a bank's LAN of viruses and Trojan Horse programs. Viruses and Trojan Horse programs can result in the loss of vital digital services to the customer, loss of password controls or even to the loss of financial data, any one of which can spell financial loss to the corporation. That is why it is imperative to train employees how to avoid falling prey to these malicious programs, as well as to establish policies regarding the use of the bank's information technology.

While there is a great deal to learn for someone totally unfamiliar with network security, directors and some officers of community banks will already have a broad and in-depth understanding of many concepts and procedures that provide a good basis for becoming "fully informed." For example, every community bank director already has a good understanding of issues relating to different types of auditing, and of the policy and procedural issues arising from the Agencies' previous guidelines establishing Year 2000 safety and soundness standards. Many community banks already have policies and procedures in place which directly relate to information security. Therefore, directors are already familiar with many information security issues; but, as pointed out, that alone is not adequate.

The FDIC long ago recognized that directors may need help in keeping adequately informed to allow them to make "reasonable business judgments on a fully informed basis" on all issues they need to consider.
"Directors also should stay abreast of general industry trends and any statutory and regulatory developments ...Periodic briefings by management, counsel, auditors or other consultants are helpful, and more formal director education seminars should be considered."
It is suggested that due to the new demands the Guidelines place on bank directors and officers they should seriously consider taking the FDIC's advice and utilizing some of the options available to obtain training in information assurance. Obtaining any needed training is the primary implication for community bank directors stemming from the Guidelines' duty to approve a written information security policy and program. Fortunately, there is a wealth of information available on the Web from many reputable sources, great books, information security seminars and there are security trainers who will come to the bank to conduct training.

Selection of Policies for Information Security Program:
Management's first stated responsibility under the Guidelines is to "develop, implement and maintain an effective information security program." Therefore, management's first focus should be the selection of appropriate policies and procedures for the information security program.

As the board and management consider information security policies, it would be appropriate to take into consideration a worst case scenario perspective on each issue. Such an example might be that the bank is being forced to defend itself in front of a jury because customer information was stolen and utilized by an unauthorized intruder. In that situation, every aspect of the bank's information security program, results of testing, and all the documentation the bank needs to collect and retain should be expected to be scrutinized. Furthermore, it should also be anticipated that at some point in time every decision made on every policy will have to be explained.

The only practical way to avoid potential second-guessing of the adequacy of a particular policy, alone or in combination with other established policies, is to adopt one of the recognized sets of industry best security practices (herein "BSP") and custom tailor them to the bank's needs. While there is no one set of BSPs, there are some excellent and heavily relied-upon standards. My preferred list of the top seven sources for BSPs community banks might want to investigate is:
  • the National Institute of Standards and Technology's Generally Accepted System Security Principles;
  • the British Standard 7799, Code of Practice for Information Security Management;
  • the Organization for Economic Co-operation and Development's Guidelines for the Security of Information Systems;
  • the General Accounting Office's Executive Guide: Information Security Management: Learning From Leading Organizations;
  • the Information Systems Audit and Control Foundation's Control Objectives for Information & Related Technology;
  • National Security Telecommunications & Information System Security Community's Issuance System; and
  • Federal Chief Information Officers Council's Best Security Practice Initiative.
In addition to avoiding the prospect of defending a homemade patchwork quilt of information security policies before a jury, there are further advantages in going with a set of industry standard best security practices. Typically these include being able to obtain a description of the BSP in actual use, including the processes involved; the ability to discuss issues with the originator of the BSP; the ability to learn the lessons learned by other users applying the same policies; and suggested tools and training.

Testing of the Information Security Program:
The second Guidelines requirement for directors is to "oversee the development, implementation and maintenance of an effective information security program." Once again, community bank officers and directors had relevant preexisting duties. For example, boards were already required to establish a mechanism for independent third party review and testing of compliance with board policies and procedures, applicable laws and regulations, and accuracy of information provided by management.
"This might be accomplished by an internal auditor reporting directly to the board, or by an examining committee of the board itself. ... The board should review the auditors' findings with management and should monitor management's efforts to resolve any identified problems. ... In order to discharge its general oversight responsibilities, the board ... should have direct responsibility for hiring ... auditors ... In some situations, outside directors may wish to consider employing independent counsel, accountants or other experts, at the institution's expense... Such situations might include the need to develop appropriate responses to problems in important areas of the institution's performance or operations."
These independent but related responsibilities require the board to continually assess the effectiveness of management's implementation and maintenance of the information security program. Part of this requirement is fulfilled through analysis of management's reports relating to the program. However, directors will also need to have the bank's information security program audited periodically, in addition to the testing and auditing management must perform.

As pointed out above, the Guidelines require that, as part of its comprehensive risk management plan, a bank must do at least four things, one of which is "perform regular testing of the key controls, systems and procedures." Although not specifically mandated as required tests, the Agencies mentioned both intrusion detection and penetration tests within the Supplemental Information to the Guidelines.

Intrusion detection systems ("IDS") are designed to run in real time, constantly monitoring the network for attack and notifying, in various forms, the person responsible for responding to IDS alerts. Penetration testing, on the other hand, means hiring a security professional to attempt to hack into the bank's computer systems in order to find security weaknesses. While it would always be best to use both on an ongoing basis, a community bank might find an intrusion detection system too expensive for a particular network (perhaps a network which does not contain customer information).

Community banks do not necessarily have to deploy intrusion detection, in spite of the fact that it can be a vital component of an information security program. After the directors and management understand what intrusion detection is, what it can do, what role it can play in an information security program, and the alternatives to deploying it, a board may conclude that it is not necessary on a specific network at this time, if the risks warrant such a conclusion. The Agencies expect community banks' information security programs to grow, with additional security features implemented over time, assuring ever higher levels of security. While intrusion detection might be too costly for a community bank today, with falling computer technology costs and increasing threats, sooner or later all banks probably should end up with intrusion detection capabilities on all networks.

In contrast, penetration testing can provide a less expensive means of testing the security of a bank's network and should provide valuable information about how secure the bank's computer networks are from intruders. A review of the industry indicates that penetration tests currently start at about $5,000.00 and go up. Penetration testing should result in a written report describing all vulnerabilities noted in the process and recommendations for correcting deficiencies, not just the log files of the procedures followed and port scans. More thorough penetration tests may include an analysis of all public databases and domain name servers related to the bank, its parent (if any), all the bank's related entities and their Web sites for information that should not be made available to hackers; recommendations for improvement to the security program, policies or procedures; and suggested follow-up testing that appears warranted.

During the penetration testing process, many different types of vulnerabilities can be identified, such as required but uninstalled security patches. There is also the possibility of identifying what are called false positives: apparent vulnerabilities which cannot be confirmed without working with the network administrator or spending a lot more time during the penetration test. Frequently, time and money can be saved by having the penetration testers work with the network administrators to resolve any such issues together after the test. The depth and breadth of a penetration test, security audit or other services of a security professional should always be agreed to in advance in writing. Remember, management must document its efforts to comply with the Guidelines, very much as it was required to document its efforts to comply with the Year 2000 safety and soundness standards.

There are many different types of tests and audits which can be performed relating to an information security program. At a minimum all banks should consider adopting policies which would require at least the following types of testing and audits on a regular basis:
  • information security audits (like those performed by members of the Information Systems Audit and Control Association which utilize the Control Objectives for Information and Related Technology ("COBIT"®) guidelines),
  • penetration testing,
  • intrusion detection systems testing,
  • review of information contained in public databases and all domain name servers utilized by the bank, both for accuracy and for any material that should not be made available to potential hackers,
  • testing of employee susceptibility to social engineering, and
  • testing of compliance with information security program policies and procedures.
BEST PRACTICES SECURITY AUDIT
It has been persuasively argued that following the February, 2000 Denial of Service attacks against some of the most popular Web Sites, the required current level of "due diligence" for banks in information security requires them to obtain a best practices security audit which is composed of two things: a technical assessment and a legal assessment. While the Guidelines do not specifically provide the requirement, this conclusion is logical from a review of the Guidelines and the Supplemental Information. The Agencies pointed out that a bank may require the skills of security professionals and lawyers to develop an information security program. It is suggested that any community bank which does not yet have adequate knowledge in-house to identify and assess the risks which may threaten customer information and develop a plan to manage those risks, should seriously consider obtaining both a technical and a legal assessment.

The technical assessment of the security audit should result in a written opinion which:
  1. assesses all potential internal and external technical risks which could threaten a bank's customer information;
  2. defines current best technology practice countermeasures for each identified risk and suggested changes to the bank's policies and procedures;
  3. describes implementation of controls which would improve a bank's ability to deter intrusion attempts;
  4. analyzes the effectiveness of the bank's response system to detect unauthorized intrusion attempts; and
  5. assesses adequacy of bank's procedures for sharing data regarding unauthorized or fraudulent attempts with regulatory and law enforcement agencies.
The technical assessment also provides an independent method of identifying risks to customer information, sufficiency of existing policies, and tracking and documenting threat changes. It should be noted that these directly relate to all three requirements of the required risk assessment process.

An important responsibility under the Guidelines is the careful selection of security professionals. Not only is it important for a bank to select competent professionals; just as important, it needs to look at the background of everyone it considers hiring. There has been a popular trend for ex-hackers to go into the commercial security business. They sometimes even advertise their background as hackers, asserting that it better prepares them to protect your networks. In spite of the fact that there is some shortage of qualified security professionals, a bank should be cautioned against hiring anyone with any hacking background or other related criminal activity. Furthermore, a bank must review the employee qualifications of any company it considers retaining to ensure that it does not hire anyone with a hacker background. While ex-hackers have the right to earn a living and can, in the right circumstances, be extremely valuable employees, the stakes are too high with a financial institution: a bank cannot afford the risk that it might someday have to explain to a jury why it chose an ex-hacker (someone with a known propensity for criminal behavior) as a security professional.

The last step in the technical assessment of the security audit is a follow-up assessment after the bank has had the opportunity to make any needed improvements or adjustments. The follow-up technical assessment should be in writing, and should confirm that all improvements called for in the technical assessment have been implemented. It is important to document that every weakness identified in any test or audit has in fact been adequately addressed.

The legal assessment of the bank's information security program should result in a written opinion regarding:
  • the bank's information security program's compliance with Federal security standards;
  • an assessment of the bank's legal risk exposure in light of relevant case law;
  • proper execution of officer and director responsibilities in regards to the information security program;
  • insurance policy evaluation for coverage for damages to customer information, or damage to any part of the bank's information technology which prevents access to a customer's information;
  • compliance with the scope of licensing agreements;
  • employee/vendor agreements relating to customer information access levels, the monitoring of the utilization of the bank's information technology, procedures for the termination of employees/vendors, hiring practices, etc.;
  • compliance with prior audits' recommendations; and
  • contracts with all outsourced suppliers with access to customer information for ability of bank to perform its duty to exercise "appropriate due diligence in managing and monitoring its outsourcing arrangements to confirm that its service providers have implemented an effective information security program to protect the bank's customer information."
Most service providers will not want each bank they service to hire penetration testers to hack their network. The logical way to allow banks to perform their oversight duties without interfering with the operations of the service provider is for the service provider to establish an information security plan appropriate for the banks it services (meaning a plan which complies with the Guidelines), provide the banks access to its information security program and the results of all testing and auditing, and report to the banks on the overall status of its security program, including any attempted or actual security breaches or violations and the responsive actions taken. It may be necessary for a bank to negotiate appropriate clauses in its service provider contracts.

These two assessments (legal and technical), which form a best practice security audit, will provide the board and management with much of the information they require to identify and assess risks to customer information, assess the sufficiency of security policies, and provide a foundation to adjust the bank's risk assessment in light of changes that have been made to the bank's network or its telecommunications environment. These are the heart of the risk assessment process required by the Guidelines and they provide means to ensure that the bank's information security program complies with the Guidelines.

CONCLUSION
The new Guidelines impose important new responsibilities upon bank board members and senior managers. Strict adherence to the Guidelines will yield rich dividends by cementing the status of banks as trusted repositories of sensitive and confidential information. By carefully constructing adequate data security safeguards, community banks can extend to their customers the benefits of our rich telecommunications environment while zealously protecting their information and privacy.

Lynndon Michael Guard has a unique combination of strengths in law and technology as a licensed patent attorney, seasoned banking and commercial lawyer, and a telecommunications expert.

Since 1982, Michael has had a varied law practice that has included commercial law, commercial litigation, corporate law and complex commercial transaction contracts. More than a decade ago, he drew upon his extensive science background to become licensed to practice before the US Patent and Trademark Office. Since that time, he has consulted with both individuals and corporations on patent, trademark and copyright applications, as well as patent and trademark disputes.

Michael earned an MS in Telecommunications Management from Oklahoma State University in December, 1998 with a 4.0 GPA. He is currently pursuing a Ph.D. in the same field, while serving as General Counsel and Chief Technology Officer of Glia Group, Inc. Additionally, he is in the process of forming Secure MIS, a corporation which will focus on information assurance, particularly for the financial industry.

A founding co-partner in a ten-year-old company called BankGuard Resources, Michael has also been involved in the development of educational resources for the banking industry, including training videos and seminars, has provided consulting on networking and network security issues, and has taught and written on various subjects of interest to bankers.