Managing Risk: Information Security
Risk is the four-letter word most on our minds right now. In the context of information security, managing risk is a front-burner issue. But what, exactly, is it? One of the problems in dealing with risk management is that it is such a slippery concept, with very few clear, hard lines. In information security, the challenge is compounded by the almost daily developments in software: new releases, newly discovered vulnerabilities and the patches that follow them.
In the good old days, not very long ago, risk management boiled down to buying insurance. The agencies have made clear that insurance coverage is not risk management: "Insurance coverage is not a substitute for an information security program."
This instruction is consistent with another directive from the agencies: the information security program must be designed and maintained to protect customer information. The program is not simply there to protect the institution; it protects the information about customers that the institution holds as a custodian. With this focus, we need to look at the information security program from the perspective of both the institution and the customer.
The guidance contains two key concepts: prevention through controls, and response preparedness. Prevention - the protection of information - must be the heart of the program. Security measures should be developed and maintained with the full realization that when it comes to information security, there is absolutely no passing the buck, including to the service providers that hold or process your customer data.
In designing a program, look constantly for loopholes. There are always people on the outside, and employees on the inside, who think freely and creatively and would like to play with your customer data. Be ready for them.
Information risk management is ongoing. Any information security program must be reviewed and updated at least as often as Microsoft issues security updates. Also remember that the program should cover more than software and systems: paper records must also be protected.
With these principles in mind, you should be able to answer all of the following questions. While we have added a few, most come directly from the agencies' guidance. Consider these issues as an agenda for your information security meetings.
Prevention and Controls
- Where are all your information systems, including service providers?
- Who has access to information systems?
- What limits are there on access?
- What firewalls are in place?
- What authentication steps are in place?
- Is there a system for tracking access and determining that it was authorized?
- Is access limited to specific locations?
- What controls are at these locations?
- Are encryption techniques for access, storage or transmission state of the art?
- Can anyone modify information systems without proper authorization?
- Are dual controls and segregation of duties in place?
- Are background checks performed and regularly updated on employees who have access?
- What monitoring systems are in place to identify possible intrusions or other attacks on the system?
- What action will be taken against a person who accesses or attempts to access information without authorization? Is this action sufficient?
- Are there adequate information protection and back-up systems so that information can be restored following a crisis or disaster?
- If the system can be accessed through the Internet, what protections and firewalls are in place?
Response Preparedness
- What tools and techniques are ready to identify problems and assess the extent of harm?
- Are procedures in place to give prompt notification to your federal regulator?
- Are procedures in place to give appropriate notification to law enforcement and, if appropriate, file a Suspicious Activity Report (SAR)?
- What measures are in place to limit harm and reestablish information security?
- What is in place to give prompt notification to customers?
Copyright © 2005 Compliance Action. Originally appeared in Compliance Action, Vol. 10, No. 15, 12/05
First published on 12/01/2005