In an interview, former FDIC bank examiner Susan Orr talked about what she has been seeing at client sites and what her sense is of current concerns and issues. She said that, on the whole, banks are doing a pretty good job safeguarding digital information and protecting systems. Companies that are the most proactive are doing things like monitoring employee Internet usage and blocking specific sites to prevent abuse. The need for an overall picture of security status is one reason why vulnerability assessments are required by regulators on a quarterly basis. Client data protection and information protection is still an area that many bank staffs are struggling to learn. Banks should devote a section of policy to customer data, for instance not copying information from a desktop record to a laptop or storing it on a USB stick.
Susan Orr spent 14 years as an FDIC bank examiner, holding positions that include regional IT examination specialist, special assistant to the regional director, special assistant to the director of DSC, and special assistant to the vice chairman. Susan was also a lead instructor for the FDIC's technology school and worked on projects such as the FDIC E-Risk Strategic Initiatives Risk Monitoring Committee and the Federal Financial Institutions Examination Council IT Handbook rewrites. Currently she heads Susan Orr Consulting, based in Naperville, Ill., with duties that include regulatory reviews for banks.
Recently, she spoke with ABA BJ Senior Editor Lauren Bielski about what she's been seeing at client sites and what her sense is of current concerns and issues.
How would you describe the security stance of the industry?
On the whole, banks are doing a pretty good job safeguarding digital information and protecting systems. Given the regulatory scrutiny, this makes sense. They are faring better than, say, mortgage providers or other financial services firms, which are still learning the basics, as a rule. But really, conditions vary pretty significantly from bank to bank. Companies that are the most proactive are doing things like monitoring employee Internet usage and blocking specific sites to prevent abuse. Or, they are using log correlation tools to monitor network usage in real time to get a clearer sense of who is using what applications and systems, and if there is any inappropriate access and usage. Basically, they are creating visibility into a complex operating environment and attempting to ensure some policy enforcement.
Because regulators have been insisting on better perimeter controls as well as controls on key infrastructure and application areas, like Internet banking or the core processor, most banks have those systems protected fairly well. Most are also "virus savvy," and are trying to catch up on other malware trends, such as blended threats [e.g., viruses, worms, or Trojans with embedded HTML files]. And yet, there's room for improvement out there. I'll still find a bank that doesn't have an information security program developed, which seems hard to believe given how much has been written about the importance of policy.
What are some foundation elements or key basics of improving your security effort?
Well, developing a usage policy is critical. GLBA requires a comprehensive information security plan, and when I review bank plans, I use the international ISO 17799 standard, which addresses systems access control, operations management, system development and maintenance, and even physical and environmental security. But the risk assessment is an equally important part of preparation. You have to learn your operational profile and the gaps unique to your company. I see a lot of confusion around risk assessment. People tend to look very narrowly at the practice. There was confusion in recent times when regulators used language such as IT risk assessment versus assessment of information risk. In truth, you can't look at information or systems out of context. Also, being secure requires more than controlling digital information. How are documents being handled? What's going on at that shredder? Are you using it consistently?
The whole area of social engineering is a tough one.
Yes, people don't understand how easily information can be taken or be exposed to unauthorized access. A lot of work still needs to be done in what I'd call facilities protection. When I walk through offices, I still see desks with a lot of important paperwork exposed: loan documents, documents that only senior officers and board members should have access to that are left on cabinets, that sort of thing. Again, it's not every place, but I see it enough to mention it. The thinking is that everyone knows the employees and there is no reason for vigilance. Yet you don't always know who's gotten in the building under false pretenses, or who has gained access after hours. Also, think about where computer screens are positioned: could someone easily look over your shoulder to get client information?
It sounds like you're advocating a basic security awareness among employees.
Basic security training is a good idea. There are some online courses and guidelines available to help familiarize employees, but I also think a formal presentation makes sense because senior management can really emphasize key policy issues. That personal touch helps drive home the importance of being aware of what your business processes are and what your habits with records and information are.
Getting back to policy development for a moment. What are some of the challenges you are seeing?
Well, I'll see a strong policy and strong enforcement around an isolated area, say, how wire transfers are conducted, or regarding networks or ATMs or core processing operations. But there isn't necessarily a sense of cohesion. The entire operation isn't being looked at from the top down, so that physical security and digital security can be considered in context.
The need for an overall picture of security status is one reason why vulnerability assessments are required by regulators on a quarterly basis. That is a good start, but I think scanning the network and operational environment should be done more frequently.
Penetration testing, which involves simulating hacking attempts, is a part of this. There are also tools for passive vulnerability scans, like Microsoft's Baseline Security Analyzer, that can spot bad patch management.
Are insider threats still the big problem?
Absolutely. You need a policy that firmly establishes the access rights of least-privileged employees and makes sure that only authorized personnel have access to sensitive information.
Sometimes, it's not that the employees are purposely engaged in bad behavior; they might fall prey to some social engineering [e.g., pretext calls] and give away information, or they might lose files because they aren't adequately trained on the system. On the other end of the spectrum, you need to know what your system administrators are doing online. This is where monitoring activity in real time comes in.
Yet, a key challenge on the monitoring side is coping with all the data that is generated. How do you recommend that banks cope with that?
There are some pretty good tools out there that can help shape that stream of alert information. EIQ Network and GFI Event Manager are two pretty good ones that I recommend.
What are other key challenges banks face this year?
E-mail is still an enormous challenge. I read a stat that said about 90% is spam, and yet the channel is still being used for business purposes, so you need a way to protect that information. There are some good e-mail content filtering tools; Intrusions and St. Bernard are two that I know about.
Client data protection and information protection is still an area that many bank staffs are struggling to learn. Laptop protection is another area where I see many banks still falling short. I saw laptops recently that were being provisioned without personal firewalls or data encryption. Also, I think a bank needs to establish usage guidelines for these assets: no Internet surfing for other than business purposes. This is because there are risks for spyware infection or other problems with malware on certain kinds of non-authorized sites. Also, banks should devote a section of policy to customer data, for instance not copying information from a desktop record to a laptop or storing it on a USB stick. I think a lot of banks would be surprised how much information leaves the business.
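Orr describes three monitoring needs in the interview: seeing who is using which applications and whether any of that access is inappropriate, watching what system administrators do, and coping with the volume of alerts that monitoring produces. The following is an added example written by the editor to show what that correlation looks like at the level of a few rules; it is not code from the interview or from any product Orr names. The syslog-style log format, the business-hours window, the authorization table, the privileged-account list and the user and host names are all constructed for illustration.

```python
"""Toy log correlation: flag after-hours logons, use of a sensitive application
by someone outside its authorized group, privileged-account actions, and
repeated failed logons, then collapse repeats so a reviewer sees one alert
per (rule, user) instead of one per raw log line."""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events in a syslog-like key=value form (not from any
# real bank system); one event per line, ISO timestamp first.
SAMPLE_LOG = """\
2007-04-02T08:58:12 host=ws-lending user=jdoe event=logon result=success
2007-04-02T09:02:44 host=core-proc user=jdoe event=app_access app=core_banking result=success
2007-04-02T09:15:03 host=ws-teller user=mlee event=app_access app=wire_transfer result=success
2007-04-02T09:15:09 host=ws-teller user=mlee event=app_access app=wire_transfer result=success
2007-04-02T12:30:00 host=dc01 user=admin-rk event=logon result=success
2007-04-02T12:31:10 host=dc01 user=admin-rk event=group_change target=jdoe group=DomainAdmins
2007-04-02T23:41:55 host=ws-lending user=jdoe event=logon result=success
2007-04-02T23:42:30 host=core-proc user=jdoe event=app_access app=core_banking result=success
2007-04-03T03:10:00 host=vpn user=sthomas event=logon result=failure
2007-04-03T03:10:05 host=vpn user=sthomas event=logon result=failure
2007-04-03T03:10:11 host=vpn user=sthomas event=logon result=failure
"""

# Assumed policy for the example: normal hours, which users may use which
# sensitive application (least privilege), which accounts are privileged, and
# how many failed logons in a row are worth a single alert.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
AUTHORIZED = {
    "core_banking": {"jdoe", "admin-rk"},
    "wire_transfer": {"wire-ops1"},      # mlee is a teller, not on the list
}
PRIVILEGED = {"admin-rk"}
FAILED_LOGON_THRESHOLD = 3

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def correlate(log_text):
    """Run the rules over the log and return alerts, one per (rule, user),
    each carrying how many raw events it absorbed and the first/last time."""
    alerts = {}
    failures = defaultdict(int)

    def add(rule, ev, detail):
        key = (rule, ev["user"])
        a = alerts.setdefault(key, {"rule": rule, "user": ev["user"],
                                    "detail": detail, "count": 0,
                                    "first": ev["ts"], "last": ev["ts"]})
        a["count"] += 1
        a["last"] = ev["ts"]

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, event, result = ev["user"], ev["event"], ev.get("result")
        if event == "logon" and result == "success" and is_after_hours(ev["ts"]):
            add("after_hours_logon", ev, f"logon to {ev['host']}")
        if event == "logon" and result == "failure":
            failures[user] += 1
            if failures[user] == FAILED_LOGON_THRESHOLD:
                add("repeated_failed_logons", ev, f"{failures[user]} failures on {ev['host']}")
        if event == "app_access":
            app = ev["app"]
            if app in AUTHORIZED and user not in AUTHORIZED[app]:
                add("unauthorized_app_access", ev, f"{app} from {ev['host']}")
            elif is_after_hours(ev["ts"]):
                add("after_hours_app_access", ev, f"{app} from {ev['host']}")
        if user in PRIVILEGED and event != "logon":
            add("privileged_action", ev, f"{event} on {ev['host']}")
    return sorted(alerts.values(), key=lambda a: a["first"])


def summarize(alerts):
    """One line per alert, for a reviewer's queue."""
    return [f"{a['first']:%Y-%m-%d %H:%M} {a['rule']:<24} {a['user']:<9} "
            f"x{a['count']} {a['detail']}" for a in alerts]


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    print(f"{len(found)} alerts from {len(SAMPLE_LOG.splitlines())} events")
    print("\n".join(summarize(found)))
```

On the constructed input the eleven events reduce to five alerts: the teller's two wire-transfer hits become one unauthorized-access alert with a count of two, the three VPN failures become one alert, the administrator's group change is flagged as a privileged action while the administrator's ordinary logon is not, and the lending user's late-night logon and core-banking access are each flagged even though that user is on the authorized list. Collapsing by (rule, user) is the simplest answer to the volume problem Orr raises; a production tool would add suppression windows and ticket linkage, but the reviewer's queue is already a fraction of the raw log.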
Copyright Simmons-Boardman Publishing Corporation Apr 2007
