Posted by: David Schneier
There’s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days. Ask me and I’ll tell you that I’m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security. Ask my immediate family and they’ll tell you that I work with computers. Ask my extended circle and they’ll tell you that I do a lot of work with banks and credit unions. For those who aren’t in the banking business it’s difficult to understand exactly what it is that I do and so they find it easier to keep it simple; I do a lot of work with computers for places where people deposit their money.
Of course the truth is much more complicated. I don’t just focus on computers; my scope expands to include anything that involves sensitive information. While that always includes a variety of devices, it also includes paper-based and people processes as well. I frequently share stories about the enormous amount of printed content that’s to be found throughout an institution’s physical locations. I occasionally tell stories about how careless people can be when on the phone or in conversation, sharing all manner of sensitive information. It’s never just about computers; it is, however, always about information and how it needs to be protected.
Truthfully though, what I really do is search for controls that protect information, identify those that I find and try to measure their effectiveness, and, more importantly, identify where controls are missing and work with my clients to remedy that. At the heart of the regulatory requirements I focus on, it’s all about the risk introduced by the presence of information, from personally identifiable information (PII) to non-public personally identifiable information (NPPI). Risk: it’s what drives every single project I work on, it’s what drives every product and process I help develop. And really, if you take the time to read through the literature, it’s what’s behind just about every piece of regulation known to the banking world. Risk, risk, risk and risk.
One of the reasons I’ve enjoyed spending so much time working with the community banking and credit union sector over the past few years is that it’s a simple enough argument to make with fewer people to convince: everything you do to comply with the regulations should be risk-based. It doesn’t really make a difference if it’s complicated to do or time consuming; you prioritize based on where the risks are found and make decisions accordingly. But that gets much more difficult to do as institutions grow in size and complexity. Over the fifteen years I’ve been building and supporting compliance initiatives I’ve worked with Fortune 50s, 100s and 500s, and a whole lot of financial institutions that merely read Fortune magazine. But while their overall size varies widely, risk is still risk and that never changes.
I wish more practitioners embraced this simple concept. While some do, many still don’t. There’s often a rush to come up with a standard set of decision criteria to drive the work based on factors not necessarily aligned with risk factors. Those who have worked with or for me will tell you that when presented with questions about which vendors or applications to assess, or what to look for when conducting any type of assessment, my first line of logic is to try to figure out where the greatest possible exposures are to be found. Assessing a low-risk application yields little value no matter how complete the assessment may be. And reviewing a vendor where the dollar spend is high but the risk factors are low does little to protect the institution.
Beware the practitioner who wields a hammer for they only know to look for nails.
Your regulator doesn’t want you to blindly implement compliance programs; they want you to identify and manage risks, real risks. They want to be able to understand the logic and approach being used and find credible evidence that you’re focusing your efforts on the right things. Go back and read through the library of FFIEC documentation and pay close attention to the hooks inserted throughout where they talk about conducting assessments and about using approaches which are appropriate for the size and complexity of your institution. Then scan through your related program inventory and figure out if you’ve designed things accordingly. Are they actually protecting your institution from credible threats and risks, or are they just filling binders on your compliance officer’s shelves?
For me, professionally, I’d prefer to only ever do meaningful work, and in the audit and assurance world “meaningful” is code for risk-based.