Which is why I don’t much care for any manner of compliance-based assessments that are self-administered.

Companies have had this crazy notion for more than a decade now that the best way to identify and address risks inherent within the infrastructure is to ask key stakeholders a somewhat generic set of questions and use their responses to figure out what’s what.  Most of the time the people driving these initiatives are either information security professionals or corporate compliance people who either believe they already know where the problems are or are looking for the simplest and easiest way to satisfy some requirement.  But what they often fail to grasp is that it’s almost impossible to draft a common set of questions that either apply to the vast majority or worse, will be interpreted consistently across the stakeholder population.  Plus the perceived benefit of using a self-assessment approach to reduce effort and required support resources is almost always an illusion.  Most of the time saved in not having someone ask the questions and record the answers is instead consumed by needing to explain the format, explain the questions or trying to clarify and clean up the responses.  While supporting one such program recently each assessment required a kick-off meeting, a follow-up meeting to review the status of the assessment, a third meeting to review the initial draft of the questionnaire, a fourth meeting to review the resulting report(s) and a largely untracked number of hours to help generate all of the related support documentation.  Regardless of the size of the entity being assessed each one consumed somewhere close to eight hours.  While that might seem like a scary large number, the really scary part was that based on which risk analyst was responsible for the assessment and the personality/mindset of the stakeholder completing it the results looked very different from one another.  It was almost impossible to generate meaningful metrics across the assessment population because a “Yes” answer for one question might mean the same as an “N/A” in another; there was no way to know that.

Another issue I’ve always had with the self-assessment approach is that while some stakeholders take it seriously and do a remarkably thorough job, others race through it with little hesitation just to fill in the blanks and get it off their desk.  Sometimes you can detect which is which, sometimes you can’t.  Plus the approach fails to capture much of the rich and relevant information related to each question and the underlying risk behind it.  I recall conducting a team-driven risk assessment years ago where one stakeholder after the next covering a very broad sampling of the infrastructure kept lamenting on the lack of a proper disaster recovery plan.  They had something to show auditors/examiners but to a person no one believed it was a truly viable plan.  All but the CIO brought it up as a concern and when pressed a bit about why that was they all shared a common concern: If their main office was closed unexpectedly for twenty-four hours, regardless of the reason, they were likely out of business.  A related self-assessment question would ask “Do you have a current and recently tested DR plan?” – most respondents on that engagement would simply have selected “Yes” and moved on to the next question without ever being challenged to share their concerns.  Where’s the value in having a repository of questions and answers when it fails to capture the true essence or dimension of risk? 

And the biggest issue I’ve always had with self-assessment questionnaires and their related templates is that they’re so often poorly designed.  I can guarantee you that each of them has at least one question which makes zero sense to anyone who reads it.  They either answer it based on what they think it’s asking, answer with an “N/A” or require follow-up with the people managing the process to have it explained.  And you’d be amazed how many times even the author is challenged to provide a meaningful answer (including this guy).  One thing’s for certain, a self-anything needs to be designed and written so that everyone understands what they need to do without having their hand held.  Plus it’s rare that questionnaires are customized so that each stakeholder is only asked those questions that truly make sense.  An application owner should never be asked if their anti-virus solution is current and up-to-date.  A business process owner should never be asked about software change management.  Yet seldom have I encountered a self-assessment process which does anything like this and so the audience is burdened with time consuming yet unnecessary questions.

Really though in the end my overriding problem with the self-assessment approach is that it fails to capture the expertise and guiding hand of true risk and assurance people.  The process is often supported by analysts who don’t really have a feel for conducting assessments and are satisfied that all of the blanks are filled in.  I have a nose for when there’s something beyond a simple answer and know when to scratch at the surface to bring it to light.  By not allowing expert hands to guide the process potentially huge amounts of valuable and possibly critical details are being missed thus undermining any perceived value of the process.  When you consider that all tolled and tallied the self-assessment approach versus the guided assessment approach doesn’t really save you much time (if any) and that it results in a weaker finished product, why would you elect to use it?   One answer is that regulators push for it because perhaps it’s better than nothing (I can’t get any of those I know to comment).  Another is that the people sponsoring these initiatives lack the fundamental comprehension to understand their options and chose what they perceive as the less complicated approach (again, I don’t know for sure it’s just a theory).  What I do know is that when done right a risk assessment is managements best friend, a fundamental belief behind the recent spike in ERM activity.

While recently having my car serviced the mechanic discovered a nest of some sort in the engine block, he thinks it was probably squirrels.  Because of this discovery he went searching for all the wired connections to make sure they weren’t chewed up and destroyed, quite a few were as it turns out (the car had been idle for several months).  The bill only added the cost of the replacement wires but nothing significant for the time it took to first find which were affected and then replace them.  Had I attempted the repair myself I might have noticed the nest and likely would’ve cleared it but know for certain I never would’ve thought to check the wires, where to look for them or what to look for.  I was smart enough to rely on a professional with a nose for that sort of thing and it saved me time, money and best of all the aggravation of having the car break down somewhere unexpectedly.  Good thing I didn’t go the self-repair route.

Things are looking up a bit because I have a new favorite regulatory agency to follow, the Consumer Financial Protection Bureau (CFPB).  And here’s why:  They focus on things that impact my day-to-day life (and yours as well).

I started tracking what the CFPB was doing about five months ago by accident.  Someone I know who used to be an examiner for the FRB switched over to the newer agency right at its infancy and I noticed this courtesy of a LinkedIn update.  Because I consider the Fed to be the Big Kahuna of the regulatory agencies I was surprised (you don’t leave the Yankees to sign with an expansion team unless you have to, or so I thought).  Compelled a bit by the update I started poking around the CFPB website.  For the first few months of this year it seemed to have potential but was little more than brochure-ware.  But last month that all changed.

The first CFPB update that caught my attention was labeled 12 CFR Part 1070 and it was all about the protection of consumer data, only with a slight twist.  Basically it was all about how any information they received as part of their field work would be protected exactly the same way that any third party vendor would be required to.  Despite their being a Federal agency they weren’t going to hide behind that as a means to simplify their lives.  They spearheaded an update to the underlying regulation that frames their charter so that consumers and their institutions can be assured that all PII and NPPI would be protected.  For me it was a rare win-win topic; protection of PII and NPPI combined with a reference to vendor management (these are a few of my favorite things).  And really for me it was that much more significant because I’ve known of a few situations where representatives of Federal and State regulatory agencies were responsible for the outright loss of confidential and/or restricted data.  Beyond a slap on the wrist there wasn’t much else done to the offending examiner or their agency.  And the affected institution couldn’t really complain too loudly because it’s always a bad idea to challenge your regulators, even when you’re in the right.  So I thought this was all at once a compelling and remarkably sensible update by a regulator, not something I’d expect to see.  That was the first points on the board for the CFPB.

The second set of points were scored almost on the same day.  I wanted to check one of the details related to the aforementioned update and noticed this one “Consumer Financial Protection Bureau report finds confusion in reverse mortgage market“.  Because I have a parent who is a senior citizen and who I think might one day soon be open to at least exploring a reverse mortgage I read with great interest.  The report was in plain English, was oriented in such a way that I could share it with my family and have them understand the issues and concerns detailed within and most importantly it made sense.  Reverse mortgages are growing in popularity and its main audience is the senior citizens segment of society.  Seniors tend to be  more easily misled, they’re under greater pressures to find new money sources (courtesy of our recession) at a time in their lives where going back to work is often not an option.  And because a parent would do almost anything rather than turn to their children for financial assistance they see a reverse mortgage as a way out of their predicament.  So for me having this content available was quite the relief.  I can caution and advise all day and night but the risks presented by a reverse mortgage are much more credible coming from an authorized source.  And so I celebrated July 4th this year by declaring the CFPB my new FDIC (the Sheila Bair inspired version, not the current blah one).

Here’s my really bizarro advice to any of you with even the slightest interest in regulatory oversight; if you haven’t already done so visit www.cfpb.gov and take a look around.  It’s oriented towards lay people, not just lawyers and regulators (and practitioners like me) and addresses topics and concerns that affect the majority of our population.  Basically it’s what I would expect from a regulator that still has that new agency smell but nothing like I’ve come to know from those that preceded it.  To those who have had a hand in defining its charter and organizing its content, great job!   Now repay my kind words by going out and getting me some juicy enforcement stories to write about.

It’s a custodial account because of his age and my wife is designated as the custodian of record.  As a result, I’m not supposed to be able to conduct any manner of business with the account because my name doesn’t appear anywhere.  However, of the five phone calls I’ve needed to make to the fund company’s offices over the past few weeks, I’ve only been asked to have my wife authorize the conversation twice.  That means that in 60% of my calls, I was able to present myself as someone with legitimate privileges to conduct business with the account and was successful.  And while you can slice and dice the numbers and draw the conclusion that the fund company’s compliance efforts are partially effective, the truth is that they’re completely useless.

Being a little bit compliant is akin to being a little bit pregnant; you either are or you aren’t.  There’s no gray area in between to take credit for.

Now take into account that I didn’t go looking for this; it just fell into my lap.  I wasn’t researching anything, trying to test a theory or uncover a topic for a new blog post — I was just trying conduct a simple transaction.  And so my first thought upon reflection was that this was too easy.  What if I was really trying to do something I wasn’t supposed to be doing?  What if I’d found a neighbor’s statement in my mailbox and decided to try and access their account?  What if I did some good old-fashioned dumpster diving around town and found a few discarded statements (trust me on this, that’s easier to do than you’d ever believe) and tried to get money out of someone’s account?  Statistically you’d have to figure I could get pretty far without getting caught.

What I find truly amazing is that we’re in the age of compliance.  I receive pamphlets and inserts in my mailings all the time from banks, credit card companies and anyone else I share PII with about how they have an obligation to protect my information.  Every time you visit a doctor for the first time, half the paper work is specific to HIPAA.  And yet in the middle of this sand storm of compliance activity, I was able to bypass the rules three times in five attempts and I wasn’t even trying to break any rule.

They say a chain is only as strong as its weakest link.  The same is true of compliance; if it fails in any measurable way it fails — pure and simple.  And if the compliance folks at these companies can’t keep up, how are they going to adjust as we keep moving more and more onto the lightning fast pathways of the Internet?

But lately I’ve been wondering if it’s even the criminal element that presents the greatest threat to my PII.  I worry that the banks themselves may be slipping just a bit in keeping up with their regulatory obligations regarding my privacy based on news from the field.

Our practice routinely calls on financial institutions with our services.  We’ve spent an enormous amount of time and energy paring things down to what we believe are the most relevant areas based on guidance from the oversight agencies and from practical experience.  And so when we engage a current or prospective client in dialog we’re typically cutting right to the chase in order to make the most efficient use of their time.  We’ll hear a wide range of responses when asked how they’re managing a variety of key control activities (e.g. it’s managed internally, we use a software solution, our audit department does that, etc.) and for the most part it rings true.  However lately we’re being greeted with a noticeable uptick in one response in particular: “The examiners didn’t even look at that so we’re not worrying about it right now.”

Not to belabor the point but as I’ve already mentioned we’re not offering exotic services.  Quite literally everything we have to offer to our clients should make the short list of must-haves for any CISO or compliance officer.  How can the examiners not cover any of these things?

To be fair, it’s typically not a reflection on ability but rather available hours.  I’ve blogged before that when things are missed it’s almost always been because the fieldwork only allows for so many hours and you start with the riskiest areas first and work your way down from there.  So if the examiner needs 80 hours to cover the landscape but only has 40 hours to get it done they have to focus where they think they most need to. But still, how do you not make sure that there’s a current business continuity plan in place or check to make sure that the infrastructure has been tested recently to ensure there aren’t significant vulnerabilities present?  Internally we’re very kind to the entire examination process over the past year or so because safety and soundness has really needed to be at the forefront of the regulatory efforts.   So we balance our concern about what’s being overlooked with an understanding that the examiners are likely doing the very best with what they have to work with.  But still…..

I was reminded recently that the FDIC budget for 2009 included an increase in the number of examiners available by 30%.  At the time it was announced, I figured it was a move intended to ensure that compliance was being properly enforced across all areas during a very turbulent period in our banking history.  However nearly two years later I  wonder what’s happened?  How can I reconcile an increase in the number of examiners with an apparent decrease in information security oversight?

If you think I’m exaggerating consider that over the past decade the FDIC has released three or more Financial Institution Letters (FIL’s) addressing information technology guidance every year right up until mid-2009.  Since then there have been no updates at all relating to IT or information security.  After never going more than a few months offering updated guidance over a 10-year period, they’ve had nothing new to  publish in 14 months.  How is that even possible?

On one hand, I’m hearing that examiners aren’t always looking at key compliance activities and on the other hand, I’m seeing an apparent drop off in IT guidance from the chief banking oversight body.  For someone like me who worries about these things on both a personal and professional level, this is not good.  When I watch that IE8 commercial I’m not laughing; I’m wondering how anyone would even know if that sort of thing was going on right now for real?