GLBA archives - Regulatory Reality


Nov 12 2009   1:44PM GMT

Information security officers are a must



Posted by: David Schneier
Regulatory Compliance, GLBA, Audit, compliance, information security, business continuity planning, Vendor Management, CISO, ISO, information security office

I was talking with a client last week about a perceived gap in their organization.  Despite having to address multiple regulations cutting across several oversight bodies, they were lacking a single point of contact or central coordinator for all information security related activities.  Their sense was that they were long overdue for some form of a chief information security officer (CISO) and I had to agree.

The same point was underscored earlier this week during a kick-off meeting with a client regarding a pending audit.  Almost all of the requests for information, including policy and procedure documentation, were redirected to their most senior IT person.  As we were wending our way through the items on the list and they kept verbally pointing to the IT person, I started wondering how he could be responsible for all of these information security related items and still perform his regular IT duties.  The answer, of course, is that he can’t, not effectively anyway.

There’s a discipline involved with regards to regulatory and industry compliance that requires someone be committed to both understanding what needs to be done and then making sure that it’s happening.  This isn’t a new consideration; I’ve blogged in the past about how we’ve moved from an age where you simply needed documentation to one where actionable steps are required.  It’s not enough to have an information security policy in place; you also need to comply with it and then be able to prove that fact upon request.  You can’t talk about how you restrict access to systems and information and not be able to provide a recent access review/report.

I’m routinely amazed by how few of my clients understand the growing need for the role of a CISO despite their awareness and sensitivity to the increasing regulatory burden.  Many financial institutions will offer up that they have a BSA officer and some will introduce a compliance “person” who is almost always focused on AML/Patriot Act activities and not much else.  I’ve interviewed several dozen people over the years who were included in the audit or assessment process because I asked to speak to their head compliance person and it turned out that they had very little if anything at all to do with information security and GLBA-related activities.  How is that possible?

How can you expect someone who is an expert in technology to also be an expert in information security and GLBA?

The answer is obvious: you can’t.  First, there’s a very real conflict of interest in asking the person who owns many of the required controls to also monitor themselves.  Second, I’ve yet to meet a technology person in all but the largest institutions who didn’t end the day with more to do than when they started it.  Third, it’s very unlikely that a technologist will interpret the myriad rules around information security for all in-scope regulations and apply them correctly.  I’ve been doing this sort of work for more than a decade and it’s a full-time job just keeping up with the changes, let alone figuring out how to properly comply.

There needs to be an assigned gatekeeper for information security, plain and simple.  And the size of your institution doesn’t matter.  I’ve worked with very small financial institutions (under $100m in assets) that had a single, non-IT person in charge and it worked out quite well.  In one case the individual was also responsible for business continuity and vendor management, which oddly enough isn’t so odd.  Both of those require a certain degree of expertise that exceeds what you’d expect a technology person to have and more importantly, both of those activities need to cover the entire organization, not just what runs on the network.   When I worked within the technology infrastructure, I never understood why these things always got dumped there and now that I’m on the other side of things I know that it doesn’t make sense.

When the examiners or auditors ask to speak to your CISO, ISO, head security person, compliance officer or compliance manager, you need to have a name to give them, not some vague answer or explanation about how it’s done piecemeal.  This is 2009 and the demands of compliance are great and they’re real.  Ignoring the obvious or incorrectly assuming that this is a part-time job is no longer acceptable.

Oct 29 2009   5:23PM GMT

Regulatory compliance bits and bytes



Posted by: David Schneier
Regulatory Compliance, FDIC, GLBA, NCUA Sheila Bair, SOX, Pandemic Planning, business continuity planning, bcp, DR, disaster recovery, password, policy, procedure, audits, assessments, risk assessments, general controls, NCUA

Many years ago I found myself in one of those awkward moments where I needed to pay for something but didn’t have enough cash on hand to cover the bill. Rather than do the smart thing and find an ATM I instead elected to rip through my car and dig up all of the change that had been accumulating over the months and miles. After about five minutes and some disturbing encounters (food can morph into some bizarre forms when left under a car seat for too long) I somehow managed to come up with enough change to cover the shortfall. It’s amazing what you can pull together when you scavenge around and piece together disparate parts into one coordinated effort.

And so it goes with this week’s post. Here are some nuggets that I’ve gathered over time:

Policy and procedure: I was talking to a client today about password reset lengths. Turns out for one of their products they changed the password frequency to expire after 1,000 days. Their logic was that it was low risk because the application didn’t store NPPI and the security was really only necessary to ensure proper segregation of duties. So I asked them if they had a password policy (they did) and if so were they in compliance with the policy (they weren’t). After a momentary silence, their quiet reply was “good point.” Being the auditor that I am, I couldn’t help but point out that the worst thing any institution could do was to deviate from a documented policy or procedure, regardless of the reason. Once an examiner discovers something like that, they figure it’s an indication of related issues and wind up digging a bit deeper. Document what it is you do and then make sure you’re doing it; while it may seem simple enough, you’d be surprised how many companies fail on that point.

Pandemic planning: There’s still heightened concern regarding the swine flu and my industry continues to beat the drum about needing to have a pandemic response plan in place. While it’s a valid point, I’ve been polling my clients over the past few months regarding their first-hand experiences with the flu epidemic. Only a few have been confronted with any legitimate outbreaks and none of them have experienced an absentee rate that required unusual planning or intervention. While I’m not advocating that a pandemic response plan is superfluous, I am questioning my peers who are pushing this as a top-of-the-list agenda item. For my money I’d rather spend time making sure that a properly vetted and tested business continuity plan is in place and spend less time and effort getting caught up in the hype.

SOX: Banks that are required to be SOX compliant need to take some time to make sure that they’re thinking things through. GLBA is a fairly rigorous and encompassing regulation and extends deeply into a financial institution’s infrastructure. To a certain extent, it serves to drive a bank’s general controls framework, be it informal or otherwise, and as a byproduct goes a long way towards establishing controls typically associated with SOX. So when I encounter clients who are tackling SOX as though it’s its own separate set of requirements, I throw up the caution flag and try to force a reset. While it may be true that larger institutions need to extend significantly from GLBA to controls around financial reporting within the infrastructure, that would only represent a subset. Before doing anything different, the bank should bring in someone who has experience working with both SOX and GLBA to identify the (many) commonalities and produce a consolidated framework so that efficiencies are both identified and realized.

Year-end activities: In my last post I discussed how there’s an uptick in services work this time of year when many banks and credit unions remember that they still need to conduct a wide range of audits and assessments in support of GLBA/NCUA regulations. If you spend some time reading through FFIEC guidance (seriously, it’s not nearly as dry and boring as you might think) there are multiple references to “your most recent audit or assessment.” For those of you who think that the need to conduct this work is suggested rather than required, consider how it looks to your examiner(s) when they discover that your most recent risk assessment was either conducted several years ago or not at all. Do you really think it reflects well on your institution that you haven’t taken a serious look at the myriad risk factors swirling about your infrastructure for any considerable length of time? In a day and age when new threats emerge almost daily if not hourly how can you justify neglecting such a critical task? The examiners expect a current set of reports not only because it’s required but also because it’s a clear indication of solid management and oversight activities.

And on a final note, I’d like to share this link to the FDIC website. You’ll find a video message from Chairman Bair on the current state of both the FDIC and the banking industry. It’s really more of a “happy recap” (with all due respect to Mets fans) of similar messages she’s released over the last year. But I think it’s worth your time (about four minutes total) to hear it for yourself and gain a sense of calm about the security of your own deposits. And for those of you who might think I’m keeping to some sort of schedule regarding Sheila Bair references, as long as she keeps doing the right things I’m going to keep bringing her name up.


Oct 20 2009   3:05PM GMT

Should bank examiners rely on audit and assessment reports?



Posted by: David Schneier
Regulatory Compliance, Audit, risk assessment, risk, assessment, GLBA, NCUA, information security, technology, IT, business continuity planning, bcp, DR, disaster recovery

A favorite cliché of mine is “if it wasn’t for the last minute nothing would ever get done.” Personally it’s sort of the way I’m wired and in my industry it’s an unwritten rule when it comes to many annual activities. There’s an appreciable uptick in services work each year beginning in early fourth quarter as banks and credit unions wake up to the realization that the audits and assessments they are committed to conduct have yet to be done. And examiners typically don’t pay much attention to the timing of the work; they only care that it’s done during the expected time frame, so oddly enough this approach works.

But this leads to another interesting quirk about how the examiners often operate. Generally speaking, if the reports are available, they don’t dig much (if at all) beyond the reports’ contents. And so the information security and IT components of many exams become more about inventorying recent reports and not much else. We see evidence of this all of the time when we conduct a first-year audit or assessment and discover gaps or issues that have been in place for years and which the exams never picked up on.

I’ve written in the past about how surprisingly few institutions maintain a current business continuity plan and even fewer properly test that plan. But what surprises me more is that these conditions have existed for years spanning many exam cycles. How is that even possible?

I’ll tell you how: There’s a documented plan that is provided upon request and by and large the examiner conducting the fieldwork checks off that they received it and, voilà, you have a non-issue. And because the people in the field are typically given too few hours to cover too much landscape, they don’t have enough time to dig in deeper. Sometimes an examiner happens to actually open the document and vet it for key details (every now and again we come across a DoR or an MoU where the absence of a recent business impact analysis was tagged), but that happens almost never.

I’m fond of advising clients that you conduct much of the required compliance work for one of two reasons: You do it because it’s the right way to manage your institution and reduce your risk or because you have to. Because of the approach taken by examiners, way too many institutions lean towards the latter and simply want to have a report available to hand over when asked. But is this really the right way to run a financial institution?

And when you consider that the value of the report is largely defined by its contents and the competency of the practitioners conducting the fieldwork behind it, isn’t there an increased likelihood that there are important issues that go undetected? If all you do is pay for the report (often issued by the firm submitting the lowest bid) and all the examiners do is check off that the report was available and issued during the appropriate time frame, is there any real value in even bothering with this process?

I’m a bit biased regarding the value of reports. My firm is on a constant hunt for real risk and not just simply working our way down a checklist to kick out a document and collect our money. We tend to examine our clients’ infrastructure as though we have our own money deposited with them and tie what we see straight back to GLBA and NCUA requirements. The value in this approach is that we produce a report that the board of directors can relate to, not just the IT folks.

But again, if no one really even cares about the content of the report and only that it exists, why bother doing a good job?

Maybe our industry needs to adopt an approach similar to the PCI folks. Maybe the FDIC and NCUA should issue certifications to practitioners validating them as properly trained and educated experts with regards to GLBA. There would still be a variance from firm to firm to a certain degree, but at least there would be a recognized standard and an increased likelihood that if an examiner is going to rely on the competency and completeness of a report there’s some justification behind that decision.

Something’s going to have to change though and hopefully sometime soon. Because using the “last minute” logic is flawed and only serves to reinforce my own bad habits.


Oct 8 2009   8:33PM GMT

The COBIT framework isn’t an audit solution



Posted by: David Schneier
Regulatory Compliance, Audit, risk, risk assessment, COBIT, ITGI, ISACA, Val IT, Risk IT, GLBA, NCUA, SOX

I have an associate who has an addiction to certifications. He’s one of those “too smart for his own good” geniuses who often decides to change his career course and starts by obtaining whatever accreditation or cert is needed to do so. When he lists all of these accreditations and certs after his name it looks as though someone tossed their alphabet soup lunch. But his logic is that having the appropriate governing body’s seal of approval is akin to knowing the secret password needed to gain access to the right job.

Sometimes I think COBIT is used much the same way.

For those of you who aren’t familiar with COBIT, it’s a framework that has revolutionized the world of governance and compliance for the better. It was the only beacon in the vast, dark ocean of SOX insanity a few years back, providing much needed guidance for corporate America to follow and continues to serve as the best source when designing controls within the infrastructure. It’s comprehensive, well organized and when understood and applied properly, it can be very effective.

But it’s not akin to the Bible and it’s definitely not an IT audit framework or program.

And yet I often hear fellow practitioners dropping COBIT references like it somehow validates them as legitimate members of the IT audit club (which by the way is called ISACA and only requires an annual membership fee).

Just this week, I heard that someone discussed conducting a COBIT-based audit when asked about their approach to conducting an IT general controls (ITGC) audit. Two weeks ago, my partner asked me about an RFP we received in which the institution wanted to know if we based our ITGC audit on COBIT or any other recognized framework. It’s gotten to the point where the term “COBIT-based” has become ubiquitous within the IT audit domain. Years ago during the aforementioned SOX insanity, there was a running joke with a client in which every sentence was laced with a SOX reference (e.g. Good SOX morning, Happy SOX New Year, etc.). Now it seems as though COBIT has replaced SOX in that regard.

Um, has anyone actually read the framework? I mean actually sitting down and reading it from executive summary through to ME4 (the last of the control objective areas in the PDF). And how many people have actually tried to implement COBIT as it’s intended to be used? It’s a mountain of information that requires a ton of analysis and customization prior to being implemented. And it’s not intended for organizations both big and small. For many of the community banks and similarly sized credit unions that I commonly work with, it’s simply overkill.

But again, it’s not an audit framework and it’s not an audit program. And it’s entirely possible to build out an IT controls framework and never once rely upon COBIT to do so.

By the way, for those of you who aren’t familiar with the IT Governance Institute (ITGI), it’s a research think tank that exists to be the leading reference on IT governance for the global business community. In the time since COBIT made its inroads into corporate America and the audit vernacular, ITGI has amped it up a notch. Now they also publish Val IT and more recently Risk IT.

So now I’m bracing for the onslaught of risk assessments that are “Risk IT” based. But I never had a problem conducting a risk assessment before this standard existed and I doubt I’ll crack it open when conducting one in the near future. Did we really need this? And how will this drive the audit and compliance industry?

Frameworks have a place in this world, don’t get me wrong. But it’s like when I bought my Roto Zip hand saw a few years back; I walked around my house looking for things I could use it for rather than simply using it when it made sense. COBIT is awesome and it’s helped provide clarity in many, many ways. But it isn’t the official book of record for audit and compliance within IT; it’s just another tool in the toolbox. I realize that on the planet of ISACA that’s akin to blasphemy, but I offer no apologies. I refuse to build an audit program for a community bank that’s supported by two IT resources based on the 200 plus control objectives in COBIT.

And on that note I bid you a good COBIT day.


Sep 30 2009   7:34PM GMT

Accountability key to banking recovery



Posted by: David Schneier
Regulatory Compliance, GLBA, FDIC, NCUA, DIF, Audit, compliance, banking, bank, CU, credit union

Every day, I receive a semi-deluge of industry related emails.  Between the various agencies, media sites, organizations and associations I tend to receive more communiqués than I know what to do with.  But I developed an interesting habit last year when the banking industry first started its tailspin dive by making certain to read every single issuance from the FDIC.

Going back to at least last September I have read and saved each and every one of them (several hundred I might add).  I’m sure some of my peers will beg to differ, but for me this is where anyone in the industry should’ve been looking during the crisis for the best indicators of what’s going on.

Yesterday, I was glad for this somewhat addictive habit of mine.  For what may be the very first time since Lehman went belly-up, I may have found the first true concrete piece of evidence that we’re on the road to recovery, if only in some small way.

The FDIC agency alert yesterday announced plans to bolster the Deposit Insurance Fund (DIF) by requiring insured institutions (mostly the banks you and I know) to prepay on their quarterly premiums so that the fund remains viable and liquid through the still unfolding resolution of the banking mess.  And that’s significant because unlike a year ago, this time around the plan calls for the industry to take responsibility for itself and not go running to Capitol Hill for help, an option FDIC Chairman Sheila Bair has denounced on several occasions.

Here’s what Bair had to say in the announcement:

“The decision today is really about how and when the industry fulfills its obligation to the insurance fund. It’s clear that the American people would prefer to see an end to policies that look to the federal balance sheet as a remedy for every problem. In choosing this path, it should be clear to the public that the industry will not simply tap the shoulder of the increasingly weary taxpayer. This proposal is a vote of confidence for the banking industry’s resilience, and it will continue to recover its strength as we work through the significant challenges ahead.”

The reason for my optimism is that this action shifts control back to the banking sector to fix its own mess.  It puts greater emphasis on each individual institution to fulfill its obligations to the DIF in advance of using those same funds for more traditional activities commonly associated with generating profits.  I think accountability is necessary, if not essential, to repairing the damage inflicted on the industry and repairing its reputation with depositors, investors and borrowers (something the NCUA had figured out much sooner).  And so I’m feeling a little better about where we’re heading, economically speaking.

Oh, and Comptroller of the Currency John C. Dugan (that’s the OCC head honcho in case you didn’t recognize the handle) agrees with me.  Mr. Dugan said of the FDIC plan: “The actions we are taking today represent a balanced approach to raising needed money for the deposit insurance fund without impairing the ability of our banks and thrifts to support economic recovery.”  He added, “I think this is a very positive proposal. The staff did an excellent job, and I support the way you handled it.”

I’d like to chalk it up to “great minds think alike.”

By the way, if anyone knows of a Sheila Bair Fan Club or is thinking of starting one I’d appreciate it if you would let me know.  She won my admiration last year (no surprise to my regular readers) and has routinely found ever more ways to score points with me.  She continues to step up and talk straight, smart and to the point about what’s going on with the banks and what to do about it.  I look forward to the President acting on the banking reform plans announced earlier this year and I sincerely hope he puts Bair in charge of the new entity.

For now, though, I have to go; seven more FDIC email alerts have landed in my inbox and I need to check ‘em out.


Sep 16 2009   9:02PM GMT

Can the economy rebound without the banks?



Posted by: David Schneier
Regulatory Compliance, bank, credit, NCUA, GLBA, real estate, Audit, compliance

I had one of those odd moments yesterday regarding the banking industry that I wanted to share with you.

On the homepage of a major news website were two headline stories. The first was about how Ben Bernanke believes the recession we’re in is coming to an end. Immediately to the left of the story was the following headline: “Don’t be surprised to see more banks failures.” I don’t know if the site editors were funnin’ with us or just simply didn’t realize the irony in how they stacked the items, but it certainly caught my eye.

How can the recession be ending while more banks are expected to fail?

I’m not an economist but I’m reasonably certain I don’t need to be in order to grasp the financial fundamentals of the situation. If the banking crisis is far from over, if there are still significant cash shortfalls that need to be flushed out of the banking system, how can we begin a recovery? And as though the contradictory stories weren’t enough to make me rush to my digital soapbox, there was another headline a short while ago that read “Banks’ commercial real estate exposure probed” with the subhead, “Delinquency rates on commercial loans have doubled in the past year.”

More bank failures expected, commercial real estate portfolios tanking at an accelerating rate... sure sounds like we’ve turned the corner to me, wouldn’t you agree?

I’m onsite at clients all of the time and one of my favorite pastimes is to spend time with the people who pretty much run their institutions be it from the front or backseat position and get their take on both the banking industry and state of the economy. These are the people who understand how a fractional increase in an interest rate can make or break an institution and see in the dense pile of numbers a pattern that must be very much like tea leaves. They know what they know and don’t much care for the headlines or industry pundits who tell us what to think. And so I look to them for guidance on what to expect and gauge where we are based on what they see.

They’re still freaked out.

One recent conversation was a mini-dissertation on the looming collapse of the commercial real estate market. There are empty storefronts everywhere you look and even emptier office buildings. How many construction sites sit idle with partially constructed buildings waiting for an infusion of cash to get them finished? What happens to the banks that provided the loans for these empty or incomplete structures? You now hold paper on structures that are worth much, much less than what you estimated and there’s no market to sell that paper or move those properties. What do you do next?

Another conversation was with someone who is about as expert as you get on residential real estate and they shared their opinion that the worst is far from over. Too many saturated markets have failed to yield sufficient reductions to bring things back into alignment, and that needs to happen before the healing can begin. That means there are more foreclosures looming on the horizon, which will only grease the slippery slope the banking industry is currently on. And when you factor in that President Obama has said there will not be any more bailout activities beyond what’s already been made available, you have to assume that we’re in for even more tough times ahead.

Again, I’m no economist but I get to shoot the breeze with some fairly bright bulbs and they’re not lining up behind Mr. Bernanke.

I’ll admit that I’m ready to see the light at the end of the recession tunnel. I’m ready to stop reading about bank failures and predicting how many more are going to fail (is that even newsworthy anymore?) and start reading about how the industry is going to be regulated in the future to prevent this from happening again. Because the real story to me is that over a year has passed since this financial free-fall first started and nothing has changed to keep it from happening again.

I suppose you can say I’m looking for closure of a different variety.


Sep 1 2009   3:29PM GMT

IT audits versus reviews



Posted by: David Schneier
Regulatory Compliance, Audit, risk, risk assessment, GLBA, NCUA, general controls, IT, ITGC, governance, compliance, GRC

I had mentioned in my last post a recent conversation with my partner regarding a proposed IT general controls (ITGC) audit. My primary role in our practice is to head up regulatory compliance services which includes audits, assessments and program development; my partner’s primary role is head of sales and business strategy. However, there’s a significant amount of overlap between our two sides and I sometimes forget that I’m the compliance expert when we’re discussing the industry. His knowledge of the myriad regulations is impressive and there are times where I’ll vet ideas through him to validate my own thinking.

Anyway, he’d mentioned a conversation with the client around the proposed ITGC audit in which the project sponsor asked what the difference is between an audit and a review. I knew right away where the question stemmed from because of my experience in the industry. Many firms we compete with (and some I’ve even worked for in another time and place) don’t conduct audits, they conduct reviews. Sometimes they don’t even conduct a review or an audit but rather an assessment. I’ve struggled with this blurred use of terms because in my mind there are very clear delineations. The lifecycle of the governance, risk and compliance (GRC) domain is as such: identify and assess risk, design controls to mitigate those risks and test to validate that those controls are functioning as expected. And so, a risk assessment is conducted, governance elements are introduced in the form of policies and procedures, and regularly scheduled tests occur to make sure that the whole enchilada is actually getting the job done. And so when practitioners offer services that aren’t specific to one of the key areas of the GRC spectrum, it bothers me.

See, an audit is an audit is an audit; you determine the control objectives that are supposed to be supported by the entity and that are in scope for the type of audit, identify the related control activities that either are or should be in place, and then design a series of test steps to determine if those activities are occurring and tie back to the overall objective. The auditor has some leeway when it comes to offering an opinion as to what the results actually mean (one auditor’s pass is oftentimes another auditor’s finding), but fundamentally the audit results tend to be binary: you either pass or fail. It’s all fairly straightforward.

Now a risk assessment is not an audit; it’s a bit more arbitrary. Management is generally polled to determine what areas of their infrastructure (including finance, operations and technology) they are most concerned with, regulatory and industry requirements are factored in, and then a plan for conducting the risk assessments is drawn up. As these assessments occur, what they reveal is factored into the overall audit plan to make certain that the areas presenting the greatest risk to the business are being examined closely and in a timely fashion.

So here’s my question: what exactly is a review? If you’re conducting tests and examining evidence, you’re conducting an audit. If you’re interviewing stakeholders and determining what controls are in place but not testing their effectiveness, then you’re conducting a risk assessment (assuming you’re asking the right sort of questions – a post for another day). Is there some odd dimension between the risk assessment and the audit I’m unaware of where this review occurs? And what exactly are you expecting from the results of this review? Because I’ll tell you this much: examiners only recognize risk assessments and audits. You can present them with a report that’s called a review in the title and tell them it’s actually an audit, but you’d better be prepared to produce work papers because they’re going to ask you for them, trust me on this point. But my experience is that reviews don’t produce work papers because evidence is generally not formally collected in support of the report, and so a review requires significantly less effort to conduct. Which is why, when we discuss the semantics of our industry, my partner is fond of saying that the difference between an audit and a review is about 50% of the proposed amount.

And as long as I’m ranting on the topic, how many of you out there include work papers as a deliverable when you contract with external entities to conduct audits? I’ve long been amazed at how many audit projects I’ve managed where work papers weren’t required or provided because they weren’t included in the statement of work. I’m of the opinion that a summary audit report by itself is useless if you don’t have the supporting documentation, because that documentation is the only true way to confirm that the testing occurred and to support the findings. And of course it’s important to loop back to my earlier comment: examiners will absolutely ask you for the work papers. I routinely receive phone calls from clients I’ve worked with at my previous firms asking if I still have access to their work papers because their examiner is asking for them. It’s awful for me because I have to tell them that while the evidence is still available (I keep everything for seven years for fieldwork I’ve conducted), there are no formal work papers to provide. That’s the reason that when we started our firm and developed the methodologies, I made certain that part of the scoping process included asking the client if work papers were to be included in the deliverables. It adds time to the project and so there’s a cost implication, but it’s the right way to run an audit and so really a need-to-have. You can take a shortcut where applicable and only document findings, but even so, how can you prove that a successful test was actually successful? For those practitioners looking for shortcuts it provides the wrong incentive.

If you want/need an audit, schedule an audit. If you want/need a risk assessment, schedule a risk assessment. If you’re considering a review or a generic assessment, reconsider; decide which of the two proper categories your work fits into and then schedule accordingly. This isn’t rocket science; the FDIC and NCUA have been quite clear as to what you’re required to do, so keep it simple. And if the resources you’re using aren’t speaking in the common audit and compliance vernacular, force their hand and make them do so. Audit or risk assess, pick one.


Aug 18 2009   8:05PM GMT

Is perspective on our regulatory landscape a blessing or a curse?



Posted by: David Schneier
Regulatory Compliance, GLBA, PCI, SOX, Audit, regulatory, FDIC

I was away from the office last week trying to squeeze in a family vacation before the kids head back to school. Despite taking the occasional phone call and replying to a number of emails, there was still plenty waiting for me today when I returned to my normal schedule.

It wasn’t until somewhere mid-morning, after catching up with my partner, that the incongruity of my professional life was revealed in an odd pattern. I’d read about a number of bank closings having been announced on Friday (sort of becoming a weekly ritual at this point) and two newly reported credit card breaches (also fast becoming a same old, same old scenario) by the time I called into the office to touch base. Turns out we had a busy week beyond what I already knew about, and we were discussing one proposal in particular to conduct an IT general controls audit (more on that in a few weeks) when the strangeness of the morning finally dawned on me.

Everyone is still working on trying to keep up with their regulatory compliance obligations, companies that participate in credit card processing are still pushing to obtain/maintain PCI compliance, and it just doesn’t seem to be making much of a difference. Despite our practice being busier than ever and there being a heightened sense of regulatory awareness out on the street, there’s a general lack of evidence that it’s making a difference.

I’ve already beaten the PCI horse to death with regards to how the PCI-DSS by itself does not really go far enough (nor was it intended to be a be-all and end-all solution). I’ve long griped about how so much of what matters is missed by regulators due to too few budgeted hours and a lack of appropriately skilled and trained resources. So really, nothing new about any of this.

But still, with a reasonably fresh perspective and clear head on this, my first day back to reality, it all seems that much more, I’m not sure what the right word would be... depressing, frustrating, baffling?

How important can GLBA compliance be to a bank that’s just about out of financial options and on the verge of closing? And really, how much money should a company spend to be PCI compliant if that compliance doesn’t go far enough to actually mitigate the associated risks? I was just reading a story about how Intel turned things around in the 1980s because their two most senior executives (Andy Grove and Gordon Moore) got together, stepped outside of their roles and imagined what someone new, with a fresh perspective, would do with their company to address increasing competition and decreasing market share. Forcing themselves to obtain that perspective led the way to a change in direction that would transform not only Intel’s fortunes but drive an entire industry into the future. So why can’t we do something similar for our financial institutions?

The short answer is that we can, but it would require an act of bipartisan politics typically only observed during a true crisis such as acts of war and natural disasters. Of course it wouldn’t be too hard to make the argument that our banking crisis is a disaster, man-made or otherwise, but somehow when one party can blame the other there’s little chance of forging a common peace even if it benefits the citizens.

I’ll likely lose this perspective as the week moves ahead and get back to less of the “Big Picture” thinking and more of the nuts and bolts focus typically required of me, but still, I’m hoping someone, somewhere is reading this and thinking I’m right.


Jul 17 2009   1:58PM GMT

Does compliance equate to secure?



Posted by: David Schneier
Regulatory Compliance, SOX, PCI, GLBA, FFIEC, Audit, compliance, regulations, Security, cyber security

Despite earning a living in the space, I often question the value of regulatory compliance.

How is it that a business can be PCI-compliant but still have glaring vulnerabilities?  How is it that despite layer upon layer of controls it’s still entirely possible for an executive to fudge numbers in a spreadsheet and alter a company’s financial reports?  How is it possible that a financial institution undergoes an annual exam and, despite not adhering to the most basic tenets of FFIEC guidance, still receives a favorable report?  And how is it that there’s a regulation that made an entire industry jump all at once but has never actually been enforced (can I see a show of HIPAA hands)?

And don’t think these statements are pure hyperbole; these all come directly from the field and from engagements I’ve been on in the last few years.

Why, you may ask, am I feeling a bit down on the regs this week?  A couple of three reasons:

It started on Monday when I was catching up on my industry reading.  There was an article about data leak prevention (DLP) software and how sales have been heating up lately.  Of the reasons given by survey respondents as to why they were considering purchasing a DLP solution, the top two pretty much pointed the finger at either industry or regulatory demands.  The third reason was to avoid damage to the company brand/reputation, the fourth was to avoid lawsuits and finally, all the way down at number five on the list of reasons: to prevent the theft of proprietary information.  That’s just Depressing (note the capital “D”).  I thought it was embarrassing that the vast majority of survey respondents were looking to prevent data theft not because it was the right thing to do or to protect customers’ or employees’ sensitive data, but rather because they’re being made to do so.  And so maybe you can make the case that regardless of the reason, at least companies are being forced to do something about protecting their information.  Sadly, that’s exactly my problem.  When it comes to doing things for the sake of compliance, most companies only take things as far as they need to in order to achieve/maintain compliance.  The people on the front lines sort of lack enthusiasm for doing these things and figure their job ends once the auditors and examiners are happy.

My week of regulatory woe continued on Tuesday when, while reviewing key activities aligned against one of the aforementioned frameworks, I identified what was a potentially significant gap not in how the client was conducting their work, but rather in what the regulation specifically required.  In other words, despite my client being completely compliant with this stringent, well-respected framework, there was still the very real possibility that a vulnerability could exist.  I dug a bit deeper, made some phone calls to associates whom I often consider to be way smarter than I, and the result was that I was right: the gap existed.  One of my associates pointed out that in a well-run shop with a hardened infrastructure you would expect the situation I identified to be managed properly, but the reality is that unless they have to, few managers have the ability to go beyond what’s required (either by the business or by regulations).  I suppose if ever a day comes when an IT department has finally cleared out its project queue and has money left in the budget they may very well get around to it, but I’m not volunteering to hold my breath.

And finally, my week is closing with news that a former client of mine is on its financial ropes and very likely about to declare bankruptcy.  Really, in the end it’s just a sign of the times and the sad state of our economy.  They appeared to be making the necessary adjustments over the past few years by trimming back staff and scaling back on non-critical projects, but they’re a half-inch to the left of the epicenter of this whole financial mess and in the end I guess there was no way to avoid the inevitable.  But still, I think of all the money they’ve spent on compliance-based initiatives since SOX first hit the scene and I can’t help but wonder if all of that spend could’ve been put to better use.  In the end, despite all of the great work that was done, they still weren’t going to be able to prevent someone from massaging the numbers in a spreadsheet (a personal pet peeve of mine).  Thinking about the number of people they’d brought in to size up and conduct the work to bring their controls up to the necessary levels, and the fees they’ve paid to their external auditors to conduct the SOX audits, is just plain depressing.  Maybe if they’d used that money to fund a project to offer a new product line or enhance an existing one, they’d have found additional streams of revenue that could’ve helped them through this mess.

I suppose it comes down to this: anything worth doing is worth doing right.  But in the regulatory space that’s not the general rule, and I’m thinking that until the oversight bodies figure out a way to provide the proper incentives, the work will always be lacking if not deficient.  Until being compliant also means being secure, the job isn’t truly getting done.

Along those lines check back next week; I have an idea I’d like to share with you about how to make things better for all of us in the regulatory domain and turn things around.


Jul 8 2009   3:45PM GMT

How’s about a federally mandated Information Security Assessment?



Posted by: David Schneier
Regulatory Compliance, SOX, GLBA, NERC, Audit, compliance, FERC cyber security, cyber security

I had a eureka moment recently that I’d like to share.

In considering the implications of the recently announced changes by MasterCard that will now require PCI Level 2 merchants to be assessed by a Qualified Security Assessor (QSA), it occurred to me that they may be onto something. Why would the credit card industry restrict who needs to be assessed based on size? Why not simply require any business entity that issues, accepts or processes credit cards to be regularly assessed against the PCI standard by a properly trained practitioner? The size factor could come into play based on the frequency of these assessments, but in general everyone would need to have one conducted.

That wasn’t the eureka moment.

It wasn’t until a day or two later, while reading about newly emerging state data privacy laws, that the clouds parted and the sun shone through. With the MasterCard news kicking around in the back of my mind, I started thinking about how these state-based laws were going to come into play, and when I tried to tie all of this back to the Obama administration’s cybersecurity plan, it happened.

What if all business entities that issue, accept or process personal information, regardless of their vertical, were required to have an information security assessment conducted (think GLBA meets NERC CIP meets PCI) by a Certified Information Security Auditor? Think about it: ISACA could be broken up, with the subset that oversees the CISA process becoming federally chartered to both manage the framework and issue the certification (think PCI on steroids). The framework would include portions that are of the one-size-fits-all variety and others that are specific to an industry, and it would be scalable based on the size of an entity. The CISA practitioners would all be trained on the framework and how to apply it properly, and would need to attend agency-sponsored seminars at least annually.

Rather than having multiple frameworks to wrestle with, business entities would be able to distill information security regulations down to a single, stronger one (and reduce all the redundant activities that so many of my clients are forced to struggle with). It would bump the IT general controls audit up a level to encompass more than just bits and bytes, and allow the entity to tie together related activities that are assessed in a single pass. And the icing on the cake is that the resulting report could also be used in place of a SAS 70 (and finally provide a modicum of consistency to the SAS 70 process as well).

But the best part of my idea is that the business entity could staff up with its own certified assessors who would not only conduct the required work, but also serve as internal advisors year-round. They’d still need to be properly certified and maintain that certification, but there would be no need to constantly pay premium prices for external firms and/or resources.

Maybe the idea was inspired by the fact that I’m just a little burned out from working on multiple compliance initiatives, or maybe it stems from my concern that true IT governance is a generation away. However, after my eureka moment and after sharing the idea with a few associates of mine, I’m still liking it.

Does anyone have a direct line to the White House I can use?