Posted by: David Schneier
Audit, business continuity planning, GLBA, information security, IT General Controls, red flags, red flags identity theft, Regulatory Compliance, Vendor Management
When I sat down to write my last blog post for 2009, I was planning to write either about my predictions for 2010 or a retrospective of 2009. But that’s just so clichéd; everyone does that or tries to. And as I wrote in a recent post about the Verizon report on security threats, sometimes there’s not a whole lot that changes year-over-year, and so my bold predictions for 2010 would likely look almost exactly like those I made for 2009.
Instead what’s on my mind isn’t so much a revelation or prediction but rather an observation.
When I first started focusing on the banking vertical a few years back, I was often depressed by how many institutions did what they did because they had to and not because they saw any inherent value in the exercise. Information security policies were dust-collecting binders, business continuity plans (BCP) were a collection of basic documents that described what needed to be done but rarely provided direction on how to do it, and vendor management was typically just a spreadsheet with some key data elements. Rarely did any of these artifacts provide real value or come anywhere close to addressing the spirit of the regulations that required them to exist.
That’s definitely changing.
I’m currently working on two projects that deal directly with business continuity planning. For the first project, I’m rewriting a client’s plan, taking it from the aforementioned collection of basic documents and remodeling it into an actionable plan that will serve as a road map to steer them through various types of business disruptions (they’re not all disasters; sometimes it’s just a power outage or a burst water pipe). They knew they needed to make changes to their existing plan, and management saw the inherent value in having something that would actually drive the decision-making process when necessary and increase their chances of successfully navigating a crisis. The second project is actually an IT general controls audit in which the project sponsor has requested increased scrutiny of BCP-related activities. They wanted to make sure that their plan was well designed and properly tested and would at least meet, if not exceed, regulatory requirements. The amount of work their management team poured into the plan and its related activities was clearly reflected in the evidence I reviewed. They not only have a viable plan but have tested it from several entry points, identified potential glitches and fixed them, so that should they need to implement the plan, they have a high degree of confidence that it will work. Both of these projects underscore something significant: financial institutions are embracing the value of complying with the regulations. Having a formal BCP is not just a way to make the examiners happy; it’s the best way to successfully manage the unexpected.
And this more than subtle shift has been noted in other key regulatory areas.
Vendor management has moved from a clerical exercise into something more day-to-day, where contracts are scrutinized and performance is measured. We have an ever-growing client list on that front where they aren’t concerned about the regulators so much as making sure that they’re protecting themselves and their customers/members from unnecessary risk and exposure. We’re seeing it with Red Flags – Identity Theft and Incident Response plans, where the banks and credit unions want to leverage the “have to” and convert it into something that helps them manage risk better. Regarding Red Flags, we’ve found that most institutions have their plans up and running but haven’t implemented them properly and are using them more as a Suspicious Activity Reporting (SAR) mechanism than for their intended use. But when we bring that up in our reports, the response has been refreshingly positive: management wants to get it right. That’s what’s different from previous years.
I’ve long advocated doing it right as long as you have to do it, and now it appears that management is coming around to embracing that idea. Perhaps that’s what 2009 will reveal itself to be in the rear-view mirror: the year when our industry matured from “have to” to “want to” when addressing information security. A year when it wasn’t about having a board-approved document but rather a viable plan or program. Now, that would have to be considered a good year.
Happy New Year. May it be a good one filled with an improved economy, fewer breaches and an increase in management oversight.