Regulatory Reality

November 18, 2011  12:22 PM

Why vendor management is a big GLBA deal.

David Schneier David Schneier Profile: David Schneier

I don’t think I’m due to post about vendor management again at least until January 2012 (I try to limit topics to twice a year) but I’ve had something kicking around my head for a few days now and it needs a proper vetting.

Does anyone know why vendor management is such a big issue for banking regulators?  I mean, I’ve long advocated that most of what GLBA covers makes sense and should be part of a healthy business strategy anyway.  But when working with clients I’m often surprised to discover that they just see it as another something they have to do and don’t fully appreciate why that is.  So does anyone know?

One of the basic tenets of GLBA, perhaps the MOST basic goal is to protect customers sensitive data.  Sure you can make the argument that it has hooks into disaster recovery and business continuity planning, both also covered by regulatory requirements.  And you can also claim it has to do with service level agreements and gauging the vendors performance.  But really in the end the primary driver behind why your regulator wants you to do a better job of managing your vendors is to make sure they’re protecting your customers where applicable.  Think about it, it’s so simple it’s almost too simple.

Which is why I’m always amazed how so many institutions fail to not only figure out what they need to do but also never really seem to get where they need to be.  It so often becomes about the document collecting game; do they have a SAS 70?  Do they have an Information Security Program?  Who cares?  That’s not what vendor management is intended to address.  What you’re really supposed to do is step back and assess the nature of the relationship, the types of products and/or services the vendor provides and try and identify where threats to your customers sensitive information may exist.  Vendor management is seldom a thinking exercise but rather an attempt to standardize on what artifacts are required in order to prove compliance with the program.  It blows me away how this important activity gets boiled down to something little better than a baseball card collection.

I offer for example my favorite blind spot in every vendor management program I’ve ever conducted a first ti me review of.  Where’s the information for the vendor who cleans the facilities? It’s almost always contracted out and the vendor who owns the contract is responsible for staffing the work.  Where’s proof that they properly screen the people they’re sending into your allegedly secure facilities to make sure they’re not convicted felons?  Where’s proof that they properly police their crews to make sure they’re not behaving in a reckless manner and perhaps letting their friends and family into your secured facilities to drop off dinner or stop by and say “hello”?  When I challenge the clients on this relationship they look at me like I’m nuts.  Almost all of them fail to even include that particular vendor (and those who do tend to include every single vendor they’ve ever done any business with – another big issue).  But all you’ll ever need to do in order to see why this is a potentially huge threat is to walk around the office after hours and see what’s been left out on desks, in printer and fax queues and examine what sort of documentation has been tossed in with the regular trash.

And because vendor management is never truly approached from the right angle it fails to address the very spirit of the exercise and why the three senators who authored GLBA wanted you to pay more attention to it.  But it really reveals a fundamentally bigger issue with most of the compliance domain – no one really approaches most of the work with a true risk oriented perspective.  Compliance isn’t simply about creating checklists and ticking off all the to-do’s – it’s about really trying to identify relevant risks and make sure your institution has controls in place to manage them properly.  And I know for those of you who read my blog with any regularity you’re thinking I’ve written about this before.   That’s true, I bring this up every chance I get because it’s still a huge issue and those of us who have any practitioners attention need to constantly bang on this particular drum.

This is one of the reasons why whenever I’m given a chance to discuss how any of my clients approaches vendor management I try never to tell them what they need to do but rather try and instead have a conversation about what they think they should be doing.  The back-and-forth often helps them expand on their thinking and come up with better, more effective ways in which they can properly categorize and assess their business relationships.

Oh and as for my “Who cares” comment about collecting documentation, there’s a place for that to be sure.  But when you tell your examiner or auditor that you’re OK because the vendor provided a recent SAS 70 and can’t really discuss any of the details you’ve fallen way short of what you needed to do.  Waving documentation in my face never convinces me you’ve done your job and it absolutely never proves that your customers sensitive information is protected.  Remember, SAS 70’s (and now SSAE 16) are subjective and what each one covers can vary wildly from one to another.  And it absolutely does not prove that they’ve successfully addressed all the items in your checklist either.  One of my favorite cut-through-the-weeds tricks is to pick a single checklist item and ask the person waving the report to show me where that’s addressed in the report.  I’ve met a few who could do it and prove to me they’ve actually read the thing but most just start flipping through pages like a poorly prepared student during an open book exam.

Why is this so hard for so many to do a reasonable job on?

November 11, 2011  7:41 PM

Vishing, Smishing and Phishing: No end in sight.

David Schneier David Schneier Profile: David Schneier

This is something akin to my annual public service announcement (PSA) for anyone who has cash-on-hand, a bank account, an investment account or perhaps even a piggy bank:  As long as you have money there’s someone out there right now scheming to try and take it away from you.

I’m having that kind of month right now where I’ve been learned of one scheme after another to separate people I know personally from their hard earned money.  And much to my chagrin, the schemers are enjoying some measure of success.

Last week I was regaled by a tale of how a senior citizen was stopped on her way to the bank to have a cashiers check drawn for $500.  She needed it because someone contacted her with an offer that was impossible to ignore or turn down.  If she paid for the modest bank fees for a large international wire transfer she could keep a small percentage as a “thank you” gift, a mere $2M (yeah, that’s two million).  The people who contacted her did so because she was recommended as a trusting resource who would be flexible and work with them.  And so the combination of the compliment and the chance to net a nifty seven-figure profit for a simple enough favor was just good enough to make her want to do it.  Fortunately she ran into a friend who happened to ask her where she was off to and when she answered honestly was more or less forcibly snapped back to reality.

Now to be honest with you I was stunned to learn that this scam ever works.  I’ve long advocated to friends and family that they should respond to electronic offers exactly the same way as if though they received it in the mail.  But while we throw out junk mail automatically we’ll read sometimes very cleverly worded emails because they look authentic.  But if you filter all electronic email through the same logic that has taught us to toss mass marketing materials you can cut out much of the clutter.  But what if that email finds someone who is perhaps a little lonely or a little desperate?  What if that email finds someone who is willing to roll the dice that just once what appears to be a scam might be the real thing?  I wouldn’t have thought it possible until last week but sometimes it works.  And when you think about it just a little bit more it’s the perfect scam.  Once a senior citizen falls prey to the trap and comes to realize they’ve been had many will keep it to themselves both because they’re embarrassed and as I’ve come to learn more recently, out of fear that they’ll be labeled as losing their facilities.  And while not all seniors are wealthy a sizable enough percentage have access to $500 easily enough.

Then this week a story was shared with me about how someones identify was stolen but with a twist.  They didn’t try and completely take over the identity but rather borrow it.  The man-in-the-middle attack worked as such: Person A routinely communicates with Person B via email and instant messenger because they’re on opposite sides of the world with a language barrier and about twelve hours separating them.  The electronic communications reduces the impact of the language barriers and allows them to keep in touch outside of the boundaries of a shared work day.  This has proven successful for both Person A and Person B for several years.  Recently Person B asked for special handling of a payment that while unusual within the designs of their business relationship was not otherwise out of the ordinary when dealing with others in the same country – Person A agreed to the request.  After several back-and-forth communications to arrange for the payment which spanned several days Person A sent an email asking Person B to confirm that they finally received the payment.  Person B responded by asking “what payment?”.

Someone had hacked into Person B’s account and was intercepting emails and instant messages and assuming that identity.  They still allowed most communications to pass through but successfully filtered out anything having to do with the payment from Person A.  So Person B had no idea there was something amiss and Person A saw very little outside of  normal communications.  But apparently that one time the hacker must have been off their game and not paying attention and so the two legitimate parties were made aware of the situation.  A long painful phone call ensued and some amateur detective work confirmed their suspicions.  And so a new version of phishing comes into play, one in which the scam is not so apparent or easy to detect.

That’s the thing, while there may be rules to how the scams are being run today those rules are ever changing.  You can’t simply look for one telltale sign that something is amiss because once a trend emerges the hackers change things up.  And while financial institutions and a multitude of agencies are always trying to educate the masses about the perils lurking about it seldom penetrates into peoples way of thinking.  The popular adage about suckers has never been truer only now there are two to the power of X ready to take them.  There are increasing measures available to counter attack some of these scams (e.g. Red Flags – Identity Theft) but by and large they go undetected or unreported.

So here’s the sum total of my PSA: If it seems too good to be true it is.  And if any financial dealing is presented where something is out of the ordinary apply the old audit mantra – trust but verify.

October 26, 2011  8:36 PM

Who examines the examiners?

David Schneier David Schneier Profile: David Schneier

I remember conducting a risk assessment a few years back for a credit union in which they were missing just about every artifact necessary to prove compliance with NCUA Part 748 (if you’re not already aware, thats GLBA for credit unions).  It was, for lack of a better term, a complete disaster.  Halfway through the fieldwork armed with the knowledge that they had an exam kicking off the following week I switched from risk assessment to disaster planning.  I explained to the newly minted CIO (who had never participated in an exam before) that the best strategy at that point was to focus on a remediation plan.  Detail the work that needs to be done, build out a schedule for when that work will occur and rather than try and cover up the all too obvious lack of programs and procedures throw yourself on the mercy of the examiner(s) and be honest.   I figured it was a new guy trying to do all the right things and as long as he displayed an awareness of what complying required and had a plan to get there he’d be given a narrow window of opportunity to fix the problem.

A week went by and I didn’t hear from the client about how the exam was progressing.  Another week went by and despite pinging the CIO a few times I still didn’t hear back from him.  Nearly two weeks after the exam should have concluded I finally received an email from the client and all he had to share was that the examiners hardly asked for any of the things that were missing and only dinged him on a few minor points.  OK, so it’s entirely possible that I overstated how bad things were there and the examiner simply didn’t share my opinion.  That is until I took a big mental step back and thought about it.  They didn’t have a vendor management program (or anything even close to one), they didn’t have a business continuity or disaster recovery plan, they hadn’t done a vulnerability assessment or pen test in more than two years and their firewall allowed me to establish a remote desktop connection on my guest machine while plugged into their network.  How is it possible that anyone with the slightest bit of audit/compliance experience did even the tiniest amount of real fieldwork during the exam?  Sadly it wasn’t an isolated situation.

I’m routinely amazed by how often I encounter financial institutions that have real and significant issues sitting right out in the open and somehow their examiners don’t notice.  And every time it happens I’m left wondering who examines the examiners?

One of the reasons our practice first committed to developing our vendor management software was because of how many of our existing clients were badly in need of a solution.  We almost always found that either they didn’t have something already in place or it was at best partially baked (a spreadsheet does not a vendor management program make).  We reasoned that if we could offer something that was user-friendly and focused on what the regulations required we’d have an anxious and ready market to sell to.  Fast forward three years and while we’ve had a healthy measure of success the number of institutions still needing help with vendor management remains shockingly high.  Why is that?  Because no one is going to spend money on a solution or commit resources to working on something their examiners never seem to care about.  And why is it that examiners don’t seem to care about it?  It’s either because they don’t look for it or they don’t know exactly what to look for.

So here’s my head scratching moment: How can anyone ever pass an IT exam without having a truly viable vendor management program?  How can someone pass an IT exam without a business continuity plan?  How can someone pass an IT exam without providing evidence that their network is secure?

Two years ago we anticipated a spike in services work when the Red Flags regulation from the FTC was due to go into effect – we’re still waiting.  Most of our clients have something in place to show when asked about Red Flags but when pressed to provide evidence of its effectiveness they have little to share.  This was not some obscure requirement that’s been around forever or is ancient or poorly designed or explained – this had awesome marketing material to accompany its launch so that everyone who had to comply clearly knew how to do so.  Everyone was talking about it in the months leading up to the effective date and everyone made sure they were working on some sort of program.  And still there’s little to show for their efforts.  Isn’t anyone paying attention to this fact?

What makes all of this extra frustrating is that there are safeguards in place where exams are audited.  But there are limitations to how much can be covered and if what I suspect is true, they’re not so much focusing on artifacts that are missing but rather on making sure that conclusions formed based on available evidence are solid.  So if the examiner doesn’t collect a current BCP and doesn’t write it up anywhere that it was missing or inadequate no amount of double or triple checking will identify a gap.   And to compound my frustration the blind spots are generally regional in nature.  Some of our clients get hammered on everything and others are barely pressed to provide evidence.  When we take a step back to see if a pattern emerges it does and it’s almost always defined by geography.  How does any of this make sense if all of the examiners are trained using the same methodology?

I don’t think I’m expecting too much from the process.  I’d like to know that if my banks main data center is hit by a meteor they have a plan in place to ensure that I can still access my money and pay my bills.  I’d like to know that my social security number is not being shared with a vendor who subcontracts out their work to a rogue group comprised of known felons.  I’d like to know that the tellers in my local branch aren’t able to cut and paste my account information from their teller software into a Yahoo email on their workstation and send it to an accomplice.  Or in other words, I’d like to know that my bank is compliant with GLBA.  Is that too much to ask?  I don’t think so, I really don’t.

October 13, 2011  10:42 PM

Does everyone value their privacy or is it just me?

David Schneier David Schneier Profile: David Schneier

I just came to find out that I’m old.  It was somewhat sudden and sort of unexpected as I’m not quite half way to one hundred and have fooled myself into thinking that old doesn’t roll in until somewhere beyond sixty.  But apparently one persons middle-aged is another persons old.  Let me explain…

I read an article in which Reid Hoffman, LinkedIn’s founder was quoted this past summer as saying that privacy was for old people.   To be at least a little fair he was making a point about transparency of data and how it’s shared is an important component of social networks.  Young people are more interested in enhancing the experience and less concerned about revealing too much information in exchange for making that happen.  But really, isn’t it both a bit self-serving and irresponsible for someone atop the world’s largest professional social network to be thinking along those lines?

First of all it sort of makes him seem like a visionary rather than irresponsible for allowing LinkedIn to take certain liberties with regards to protecting my personally identifiable information (PII) in exchange for furthering the platform – he’s not irresponsible, he’s forward thinking.  Second he marginalizes the concerns of experienced people by making such a statement as if to say “you’re too old to understand that it’s more important to be out there too much rather than not enough” – it conveys a message that I’m not cautious, I’m slow to adapt and that’s primarily because I’m not young.  Third it makes it so much easier and cheaper for LinkedIn to continue building out their platform if security isn’t their top priority – wouldn’t we rather have them introduce cool new features rather than enhance their controls?

Well Mr. Hoffman here’s what I have to say about all of this.  What you call old, I call experienced.  I’m not concerned about my privacy because I have a dated way of thinking, I’m concerned because I know too much about identity theft and the damage it can cause.  I know that sites such as LinkedIn and Facebook have made it sooo much easier for the criminal element to develop profiles on people and figure out how to crack passwords, hijack email accounts and obtain information that allows them to assume someone’s identity.   I know that features such as TripIt and Foursquare allows criminals to figure out when people are going to be away from home and plan break-ins accordingly.  I know that it’s much easier to obtain inside information by trending activities on LinkedIn (e.g. I always know when someone works for a company facing downsizing or layoffs based on the type of profile updates they’re making).

And you’re right that privacy is for old people.  So are life insurance, money management and parenting.  We’ve worked long and hard to get what we have and we understand the value of losing it.  Anyone much under the age of twenty-five likely hasn’t a clue as to why privacy is such a big deal because their exposure is so much less.  If someone stole my identify when I first started my career they would have had access to a few hundred dollars, maybe one or two credit cards with ridiculously low limits and have discovered that my house was sparsely furnished with hardly anything worth stealing.   I could have repaired most of the damage from a stolen identity within a couple of paychecks.  At that point I would have totally thrown caution to the wind and have leveraged the full offerings of today’s social networks in order to market myself both professionally and socially.  At this point I simply want to protect myself from unnecessary risks and exposures.

Last night I watched a story on the news about how insurance companies are using Facebook as a way to investigate disability fraud as well as profile policyholders who engage in high-risk activities in order to decide who’s too risky to insure.  Do you think those people think their privacy is an issue for the old?  And doesn’t LinkedIn process credit cards for its paying customers?  Is PCI for old people too (now that would be a newsworthy quote)?

I’m sure at some point Reid Hoffman has backtracked on his statement in some measure because whether you hear it in or out of context it still sounds awful.  And I can only imagine that officially LinkedIn will point out that he’s no longer running the company (officially anyway).  And I also realize that his statement didn’t convey in any way that LinkedIn didn’t value privacy just like I know from firsthand experience that LinkedIn as designed allows me to throttle what I share with the rest of the community in a way that I’m comfortable with.  But still, comments like that make my blood run a little cold and make me jump online right away to make sure that I’ve kept my information sharing to a minimum.  Because in the end while “I’m older and I have more insurance” I don’t want to have to use it.

October 3, 2011  10:39 PM

Dodd-Frank Section 165(d) : Is this really what was needed?

David Schneier David Schneier Profile: David Schneier

Ever since Dodd-Frank legislation first started rolling down the turnpike towards the banking industry I’ve been reading and listening to all manner of rhetoric about how none of it’s going to solve any problems, that it’s going to impede the business of banking and force money to be deposited and invested outside of the borders of the U.S.A.  And to be fair, most of what has been enacted seems more to be a nuisance rather than a solution.

So with the ratifying of the most recent bit of the legislation by the FDIC last month I’m all the more curious to see how the industry reacts.  For those of you who don’t know what it is I’m referring to it’s Section 165(d) – the new law that requires banks with non-banking assets in excess of $50B to draft a plan that would in effect put its sponsoring institution out of business in a neat and orderly fashion.  Or rather, as I’ve come to think of it, it’s a Business Continuity Plan of a whole ‘nother color (or perhaps it’s simply a Business Discontinuity Plan – BDP).

Think about what this law requires.  Banks that are in-scope for this now have to draft a plan that would allow regulators to step in and break off the various spokes of the wheel and either sell things off or shut them down in a way that is as minimally disruptive to the financial system as is possible.  What I don’t understand about this is how would that even be possible?

You’d have to make an awful lot of assumptions to even draft such a plan.  In 2007 when the banks started spiraling out of control you would have thought the very first thing to do was to divest themselves of the root cause of the problem, their consumer loan portfolio and primarily their mortgage business.  But who was buying that pile of rotting paper for anything other than pretend money (how’d Countrywide make out playing that market)?  So documenting in a plan that you’d sell off your various units assumes that there’s a market looking to buy them and you can’t really count on that, can you?  The truth of the matter is all you can really lay down on paper is a very high-level approach that specifies how each segment of the business needs to be evaluated to determine what if any value it possesses and than shop it to the market and see if there’s a buyer.   But how is that any different then how a business is dissolved in bankruptcy?  And we already have all sorts of laws on the books to guide that process.

How do you even test such a plan?  In order for this legislation to deliver on its promise the regulators would need to know that the plan would work somewhere close to as it’s designed to if ever it was needed.  How can you possibly step through it and know for sure?  Wouldn’t the various markets need to participate as well and how reliable would that be?  Wouldn’t everyone need to pretend that it was real?  Say Citi, would you be willing to buy BoA’s commercial loan portfolio and if so, how much would you be willing to pay for it?  If I’m Citi I’m thinking make the pretend offer high because it’s not binding and if a once in a lifetime disaster occurs again we can totally low-ball on the real offer if it ever comes to that.  So how reliable is that test?

But here’s the thing that keeps tap-tap-tapping away at the back of my mind – those who have to comply are the same institutions who can’t successfully design, implement and support a viable business continuity plan and that’s something they’ve had years to perfect and still haven’t even come close to doing.  And they’ve actually had disruptions where they needed to rely on these plans and still haven’t quite gotten them done right.  If they can’t successfully design a viable BCP when that’s something they’ve often enough desperately needed how are they supposed to design a viable plan to dissolve their business relying entirely on speculation and imagination?  Seriously, was the lack of such a plan one of the the primary reasons that the banking behemoths weren’t allowed to fail or was it simply our leadership being fearful that if a Citi or Chase went belly-up the economy might never recover?

Lewis Black loves to poke fun at the whole banking mess and about how banks were instructed by Capital Hill shortly after things got ugly to make sure that before making a loan they needed to be certain the person has the financial wherewithal to repay it.  He suggested that the next piece of direction should have been to remind the banking leaders to breath occasionally because it was about as simplistic and obvious.  Well perhaps the lawmakers should have kept things simple here as well.  Rather than require a BDP, let the FDIC oversee things as they have for many, many years and shepherd a failing institution through the various stages of liquidation finding suitable buyers for the pieces that are worth selling off or that need to be absorbed.  Sure the bigger institutions would present some issues and complexities that would require a certain degree of creative thinking but isn’t that better than trying to rely on a plan that was conceived of pure speculation and whimsy?

The real problem wasn’t that any of the monster banks couldn’t fail, it was that they weren’t allowed to.  Even if any of them had something drafted that specified how they should be dismantled the government wouldn’t have let it happen.  Much like a financial institution tends to look at their BCP well after the disruption occurred (happens all the time) I suspect a BDP would serve in much the same capacity.  And if I was an examiner and was going to hold the feet of one of my institutions to the fire for something I’d rather they focus on having an actual, honest-to-goodness BCP that would help them navigate the next hurricane, earthquake, blizzard, blackout, etcetera rather than preparing for something that may never happen again.

September 14, 2011  6:27 AM

A new twist on regulatory guidance.

David Schneier David Schneier Profile: David Schneier

One of the oddity’s of my career is how some issues present themselves in a wide range of my clients despite the fact that there’s often no meaningful way to compare them in size.  Some have a single compliance person who is part Compliance Officer and part Information Security Officer and some have true CISO’s, Chief Compliance Officers and even Chief Risk Officers who themselves have teams of resources reporting into them.  And so you’d think that many of the challenges that confront them would look about as different.  Sometimes they do but many times (and more than you’d likely believe) they’re all staring down the same exact problems.

Most of what I do falls under GLBA-defined requirements and what that really means is that any institution I work with has identical goals.  The designs of the related programs and procedures certainly can look different because everything that falls under the guidance of FFIEC is supposed to be adjusted based on the size and complexity of your institution.  But they all need to conduct risk assessments, they all need to have current, up-to-date and recently tested business continuity plans, they all need to have viable vendor management programs and so on and so on… And I have many years of experience building out and/or supporting these very activities and know quite clearly what works, what doesn’t, what presents well to the examiners and what falls well short of expectations.

Sometimes though I’m caught off guard when a client rejects my advice because they’re confidant that what they’re doing or intending to do is consistent with their examiners expectations.  I’m a fan of confidence, I sort of dabble a bit in the discipline myself and appreciate how it can be very effective when trying to sell something to the audience.  But with regards to compliance there’s really not a whole lot of wiggle room.  In fact sometimes it can be interpreted as binary – either you’re compliant or you’re not.  So when I encounter a client who hasn’t updated or tested their BCP in years (if ever) and tell them that’s going to be a problem with their regulator I recoil when their reply is the dreaded “well the examiners haven’t had anything to say about it”.   “Yet”, I typically reply, “they haven’t had anything to say about it yet.”  All because the examiners haven’t dinged you for something doesn’t mean that you’re in good shape, it often means that they simply had bigger issues to focus on and haven’t quite gotten to it.  I have a list longer than my arm regarding vendor management and the common mistakes most institutions make and how those mistakes are going to lead to trouble with the examiners.  But when I bring this to the attention of the appropriate stakeholders I’m often treated as if though I’m simply trying to sell them my services and not giving them solid advice.  It can be very frustrating particularly because our practice was built on giving out solid and oft times free advice.  We’re willing to make the trade-off between generating revenue and doing right by our clients.  However you can lead a horse to water, but, well y’know.

I have an idea, maybe a great idea that might help solve the problem.  What if the examiners created a list of findings and issues culled directly from their reports and compiled them in a repository?  They could make the verbiage appropriately anonymous to avoid any privacy issues but share with the public what it is they’re finding out in the field.  The findings can be sortable based on the related requirement and or size/complexity of the institution so that any institution that shares the regulator can figure out where they may have issues.  Remember, the purpose of compliance and the regulators charged with ensuring that it’s being addressed satisfactorily is to protect us, the customer.  So it’s a very good thing to use all available resources to make sure that everything that can be done to make that happen is being done.  If your bank or credit union is able to access such a repository and use that information to identify where they’re weak or deficient doesn’t that help protect all of our sensitive information?  And it also removes the thin veil of ignorance associated with the logic that all because your examiner hasn’t documented any issues with a particular activity that must mean that you’re doing things right.  And when a client tells me that they don’t need to conduct a periodic review of all high risk vendors I can show them where that’s recently been an issue in a report.  Or when they tell me that testing their DR plan satisfies the need to test the BCP it’s part of I can show them how that logic failed to hold up under recent scrutiny.

Really in the end this isn’t so different than what happens now.  All of us practitioners gather information from the field regarding what the examiners are focusing on and use that information to update our own guidance and advice.  For example, when we recently heard that examiners are looking for greater scrutiny to be placed on SLA tracking as part of the vendor management program we made sure to include that advice in any of our audit and assessment reports.  But why should the industry need to rely on an informal approach?  Why not make it formal, take ownership and put the right information in the right hands to affect the desired results?

Is this idea a bit self-serving?  Sure, at least a little.  But really in the end if it helps get the right things done and in place who really cares?  If I can prove to a client that a Red Flags program that’s recorded only a handful of incidents during the previous twelve months is likely ineffective and be able to get them to do something about it everybody wins.  And can something like the proposed repository actually happen?  Maybe.  I’m sure the lawyers would weigh in with all kinds of issues.   But it’s difficult to argue against the merits of such an offering and in this age of greater accountability this would potentially be well received.

Anyone have any better ideas?

August 28, 2011  3:17 PM

Will Hurricane Irene reveal your BCP’s strengths or weaknesses?

David Schneier David Schneier Profile: David Schneier

I’m violating my own standards by using such an easy topic to blog about but it’s too big to ignore.  With the increasing insanity being inspired by 2011’s first true hurricane I’d be remiss if I didn’t at least explore the impact this is going to have on the business community.

I just heard that Mayor Bloomberg is evacuating low-lying areas in New York City and that mass transit will more or less be cut off tomorrow (Saturday) sometime around mid-day.  New York’s Governor Cuomo also discussed the possibility of closing the bridges as well if weather conditions become so severe that using them might be dangerous.  Upon hearing this my first thought was “how the heck are key stakeholders going to get to their disaster sites if they’re called in?”  The obvious answer is that many companies will likely require that the important people go to their DR sites tonight so that they’re already there “just in case”.  How wonderful for these people to have to leave their families in the midst of a potentially epic natural disaster.  I can’t help but wonder how many are willing to comply and how many are going to insist that they can’t make it.  Did any BCP/DR test ever take into consideration the possibility that key stakeholders would simply refuse to show up?

And with the enormous range of Hurricane Irene is it at all possible that certain recovery sites might not be able to provide the proper services, resources and support to meet such a potentially large demand?  I know that they all claim that they’ve factored that in to their models and are able to provide sufficient capacity.  But until they know for sure how do they really know for sure?  Who among us has yet to witness any BCP/DR plan that didn’t start experiencing hiccups and delays during testing?

One element of a BCP that I’m also now wondering about is the day-after scenario.  I’ve reviewed dozens of plans during my career and upon reflection cannot recall any that placed significant attention on what happens after the official disruption is at an end.  I’m looking at pictures of severe flooding from Irene from those places already affected and have to wonder how many business are going to be able to open on Monday despite the fact that the roads are clear and the skies sunny and blue.  In thinking about some of the more common disruptions over the years (e.g. heavy snow, ice, etc.) it was somewhat obvious that once the roads were passable it was safe to head back to the office.  But that may not be the case this time around.  How many plans are designed to accommodate that?  Is someone from facilities charged with the responsibility of conducting a site inspection on Sunday night to see if their buildings are ready to open the next day?

Admittedly I’m picking on the entire concept of a business continuity plan but you can’t blame me, Hurricane Irene is only one reason.  Middle of last week I was in the Northeast and experienced my very first earthquake event.  Now I realize that anyone from California or Japan would chuckle at that statement because what I personally experienced was little more than an overloaded truck driving past me on a pothole-ridden street to those who deal with the phenomenon regularly.  But still, for me it was a big deal.  In the aftermath I asked around to see what happened in other places where the tremors were felt to see if anyone was formally evacuated from their building – no one was.  I expected in the days following to read about how companies had dedicated time and resources to inspect their structures to ensure that everything was as it should be and that there were no signs of damage from the unexpected movements – again, almost nothing to be found.  Well for all those BCP’s that I’ve reviewed where the likely threats were documented and addressed as part of their plan, how many think that maybe they should update their documentation to cover earthquakes?  They can no longer justify leaving it out because it’s not a likely threat, it just happened.  And now that they know it happened once they need to accept that it not only could happen again but likely will. But I’m willing to bet that a year from now I won’t find a single plan that has been modified to include what should happen in the event of an earthquake.

I’m just thinking that regulators and auditors need to stop rewarding those they’re responsible for monitoring for simply having a plan in place.  At some point they’ll need to shift their focus from simply checking off that a plan exists and start digging into it a bit more.  The same degree of scrutiny that emerged in 2009 because of the “Great Swine Flu” threat and making sure that BCP’s had a thorough pandemic response component now needs to become standard fare for the overall plan.  Companies need to conduct more than tacit testing exercises and really start thinking things through.  Between companies having antiquated and irrelevant plans, to those who have partially baked plans and worse yet, those who don’t even have one in place it’s time to do something about it.

The worst time to discover that you need a viable plan and don’t have one is, well, when you actually need it.  If enduring both an epic hurricane and your first earthquake don’t inspire you to action nothing will.

August 15, 2011  8:45 PM

NCUA vs. Wall Street: Who’s going to win?

David Schneier David Schneier Profile: David Schneier

I had the good fortune to rediscover a recent favorite book while driving to a client engagement last week.  It was the audio version of Michael Lewis’s “The Big Short”.  I had first listened to it last year and thought at the time it was about as good a read (figuratively speaking) as I’ve ever enjoyed and was happy enough that the randomizing play-all option on my MP3 player offered it up again.   One of the best reasons to re-read a favorite offering is that quite often different elements jump out at you which is exactly what happened this time.

There’s a passage in the book where the author shares an important insight about how advanced industry minds couldn’t quite figure out what was actually contained within the bonds being offered related to sub-prime mortgages.   Referring to an article published in Grant’s Interest Rate Observer the books tells of an analyst with remarkably impressive credentials when it came to complex formulas and analytics who couldn’t quite figure out what the bonds actually contained.  If someone who should be reasonably able to figure out what’s what with such things couldn’t, how than did the various rating agencies?  How did the investment firms that packaged together the various loans do so in just such a way that very smart people couldn’t figure out exactly what it contained?  This is an important consideration when you step back and realize that each of these investment vehicles was purchased with a few assumptions in mind: First that a highly rated bond was properly assessed by the agency issuing the rating.  And second, that these bonds were issued in reasonably good faith and not with the intent to defraud.

So why am I semi-rehashing an important part of a New York Times best seller?

Because when catching up on my industry news later that day I stumbled across the latest press release from the NCUA regarding their attempts to sue the investment firms behind the aforementioned bonds.  Although I’d read their previous releases it didn’t exactly connect with me the way it did this time around.  Someone was actually going after the issuers of the bonds that were really the central cause of the banking crisis.  Because of the perspective afforded me via rediscovering the Michael Lewis book when combined with the NCUA press release I found myself seeing the story just a bit different.

In describing the details of the lawsuit the NCUA said that it’s “against securities firms alleging violations of federal and state securities laws and misrepresentations in the sale of hundreds of securities. Additional law suits may follow in order to recover losses from the purchase of securities that caused the failures of five, large wholesale credit unions.”

NCUA Board Chairman Debbie Matz  explained that “NCUA has a responsibility to do everything in our power to seek maximum recoveries from those involved in the issuing, underwriting and sale of the faulty securities that resulted in the failures of five of the largest wholesale credit unions.”  She concluded by explaining that “those who caused the problems in the wholesale credit unions should pay for the losses now being paid by retail credit unions.”

The press release further expanded on the logic behind the lawsuits: “The NCUA’s suits claim the sellers, issuers and underwriters of the questionable securities made numerous material misrepresentations in the offering documents. These misrepresentations caused the corporate credit unions that bought the notes to believe the risk of loss associated with the investment was minimal, when in fact the risk was substantial. The corporate credit unions invested in mortgage-backed securities that experienced dramatic, unprecedented declines in value, effectively rendering the institutions insolvent. These suits are the culmination of lengthy investigations into the circumstances surrounding the purchases of these securities.”

But what I don’t quite understand is why the lawsuit isn’t targeting the rating agencies who said the bonds were investment worthy.  Do I think the investment houses who issued the bonds knew what they were doing?   I’m about as certain of that as I can be without having been there.  But that’s nothing new in a free market economy – there are plenty of people trying to sell you something based on their valuation and not yours.  That’s why there are rating agencies.  Their job is to assess these bonds and provide an expert determination so that the market can make informed decisions and purchases.  They failed to do their job, or so it would seem to me.

It reminds me of when I bought my last house pre-collapsed bubble.  The appraiser from the mortgage company parked in front of the property, took his pictures, looked up the most recent comparable sales, asked the real estate agent what the agreed upon price was and miraculously his estimated value was equal to the purchase price.  He shared with my Realtor that with prices escalating so rapidly it was impossible to conduct a meaningful analysis and arrive at a proper value.  Really?  Why?  Why couldn’t he perform the job he was being paid to do?  And if he really couldn’t calculate a meaningful estimate because of dramatic and rapid changes in the market that’s what he should have reported.  Instead of being the last line of defense against the insanity he became a co-conspirator and allowed the problem to further escalate.

I sincerely hope that the NCUA achieves some measure of success with their lawsuits.  The one missing piece to the post-collapse puzzle for me is that I never felt that the guilty were ever truly punished.  The banks that sought to make money off the investments (and probably should have known better about what they were buying) were bailed out for the most part by the government.  Millions of homeowners who were sold mortgages that never made any sense in the first place were foreclosed upon.  And even more millions of people were left financially devastated by the major losses to their 401k’s and investment portfolios.  But the bond issuers were able to keep their profits and the rating agencies continued on their relatively merry way.  That just doesn’t seem right.

August 3, 2011  6:16 PM

Are you security unaware?

David Schneier David Schneier Profile: David Schneier

When I first started blogging professionally a colleague of mine cautioned that I should avoid posting anything where a client might recognize themselves in any story or example I might relate, good or bad.  And so in the years since I’ve gone to sometimes great length to anonymize my content to protect the names of both the innocent and the guilty.  When an old nemesis of my industry popped its ugly little head out of the ground last week and inspired this weeks post I realized that just about every client I’ve ever done fieldwork for is likely going to think that I’m writing about them – sadly they’ll all be right.

Why do organizations struggle so mightily to manage the most simple and straight-forward of all controls; their own interior physical space?  They’ll spend seemingly limitless dollars on implementing state-of-the-art security software and related devices.  They’ll build out robust vulnerability and scanning schedules to root out issues and loopholes.  They’ll implement all manner of physical security controls from key-card access locks to bio-metric devices to video monitoring cameras at every conceivable point of entry.  But walk through the interior office space and check out what’s sitting unclaimed in the output bins of the various copiers, printers and fax machines or sift through the papers scattered about in wide-open cubicle spaces and you’re likely going to find a treasure trove of sensitive information that’s there for the taking, all without the slightest chance of detection.  How is it possible that in this, the era of security enlightenment when security awareness is a recognized corporate initiative being hailed from the upper echelons of the org chart, that all anyone needs to do to steal choice non-public personal information is to simply pick up a stack of papers from any one of the many output devices spread around the office?

I hear about desk top audits where someone is designated to walk the floor and identify when someone has left sensitive information laying about but I never see evidence of it.  I read emails provided as evidence during audits that staff is constantly being reminded to secure their work space but while conducting fieldwork I still walk past wide-open offices with loan applications laying about or even the occasional pocketbook or wallet sitting right there on top of the desk.  And quite literally every client site I have ever visited has things sitting in printer and fax machine trays that should never be left out in the public space.  Does it really make a difference to prevent an online hacker from gaining access to customer data when the cleaning staff can simply stuff dozens of documents with the same information into a garbage bag and sell it to someone on the black market without any fear of detection?

And I’m not sure why this keeps happening?

Seriously, how hard is it to enforce such blatantly simple rules?  Why can’t organizations assign an individual to walk the floor before leaving each night to at least make sure things aren’t laying around?  Well over a decade ago while working on Wall Street the team I was part of had someone designated each day to conduct a desk audit of a randomly selected floor.  If someone was caught with sensitive information sitting unsecured in their work space they received a smiley face with a note reminding them to be more diligent in the future.  If they were caught a second time their manager was contacted with a slightly sterner warning.  No one was ever caught a third time in the year plus the program was in effect.  It took about fifteen minutes for the walk through and the job was rotated amongst a group of people so it wasn’t just one sheriff or one bad guy.  It was simple and effective.  Perhaps if it cost hundreds of thousands of dollars to purchase and required a six month implementation plan it might hold greater appeal.

It’s been said that an organization is only secure as its weakest link and for most that means they have a significant vulnerability.  The only way it can be addressed sufficiently is via a true and robust security awareness program.  Sadly most organizations seem content to be security unaware which is just mind boggling in 2011.

July 17, 2011  10:01 PM

Vendor management: What’s missing in this big picture?

David Schneier David Schneier Profile: David Schneier

I do a whole lot of work with vendor management, a fact which most of my regular readers are quite aware of.  And while I typically recoil when somebody else says of themselves what I’m about to say, I’m going to say it anyway; I’m really something of an expert on the discipline, particularly as it relates to financial institutions.  I designed my very first vendor management program nearly eight years ago (very manual, very spreadsheet oriented) and have progressed with it to the point where my practice now supports well over one hundred institutions who are all users of our automated VM solution.  So as you can imagine I put a lot of time and effort into thinking about how to go about identifying and assessing vendors.

Two separate but (very much) related events occurred recently regarding vendor management that sort of has me scratching my heads and so I wanted to share.

First, while conducting some research on FFIEC guidance surrounding vendor management for a client I realized that simply as a force of habit I knew which InfoBase documents to access.  There’s one that covers 3rd party service providers and another that’s specific to outsourced relationships.  Together they combine to provide solid content on the details related to vendor management.  But here’s what I noticed for the first time ever; nowhere on the FFIEC site or in its documentation is anything ever directly referred to as vendor management.  Examiners are constantly hammering away at our clients for more and more information regarding their vendor relationships, comments are routinely found on reports addressing the same.  And yet nowhere in their core guidance documentation is anything specifically referenced as vendor management?  Why is that?

Second, back in May our practice participated in a bankers conference in New York and presented on the subject of vendor management.  When the audience was asked “Who’s happy with the guidance you get from your examiners, raise your hand?” nobody raised a hand… nobody.  Now to be fair, we didn’t ask how many in the audience ever thought to even ask their examiner for direction which is an other issue altogether.  But out of roughly fifty people in attendance no one, not a single soul felt that their examiner was helping them figure out vendor management.

So what exactly is a financial institution to do?  You’re not getting specific direction from the examiners themselves and the one source for guidance you’re encouraged to rely upon doesn’t even define it in such a way that you know for sure what to look at.  Seriously, it can be remarkably maddening when you get right to it.

And to make things all the more confusing, when you start researching vendor management on the Internet you find that the discipline mushrooms quickly into focuses on procurement, financial accounting and contract management and so you can’t even find a simple or straightforward concept to use as a guide to either build or enhance your current vendor management program.  Or at least that’s what you wind up concluding at the end of the day.   But really in the end what your examiners are going to hold you accountable for are only those things that you’re required to do.  Within the vendor management space that boils down to GLBA and what’s required in order to comply with it.  To some that might seem overly simplistic but it’s not, it’s the right answer and the correct strategy.

But here’s the kicker: Since I first started working within the banking sector and helping institutions comply with GLBA I’m amazed by how pitiful few people even know what they’re expected to do.  I think the regulation is fairly straightforward (and always have) but when our practice engages current or potential clients that’s not always the case.  And so if you don’t understand what compliance looks like how do you add another layer (in this case vendor management) and align it so that it matches up on the key points?

It sure would help though if the people who are responsible for making sure you’re doing what you’re supposed to be doing actually pointed you in the right direction.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: