Regulatory Reality

March 15, 2011  9:58 PM

Is your examiner a friend or foe?

David Schneier

I was catching up on my industry emails the other day and buried in my FDIC email folder was Financial Institution Letter FIL-13-2011, sent out on March 1st. Truthfully I usually pay close attention to their Friday afternoon blasts regarding bank closings and only skim the rest. But this one jumped right off the screen because it addresses one of the great mysteries I’ve struggled with in this industry.

Whenever I’ve been engaged by a banking client to help them resolve findings surfaced during an exam, my first question almost always is “What did the examiner suggest you do about this?” which is usually met with a blank stare. When new or modified regulations are issued and go into effect, I’m fond of recommending to my clients that they contact their examiner for guidance on how best to address it. Again, the typical response is either a strange look or they pretend I didn’t say anything at all. Why is it that financial institutions are so reluctant to engage in dialogue with their examiners?

That was the spirit of the FDIC FIL. It was titled “Reminder on FDIC Examination Findings” and it was intended to remind their member institutions to work with them when dealing with findings and establish a dialogue. It pointed out that “an open dialog with bank management is critical to ensuring the supervisory process is effective in promoting an institution’s strong financial condition and safe-and-sound operation.” It further went on to point out that “if an institution disagrees with examination findings, it should address those concerns through communication with the examiner, field office management, or the appropriate regional office staff.” Good advice, but likely words falling on deaf ears (or blind eyes).

I’ve only conducted audits in my career, as I’ve never been an examiner for any of the oversight bodies. But one thing I can tell you is that when I detail a finding in an audit report it’s always accompanied by recommendations for remediation along with suggestions on how best to approach managing the work. I would never write up anyone or something where I didn’t have a clear idea about how it should be working along with a solid approach for getting there. I can assure you that by and large the same is true for your examiners. They are not only experts on measuring and assessing procedures and controls, but because they see such a wide range of solutions during their travels, they are uniquely positioned to provide guidance on how you should be doing things.

If you disagree with a finding, you need to let your examiner know. But you will need to qualify your position and articulate it in such a way so that they can consider compensating factors that they might have missed.

A few years back I coined the following definitions: an auditor is someone who knows if your answer addresses the question, a good auditor is someone who knows if you gave the right answer to the question, and a great auditor is someone who knows if you offered your best answer to the question. I’m always amazed by how many findings I’ve encountered in my career where there were clear compensating controls in place to mitigate the associated risk that no one ever took into consideration. I’m also often amazed that, despite a client being aware that an examination finding doesn’t hold up under scrutiny, for similar reasons they make no attempt to discuss it with their examiner. It’s almost as though they’re afraid to engage them in conversation lest they find even more issues to report.

The problem I suspect is rooted in the basic fear that the examiners are looking for something to write about in their reports and so the less attention you bring upon yourself or your institution the better off you are. The reason so few institutions dispute what they consider questionable findings is that no one wants to anger the person writing the report, lest they seek revenge the next time around. Of course that’s all remarkably flawed logic.

Let me share a secret with you: my favorite audits are those where I find a cooperative staff and a management team committed to running things right. It sort of inspires me to do my best work and only present them with findings that are relevant and which will help them strengthen their infrastructure in a meaningful way; and I’m certain a vast majority of examiners for the FDIC and their oversight partners are the same exact way (in large part because I know a few of them). If you seek to forge a partnership with them you’ll find a productive relationship that winds up benefiting both sides. However, if you continue to perceive the relationship as somewhat adversarial, that’s what you’ll be burdened with.

The examination process and the people who staff the function play an important role in helping keep the industry running right. At a minimum they’re there to measure and assess their member institutions to identify issues before they grow into problems. What they’re really there to do is help you figure out how to manage things more effectively to protect depositors that fall under their jurisdiction. Fundamentally that’s what you’re supposed to be doing and so it only makes sense that you work together.

Am I advocating that “examiners are your friends, don’t be afraid?” No. I am recommending that you engage their knowledge and expertise and trust that they want to work with you. Odds are quite high that it will result in a less painful examination process and one where everyone comes out ahead. Oh, and one more thought: if they recommend you manage something a certain way, it’s almost a guaranteed pass on the exam because they’re likely to think what you did was pure genius.

March 8, 2011  4:58 PM

Does GRC scale to size?

David Schneier

We were having an internal conversation this past week about governance, risk, and compliance (GRC) and I was asked about its role in the small and mid-sized community banking space. The question, to be more specific, was did I think that GRC would work for smaller institutions whose business infrastructure wasn’t nearly as complex as the larger ones that typically are at the forefront of such initiatives.

I couldn’t spit out my “yes” answer fast enough. Not only did I think it would work for scaled down institutions, in some ways I thought its impact would be more dramatic.

GRC at its core is really just about coordinating the related disciplines so that economies of scale are realized where applicable and ensuring that all three work with and not against one another. While some of my fellow practitioners are all too happy to bury that simplified interpretation under a deluge of formulas and/or related methodologies, I prefer to keep things simple. I do so because the only way GRC works at an institution is if it receives the full support of the C-level community (tone-at-the-top is a must), and if you make the message difficult to understand, well, no one understands it.

So the question begs to be asked: why wouldn’t a CEO/CFO/COO be interested in applying a methodology that would allow their institution to address compliance in a way that encourages efficiencies and reduced effort? The answer of course is that they would be interested, likely very interested. The problem is that for the small and mid-sized banking space no one is offering or marketing GRC in any measurable way, and so business continues as usual.

As it stands right now, most conduct the related GRC work in a one-off fashion. They schedule audits to occur based on when they were last conducted and independent of a recent risk assessment. They schedule Board review and approval of the various policies at the same time each fiscal year regardless of whether the related audit and compliance activities have occurred to validate their effectiveness. As for risk assessments, those typically only occur if they’re required and almost never happen as part of an overall strategy. Then there’s almost always a mad scramble before each of the exams trying to pull everything together.

But think about how applying the principles of GRC would benefit a smaller institution. Imagine if all of the work required over the balance of a year is organized so that the activities work together and are timed so that one feeds into the next. Imagine if they kick off the compliance cycle by conducting the various risk assessments that are either required or recommended and use the output to adjust their audit plan so that they’re testing what needs to be tested. Consider how effective their efforts would be if at various points along the way they assessed these activities against what’s required to ensure that where applicable they’re tied together. How much stronger would a financial institution’s risk posture be if, when senior management and the board of directors signed off on the various elements, it conveyed more than a tacit approval of the work; what if their acceptance was more than a required step to appease the examiners and actually allowed them to make informed decisions?

GRC solves a different set of problems for scaled down institutions than those encountered in the larger ones. It requires that a true plan be developed to coordinate the related activities, something that’s often missing in smaller banks and credit unions. It allows for a review of these activities to both understand their interdependencies and identify reusable artifacts and test steps, which just about never happens because no one has time to spare to do such things. It also allows management to achieve a holistic view into these activities, thus affording them a chance to make corrections when or where necessary and before they become a bigger issue waiting to be discovered by an examiner. Perhaps the best byproduct of applying GRC – it allows your institution to avoid the all-too-common mad scramble leading up to an exam. If you can demonstrate to an examiner that a required activity isn’t scheduled to occur until later in the year, show them the plan and provide evidence that it’s being adhered to, they typically consider that a valid response. So instead of pulling the late nights and long weekends trying to update documentation or conducting assessments, you can wait to do the work when it’s scheduled to happen.

GRC doesn’t necessarily mean less work (though that’s likely) but it always results in an institution working smarter, not harder. In those GRC projects in which I’ve participated, there was clearly an improvement in the value the company derived from its audit and compliance work. Regardless of the size and complexity of an organization, that has to hold appeal to its management.

GRC is not a one-size-fits-all solution, it’s a one-size-fits-all concept. Regardless of whether you’re a single branch CU or a global bank it’s a concept that will work if only you give it a chance.

February 27, 2011  7:31 PM

Does an IT auditor need to be CISA certified?

David Schneier

It’s been a while since my last post as I’m in hunker-down mode while we prepare our next compliance software offering for release. But in the midst of my coding/testing insanity, a conversation occurred that brought up the value of certifications, and I haven’t been able to completely let go of it.

On occasion I receive phone calls from recruiters looking for resources to take on contract work. An important part of our practice is comprised of services work and so I’ll look into the opportunity; if it’s consistent with what we do and it’s a good fit for someone in our practice we’ll try and make it work. In this particular instance, the hiring client had some very specific requirements that presented as unusual. It wasn’t so much in what they were looking for from a definition perspective but rather their method of vetting the candidate. The recruiter told me right up front that any candidate needed to present proof of their certifications before being considered for the position. In more than a dozen years working in audit and compliance I can’t recall ever being asked right up front for such information and it caught me off guard.

The certification in question was the Certified Information Security Auditor (CISA) designation issued by ISACA. Generally speaking it’s the de facto standard when it comes to my professional space, but only because it’s the only one available. While there are a number of IT auditors who also have the CIA designation, it’s somewhat rare and unusual. But while it may be the standard cert for IT auditors, it’s certainly not a hard requirement and not something that all practitioners aspire to. I probably know more excellent IT auditors who don’t possess a CISA than I do those who do. I sat for the exam (and passed) back in 2005 because I was looking for a way to bookmark my audit experience; too many recruiters saw my resume and thought of me more as an IT practitioner than as an audit/compliance resource. I wanted to distinguish myself as an auditor and that seemed to be the best, most direct way to do so.

What I learned during the period of time while studying for the exam was that I already knew what was necessary to pass the test. There were a few disciplines covered during the exam that exceeded my knowledge (primarily around cryptography, encryption and key management) but I was okay with that because those were areas I would never pursue work in (we throw that stuff to our CISSPs). Midway through the exam preparation experience, I questioned the validity of the certification. I genuinely believed that my previous eight years of experience spoke more to my expertise than any certification ever could. A year or so later I came to learn that when ISACA issued new certifications they also allowed for grandfathering – you could simply pay for the certification if you could prove that you already had the experience doing that sort of work. That cemented my opinion that experience was far more significant than the cert (and it also meant that a solid number of CISAs I knew never had to pass the exam).

Within the first two years after I passed the exam I knew three people with almost no audit experience who studied for and passed the CISA exam because they believed audit and compliance work was their best way to stay employed. None of the three knew how to conduct a risk assessment, develop an audit plan, write an audit program or build work papers after taking the exam, yet all three were CISAs. With some minor modifications to their resumes they could present themselves as true audit professionals. That also cemented my opinion that the certification wasn’t as much of an indicator of ability as I once thought.

I recall a conversation with someone who was an IT audit instructor, but who at the time didn’t possess the CISA certification. His issue with the certification was that he didn’t believe multiple choice exams proved competency, because you knew one of the provided answers was correct and so you just needed to be good at taking exams and making educated guesses. I don’t know if I completely agree, but I have come to believe that the CISA certification would be that much more meaningful if the candidate had to display a basic ability in conducting the related work. Give them a set of criteria about an environment (e.g. software, networking, etc.), have them create a risk assessment to determine what should be assessed, develop an audit plan based on the identified risks and write the audit programs to test the necessary controls. A panel of reviewers could grade the material and decide if the candidate possesses the necessary competencies. At least with such an approach you would know that if you hire a CISA-certified practitioner, they have the skills to do the job. By the way, of the three aforementioned practitioners who are CISA-certified, only one could actually pass such an exam today, three-plus years after having obtained the designation.

And so in an industry where you don’t need a certification to work (unlike the medical or legal professions), I’m not sure that a similar value should be placed on possessing one.

February 10, 2011  4:07 PM

Should banks and social networking coincide?

David Schneier

A few weeks back my wife asked me, as a favor, if I could join one of Facebook’s community-based games because the more “neighbors” you have, the easier it is to succeed, and so I did. Truthfully it was a rare moment of weakness for me because I tend to avoid those sorts of things as if they were the plague. It detracts from my primary reason for being on Facebook, which is to keep in touch with my extended network of family and friends. In the two weeks since joining the game I’ve been receiving nearly a dozen requests per day from others in my Facebook network who also play the game. The net result is that my Facebook screen is filled with what can best be described as spam, and I’m not happy. There’s already so much clutter coming through on Facebook that the last thing I needed or wanted was something not directly related to why I spend time on the hugely popular site.

I’ve recently come to the conclusion that several of my Facebook choices are proving to be questionable across the board. As a baseball fan I “Liked” several Facebook pages to track my favorite team and any of their front office moves. As a movie fan I “Liked” certain movie pages; as a fan of certain shows I “Liked” their official pages; as someone who moved away from Long Island I “Liked” the regional newspaper and also the blog of the town we moved away from. I also wound up “Liking” a few charitable organizations we support, a few local businesses we frequent and one online electronics retailer, because that was the only way to enter a contest they were promoting. Lately it takes me forever to sift through all the Facebook chum to find out what’s going on in the lives and minds of real people that I actually know. It’s become something of a mess, pretty much the equivalent of having mixed my legitimate email with everything in my spam folder, sorted it in no particular order and then tried to figure out what deserves or requires my attention.

Which got me to thinking, why are financial institutions looking to leverage this remarkably unwieldy domain?

The FDIC has been talking up its role in providing guidance to member banks on how to implement and secure controls focused on social networking. Both the FDIC and NCUA have designated internal resources to firm up and promote their own social networking strategies. Several of my banking clients have entered into the Facebook fray to try and market their products and services to a variety of market segments. LinkedIn routinely displays ads from the big banks (e.g. Chase, Bank of America, etc.). And while I haven’t signed up for any related Twitter feeds, I know there are several financial institutions tweeting away. OK, does anything sound less like a respected financial institution than when you can say they’re “tweeting”?

I’m not one of those technology nay-sayers who’s always questioning why we need all of these newfangled devices. Quite to the contrary, I tend to embrace advances in both technology and its capabilities. I’m a fan of mobile and online banking. I consider email alerts from my bank an important tool in both managing and monitoring my financial life and have always felt that way, right from when they were first offered.

However, I just don’t see where I need to receive updates from the FDIC, the NCUA or my (very big) bank via Facebook, LinkedIn, MySpace or Twitter. They’re not going to be able to provide me with anything beyond what I already receive via email or can access on demand. They’re only going to leverage these platforms as a way to expand their marketing strategies, and I just don’t see how that benefits the common user. I don’t want the FDIC posting bank closing announcements on my Facebook page sandwiched between the latest Frontierville requests and pictures from a friend’s bachelor party (a very real example from yesterday’s News Feed). I’m already souring on Twitter as an effective communication tool because a few of the feeds I signed up for, and which I considered to be worth my time, inundate me with run-on, cryptic sentences that often require that I click on a link and navigate to a website. So the odds that I’ll notice a special loan rate being offered via Twitter by my personal bank in a timely fashion are slim at best. I just conducted a basic tweet-test: I went looking for the most recent tweet by one of my favorite information security sources (Security Curve’s Ed Moyle) and couldn’t easily find it. Ed sends out several such tweets each day and I’m not a heavy Twitter user, so you’d think it would be easy enough to find; it wasn’t. It’s easier to simply navigate to his website and find what I need there.

I receive about a dozen email bulletins/alerts each week from the various sources I prefer to receive industry content from. When they arrive in my inbox they’re automatically moved into a special folder I set up for such things and when I have time I scan through them and read what I like (and the headlines and subject lines are typically complete sentences that don’t require learning a new form of shorthand). Plus I can do most of this offline and on a full-blown display, not my impressive-for-what-it-is but too small Droid screen.

This rush that’s underway to move into the social network space within the banking industry is reminiscent of what lemmings go through each year when they begin their mad, senseless but instinctive rush to dive off that cliff and swim away to their all-but-certain demise because that’s the direction everyone is moving in. I suggest that someone be forced to come up with a legitimate business case for why banks, credit unions and their regulators should establish social media presences beyond “because everyone is doing it.” Besides, so many businesses block Facebook and Twitter access anyway that you have to question the logic in relying upon such forums as a legitimate communications vehicle.

Here’s the kicker though: I just checked up on those clients of mine who established Facebook presences over the past two years and guess what I found? Nothing new, literally. There are no recent posts, no recent planned events and nothing that would ever inspire me, as either a customer or member, to visit their pages. I went to their respective websites and found plenty of relevant and current content, but none of it found its way to Facebook. I don’t know for certain why that is but am willing to speculate that when the people in marketing are formulating their strategies and Facebook comes to mind, visions of Farmville, poking and embarrassing pictures with funny captions subliminally affect them.

Do I want to know about special teaser rates from my bank? Yes. Do I want it to be tweeted as “Spcl tzr r8 4 xisting cstmrs”? No. And I don’t want it to be embedded between weather commentaries from my connections in New York and daily quotes from the movie “The Princess Bride” on Facebook or MySpace. I suppose in the end I would remind the banking world that just because you can doesn’t mean you should.

January 29, 2011  1:34 AM

Regulatory compliance is not easy

David Schneier

Something happened within our practice this past week that made me recall a story from the very beginning of my audit and compliance career. Way back in 1998, when I was first transitioning from being an application developer/manager to a compliance/audit professional, my first long-term engagement was working on a Y2K project for an international company. As part of a team that assessed each of the business units (BUs) on their Y2K readiness, I quite literally circumnavigated the globe. Each BU was measured based on where their assessment and remediation efforts were relative to where the parent company expected them to be. Early in that year there were only a few BUs that were considered on schedule, and I had the good fortune to be assigned to two of them.

Each of them had all of their inventories prepared, documentation created and project teams busily working away to get everything Y2K-ready. Their project stakeholders were all forthcoming and willing to share information and made the assessment process flow smoothly. As part of the approach we used, it was common for the person conducting the assessment to meet with the Y2K project leadership and share findings before issuing the report to the local CEO and CIO. For each of these assessments I was asked point-blank what I thought in terms of their being able to successfully manage through the Y2K challenge. For one BU I shared that they were really on top of things and were in good shape to wrap everything up well before they needed to. For the other BU I cautioned that while their answers were all the right ones and they appeared to have everything in place, there was something off that I couldn’t quite explain. I cautioned that they shouldn’t be lulled into thinking the BU was in good overall shape and defer their next assessment. As a matter of fact I recommended that they keep close tabs on how the BU progressed.

It wasn’t until a few years later that I came to understand what was wrong and why I detected it. While both BUs presented well on the surface, the one I was concerned about exhibited no pain or stress from the experience. One of them not only provided all the right information but also discussed in detail how they came to gather it and struggled to leverage it. The other one simply provided the information but didn’t have much to share about how they captured it or what they were doing with it. Six months after my first assessment, the local CIO was transferred, and in his absence it was revealed that much of the work being reported as completed either wasn’t, or wasn’t done adequately to meet the overall project standards. Because the CIO was a forceful personality, his direct reports and their staff weren’t as forthcoming as they should have been and focused more on providing the “right” answers even if they weren’t completely honest ones. Fortunately, with guidance from the Y2K project team, they eventually caught up to where they should have been.

And so I learned a valuable lesson early on in conducting audits and assessments. I learned to sort out answers that sound right from the right answers. Which brings me back to this week…

A senior IT executive was asked about their overall compliance initiatives and his reply was that they had a good handle on everything, that the work was properly distributed and things were current. When this exchange was shared with me it took me back thirteen years and to the lesson I learned during Y2K. Regulatory compliance is not easy to obtain and it’s even harder to maintain. When someone throws out a statement like the one above, I can feel the professional hairs on my neck stand razor straight. My first thought was that either he didn’t really know if that was true, or, if he did believe what he said, he’s due for a rude awakening at some future point in time.

I talk to enough C-level executives each year to know that no institution that takes compliance seriously ever feels like they truly have a handle on everything. They all struggle to keep everything current, find the resources to get the necessary work done and make sure that everyone who plays a role is doing their part. And that’s true whether it’s a small credit union or a large community bank (their issues are all roughly the same, just scaled based on size). I have yet to audit or assess any financial institution that has everything current, functioning properly and organized in such a way that examiners can validate. There’s always something outdated, missing, or poorly designed; always. In the best organizations I’ve encountered there’s always something that needs fixing (e.g. business continuity and disaster recovery plans are almost always in need of TLC).

So when I hear someone offering the equivalent of the old “all is well, there’s nothing to see here” rhetoric, it makes me want to pull out our GLBA risk assessment methodology and start hammering away to dispel that myth. Or even better, I’d love to invite the executive to a round table with his peers from some of our better organized clients and have them dissect his assertion, because they always know where the bodies are buried.

On a different note, the Friday after I observed that bank closings seemed to be slowing to a trickle, the FDIC announced that four banks had failed, and followed that today by announcing that another four banks failed. So in the ten days since I made that statement there are eight fewer banks in our country. I suppose I stand corrected.

January 17, 2011  1:55 PM

Is the U.S. banking crisis over?

David Schneier

As my professional mind started winding down this evening in anticipation of the weekend, my thoughts started drifting towards yard work and time with the family. Then my Droid started chirping its little sing-song of alerts as a round of emails hit my inbox and I was brought back to reality for a little longer. It was the usual blast of junk email, some personal correspondence and, because it’s Friday evening, a notification or two from the FDIC regarding bank closings.

It got me thinking about how that sort of thing seems to have tapered off lately. I went back and searched my inbox for all FDIC correspondence over the past three months and I’m fairly confident it revealed a trend that such activities have slowed down. Then I remembered a story I read today about how the bigger banks (e.g. Citigroup, Bank of America, etc.) are expecting to restore the issuance of dividends sometime this year for the first time in nearly three years. Fewer bank closures plus healthier balance sheets has to equal the end of the crisis, right? I mean, what other indicators are you going to look for to prove such a theory? Bigger banks are generating profits, surviving banks are managing to keep their balance sheets sufficiently above water, so now we can all breathe a collective sigh of relief, finally. What a great way to end the week and sail off into a three-day weekend, right?

But then I remembered another story I’ve been tracking, the one about how analysts expect 2011 to set all kinds of ugly records for foreclosures of private residences. One expert estimated that nationwide 1 in 50 homes will experience some form of foreclosure activity and that 1.2 million homes will actually be repossessed by the banks. That’s a lot of housing inventory about to be added back to the books, a bundle of legal expenses about to be incurred and a tremendous hit to any bank’s balance sheet. So in addition to not receiving the anticipated revenue from the lost loans, the banks now have to face the harsh reality that much of the real estate coming back onto their books isn’t worth quite what they appraised it for when the loan was issued. It makes me think that while the rate of closings might be slowing, it’s nowhere near the end. Plus, as I’ve shared with you in the past, banking industry insiders that I’ve talked to are firm in their belief that until the commercial real estate market experiences a serious correction, the bleeding can’t end and the healing can’t begin.

If you want to gain a visual understanding of the enormity of the foreclosure crisis beyond just numbers, check out the Google Maps real estate feature which allows you to display foreclosed properties in any view. I played with it a bit and was stunned by how much of just about any geographic area I have connections to was covered in little red dots. Seriously, seeing it in front of me like that was shocking despite my being intimately aware of the numbers.

So I’m thinking that until the concept of foreclosure returns to its previous status as rare and uncommon, the banking crisis is not quite over. Until the value of a bank’s portfolio is solid and reliable, the bank itself cannot be. It’s just plain common sense. I’m no economist and I’m no real estate expert, but I can’t figure out how anyone can legitimately declare the crisis over until the underlying cause is satisfactorily addressed. Plus I still know way too many people who are out of work or who are certain they’re about to be; what’s going to happen when they run out of savings?

I want this to be over as much as anyone (probably more, considering too many of our clients are still worried about keeping their doors open and not so much about standard compliance issues). But I’m not going to believe we’ve turned any corner in a meaningful way until those Friday FDIC bank closing emails return to their previous status of being rare and unusual.

January 8, 2011  5:41 PM

New year advice on developing a business continuity plan

David Schneier

One of the first things I had to work on this week (and thus one of the first things to work on in the new year) was finalizing a report from last year. The report covered the results of a Business Continuity Plan desktop test and the client needed some clarifications around the results.

I’ve been working on BCPs since the late ’90s, cutting my teeth on a plan for the technology business unit I worked in at Citigroup, and I have continued working with clients on their plans in a variety of business verticals in the years since. Whether the client is a multi-billion dollar enterprise or a single branch bank, there remain commonalities that defy the entity’s complexity. On one hand it’s difficult to compare the plan I worked on at Citigroup to one I recently reviewed at a banking client with a single physical location (everything was quite literally under one roof), but on the other hand, the key elements were exactly the same.

Ask questions about who is responsible for activating the plan, who has copies and where they are located, and you’d get similar replies (mostly shoulder shrugs, lots of “um’s” and finger tapping). Select a sampling of employees and ask them what they’d do in the event of a business disruption and you’ll get a wide range of answers that are typically intelligent and sensible but have nothing to do with what’s documented in the plan. Review the plan and conduct a logical walk-through to determine if someone without intimate knowledge of the various sections could rely on it to help navigate through a disruption, and you’re likely going to have a list of questions longer than your own arm. Of course, one of my favorite measures of a plan’s effectiveness is to gauge its overall size and complexity relative to the entity it’s supporting. The single branch banking client had a binder filled with a plan that was nearly twice the size of the one I worked on at Citigroup. Despite the fact that the Citigroup entity clearly dwarfed the small banking client, you couldn’t tell from the plan. I’m not suggesting there’s a size rule to apply, but typically the thicker the plan, the less effective it becomes after a certain point.

However, the reason we’re talking business continuity to kick off the new year isn’t so I can rant but rather to illuminate an important aspect of a BCP (and perhaps any of your regulatory activities as well). Your business environment is dynamic; it’s ever-changing, with new considerations, concerns and risks emerging almost daily. Employees come and go, business needs change to keep pace with the economy, and your physical and logical infrastructure changes to accommodate both. It’s just about impossible that any plan you developed last year remains relevant this year. That is why the FFIEC guidance hammers home the point about conducting frequent risk assessments and periodic reviews of your key compliance activities. You simply cannot rely upon any documented procedure that hasn’t been reviewed recently and assessed for accuracy and relevance.

In terms of a BCP, you need to conduct an annual business impact analysis to determine if each critical area of the institution is properly factored into the plan, if the area’s needs have changed since the last update, and if the current set of procedures adequately supports its needs. You need to update your contact lists, inventories and your escalation plans. You need to reissue the updated plan and make sure that all stakeholders are aware of its changes and have the new version readily available. Perhaps the most important recurring activity is to conduct a basic test of the BCP to ensure that it will work and that your staff knows how and when to rely on it.

As for the client for whom the report was issued, they’re in good shape. The test revealed some common issues (e.g. critical stakeholders’ answers were often extemporaneous and did not come from the plan itself, and many in the room did not think to bring a copy of the BCP), but by and large they did well. They did well because the plan had been updated earlier in 2010 and reflected what they knew had to be done in the event of a disruption. Although they didn’t rely upon the actual document, they didn’t need to, because they were the ones who contributed to its content and were able to react rather than read. Unfortunately they’re part of the minority, because typically the plans I review are detached from reality to the point where they’re almost fictional and almost completely useless as written.

Like all compliance requirements, there’s real value to be derived from addressing them properly, and you shouldn’t need an examiner, an auditor or a blogger to point that out. It’s the first week of the first month of a new year; is there a better time to plan reviews of your key procedures and activities?

December 28, 2010  8:55 PM

Risk versus reward: Data warehouses and the cloud

David Schneier

It’s a popular time of the year for people like myself who publish any form of content to either reflect on the year that was or make predictions on the year that’s to be. Confidentially those are typically easy pieces to write and I’m generally happy to take advantage of such opportunities. However, I’m ending 2010 preoccupied with my latest concern which has me a bit on edge, and so I’m using my last post of the year to vent.

In the past few weeks I’ve participated in several conversations that focused on both cloud computing and data warehouses. As I’ve stated previously, I have some very real concerns about security in this ever-growing, amorphous collection of computing resources commonly referred to as “The Cloud.” Forgive a onetime science fiction fan a little leeway, but I keep conjuring up images of “The Blob” whenever I hear that phrase. It’s sort of like the dimensions of our universe; no one is really sure where it begins or where (or if) it ends. So how do you lock it down and apply the necessary controls to sensitive data? Honestly, companies have struggled for years to properly classify their data and build appropriate controls to protect what needs protecting, and that was when the data was stored in clearly identifiable repositories and servers. Now they’re moving the same information into an architecture that is harder to segment (because segmentation defeats the very purpose of its design) and which can often change dynamically. How can you properly secure and monitor a moving target? Based on my experience, I’m thinking you can’t.

As for data warehouses: Does anyone really know how these things are being used? After a recent call with a client, I had reason to question a few of my associates who either work with or have familiarity with how companies are using their related solutions, and quite frankly I’m stunned. It seems that it’s quite common for data warehouse architects to reach out and grab data from whatever systems they happen to come across without even having a legitimate reason. One of my contacts told me that the project lead at his company is fond of throwing around the CEO’s name when met with some resistance, as if not sharing data from your application’s database will create a blind spot and result in the company making a poorly formed decision. I clearly remember the original purpose of a centralized repository: it was to consolidate related information so that management could obtain a broader perspective on their business. It was never intended to duplicate all bits and bytes so that information existed in multiple locations, and it was supposed to be driven by the business, not IT. But apparently it’s now quite common for the data warehouse team to participate in the change management process to determine if enhanced or newly implemented applications should be plugged into their repository. What if there’s a table with sensitive data that’s properly secured but is now being shared with the data warehouse? Is it properly secured there? Who has access to the warehouse?

So what happens when you start using a cloud computing architecture to host your data warehouse? You can’t provide the same enhanced level of protection to all your data, because there’s a very real cost associated with that. And if you can’t properly predict where the data is going to be stored (either in the cloud or in a separate repository such as a data warehouse), how do you even know where to begin?

Perhaps when you consider how much audit and assessment work this is likely going to generate over the next few years, I should be more grateful than concerned. But I’m happier when things are done right to begin with and all I have to do is prove it.

Anyway, Happy New Year to all!

December 10, 2010  6:45 PM

Year-end begets regulatory compliance audit panic

David Schneier

Sometime back in August I blogged about addressing outstanding compliance tasks before the year’s end. We see it every year in my practice: Compliance and security folks wake up sometime right around now in a bit of a panic and realize that they’re about to miss certain key regulatory deadlines. Be it an audit, an assessment, or developing or updating one of the many programs that need to be in place — there’s just a ton of things that need to be completed within a calendar year. These things keep getting pushed off because they don’t seem significant to day-to-day operations; retail lending isn’t going to make its numbers because a pen test was conducted or because the vendor management program was maintained. And so these activities are constantly being put on the back burner to a moving point in time that never seems to be reached.

Of course, now that we’re facing down New Year’s Eve in exactly three weeks, we’re finding ourselves busy with all manner of work that wasn’t even on our radar as recently as Thanksgiving. It’s like the old adage: “If it wasn’t for the last minute, nothing would ever get done.”

But why does this keep happening? Why are these activities treated as necessary evils and not as something that helps support the business, reduces risk and maintains reputation in the marketplace? Quite literally, all of the have-to’s thrust upon financial institutions by their regulators serve an important purpose and address some very real problems that confront us every day. And yet despite that important fact, the vast majority of stakeholders view compliance as a bit of a drudgery and something they’d rather do later, not now.

I recently read a report that stated that nearly one of every two information security professionals spends at least 50% of their time working on regulatory compliance tasks. The angle of the report seemed to be that it was time consuming, possibly excessive, and that the infosec people had more important things to focus on if only they could. I was surprised by the report, because I would think that somewhere in excess of 75% of every infosec professional’s work day would be consumed with tasks that are directly related to regulatory requirements. Most of what a properly managed and matured IT organization needs to have in place dovetails quite nicely with the related regs. I’ve written before about how I thought PCI should be applied in a broader sense (though modified somewhat when it comes to the more extreme elements) as a security standard. It addresses just about every key security control objective and the related activities, provides tools to conduct periodic assessments, and allows you to align what’s required with how you should conduct business. A properly managed infrastructure shouldn’t have to jump through any special set of hoops to be compliant; compliance should be a natural byproduct of doing things the right way to begin with.

But when you read a report that places an emphasis on how much time compliance consumes in a work day and makes it seem as though that’s a separate body of work apart from what the infosec person should be doing, it’s clear to see why compliance is viewed as the aforementioned necessary evil. It’s not, though; it’s actually a great assist in managing risk.

We have several clients who are on top of the broad range of required activities. They don’t approach compliance as a point-in-time exercise but rather as an ongoing set of actions that are ingrained within their day-to-day activities. They identify issues with vendors before those issues impact their operations (particularly relevant in this economy). They uncover terminated employees who continue to maintain application or system access before any harm is inflicted. They modify and strengthen programs (e.g. Red Flags and incident response) so that they’re increasingly effective in helping to identify and reduce fraud (again, particularly relevant in this economy). They react to findings on audits and assessments with concern and not defiance, because they value the resulting improvements and the risks they help mitigate.

And what’s particularly interesting is that size doesn’t matter. We have proactive clients whose asset sizes range from $100M to $2B (and beyond); some with vast resources and some with scant few. But regardless, their approach, commitment and results are equal. They have no fear of the ball dropping in Times Square.

It’s just about too late to do much of anything if you’re already late in getting things done this year. But it’s not too early to get a head start on planning what you’re going to do in 2011. Remember, an examiner won’t let you off the hook for being deficient in any area, but they will grant you more time if you have a viable plan in place to address things in short order. For those of you who can’t be fully compliant, at least make the effort to be fully aware and prepared. Do you really want to be the one standing in front of the board of directors or CEO trying to explain how a key business partner just up and closed in the middle of the night and you didn’t even realize they were in financial trouble?

November 29, 2010  3:19 PM

You can’t have partial regulatory compliance

David Schneier

I recently decided to establish an automatic link between my personal checking account and a mutual fund account that was established for my son years ago when he was a baby. The account was originally funded with a gift from a family member, and while it’s grown reasonably well percentage-wise, its overall numbers remain low because we’ve never added to it. So I thought now would be a good time to do something about it.

It’s a custodial account because of his age, and my wife is designated as the custodian of record. As a result, I’m not supposed to be able to conduct any manner of business with the account because my name doesn’t appear anywhere. However, of the five phone calls I’ve needed to make to the fund company’s offices over the past few weeks, I’ve only been asked to have my wife authorize the conversation twice. That means that in 60% of my calls, I was able to present myself as someone with legitimate privileges to conduct business with the account and was successful. And while you can slice and dice the numbers and draw the conclusion that the fund company’s compliance efforts are partially effective, the truth is that they’re completely useless.

Being a little bit compliant is akin to being a little bit pregnant; you either are or you aren’t. There’s no gray area in between to take credit for.

Now take into account that I didn’t go looking for this; it just fell into my lap. I wasn’t researching anything, trying to test a theory or uncover a topic for a new blog post — I was just trying to conduct a simple transaction. And so my first thought upon reflection was that this was too easy. What if I was really trying to do something I wasn’t supposed to be doing? What if I’d found a neighbor’s statement in my mailbox and decided to try and access their account? What if I did some good old-fashioned dumpster diving around town and found a few discarded statements (trust me on this, that’s easier to do than you’d ever believe) and tried to get money out of someone’s account? Statistically you’d have to figure I could get pretty far without getting caught.

What I find truly amazing is that we’re in the age of compliance. I receive pamphlets and inserts in my mailings all the time from banks, credit card companies and anyone else I share PII with about how they have an obligation to protect my information. Every time you visit a doctor for the first time, half the paperwork is specific to HIPAA. And yet in the middle of this sandstorm of compliance activity, I was able to bypass the rules three times in five attempts, and I wasn’t even trying to break any rule.

They say a chain is only as strong as its weakest link. The same is true of compliance; if it fails in any measurable way, it fails — pure and simple. And if the compliance folks at these companies can’t keep up, how are they going to adjust as we keep moving more and more onto the lightning-fast pathways of the Internet?
