Regulatory Reality

July 22, 2010  6:32 PM

Compliance doesn’t ensure data security

David Schneier David Schneier Profile: David Schneier

I’m fond of saying that a business entity complies with regulatory and industry requirements for one of two reasons: because it helps protect sensitive information or because they have to.  Some may argue that regardless of the reason, both will get you to the same place with the same results.


Doing something because you have to almost always converts into doing the bare minimum necessary in order to appease the regulators and auditors.  It’s an approach that encourages addressing all key points within scope for the requirement, but all but ensures you’ll never think past it and look for additional risk factors to address.  I speak from experience having seen clear examples where this proved to be true.  For example, take a client I did work for last year who was absolutely PCI compliant but who also would occasionally create Excel spreadsheets that included credit card information and used to support batch payment processing.  Those spreadsheets would be created by one person and emailed to another for processing.  Because the client’s corporate policy prohibited using email to convey personally identifiable information (PII) between their employees and customers, the company did not pursue any testing or further documentation of controls to address the associated risks.  I asked all sorts of questions about what happens to those internal emails: Are they archived, backed up and stored somewhere off-site?   Can the attachments be downloaded to a USB storage device without detection?  Can the email be forwarded to an external email address without detection?  The client didn’t really have all the answers (though they certainly did a short while later).  And yet they were PCI compliant.

This subject came to mind this week after news out of Boston about a loss of nearly 800,000 patient records by South Shore Hospital.  This first caught my eye because most (if not all) of my Boston-area based nephews and a niece were born there and several of my in-laws had stays  there over the past fifteen years. My first thought was how could this have happened?  There’s no doubt that they had some manner of controls in place to address this, which is how they first came to realize there was a problem.  When shipping almost anything there are tags and bar codes everywhere so you know who picked up what, where they picked it up, when they picked it up and where it was moved to along the way.  I mean honestly, I can track a new Dell laptop across their production floor, onto a truck, through a few distribution centers and back onto a truck right up until it shows up at my front door.  How is it that something far more significant wasn’t tracked similarly?  And from all available information, it sure seems as if though South Shore Hospital followed proper protocol on its end.

Still, despite having controls in place and being able to establish that the rules around those controls were followed, there are 800,000 former patients who have no idea who has access to their personal information.

This is a perfect example of why compliance by itself is not enough.

I’ve advocated for years that any regulation is an excellent starting point but there’s a healthy dose of vigilance required in order to ensure the spirit and intent of that regulation are properly addressed. At best,  compliance is a point in time validation and absolutely no guarantee that the most significant risks are being properly managed.

When a client tells me that his goal is to be compliant with whatever set of regulations govern his industry, I counter with, “Your goal should be doing whatever is necessary to avoid being on the front page of your local newspaper.”  Hiding behind a statement claiming that you were compliant with all necessary regulations at the time of the security breech is cold comfort for your customers (or patients) and a poorly formed management strategy.  I’m willing to bet I can find 800,000 people to agree with me up in Beantown.

July 12, 2010  6:31 PM

The banking crisis gets another dose of common sense

David Schneier David Schneier Profile: David Schneier

Summertime often means vacation time and while I’m not sure I’ll take a true vacation ever again, my wife imposes her will upon me and makes me at least try.  I try and circumvent the process a bit by using the downtime to catch up on some of my reading and this year the book of choice is Michael Lewis’s “The Big Short,” which is all about the real estate bubble and how Wall Street fed it with hot air before it was blown to pieces.  Right at the onset of my reading the book, I received an email from the FDIC regarding a speech recently given by its chairman, Sheila Bair.  Her subject of choice is coincidentally all about the collapse of the real estate market, its impact on the banking industry, and what needs to be done in order to prevent the same thing from ever happening again.

Now I’m not sure if everyone enjoys reading Michael Lewis’ books the way that I do, but his approach to framing a story and providing seemingly unrelated perspectives so that you gain a much fuller understanding of the situation is perhaps the best I’ve ever encountered.  And in detailing the mess on Wall Street, he has provided me with more to think about than anything previously.

I recall when I purchased my last house in the New York market, I was concerned that the lenders were willing to finance deals in which houses were selling for more than double what they had sold for just a few years earlier.  I couldn’t figure out what the banks were thinking by entering into those deals.  The day I moved into that house I started forming predictions regarding when the real estate bubble would burst, how it would impact me personally and what it would mean to the economy at large (I was right more than wrong but not all results have been reported as of yet).  I’ve since sold out of that market, moved to another part of the country where financially everything made a bit more sense to me and have watched as events have continued to unfold.

But there’s that one question that has been stuck in my mind for nearly eight years: what were the banks thinking?  The short answer is that they weren’t.  They were along for the ride like most of us and  in order to keep pace with the market, shed solid lending practices that had always provided some measure of sanity to the process.

Now I have a new  question that’s knocked the older older one from its place of prominence: What are we going to do in order to make sure this doesn’t happen ever again ( a question perhaps only a regulatory compliance professional such as myself could be consumed by)?

Enter Chairman Bair. As most of my readers know, I’m a longtime, big time fan of hers and she’s done nothing to disappoint me this time around either.  In her speech, she said that the “pervasive breakdown in financial practices at the peak of the housing bubble points to the need for fundamental reforms in mortgage finance.”

She continued: “While regulation is necessary to set the ground rules and protect consumers, excessively proscriptive rules are likely to either stifle the initiative of the market or be circumvented by new practices. Instead, we need a whole new set of basic ground rules that go from origination to securitization to the servicing of the loans. These rules should create the transparency and incentives needed for this market to do what competitive markets do best – efficiently allocate resources and price risks.”  I like her thinking is because it’s all encompassing.  One of the most glaring problems in obtaining a mortgage based on my own experiences is the origination process.  The first time I practically had to submit DNA samples and waited for weeks to get a decision, the second time I was pre-approved for both the primary loan and a home equity line-of-credit after barely more than a 15-minute conversation. The third time, I didn’t have a clue what was going on until a week before the closing despite multiple attempts to get someone, anyone, to return a phone call.  Shouldn’t there be a consistent process that’s followed and perhaps even required by law?

Chairman Bair added: “We need to have some basic underwriting guidelines that apply to mortgages originated not just by FDIC-insured depository institutions, which are already heavily regulated, but also for the thousands of mortgage brokers who fall outside the rules for banks and thrifts. Basic limits on loan-to-value and debt-to-income ratios, and consistent documentation requirements should be set for any loans held by a depository institution or sold to a securitization trust.”  Do you think the real estate bubble would have grown so large if loan-to-value and debt-to-income ratios had been in place, required by law and enforced?  In “The Big Short,” Michael Lewis writes about a farm worker earning $14k per year  securing a mortgage for a house worth over $700k.  If there had been a way to prevent such deals, it’s not likely we’d be in this mess.  And regarding those lenders who fall outside of the banking industry, there definitely needs to be a new set of rules to govern what they do.  I recall talking with a mortgage broker when purchasing my first home who said, “Don’t worry about your credit score or income, I’ll find you a deal somewhere”.   Well if there were enforceable rules in place governing the various formulas used to assess an applicant, that would no longer be possible.

And lastly, for those who rail against the idea of new legislation and insist that the market can manage itself and that government should stay out of it, I offer Chairman Bair’s closing comments: “We need to get back to a world where our financial sector supports the functioning of our economy, and not the other way around. And we need to fix what caused the crisis by reforming our mortgage lending and securitization practices. Only by getting back to basics in these most fundamental areas of our financial system can we begin to restore balance to our broader economy and confidence in our economic future.”

Let’s face it folks: Left up to their own devices, the lending markets will repeat these mistakes at some point in the future.  Without a set of enforceable rules that ensure some measure of sanity and sensibility, a future generation who didn’t really feel the pain of the experience will figure out they can make a boatload of money in the short run, enough so that they won’t have to worry about the potential (and inevitable) collapse that’s sure to follow and do this all over again.  The bigger mistake would be to let that happen again.

I sure hope Chairman Bair has a fan or two up on Capitol Hill who finds her words and ideas as refreshing and relevant as I do.

June 25, 2010  4:08 PM

Security pros need to practice vigilance not avoidance

David Schneier David Schneier Profile: David Schneier

A week or so ago, I received an invitation from a professional friend of mine to connect via Facebook.  He’s someone whose brain I’ve picked time and again as he’s one of the brightest information security people I’ve worked with but more importantly, he’s also someone who I enjoy talking to, and so I accepted.  A day or so later, I received a Facebook instant message from him suggesting I check out a website for which a link was provided.  I have a few fundamental rules that I never deviate from, one of which is that I never click on an unqualified or unsolicited link or attachment.  Plus the person allegedly sending the link would never send anything via that protocol unless he prequalified it.  And so I ignored it.

The next day I received another message from him with a different link, thus confirming my earlier suspicions that something was amiss. After letting him know about the wayward messages, I started thinking about what had just happened.  This is someone who lives security every minute of every day.  He knows about every threat old and new, the tools and techniques to combat them and is one of those people I go to for advice when I don’t know where else to turn.  And his Facebook session was sending out phantom messages without his prior knowledge.  A little scary when you get right down to it.

But wait, it gets just a bit scarier for me.

Fresh on the heels of the Facebook incident, I came across an interview on a security website I visit now and again in which the interviewee offered his opinion that security threats from social media sites are greatly exaggerated.  Really?  Based on what?  Here I am having just been presented with evidence that the threats are real, swift and plentiful and I’m being told just days later that it’s really not that bad.  And why I’m writing about it here is because although the person being interviewed is not offered as a security expert, the website itself conveys a certain degree of legitimacy.  The opinion was followed up by a recommendation that if you’re concerned about the threats imbued in the use of these sites that you should simply not use them. Hmmm.  My takeaway from the interview boils downs to “security threats from social networks sites are not so bad” and “if you’re concerned about threats, don’t use them.”  So your choices are either ignorance or avoidance; nice.

I remember way back when Palm Pilots first became popular.  Corporate IT reacted by banning them, claiming it would be a support nightmare.  Not long afterward, the use of personal email became pervasive and people wanted to be able to access it from their work place.  Corporate IT reacted by blocking access to most common external email sites.  A short while later, USB storage devices started showing up and almost a minute later corporate IT reacted by, you guessed it, banning them.  Fast forward to 2010 and smart phones (the modern day equivalent of the Palm Pilot) are common place within corporate infrastructures, USB devices are allowed, and the demand for access to external emails has subsided quite a bit (thanks to the aforementioned smart phones).

Now the greatest threat presented by the most recent wrinkle in the ongoing evolution of technology is access to social media sites.  I keep reading articles and coming across polls exploring whether or not companies should allow access to Facebook and LinkedIn.  I’m wondering why anyone seems to think it’s optional.  Exactly which technological advance has corporate America successfully derailed since technology first landed on our desks 40 years ago?

Here’s my take on all of this:

  • First, the threats presented by social networking sites like Facebook, MySpace, and LinkedIn are real.  Hackers were among the first to see the potential of these social networks and have quickly moved to take advantage.  I’m hammered on Twitter with suspicious links and receive odd communications via Facebook all the time.  And I consider it remarkably irresponsible for anyone remotely having to do with information security to claim anything else.
  • Second, you’d better figure out how to safely manage use of social networks.  While I can make an intelligent argument why all but the professional social networks should be blocked by your Web filters, I’ve personally witnessed over the not quite two years I’ve been using Facebook that it’s fast becoming the most common way for people to keep in touch.  Accordingly, your users will continue to seek out ways to access their network of choice and bypass your controls.  So you have a choice: Try to stop the next advance in the digital evolution or figure out a way to manage it better.  But remember, historically telling users to not use something and trying to prevent them from doing so has proved to be a flawed and largely ineffective  strategy.
  • Third, and this is a biggie: Educate your users on the types of threats they’re likely to encounter, how to identify them, and how to handle them when they appear.  Rather then spending all of your time trying to prevent this already entrenched advance in technology from being used, split off some of that time to prepare your user community on best practices.  And have rules in place so that if someone fails to follow them you retain the option to take action.
Remember that there’s historical precedence proving that it’s pointless to stop the advances these networks are making into our professional lives.  So what it comes down to is either adapt or suffer the sting of its blade.  But whatever you do, don’t ignore the risks presented by technological advances and don’t ever assume you can safely eliminate them.
Check back next week when I’ll share with you why FDIC Chairman Sheila Bair remains my favorite person in Washington.

June 17, 2010  3:36 PM

Should it be this easy to bypass network security?

David Schneier David Schneier Profile: David Schneier

A few weeks back, I went online to pay my cable bill.  There’s a long story behind the struggles I’ve had in doing so since becoming a customer, but I’ll save that for another time.   Part of the longer story, though, involves my bookmarking the sign-on page where I can access my account and make payments.

I clicked on the link and instead of being directed to the desired page was instead routed through to a Websphere Administration panel.

But that’s not even the best part of the story.

After confirming that in fact I was somehow through their firewall security and at some point along the way into their infrastructure,  I decided to be a good citizen and let them know.  I tried calling their customer support department twice and both times, after being routed through some crazy series of automated menus, wound up being treated as someone who was simply having trouble accessing his online account.  One customer support representative had no clue what I was describing to them and the other one seemed to grasp what I was saying conceptually but didn’t have a page in his playbook to manage the call and so he defaulted to trying to help me pay my bill.

The funny thing is that once I navigated from their homepage through to the payment page it worked just fine, but if I selected the bookmark it deposited me right back at Websphere Central.  And as of 30 seconds ago it still does.

Now I know that bashing the local cable company is a popular thing to do and has fast become one of our nation’s favorite pastimes.  But I’m not so much picking on them as I’m amazed that they have such an obvious flaw in their network security.  My firm conducts basic penetration tests all the time and this is the sort of thing that would be flagged without much of an effort.  Why haven’t they found it yet?  And if I’ve found it entirely by chance what about the hackers who go hunting for these sort of things?  Or have they discovered it and are currently feeding large while it remains available?

It’s amazing any of us are ever willing to conduct business online, when you get right down to it.

June 14, 2010  6:57 AM

An update on governance, risk and compliance

David Schneier David Schneier Profile: David Schneier

I just had an article published in Information Security magazine on GRC titled “Demystifying governance, risk and compliance.”  It’s a piece I’ve sort of had kicking around in my head for a while now and was glad for the opportunity to put my thoughts down on paper.  For anyone who has been following my blog posts over the years, you know that GRC is something I’ve had what can best be described as a mild obsession with; it just makes sense to me.

I don’t need to recite the article’s contents, you can click on the link above and read it for yourself.  I mention it here because there were a few things that didn’t make it to the final version that I wanted to share with you.

I had asked two associates of mine to be interviewed for the article; they agreed but were traveling out of the country for several weeks and we could never get together.   I selected them because they were instrumental in applying some of the key concepts of GRC to ease the suffocating burden compliance work had placed upon their IT organization.  Not only were they successful, but they also proved that GRC works.  And the best part was that they didn’t rely upon complex theories or expensive software solutions but rather good old-fashioned common sense.  Although their stories didn’t make it to print, I’ve asked them to honor their commitment to me and be interviewed for a GRC follow-up article right here in a future Regulatory Reality post; stay tuned.

I had also invited Michael Rasmussen from Corporate Integrity to participate.  It’s sort of difficult to separate Mr. Rasmussen from any conversation about the GRC movement because while he may not be its official leader, there’s certainly no greater advocate of its myriad benefits.  Plus, his perspective is broader than what I typically cover as he targets the entire organization and not just information security and the underlying technology architecture.  I plan to loop back to him in the near future for an interview; once I do, you’ll hear about it right here.

Lastly I wanted to shine just a little bit more spotlight on the folks at Network Frontiers who bring us the Unified Compliance Framework.  It was shortly after I first discovered the UCF collection of mappings that the idea for an article about GRC started forming.  GRC is all about gaining efficiencies and reducing effort and there’s no more significant tool available to consolidate the number of controls and related tests than the UCF.  Every practitioner I’ve shared this product with has become an instant fan.

Oh, one more thing.  I have a bit of a track record in spotting trends or technologies that are about to hit the mainstream.  I don’t pick many, but those that I have all panned out.  GRC is going to continue to grow and become huge in corporate America about 30 seconds after the economy bounces back.  If you’re not already doing so, start keeping an eye on how things are developing around it. Trust me on this.

June 1, 2010  7:32 PM

Flu pandemic plan: No need to go overboard

David Schneier David Schneier Profile: David Schneier

I’m returning to the office after having given in to the siren song of Memorial Day weekend.  Despite enjoying the long break and all its trappings (way too much I might add), something that hit my radar last week remained on my mind.

Earlier in the week, I came across a comment in an IT audit report in which the auditor recommended that the institution for which the report was written plan to conduct a test of their pandemic policy.  Before I continue, I need to come clean and admit that all auditors, myself included, are typically allowed a wide swath when writing our reports because while we stick to a somewhat standard approach to testing, our experiences and opinions heavily influence our findings and recommendations.  However, I found this comment to be way too granular and oddly specific.  First of all it would be the company’s pandemic procedure that would be tested, not its policy.  While this may seem trivial I can show you the scars I’ve received at the hands of auditees when confusing such terms.  Policy is how management specifies what needs to be done and procedure is how the organization gets things done; an audit confirms there are procedures in place to support the policy, that those procedures are sufficient to address the underlying risks, and that they’re being followed. My second issue with the recommendation is that the part of the overall business continuity plan (BCP) that addresses a possible pandemic scenario is only a subset.  You might recommend that a test of the overall plan be conducted but it’s a bit unusual to specify which parts should be included.

You may recall all the hysteria just about a year ago courtesy of the H1N1 (swine) flu epidemic that had everyone on edge for most of the late spring and early summer.  In the end, the numbers didn’t really reveal a remarkable increase in the number of flu cases reported year-over-year, only a shocking increase in the amount of media coverage it received.  But one of the residual effects was an increased awareness in how a financial institution would manage through a quarantine situation.  While there is real value to be derived from the planning for such an event, the bottom line is that most banks and credit unions are far more likely to confront evacuations and shut-downs due to fire, extreme weather or loss of services (e.g. electricity, heat/cooling, etc.).  When you consider that it’s challenging enough for small and midsize institutions to conduct any form of testing, you’d want them to focus on their greatest and most likely risks.  A quarantine situation, should one ever actually occur, would likely develop over a period of days and allow for a controlled transition from normal to reduced operations.  I’m just not sure that beyond covering the pandemic response plan as part of the annual training curriculum that there’s much value in conducting either a table-top or off-hours test.  It just doesn’t seem like good use of an already constrained staff.  For so many of my clients, there’s so little time to get everything done that they can ill afford to focus on the wrong things.  Perhaps a better recommendation would have been that the institution vary the parts of the plan they test each year, beginning with the pandemic section first.

At some point during the past year, it occurred to me that the difference between panic and pandemic was but a few extra letters.  It reminded me of a bit that Kevin Nealon did on Saturday Night Live years ago with subliminal messages and I’ve thought since then that might explain all the hoopla.  Because if you move past the Hollywood hype that usually fuels our fear and and think about it in practical terms, it’s just not that scary.  We have ATMs for cash and deposits, and online banking for statements, bill pay and account transfers (I can’t recall one single bank or credit union that doesn’t offer these services).  We have remote, encrypted connectivity from home for critical staff (not all of my clients make it available but the vast majority do) and most branches have drive-throughs, which further reduce the risk of exposure to airborne disease.

As I advised one BCP client recently, the annual pandemic test should consist primarily of making sure that the surgical masks and anti-bacterial soap are readily available.

May 21, 2010  1:55 PM

The new Senate finance bill: not what I hoped for

David Schneier David Schneier Profile: David Schneier

I’m an optimist:  Ask anyone who knows me either personally or professionally and they’ll agree.  And I’ve been eagerly anticipating new legislation ever since the banks spiraled out of control and needed government intervention to save themselves.  As my wife likes to tell people, when the economy takes a hit it’s usually good news for my end of the industry because the echo boom that follows is typically caused by an explosion of new regulations and I am, after all, something of a regulatory compliance expert.  But as I’m reading through all the content that was generated today about the newly passed Senate finance bill I’m not feeling any optimism.

The bill talks about things like establishing a new council of “systemic risk” regulators to monitor growing risks in the financial system and allow the government in extreme cases to seize and liquidate a failing financial company in a way that protects taxpayers from future bailouts.  But that basically gives the government the right to step in whenever it deems appropriate to either derail a business strategy it considers too risky or seize control of an institution and dismantle it should a team of government appointed bureaucrats conclude that it’s the right thing to do.  How about taking a giant step back in time to 2009 and consider what FDIC Chairman Sheila Bair said of these same institutions: let them fail.  We live in a country that promotes a free market economy.  You take a chance, gamble the rent money on a risky strategy, it fails and you’re forced to own up to it and suffer the consequences.  If Citigroup imploded and was sliced up and sold off in pieces to the competition so be it; the economy would rebound and the only lingering pain would be felt by the shareholders who, you guessed it, also gambled when they invested in the company.  Instead, the bill reeks of creating a situation where there’s almost a guarantee of no risk and only reward.

The legislation further outlines plans to  create a new consumer protection division within the Federal Reserve and give regulators new powers to oversee the giant derivatives market.  On paper (or a Web page), that may seem like a good idea but here’s my problem with it: The current set of industry regulators already struggle to enforce the existing rules and now the federal government is planning to throw even more on the pile.  Every week my practice encounters banks and credit unions who are missing key or current GLBA components and who have recently passed exams where the gaps weren’t identified.  So tell me how anything new is going to work when the current set of requirements can’t be properly enforced or policed?

And to that point, when the bill discusses empowering the Federal Reserve to “supervise the largest, most complex financial companies to ensure that the government understands the risks and complexities of firms that could pose a risk to the broader economy” I have to ask, how is that any different than what’s already in place?  Between the SEC, FDIC and the OCC, you’d have to figure there are already enough oversight bodies in place to get the job done.  And even with all of them hovering about and trying to keep an eye on things, the banking crisis came to pass right under their noses.  What’s going to be so unique and different about what the Fed will be doing to convince me that anything is going to truly change?

And so the optimism is reigned in and replaced with a healthy dose of pessimism.

I’m just not convinced that this bill will solve any of the problems it was supposed to and I’m all but certain it will generate an exhausting amount of additional compliance and reporting activity regardless of that fact.  As a regulatory compliance practitioner this may be a good thing, but as a taxpayer not so much.

May 10, 2010  4:59 AM

FDIC bank closure hits close to home

David Schneier David Schneier Profile: David Schneier

In the past, I’ve made sometimes flip and irreverent comments about the weekly FDIC announcements that land in my inbox regarding bank closings.  Despite the mind-numbing number of institutions that have been closed over the past year or so and the somewhat extensive list of institutions I’ve done work for, I’ve somehow managed to avoid any direct connection to any that have been shut down.  On Friday, that changed and I’m not happy about it.

I’m not sure if I can legally mention the institution’s name and so I won’t, but I wish I could.  I wish I could because from working there just over two years ago, I know it was not an institution being mismanaged or poorly run.  Quite to the contrary.  I met with roughly half of the firm’s management team while conducting an information security risk assessment and what I recall is an institution that was well managed and took regulatory compliance seriously.  The people responsible for the infrastructure were on top of things, smart and capable.  As a matter of fact, I developed a new technique to frame risk-related information for them so that they could continue to use the information to guide their compliance activities after the engagement concluded.  They didn’t want only a point-in-time assessment but also the ability to track related activities to ensure ongoing compliance.  Does that sound like an institution that would be ripe for closure?

I don’t understand enough of what goes into the balance sheet to assess their overall management and business strategy.  These are tough times and previously viable institutions are being caught in the still tightening grip of the real estate crisis all the time.  But I’ve come across financial institutions that were not nearly as organized, where the people I interviewed didn’t present nearly as well. If I was asked to pick five banks I’ve work with that might be closed I’m not sure the one shut down Friday would have even crossed my mind.

Now that the banking crisis has a face (or two) I can associate with it, I’m pretty much certain I won’t have any clever quips to make when the next round of FDIC bank closing announcements lands in my inbox.

April 23, 2010  10:14 PM

Compliance professionals need thick skins

David Schneier David Schneier Profile: David Schneier

I’ve often surprised people when it comes to conducting audit/assessment work or developing compliance programs.  Generally speaking I’m a reasonable person who typically exhibits an abundance of flexibility in my day-to-day life.  However when it comes to my career, I tend to be much more of a hard-liner, someone who shuns gray areas and instead tries to view everything in a binary fashion: You’re either compliant or not, you’re either following your rules or you’re not.  I’m the guy who hates to take findings out of an audit report in order to appease the client or accept excuses (legitimate or otherwise) as to why things aren’t being done according to the rules.

But every now and again I find a situation that makes me think that maybe, just maybe, an exception can be made.

In working with a client on implementing a compliance program, it became apparent that by adhering to the exact letter of the law specified within the documentation, they’d immediately be out of compliance on day one in a very large, obvious way.  Typically when dealing with such a situation, I advise the client to develop a schedule indicating the dates by which they expect to get all their work done and be fully compliant.  For vendor management, I usually recommend twelve months, for Red Flags it’s usually six months and for security awareness it’s three months.  As long as the plan and related schedule is documented and you can prove that you’re adhering to it, examiners and auditors alike will usually give you a free pass until the next time around.

Even so, in this instance nearly half of all the in-scope work would be displayed as overdue right up front.  No one wants to see that on a screen or in a report, no one wants to risk having senior management see that information and absolutely no one ever wants to explain to an examiner/auditor why they have so much work still to do (even with a solid explanation and plan).

And so I blinked.  I considered in this instance a way to introduce a new rule that would allow the client to theoretically use my approach of scheduling all the work to be completed within a set time frame (twelve months in this case) but wouldn’t have to show anything as being overdue.  It didn’t seem so much like the right thing as much as the kind thing to do.  I even went so far as to scope out my idea in writing and share it with my fellow compliance experts in our practice.

As it turns out, I apparently have had an influence in how all of us view such matters because the first question I was asked was what would I do if I was managing the program.  I wouldn’t come up with any special rules to avoid being accurate and honest, that’s for certain; it is what it is.  I was then asked if I was willing to bend the rules in other projects, say like an audit for example.  Well considering I’ve excused myself from audits in the past because management (at previous companies) elected to remove findings or soften them in order to keep the clients happy I knew the answer was a resounding “no.”  So I was asked why I was looking to bend the rules now.  Good point.

What audit and compliance practitioners have to do is often unpopular and sometimes very difficult.  We’re often perceived as inflexible or unreasonable.  But the truth is that your compliance and/or controls framework is only as effective as its weakest link; if you start making exceptions in one area it quickly becomes expected in others.  Once one control is weakened in exchange for making things easier or more palatable, the integrity of the whole enchilada suffers.

Compliance requires hard decisions, thick skin and consistency.  If you’re more inclined to be affected by acceptance rather than respect, it may not be the right line of work for you.  Or as I’m fond of saying, it requires that you’d rather be right than popular.

April 16, 2010  4:56 PM

Regulatory compliance is not optional

David Schneier David Schneier Profile: David Schneier

If I haven’t already shared this with you, I’m a partner in a regulatory compliance advisory firm.  We offer services to the banking sector that pretty much cover the entirety of the information security spectrum.  And as you might imagine, there’s a fair amount of sales and marketing that go along with the job with which I’m typically involved.

It’s important to develop a relatively thick skin when participating in the sales cycle because an unfortunate part of its process is rejection.  Despite the fact that we’ve built a successful practice during arguably the worst economy any of us working folk can ever recall, we still don’t close every deal we pursue.  But every now and again I hear something new as a reason why we lost out on a deal that just flat out catches me off guard and knocks me for a loop.  Last week was one of those times.

We’ve been enjoying a great deal of success over the past year in selling an automated vendor management product that aligns quite nicely against both FDIC and NCUA requirements.  Along the way just about every client and prospective client we’ve talked to has shared their concerns and frustrations in struggling to come up with something that would satisfy their examiners but not add considerably to their workload.  In the end, their decision to purchase or not purchase has fallen into somewhat traditional categories until last week when someone threw us a curve ball.

We had followed up with a prospective client that recently demoed the software and indicated interest in proceeding with us.  They told us that they’ve decided to delay doing anything with vendor management at this time.

Was it because of financial constraints on their part?  No.  Was it because of resource constraints on their end?  No.  Was it because they were going to develop something internally?  Again, no.

Their reason for not proceeding with us came down to this very simple and scary fact: They had just completed an exam with their regulator and vendor management wasn’t covered during the fieldwork.

Their management had made a conscious decision that if the examiners aren’t looking at something they’re required to do they’re simply not going to do it; just like that.

First of all, does that logic freak you out anywhere nearly as much as it does me?  Is this really how a financial institution being trusted with people’s money is conducting business?  My first thought was “what else aren’t they doing because their examiner ran out of hours and never looked into it?”

I mean, there’s a reason why the FDIC and NCUA came up with a set of rules by which you’re supposed to comply if you’re a bank or credit union.  These are things that are intended to protect the depositors who trust you with their money and personal information.  I’ve yet to come across anything a banking client is required to do that I thought of as being “made work.”  One of the simplest reasons I moved exclusively into the banking sector was because after several years of working on SOX projects I wanted to focus on something where the required activities actually made sense.

I’m not naive, far from it as a matter of fact.  I know that our clients activity is driven in large part by what they’re expecting their examiners to be most interested in during the next exam.  But even though money will be spent accordingly, each client typically makes an attempt to address all of the key compliance requirements.  For example, not everyone has the time or bandwidth to test their business continuity plan  but they all make sure they have something in place and try to update it with some frequency.   I can’t think of even one client who knew they had a deficiency in a key area and decided to leave it alone until the examiners made them do so.  Quite frankly it’s a horrible strategy.

In an ideal world you have all of your required controls in place, functioning and routinely tested.  However in the real world that’s not always possible.  And so I advise my clients that they need to at least have a plan in place on how and when they’ll be in compliance; don’t ever let an examiner find a deficiency on their own, it’s just a bad, bad idea.

So I wonder what this one institution will have to say next year when their examiner rolls around again and they still don’t have a vendor management program in place.   Because rest assured, if they avoided discussing it this year it’s not likely it will be missed the next time around (vendor management is about as hot a topic with the examiners as there is).  I can only hope that they come to their senses along the way and realize there’s a reason these things are called “requirements.”

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: