Jamie Davis, Education and Product Manager
5 Key Security Concepts
5. “Don’t ask me! I outsourced decision making.”
Vendor Management (FFIEC IT Examination Handbook – Information Security – Page 76)
Outsourcing is a large part of most companies’ strategic plans. The key is to do it well. In the financial institution arena there are two reasons to do it well: 1) for the growth and success of the company, and 2) because the FFIEC says so. To outsource successfully takes time and effort. I’ve seen institutions go as far as to have an employee whose job is to manage third-party relationships. Such an institution realizes its future success will be based to a large degree on getting the most out of its vendors and has therefore assigned a resource to ensure this. Here are a few keys to success:
- Review and follow up with all references before signing up
- Locate your own references when possible instead of using the ones provided by the company
- Review the contract with the salesperson
- Review the SLA
- Have an open dialog with the salesperson on the vendor relationship
- Review the relationship annually
- Appropriate security documentation (SYSTRUST, SAS70, SOC TYPE 1-4, WEBTRUST, etc.)
- Reports of service(s) provided (when possible)
4. “Patches? We don’t need no stinking patches.”
Patch Management/Hardening (FFIEC IT Examination Handbook – Information Security – Page 60)
Software hardening is the process of limiting the security risk of a given application or service. As soon as you plug a computer into a network, the machine is susceptible to a breach. Hardening the device is the key to limiting the chance of a breach. Some things like a firewall will limit this risk for all your devices, but you should still perform critical measures on each individual machine as another layer of security. These include:
- Keep the machine patched
  - Windows, Adobe, Java, Browsers, Banking Applications, etc.
- Change default user names and passwords
  - Firewall, Windows Server, Windows Desktop, Banking applications, etc.
- Maintain current, up-to-date antivirus and anti-malware solutions
- Uninstall unused or unneeded software (review software inventory on network regularly)
- Disable unused or unneeded services on servers and workstations
3. “Encrypt? Sure do, I got a great buy on this Enigma machine. Now I just have to learn the German alphabet.”
Encryption/Data Security (FFIEC IT Examination Handbook – Information Security – Page 72)
Keeping data in your office secure is a big deal. If data only existed between the walls of your main office, then life would be very simple. Between the door locks, security cameras, alarm system, and lockable cabinets you would only have to enforce a few rules and policies to secure data. The securing of your main office should be taken seriously, but it should be only one aspect of securing your data. Of equal importance is securing data in transit. As a general rule, any data that does or could leave your institution should be secured with encryption. Laptops that could contain nonpublic information, email, communication lines, mobile phones, backup drives/tapes, etc. should all be considered when evaluating security and encryption. Each of these is easily transportable, so even if you don’t PLAN on taking them outside the office, if they could potentially contain any nonpublic information, they should be secured.
2. “So glad you agreed to accept our job offer to answer the phones, here is our standard issue key to the vault.”
Least Permission/Least Privilege (FFIEC IT Examination Handbook – Information Security – Page 18)
You wouldn’t give the same key(s) or physical access to all employees when they start, so why would you create all user accounts with the same permissions? The concept of Least Permission/Least Privilege is one of the foundations of information security. To set up a firewall, the best way to start is to deny access to everything and then add exceptions to that rule. You should treat creating user accounts the same way. Create an account with the minimal rights possible and then add rights based on job function(s). The easiest way to do this is to manage users by groups when possible. To start this process, create job function groups in Active Directory and build on this as you see fit.
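The deny-everything-then-add-exceptions model above, written out as a small authorization model (an added example, not code from the original post or from any FFIEC guidance): a new account starts with no rights, rights come only through job-function groups, and an audit function shows the rights an account holds beyond its current job, which is what accumulates when someone changes roles and keeps their old group. The group names and right strings are constructed for illustration.

```python
"""Deny-by-default, group-based least privilege (constructed example)."""
from dataclasses import dataclass, field

# Job-function groups, each granting only what that function needs.
# Mirrors "job function groups in Active Directory"; names are made up.
GROUP_RIGHTS: dict[str, set[str]] = {
    "Tellers": {"teller_app:read", "teller_app:post_transaction"},
    "Loan Officers": {"loan_app:read", "loan_app:write"},
    "Helpdesk": {"workstation:reset_password"},
}


@dataclass
class User:
    name: str
    groups: set[str] = field(default_factory=set)  # empty: deny everything


def grant_group(user: User, group: str) -> None:
    """Add a user to a job-function group; unknown groups are rejected."""
    if group not in GROUP_RIGHTS:
        raise KeyError(f"unknown job-function group: {group}")
    user.groups.add(group)


def revoke_group(user: User, group: str) -> None:
    """Remove a group when the job function no longer applies."""
    user.groups.discard(group)


def effective_rights(user: User) -> set[str]:
    """Union of the rights of every group the user belongs to."""
    rights: set[str] = set()
    for group in user.groups:
        rights |= GROUP_RIGHTS[group]
    return rights


def is_allowed(user: User, right: str) -> bool:
    """Default deny: a right is allowed only if some group grants it."""
    return right in effective_rights(user)


def excess_rights(user: User, current_job: str) -> set[str]:
    """Rights held beyond the current job; non-empty means privilege creep."""
    return effective_rights(user) - GROUP_RIGHTS[current_job]
```

A periodic review (the post's "review the relationship annually" applied to accounts) is just `excess_rights` run over every account against its current job function.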
And finally, number 1. **Drum roll** “I’m more of a risk taker than risk assessor. Want to go parachuteless sky diving this weekend?”
Risk Assessment (FFIEC IT Examination Handbook – Information Security – Page 9)
Risk Assessments must be the cornerstone of decisions for all financial institutions. When evaluating a new technology or software, one of the first steps should be to perform a Risk Assessment. If done correctly, this should be a great way to evaluate the TRUE cost of the product you are evaluating. You may determine that to secure this technology properly the costs are too high. Or you may find that by performing this process, you and your management team have a better understanding of the pros and cons of what you are doing and therefore can address your needs more thoroughly. In the end this should be a benefit for your customers, employees, and bottom line as technologies with issues are avoided while approaching other technologies from the correct angle gives you a business advantage over your competitors.