Solving the Security Riddle
By Joe Lockwood
Are we mastering security or are we getting lost in a maze of risk? That’s often the senior executive’s response to news of the latest virus or spyware attack. Many believe they are fish out of water.
Bill Lidestri, senior vice president at $255 million Windsor Federal Savings, recently commented, “Bank management is trained to evaluate and manage risk within the context of a mature banking industry where seasoned executives apply knowledge and experience acquired over many years. In contrast, information technology is a developing discipline that is constantly changing, complex and presents risks that are not always well understood.”
With today’s regulators increasingly focused on security risks, banks are busy identifying their information assets, assessing and mitigating the risk of new products and proving the overall effectiveness of their processes. While many of the new risks are a consequence of the new technologies, ironically, those same technologies can now help banks assess and mitigate those risks going forward.
For example, $949 million First County Bank based in Stamford has deployed a new computer network to identify and mitigate its network security risks. The network enables First County to manage all access to its entire computing environment from a single administrative workstation.
Highly Secure Platform
“Our network administrator can lock down any workstation on the network, make programs available or take them away,” said Peter Rugen, vice president of operations at First County Bank. “This approach gives the bank a highly secure platform on every desktop. We assign access to functions and information on a person-by-person basis. If there’s a problem, we shut it down on the spot.”
The centralized computing approach also simplifies the bank’s audit process. Reports prove which staffers had the ability to perform particular functions and which ones actually did. The system also handles “floaters” because their security profile goes wherever they sign onto a workstation.
First County’s system carries over to its disaster preparations, which include a live server installed at its servicer’s hot disaster recovery center in Wallingford.
“The server is actually connected to the bank’s network,” said Rugen. “All work at the disaster site is controlled and reported the same way as all other First County locations.”
Windsor Federal Savings has focused on implementing a number of automated processes and procedures as the backbone of its IT security strategy.
“We take a holistic approach to managing our IT risks and begin with the overlap of multiple automated processes and procedures as a best-practices approach to IT security,” said Lidestri.
Windsor Federal limits access to particular software applications by job function and limits Internet access on a majority of workstations to a “white list” of business-related Internet sites. In addition, the bank limits access to the wide area network through automatic log-off features and time-of-day restrictions. Windsor has also integrated its alarm system access to the physical bank locations into its IT risk assessment process.
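The two controls described above, the person-by-person (or job-function) assignment of application access with time-of-day restrictions, and the audit report that shows which staff could perform a function versus which ones actually did, are easy to sketch in code. The following Python is an added example written for this page, not software from First County, Windsor Federal or COCC; the roster, job roles, business-hours window and activity log entries are all constructed sample data, and the function names are the example's own.

```python
"""Added example (not from the article): a small job-function access model with
a time-of-day window, plus the audit reconciliation the article describes:
which staff *could* perform a function versus which ones actually *did*."""
from datetime import datetime, time

# Constructed sample entitlements: job function -> permitted application functions.
ROLE_FUNCTIONS = {
    "teller": {"cash_drawer", "deposit", "withdrawal"},
    "loan_officer": {"loan_origination", "credit_report"},
    "admin": {"cash_drawer", "deposit", "withdrawal",
              "loan_origination", "credit_report", "user_admin"},
}

# Constructed sample roster: user -> job function.
STAFF_ROLES = {"alice": "teller", "bob": "loan_officer", "carol": "admin"}

# Assumed business-hours window (07:00 to 19:00 local time).
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def allowed_functions(user):
    """Entitlements for a user, derived from job function (empty set if unknown)."""
    return ROLE_FUNCTIONS.get(STAFF_ROLES.get(user, ""), set())


def is_access_allowed(user, function, iso_timestamp):
    """Policy check: the function must belong to the user's job role and the
    request must fall inside the permitted hours. Returns (allowed, reason)."""
    if function not in allowed_functions(user):
        return False, "function not permitted for job role"
    when = datetime.fromisoformat(iso_timestamp)
    start, end = BUSINESS_HOURS
    if not (start <= when.time() < end):
        return False, "outside permitted hours"
    return True, "ok"


# Constructed activity log: (timestamp, user, function) as a central
# administration system would record each use of a function.
ACTIVITY_LOG = [
    ("2006-03-01T09:05:00", "alice", "deposit"),
    ("2006-03-01T09:40:00", "alice", "withdrawal"),
    ("2006-03-01T10:15:00", "bob", "credit_report"),
    ("2006-03-01T22:30:00", "bob", "loan_origination"),   # after hours
    ("2006-03-02T11:00:00", "carol", "user_admin"),
    ("2006-03-02T11:30:00", "alice", "credit_report"),    # not a teller function
]


def reconcile(log):
    """Compare entitlements with observed use.

    Returns (used, dormant, violations):
      used       - functions each user exercised within policy
      dormant    - functions granted to a user but never exercised (review candidates)
      violations - log entries the policy would reject, with the reason
    """
    used = {user: set() for user in STAFF_ROLES}
    violations = []
    for ts, user, function in log:
        ok, reason = is_access_allowed(user, function, ts)
        if ok:
            used.setdefault(user, set()).add(function)
        else:
            violations.append((ts, user, function, reason))
    dormant = {user: allowed_functions(user) - used[user] for user in STAFF_ROLES}
    return used, dormant, violations


if __name__ == "__main__":
    used, dormant, violations = reconcile(ACTIVITY_LOG)
    for user in STAFF_ROLES:
        print(f"{user:6} role={STAFF_ROLES[user]:12} used={sorted(used[user])} "
              f"dormant={sorted(dormant[user])}")
    print("exceptions for review:")
    for entry in violations:
        print("  ", entry)
```

The dormant list is the part an auditor cares about: entitlements that are never exercised are the ones to question at the next access review, and the exceptions list is the short report a reviewer reads instead of the raw log, which is the point Lidestri makes about automation narrowing the reviewer's focus.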
“It’s important for everyone to know that automation is not the end of the risk management process,” said Lidestri. “Automation narrows the focus for the individuals responsible for reviewing the reports generated by each process. In the end, the review process is critical to the IT security strategy’s success. Hopefully, the automated processes enhance the effectiveness of the individual reviewing reports and documenting exceptions.”
Windsor Federal Savings’ IT security strategy also involves outsourcing some of its IT security processes, including software patching and firewall monitoring. The bank uses COCC’s “Patch Plus” automated workstation patching service as well as COCC’s Internet Services group to review the exceptions found on the bank’s Internet intrusion reports and to make necessary adjustments to the bank’s system access controls.
“We believe there are some IT security functions that are best outsourced to an outside vendor based upon cost and resources,” said Lidestri. “For example, we outsourced our workstation patching program simply due to the cost effectiveness of the service and the depth of the resources at COCC. We don’t necessarily take pride in doing it ourselves but rather in making the best decision for the organization.”
The increasing weight of today’s security demands has pushed all third-party bank processors to expand their services as well.
“In the last 12 months, we have added 20 products,” said Linda Stahl, COCC’s managing officer of strategic products. “Nearly half of those products are security-related.”
Education has also become a large part of the security equation, and bankers can now attend “Tech Forums” which describe technology trends and focus on issues of immediate concern, such as anti-money laundering and business resumption strategies. Questions are posed ahead of time so that the experts can research their answers.
Lidestri and Rugen attend these events regularly. “One big advantage of the Tech Forums is the opportunity to share ideas and information with other bankers and IT specialists,” said Lidestri. “With information technology changing so rapidly from a time and resource standpoint, it only makes sense for community banks to collaborate with one another.”
Rugen added that the purpose of these efforts goes well beyond compliance.
“We’re doing something that makes sense,” he said. “If the bank experiences a disaster, we are ensuring that we can continue to stay in business.”
First County’s disaster preparations are built on the bank’s business continuity plan, which dictates the bank’s scope of recovery.
“We are going to recover from certain events in a certain way,” said Rugen. “That’s our commitment to our customers. We’ve communicated it, and they expect that we’re going to do what we say.”
Going forward, Rugen and Lidestri talk about practical methods for meeting security needs. Lidestri is looking to improve the ability to separate pertinent information from the volumes of data produced by various systems and software applications.
“Automated systems have created a tremendous amount of data, but if that data obscures important events or trends, the systems will provide a false sense of security,” said Lidestri. Products such as those for anti-money laundering are designed for this finer level of reporting: because the bank can define potentially fraudulent patterns more precisely, the system surfaces the events that warrant review rather than burying them in volume.
For the time being, banks and bankers will continue to gain experience in the field of information technology and continue to adapt to the rapid pace of change within this area.
“The risks will continue to evolve at this rapid pace and will need to be managed,” said Lidestri. “I doubt that any of this will change in the foreseeable future. In the meantime, bankers will continue to acquire experience and knowledge, adapt our skills in risk management, outsource when most appropriate and, of course, collaborate with our peers.”
Joe Lockwood is chief technology officer of COCC, a Connecticut-based outsourcing and software development company that provides computing services for community banks and credit unions.