Network Security a Priority
By Susan Orr
The role of a board member has grown in importance and complexity with the adoption of the Gramm-Leach-Bliley Act and Sarbanes-Oxley. Corporate and IT governance obligations are now mandated, and non-compliance can carry stiff monetary penalties and prison sentences. To employ effective corporate and IT governance, the board must have a clear understanding of risk management, which entails identifying vulnerabilities and threats to information resources used in achieving business objectives, then deciding on the appropriate security and internal controls to mitigate the risks. Basically, the board has the ultimate responsibility for ensuring a secure physical and information systems environment, and ensuring the institution has protected itself from the inherent risks associated with the use of emerging technology and business processes in general. While this doesn’t mean the board has to be involved in the day-to-day operations of the institution, the board does need to oversee the development and implementation of appropriate and effective policies, procedures and controls to ensure the security, confidentiality and integrity of customers’ financial information.
Even though today’s risks really haven’t changed, the threats and vulnerabilities institutions are exposed to are growing more frequent and carry increasingly damaging payloads. High-profile problems, such as system failures resulting from these threats and vulnerabilities or the unavailability of systems due to a Web-site hacking, have elevated reputation risk to greater importance. Reputation, operational, strategic, liquidity, market, regulatory and legal damage can be significant and culminate in a loss of customers, financial losses or a negative impact on earnings and capital.
The concern over risks has also escalated among customers, stockholders, investors and regulators, making security a top corporate priority rather than a technology problem. Security is clearly a business issue and must begin in the boardroom. Risk management strategies must address the organization as a whole, since neither IT nor the board can operate in a vacuum. Risk mitigation strategies, which include people, processes and products, must fit into overall corporate governance and are a key factor in the alignment of IT to the overall business objectives.
Effective Corporate Governance
There are two factors for corporate governance to truly be effective. First, the board and executive management must implement some basic practices, starting with establishing ownership for risk management and security at the board level. Second, executive management must ensure that business and IT management share that responsibility while integrating security into the corporate business objectives.
To properly implement IT governance, these four basic tenets need to be followed:
• Strategic Alignment – to ensure security controls fit processes, that the security requirements are driven by corporate requirements and that the investment in security is aligned with the overall strategy and risk profile of the institution.
• Value Delivery – developing a set of security procedures that are based on best practices and are prioritized and communicated throughout the organization. The solutions must cover all business processes as well as IT.
• Risk Management – there must be a clear understanding of risk by the board and executive management, an awareness of risk mitigation priorities and an agreed-upon risk profile.
• Performance Measurement – there must be a well-defined process for measuring progress and effectiveness of security controls and risk mitigation strategies.
In addition to the laws, regulations and increased dependence upon information systems, risk-focused examinations have also amplified the need for understanding risk and implementing mitigation strategies, security and internal controls. Too many institutions appear to inappropriately view governance and risk management as a compliance exercise, as evidenced by recent examination findings, which cite lax board oversight, the lack of appropriate risk assessments, inadequate audit coverage and weak security controls as the top deficiencies.
To successfully comply with regulatory mandates and pass examiner and auditor scrutiny, the board of directors must implement an effective governance program and take the necessary steps to enhance risk management oversight by implementing a top-down approach to securing corporate and information assets. If these are not implemented, the institution could face the very real possibility of incurring regulatory enforcement actions, monetary penalties of up to $1 million and/or up to 10 years in prison.
Susan Orr is senior security compliance advisor for Perimeter Internetworking and a former FDIC examiner. Perimeter Internetworking is an association member of the Connecticut Bankers Association and can be reached via www.perimeterusa.com or at (800) 234-2175.