Your Information Security Program
After an examiner or external auditor reviews the information security of your financial institution, you are likely to receive a recommendation that you “improve your information security program.” But Assurity River Group finds that many institutions struggle to understand this recommendation and act on it.
To understand what to do next, you need the answers to these questions:
What is my institution’s “information security program?”
What are its weaknesses?
What do we do to improve it?
What is my institution’s “information security program?”
Information is an important asset. You need to protect your information assets to keep the trust of your customers and to avoid the financial loss that can result from unauthorized disclosure, misuse, or alteration of critical account information.
To be successful, information asset protection must be a well-defined and well-executed program rather than a set of piecemeal, ad hoc efforts. The Federal Financial Institutions Examination Council (FFIEC) defines information security and an information security program as follows:
“Information security is the process by which an organization protects and secures systems, media, and facilities that process and maintain information vital to its operations…These security programs must have strong board and senior management level support, integration of security responsibilities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities.”
The FFIEC guidance goes on to list the following requirements for an information security program:
- Process: Implement an ongoing security process.
- Responsibility: Assign clear and appropriate roles and responsibilities to the board of directors, management, and employees.
- Strategy: Develop a strategy that defines security objectives and establishes an implementation plan. Weigh the cost of controls against the risk and complexity of your environment, and implement multiple layers of controls (defense in depth) between threats and information assets.
- Policies: Write policies that guide officers and employees in implementing the security program.
- Risk Assessment: Perform risk assessments that gather data on the information and technology assets of the organization, threats to those assets, vulnerabilities, and existing security controls. Analyze the probability and impact of known threats and vulnerabilities, and prioritize the risks to determine the appropriate level of controls, training, and testing for effective mitigation.
- Access Rights: Implement effective processes to control access to information. Limit each user’s access to the information needed to perform their assigned functions (least privilege), update access rights when personnel or systems change, review access rights at a frequency appropriate to the risk, and adopt acceptable-use policies that users are required to sign.
- Security Testing: Gain assurance of the adequacy of your risk mitigation strategy and implementation by testing. Use test results to evaluate whether security objectives are met.
- Monitoring and Updating: Continuously gather and analyze information on threats, vulnerabilities, attacks, and effectiveness of security controls. Use this information to update the risk assessment, strategy, and security controls.
Reference: FFIEC requirements for the information security program.
Reference: the FFIEC work program that guides examiners, and Assurity River Group, in evaluating your information security program.
What are its weaknesses?
Implementing an effective information security program is difficult. When Assurity River Group performs a risk assessment for a financial institution, we always find opportunities to strengthen the program, and at times we find that some aspects of the program are missing entirely.
Your organization may have these shortcomings in your information security program:
- The board does not understand the institution’s information security program or the board’s security responsibilities; the board has simply approved numerous detailed, piecemeal policies.
- Security responsibilities of the Chief Security Officer, board, management, IT staff, and employees have not been specifically defined in policy.
- The board has limited visibility as to whether or not the institution has good information security.
- The board has limited involvement.
- Information assets have not been specifically identified.
- Protection measures have not been defined for each information asset.
- Many employees have virtually unlimited access to a wide range of sensitive information, with limited review and monitoring.
- Dual controls are lacking for sensitive activities such as changing access privileges on core processing functions or changing firewall rules.
- There are no internal audit procedures based on information security risk.
- Policies to control the security of information assets entrusted to external service providers are lacking.
- New threats keep appearing, and your information security program isn’t improving fast enough.
- You are not sure if you are safe.
What do we do to improve it?
Because information security is complex, and your information security program may not be well documented, it is hard to determine what to do next to improve security. You also need to be careful not to spend your entire budget on hit-or-miss efforts that fail to address your most critical security issues. Assurity River Group recommends the following approach to improving your information security program.
Start with a comprehensive risk assessment that identifies and prioritizes risks, and provides specific recommendations on how to improve your information security program. This establishes a baseline and focuses your improvement efforts.
Next, resolve the specific vulnerabilities that were discovered. You will likely find several serious vulnerabilities that must be fixed immediately; many minor ones can be cleared at the same time at low cost. An understanding of the risks may also point to a single key initiative that addresses numerous vulnerabilities at once or substantially improves your security on an ongoing basis.
Concurrent with these efforts, address weaknesses in your policies by analyzing which policies could be improved to reduce risk on an ongoing basis. At a minimum this includes a commitment to a comprehensive information security program, periodic risk assessments, definition of security responsibilities within the organization, a business continuity policy, and a definition of who is responsible for the audit reports that give management and the board assurance of security. The policy improvement effort should also document your information assets and define the security policies that protect each asset.
How Assurity River Group Can Help
Assurity River Group offers specific services to help you assess and improve your information security program:
- Our comprehensive Risk Assessment will provide you with detailed, practical findings.
- Assurity River Group’s Information Security Program Charter and policy architecture define a policy structure that starts with board-approved policies and extends down to specific policies that protect each information asset.
- Our consultants can help you with mitigation projects that resolve numerous vulnerabilities with one effort, while improving your overall security stance on an ongoing basis.
Assurity River Group’s consultants are available to assist you, regardless of where your institution is in the development of a complete and effective information security program.
Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.