Deliver Value While Delivering Compliance

Over the past several years, the financial services industry has been the focus of unprecedented scrutiny by both domestic and international regulatory bodies. The result has been a dramatic increase in demand for customer privacy, data reliability, integrity and security. In the United States, for example, corporate boards of directors and executive management are now legally accountable for the internal controls that protect their key systems and processes. In Europe, meanwhile, the protection and privacy of personal customer data has become highly legislated.



From the Editors of CIOSC

Scanning the regulatory landscape

To prevent a decline in consumer confidence in the financial services industry, regulators around the globe have been enacting laws mandating corporate responsibility for the security of financial and customer data. Among the more publicized regulations have been the Sarbanes-Oxley Act, the California Senate Bill 1386, the Gramm-Leach-Bliley Act, the EU Data Protection Directive and the Basel II Accord. Each one has implications for C-level IT executives:

• Sarbanes-Oxley Act. Sarbanes-Oxley holds a company's officers personally responsible for providing accurate public financial information to investors. "Internal controls" are highlighted as a foundation of information integrity and accuracy and, increasingly, security controls are seen as central to any effective system of internal control.

• California Senate Bill 1386. Also known as the Security Breach Information Act, this law requires companies that do business in California, or that have customers in the state, to notify those customers promptly whenever specific personal information may have been exposed to unauthorized parties in unencrypted form. Beyond establishing encryption (of unspecified strength) as a "safe harbor" against the requirement to notify, this law does not specify any controls required for compliance.

• Gramm-Leach-Bliley Act. GLBA mandates privacy and protection of customer records maintained by financial institutions, by, in part, establishing "administrative, technical and physical safeguards."

• EU Data Protection Directive. The Directive requires each member nation of the European Union to pass legislation requiring confidentiality and integrity controls for networks, systems and data containing personal information. Where most U.S. regulations address only the relationship between an organization and its external customers, the EU Data Protection Directive explicitly includes employee personal information along with customer information, and states that all personal information that is collected must be protected against accidental or unlawful destruction, loss, alteration and unauthorized disclosure or access.

• Basel II Accord. The Basel II Accord provides guidance on how a bank calculates its risk (credit, market and operational). Although there is no direct discussion of an information security component, the calculation of risk requires the identification, assessment and management of the risks an organization is facing. For financial institutions, there is a direct and potentially beneficial connection between the effectiveness of security controls and the bank's bottom line.

A look at frameworks

Complying with these regulations has been a daunting task across the industry, especially since many regulations do not take into account the myriad functions involved in the IT infrastructure beyond the concerns of the new rules. To help compliance efforts succeed in the eyes of legislators and across the industry, sets of best practices for securing enterprises and their data have been developed. Such standards will likely lead to a common, consistent approach to compliance. Here are a few worth consideration:

• ISO 17799 (and its cousin BS 7799). ISO 17799 is widely regarded as the de facto standard for information security policy. Although compliance with ISO 17799 is not mandatory, it provides a strong foundation for an information security program. The standard addresses the following 10 areas: Security Policy, System Access Control, Computer and Operations Management, System Development and Maintenance, Physical and Environmental Security, Compliance, Personnel Security, Security Organization, Asset Classification and Control, and Business Continuity Management.

• OECD Guidelines for the Security of Information Systems and Networks. The Organization for Economic Cooperation and Development has released a document specifying guidelines for the security of information systems and networks. Similar to ISO 17799, compliance with these guidelines is not mandatory; however, they too provide a strong foundation for an information security program. The guidelines address the following nine principles: Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment.

• Other frameworks. Other recognized information security program frameworks include CobiT, the ISF Standard of Good Practice, and the IT Infrastructure Library (or ITIL).

Competitive advantage

Building an institution's enterprise information security program around a standard framework should permit common solutions in varying regulatory areas, should be more efficient, and should help convey the credibility of the program to the various auditors and examiners who may come calling.

Furthermore, such frameworks may provide a competitive advantage to financial institutions by helping them improve customer confidence and increase brand reputation.
