Is Meeting Regulations Really Enough When It Comes To Security?

 

By Ron Dinwiddie
Chief Information Officer
Texas Trust Credit Union






Being in a heavily regulated industry, we have an obligation to comply. It is understandable that the regulatory burden often leads some to consider doing the bare minimum to get through the next audit. When faced with an overwhelming number of requirements, we are tempted to calculate the minimum our team needs to do in order to be in compliance and avoid a finding.

As a former consultant and now CIO for my fourth financial institution, I have experienced policies, procedures, and practices that represented the bare minimum needed to satisfy requirements. The reasons for that were either “we don’t have the time to do it better” or “the auditors and examiners didn’t ding us, so it must be OK.”

Maybe this is acceptable in some areas, but how about when it comes to your data and network security?

I am in touch with other IT senior leaders that include CEO, CIO and CISSO and clearly there is great interest in this industry about how to provide a higher level of security for our credit unions. Topics include multi-level security implemented at the brick and mortar level as well as the newest and most difficult to control – mobile devices. Why are mobile devices so difficult? At the brick and mortar level we can control what security solutions, policies and procedures are implemented but we have absolutely no control over what our members (customers to non-credit union industries) implement on their own device(s). We can make our mobile banking app secure, but if the member saves their login ID and password on their device and then their device is compromised so is their banking account.

In my discussions with other industry leaders, we all understand that just meeting regulations was not enough. Several of my peers have stated they were implementing the SANS Top 20 Critical Controls. So why are we all thinking this way?

• There are multiple regulatory compliance bodies overseeing various industries and they don’t all provide the same guidance or requirement levels, suggesting one or more of these guides is missing something or the developers of the guidance have a different idea about what is most important.
• These regulatory bodies are mostly reactive; once a vulnerability is identified they then develop the regulation, have it reviewed and approved, and publish it to their constituents. This takes time and leaves us vulnerable if we merely adhere to their publications.
  
• Most regulations, though not all, are geared towards a specific industry, such as credit unions. But those of us in IT understand that bad guys use some of the same tactics from one industry to another to gain access.
• It’s very difficult for regulatory bodies to draft a regulation that fits every environment. Not all credit unions have the same network structure, support staff, or ability to implement security solutions. A $40 million credit union doesn’t have the same resources as a $4 billion one, so regulations are designed and written to address organizations of all sizes.

As far as why some IT shops don’t do security as well as they could, let's look at the first excuse, that "we don’t have the time to do it better.” I would ask them “do you have the time to identify, counter, and remediate a network or data breach?” And how much time does it take for one of your IT staff to research and work their way through finding out how to fix a problem when your expert on that particular system or area within IT is not available as opposed to having your Subject Matter Expert (SME) develop proper procedures so their backup can easily follow them to fix a problem?

If there are loopholes in your policies because they meet the bare minimum requirement, of course you will get compromised. Using lack of time as the reason for not doing things in the best manner possible is inexcusable. By blocking out dedicated time each week to work on these items, and having your direct reports do the same, you will make progress.

"As to the second excuse, that "the auditors and examiners didn’t ding us, so it must be OK," auditors and examiners have checklists to follow. And since some of them are auditing and examining multiple departments, their level of expertise is somewhat limited in one or more of those areas. IT audits and exams are, perhaps, the most difficult. Most auditors and examiners don’t come from an IT background; they get training and look for specific words or phrases in policies and procedures and certain types of software and hardware settings when they come onsite. Your customers – members in the credit union world – deserve more. They deserve the best security you can provide for their personal information.

Think about airports and how many people complain about the TSA security and how it slows everything down. But if those agents slacked off and let someone through who caused harm to people in one way or another, everyone would then scream about how TSA failed to catch them. Think about how many of your users, and in some cases members, complain about your security measures. What would those same people say if it was their personal information that was compromised because you lowered your security standards just to make them happy?

Here are some facts, as reported in Homeland Security/FBI communications I receive, concerning security threats and breaches:

• BP reports it suffers 50,000 attempts of cyber-intrusion every day;
• The Pentagon reports 10 million attempts every day;
• The National Nuclear Security Administration records 10 million attacks every day;
• Attackers average 205 days inside an environment before they are discovered;
• 69% of victims learn from a third party that they have been compromised; and
• Healthcare has become a much higher target than financial institutions because their records contain more personal information and the black market has become flooded with compromised debit/credit cards.

Most auditors and examiners you encounter will readily agree that meeting regulations may be the minimum that you should do, but as a responsible senior IT manager you should constantly review and upgrade your security. There are many organizations you can join and become part of to help keep your security knowledge up-to-date. These organizations include the FBI, Department of Homeland Security, InfraGard and FS-ISAC for financial institutions.

Ron Dinwiddie’s 42-year career in IT has spanned most areas of IT in a wide-ranging variety of industries. Ron started his IT career in the United States Navy working with mainframes as an operator, moving into programming, networking, system administration and security before retiring after 22 years on active duty.

After the Navy Ron became a Unix instructor and consultant before moving into his first CIO role with a financial institution. Ron continued to expand his area of influence by moving to other financial institutions requiring his expertise in rebuilding their IT infrastructure and restructuring the IT services to provide the highest quality of service to end users. Ron also developed and updated Information Security policies and procedures so they complied with regulatory compliance standards.