Information security is a significant business risk that demands our attention. But too many times, the personnel tasked to oversee information security don't have the time, resources or knowledge to do the job right. Although this article cannot provide the time or knowledge needed to make a true evaluation, it can help get the internal conversation stared. Answering the following 21 questions can help you measure your overall information security posture.
Risk assessments are the foundation of a good information security program, so the risk management process needs to be strong for the overall program to be strong. In regards to risk management, ask yourself:
- Have we conducted an Information Security Risk Assessment within the past year?
- Do we have appropriate participation from various departments during the development and analysis of information security risk management process?
- Have results from risk assessments been presented to the Board or an appropriate committee of the Board?
- Is the risk assessment process enterprise wide?
Service Provider Oversight
We cannot just abdicate responsibility for information security to our vendors, instead we must manage the relationship. Questions to ask about your vendor relationships include:
- Do we have a formal due diligence process for service providers?
- Do we have confidentiality agreements with all third-parties that have access to our customer information?
- Do we have a vendor oversight program to review/monitor applicable information such as contracts, SLAs, financials, SSAE 16 reports, audit or security testing reports, business continuity plans and/or tests, etc.?
The ability to recovery from even a minor disaster situation is paramount in maintaining long term business viability. An organized and prioritized recovery plan ensures we are ready to implement recovery measures to maintain business operations at the primary location (if operable) or secondary location with only minimum business and operational interruptions. In regards to your IT business continuity planning (BCP), ask:
- Have we conducted a Business Impact Analysis (BIA) within the past year?
- Are backup and recovery procedures documented and approved?
- Do we have a BCP test plan? If so, does it adequately cover technology, processes and people?
- Has BCP training taken place within the past year?
- Does the BCP include Pandemic Planning?
- Does the plan provide effective guidance to assist management under a disaster situation?
In a hearing with the US Senate Committee in 2000, Kevin Mitnick, a notorious hacker, stated "Companies spend millions of dollars on firewalls, encryption, and secure access devices and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information." In regards to your employees, ask yourself:
- Has Security Awareness Training (SAT) been conducted within the past year?
- Did SAT include acceptable use and social engineering?
- Are employees required to sign an Acceptable Use Policy (AUP) on an annual basis?
- Do we conduct social engineering tests?
The FFIEC IT Examination Handbook, Information Security Booklet states, "The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution's information security program, and making senior management accountable for its actions." Evaluate oversight by answering these questions:
- Is the status of the Information Security Program reported to the Board at least annually? Does the report address issues such as: risk assessments; risk management and control decisions; service provider arrangements; results from testing; security breaches or violations, and management's responses; and recommendations for changes to the program?
- Do we have an Information Security Officer?
- Do we have an IT Strategic Plan?
- Is there a committee (Security, IT Steering, etc.) that oversees IT? If so, does it meet regularly and include appropriate management?
It is necessary to evaluate your bank's information security. The above list of questions should not be considered exhaustive. Instead, use these questions as a starting point to help you gage your information security posture. Each bank should be using appropriate personnel to conduct audits, assessments, penetration tests, and/or security assessments periodically. A good resource to assist in management, audit and oversight of information security is the FFIEC IT Examination HandBook InfoBase (http://ithandbook.ffiec.gov/).