Information Security Strategy

Posted by ISL Admin on Thursday, September 25, 2014 with No comments
An information security strategy is a plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements.  Typical steps to building a strategy include the definition of control objectives, the identification and assessment of approaches to meet the objectives, the selection of controls, the establishment of benchmarks and metrics, and the preparation of implementation and testing plans.

The selection of controls is typically grounded in a cost comparison of different strategic approaches to risk mitigation.  The cost comparison typically contrasts the costs of various approaches with the potential gains a financial institution could realize in terms of increased confidentiality, availability, or integrity of systems and data.  Those gains could include reduced financial losses, increased customer confidence, positive audit findings, and regulatory compliance.  Any particular approach should consider:

  1. policies, standards, and procedures; 
  2. technology design; 
  3. resource dedication; 
  4. training; 
  5. testing.

For example, an institution's management may be assessing the proper strategic approach to the security monitoring of activities for an Internet environment.  Two potential approaches are identified for evaluation.  The first approach uses a combination of network and host sensors with a staffed monitoring center.  The second approach consists of daily access log review.  The former alternative is judged much more capable of detecting an attack in time to minimize any damage to the institution and its data, albeit at a much greater cost.  The added cost is entirely appropriate when customer data and institution processing capabilities are exposed to an attack, such as in an Internet banking environment.  The latter approach may be appropriate when the primary risk is reputational damage, such as when the only information being protected is an information-only Web site, and the Web site is not connected to other financial institution systems.

Governance
Governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, monitoring, and accountability. Governance is required to ensure that tasks are completed appropriately, that accountability is maintained, and that risk is managed for the entire enterprise.  Although all aspects of institutional governance are important to the maintenance of a secure environment, this booklet will speak to those aspects that are unique to information security.  This section will address the management structure, responsibilities, and accountability.

Responsibility and Accountability
The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution's information security program, and making senior management accountable for its actions. Oversight requires the board to provide management with guidance; approve information security plans, policies and programs; and review reports on the effectiveness of the information security program. The board should provide management with its expectations and requirements and hold management accountable for

  • Central oversight and coordination,
  • Assignment of responsibility,
  • Risk assessment and measurement,
  • Monitoring and testing,
  • Reporting, and
  • Acceptable residual risk.

The board should approve written information security policies and the written report on the effectiveness of the information security program at least annually.  A written report to the board should describe the overall status of the information security program.  At a minimum, the report should address the results of the risk assessment process; risk management and control decisions; service provider arrangements; results of security monitoring and testing; security breaches or violations and management's responses; and recommendations for changes to the information security program. The annual approval should consider the results of management assessments and reviews, internal and external audit activity related to information security, third-party reviews of the information security program and information security measures, and other internal or external reviews designed to assess the adequacy of information security controls.

Senior management's attitude towards security affects the entire organization's commitment to security.  For example, the failure of a financial institution president to comply with security policies could undermine the entire organization's commitment to security.
Senior management should

  • Clearly support all aspects of the information security program;
  • Implement the information security program as approved by the board of directors;
  • Establish appropriate policies, procedures, and controls;
  • Participate in assessing the effect of security issues on the financial institution and its business lines and processes;
  • Delineate clear lines of responsibility and accountability for information security risk management decisions;
  • Define risk measurement definitions and criteria;
  • Establish acceptable levels of information security risks; and
  • Oversee risk mitigation activities.

Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for administration of the security program. At a minimum, they should directly manage or oversee the risk assessment process, development of policies, standards, and procedures, testing, and security reporting processes.  To ensure appropriate segregation of duties, the information security officers should report directly to the board or to senior management and have sufficient independence to perform their assigned tasks.  Typically, the security officers should be risk managers and not a production resource assigned to the information technology department.

Security officers should have the authority to respond to a security event (a security event occurs when the confidentiality, integrity, availability, or accountability of an information system is compromised) by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value.  They should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.

Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements.  A central authority should be responsible for establishing and monitoring the security program.  Security management responsibilities, however, may be distributed to various lines of business depending on the institution's size, complexity, culture, nature of operations, and other factors.  The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.

Senior management also has the responsibility to ensure integration of security controls throughout the organization.  To support integration, senior management should

  • Ensure the security process is governed by organizational policies and practices that are consistently applied,
  • Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,
  • Enforce compliance with the security program in a balanced and consistent manner across the organization,
  • Coordinate information security with physical security, and
  • Ensure an effective information security awareness program has been implemented throughout the organization.

Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors. Those decisions should be incorporated into the institution's policies, standards, and procedures.

Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies.  Financial institutions can achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring.

Internal auditors should pursue their risk-based audit program to ensure that appropriate policies and procedures exist and are adequately implemented, and issue appropriate reports to the board of directors.

Management also should consider and monitor the roles and responsibilities of external parties.  The security responsibilities of technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should be clearly delineated and documented in contracts.  Appropriate reporting mechanisms should be in place to allow management to make judgments as to the fulfillment of those responsibilities.  Finally, sufficient controls should be included in the contract to enable management to enforce contractual requirements. 