ABA Banking Journal - September 2007 - (Page 54)

Tech topics

Andrew Burton, director of product management, Information Risk Management, Symantec, Waltham, Mass., took some time with ABABJ to discuss the company’s new emphasis—a policy-based information protection approach. As part of this, Symantec has released a suite of protections in which several “bots,” or capability areas, make use of a single interface for administrators. Burton has over a decade of software industry experience and has worked extensively with Fortune 500 companies and public sector organizations to build and deliver security product solutions. Prior to joining Symantec, Burton delivered products and solutions at IMlogic, Groove Networks (a Microsoft company), USinternetworking (an AT&T company), and Accenture.

Security: Protect information first

Dialogue

It needs to get operationalized. That seems like a made-up word by the way [Laughs.] It is a little pompous and we use it sometimes. Still, it’s a good word in that it suggests something systematic and widespread that needs to happen. Getting to that point requires the security team and business managers to zero in on workflow.

“When you follow the data you begin to see what end users are actually doing day to day” —Andrew Burton, Symantec

Why frame the security problem around information? What’s the benefit to viewing it that way?

An information perspective allows the bank to be more thorough both in terms of screening malware and other “bad stuff” and managing sensitive content. It also lets us help companies develop more realistic archival strategies, including ediscovery. It’s a reality check: Oh, right, the information is the point of all that equipment, so we shouldn’t just concern ourselves with infrastructure. With this awareness you can set up programs and policy accordingly, involving not just CIOs and chief security officers or storage or network administrators but HR, legal, and compliance.
On one level everybody knows that information, people, and process need consideration, but they tend to forget it when planning the security function. Or perhaps, it’s more accurately said that thinking gets short term and tactical in the interest of solving today’s issues, when it makes more sense to be as strategic as possible. When you look at various security challenges in terms of process tasks and relationships between lines of business and from front office to back, you’ll pick up the things you would otherwise miss.

Are most security issues or failures process related, then?

Yes. Though inadvertent, errors are caused by people—typically people bypassing a policy or interpreting a poorly designed policy. You see this all the time in storage and back-up of certain types of documents. Sometimes you see it in ordinary records processing—interacting with customer files. Although more rare, schemes involving compromised insiders are definitely a factor too. Those USB sticks and laptops and other portable assets can be particularly challenging to trace and manage and they are constantly leaving the organization. They represent a risk. Conducting a risk assessment, protecting high risk areas through creation of a realistic, enforceable policy—these basic steps can help get a company on track. For security to work it needs to become a fabric of routine operations.

Why does looking at information (instead of systems) lend itself to more of a process view?

When you follow the data you begin to see what end-users are actually doing day to day. This leads you to see what’s happening in terms of workarounds, in terms of, say, a worker ignoring official policy, as an expediency perhaps, and helps a company decide what can be done to offset those exposures.
Then you begin to see how small changes in work habits, policy issues, or system design considerations can reduce bad results like all those unwanted online postings, secondary sale of customer records, or exposure of account data. If you look at the problem from the perspective of an end-user, what you see is that every function, every piece of work, has a security aspect.

Are there other reasons to frame the problem in terms of information?

It should be incorporated into a broader records protection strategy. What do you have, why are you keeping it? What length of time does it need to be kept? How should it be backed up and at what cost? It makes sense to think in terms of lifecycle protections of assets. So, for example, a company should evaluate its processes around an employee who is moving on. How quickly is that person locked out of the network? How quickly is his or her laptop or other assets turned in? If you have a repeatable process in place you reduce the risk of sensitive information just walking away.