Western Independent Banker - January/February 2008 - (Page 12)

Four Realities of Data Security Policy, Enforcement

By Sam Fleming

Today's complex layered solutions for securing data, applications, networks, and hardware have successfully created a fortress-like shell to limit access to our sensitive data. Unfortunately, when it comes to data theft, this entire security paradigm breaks down at the point where access is granted to the trusted user.

Like most institutions, your company's fraud metrics likely illustrate that internal incidents make up just a small percentage of overall fraud losses. Conversely, nearly every published statistic, from industry analysts to the federal agencies investigating fraudulent activity, paints a picture that can best be described as the polar opposite of your experience. As you reflect on your own situation, you can place your institution in one of three categories:

1. You have a very low rate of internal fraud.
2. You mistakenly classify incidents as external when the root point of origination is actually internal (e.g., mortgage fraud may involve a stolen identity).
3. You are honestly unable to identify the internal fraud that is occurring.

In reality there are inherent weaknesses in four critical areas of today's data handling policy approaches that should cause us all to suspect we fall into the latter two categories above.

1. Policies which are self-policed are not effective controls. Written policies with weak enforcement mechanisms are further negated by our inability to see activity on the computer desktop. Many controls depend on self-policing, whereby users are responsible for enforcing policy. In this situation there is little or no accountability assigned for what happens with sensitive data once it has been accessed.

2. Application-level auditing is blind to data theft. Most transaction-centric applications have evolved to incorporate robust fraud detection capabilities. While these applications may identify suspicious transactions, they are limited to transactional activities within the application (such as inappropriate chargebacks). From a data theft perspective it is much more interesting to know what is done with the data once it leaves the scope of the trusted application.

3. System lockdown can create a false sense of security. Many organizations have limited access to services such as CD-writeable devices, USB thumb drives, or instant messaging. While these are good ideas, on their own they do little to establish accountability if an employee is moving data inappropriately. Unless you take the impractical approach of eliminating all the vehicles users have at their disposal, they will simply take another approach.

4. Audit trails require indications of risk. Audit trails are critical to any compliance and risk management strategy, but they do little to actually expose risk. Because they are forensic in nature, they generally require some other indicator of risk before they can be leveraged. Further, audit trail review tends to focus on privileged user (system administrator) events such as significant system changes or administrative functions, rather than the common system interactions of end users.

Conclusion

The aspect of security that organizations fail to address is the most creative single point of failure: the end user. We attribute fraud loss blame to external factors, yet we continue to see insider risk activity manifest itself time and time again, resulting in damaging public disclosure of data loss and compliance violations by trusted insiders who accidentally or intentionally move data inappropriately. Responsible organizations must respond with continuous auditing efforts that emphasize accountability over data handling activities. Our goal should be to implement effective controls that provide mechanical interlocks, or that enforce rules which shed light on risky user activities. Only then can these activities be dealt with from an incident review perspective. We must establish a holistic view of what users do with data, regardless of whether the transport method is e-mail, removable media devices, printing, or some other digital vehicle. There is far too much sensitive information flowing through today's Internet- and media-enabled desktop computers. To remain blind to this activity puts our organizations at far too great a risk to be left to implicit trust alone.

Sam Fleming is chief technology officer for NextSentry Corporation in Spokane, Wash. He can be reached at 509-242-0777 ext. 1025 or sfleming@nextit.com.
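As an added illustration of points 2 through 4 and the conclusion (this is example code, not from the article or from NextSentry), the rule below gives an audit trail its own indicator of risk: it correlates a sensitive export from an application with the transports (USB, e-mail, IM, print) by which the same file later leaves the desktop, across all transports for each user. The log format, action names, and sample events are constructed for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed desktop activity log (not real data): one event per line.
# "sensitive" marks files the application tagged as containing customer data.
SAMPLE_LOG = """\
ts,user,action,detail,sensitive
2008-01-14T09:02,alice,app_export,loan_apps.csv,1
2008-01-14T09:05,alice,usb_copy,loan_apps.csv,1
2008-01-14T09:30,bob,print,quarterly_memo.docx,0
2008-01-14T10:11,carol,app_export,customer_ssn.xlsx,1
2008-01-14T10:12,carol,email_attach,customer_ssn.xlsx,1
2008-01-14T10:15,carol,im_send,customer_ssn.xlsx,1
2008-01-14T11:00,bob,app_export,branch_stats.csv,0
2008-01-14T11:20,dave,usb_copy,holiday_photos.zip,0
"""

# Transports by which data can leave the scope of the trusted application
# (hypothetical action names chosen for this example).
EXIT_ACTIONS = {"usb_copy", "email_attach", "im_send", "print", "cloud_upload"}


def parse_events(text):
    """Parse the CSV log into dicts, converting the sensitive flag to bool."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["sensitive"] = row["sensitive"] == "1"
    return rows


def flag_risky_users(events, threshold=1):
    """Return {user: [(transport, file), ...]} for users who exported a
    sensitive file from an application and then moved that same file out
    through at least `threshold` exit transports, whichever transport."""
    exported = defaultdict(set)   # user -> sensitive files exported from an app
    moved = defaultdict(list)     # user -> (transport, file) exit events
    for ev in events:
        if ev["action"] == "app_export" and ev["sensitive"]:
            exported[ev["user"]].add(ev["detail"])
        elif ev["action"] in EXIT_ACTIONS and ev["sensitive"]:
            moved[ev["user"]].append((ev["action"], ev["detail"]))
    flagged = {}
    for user, exits in moved.items():
        # Correlate: only exits of files this user actually pulled from the app
        hits = [(t, f) for t, f in exits if f in exported[user]]
        if len(hits) >= threshold:
            flagged[user] = hits
    return flagged
```

The non-sensitive print and USB copy are not flagged, while a file exported and then sent out by any transport is, which is the accountability over data handling the article asks for rather than a block on one device type.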
