Written by Dave McOlgan, CISA
Most CEOs of community financial institutions are fully aware of the assets that must be protected. Money (both physical and digital), reputation, and relationships are readily recognized as deserving of C-level attention, commanding budget and effort in policy, procedure, management and training. But what about your data? With everything else the leader of a community bank has in front of them, it can be easy to overlook the critical importance of information security. In fact, too often the protection of data is left solely in the hands of the IT department. This is surprising given that, for just about any financial institution, your data is likely the most valuable asset you have.
Of course this isn't to suggest that the CEO should take on direct management of IT or information security efforts. Rather, as with many facets of the organization, it's the CEO's responsibility to set the policy and direction so that others can effectively manage. Information security is no exception. The good news is that, contrary to a common misconception, setting information security policy requires very little technical knowledge or experience.
If you're not already familiar with these, here are some key terms that can help in this effort:
- Segregation of Duties - It's the IT leader's job to manage and secure the infrastructure of the organization. It's the Information Security Officer's job to safeguard your data, digital and otherwise, and to create a culture of security. These are complementary but distinctly independent roles. In fact, oversight of IT, with respect to information security, is the ISO's responsibility. One person should not hold both of these positions, because the person who operates the systems should not also be the only person who checks that they are operated securely.
- Change Management - Many of your IT controls exist to protect the integrity and security of your data (information security). Any exception to, or change in, these controls should be subject to a change management policy and specific procedures: who may request a change, who must approve it, how it is tested, and how it is documented. Again, this is part of the ISO's oversight of IT.
- Life Cycle Planning - Simply put, old equipment means greater risk, both of failure and of breach. Hardware and software that have passed their vendor's end of support no longer receive security patches, which leaves known weaknesses permanently open. This applies to both hardware and software, but the focus is workstations, servers, firewalls, switches and routers. From a policy standpoint, it's good practice to determine how often these resources should be replaced. It doesn't matter whether it's every 3, 4, 5 years or more; your budget and risk appetite should drive this. But it shouldn't be left to "replace it when it breaks." This policy will also please your CFO and CIO: the CFO is better able to budget and the CIO is better able to plan, and neither has to beg for funds every time something breaks.
- Principle of Least Privilege - This one is simple: only allow access to those who need it to do their job, and only as much as they need. This not only helps protect your data, but can also reduce required system resources and software licensing. It should already be in place in some parts of your organization (think HR records). Extending it across the enterprise will enhance the security of your data and should not impact employee effectiveness, provided access is reviewed periodically so that rights do not accumulate as people change roles.
- Data Classification - Your data will vary greatly in value and importance, from public information to customer account data. It should be categorized and classified based on its nature and sensitivity, and the controls applied to it should match that classification. If you can't identify it and find it, you can't protect it. Setting policy that names an owner for each category of data is a good first step in classifying and securing it.
While this list is by no means exhaustive, it does provide a starting point for a better understanding of information security policy and better protection of your data. Spending some time exploring these areas and working with your team to make them part of your policy and procedures will be well worth your while.