February 2016 SAFE Newsletter
Security and Compliance: A Necessary Marriage in the Financial Industry
An “effective [compliant] information security program is not static.” It is an ever changing relationship where security protections rapidly grow as technology becomes more progressive, while compliance requirements are slow to change. [i] This tenuous relationship between security and compliance does not have to be a hindrance to advancing security protections within your financial institution or firm. It can actually turn into a symbiotic relationship where the progressive technology landscape assists in the understanding and implementation of compliance principles to create a marriage of two concepts that results in a realistic increase in information security protection.
In order to structure the financial institution or firm to incorporate both security and compliance into a fluid risk-based information security program that actually protects the organization, it is very important to have a complete understanding of compliance rules and regulations, rather than simply following every compliance release from regulatory bodies. Understanding the concept that “A bank’s information security program should evolve as the operating environment and the threat landscape change”, is the first step in creating the fluid marriage between security and compliance.[ii]
The operating environment becomes the rules and regulations that a financial institution or firm are required to implement; the ever changing threat landscape is where more advanced security protection tools can be utilized to achieve the necessary requirements and better protect the organization.
Increasing security protections in your financial institution while adhering to compliance rules and/or guiding principles requires consideration of these four (4) traditional information security components:
- Corporate Governance for Information Security
- Threat Intelligence
- Security Awareness/Training
- Patch Management
By structuring the financial institution’s or firm’s risk control structure to cover these four (4) components, the organization builds a capability to continuously evaluate its information security program and incorporate improvements as well as fostering a corporate culture where processes and procedures are understood and followed in an effort to protect the organization against threats in an ever changing technological landscape. Realizing that building this symbiotic relationship between security and compliance is an important element for financial institutions and firms can really open doors to increased protection of confidential and sensitive data while complying with various rules and regulations financial institutions and firms are required to follow.
Supervisory Insights Journal, Winter 2015 Issue p 5
Supervisory Insights Journal, Winter 2015 Issue
The Identity Crisis of the FFIEC Cybersecurity Assessment Tool