March 2016 SAFE Newsletter
GEIT Compliance: How Governance of Enterprise IT Achieves Compliance
Information Technology (IT) has long been considered an operative cost of a financial institution or firm’s strategy. An enabler to achieve business objectives and goals. Today, this is no longer the case. IT is now an integral part of overall strategy and achieving satisfactory compliance. Building a governance model that incorporates enterprise IT into Corporate Governance with a strong emphasis on regulatory compliance can assist a small to medium sized financial institution or firm in assuring that they achieve IT Compliance throughout the organization.
The concept of Governance of Enterprise IT (GEIT) incorporates a system in which all stakeholders, including the board, senior management, internal customers and departments, provide input into decision making. By incorporating input from all of these areas the financial institution or firm ensures that IT delivers value to the business and that IT risk is properly managed based on various business objectives and more importantly regulatory principles. The most important aspects of GEIT for a small to medium sized financial institution or firm is the need to meet regulatory requirements while selecting service providers that will optimize IT cost and deliver solid technology, while protecting information. Furthermore, a strong GEIT will incorporate information security as it relates to the entire organization. Incorporating security policies from various operations and staff functions to ensure that there is fair representation and that no area or department is favored. By incorporating information security and corporate governance into the GEIT, IT compliance will be fully realized and achieved because the information technology department is focused on protecting all information regardless of the system or department where that information resides.
Conversely, if a financial institution or firm continues to utilize a narrow approach to IT compliance, specifically, relegating it to an operational cost, specific systems deemed critical to the business, and/or relying solely on IT Management or specialists to protect information, then the organization may run into pitfalls when it comes to compliance. These pitfalls occur because a GEIT with a narrow view does not encapsulate the IT values of, benefit realization, risk optimization, and resource optimization. Instead it stagnates IT and creates disconnects between the corporate strategy, the IT strategy, and overall IT compliance. These disconnects can be resolved by incorporating the values of corporate information security into IT policies and procedures resulting in the following specific value drivers: confidentiality, integrity and availability of information, continuity of services, and protection of information assets. By focusing on these value drivers IT can ensure that it is aligning its policies and procedures with the corporate strategy and compliance principles.
Fishing out Phishing Scams
In order to achieve compliant IT, a financial institution and/or firm can no longer solely protect systems that collect, process, and store information. Rather data, as well as the information and knowledge based on them, must be adequately protected. As part of adequate protection, financial institutions and firms should implement end user training with a focus on learning to identify a phishing scam.
Within the financial industry, phishing scams are still the most prevalent method utilized to obtain access to information. Phishing scams come in a number of different forms such as emails, text messages, websites and phone calls. Additionally, cybercriminals utilize phishing formats to install malicious software and/or utilize social engineering to obtain personal information that is then utilized to commit rogue activity. Since phishing scams prey specifically on human behavior, training end users to be vigilant in realizing the tell-tale signs of a phishing scam helps to protect the financial institution’s and/or firm’s network. More importantly being able to detect phishing scams assists the organization in protecting customer information. To a financial institution and or firm protecting customer information is of utmost importance and regulatory repercussions may occur if this information is not properly protected. Training end users to realize and identify potential phishing attacks increases network protection in a proactive manner and incorporates end uses, the people most likely to recognize the first signs of a phishing scam, into the process.
Fill in the Blanks with the correct word/s.
IT is now an integrated part of the overall ___________ and ___________ __________ __________.
2) achieving satisfactory compliance