In the vault
When it comes to protecting financial info, IT security professionals can never rest on their laurels, reports Jean Thilmany.
Financial institutions must go to great lengths when it comes to protecting information, whether that information resides in-house or is accessible to its customers online.
To achieve these goals, these organizations must adopt new technologies, ramp up online banking options, and deal with employee turnover. That's why these firms continually need to review the security measures in place, says Christian Leuenberger, project manager at the Credit Suisse Group, a financial services headquartered in Zurich.
“Reviewing all security aspects is a permanent task of a bank,” Leuenberger says.
People's United Bank, the largest regional banking organization headquartered in New England, certainly adheres to that rule. A recent internal audit pointed out the need to protect and control employee access to data stored on in-house networks. In response, the bank implemented a new tool to review employee access to bank data. In essence, the tool helps IT officials control who has access to what, says Greg Kyrytschenko (right), the bank's director of information security.
The application assigns employee read-and-write privileges only to the files they absolutely need. And it provides insight into file views to get a bird's-eye perspective into how often data was tapped.
The latter information is printed regularly as a report and can be helpful to flag suspicious behavior, i.e., an employee that may be about to resign and plans to take important documents with them.
“This gives us visibility we haven't had in the past,” Kyrytschenko says.
Most users only need access to a small fraction of the data that resides on file servers. Those users with access to information not necessary to their tasks are a security risk, says Johnnie Konstantas, vice president of marketing for Varonis Systems. Her company makes the data governance solution that People's United implemented in March.
Nearly every organization relies on spreadsheets, presentations, documents and blueprints stored on a central server or network. Solutions such as those implemented at People's United Bank, control and manage employee access to broad portions of this information by expressly granting employees permission to access only relevant network folders.
Indeed, according to a recent Identity Theft Resource Center survey, 16 percent of security breaches reported for 2008 came from insiders, up from six percent for the same time period in 2007. Yet, 76 percent of organizations don't have a process in place to determine which employees should have access to pertinent data.
About 80 percent of all business information is comprised of unstructured information, or all information not housed within a database, according to a Ponemon Institute survey. It is this type of information that requires controlled access.
“For financial institutions, that could be customer data with credit card number or software code, or even images from a surveillance camera in your building,” Konstantas says.
With seven banks and more than 300 branches across New England, People's United boasts $21 billion in annual assets. It recently acquired a new bank, bringing employee numbers to around 5,000. And the bank has plans for future growth, says Kyrytschenko. With that number of employees, the bank needed a way to grant permission to only the data an employee needs to get their job done.
When a user opens or touches a file, the application makes a record of it. With those records in hand, IT can review all the files an employee opened or created, as well as see from which IP address they accessed the data. A home address may raise a red flag. IT can also search any number of an organization's file servers when reviewing data.
“This provides very rich forensic detail that would come into play if you had to demonstrate unwarranted activity or over-activity by a user,” says Varonis' Konstantas. People's Bank began assigning file rights and collecting file-view data in March.
“Right now we're identifying forensics and cleaning up some of our access. Where there's been global access, we're scaling that back,” Kyrytschenko says. “And where there's been over permission, we're getting the visibility we need to understand the impact of any changes we make before we make them.”
The solution also ensures permissions to data are revoked when employees change position or quit the bank. Permission revocation is an oft-overlooked aspect of security clearance, Konstantas says.
The audit at People's United pointed out the need for the employee-permit solution. But while Leuenberger of Credit Suisse champions continued security assessment, sometimes those assessments determine things are fine just as they are, he says.
For instance, Credit Suisse constantly monitors the process by which its customers access their own data. For more than a decade, the Swiss corporate customers of Credit Suisse have used security tokens, in addition to passwords, to authenticate themselves for online account access. The physical tokens work in conjunction with a password or personal identification number to provide a reliable level of user authentication, Leuenberger says.
The token hardware generates an authentication code at fixed intervals. Credit Suisse uses the RSA SecurID authentication mechanism from RSA.
But the financial institution assumed the tokens – threatened by the continuous evolving capabilities of potential hackers – would have to be replaced in the future. It recently decided to conduct a security assessment of the tokens. The bank assessed how vulnerable the token-protected sites were to attack and asked customers how secure they felt about the multilayer protection the bank offered.
The security assessment found that the tokens could offer a sufficient degree of security for the next several years. It also found that customers were comfortable with the tokens, finding them simple to use and portable. They also were likely to resist solutions perceived as being less convenient, flexible or safe, Leuenberger says.
SOX: BEST PRACTICES
Research reveals major success factors for SOX compliance Recent research conducted among organizations in North America and around the world helps illuminate what appears to be working when it comes to SOX compliance. Organizations with the least IT control deficiencies:
- Deliver continuous training to employees while ensuring accountability with policy;
- Restructure the risk management function, internal controls, and IT security;
- Reallocate IT expenditures by shifting spending from consultants and contract labor to automated tools;
- Automate IT measurements, reporting, controls, change management processes, and IT security policies;
- Focus on managing risk to improve IT controls, info collection, and reporting.
Source: Symantec, 2008 Annual Report: IT Governance, Risk and Compliance