Pub. 7 2012-2013 Issue 1

May/June 2012 15 Extraordinary Service for Extraordinary Members. Security, Not Compliance Stephanie Chaumont , CISA, CISSP, Security+ and Carl Cope , CISA, CISSP, CoNetrix I ATTENDED A CONFERENCE WHERE I had the privilege of hearing a state examiner speak about corporate account takeover. One idea he expressed has stuck with me the last few days: “We have to make this a se- curity issue, not a compliance issue.” Howmany of you have been struggling with the latest FFIEC supplement for Internet Banking? Are you feeling it’s yet another compliance mandate? Is your biggest concern to please an examiner, or provide the best security for your customers? When understanding this is a secu- rity—rather than compliance—issue, it’s easy to see the importance of a risk assessment. Learning how attackers gain information from your custom- ers and which types of customers are most vulnerable can help your organi- zation understand what controls are needed. You may currently have the same controls for retail customers and commercial customers, but seeing the difference in risk levels for those types of accounts will help you make more informed decisions about multifactor authentication, out-of-band transac- tion authorizations, etc. A risk assess- ment is a valuable security tool rather than a compliance exercise. The guidance also addresses cus- tomer education. So, have you provided yet another disclaimer in a tiny font for your customers? If so, you technically made those resources available to them but, if we’re honest, whoever reads any of those? Your customers (even com- mercial customers) probably do not have the level of security awareness training you provide for your staff. They likely do not understand the need for information security. As a result, they may be the weakest security link against corporate account takeover. They need to know about the risks of online bank- ing as well as the controls they could and should put in place. You, as their financial institution, serve as the best means for education. Just as it is for good teachers everywhere, it’s up to you to make the information relevant and easy to retain. The last area the supplement ad- dresses is the notion of layered security. The supplement specifically states that, “financial institutions should not rely solely on any single control for autho- rizing high-risk transactions, but rather institute a system of layered security.” With layers of security, if attackers get past one security control, there are other layers to thwart their attempts to access information or funds. Most banks have already embraced a layered security approach, recognizing its im- portance aside frombeing a compliance requirement. Prior to the release of this supplement, I have seen banks requir- ing out-of-band authorization for wires, tokens for commercial customers, etc. It was nice tomeet an examinermore concernedwith real-world security than a compliance checklist. Acknowledging the security benefits of assessing risk, implementing layered security controls, and educating your customers will go a long way in providing better quality controls and education materials for your Internet banking customers. And if you are driven by the goal of security, youmight not even notice you took care of your compliance as well.  Stephanie Chaumont and Carl Cope are security and compliance consultants for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit the CoNetrix website at www.conetrix.com .