
A white paper excerpt by the Reymann Group and TraceSecurity on Governance, Risk Management and Security Compliance Just Got Easier for Banks and Credit Unions.
Today’s information security and technology risk management initiatives have evolved from cross-industry recognized best practices. The best practices of yesterday that were recognized by a few are now today’s mandates for the many. Early adopters of these best practices realized that they could successfully address multiple concerns with a simple yet thorough approach to automation of governance, risk management, and compliance practices. By adopting a culture of continuous risk management that leverages the right automated solutions and instills individual awareness and responsibility among employees, they have achieved compliance by default – not as a separately funded project for each compliance mandate. This compliance by default strategy allows them to capitalize on the common theme of best practice that is the inherent nature of many regulations. It also reduces the overall cost of such risk management activities, while increasing their risk management success.
For example: an automated ability to assess risks; monitor the security posture; identify vulnerabilities; alert key personnel to trouble; publish policies; remind employees to stay current and acknowledge policy awareness; and track and enforce internal compliance with and acknowledgement of corporate policies will enable an institution to comply with numerous mandates, while continuously managing risk that could affect its financial stability. Implementing industry-recognized technological and human governance, risk management, and compliance best practices will position it with a strong posture for the next wave of audits and attacks, while lowering its cost of operation.
All institutions need to adopt a GRC best practice culture throughout the organization that begins with the strategic and quantifiable assessment of risk to enable appropriate identification and cost-effective implementation of the needed controls. Specifically, every control has some cost associated with it. Therefore, it is imperative that each financial institution implement only those controls that minimize its exposure to probable outcomes that have a material effect on its financial stability. In short, every control needs a cost-effective risk-based business reason to be put in place. Done right, an institution’s risk assessment activities will streamline operations, enhance employee productivity, avoid or lower cost of controls, and eliminate controls that may have an unwanted effect on stakeholder value.
Proactive risk management best practices are needed.
Over the last several years, we have seen institutions enhance the use and management of technology and electronic information. Initially, institutions adopted information technology and security best practices to mitigate the perceived or actual risk to the organization’s network, facilities, employees, and customers. Many of these practices began as a reactive response to a specific risk event or threat. More recently, however, new challenges are emerging, ranging from complying with regulatory mandates to ensuring your institution is protected against internal and external threats. The time from discovery of a new threat or vulnerability to identifying its effect on your institution or customers has shrunk from days to hours, and in many instances, seconds.
The immediate and catastrophic effects that such risk events can have on an institution’s financial stability and its survival have dramatically changed over time. Two well-known examples of this are the ChoicePoint and TJX incidents.
ChoicePoint experienced a 16 percent drop in its stock price in the three months that followed its February 2005 data breach. In January 2006, ChoicePoint settled with the Federal Trade Commission for $10 million in civil penalties and $5 million for consumer redress. In January 2008, ChoicePoint agreed to pay $10 million to settle a class action lawsuit.
In April 2007, three states' banking associations (MA, CT, and ME) filed a class action lawsuit against TJX to recover the costs of damages totaling "tens of millions of dollars" incurred for replacing customers' debit and credit cards associated with the TJX December 2006 data theft incident. Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc. An InternetNews.com article estimates TJX expenses at $500 million to $1 billion. In a settlement with VISA USA, TJX will pay a maximum of $40.9 million to fund an alternative recovery payments program for customers affected by the breach.
Financial institutions have realized that a reactive response strategy leaves them vulnerable.
Everyone, from security personnel and staff to executive management and the board of directors, is increasingly aware of the threats, risks, and responsibilities. They are concerned not only about the internal and external disruptions these threats cause, but also about the additional responsibilities and costs of ensuring compliance with laws and rules while maintaining business continuity and the safety of corporate and customer data. This is the business problem that information technology and security GRC is intended to address.
Financial institutions now need an automated continuous risk management capability. They need to establish a culture of proactive technological and human risk management throughout the enterprise with a formal methodology that leverages the right people, practices, and technology on a continuous basis – not a point-in-time project basis.
A static information technology and security program provides a false sense of security and will become increasingly ineffective over time. Monitoring and updating the security program is an important part of the ongoing cyclical security process. All organizations should continuously assess risk to gather and analyze information regarding new threats and vulnerabilities, actual external or insider attacks on the organization or its interlinked business partners, and the effectiveness and cost benefits of the existing controls.
Each institution should gain assurance of the adequacy of its risk mitigation strategy, operations, and tactics. Security personnel and system owners should collaborate to assess risk, monitor for new vulnerabilities, and develop appropriate mitigation solutions to address them. Technology-based examples of such best practices include:
• Establishing an effective process that monitors for vulnerabilities in hardware and software, and installs and tests security patches.
• Maintaining up-to-date anti-virus definitions and intrusion detection attack definitions.
• Monitoring network and host activity to identify policy violations and inappropriate behavior.
• Monitoring host and network conditions to identify unauthorized configuration and other conditions, which increase the risk of intrusion or other security events.
• Analyzing the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to vulnerabilities and security events.
• Responding to intrusions and other security events and weaknesses to appropriately mitigate the risk to the institution and its customers, and to restore the institution’s systems.
By implementing GRC best practices like these, financial institutions can more effectively mitigate information risk, fulfill compliance requirements, and ensure that their risk management expenditures are more closely aligned with their actual vulnerabilities.
Download the complete white paper which includes more information on TraceSecurity’s continuous IT GRC solutions or contact TraceSecurity at 1-877-275-3009; fst@tracesecurity.com or www.tracesecurity.com/fst.