Sophie Louvel, analyst, Financial Insights

Growing Roles and Responsibilities for Bank Information Security Departments

Before Y2K, information security was rarely discussed in bank board meetings. Today, it's a key component of bank exams.

Before Y2K, information security was rarely discussed in bank board meetings. Today, evaluating directors' and officers' knowledge and supervision of a bank's information security program is a key component of an information security bank exam.

The importance of information security (IS) in the banking industry has grown tremendously over the last five years due to a combination of factors. These include regulatory requirements mandating information protection, the growth of electronic banking, and the increasing number of individuals (employees, customers and third parties) with access to enterprise data. In the banking industry, the catalyst for developing formal information security risk management programs was the Gramm-Leach-Bliley Act's Section 501(b), which requires financial institutions to implement an information security program that can ensure the integrity, security and confidentiality of customer information. More recent legislation, such as California Senate Bill 1386 and the Sarbanes-Oxley Act, has reinforced the need for strong security controls around customer and financial information.

These laws have led to greater alignment between information security programs and business objectives. Risk assessments and reporting are conducted quarterly and reports are more meaningful to business units. In addition to greater alignment with business priorities, these laws are allowing information security departments to spend a greater percentage of the IT budget to automate risk monitoring and to implement new security controls as needed.

Where Are Banks Investing the IS Budget?

One of the key focuses of 2004 has been enhancing controls around employee access to information. Several banks are implementing employee access rights management solutions that tie an employee's rights specifically to his or her role, thus ensuring that employees access only the information and systems they need in order to perform their jobs. Another focus area has been more secure employee authentication; the current emphasis is on single sign-on platforms that allow employees to use the same username and password to access all applications. For example, one bank disclosed that it was using RSA's ClearTrust Web access management solution to manage single sign-on access. Future authentication solutions may include biometrics or tokens as means of granting access to PCs or applications. Several other large banks have already implemented voice authentication solutions to secure employee password resets.
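The "rights tied to role" model described above, in working form: permissions come only from the roles assigned to an employee, anything not granted by a role is denied, a job change replaces (rather than extends) the old role so entitlements do not accumulate, and every denial is recorded for review. This is an added illustration, not code from the article or from any bank or vendor mentioned in it; the roles, permissions and user names are constructed sample data.

```python
"""Role-based access checks with deny-by-default and an audit trail.
All roles, permissions and users below are constructed sample data."""
from dataclasses import dataclass

# Role -> set of (resource, action) pairs the role may perform. Any pair
# not listed under one of a user's roles is refused.
ROLE_PERMISSIONS = {
    "teller": {("customer_account", "read"), ("customer_account", "deposit")},
    "loan_officer": {("customer_account", "read"), ("loan_file", "read"),
                     ("loan_file", "write")},
    "it_admin": {("server_config", "read"), ("server_config", "write")},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AccessPolicy:
    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.user_roles = {}   # user -> set of role names
        self.audit_log = []    # every denied request, for periodic review

    def assign_role(self, user, *roles):
        """Replace, not extend, a user's roles, so a transfer to a new job
        does not leave the previous job's entitlements behind."""
        unknown = [r for r in roles if r not in self.role_permissions]
        if unknown:
            raise ValueError(f"unknown roles: {unknown}")
        self.user_roles[user] = set(roles)

    def effective_permissions(self, user):
        """Union of the permissions of all roles held by the user."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions[role]
        return perms

    def check(self, user, resource, action):
        """Deny by default; log denials so the IS team can spot probing."""
        if user not in self.user_roles:
            decision = Decision(False, "no role assigned")
        elif (resource, action) in self.effective_permissions(user):
            decision = Decision(True, "granted by role")
        else:
            decision = Decision(False, f"no role of {user} permits {action} on {resource}")
        if not decision.allowed:
            self.audit_log.append((user, resource, action, decision.reason))
        return decision

    def users_with_access(self, resource, action):
        """Access review: which users can perform this action on this resource?"""
        return sorted(u for u in self.user_roles
                      if (resource, action) in self.effective_permissions(u))


def build_sample_policy():
    """Constructed sample staff: a teller, a loan officer and an IT admin."""
    policy = AccessPolicy(ROLE_PERMISSIONS)
    policy.assign_role("alice", "teller")
    policy.assign_role("bob", "loan_officer")
    policy.assign_role("carol", "it_admin")
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.check("alice", "customer_account", "deposit"))   # allowed
    print(p.check("alice", "loan_file", "write"))            # denied
    p.assign_role("alice", "loan_officer")                   # alice moves to lending
    print(p.check("alice", "customer_account", "deposit"))   # teller right is gone
    print(p.users_with_access("loan_file", "write"))
    print(p.audit_log)
```

The `users_with_access` review is the question an examiner asks most often ("who can write to loan files?"), and answering it from the role table rather than from individual account settings is the practical payoff of tying rights to roles.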

Other major technology projects taking place across financial institutions include investments in detection tools to monitor unauthorized or suspicious movements and access to data and systems. These detection tools range from monitoring of e-mail content from Tumbleweed to intrusion detection solutions from Cisco and Symantec, for example. In the intrusion detection space, newer investments are in host intrusion detection versus network level detection, as most financial institutions already have robust network-level security controls.

Security is a dynamic process. Attacks against systems evolve as hackers and fraudsters continuously identify new ways to break through a firm's security shields. Thus, the most important part of an information security program is implementing processes to continuously assess security risks in order to allow firms to respond as quickly as possible with stronger controls if necessary. Financial institutions have been investing in vulnerability management solutions to automate these risk assessments.

Responsibilities Beyond the IS Department

As the importance of information security has grown, so too has the involvement of information security representatives in technology purchase decisions.

IS groups today are responsible for conducting much more thorough evaluations of vendor security capabilities than in the past, and they have been voicing their opinions about these capabilities directly to the business executives with the purse strings. At one large bank, one of the major IS projects completed recently was the development of a Web-based questionnaire to be filled out by current and potential vendors to evaluate their security capabilities.

Bank IS groups have also taken a leadership role in educating employees about their information security responsibilities. In many cases, this requires more than education. Rather, it requires a true change in corporate culture from one dominated by uninhibited information access and exchange to one where information is viewed as an asset to be appropriately categorized and secured.

Perhaps the more difficult task for IS professionals is trying to reach out to bank customers to teach them about the risks they are incurring when they reveal their personal information. Many banks will admit that their greatest security risks come from their customers who fall into the traps fraudsters design to capture the customer information banks work hard to protect. This is why so many of the largest financial institutions are devoting significant marketing and ad dollars to educate customers on the risks of identity theft.

Sophie Louvel is an analyst with Framingham, Mass.-based Financial Insights. She can be reached at
