July 28, 2006

Computers obviously are an integral component of the modern banking infrastructure. But what becomes of a computer once it is removed from a bank's network? The once-invaluable asset now represents a major risk for financial institutions, according to experts.

Off-network computers often contain sensitive data, but there is a "gray hole" once computers leave a secure environment, says Robert Houghton, president of Redemtech (Columbus, Ohio). The company has developed a product called Lock-it that, by its description, encrypts a computer's file system but not the data itself, so that the hard drive appears blank. (A practitioner should note the distinction: if only the file-system structures are encrypted, the file contents remain on the platters and can be recovered by carving the raw disk, so a product of this kind controls casual access to staged equipment rather than sanitizing it.) Because of these risks, managing end-of-life hardware -- equipment destined for resale, recycling or redeployment -- has become a focus of asset-management programs, particularly following a number of incidents in which firms' old computers have been misappropriated.

For example, in May, San Francisco-based Wells Fargo ($492 billion in assets) reported that a computer containing confidential consumer information was stolen while being transported to Wells Fargo Home Mortgage. While law enforcement officials said the theft likely was for the hardware and not the sensitive data, Houghton stresses that the consequences of not protecting customer data are severe.

The Safeguards Rule under the Gramm-Leach-Bliley Act requires financial institutions to have a security plan in place to protect consumers' personal information. In January, the FTC fined ChoicePoint a total of $15 million for failing to adequately protect customer data. But even if fines are not levied, security breaches can hurt banks' bottom lines. According to Houghton, each customer record that is breached costs the bank $90, and one lost laptop could cost a bank as much as $7 million.

And, "That's just the hard stuff," says Frances O'Brien, research VP for Gartner (Stamford, Conn.) and the author of a February report that outlines best practices for PC disposal (see sidebar below). When security is breached, a bank's reputation is at risk, O'Brien points out. Customers may question whether or not that bank is the right place for their business, she says.

Maintaining Consumer Confidence

Following the May security breach, Wells Fargo tried to assure the public that it was working to protect consumer data. In a release, it listed steps it takes to protect information, including training employees how to safeguard customer information; instituting policies and procedures for the proper physical security of workplaces, equipment and records; ensuring that outside vendors adhere to strict policy standards; and evaluating and adopting new technology to protect against unauthorized access to customer data.

According to Redemtech's Houghton, off-network hardware is most vulnerable when equipment is decommissioned initially and then staged somewhere in the bank, and when equipment is being transported to new locations or to outsourcers. But there are ways to ensure that sensitive data stored on used computers is not compromised. "The best practice [for data sanitization] is encryption," Houghton says. But, he adds, "The reality is that data encryption is expensive."

For this reason, most organizations aren't using encryption, Gartner's O'Brien says. Rather, physically locking up computers is the go-to method of securing off-network assets for many banks, she adds, explaining that this should be sufficient if those assets are closely monitored. "The first point of failure is losing track of it once it's off the network," O'Brien says.

Many banks won't let their off-network assets even leave the premises without being scrubbed, O'Brien says. Some banks even rent mobile shredders to physically destroy used hard drives.

Inventory Control

Short of encryption, Redemtech's Houghton says, banks' options for securing off-network assets revolve around two basic elements: physical control and chain-of-custody tracking. Physical control means inventory control and accountability: knowing which machines and drives exist, where they are, and who is responsible for them. Unfortunately, many financial organizations don't manage out-of-service assets this rigorously, Houghton contends.

Chain-of-custody tracking means recording where each asset is at every point in time as it is transported or stored, Houghton says. An audit trail of data destruction is an integral part of that record. "An organization needs to be able to close the loop effectively," Houghton says. That requires detailed reporting on a hard-drive by hard-drive basis, he explains: which drive was sanitized, how, by whom, and whether the result was verified.
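The per-drive audit trail Houghton describes can be made concrete in code. The following is an added example, not code from the article or from Redemtech or Gartner: it overwrites a small in-memory stand-in for a drive, performs a full read-back verification rather than trusting the wipe tool's exit status, and appends each custody event (removal from the network, sanitization result) to a hash-chained log so that a deleted or altered entry is detectable. The drive serial, asset tag, operator name and the "customer" records in the sample image are all constructed for illustration.

```python
"""Post-wipe verification plus a per-drive, hash-chained custody log.

Added example for illustration; not the article's or any vendor's code.
Serials, asset tags, operators and the sample drive image are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

BLOCK = 512  # sector size used for the overwrite and the read-back check


def make_sample_image(size=8 * BLOCK):
    """Constructed stand-in for a decommissioned drive: a few 'customer'
    records scattered among otherwise zero-filled sectors."""
    img = bytearray(size)
    rec1 = b"ACCT:000123|NAME:J. Doe|SSN:xxx-xx-1234\n"      # constructed
    rec2 = b"ACCT:000456|NAME:A. Smith|CARD:****5678\n"      # constructed
    img[0:len(rec1)] = rec1
    img[5 * BLOCK:5 * BLOCK + len(rec2)] = rec2
    return img


def wipe(img: bytearray) -> None:
    """Single-pass zero overwrite of every sector (the 'scrub')."""
    for off in range(0, len(img), BLOCK):
        img[off:off + BLOCK] = bytes(min(BLOCK, len(img) - off))


def verify_wiped(data):
    """Full read-back verification, not a sample.
    Returns (True, None) if every byte is zero, otherwise
    (False, offset_of_first_nonzero_byte) so the failure is reportable."""
    zero = bytes(BLOCK)
    for off in range(0, len(data), BLOCK):
        chunk = bytes(data[off:off + BLOCK])
        if chunk != zero[:len(chunk)]:
            for i, b in enumerate(chunk):
                if b:
                    return False, off + i
    return True, None


class CustodyLog:
    """Append-only event list. Each entry stores the SHA-256 of the previous
    entry, so removing or editing any earlier entry breaks verify_chain()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.events = []

    def append(self, serial, asset_tag, event, operator, **extra):
        prev = self.events[-1]["entry_hash"] if self.events else self.GENESIS
        entry = {
            "serial": serial, "asset_tag": asset_tag, "event": event,
            "operator": operator,
            "time": datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev, **extra,
        }
        entry["entry_hash"] = self._digest(entry)
        self.events.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_chain(self):
        prev = self.GENESIS
        for e in self.events:
            if e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def sanitize_and_record(log, serial, asset_tag, img, operator):
    """Decommission one drive: log its removal, wipe it, verify by read-back,
    and log the result with the post-wipe image digest. Returns the verdict."""
    log.append(serial, asset_tag, "removed_from_network", operator)
    wipe(img)
    ok, first_bad = verify_wiped(img)
    log.append(serial, asset_tag, "sanitized", operator,
               method="overwrite-zero-1pass", verified=ok,
               first_nonzero_offset=first_bad,
               post_wipe_sha256=hashlib.sha256(bytes(img)).hexdigest())
    return ok


if __name__ == "__main__":
    drive = make_sample_image()
    log = CustodyLog()
    print("verified:", sanitize_and_record(log, "SN-CONSTRUCTED-01", "BNK-0042", drive, "tech1"))
    print(json.dumps(log.events, indent=1))
```

The read-back step is the part that gives the audit trail its value: the record says not just that a wipe was run but that the verifier read every sector back afterward. One caveat that the page's era did not face as sharply: a host-visible read-back proves only what the drive chooses to return. Reallocated sectors on spinning disks and wear-levelled blocks on SSDs are not reachable this way, which is why drive-native secure-erase commands or physical destruction, as the article's shredding example describes, are preferred when the data is sensitive enough.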

According to Gartner's O'Brien, most large banks now are doing a good job of off-network asset management. Prior bad experiences have led them to make changes. O'Brien relates the story of a bank employee spotting her bank's computer for sale at a local charity auction -- with the bank's name still on the side of the computer. That incident, she relates, led to changes at the bank.

O'Brien notes that while some companies manage off-network assets internally, Gartner recommends outsourcing the process. In addition, the CFO or someone in compliance should be "on the hook" for this, O'Brien says. "Ultimately, this boils down to a risk-mitigation issue."

PC Disposal Best Practices

• Develop a program for the ongoing disposition of all PCs.

• Develop strategies to determine the optimal time to retire or redeploy a PC.

• Inventory equipment in storage to budget for disposal costs, and keep it to a minimum.

• Document all disposal transactions.

• Develop an audit program to ensure that the processes developed are being followed.

• Audit service providers at least once a year to ensure that they are following the processes specified.