Employee training programs promote a vigilant corporate culture by addressing information risk measurement and management within a framework of policies supported by documented procedures. All of these features -- management information, communication, training, and an IS framework -- contribute to a strong governance culture. Information security professionals are often the drivers behind the creation of such programs and features.
Here are examples of strategies that security professionals can use to protect a financial institution from the rogue employee:
Evaluate data: Executives should encourage managers to analyze and digest reports by asking probing questions and demanding verification of the answers. In some cases information security professionals may be able to provide detailed guidance about what questions executives can and should be asking.
Evaluate data in an open-minded fashion: Patterns of fraudulent activity may consist of small transactions, large transactions, or a combination of both. Information security professionals can work with the business to help identify intriguing patterns.
Be vigilant: Smaller firms may have more limited resources to invest in controls. However, market makers and award-winning firms have more to lose and more opportunity to lose it. No firm is exempt from the need to be vigilant. Information security professionals should promote vigilance, particularly through training.
Exploit external alerts: When regulators or exchanges raise a question, it's often a good idea for information security professionals to take an active interest.
Pierce the cloud: Know the past techniques that have been used by rogues. Those techniques often rely on creating a cloud of distracting information. Reporting and management information (MI) should illuminate business activity, not obscure it. If MI is not furthering management's understanding of business operations, then information security professionals should work with the business to develop MI that does.
Look for anomalies: Exceptions can be typical, even critical, early warning signs. Examining front-back discrepancies, tracking cancelled or corrected transactions, locating deviations from regulatory capital requirements in relation to counter-party risks, defining tolerance thresholds and ceilings for transaction variances: these are all examples of the types of activities that can unearth useful, directional information. Security professionals may be able to educate the business about the opportunities that identifying anomalies create.
Stick to basics: The reasons for granting access to employees based on job profile -- rather than arbitrarily -- are valid. A successful financial institution may find it difficult to tailor the access of every employee upon hire, and it may find it challenging to adjust those credentials in a timely way when employees leave or transfer within the organization. Nevertheless, access credentials must be maintained. Neglecting access credentials, particularly when a transfer occurs, can lead to authorization creep (the accumulation of access rights beyond what is appropriate to a given function). Preventing authorization creep is essential to frustrating rogues. Security professionals, together with other governance functions, should work to ensure that compliance with access policies and standards is maintained.
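As an added illustration of the authorization-creep check described above (example code, not from the article or from any institution it names): a role-based access review that compares each account's provisioned entitlements with the profile of its current job and attributes any excess either to a previous role the employee transferred out of or to a direct grant outside any role profile. The role names, entitlements and accounts are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed role-to-entitlement map (hypothetical; not a real institution's).
ROLE_ENTITLEMENTS = {
    "trader": {"order_entry", "position_view"},
    "middle_office": {"trade_confirm", "position_view", "trade_amend"},
    "risk_control": {"position_view", "limit_override", "risk_reports"},
}

@dataclass
class Employee:
    user_id: str
    current_role: str
    granted: set                       # entitlements actually provisioned
    role_history: list = field(default_factory=list)  # oldest role first, current last

def excess_entitlements(emp):
    """Entitlements beyond the current job profile: the authorization creep itself."""
    return emp.granted - ROLE_ENTITLEMENTS[emp.current_role]

def creep_sources(emp):
    """Map each excess entitlement to the former role(s) that would have granted it,
    or to 'direct grant' when no role profile ever included it."""
    excess = excess_entitlements(emp)
    sources = {}
    for role in emp.role_history[:-1]:          # previous roles only
        for ent in ROLE_ENTITLEMENTS[role] & excess:
            sources.setdefault(ent, []).append(role)
    for ent in excess - set(sources):           # left over: never in any role profile
        sources[ent] = ["direct grant"]
    return sources

def review_transfers(employees):
    """Return {user_id: creep_sources} for every account exceeding its role profile."""
    return {e.user_id: creep_sources(e) for e in employees if creep_sources(e)}

# Constructed sample accounts: u1 transferred trader -> middle_office and kept
# order_entry; u2 is clean; u3 received an entitlement outside any role profile.
SAMPLE = [
    Employee("u1", "middle_office",
             {"order_entry", "trade_confirm", "position_view", "trade_amend"},
             ["trader", "middle_office"]),
    Employee("u2", "risk_control",
             {"position_view", "limit_override", "risk_reports"}, ["risk_control"]),
    Employee("u3", "trader",
             {"order_entry", "position_view", "trade_confirm"}, ["trader"]),
]

if __name__ == "__main__":
    for uid, src in review_transfers(SAMPLE).items():
        print(uid, src)
```

Running the review against a real entitlement export after each transfer batch turns the page's "recertify on transfer" principle into a repeatable control whose findings can be tracked to closure.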
About the author:
Keith White is a vice president in Credit Suisse's Information Technology Risk department. He established a global practice for reporting on and delivering against IT audit risks. He later developed and applied risk analysis techniques that were used to assess various technologies, and then developed a standard methodology incorporating applicable internal and external standards. His other duties have included serving as COO/CFO of Credit Suisse First Boston Infrastructure. Outside of Credit Suisse, he has contributed to the development of industry standards and has published articles on technology risk. He is a member of RMA's Operational Risk Management for IT committee and was instrumental in organizing its 2005 conference, held at Credit Suisse. Prior to Credit Suisse, he held a variety of positions with financial services firms and consultancies, including project manager, systems engineer, application developer, and credit risk officer.
This was first published in October 2008