BOSTON – What's the key to sustaining a comprehensive security and risk management program for one of the world's most well-known financial services firms? Its top information security executive says it's as simple as a clearly defined, globally implemented system for security, risk and compliance governance supported by a common policy framework.
It's clear what decisions are made at what level, and what the escalation path is to the next level, so there's never a decision that is not made.
Thursday at the Forrester Research Inc. Security Forum 2010, Daniel Barriuso, CISO of Zurich-based Credit Suisse, spoke about how the company, with more than 49,000 employees worldwide and more than $1 trillion in total assets, implemented and manages a program that can quickly adapt to new regulatory requirements, technologies and threats.
The company has four international business units: Switzerland, the Americas, EMEA and Asia Pacific. Each group operates using a shared set of global policies that provides consistent ground rules for information security, risk management and compliance.
Barriuso said with the help of business partners at Deloitte, Credit Suisse built an information security governance framework, featuring capability definitions and maturity models. It combines ISO, COBIT, Capability Maturity Model Integration (CMMI), and various regulatory requirements.
From there, Barriusso said, it used that framework to create a single catalog of controls applied across all four business groups. Internal policies and standards, authoritative requirements, and even the threat landscape as defined by the organization are all mapped against the controls catalog, which also enables more consistent security, risk and compliance reporting across the organization.
Each regional group has its own risk councils that oversee standard day-to-day policy decisions as dictated by the framework. In circumstances that require a higher authority, like a policy change that would be in conflict with stated policy for the organization as a whole, the issue would roll up to a defined set of global IT, security or risk management committees.
The first committee consists of IT stakeholders responsible for the security decisions within IT. Higher still is an IT risk management committee, which has broader membership and considers a wider range of business issues. At the top is a global risk management committee that serves as the Supreme Court for all major organizational risk decisions, ranging beyond security and compliance to financial risk as well.
"The way we work with this framework, it's clear what decisions are made at what level, and what the escalation path is to the next level, so there's never a decision that is not made. There is no policy on risk mitigation or risk acceptance on which you need to go around in circles to make it happen," Barriuso said. "We go to the right governance body, get an issue decided, make it happen and move on."
All regional groups have their own CISOs and the same staff hierarchies, making information sharing among groups easier. Only one group in each region deals with IT security, compliance and governance oversight.
The framework also ensures a consistent service catalog, which defines how each business unit handles oversight, regulatory management, risk assessment, incident response and ongoing risk remediation. Some services are delivered centrally, like policy, some are delivered locally, like risk assessments, and some are delivered locally but coordinated globally, like an incident response initiative affecting multiple regions.
As a result, the strategic coordination ensures information security, risk management and compliance are ongoing initiatives shared by stakeholders across the organization.
"We don't want to do one-off reviews; we want to know where we are all the time," Barriuso said. "We want to react quickly to the needs of the organization and drive proactive risk management and a wide variety of mitigation programs."
For instance, the company has a consistent user awareness and training program across all regions. Barriuso said the program includes classic online training as well as much more "interesting" scenario testing in which employees are presented with certain situations to assess how they react.
"For us, it's really key, being a financial organization, to be close to our users," Barriuso said. "They are the ones who protect clients' information."
Barriuso said the program wasn't implemented overnight; it took a long time and a lot of executive support. While he said it took a considerable amount of time to talk with senior board members and educate them about the problems and the proposed solutions, he said Credit Suisse has always valued confidentiality of customer data, so selling the program there was likely easier than it may be in other organizations.