The concept of an information security framework is somewhat amorphous, in part because even the phrase "information security" itself can be surprisingly subject to interpretation. At a minimum, a sound framework should provide a blueprint for how information security is governed, define the role of policy and procedure, identify applicable legal or regulatory requirements and support data classification standards and data breach response criteria.
How such frameworks are interpreted and implemented within financial firms remains wildly varied. For instance, are the controls around sensitive system IDs and passwords part of information security or part of a larger control framework? Is oversight of third parties part of information security or a larger vendor management framework? The lack of clear boundaries creates the challenge.
The answer is both. Information security must be highly integrated into many other operations and control frameworks within financial services institutions.
This tip will briefly describe some of the key principles to consider when building a framework and evaluating a number of standard industry resources against these principles.
When evaluating any reference materials for information security governance, the following principles should always be kept in mind.
- Information security must be managed as a business issue, not an IT issue. Unfortunately, many programs have their roots in IT because IT manages the systems with the most data. However, virtually all compromises are ultimately caused by careless people and poor procedure, not weak systems.
- It's a team effort. The governance program must have broad management support, with involvement from senior management, legal, human resources, compliance, audit, risk management and, of course, IT.
- Awareness is key. The more that people are aware of the risks, rules and their roles, the more they can make the governance program stronger. Information security cannot be managed by a team of experts; it must be everyone's responsibility.
With these principles in mind, we can begin to evaluate the various reference sources that are available to financial services firms to support their own information security governance program.
FFIEC guidelines: The materials given in the interagency guidelines on information security are one of the best resources, and certainly the gold standard for banks. Both the material found in the IT Examination Handbook under Information Security (PDF) and the interagency guidelines are the best available in terms of an overall "program" design and should be the main reference document for every financial institution.
ISO/IEC 27002 (formerly ISO 17799): The international standards document, created in 2000 and subsequently updated in 2005 and 2007, has been an influential tactical document since its creation. The roots of it can be seen in the Information Security section of the FFIEC's IT examination handbook. The cons of the ISO standard are that it is too technology-centric, does not provide a governance framework and includes broader themes of availability and integrity. However, it does contain some of the best data-control categories available and should be a standard-issue reference document for any information security officer.
PCI DSS: Created specifically for the payment card industry, the PCI Data Security Standard, like the ISO standard, does not provide a governance framework and is heavily IT focused, but it does provide broader language regarding procedural aspects (who has access to data and why). It also includes a detailed checklist that can be useful in designing an internal self-assessment process.
COBIT: While COBIT is a framework document by design, and a very good one, it is not as strong when it comes to information security. It can be an excellent resource for broad IT governance frameworks, but many of the deeper elements of information security management will be found in the above-mentioned documents.
Information security governance
Regardless of which materials financial institutions choose as a primary reference, the following concepts are central and critical to building a successful information security governance framework.
Policy: The program should be grounded in a clear, board-level information security policy that positions it as a business issue, mandates the need for a comprehensive program, delegates authority to the role of an information security officer (preferably NOT working in IT) and establishes clear reporting requirements back to the board of directors.
Program: A comprehensive program document that defines: clear roles and responsibilities; discrete program elements; how the overall program is governed; a risk assessment methodology; reporting requirements and testing methodology.
Risk Assessment: A risk assessment methodology that evaluates inherent risks; controls and residual risk to systems; data and physical records; and third parties. It is important to note that each of these four areas will have specific and unique business owners that all must participate in the risk assessment and risk mitigation process.
Policies and Training: The framework should include clear operating polices that outline specific dos and don'ts for managing data, as well as a regular, comprehensive training curriculum that is mandatory for all staff.
Response: A clear and well-tested set of procedures to respond in the event of a data breach that, like the program itself, includes both operational and senior management.
The key to information security governance is to remember that the goal is not absolute data restriction. We live with data in motion every day and we cannot do our jobs without the use of confidential data. The goal with information security governance is to build superior resiliency in how data is managed on a day-to-day basis and in our ability to respond should something go wrong.
About the author:
Eric Holmquist is the vice president and director of operations risk management at Advanta Bank Corp. He has over 25 years experience in the financial services industry and is a frequent industry author and speaker. He is responsible for the development and oversight of the bank's operational risk management program. In addition, Holmquist chairs the operational risk management for IT committee through the Risk Management Association. He is the author of "Risk-Sizing ORM – Scaling Operational Risk Management For The Small To Mid-sized Market", is a contributing author to "Operational Risk 2.0 (2007)" and "The Advanced Measurement Approach to Operational Risk (2006)."