The Field Report
There are 18,000 banking institutions in the U.S., and somebody has to blog about their breaches, concerns and security successes.
So, when I was having a conversation with the Managing Partner of my firm and touching on some of the more noteworthy details from the myriad meetings and activities that occurred during the week, there was one topic that surfaced a few times and it had nothing to do with current events.
So many of our clients expect leniency from examiners and external auditors because they perceive themselves as being small and not capable of addressing some of the control activities that are both required by law and expected of them. But in assuming their size factors into the equation, they're using flawed logic. The relationship that needs to be forged isn't controls relative to size, but rather controls relative to risk. Not having a network monitoring solution in place may be acceptable if your firewall is sufficiently configured and monitored and you have a strong anti-virus solution running; it's not acceptable if your only justification for not having one is that you're too small to need one. The threat to your customer or member data is every bit as real whether you're a small credit union or Bank of America. Take the "size matters" logic outside of the banking sector; if you frequented a small, local restaurant and used your credit card to pay for the meal, would you accept that their system security was any less reliable than McDonald's? So why would anyone running a smaller financial institution expect that they're obligated to do less than their larger counterparts in building out their infrastructure? The short answer is: They shouldn't.
Any financial institution can justify implementing or not implementing controls based upon a sound information security risk assessment. By identifying the risks to sensitive data within either a business or operational process and assigning controls to manage those risks, you're able to support your decisions. But therein lies the key to all of this: Management needs to make informed decisions about how they've built out their compliance framework. Being too small or not having enough staff to support an essential task is not a valid position. Examiners only understand controls, compensating controls and risk-mitigation strategies and will accept decisions around any of these elements, provided management has done a reasonable job of documenting them. And so when our clients offer the size of their institution as though it's a compensating control, I've become quite adept at taking a deep breath and working through why the logic doesn't hold up under scrutiny. I figure it's always better to hear it from us rather than an examiner.
Next week I'm going to use the soap box to discuss Red Flags - Identity Theft. We've started reviewing programs during our fieldwork and, with the agencies having released their examination procedures, I'll have some interesting perspective and advice to share... stay tuned.
