Credit: American Bankers Association, ABA Banking Journal Directors Briefing; July/August 2017, Volume 2, Number 4

Questions Board Members Can Ask Bank Information Security

Created on 2017-08-02 15:57

Published on 2017-08-02 16:23

Article content I recently provided to ABA for the July/August issue of ABA Banking Journal, Directors Briefing; Volume 2, Number 4. Copyright (c) 2017, American Bankers Association. Thank you, Debra Cope.

During 14 years as a bank information security professional, Anthony Scarola has translated technology-speak to management and board members. Scarola, who cut his teeth in community banking, is now vice president of security and information risk governance manager for Fifth Third Bancorp in Cincinnati. A significant part of his role is to give board members and senior management the tools to interpret the institution's IT strengths, weaknesses, compliance and risk management.

In a recent interview, Scarola offered five questions board members should consider asking when performing their oversight role in IT risk management. These questions are not intended to be comprehensive; instead, they are a way to focus conversation during what may be a 10- or 15-minute presentation to a board or board committee from the IT professionals.

How do we know we're concentrating on the IT risks that matter most? In overseeing IT, the board should be satisfied that the systems and applications with the greatest value to the organization receive more attention than less significant systems and applications. Systems that process more accounts, assets or transactions tend to warrant closer scrutiny than those that process fewer. Qualitative judgments are also important; for example, personal customer information needs to be guarded closely, while data regarding corporate policies and procedures might require fewer protections overall. Understanding the relative value of systems and apps can also guide how resources are allocated. "You wouldn't want to put several backup systems in place for an asset that has low value to the organization," Scarola noted. "The idea is, don't spend your time on the small fish."

How are the policies and standards used to guide information security working for our organization? It's important for banks to have an agreed-upon framework for talking about IT and cybersecurity risks, Scarola said. The National Institute of Standards and Technology Cybersecurity Framework is one of the most widely accepted frameworks. Board members should probe to ensure that the IT team has a framework, understands it, and applies it appropriately based on the profile of the institution.

How are we utilizing the CIA triad, and what does our analysis tell us? With all due apologies to spy novel readers, the CIA triad has nothing to do with the Central Intelligence Agency. CIA is the acronym for confidentiality, integrity, and availability, the three crucial elements of information security. The CIA triad can be applied to anything from new loan origination software to customer-facing Internet apps to help management understand the relative value and riskiness of assets, systems and apps.

What does the latest news development mean for our information security efforts? Board members need to understand the implications of news developments, whether it's the steady spate of website and email hacks or the WannaCry ransomware attack that occurred in May 2017. "It is always appropriate to ask, 'What have we done about this attack? How does it impact our customers, if at all?'" Scarola said. At the same time, it's important not to get bogged down by headlines. Best practices call for a "lifecycle approach" of refreshing assessments when changes occur, such as new threats and vulnerabilities, reduced or expanded use of the asset, and changes in business goals, Scarola said.

How do we stack up against our peers? "Presentations about what the industry and peers are doing are valuable to boards," Scarola said. "It is prudent to ask whether the bank is in line with what its peers or larger institutions are doing." Bringing in a third party to perform an assessment can enhance management's credibility and demonstrate a commitment to managing risk appropriately.