As IT and information security become ever more critical to the success of any organization, they are no longer just the concern of the CTO or CIO. With changes in global regulatory requirements, the CFO and CEO are increasingly involved in security issues. As a result, all aspects of the audit, including security of information and IT systems, are a key concern for the finance function.
At the same time, CFOs and treasurers are increasingly involved in IT investment decision-making. They are realizing that a security breach of any kind can have catastrophic financial effects on a company. Just as it is important to have a good insurance policy in place to protect against unforeseen business circumstances, so too is it important to have good security protocols in effect to protect against unforeseen attacks on networks and data.
The security concerns of financial institutions and multinational corporates have much in common. For financial institutions, having secure systems and data storage is critical. Any breach in security has not only an immediate price tag but also an often-unquantifiable effect on the trust of clients. In addition to reputation, there are a number of factors driving companies to beef up security systems at the moment, according to James Rodwell, sales director at security consultant BII-Compliance. “Compliance directives are very much a driving factor for companies to look at security,” he says. “If you are not securing your systems, then you are not compliant.”
For any global company with reporting requirements in the US, this is highlighted under Section 404 of the Sarbanes-Oxley Act, which details the responsibility of management in setting up and maintaining internal control structures and procedures for financial reporting. For regulators scrutinizing a company’s internal control framework, security protocols are a key area of interest. Regulatory issues are also highlighted for financial institutions under Basel II banking regulations, which require institutions to quantify and demonstrate risk with respect to information and data security. “With Basel II, you need to be able to quantify operational risk, which includes people, processes and technology,” notes Jonathan Rosenoer, head of security for financial services at IBM.
In order to meet compliance requirements now in effect worldwide, many companies look to global control standards, such as the Statement on Auditing Standards (SAS) No. 70 for Service Organizations. SAS 70 is an internationally recognized auditing standard that enables service organizations to disclose control processes to customers and auditors in a uniform reporting format. The standards were developed by the American Institute of Certified Public Accountants (AICPA); those organizations that go through the process to become SAS 70 compliant can thus assure clients that regulatory requirements, such as those under Sarbanes-Oxley, are met.
This is critical not only for service organizations themselves in knowing that they are secure, but also for those companies using third-party services and systems. Mark Vengroff, CEO of Vengroff, Williams & Associates, which provides outsourced receivables management solutions, explains: “When we receive RFPs [Request For Proposal] today, the number of questions discussing security has increased tenfold. It is to the point where the security portion of the RFP is as thick as the rest of it.”
Vengroff continues: “Companies are concerned about releasing data and what happens to it. More and more clients want to know if we are SAS 70 compliant. Going through the process to become SAS 70 compliant is certainly difficult and time-consuming. But it is critical to our clients to know that we are secure and that we meet the requirements of their auditors for control and compliance.”
A number of organizations are looking to develop additional standards for best practice in security protocols. One such is BITS, an independent industry group made up of top-tier financial institutions that was set up to solve problems—and provide guidance and frameworks to institute best practice—arising where financial services, technology and commerce intersect. The group recently released its latest work under the Financial Institution Shared Assessments Program (FISAP). The program aims to provide companies and financial institutions with efficient methods of assessing their third-party service providers and to help institutions align service provider testing with industry regulations.
Catherine Allen, CEO of BITS, explains: “FISAP started about three or four years ago as outsourcing started to grow. Whether you outsource to India or to Indiana, you have the same regulatory requirements and the same security issues. So we worked with regulators, vendors and financial institutions to develop a framework for analyzing IT services to ensure that all issues have been addressed that a regulator might ask in managing third-party services.”
Jason James, network security director at Happy State Bank, a financial institution based in Happy, Texas, says the real impact of regulations such as Section 404 of Sarbanes-Oxley is that it has forced financial institutions and large corporations to implement procedures that have long been best practice in the industry. “It is time-consuming and costly to go through all your IT processes like this, but it is something that should have been done a long time ago,” he says. “It is a rigorous process, but … it needs to be done.”
Happy State Bank is using Core Security’s Core Impact penetration testing product to find security weaknesses within the group’s IT systems. The product tests the effectiveness of internal and external security measures by performing controlled attacks on a network to find weak points wherein a hacker could gain unauthorized access. James believes such systems are useful if they can quickly do testing that it would take an expensive security professional a long time to do manually. “It automates the attack sequence that hackers would use,” he says. “It is really beneficial, particularly if you don’t have the budget to afford a full-time security tester.”
The initial runs of Core Impact at Happy State Bank uncovered a number of possible breach spots in the security defenses of the bank’s in-house systems. “Our perspective on security really changed after that. If you think you are secure and find out you are not, it reinforces your stance to do all you can do. And that is definitely our policy,” says James.
Rosenoer at IBM says that when it comes to investing in security solutions, it is critical to look to the future. “It is important to have a vision of where you want to be three to four years from now in order to tailor your security spend and ensure that what you are investing in is scalable to meet those goals,” he says.
According to Edward Adams, CEO of Security Innovation, the big problem for many organizations is simply the scale of the project. “A lot of organizations just don’t know where to start to assess security of applications or are overwhelmed by the daunting task of doing it for thousands of functions and applications,” he says.
The most important thing is just to start somewhere and use the resources that are available to know where and when to make investments in system security. With standards organizations such as BITS providing a starting point, meeting and exceeding control and compliance regulations can begin to take on a shape that is manageable for any business.
Source: Global Finance