Working with paper-based information security policies can be limiting for financial institutions. Automation allows banks and credit unions to take their policies off the shelf and move them online to reap multiple benefits.
There are 2 major challenges to having a static, paper-based information security program; the first is making sure policies accurately reflect the financial industry’s current guidance and best practices, and the second is making sure they accurately reflect your institution’s specific practices. Often new paragraphs and sections get added to cover additional policies while almost nothing gets expunged. Or a revision in one section of the program might not be properly updated in all other related areas.
These twin challenges are the primary cause of disconnects between policies, procedures, and practices —and compliance-related findings from IT auditors and examiners. Today examination auditors are scrutinizing documents far more closely, and they expect to see documentation that proves institutions are doing what their policies say they are. And unfortunately, policy disconnects and lack of adequate documentation in IT often reflect poorly on management. It is not unusual for us to see weaknesses in the IT area pull down the CAMELS management component in other areas. In a study conducted by the OCC earlier this year, researchers found that:
Advantages of Automation
Leveraging technology for an information security (InfoSec) program offers significant benefits by addressing both challenges. A key advantage is that it places all InfoSec related documents in one place where personnel can easily access them. Having a digitally enhanced program makes it easier to minimize exam findings related to inconsistencies between policies (what you say you’re going to do) and procedures (how you say you’re going to do them). Automation streamlines the process of updating policies and documenting the corresponding procedures that are in place to support them.
As another advantage, automation promotes personnel collaboration and engagement in the information security process. Having a web portal where staff can access the policies and procedures related to their area of focus enables collaboration, encourages engagement, and generally helps generate buy-in. As a result, personnel becomes better informed and more engaged in the information security program.
Automation also supports change management by facilitating periodic, detailed reporting to update various stakeholders about the status of the information security program. Reports can focus on a specific area or be customized for different stakeholders who may need more specialized reporting. They may be high-level summaries, or highly detailed. Most importantly, as regulatory guidance and best practice evolve, automation can allow policy updates to happen with the click of a button.
Our Unique Approach
At Safe Systems, we took a unique and comprehensive approach when creating our new Information Security Program solution. The program includes a comprehensive set of policies and a process-based risk assessment. It’s also structured around the Information Security and Management handbooks by Federal Financial Institution Examination Council (FFIEC). And it features a detailed, easy-to-navigate table of contents that will look familiar to auditors and examiners. The idea is to make it as easy as possible for IT auditors and examiners to find what they’re looking for, so they can move on to other areas!
Another way our approach is unique is that our methodology starts with enterprise modeling: We find out everything about the institution’s departments, processes, functions, and required interdependencies. That data then flows directly into the risk assessment and links to other areas that may be added later, such as business continuity management or vendor management. All of these areas will “talk” to the model to support automatic updating whenever global changes are made.
Our Information Security Program—which has been years in the making and incorporates everything we’ve learned about what does and doesn’t work—is effectively simplifying an inherently complex process for institutions of all types and sizes. So far, we’ve heard great feedback from auditors, examiners, and customers. (In fact, the risk assessment was developed in close collaboration with IT auditors.) Customers are finding our information security program much easier to manage than having multiple disjointed policies in Word documents and PDFs strewn across disparate folders. They can access policies without worrying if they have the most current version. And our broad and deep understanding of financial institution risk management allows us to start with a pre-filled set of policies, which are then customized to each institution. This greatly accelerates the onboarding process. Customers also like being able to work one-on-one with our team to build a process-based risk assessment model, being able to customize policy language as needed, and not worrying about what changes to make, or where to make them.
For more details, listen to our webinar on “Automating Your Information Security Program: How Technology Can Get Policies Off The Shelf.”