If you work within the banking industry, writing effective information security policies is more than laying out a set of rules to follow. Like all financial institutions, banks are exposed to a variety of operational and transactional risks, including crime, employee fraud, and natural disasters. Due to the nature of information gathered regarding the financial transactions and the extensive use of technology to process this information, banks are exposed to specific information and technology risks.
According to Forbes, cyberattacks cost financial services firms more to address than firms in any other industry at $18 million per firm (vs. $12 million for firms across industries). If that fact does not open your eyes, financial services firms also fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries.
To put it simply, while the average U.S. business is attacked 4 million times per year, the average U.S financial firm is attacked an astounding 1 billion times per year. It is time for your banking organization to create or update its information security policies.
What are Information Security Policies?
An information security policy is a statement, or collection of statements that are designed to guide employee behavior with regards to the security of company data, assets, and IT systems. Information security policies should reflect the risk environment for the specific industry. These policies can define the desired behavior and play an important role in the organization’s overall security posture.
The goal when creating effective information security policies is to provide relevant guidance and value to the team within an organization.
Any mature security program requires policies, documents and procedures that we will discuss in the blog. But what makes information security policies effective? It typically starts with establishing a foundation for a security program. Start by designating an employee or a team of employees who are responsible for the compliance and cybersecurity. It will be this person or group that will being creating the information security policies that cater to your banking organization.
If you are hosting your servers in a secure data center colocation facility, providers such as LightEdge can help to manage your financial institution’s risk through security technologies, auditable work processes, and documented policies and procedures. That way, you are able to focus your attention on ensure employees comply with your information security polices internally to create a 360-degree security plan.
While there are entire books published dictating how to write effective information security policies, below are principles to keep in mind when you are ready to start knocking out security policies or reviewing existing ones.
What Should Banking Information Security Policies Cover?
Since information security policies should cover the risk environment of the industry, determining current financial technology risks can be a starting point. Create policies that are geared towards and guides employee behavior to reduce the risk. If your banking organization is at risk of social engineering, then there should be a policy that covers the behavior desired to reduce the risk of employees being social engineered. Security awareness training is known to reduce the percentage of employees who are prone to phishing and social engineering.
Information security policies are commonly created for areas such as acceptable use of company assets, personnel security, passwords, change management, access control, physical access, etc. PCI DSS compliance requirements also drive the need to develop security policies, but do not write a policy just for the sake of having a policy.
Here are specific areas that should be outlined within effective banking information security policies:
Does your banking organization use services from third-party suppliers, service providers, software vendors, and/or consultants, including customer information and transaction processing services? If so, it is imperative to outline risks that could be associated with third-party vendors coming in contact with any confidential customer information, financial or otherwise.
This includes threats to the availability of systems used to support customer transactions, the accuracy, integrity and security of customer’s non-public, personal financial information, or compliance with banking regulations. Under contracts like Service Level Agreements (SLAs), risk management measures commonly used by financial institutions to address these risks, are generally under the control of the vendor, rather than the financial institution.
The financial institution, however, continues to bear certain associated risks of financial loss, reputation damage, or other adverse consequences from actions of the vendor or the failure of the vendor to adequately manage risk.
Your organization should expand its analysis of the ability of vendors to fulfill their contractual obligations and prepare a formal analysis of risks associated with obtaining services from, or outsourcing processing to vendors. The following areas to cover include:
- Selection of vendors
- Statements of purpose to access your customer’s personal financial information
- Disaster recovery capabilities, and other risk management measures maintained by the vendor
- Compliance with applicable regulatory requirements
- Liability for delayed or inaccurate transactions and other potential risks
- Required service levels and performance standards
- Ongoing monitoring
- Internal audits
- Contingency plans
Strategic Systems Platforms
Strategic systems are defined as the computer systems that are critical to the operation of your specific bank. Understanding and creating security policies surrounding the management, physical access, and physical security of these systems is critical.
In the strategic systems platform section of your bank’s information security polices should include who has the primary responsibility of oversight and management. It should also outline who is in charge of the management of third-party technical service providers. These strategic systems for your organizations may include:
- Loan accounting systems
- Deposit accounting systems
- Internet banking and bill paying systems
- Customer information files
- Customer profitability systems
No matter which strategic systems you use, they should be protected by strict physical security and access management controls. Putting these systems in a top-tier data center facility can offer you a high level of reliability through secure, certified, and custom services. LightEdge’s data center facilities give you the control, whether you need a colocation rack, cage or custom suite now or in the future.
Roles and Responsibilities
Create a list of individuals that will be integral to the successful execution of your bank’s information security policies and programs. Some critical responsibilities that this team will need to complete include:
- Audit Committee: Ensure that appropriate tests and audits of information security systems are performed. Review reports of security tests and audits and ensure that appropriate action is taken to address identified weaknesses in control. Review assessments of outsourced technology vendor performance and controls and ensure that appropriate action is taken to address identified weaknesses in vendor information security controls.
- Human Resources: Responsible for ensuring appropriate information security orientation is provided for new employees. Ensure new hires and contract personnel are properly vetted and agree to follow Bank information security policies.
- Internal Employees: Ensure that customer information is protected on a day to day basis. Responsible for reporting any breaches of Information Security to their respective business unit manager.
Attempted or Actual Security Breaches
Any breach of security that was attempted or successful should be reviewed, documented, and reported by the proper personnel. The senior management team and appropriate legal and regulatory authorities must be notified. If it is applicable, a Suspicious Activity Report should also be filed.
A study of 400 global bank executives found that 71 percent focus digital investments on cybersecurity. At the same time, cybercriminals are becoming increasingly sophisticated and use a range of tactics. Denial of services and phishing and social engineering are the two most costly attack types for financial services firms.
Your bank should implement a comprehensive risk assessment process, including classification, ranking, and information systems, both electronic and non-electronic based on the following criteria:
- Nature and sensitivity of information contained in the system, whether non-public customer or proprietary bank information
- Quantity or volume of such information contained in the system
- Impact of the loss of integrity of such information
- Impact of the loss of confidentiality of such information
- Impact of the loss of accessibility of such information
The risk assessment process will include each appropriate information system, the likelihood of occurrence of certain threats and the potential exposure to threat. It will also document the existence of administrative, technical, and physical security controls implemented by your bank to mitigate the occurrence and potential risk exposures.
The data classification and risk assessment should be updated at least on an annual basis. The adequacy of the security policies and programs should be reviewed with senior management and the audit committee. From there, updates to the polices should be made and internal employees should be notified.
Ninety percent of financial institutions reported being targeted by ransomware. Understanding how financial institutions mitigate the risk of denial of services and social engineering attacks, including through employee training, would help investors better gauge risks.
Why is it Important to Keep Security Policies Current?
Your information security policies should not just be filling the empty spaces on a bookshelf. Just like food, when left out for a period of time, security policies can get stale when not routinely updated. At minimum, information security policies should be reviewed yearly and updated as needed.
Think back to a year from now. Just note how technology has changed and evolved, what new threats arose, what security incidents have you experienced and learned from? It is important to understand those factors and incorporate them into your policies. Security policies are a living document that need to remain relevant to your organization, industry, and time.
Your Banking Data is Safe with LightEdge
Information security policies are the foundation to a good security program. As a top-tier colocation services provider, we provide a high level of availability and reliability through secure, certified data centers and dedicated staff onsite. Our customized and scalable services give you the control, whether you need a colocation rack, cage, or custom suite now or in the future.
Tracking and monitoring all access to network resources and cardholder data, including the regular testing of controls, systems, and processes is critical. Our colocation centers have a plan in place that tracks and monitors all access to network resources and cardholder data. Log files, system traces or any tool enabling the tracking of access to sensitive data is critical in preventing, detecting, or minimizing a data breach. The availability of logs enables tracking, alerting, and analysis when an intrusion occurs. LightEdge also regularly tests our security systems and processes
LightEdge’s highly-trained compliance and security experts take the guesswork out of keeping your business protected. Trust our expertise to ensure you are covered through our security and compliance services, including risk management, information security, audit preparedness, and support.
With geographically-dispersed facilities across all of the US power grids, our data centers are the heart of our operation and yours. We have a wide range of colocation and disaster recovery solutions delivering advanced shared infrastructure designed to enable operational and financial efficiency, reducing the burden on your IT staff.
Our LightEdge facilities are more advanced than traditional data centers. We have created true Hybrid Solution Centers designed to offer a complete portfolio of high speed, secure, redundant, local cloud services and managed gateways to public clouds through our hardened facilities.
Customers turn to LightEdge to reduce risk of non-compliance, scale security, and for the predictably and cost-effectiveness. LightEdge provides customers with an extended team of experienced engineers and helps to focus resources on agility and differentiation. Are you curious how your current provider stacks up? Our security experts will provide a free security assessment to see how you measure up against the latest compliance and security standards. No risk, no commitment. Contact us today to get your free security assessment.
- How to Determine if your Business is PCI Compliant
- Seven Common E-Commerce PCI Compliance Myths Explained
- PCI DSS Cloud Compliance: Your Guide to a Smooth Cloud Migration
- 6 Best Practices for Data Security in the Cloud Infographic
- Why the Cloud is Safer the CIOs Believe: 6 Best Practices for Data Security
- The Best of Both Worlds: Colocation and PCI DSS Compliance
- Ultimate Guide to a Highly Compliant Cloud Environment
- Cost of Ownership: Public vs Private Cloud Showdown
- Why Virtual Private Cloud Will Make You Reconsider Your Cloud Infrastructure
- What Every Business Needs to Know About Dedicated Private Cloud