Security Management Strategies for the CIO
This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
Download it now to read this article plus other related content.
When you build your security program on risk assessment, you are going to protect your company. When you build a program based on compliance, you have, well, compliance.
"We never set the bar for any program based on regulatory expectations," declares Advanta's Holmquist. "I set the bar higher than their expectations. We create as robust a program as we can based on awareness, accountability and the ability to take action.We always exceeded regulators' expectations."
COMPLIANCE IN THE TRENCHES
Risk is also well understood by regulatory auditors
and bank examiners, who are not-and should not
be-simply working off a checklist.
"With regulators, I've always found I was able to do things with a risk-based approach," says Stiglianese, "as long as I was able to take them through what my methodology was for evaluating risk."
Depending on whom you talk to, compliance in the financial sector is something of a black and white affair, but that's not to say it's all or nothing.
The overriding consideration is the safety of the business-that is to say, is there a real danger that the business could collapse and put customers and other institutions in jeopardy. That's at the heart of many regulatory requirements and a different consideration than the soundness of the business, which speaks more to its level of profitability.
So, while banks should use risk assessment to develop programs that meet or, preferably, exceed regulatory requirements, comply
Requires Free Membership to View
they will.
"We follow guidelines laid out for the company,"
says First Capital's Hogard. "Risk assessment determines
to what degree of effort and cost does the
company expend making sure we're complying with
the regulations."
Hogard applies the 80-20 rule, achieving 80 percent of compliance quickly at 20 percent of the effort, then implementing more effort-intensive methods to enhance compliance.
The key is presenting a plan that makes sense to examiners/auditors. If your company can't implement controls immediately, presenting a risk-based, specific plan-with a time frame-will work.
"Generally, it looks something like a 24-month rolling plan," says Steve Katz, founder and president of IT security consultancy Security Risk Solutions, who managed information security at JP Morgan, Citigroup and Merrill Lynch. "It gives business managers as well as auditors and examiners a sense that you're not just trying to solve the immediate problems. If there are open compliances, you have a plan to remediate over time."
This was first published in January 2009
Join the conversationComment
Share
Comments
Results
Contribute to the conversation