This article can also be found in the Premium Editorial Download "Information Security magazine: Security researchers on biometrics, insider threats, encryption and virtualization."
Security managers are sweating the current financial crisis, in particular how the wave of layoffs and mergers in the financial services sector could weaken data security. Institutions especially need to be vigilant about flicking the switch on user access once a person is let go. User provisioning, password management and configuration management are primary areas of concern, experts say.
In recent weeks, not only have world markets plunged, but major institutions have either folded or been acquired. The bankruptcy of Lehman Brothers was followed quickly by JP Morgan's acquisition of Bear Stearns. JP Morgan then acquired Washington Mutual. And Citigroup gobbled up Wachovia's banking operations, with more deals expected.
While larger institutions have solid processes in place to address the integration of new business, disgruntled, unemployed former workers pose a serious threat.
Steven Katz, who is often regarded as the first CISO and once held that position at Citigroup, JP Morgan and Merrill Lynch, says larger banks were forced to shore up these processes to meet the Federal Financial Institutions Examination Council (FFIEC) rules that govern the financial industry.
"These are companies that have been subject to a fair amount of regulatory scrutiny in terms of information security and generally have fairly substantial programs for provisioning and deprovisioning folks and validating access rights," says Katz.
"If I were sitting at one of these companies that were in jeopardy, my concern about disgruntled employees would go up, and I would pay more attention to my access control reports," says Katz. "I'd also be paying more attention to privileged user activities."
Bank acquisitions follow the same track as most corporate acquisitions. A steering committee works quickly to conduct a gap analysis, put in place necessary practices and policies, and analyze and migrate data. The time it takes to conduct an analysis and bring together systems depends on whether there is a big difference in data structure and system makeup, says Matthew Pollicove, an SAP identity management expert and project manager at Secude Global Consulting.
This was first published in November 2008