When you build your security program on risk
assessment, you are going to protect your company.
When you build a program based on compliance,
you have, well, compliance.
"We never set the bar for any program based
on regulatory expectations," declares Advanta's
Holmquist. "I set the bar higher than their expectations.
We create as robust a program as we can based
on awareness, accountability and the ability to take
action. We always exceeded regulators' expectations."
COMPLIANCE IN THE TRENCHES
Risk is also well understood by regulatory auditors
and bank examiners, who are not, and should not
be, simply working off a checklist.
"With regulators, I've always found I was able to do
things with a risk-based approach," says Stiglianese,
"as long as I was able to take them through what my
methodology was for evaluating risk."
Depending on whom you talk to, compliance in
the financial sector is something of a black and
white affair, but that's not to say it's all or nothing.
The overriding consideration is the safety of the
business, that is to say, whether there is a real danger that
the business could collapse and put customers and
other institutions in jeopardy. That's at the heart
of many regulatory requirements and a different
consideration than the soundness of the business,
which speaks more to its level of profitability.
So, while banks should use risk assessment to develop programs that meet or, preferably, exceed
regulatory requirements, comply they will.
"We follow guidelines laid out for the company,"
says First Capital's Hogard. "Risk assessment determines
to what degree of effort and cost does the
company expend making sure we're complying with
the regulations."
Hogard applies the 80-20 rule, achieving 80
percent of compliance quickly at 20 percent of
the effort, then implementing more effort-intensive
methods to enhance compliance.
The key is presenting a plan that makes sense to
examiners/auditors. If your company can't implement
controls immediately, presenting a risk-based,
specific plan, with a time frame, will work.
"Generally, it looks something like a 24-month
rolling plan," says Steve Katz, founder and president
of IT security consultancy Security Risk Solutions,
who managed information security at JP Morgan,
Citigroup and Merrill Lynch. "It gives business managers
as well as auditors and examiners a sense that
you're not just trying to solve the immediate problems.
If there are open compliances, you have a plan
to remediate over time."