
IT security pros face challenge during economic crisis

By Robert Westervelt, News Editor
13 Oct 2008 | SearchSecurity.com


Steven Katz, widely recognized as one of the first CISOs in the security industry, has been keeping an eye on the current financial crisis and company information risk management processes. Katz, a former CISO at Citigroup, JP Morgan and Merrill Lynch, says most financial institutions have strong information security programs in place. Katz is currently chief advisor and roundtable moderator at the Roundtable Network, a forum for CISOs, CROs, CIOs and IT executives to exchange views on information security topics, risk management, governance, and privacy. In this interview, Katz lays out how IT security pros should respond to the crisis, how security is typically addressed during a merger and acquisition and whether companies will hold back on security spending.

Do IT security pros in the financial sector have to worry about the current economic environment?
Steven Katz: There are companies that are being merged and companies that are disappearing from the face of the earth. If I were sitting at one of these companies that are in jeopardy, my concern about disgruntled employees would probably go up. I would pay more attention to my access control reports. I would also pay more attention to monitoring privileged user activity. None of these things should be new or be changing in this current economic climate. Companies that have put together effective information security programs are not going to be doing anything different other than acting on or following up with what they already have in place.

If you look at the mergers, I think Bank of America has a really good process of bringing on acquired companies, changing access rights and provisioning people. So that should be a fairly smooth event. You now have a number of investment brokerages that are becoming bank holding companies. The SEC regulations are different from the FFIEC [Federal Financial Institutions Examination Council] regulations. For companies that already have a strong information security program in place it's not going to be much of a stretch. For those that don't, they'll need to go back and figure out what they need to do to conform to the FFIEC regulations.

What typically would happen to ongoing security projects during a merger?
Katz: The company being acquired would probably put things on hold because its infrastructure and data structure are going to change. And the acquiring company is going to want to put its practices, policies and programs in place. For any company being absorbed into another one, the fact that it's being absorbed due to financial issues is no different from an acquisition under any other circumstances. Generally you put in a steering committee, you do a detailed gap analysis and you put together a program to get your policies and procedures into place. It's generally well thought through. Bank of America has done a lot of this a bunch of times. I know that J.P. Morgan Chase did an extremely good job when they acquired Bear Stearns, but they had a lot of practice acquiring other companies.

How long does it take for a company to meld the data structures and security policies together? Does it take a long time?
Katz: The length of time depends upon the oversight group sitting down and assessing where they are and determining where the gaps are. Nothing is really taken down until new systems are put in place. It's going to be gradual. The last thing you want to do is make the cure worse than the disease. You will always have technical risk oversight groups that figure out what functions and policies are in place at the acquiring company and at the company being acquired, make sure that there's a process to ensure segregation of duties, and make sure that they are paying a lot of attention to activity monitoring reports.

What happens when a company goes completely out of business? Who picks up the pieces?
Katz: Companies typically have an orderly process to phase things out. At both Bear Stearns and Lehman, from what I know, the technology risk programs were maintained and there was an orderly process to deidentify and deprovision folks. Companies recognize that there are two issues to deal with. One is the shareholders, but the other is what you are doing for your customers. There is still a requirement to maintain the confidentiality and integrity of your confidential customer data. In both cases there was essentially a controlled process to figure out how long it was going to take to merge the company records and employee records into a new company.
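The controls Katz keeps returning to in this interview, access control reports and privileged user monitoring (first answer), activity monitoring reports and segregation of duties (third answer) and orderly deprovisioning (the answer above), all come down to reconciling three records that drift apart during a merger or a wind-down: the HR roster, the identity store, and what privileged accounts actually did. The script below is an added example of that reconciliation, not code from the article or from any of the companies named. The employees, accounts, hostnames and sudo log lines are constructed sample data; the syslog-style sudo log format and the 30-day dormancy threshold are assumptions; and the function names (review, parse_priv_log, sample_review) are hypothetical.

```python
"""Reconcile the HR roster, the identity store and a privileged-activity log.

Constructed example: users, hosts and log lines are invented, and the sudo
log format (one event per line, syslog-style) is an assumption.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    user: str
    status: str                       # "active" or "terminated", per HR (system of record)
    term_date: Optional[date] = None  # last day of employment, if terminated


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    privileged: bool                  # member of a root/DBA/domain-admin style group
    last_login: Optional[date] = None


# --- constructed sample inputs (hypothetical people and hosts) ----------------
HR_ROSTER = [
    Employee("alice", "active"),
    Employee("bob", "terminated", date(2008, 10, 3)),
    Employee("carol", "active"),
    Employee("dave", "terminated", date(2008, 9, 20)),
]

ACCOUNTS = [
    Account("alice", True, False, date(2008, 10, 10)),
    Account("bob", True, True, date(2008, 10, 8)),          # left on 3 Oct, still enabled
    Account("carol", True, True, date(2008, 8, 1)),         # admin with no recent login
    Account("dave", False, True, date(2008, 9, 19)),        # correctly disabled at termination
    Account("svc_backup", True, True, date(2008, 10, 12)),  # nobody in HR owns this account
]

PRIV_LOG = [  # constructed sudo events, one sshd line mixed in to show filtering
    "2008-10-08T02:14:09 host1 sudo: bob : TTY=pts/0 ; USER=root ; COMMAND=/bin/tar czf /tmp/clients.tgz /data/clients",
    "2008-10-11T09:00:01 host1 sudo: alice : TTY=pts/1 ; USER=root ; COMMAND=/sbin/service httpd restart",
    "2008-10-12T22:41:33 host2 sudo: svc_backup : TTY=unknown ; USER=root ; COMMAND=/usr/bin/rsync -a /data /backup",
    "2008-10-12T22:41:40 host2 sshd[1912]: Accepted publickey for svc_backup from 10.0.0.5",
]

REVIEW_DATE = date(2008, 10, 13)

SUDO_RE = re.compile(r"^(?P<ts>\S+) \S+ sudo: (?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_priv_log(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, user, command) for each sudo event; other lines are skipped."""
    events = []
    for line in lines:
        m = SUDO_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["cmd"]))
    return events


def review(roster, accounts, log_lines, as_of: date, dormant_days: int = 30) -> Dict[str, List[str]]:
    """Cross-check the three sources and return sorted findings keyed by category."""
    hr = {e.user: e for e in roster}
    store = {a.user: a for a in accounts}
    findings: Dict[str, set] = {
        "terminated_still_enabled": set(),     # deprovisioning gap
        "orphan_accounts": set(),              # enabled account with no HR owner
        "dormant_privileged": set(),           # enabled admin account unused for > dormant_days
        "privileged_after_termination": set(), # root activity after the HR termination date
        "unexpected_privileged_use": set(),    # sudo by a user the store says is unprivileged
    }
    for a in accounts:
        emp = hr.get(a.user)
        if a.enabled and emp is None:
            findings["orphan_accounts"].add(a.user)
        if a.enabled and emp is not None and emp.status == "terminated":
            findings["terminated_still_enabled"].add(a.user)
        if a.enabled and a.privileged and a.last_login and (as_of - a.last_login).days > dormant_days:
            findings["dormant_privileged"].add(a.user)
    for ts, user, cmd in parse_priv_log(log_lines):
        emp = hr.get(user)
        if emp is not None and emp.term_date and ts.date() > emp.term_date:
            findings["privileged_after_termination"].add(f"{user} {ts.isoformat()} {cmd}")
        acct = store.get(user)
        if acct is None or not acct.privileged:
            findings["unexpected_privileged_use"].add(user)
    return {k: sorted(v) for k, v in findings.items()}


def sample_review() -> Dict[str, List[str]]:
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review(HR_ROSTER, ACCOUNTS, PRIV_LOG, REVIEW_DATE)


if __name__ == "__main__":
    for category, items in sample_review().items():
        print(f"{category}: {items or '-'}")
```

Run as a script it prints the five categories. The one worth dwelling on is unexpected_privileged_use: an access control report built from the identity store alone would pass alice, since the store says she is unprivileged; only the activity log shows she holds root rights the store does not record. That kind of drift between documented entitlements and actual use is what the gap analysis Katz describes is meant to surface, and it is also why a deprovisioning process has to be checked against activity after the termination date (bob) rather than only against the account's enabled flag.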

Who typically makes up the oversight committee?
Katz: It's going to be IT, it's also going to be technology risk and security, certainly audit and compliance and business will be at the table. They're all actively involved. Your external auditors are going to be very much a part of it. I am certain that the examining body for the acquiring company will be actively engaged to make sure the process moves smoothly. There's good news and bad news in being a regulated entity. The bad news is that you're a regulated entity and you have a lot of folks looking at what you are doing. The good news is that in times of crisis like this, they're going to help you make sure that you stay on the straight and narrow.

In this uncertain economy, do you think companies will continue to spend on security technologies, including encryption?
Katz: Yes. I think the companies recognize that there is a trust relationship with their customers. The last thing they want to do is add an additional threat to the problem. To the extent that there is a valid business reason for protecting customer information, and encryption comes right into that, they're going to continue to do that. It may take a little longer. The business case may have to be made a little more clearly. Your risk calculations are going to have to be carefully scrutinized.


All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy