Published: 28 Nov 2008
Security managers are sweating the current financial crisis, in particular how the wave of layoffs and mergers in the financial services sector could weaken data security. Institutions need to be vigilant about cutting off user access the moment a person is let go; user provisioning and deprovisioning, password management and configuration management are the primary areas of concern, experts say.
Not only have world markets plunged this year, but major institutions have either folded or been acquired. Bear Stearns was sold to JP Morgan in March. In September Lehman Brothers filed for bankruptcy and JP Morgan acquired Washington Mutual's banking operations, while Wachovia, after a short-lived deal with Citigroup, went to Wells Fargo. More deals are expected.
While larger institutions have solid processes in place for integrating an acquired business, disgruntled former workers who still hold working credentials are a serious threat.
Steven Katz, often regarded as the first CISO, who held that position at Citigroup, JP Morgan and Merrill Lynch, says the larger banks were forced to shore up these processes to meet the Federal Financial Institutions Examination Council (FFIEC) examination guidance that governs the financial industry.
"These are companies that have been subject to a fair amount of regulatory scrutiny in terms of information security and generally have fairly substantial programs for provisioning and deprovisioning folks and validating access rights," says Katz.
Problems remain possible, however, because the likelihood of employee deceit and data-handling misuse rises at troubled firms, says Katz.
"If I were sitting at one of these companies that were in jeopardy, my concern about disgruntled employees would go up, and I would pay more attention to my access control reports," says Katz. "I'd also be paying more attention to privileged user activities."
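The access-control review Katz describes can be partly automated. The following Python is an added example, not code from the original article or from anyone quoted in it: it reconciles a constructed HR termination feed against a constructed directory export and privileged-activity log, flagging accounts still enabled after their owner's termination date, enabled privileged accounts with no HR owner, and privileged actions performed by accounts whose owners had already left. All record layouts, field names (`owner_id`, `privileged`, the `user=`/`action=` log fields) and sample values are assumptions, not the format of any real HR or directory product.

```python
"""Joiner/mover/leaver reconciliation: terminated staff vs. live accounts.

Illustrative example with constructed data. The HR feed, directory
export and log format below are assumptions, not a real product's output.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]   # HR employee id (assumed field); None = no owner on record
    enabled: bool
    privileged: bool          # member of an admin/privileged group (assumed field)
    last_logon: Optional[date]


# Constructed HR feed: employee id -> termination date (None = still employed).
HR_STATUS = {
    "E100": None,
    "E101": date(2008, 10, 15),
    "E102": date(2008, 11, 3),
    "E103": date(2008, 11, 20),
}

# Constructed directory export.
ACCOUNTS = [
    Account("alice", "E100", True, True, date(2008, 11, 27)),
    Account("bob", "E101", True, False, date(2008, 10, 14)),    # left 6 weeks ago, still enabled
    Account("carol", "E102", True, True, date(2008, 11, 10)),   # left, still enabled, logged on after leaving
    Account("dave", "E103", False, False, date(2008, 11, 19)),  # correctly disabled
    Account("svc_backup", None, True, True, None),              # privileged, no HR owner: orphaned
]

# Constructed privileged-activity log (key=value fields; the format is assumed).
PRIV_LOG = """\
2008-11-10T02:14:07 host=db01 user=carol action=sudo cmd=/usr/bin/pg_dump
2008-11-11T09:03:55 host=db01 user=alice action=sudo cmd=/bin/systemctl
2008-11-25T23:41:12 host=fs02 user=svc_backup action=sudo cmd=/usr/bin/rsync
"""

AS_OF = date(2008, 11, 28)  # date of the review


def stale_enabled_accounts(accounts, hr_status, as_of, grace_days=0):
    """Usernames still enabled although HR shows the owner terminated at least
    grace_days before as_of. grace_days lets a site tolerate a short hand-off
    window without hiding accounts that are weeks overdue."""
    cutoff = as_of - timedelta(days=grace_days)
    stale = []
    for a in accounts:
        if not a.enabled or a.owner_id is None:
            continue
        term = hr_status.get(a.owner_id)
        if term is not None and term <= cutoff:
            stale.append(a.username)
    return sorted(stale)


def orphaned_privileged_accounts(accounts, hr_status):
    """Enabled privileged accounts whose owner is missing from the HR feed;
    nobody's termination will ever trigger their removal."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.privileged
                  and (a.owner_id is None or a.owner_id not in hr_status))


def parse_priv_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def privileged_use_after_termination(events, accounts, hr_status):
    """(username, iso timestamp) for privileged actions on or after the
    account owner's termination date: the signal Katz says to watch."""
    owner_of = {a.username: a.owner_id for a in accounts}
    hits = []
    for e in events:
        term = hr_status.get(owner_of.get(e["user"]))
        if term is not None and e["ts"].date() >= term:
            hits.append((e["user"], e["ts"].isoformat()))
    return hits


def reconcile(as_of=AS_OF, grace_days=0):
    """Run all three checks over the constructed data and return the findings."""
    events = parse_priv_log(PRIV_LOG)
    return {
        "stale_enabled": stale_enabled_accounts(ACCOUNTS, HR_STATUS, as_of, grace_days),
        "orphaned_privileged": orphaned_privileged_accounts(ACCOUNTS, HR_STATUS),
        "priv_use_after_term": privileged_use_after_termination(events, ACCOUNTS, HR_STATUS),
    }


if __name__ == "__main__":
    for check, findings in reconcile().items():
        print(f"{check}: {findings}")
```

The three checks are deliberately separate: a stale-but-unused account is a deprovisioning failure to fix, an orphaned privileged account is an ownership gap to close, and privileged use after termination is an incident to investigate. In practice the HR feed is the authoritative source and the directory export and log are pulled on a schedule; the `grace_days` parameter should be short, since the point of the exercise is that the window between "let go" and "access removed" is where the risk sits.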
Bank acquisitions follow the same track as most corporate acquisitions. A steering committee works quickly to conduct a gap analysis, put the necessary practices and policies in place, and analyze and migrate data. How long it takes to complete the analysis and bring the systems together depends on how far apart the two firms' data structures and system makeup are, says Matthew Pollicove, an SAP identity management expert and project manager at Secude Global Consulting.
Acquiring companies generally scout the target's systems and processes well before proceeding with an acquisition, so in many cases the acquisition steering committee--made up of IT, business and compliance staff--already knows how difficult the process will be, says Pollicove.
"Even though they're addressing many of the same customers, they'll sometimes do things in completely different ways," says Pollicove.
Any third-party organizations and consultants who worked with the acquired company must be carefully managed to prevent information leaks and breaches, says Claudiu Popa, president and CSO at data security vendor Informatica.
Employees on both sides must be made aware of policies, procedures, standards and guidelines early on to ensure a smooth transition, says Popa. "Human resources departments must look for gaps in liability and responsibility that would represent a security failure.
"The risk to information assets during this time is increased by numerous factors such as different policies in effect, people, process inefficiencies, breakdowns in leadership and lax security controls," says Popa. "This kind of transitional period results in situations that can not only foster security breaches but, critically, make them more difficult to detect."