It is the financial institution's responsibility to secure the network and the data that resides therein. A common attitude that I see in community financial institutions is that the institution feels obligated to implement security only insofar as the regulators raise issues. In other words, many institutions will balk at the idea of implementing controls, and spending money, until the regulators demand it. That thought process is fundamentally incorrect.
A satisfactory regulatory audit should be the result of a sound security program, not the other way around. Certainly, financial institutions have to respect and remediate issues identified in regulatory reports. However, a red flag should be raised when a financial institution relies on regulatory reports as the principal justification for information technology spending decisions. Often, it indicates that the institution lacks an understanding of what maintaining a secure environment entails. Specifically, it raises questions about the institution's ability to adequately assess information technology related operational risks.
A weak internal audit function compounds the issue. Internal audit has a tendency to follow the emphasis of the regulators. A key performance indicator of internal audit is its ability to protect the bank from regulatory criticism. While the importance of that function should not be underestimated, it can lead to a very acute security issue if the role of internal audit is not clearly defined. If the audit function is focused primarily on regulatory emphasis, and its results are the principal driver of spending decisions, then the bank has essentially designated the regulatory agency as its de facto information security officer. The regulators are effectively making the bank's technology decisions. A strong internal audit function not only protects the bank from regulatory criticism, but also evaluates and recommends improvements to the control environment regardless of regulatory emphasis, thereby keeping control of the environment, and the related spending decisions, within the institution.
Furthermore, financial institutions have the responsibility of performing due diligence and maintaining due care. Due diligence is a term that is commonly used in community financial institutions: before vendors are selected, due diligence is performed; before an acquisition is made, due diligence is performed; before major systems are updated, due diligence is performed; and so on. Due diligence and due care have a very specific meaning with respect to information security. Due diligence refers to the process of understanding the current threats and risks associated with information security. Due care refers to the implementation of countermeasures to mitigate those threats and their implied risks [Harris, 2010, p. 110]. Management that fails to practice due diligence and due care can potentially be deemed negligent following an information security incident.
Therefore, the development of a security program and information technology spending decisions should not be driven by regulatory and internal audits. Management has the obligation to practice due diligence and due care and to develop an effective information security program. Internal and regulatory audits should be a validation that the security program is adequate. In other words, audits validate that management understands threats and risks, demonstrating the exercise of due diligence, and that management has implemented an effective control environment, demonstrating the practice of due care. Thinking about it any other way is allowing the tail to wag the dog.
1. Harris, Shon (2010). All-in-One CISSP Certification Exam Guide (5th ed.). New York, NY: McGraw-Hill.
Peter Viglucci, CISA, CRISC
Director of Information Technology
Peter Viglucci, Director of Information Technology, has over 17 years of experience in all aspects of financial industry IT.