Find answers to questions such as: What makes an ERM program effective? How should it be implemented?
A Complete Data Security Strategy
From text messages and emails to storage and archiving of highly sensitive data, managing and securing information is a serious challenge for financial institutions. While the technological and procedural dams in place to restrain the flood of sensitive information in an increasingly digital world are becoming more sophisticated, the water pressure is building.
At a time when online efficiencies and advances in information technology inevitably lead to a corresponding array of new vulnerabilities, it can be tempting to “fight fire with fire”— relying on technology to upgrade security and data management capabilities. But architecture is only one piece of the puzzle.
One critically important — and often underutilized — component of any data security and management strategy is planning and policy; specifically the ability to make strategic and informed decisions based on information classification. Because while PCI Security Standards and other compliance regulations dictate how certain information should be handled, few financial organizations truly understand the implications of the connection between what they are storing and how it should be stored. Fewer still have demonstrated the ability to use that differentiation to proactively mitigate data loss and avoidable exposure.
The ability to make those distinctions, and to use them as the basis for rigorous policies and procedures that will make information more secure and data management more efficient, is at the heart of information classification. Adopting security and data management policies based on the fundamental principles of information classification is a good way for decision-makers at institutions to maintain regulatory compliance while optimizing their IT environments and creating valuable new efficiencies.
Appreciating the nuances of how to apply information classification to your data management and security strategies requires a strong grasp of what categories of information are particularly sensitive, where and how that information is being stored and protected, and what kinds of liabilities exist with regard to managing it without excessive complexity.
Personal Information Abounds
It might seem like stating the obvious to point out that compliance requirements deal with sensitive (i.e. personal, identifiable) information. When designing an effective and efficient information management policy, however, it is an important starting point to recognize exactly what you are trying to protect. Everything from Social Security and bank account numbers to birth dates and credit scores all falls into the category of information that used to be under the metaphorical mattress and is now present online and in electronic databases.
One key distinction that needs to be made in order to classify records correctly is to distinguish between data and information. Data are the bits and bytes and the types of files; the raw materials, in other words. Information, on the other hand, is the value of that data over time, or the potential loss in value that compromised information would represent. Financial records, customer records, intellectual property and executive communications all fall into the category of highly sensitive proprietary information.
Typically, financial institutions will identify the most mission-critical applications and designate a storage infrastructure to support that analysis. High-end arrays (i.e. Tier 1 disks) are a popular choice, representing a kind of hi-tech filing cabinet with the dual advantages of portability and security.
The most important consideration is not so much the hardware, but the ability to coordinate the storage element with a security element as each in a vacuum is meaningless and counterproductive. Compliance standards are a good starting point to evaluate the category of information, and the right processes in place to manage and protect that information.
There are a number of strategies to safeguard information in a way that maximizes security and efficiency, but they all hinge on a deep understanding of the value and utility of the information in question. Once that is clear, it is possible to put controls on information that will prevent it from being emailed, or will not allow it to be transferred to a USB drive or other portable storage device.
Some systems will remotely notify an administrator if sensitive information is accessed or a transfer has been attempted. More rigorous techniques include encryption packages for everything from emails and data transfers to archived information, physical keys necessary to access or read disks, and a host of more sophisticated access controls and user permissions. Older material might be moved to a secure cyber vault that can be accessed if necessary.
Today’s online world full of increasingly ubiquitous mobile devices only makes these security challenges more profound. Security systems that were once no more complex than a password and a user ID simply will not cut it today, and in the last five to 10 years we have seen a move toward tokens — unique identifiers for specific individuals (three-factor authentication). These tokens can be physical (a device attached to a keychain) or electronic, or a combination of both. This rapidly expanding field is helping to make systems more difficult to penetrate. Because of the speed at which the strategies and technologies are evolving, regulatory compliance and information security are an ongoing processes … not a one-time event. Tracking and monitoring programs and staying informed about new advances is critical.
Responsibilities and Ramifications
Financial institutions have a responsibility to protect the sensitive information of their clients, employees and professional partners, and the consequences of a failure to fulfill that responsibility extend far beyond the regulatory or legal penalties that may result. The short-term financial impact of fines or penalties can be significant, but the long-term financial effect resulting from a loss of consumer confidence may be far worse. A reputation hit, loss of market share and damage to a bank’s brand can be as detrimental as the regulatory ramifications.
Avoid those pitfalls by developing a cohesive strategy based on information classification. Look at what is stored, where it is stored and duration of storage, and let that structure begin to inform your strategies and solutions. Above all, pay attention to detail and think carefully about how to balance priorities with regard to compliance, security, access and efficiency.
The bottom line is that technology can only go so far. Due diligence conducted by an organization must include policies that are not designed and implemented in a vacuum, but structured to address real-world demands and vulnerabilities. Do not fall into the trap of thinking that you can “tech” your way to security. Technology is important, but the smart money is on the policies, procedures, training and documentation that not only comply with security regulations, but also do so in a manner that aligns information with business value.
Marc Johnson is practice manager of storage & datacenter management for Michigan-based Creative Breakthroughs Inc., an IT advisory services, network security, integration and infrastructure management strategies company. Contact him at mjohnson(at)cbihome.com or 248-519-4000.
Copyright (c) February 2012 by BankNews Media