Developing an Information Security Wellness Program for your Financial Institution

Posted on Thu, Sep 11, 2014 @ 04:23 PM

Author: Karen Crumbley

Ask someone how they achieve optimal physical health and you will likely hear about the following three components: exercise, diet, and annual physicals. The combination of these three items provides a straightforward approach to preventing poor health or identifying any warning signs before they have an opportunity to progress. The same principles apply to information security awareness for a financial institution’s (FI’s) stakeholders (employees, board members, and customers). That is, given the same preventative measures, an FI may reduce the number and extent of information security breaches due to fraud. Consider implementing the following three measures in order to achieve information security wellness.

1. Exercise

The FI, much like the human body, needs mental exercise in order to stay fit. One example of exercise for the FI is to periodically assess how well its stakeholders can identify potential signs of fraud. Performing these assessments helps board members and employees recognize and resist social engineering attempts:

  • Do employees know the red flags that distinguish a phishing email from a legitimate email message? How well would they perform if a fraudster had researched their social media profiles in order to construct a convincing email asking for non-public information?
  • If a USB flash drive were planted in the lobby, would a staff member pick it up and plug it into a machine on the FI’s network?

If there is hesitation in answering these questions, it is important to determine the current health of your FI’s education and awareness program. Measure the baseline first, so that you can assess progress and see which educational methods actually change your FI’s stakeholders’ behavior. Engaging a third party to test behaviors may be beneficial: it can simulate real-world threats and keep staff on their toes through regular “exercise” of their awareness.

2. Diet

Information security awareness is the “diet” for an FI, yet FIs commonly treat information security awareness and education strictly as an annual event. Gramm-Leach-Bliley Act compliance for protecting customer information is not new, but that does not mean the educational content cannot be fresh. Ideally, there should be a well-balanced stream of information throughout the year that addresses the latest threats to non-public information and to the organization’s cyber security. Helping employees recognize the signs of fraud and respond appropriately is a process, not an event. As an alternative to the annual binge, feed your FI staff information on current topics and the latest threats to non-public information throughout the year. Staying ahead of the curve in this way is an important best practice, and the increased pressure from regulatory agencies on cyber security directives is one more reason to maintain a regular diet of information security focus.

3. Annual Physicals

Annual physicals are essentially a series of tests to assess the current state of wellness. One methodology for measuring the effectiveness of the FI’s information security awareness is to administer tests through a web-based training course. This lets employees apply everything they have learned throughout the year. Unlike watching a video or hanging up posters, web-based testing quantifies results, tracks activity, and reveals common threads in the findings. Perhaps there are areas of weakness that need additional attention. Identifying these areas will drive the diet and exercise regimen for the FI going forward and get everyone into SHAPE (StakeHolder Awareness Program Engagement).

All FIs can achieve information security awareness wellness by continuing these three basic initiatives throughout the year. The goal is for the FI to adapt and respond to the dynamic threats that exist. These strategies apply to all stakeholders in your organization: new employees will need to be educated, and more seasoned employees will need corresponding reminders and reinforcement. What can you do to improve your FI’s information security awareness health?

Tags: security awareness training, Information Security & Risk Management, security, security controls, information security monitoring

Virtualization: Not just for testing anymore

Posted on Wed, Nov 16, 2011 @ 07:18 AM

Author: Chris Sutherland

A question was recently asked of me as follows: “I am familiar with the concept of VM (Virtual Machine), which IBM invented back in the early 1970s. How would using VM provide greater security? And why would a bank customer want this?”

Let me begin my response by saying there are a number of good reasons to choose virtualization that make sense from a business standpoint (you can refer to my blog post, “Is Virtualization the Right Choice for your Financial Institution?”). With the appropriate setup and VMware’s virtualization solution, you get a secure and robust platform, backed by both the technology and the processes needed to maintain that high standard across all current and future products. VMware virtualization gives you the following:

• Secure Architecture and Design: Based on its streamlined and purpose-built architecture, vSphere (the VMware Hypervisor) is considered by many experts as the most secure virtualization platform.
• Third-party Validation of Security Standards: VMware has validated the security of its software against standards set by Common Criteria, NIST, and other organizations.
• Proven Technology: More than 250,000 customers – including all of the Fortune 100 as well as military and government installations – trust VMware to virtualize their mission-critical applications.

Because VMware uses what is called “bare-metal virtualization,” meaning that the hypervisor (the virtual machine manager) runs directly on the physical server, there is no dependency on a general-purpose operating system underneath it that could add another layer of insecurity.

Another point to consider is the “thin virtualization” concept. Thin virtualization began with VMware’s release of ESXi 3.5 and continues to improve, dramatically strengthening security and manageability as follows:

• The reduced size makes the attack surface much smaller and reduces the potential for vulnerabilities.
• Independence from a parent partition or console based on a general-purpose operating system means far fewer interfaces to exploit and fewer malware threats, which is especially important given the path that device drivers provide from the virtual machine to the physical hardware.
• Unstructured, console-based administrative interaction is replaced by authenticated and audited interfaces.

As an added point for securing the environment, VMware has a security suite of software called vShield. The vShield product family is the foundation for trusted cloud infrastructures. vShield enables adaptive and cost-effective security services within a single management framework. Three of the benefits are:

1. Reduce complexity with a unified security policy framework for the cloud. vShield provides a comprehensive set of services for securing the datacenter at every level (host, network, applications, data and endpoints) in a single management tool integrated with vCenter Server.
2. Secure applications and data with adaptive trust zones. vShield allows organizations deploying cloud infrastructure to create adaptive trust zones that securely isolate applications with different trust levels and can also quarantine applications that may have been compromised.
3. Accelerate compliance and automate remediation. Exposure or leakage of sensitive data, for example stolen credit card information, can cost an enterprise millions of dollars and/or harm its reputation. VMware vShield also gives organizations the ability to identify sensitive business information and ensure it is protected, including over 80 pre-built templates for the most common standards for protecting sensitive data.

So what have we concluded? The reasons cited here, plus the fact that many companies (including financial institutions) already run virtualization in production, lead us to the realization that virtualization is not only good for testing: it is secure and makes sense in everyday production environments, for business-critical applications as well as servers.

Tags: virtualization, VMware, security
