Are security managers meeting new needs?

In 1968, when Congress enacted the Bank Protection Act, the risks faced by banking institutions were significantly different from the risks faced by banks today. For the most part, bank security programs of this era were targeted to the paper-based physical delivery systems of that period, and the basic role of the bank security director at that time was primarily focused on physical security, such as ensuring that the proper security devices and systems were in place. Over the next twenty-five years not much changed. Congress passed numerous laws addressing such new concerns as money laundering, but the attention remained focused on physical security and paper trails to address risks such as armed robberies, check fraud, and currency safekeeping. Now, however, bank security is going through a paradigm shift. Advances in technology have caused the scope of financial institution risk to take on an entirely different character, unrecognizable from the risks banks faced only a decade ago. For example, banks are not adding physical branch sites; they're closing them. But "virtual" access to bank assets through electronic means is growing exponentially.
If bank security departments are to be seen as adding value to their organizations in this new environment, they must be viewed as enablers in safeguarding emerging technologies. While some financial services security professionals have successfully expanded their efforts to address technology risk management by integrating information systems security, disaster planning, and overall technology risk control under a single program, others continue to operate with a circa-1968 security program design. Those security directors can be heard at industry conferences complaining that so much at their institution "gets done outside their box." Indeed it does, and security professionals must break out of that box to survive. If they do not soon recognize the need to shift priorities, they will become less and less relevant to their company's well-being, replaced by or subsumed under the information technology group within each organization. Conversely, if they look closely at their institution's technology risk profile, they will see an opportunity to make a difference. Many banks' weakest security component is not the absence of new data protection technologies; it is the absence of proper oversight. At the same time that these banks invest heavily in data security systems, they fail to establish policies to ensure that audit logs are systematically monitored, that suspicious or unauthorized access events are resolved, and that timely criminal referrals are made for technology-related crimes. Security directors can fill this need. They can help their institutions develop formalized policies for monitoring computer access and ensure that access violations are investigated. Security managers should integrate these technology risk management programs with their existing security programs.
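The oversight gap described above (audit logs that nobody systematically reviews) can be closed with a routine exception report. The following Python script is an added illustration, not part of the original article: it reads a constructed text file of access-event records, applies three assumed policy inputs (an active-user roster, a local business-hours window, and a failed-login escalation threshold) and lists the events that a reviewer must investigate and resolve.

```python
from collections import Counter
from datetime import datetime

# Constructed access-event records: timestamp|user|application|event|result
SAMPLE_LOG = """\
1999-03-02 09:14:55|jsmith|core_ledger|LOGIN|OK
1999-03-02 09:20:03|jsmith|core_ledger|QUERY|OK
1999-03-02 22:41:17|mlee|wire_transfer|LOGIN|OK
1999-03-02 22:42:05|mlee|wire_transfer|POST|OK
1999-03-03 10:02:11|rdoe|core_ledger|LOGIN|FAIL
1999-03-03 10:02:30|rdoe|core_ledger|LOGIN|FAIL
1999-03-03 10:02:58|rdoe|core_ledger|LOGIN|FAIL
1999-03-06 11:15:00|tbrown|printer_queue|PRINT|OK
"""
AUTHORIZED_USERS = {"jsmith", "mlee", "tbrown"}   # assumed roster extract from HR
BUSINESS_HOURS = (7, 19)        # assumed policy: 07:00 up to 19:00, weekdays only
FAILED_LOGIN_THRESHOLD = 3      # assumed policy: escalate at this many failures

def parse_records(text):
    """Turn the pipe-delimited text file into one dict per access event."""
    records = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 5:
            raise ValueError("malformed access record: %r" % line)
        ts, user, app, event, result = fields
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "user": user, "app": app, "event": event, "result": result})
    return records

def find_exceptions(records):
    """Return (rule, user, detail) tuples a reviewer must resolve and document."""
    exceptions, failed_logins = [], Counter()
    for r in records:
        if r["user"] not in AUTHORIZED_USERS:             # no active roster entry
            exceptions.append(("unauthorized-user", r["user"], r["app"]))
        in_window = BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]
        if r["ts"].weekday() >= 5 or not in_window:        # weekend or off-hours
            exceptions.append(("off-hours", r["user"], r["ts"].isoformat(sep=" ")))
        if r["event"] == "LOGIN" and r["result"] == "FAIL":
            failed_logins[r["user"]] += 1
    for user, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:                # repeated failures on one ID
            exceptions.append(("repeated-login-failure", user, str(count)))
    return exceptions

if __name__ == "__main__":
    for rule, user, detail in find_exceptions(parse_records(SAMPLE_LOG)):
        print("%-22s %-8s %s" % (rule, user, detail))
```

Each reported line is an item the security department must close out in writing, which is the monitoring policy the article says most banks lack.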
But before they can take that initiative, they must garner the specific technological know-how required to convince senior management that the bank security director can be entrusted with protecting the bank's technology assets and computing infrastructure. Doing so involves more than understanding general concepts. The security manager should become comfortable with tasks such as retrieving text-file records of computer access events and obtaining audit trails from other sources such as printer queues, transaction logs, and cost-accounting systems. In other words, the security manager must be computer literate. Once management understands the logic of incorporating technology risk control into the bank security program, the security director needs to implement safeguards to address the six "As" of technology risk control as follows.

Assurance. Documented policies must be in place to assure management that internal controls exist for all aspects of information and technology risk. Policies should provide a clear standard of what is expected based on a single authoritative source that everyone can refer to and interpret consistently.

Authentication and authorization. Authentication and authorization systems must be in place to uniquely identify individual users. The best method involves three-factor authentication, which includes something the user has (an access card or token), something the user knows (a password), and something intrinsic to the user - a characteristic such as a retinal image or face recognition.

Audit trails. Audit trails should be in place to detect and report user access events, discern user actions taken, and trace transaction events back to source applications.

Availability. Availability of corporate information and technology resources should be ensured through appropriate emergency disaster and business continuity plans, both for the corporate infrastructure and for each business unit.

Asset tracking. Systems should be in place to track information technology assets, including all components of a distributed computing environment. This concern can be addressed through prudent business practices, software tools, and products.

For security directors who have not begun to address the movement toward electronic banking, now is the time to get started. Of course, doing so will require a serious commitment of time and resources. New security hardware and software solutions are introduced almost daily. They address everything from Internet/intranet and Web security to workstation-to-server controls and security for distributed applications. Attempting to gain a working knowledge of this vast and shifting landscape can be overwhelming. But the challenge must be met if banks are to be adequately protected against technology crimes and if security professionals are to continue to play a vital role in developing and maintaining the needed safeguards.

John J. Melia, Jr., CPP, CFE (certified fraud examiner), CISSP (certified information systems security professional), CBCP (certified business continuity professional), is director of compliance/risk management for Home Loan and Investment Bank, FSB, based in Warwick, Rhode Island. He is a member of ASIS.