38 SEPTEMBER / OCTOBER 2019 SECURITY / FRAUD Information Security Risk Seven questions small banks should ask Joe Oleksak Partner Plante Moran joe.oleksak@plantemoran.com Plante Moran is a Diamond Associate Member of the Indiana Bankers Association. While banking is an inherently risky business, most executives have a good understanding of the business risks facing their institutions. But mention information security, and many executives will tell you it’s an IT problem. Nothing could be further from the truth – information security is a business risk. As news articles continue to expose cyber breaches across a wide range of industries, responsibility is starting to head upward in the leadership chain to the audit committee and board of directors. Hard questions are being asked: • Did leaders do their due diligence? • Did they understand the risk? • Did they appropriately align resources? If the answer is no to any of these questions, then liability may ultimately find its way to the C suite. For banking executives, information security is now part of the job. Understanding information security risk at the business level helps you and your technology managers uncover and understand risk you may not have thought about. Following are seven questions to ask as you evaluate the security culture within your organization. 1. Is ownership of the information security risk assessment process at the bank’s executive level? Those who own the risk assessment process are in the best position to understand and effectively execute the risk program that comes from it. Since IT professionals aren’t typically responsible for (or aware of) all the organization’s business risks, they probably shouldn’t own the process. IT is a major player – potentially even a leader – but ownership must reside where the responsibility lies: at the executive level. If your executive team lacks experience or feels that some additional risk assessment guidance is important, facilitation (but not outsourced responsibility) with a third party is a good option. 2. Do you have adequate cybersecurity resources? In many banks, the IT personnel are not security professionals. In others, a shortage of available talent may limit in-house staffing options. In either case, finding a trusted adviser to implement a risk program is paramount, and you’ll need to budget for it. 3. Does your program meet or exceed regulatory standards and requirements? Financial institutions operate in a mature regulatory environment, and audits have been a part of doing business for years. But when it comes to information security, compliance is more than a necessary evil. It must go beyond “checking the box” to understanding the reasons for compliance, learning the value of a strong information security framework, and building on that value to develop a strong information security posture. Beyond the audit report itself, it’s important that you understand the baselines and deviations from your institution’s security monitoring. Most importantly, you must be able to relate how the results affect risk within your organization so you can align resources appropriately to address those risks. Having a strong partnership with your IT auditors can add perspective and guidance. 4. Are your systems and networks secure? Systems and networks should be designed and configured properly and work in accordance with your risk assessment plan’s control objectives. Your
RkJQdWJsaXNoZXIy MTg3NDExNQ==