Implementing short-term solutions

From the document Information Security (pages 114-117)

A proactive approach: Overview

4.4 The consolidation period

4.4.5 Implementing short-term solutions

Of the issues summarized in the previous section, the medium- and low-priority issues will not be dealt with in the short term, as they are either too complex, too contentious, or will take too long to complete. Consequently, these issues are one of the two major inputs into the information-security strategy (the strategic vision of the organization is the other). Issues that do not make it into the strategy will be recorded and tracked using an issues-tracking database (see Section 4.4.6).

The high-priority issues will be dealt with during the consolidation period. We have seen that in the case of The Secure Bank, the following issues are judged as high priority:

Support from executive management;

Absence of risk analysis;

Insufficient dialogue with users;

High standards imposed by the audit department;

Lack of involvement of production support staff;

No defined approach to privacy issues.

Resolving the first point is somewhat simplified by the fact that executive management has already recognized that there is a problem. Indeed, in Section 1.9 we explained how a series of unfavorable audits resulted in a decision by executive management to change the management of the information-security process, which is why we are here!

One of the first actions we undertake, therefore, is to ask executive management to name a representative for issues relating to information security.

At the same time, we request that the IT security department be given temporary responsibility for coordinating all aspects of information security, on the understanding that this decision will be reviewed at the end of the consolidation period. One of the arguments used to justify this approach was that nobody was prepared to accept responsibility for privacy issues, and this had therefore become a bottleneck to further progress for the marketing department.

Table 4.1 (continued)

Id   Issue                                                    Priority

I15  Test Environments Use Production Data                    Low
     Testing is currently carried out in development environments, which are less secure than the production environment. Despite regulatory restrictions protecting the confidentiality of data related to clients, testing cycles use real production data.

I16  Complex Infrastructure with Little Standardization       Low
     In the past, the IT security department has not been able to respond rapidly enough to requirements for securing applications. This problem is compounded by a complex infrastructure and a lack of product standardization.

I17  No Architectural Approach                                Low
     In the past, the introduction of security-related tools has been very limited. Existing tools have been implemented as point solutions and economies of scale have not been realized.

Following the agreement of the executive committee and the appointment of a representative, we prepare and agree on a brief statement of support for the information-security process and publish this on the organization's internal Web site. In parallel, we establish an information-security steering committee chaired by the IT security department and consisting of a representative of each stakeholder, including the executive-management representative. The primary goal of the steering committee is to encourage the active involvement of stakeholders and to provide a forum for dialogue.

In the future, this steering committee will prove to be a valuable mechanism for depersonalizing issues and avoiding conflicts.

More formally, the responsibilities of the steering committee are as follows:

Review and approve the information-security strategy.

Review and approve information-security policy statements.

Ensure that the information-security approach is aligned with the business strategy of the bank and make recommendations on how to proceed where conflicts arise.

Ensure that the information-security department receives the support it requires from stakeholders in order to successfully complete its mission.

Provide a cross-discipline management forum for discussing security-related issues.

The second issue, the absence of risk analysis, provides us with an opportunity for strengthening the relationship with the risk-management group.

During the initial stakeholder meetings, the manager of the group stressed the importance of preparing for the requirements of the Basel II agreement and expressed a certain frustration with the lack of progress to date. Our approach was therefore to actively support the risk-management department in this area in return for their support for the introduction of FRA techniques in the short term. The risk-management department was happy to agree to this approach on the understanding that efforts would be made to combine the two methods into a single approach in the long term.

A number of actions will be launched to immediately improve the dialogue with end users:

Creation of an information-security section on the company's intranet server, including a bulletin board where users can ask questions and receive responses from the IT security department;

Modification of current IT help desk procedures to allow security-related problems to be forwarded to the IT security team;

Establishment of a centralized telephone number for reporting security incidents;

Creation and delivery of a short awareness presentation focused on awareness of current threats. The objective of the presentation is to encourage users to think about the possible consequences of everyday actions, particularly where modern technology is concerned.

The problem arising from the high expectations of the audit department is more delicate, as it involves a potential conflict between two important stakeholders. Within The Secure Bank, we were able to resolve this problem by introducing a proposal for a more risk-oriented approach to the information-security steering committee. According to this approach, the appropriate level of security for new applications will be decided by the business manager, based on a risk analysis performed together with the risk-management team and the IT security department. The steering committee was in favor of this approach because the business manager is in the best position to weigh information-security risks against the risks of late delivery. In addition, the new procedure requires the business owner to formally accept the residual risk. The role of the audit department is then to ensure that the business managers fulfill this role correctly and to verify that any legal or regulatory requirements are satisfied.

The lack of involvement of production staff is only an issue in the sense that nobody has provided feedback to this group in the past. This is easily resolved by appointing a member of the IT security unit as a point of liaison with administrators and organizing a biweekly meeting to discuss proposals and how to take them forward. As production support staff will be proposing mainly technical improvements, the first task of this workgroup is to define a set of global requirements, which all proposed ideas for improvement must meet in order to be considered as candidates for implementation.

By insisting on this preliminary step, we will be able to align this process with our strategic vision for the future.

Finally, following the decision of executive management to temporarily extend the scope of IT security to cover all aspects of information security, we agree to take charge of the privacy issue confronting the marketing department. Work started on this issue at the beginning of the fourth month. Although it took another 3 months to solve this issue, the marketing department was able to resume the project after 4 weeks, following a site visit to a financial institution that had already solved this problem. The final agreed solution was to produce a privacy policy by working together with the legal and audit departments and with guidance from a contact point in the financial institution. The final policy was formally approved by the information-security steering committee in its second meeting (month seven), which meant that the text could be published on the Web site and sent to customers in mailings at the beginning of month eight.

This last issue is worthy of further comment, as the final delay of 8 months was initially unacceptable to the marketing department. However, we were able to use the information-security steering committee to support this strategy, given the commitment of executive management to improving information security. As a result, the marketing department received the full support of executive management to delay the project until the issue had been resolved correctly.