Application Security - the Vendor Management Connection
The ID Theft Red Flags Rule, Business Continuity and Anti-Money Laundering have dominated the headlines - and banking/security priorities. But recent attention paid to Application Security has the potential to fuel one major fire drill in 2009.
It started in May, when the Office of the Comptroller of the Currency (OCC) issued a bulletin underscoring the importance of application security. The point: to remind national banks and their third-party service providers that application security is an important component of their information security program. All applications, whether internally developed, vendor-acquired, or contracted for, need to be subject to appropriate security risk assessment and mitigation.
The underlying message here is vendor management: regulators want to see it improved by all banking institutions. Application security is just one of the newest vehicles for delivering that message.
You could see this theme developing back in Feb., when we released the results of our first annual State of Banking Information Security survey. Banking/security leaders expressed confidence in their own security measures and procedures, but when it came to those of their third-party service providers ... well, there was too much they didn't know, and yes, it could hurt them.
In their own fashion, the National Credit Union Association (NCUA) and Federal Deposit Insurance Corporation (FDIC) have had their say about improving vendor management practices, and I see the OCC's stance on application security as being part of the same theme: A financial institution can outsource a service, but it cannot cede responsibility for the potential risks to itself and its customers.
I believe vendor management is going to be one of the dominant stories of 2009 - that as soon as banking institutions get past their Nov. 1 deadline for Red Flags Rule compliance, the focus is going to shift (even more than it has now) to shoring up and demonstrating secure outsourcing practices.
That's why I'm so excited about our new Application Security survey, and if you haven't taken it yet, then please take a few minutes to do so now.
The point: To gauge what institutions' application security practices are now, as well as what gaps need to be filled. My theory, of course, is that institutions are doing a pretty good job of ensuring their own practices and procedures. But when it comes to verifying the same in applications developed or managed by vendors ... ehh, perhaps not so good.
So, take a few minutes please (if you haven't already) to fill out this survey. The results will give you the chance to benchmark your efforts against those of other institutions, and they'll also give you the information you need to either validate or initiate your efforts toward fulfilling what may well be one of the biggest regulatory mandates of 2009.
It's all about vendor management. The sooner you get a handle on it - and demonstrate it to your examiners - the better.