Information Security Trends, Issues Continue to Evolve - FINSEC 2006 Conference, New York
With 10 vendor sponsors at the conference, attendees were availed to information security solutions during the conference breaks ranging from CD and DVD encryption to anti-virus software and authentication solutions. Vendors included: AppSense, Global Technologies Group, Harris Corporation, Imperva, Kaspersky Lab, M-Tech, nCipher, Tablus, TriCipher, and WhiteHat Security.
The security strategies, tools and techniques presentations covered in the two-day conference were led by eleven information security experts from national banks and financial firms. The most highly sought-after seat was in the FFIEC Authentication Guidance talk led by Diana Kelley, VP and Service Director from the Burton Group. It was standing room only within five minutes of the start, showing that many of the FINSEC 2006 attendees wanted to know how the authentication guidelines will apply to their institutions. The Tower Group has estimated that only 20 percent of institutions will have security systems implemented by the end of the year. Kelley suggested that strategies should look toward a risk management approach, not just to conform to FFIEC authentication guidance but also to PCI and NACHA guidelines, if warranted. She also recommended that institutions go to their examiner and talk to them about what they are thinking of implementing, talk to them about issues found in other banks' examinations and, if in doubt, ask them to explain clearly what they want.
Another popular session was presented by Phil Maier of Inovant, a VISA Solutions Company. His talk, Key Indicators for the Financial Sector: What to Monitor and Log, showed the approaches to logging and monitoring and noted that while regulatory rules mandate that banks regularly monitor event logging, it is growing more popular among institutional management as a way to protect not only the perimeter of the institution's operations but the data at rest too. Consolidating a bank's logging approach was recommended by Maier as a cost-effective measure where multiple firewall logs must be monitored. Centralized monitoring offers institutions economies of scale through consolidated reporting and correlation opportunities across the enterprise. It also offers enhanced forensics capabilities and a single point of contact for audit.
Among other presenters was Karl Kasper of JP Morgan Chase, who spoke on "Security Architecture as a Foundation for Risk Analysis." Kasper, a founder of @stake, noted that the potential for serious damage to institutions and the financial industry's role in critical infrastructure make a baseline security architecture with mitigation strategies built in not a nice-to-have, but a must-have for any institution.
Parker Foley of Wachovia spoke on Trends in Information Security Standards. Foley's take on the drivers behind the trend toward higher-level models in policy structure and distributed models in management responsibility included the move to a business approach to security and the pressures of efficiency and cost reduction at larger banks.
Throughout the conference presentations, the audience came away with valuable information. Other topics included: Security in a Check21 Environment; Security Awareness Strategy; User Provisioning; Promising Security Technology Trends; Developing an In-house Pen Testing Program; Cryptography 101; Web App Hacking; and Remote Access Security.
Keynotes were presented by Thomas Dunbar, Global IT Chief Security Officer of XL Capital; Anish Bhimani, Managing Director of IT Risk Management for JP Morgan Chase Bank; and Ron Insana, Senior Analyst for CNBC. Dunbar's keynote, Beyond the Expected: The Impact of Sarbanes-Oxley on Information Security Management, showed the direct link between a strong InfoSec department that treats information security as a business risk management issue and compliance with SOX. Dunbar stressed the need to identify key risks within an organization: those inherent financial reporting and fraud risks that, if left unmitigated by control activities, could individually or in aggregate result in a more than remote likelihood of a more than inconsequential misstatement in company financial statements. Dunbar reminded the audience that it's not just SOX that businesses must comply with, but also the EU Data Privacy acts, HIPAA and the Financial Services Authority regulations.
Bhimani's talk, Managing Risk in a Constantly Changing Environment, noted that the next two years will bring several trends, including: increased regulatory scrutiny; increasingly focused attacks on specific targets; increased customer and media awareness driving reputational risk; and the rise of security metrics and the evolution of information security into risk management. Bhimani sees the evolution of information security into risk management as necessary to align with operational risk and regulatory compliance, and the partnership of information security with IT Audit in larger organizations will help make information security more visible.
Ron Insana's keynote focused on anecdotes about infamous Wall Street scams, including the Salad Oil scandal of 1963, and the regulations that follow cyclical financial abuses, as when the cases of Enron, Tyco and WorldCom produced the Sarbanes-Oxley (SOX) legislation. Insana noted that many publicly held companies are buying out stockholders and reverting to privately held entities to avoid SOX compliance and other regulatory scrutiny. He also predicted that regulatory relief from SOX does not seem likely in the near future. One bright note: Insana pointed out that historically the stock market usually has a good year in the third year of a president's term, leading up to a presidential election.