In reviewing recent security incidents at several New York City banks, an article in the October 21st New York Times¹ focused on an ever recurring theme – the need to closely scrutinize how well a financial institution’s vendors provide IT security to protect access to data and systems.  While the theme itself isn’t new, the article revealed that the Treasury Department is now engaged in a “sweeping effort”¹ to require banks to increase their procedures for determining if vendors are adequately protecting their data and access to their systems.

(more…)

It’s the 21st century – your cyber-security assessments cannot afford the “one and done” approach of yesterday.

Modern information systems, comprised in large part by computer networks, contain a myriad of intertwined technologies – databases, applications, networking devices, web services and email just to name a few. All of these technologies are provided by diverse platforms at various release levels. Throw human users with varying roles and privileges into the mix and the resulting level of complexity makes an effective information security program an imposing challenge. Businesses are feeling the pressure of meeting the needs for global connectivity, e-commerce transactions, and online business-to-business communications while maintaining security programs to protect their information assets. Privileged account control, patch management, configuration management, and data backup are some of the hurdles to be cleared.

(more…)

While there are often significant non-financial benefits to understanding your vendors’ controls, many executives are still “fuzzy” on why they need a third party or vendor risk management program. Generally, an organization outsources a business function to a service provider because it is less expensive than staffing the expertise and building the infrastructure internally. Building oversight (and additional cost) to manage the risks posed by these relationships into the budget seemingly reduces the ROI. However, not fully understanding these risks can cost the organization significantly more during and after a data breach. Once the decision is made to outsource, the sharing of sensitive information is a requirement; and due diligence becomes one of the only mechanisms to understand whether the third party has the necessary controls in place to protect your data.

(more…)