Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions
John Carlson, Senior Director, BITS
Presentation to Global Dialogue, World Bank Group
September 10, 2003
Agenda
Overview of BITS
Key Security and Technology Risks
BITS Security-Related Risk Management Activities
BITS Product Certification Program
IT Service Providers Effort
Fraud Reduction and Identity Theft Prevention and Assistance
A BIT about BITS
Created in 1996 to foster the growth and development of electronic financial services and e-commerce for the benefit of financial institutions and their customers.
A nonprofit industry consortium that represents the 100 largest financial institutions in the US (banks, securities and insurance).
Works as a strategic brain trust to provide intellectual capital and address emerging issues where financial services, technology and commerce intersect.
BITS’ mission is to unify the leadership of the nation’s largest integrated financial services companies in order to:
– Address urgent and cutting-edge technology-related business issues;
– Leverage and protect the financial services industry critical infrastructure;
– Bring industry issues to the public sector in credible, objective and effective ways; and
– Maintain consumer confidence in the delivery of financial industry products and services.
Key BITS Accomplishments
Crisis Management
– Leading crisis management coordination efforts for the sector
– Creating the BITS/FSR Crisis Communicator
– Driving dialogue to address telecommunications interdependencies
Best Practices
– BITS Voluntary Guidelines for Aggregation Services
– BITS IT Service Provider Framework
– BITS Guidelines for Mobile Financial Services
– BITS E-Insurance Technology Risk Transfer Gap Analysis Tool
White Papers
– Fraud Prevention Strategies for Internet Banking
– Financial Identity Theft: Prevention and Consumer Assistance
Product Security
– Security profiles and testing for e-commerce products
Other points to make: Submitted comment letters on the “Draft Interagency White Paper to Strengthen the Resilience of the U.S. Financial System” and “National Strategy to Secure Cyberspace”.

BITS Priorities for 2003
Crisis Management Coordination
Telecommunications
Fraud Reduction
IT Service Providers
Operational Risk Management
Payments Strategies
Privacy and Information Use
Security and Risk Assessment (SRA)
BITS Product Certification Program (BPCP)
Security and Technology Risks
Continuing growth in new e-finance applications, movement of these applications to public networks, and expanding customer access via new channels
Increase in outsourcing arrangements
Complexity of software and systems
Escalating rate and nature of cyber attacks, viruses and worms
Poor quality of software
“Patch management” challenges
Identity theft and privacy protection
Infrastructure interdependencies (e.g., telecommunications networks, power grid)
Regulatory requirements and operational risk capital requirements
BITS Security-Related Activities
Product Security
– Urging software manufacturers to improve software quality.
– Developing best practices for patch management.
– Improving baseline security of products used in the financial industry through security requirements and software testing.
Critical Infrastructure
– Developing the National Strategy for Critical Infrastructure Protection.
– Supporting and strengthening the Financial Services Information Sharing and Analysis Center (FS/ISAC).
– Founding and participating in the Financial Services Sector Coordinating Council for Homeland Security and Critical Infrastructure Protection.
The Security and Risk Assessment Working Group is made up of senior information security officers of member companies. The goals of the BITS Security and Risk Assessment Working Group are to:
– Increase public and private sector confidence in the security of e-commerce.
– Provide leadership in addressing security issues for all financial services companies.
– Work with government agencies and regulators in the assessment of needed legislation and regulation.
– Influence key technology providers on security aspects of product and service development.
The working group does this through education, advocacy and support.
BITS Security-Related Activities
Operational Risk
– Developing a common body of high-risk factors that influence operational risk models.
– Establishing metrics and measurement methodologies.
Regulatory
– Assisting financial institutions in complying with new cyber security and other security requirements (e.g., customer notification in response to security breaches).
– Facilitating industry dialogue with regulators.
The BITS Operational Risk Working Group serves as a forum for the exchange and development of ideas around enterprise-level operational risk challenges. It has developed a common body of high-risk factors for the industry related to information security that influence operational risk models, and is establishing metrics and measurement methodologies. It is developing a list of Key Risk Indicators by major line of business and defining best practice for their use, and is working with regulatory agencies and member financial institutions to comply with new requirements in a cost-effective manner.
BITS Product Security Program
A three-year development effort involving 32 BITS member companies, 23 outside organizations and over 100 security professionals from technology vendors, government agencies and leading financial services firms.
Criteria represent minimum baseline product security requirements for a set of security features including:
– Identification
– Authentication
– Authorization
– Non-repudiation
– Confidentiality
– Data and system integrity
– Data disposal
– Audit
– Security administration
– Guidance documentation
BITS is among the first private-sector “user communities” to use the Common Criteria to define product-security requirements. The BITS Product Certification Program shares goals with Common Criteria certification. Technology vendors can avoid duplicate testing and reduce costs by testing for BITS Product Certification and the Common Criteria at the same time. Testing is available through third-party labs or Common Criteria labs.
IT Service Providers Effort
BITS IT Service Providers Working Group – Raises awareness, develops voluntary guidelines, and shares successful strategies to assure the security and privacy of third-party services in support of the financial services industry.
BITS Framework for Managing Technology Risk for IT Service Provider Relationships – Provides criteria against which relationships can be evaluated and managed. Update published for comment September 2003.
BITS IT Service Provider Expectations Matrix – Reduces risk, helps institutions comply with regulatory requirements and eliminates gaps in the audit or assessment process. RFI available for public comment through September 30.
BITS/American Banker Financial Services Outsourcing Conference – Held November 6-7, 2003 in Washington, DC.
According to Gartner, outsourcing within the securities and financial-services segment saw a 10.4 percent growth rate in 2002, with a projected 12.8 percent growth rate for 2003 globally. In an environment where financial institutions’ use of domestic and international outsourcers is growing, financial institutions must establish processes that evaluate risks, vulnerabilities and regulatory requirements at every stage of the process, from selection to management.
The BITS IT Service Provider Working Group raises awareness, develops voluntary guidelines, and shares successful strategies to assure the security and privacy of services provided by third parties in support of the financial services industry.
First deliverable – Framework: provides the financial services industry and service providers with risk-management strategies for evaluating IT Service Provider outsourcing opportunities. The Framework is based on the Working Group’s interpretation of regulatory requirements and industry best practices.
The Framework is currently being updated by our members with further considerations for vendor management, disaster recovery and business continuity, cross-border outsourcing and security expectations.
Created to identify security and control requirements, the Expectations Matrix provides financial institutions, service providers, and audit and assessment organizations with a comprehensive tool to reduce risk, help institutions comply with regulatory requirements and eliminate gaps in the audit or assessment process. This industry-wide approach will promote a common understanding among IT service providers of the financial industry’s expectations for information and control requirements. This RFI is out for comment through September 30.
Conference – brings together regulators, financial institutions and service providers to share information. The agenda includes keynotes by the Corporate Technology Officer at Citigroup and the Department of the Navy CIO. The second day is dedicated to cross-border outsourcing.
Fraud Reduction/Identity Theft Prevention and Assistance
Quarterly Loss Reporting Program – Participants saw, on average, a 3% annual decrease in losses per account vs. an industry increase of 1% between 1999 and 2001. (Program administered by the American Bankers Association.)
BITS/FSR Fraud Reduction Voluntary Guidelines – Efficient and consistent procedures to prevent identity theft and restore victims’ financial identity.
Uniform Affidavit for Identity Theft – Allows for collection of transactional detail to be shared with law enforcement to help build cases and shut down fraud rings. The affidavit may be shared with other companies where the victim holds accounts. (Created with the Federal Trade Commission.)
Publications – White papers on truncation, identity theft and Internet fraud.
For More Information
John Carlson, Senior Director
E-mail: john@fsround.org
Telephone: (202) 589-2442
www.BITSinfo.org