Presentation is loading. Please wait.

Presentation is loading. Please wait.

John Carlson Senior Director, BITS

Published byMadison Simpson Modified over 5 years ago

Similar presentations

Presentation on theme: "John Carlson Senior Director, BITS"— Presentation transcript:

1 John Carlson Senior Director, BITS
Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior Director, BITS Presentation to Global Dialogue World Bank Group September 10, 2003

2 Agenda Overview of BITS Key Security and Technology Risks
BITS Security-Related Risk Management Activities BITS Product Certification Program IT Service Providers Effort Fraud Reduction and Identity Theft Prevention and Assistance

3 A BIT about BITS Created in 1996 to foster the growth and development of electronic financial services and e-commerce for the benefit of financial institutions and their customers. A nonprofit industry consortium that represents the 100 largest financial institutions in the US (banks, securities and insurance). Works as a strategic brain trust to provide intellectual capital and address emerging issues where financial services, technology and commerce intersect. BITS’ mission is to unify the leadership of the nation’s largest integrated financial services companies in order to: –Address urgent and cutting-edge technology-related business issues; –Leverage and protect the financial services industry critical infrastructure; –Bring industry issues to the public sector in credible, objective and effective ways; and –Maintain consumer confidence in the delivery of financial industry products and services.

4 Key BITS Accomplishments
Crisis Management Leading crisis management coordination efforts for the sector Creating the BITS/FSR Crisis Communicator Driving dialogue to address telecommunications interdependencies Best Practices BITS Voluntary Guidelines for Aggregation Services BITS IT Service Provider Framework BITS Guidelines for Mobile Financial Services BITS E-Insurance Technology Risk Transfer Gap Analysis Tool White Papers Fraud Prevention Strategies for Internet Banking Financial Identity Theft: Prevention and Consumer Assistance Product Security Security profiles and testing for e-commerce products Other points to make: Submitted comment letters on the “Draft Interagency White Paper to Strengthen the Resilience of the U.S. Financial System” and “National Strategy to Secure Cyberspace” BITS Priorities for 2003 Crisis Management Coordination Telecommunications Fraud Reduction IT Service Providers Operational Risk Management Payments Strategies Privacy and Information Use Security and Risk Assessment (SRA) BITS Product Certification Program (BPCP)

5 Security and Technology Risks
Continuing growth in new e-finance applications, movement of these applications to public networks, and expanding customer access via new channels Increase in outsourcing arrangements Complexity of software and systems Escalating rate and nature of cyber attacks, viruses and worms Poor quality of software “Patch management” challenges Identity theft and privacy protection Infrastructure interdependencies (e.g., telecommunications networks, power grid) Regulatory requirements and operational risk capital requirements

6 BITS Security-Related Activities
Product Security Urging software manufacturers to improve software quality. Developing best practices for patch management. Improving baseline security of products used in the financial industry through security requirements and software testing. Critical Infrastructure Developing the National Strategy for Critical Infrastructure Protection. Supporting and strengthening the Financial Services Information Sharing and Analysis Center (FS/ISAC). Founding and participating in the Financial Services Sector Coordinating Council for Homeland Security and Critical Infrastructure Protection. The Security and Risk Assessment Working Group is senior information security officers of member companies. The goals of the BITS Security and Risk Assessment Working Group are to: Increase public and private sector confidence in the security of e-commerce. Provide leadership in addressing security issues for all financial services companies. Work with government agencies and regulators in the assessment of needed legislation and regulation. Influence key technology providers on security aspects of product and service development. The working group does this through education, advocacy and support.

7 BITS Security-Related Activities
Operational Risk Developing a common body of high-risk factors that influence operational risk models. Establish metrics and measurement methodologies. Regulatory Assisting financial institutions in complying with new cyber security and other security requirements (e.g., customer notification in response to security breaches). Facilitating industry dialogue with regulators. BITS Operational Risk Working Group serves as a forum for the exchange and development of ideas around enterprise-level operational risk challenges. Developed a common body of high risk factors for the industry related to information security that influence operational risk models and establish metrics and measurement methodologies. Developing a list of Key Risk Indicators by major line of business and defining best practice for use. Working with regulatory agencies and member financial institutions to comply with new requirements in a cost effective manner.

8 BITS Product Security Program
A three-year development effort involving 32 BITS member companies, 23 outside organizations and over 100 security professionals from technology vendors, government agencies and leading financial services firms. Criteria represent minimum baseline product security requirements for a set of security features including: Identification Non-repudiation Authorization Confidentiality Data and system integrity Data disposal Audit Authentication Security administration Guidance documentation BITS is among the first private-sector “user communities” to use the Common Criteria to define product-security requirements. The BITS Product Certification Program shares goals with the Common Criteria Certification. Technology vendors can leverage testing duplication and costs by testing for BITS Product Certification and the Common Criteria at the same time. Testing is available through third party labs or Common Criteria labs.

9 IT Service Providers Effort
BITS IT Service Providers Working Group – Raises awareness, develops voluntary guidelines, and shares successful strategies to assure the security and privacy of third-party services in support of the financial services industry. BITS Framework for Managing Technology Risk for IT Service Provider Relationships – Provides criteria against which relationships can be evaluated and managed. Update published for comment September 2003. BITS IT Service Provider Expectations Matrix – Reduces risk, helps institutions comply with regulatory requirements and eliminates gaps in the audit or assessment process.  RFI available for public comment through September 30. BITS/American Banker Financial Services Outsourcing Conference – Held November 6-7, 2003 in Washington, DC. According to Gartner, outsourcing within the securities and financial-services segment saw a 10.4 percent growth rate in 2002, with a projected 12.8 percent growth rate for 2003 globally. In an environment where financial institutions’ use of domestic and international outsourcers is growing, financial institutions must establish processes that evaluate risks, vulnerabilities and regulatory requirements at every stage of the process – from selection to management. BITS IT Service Provider Working Group raises awareness, develops voluntary guidelines, and shares successful strategies to assure the security and privacy of services provided by third parties in support of the financial services industry. First deliverable – Framework: provides the financial services industry and Service Providers with risk-management strategies for evaluating IT Service Provider outsourcing opportunities. The Framework is based on the Working Group’s interpretation of regulatory requirements and industry best practices. The Framework is currently being updated by our members with further considerations for vendor management, disaster recovery business continuity, cross border outsourcing and security expectations. Created to identify security and control requirements, the Expectations Matrix provides financial institutions, service providers, and audit and assessment organizations a comprehensive tool to reduce risk, help institutions comply with regulatory requirements and eliminate gaps in the audit or assessment process.  This industry-wide approach, will promote a common understanding among IT service providers of the financial industry’s expectations for information and control requirements. This RFI is out for comment through September 30th. Conference – brings together regulators, fi’s and service providers to share information. Agenda includes keynotes by Corporate Technology Officer at Citigroup and Department of Navy CIO. Second day is dedicated to cross border outsourcing.

10 Fraud Reduction/Identity Theft Prevention and Assistance
Quarterly Loss Reporting Program – Participants saw, on average, a 3% annual decrease in losses per account vs. an industry increase of 1% between 1999 and (Program administered by the American Bankers Association.) BITS/FSR Fraud Reduction Voluntary Guidelines – Efficient and consistent procedures to prevent identity theft and restore victims’ financial identity. Uniform Affidavit for Identity Theft – Allows for collection of transactional detail to be shared with law enforcement to help build cases and shut down fraud rings. The affidavit may be shared with other companies where the victim holds accounts. (Created with the Federal Trade Commission.) Publications – White papers on truncation, identity theft and Internet fraud.

11 E-mail: john@fsround.org
For More Information John Carlson Senior Director Telephone: (202)

Download ppt "John Carlson Senior Director, BITS"

Similar presentations

Yukiko Ko yko@transunion.com Binding Corporate Rules – Global Implications Conference on Cross Border Data Flows and Privacy October 16, 2007.

Yukiko Ko Binding Corporate Rules – Global Implications Conference on Cross Border Data Flows and Privacy October 16, 2007.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
Prepared for: DISA September 17, 2003 Establishing a Government Information Security System Presented to the IT AND COMMUNICATIONS SYSTEMS SECURITY CONFERENCE.

Prepared for: DISA September 17, 2003 Establishing a Government Information Security System Presented to the IT AND COMMUNICATIONS SYSTEMS SECURITY CONFERENCE.
DHS, National Cyber Security Division Overview

DHS, National Cyber Security Division Overview
Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.

Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.
Security Controls – What Works

Security Controls – What Works
Closing the CIP Technology Gap in the Banking and Finance Sector Treasury Department Office of Critical Infrastructure Protection and Compliance Policy.

Closing the CIP Technology Gap in the Banking and Finance Sector Treasury Department Office of Critical Infrastructure Protection and Compliance Policy.
PPA 573 – Emergency Management and Homeland Security Lecture 9b - Department of Homeland Security Strategic Plan.

PPA 573 – Emergency Management and Homeland Security Lecture 9b - Department of Homeland Security Strategic Plan.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Security Governance Technology Executive Club

Security Governance Technology Executive Club
Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.

Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.
Presented at CLEAR’s 23rd Annual Conference Toronto, Ontario September, 2003 Public Accountability – Best Practices Accrediting Your Certification Program.

Presented at CLEAR’s 23rd Annual Conference Toronto, Ontario September, 2003 Public Accountability – Best Practices Accrediting Your Certification Program.
Accessibility, Integrity, & Confidentiality: Security Challenges for E-Business Rodney J. Petersen University of Maryland & Educause/Internet2 Security.

Accessibility, Integrity, & Confidentiality: Security Challenges for E-Business Rodney J. Petersen University of Maryland & Educause/Internet2 Security.
Competency Models Impact on Talent Management

Competency Models Impact on Talent Management
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
US-CERT www.us-cert.gov National Cyber Security Division/ U.S. Computer Emergency Readiness Team (US-CERT) Overview Lawrence Hale Deputy Director, US-CERT.

US-CERT National Cyber Security Division/ U.S. Computer Emergency Readiness Team (US-CERT) Overview Lawrence Hale Deputy Director, US-CERT.
BITS Proprietary and Confidential © BITS 2003. Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.

BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.
The U. S. National Strategy for Global Supply Chain Security Neema Khatri Office of International Affairs U.S. Department of Homeland Security.

The U. S. National Strategy for Global Supply Chain Security Neema Khatri Office of International Affairs U.S. Department of Homeland Security.
1 International Forum on Trade Facilitation May 2003 Trade Facilitation, Security Concerns and the Postal Industry Thomas E. Leavey Director General, UPU.

1 International Forum on Trade Facilitation May 2003 Trade Facilitation, Security Concerns and the Postal Industry Thomas E. Leavey Director General, UPU.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Similar presentations

Ads by Google