Information Security Program Maturity at Financial Institutions

When I get questions about the name “Rivial” I tend to cringe a little. Way back in 2008 when the idea was born, the concept was this: information security is not a trivial matter, but managing it should be. If you take the word ‘trivial’ and remove the ’t’ you get rivial. It’s a made up word taken from that cheesy tag-line. It’s easy to see why we quickly dropped that tag-line...

The management of any complex program can be challenging, and managing a cybersecurity program in today’s high-stakes, always-changing world of regulations and evolving attacks is downright intimidating. It turns out there was some insight in that cheese-tastic statement from over a decade ago. Despite the company making a handful of slight pivots along the way, the core goal has remained the same: to make our clients’ lives easier.

Since 2011, Rivial has been a virtual CISO to financial institutions. I want to further our goal of making people’s lives easier by outlining the key areas we manage so that you can evaluate your cybersecurity program’s overall maturity.

If you’re at a financial institution, you might be thinking that there are already ways to evaluate a bank’s or credit union’s cybersecurity program: the FFIEC Cybersecurity Assessment Tool (CAT), the FDIC’s Information Technology Risk Examination (InTREx) and the NCUA’s Automated Cybersecurity Examination Tool (ACET). Most of the elements of a solid cybersecurity program are contained within these documents. The catch is that they are broken into individual line items called declarative statements, also referred to as cybersecurity controls. The CAT controls are organized by maturity level (baseline, evolving, intermediate, advanced, and innovative) to help financial institutions determine what level they are at, or should be at.

In an attempt to make your life easier, I would like to suggest an alternative approach to managing the maturity of a cybersecurity program. We use a more holistic structure, using areas of information security rather than the list of 494 individual line items that can be found in the CAT.

Cybersecurity program areas:

  • Policy Framework
  • IT Risk Management
  • IT Compliance
  • Security Testing
  • User Training
  • Incident Response
  • Cybersecurity Strategy

Policy Framework

The first step to building a mature information security program is implementing a policy framework. This is a set of policies, approved by the Board of Directors, that instructs the organization on cybersecurity matters. Most financial institutions should have at least 8-10 individual policies in place for a mature framework (not you, Bank of America; you probably have a few more), starting with a concise 3-5 page document that outlines the program itself. There should be a comprehensive information security policy that specifies how the organization will handle system access, security training, and other key areas. We have also found that some topics, such as vendor management and mobile device management, are important enough to warrant their own policy document.

IT Risk Management

The area of IT Risk covers a lot of ground and is the fundamental element of the cybersecurity program. IT Risk Management is where you establish a risk tolerance, measure risk across the organization’s IT assets, compare the measured risk to the stated tolerance, and treat what exceeds it in some way (accept, transfer, mitigate). The treatments chosen here are security controls selected because they reduce risk, and they may go beyond anything required by the compliance area (hint: the very next section).

IT Compliance

Aside from risk management, which is about being secure, financial institutions also need to comply with GLBA. This typically means ensuring all of the declarative statements (controls) are in place for a designated maturity level within the CAT for banks, or the ACET for credit unions. As I mentioned earlier in this article, there are controls in the CAT/ACET that cover policies, risk assessment, and other areas. Looking at individual controls to build a security program, as these tools do, is a very inefficient and disorganized approach. That would be like designing a house by looking at each individual piece of wood.

Security Testing

One of the areas identified in policies, risk management, and compliance is security testing. Security testing consists of vulnerability assessment and penetration testing, inside and outside the network, as well as social engineering to test employee resistance to phishing and pretext calling attacks. If the organization writes its own software code, testing should also include web application security testing.

User Training

Closely related to social engineering testing, and in some cases overlapping it, is user awareness training. All employees are part of the security program and need to know the basics of information security. IT admins and department managers with elevated privileges, and executives prone to spear phishing, should receive additional training beyond what standard employees get. Developing or finding the right materials and tracking the organization’s progress are keys to a mature cybersecurity program.

Incident Response

As we all know, no amount of security controls can reduce risk to zero. Unfortunately it just isn’t possible. This means every organization needs a plan for responding to cybersecurity incidents. The plan should outline who is going to perform what activities to identify, contain, eradicate, and recover from incidents. To be fully mature the plan must also be tested regularly to identify gaps and areas for improvement. I also recommend pre-vetting 2-3 computer forensics vendors now, before an incident occurs. Perform the required vendor due diligence ahead of time so you don’t end up in a pinch when there is a need to move quickly.

Cybersecurity Strategy

A competent virtual CISO can tie it all together. With the proper security expertise and a solid maturity model, a financial institution can implement the right cybersecurity program to protect customer/member information while not spending tens of thousands on unnecessary effort or solutions.

Focusing on the areas above will help organize the overall information security program and build a strategic road map. Because, you know... information security is not a trivial matter, but managing it should be.

Learn more about how we manage cybersecurity programs with our virtual CISO solution.
