"Information security is part of life now for financial
services organisations and you have to take it seriously. If the
business is linked to any loss of sensitive data, it causes serious
reputational damage and you can't afford for that to happen,
especially in such a highly regulated industry," says Colin
Campbell, IT services manager at Stroud & Swindon Building Society.
As a result, the company, which employs about 430 staff, has both
a security committee, made up of senior management, that sets
strategy and owns the issue, and a risk and compliance team that is
independent of IT but works alongside it in an advisory capacity.
Campbell's challenge is that Stroud & Swindon has to prove
annually to the regulator, the Financial Services Authority (FSA),
that it has reasonable security measures in place. It is a
continuous process: Campbell constantly reviews the building
society's security controls and policies, which are working
documents. "We have a major review annually, but ad hoc changes
also take place when they have to and people are advised
thereafter," Campbell says.
The upshot of one such wide-ranging review last year was the
recall of 90 per cent of the organisation's laptops. Given the
"massive publicity" around stolen laptops and data leakage, it was
felt that the risks around mobile computing had to be explored in
some depth. The risk and compliance team, together with IT security
staff, therefore spent several months identifying which personnel,
including senior management, were using corporate laptops, before
establishing whether the machines were fit for purpose in security
terms.
Users were then asked to justify why they needed a laptop at all.
As a result, the majority of the laptops were recycled and disposed
of, and most of the remaining 60 stayed in the hands of the mobile
mortgage sales force.
To reduce the residual risk further, Campbell decided that
personnel should only be allowed to view corporate data, not
download it. The machines were therefore stripped of everything
except the basic operating system and now operate effectively as
thin clients, so that they hold no useful or historical information
if they are stolen, Campbell says.
Access to the corporate network for both the sales staff and
people working from home, meanwhile, is controlled using SSL-based
virtual private networks and a managed authentication service
provided by CryptoCard.
When remote workers try to access the corporate network, they
enter their user name and PIN, then use an assigned hardware token
to generate a one-time password, which is entered as well.
"This allows us to allow them to use any PC with a broadband
connection but in a very restricted and controlled way. So if
people have an ad hoc requirement to access workplace systems, they
can do it from anywhere but there are controls and governance
around it," explains Campbell.
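The login sequence described above (user name and PIN as the first factor, a one-time password from a hardware token as the second) can be checked server-side as follows. This is an added illustration, not code from CryptoCard, Stroud & Swindon or the original article: it assumes the token is an event-based HOTP device in the sense of RFC 4226 (the article does not say which OTP scheme CryptoCard used), and the user record, PIN and token seed are constructed test data. It also shows the two edge cases a verifier has to handle: a code replayed after it has been accepted, and a token that was pressed a few times without the code ever being submitted, which the server reconciles through a bounded look-ahead window.

```python
"""Server-side check for user name + PIN + hardware-token OTP.

Added example, not the building society's or CryptoCard's code. The
token is assumed to be an event-based HOTP device (RFC 4226); the
seed and the user record below are constructed test data.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardwareToken:
    """Simulates the user's event-based token: each press yields the next code."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def press(self) -> str:
        self.counter += 1
        return hotp(self.seed, self.counter)


class TokenServer:
    """Authentication service side. Per user it keeps the PIN hash, the
    token seed, the last counter it accepted and a failure count."""

    LOOK_AHEAD = 10     # unseen counter values tolerated (token pressed, code not submitted)
    MAX_FAILURES = 5    # consecutive failures before the account is locked

    def __init__(self):
        self.users = {}

    def enrol(self, username: str, pin: str, seed: bytes) -> None:
        self.users[username] = {
            # Plain SHA-256 keeps the example short; a real service would use a slow KDF.
            "pin_hash": hashlib.sha256(pin.encode()).hexdigest(),
            "seed": seed,
            "counter": 0,       # last accepted counter; first valid code is for counter 1
            "failures": 0,
            "locked": False,
        }

    def authenticate(self, username: str, pin: str, otp: str) -> bool:
        rec = self.users.get(username)
        if rec is None or rec["locked"]:
            return False

        # Evaluate both factors before deciding, so a response does not
        # reveal which one failed.
        pin_ok = hmac.compare_digest(
            rec["pin_hash"], hashlib.sha256(pin.encode()).hexdigest())

        # Only counters *after* the last accepted one are candidates, which is
        # what rejects a replayed code; the window bounds how far the token
        # may have run ahead of the server.
        match = None
        for c in range(rec["counter"] + 1, rec["counter"] + 1 + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec["seed"], c), otp):
                match = c
                break

        if match is not None:
            # Burn the code even if the PIN was wrong: a valid OTP seen once
            # must never be accepted later with a guessed PIN.
            rec["counter"] = match

        if not (pin_ok and match is not None):
            rec["failures"] += 1
            if rec["failures"] >= self.MAX_FAILURES:
                rec["locked"] = True
            return False

        rec["failures"] = 0
        return True
```

The look-ahead value trades usability (how many idle presses the user can make before the token needs resynchronising by an administrator) against the number of guesses an attacker gets per attempt; the lockout counter caps the latter either way.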
He also liked the idea of using a managed service for a
non-sensitive activity of this type because it was more
cost-effective than employing an expensive security specialist
in-house.
"We tend to outsource those elements of infrastructure services
that require specialist knowledge. This isn't the kind of thing
you'd have to do day-in-day-out so any skills tend to be lost and
the cost of employing key specialists in-house doesn't make sense
any more," Campbell says.
One of the most important principles of security, he believes,
is end-user education: making sure that personnel understand what
they can and cannot do, and what their corporate responsibilities
are when accessing and using data. This is crucial, says Campbell,
because people are always the weakest link in the security chain.
"You can make a system as secure as you want, but if people take
it offsite and misuse the data, then all the controls in the world
won't work," Campbell says.
As a result, although the building society has formal
security policies in place, Campbell says these are also
simplified into a user guide to make them easier to comprehend. "By
their very nature, [security policies are] not easy reading."
A recap of this user guide is undertaken once or twice a year to
clarify any changes, but every member of staff is also
contractually obliged to sit 10 tests of varying levels (depending
on their role) each year to ensure that they understand current
legalities.
The tests, which include an information security module, are
devised and administered by the risk and compliance team. Campbell
says these are used to demonstrate to the FSA that people's
knowledge is being refreshed and kept up-to-date in order to meet
statutory requirements.
While such demands may seem onerous to some, there have been
spin-off benefits. "It's now a part of working life, but it does
give IT people a good insight into the business and what their
colleagues are doing. So it's made us more aware and gives us a
more rounded view, which is the idea behind it all anyway,"
Campbell concludes.