"Information security is part of life now for financial services organisations and you have to take it seriously. If the business is linked to any loss of sensitive data, it causes serious reputational damage and you can't afford for that to happen, especially in such a highly regulated industry," says Colin Campbell, IT services manager at Stroud & Swindon Building Society.
As a result the company, which employs about 430 staff, has both a security committee made up of senior management that develops strategy and takes responsibility for the issue, and a risk and compliance team that is independent of IT, but works alongside it in an advisory capacity.
Campbell's challenge is that Stroud & Swindon has to prove annually to the regulator, the Financial Services Authority (FSA), that it has reasonable security measures in place. It's a continuous process and Campbell is constantly reviewing the building society's security controls and policies, which are working documents. "We have a major review annually, but ad hoc changes also take place when they have to and people are advised thereafter," Campbell says.
The upshot of one such wide-ranging review last year was the recall of 90 per cent of the organisation's laptops. Due to the "massive publicity" around stolen laptops and data leakage, it was felt that the risks around mobile computing had to be explored in some depth.
Therefore, the risk and compliance team in conjunction with IT security staff spent several months identifying which personnel, including senior management, were using corporate laptops, before establishing whether the machines were fit-for-purpose in security terms.
Users were then asked to justify why they required their laptops. This resulted in the majority of the machines being recycled and disposed of, with most of the remaining 60 staying in the hands of the mobile mortgage sales force.
To reduce the remaining risk further, Campbell decided that personnel should only be allowed to view corporate data rather than download it. The machines were therefore stripped of everything apart from the basic operating system and now function as thin clients, so that they hold no useful or historical information if they are stolen, Campbell says.
Access to the corporate network for both the sales staff and people working from home is controlled using SSL-based virtual private networks and a managed authentication service provided by CryptoCard.
This means that when remote workers try to access the corporate network, they enter their user name and PIN, then use an assigned hardware token to generate a one-time password, which is likewise entered into the system.
"This allows us to allow them to use any PC with a broadband connection but in a very restricted and controlled way. So if people have an ad hoc requirement to access workplace systems, they can do it from anywhere but there are controls and governance around it," explains Campbell.
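As an added illustration of the login check described above (this is not code from the article and not a description of CryptoCard's service, whose internals the article does not cover), the following Python sketch verifies a user name, a PIN and an event-based one-time password in the style of RFC 4226 HOTP. The user record, the PIN, the look-ahead window and the use of the RFC 4226 test secret are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); used here
# only so that the example can be checked against the published test vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time password per RFC 4226 (HMAC-SHA1 + dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash of the PIN so the user store never holds it in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenRecord:
    """Hypothetical server-side record for one user and their assigned token."""

    def __init__(self, username: str, pin: str, token_secret: bytes) -> None:
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.token_secret = token_secret
        self.counter = 0  # next counter value the server expects from the token


def verify_login(users: dict, username: str, pin: str, otp: str, window: int = 10) -> bool:
    """Check user name, PIN and one-time password together.

    The look-ahead window tolerates a few token presses that were never
    submitted; advancing the stored counter past the matched value stops the
    same code from being replayed. A wrong PIN never advances the counter.
    """
    rec = users.get(username)
    if rec is None:
        return False

    pin_ok = hmac.compare_digest(hash_pin(pin, rec.salt), rec.pin_hash)

    matched = None
    for c in range(rec.counter, rec.counter + window):
        if hmac.compare_digest(hotp(rec.token_secret, c), otp):
            matched = c
            break

    if not (pin_ok and matched is not None):
        return False

    rec.counter = matched + 1
    return True


if __name__ == "__main__":
    # Constructed user store for demonstration; the token secret is the RFC test value.
    users = {"alice": TokenRecord("alice", "1234", RFC4226_SECRET)}
    code = hotp(RFC4226_SECRET, 0)
    print("first login:", verify_login(users, "alice", "1234", code))
    print("replayed code:", verify_login(users, "alice", "1234", code))
```

The second call in the usage section fails because the stored counter has already moved past the code that was accepted, which is the property a one-time password is meant to give over a static password.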
He also liked the idea of using a managed service for a non-sensitive activity of this type, because it was more cost-effective than employing an expensive security specialist in-house.
"We tend to outsource those elements of infrastructure services that require specialist knowledge. This isn't the kind of thing you'd have to do day-in-day-out, so any skills tend to be lost and the cost of employing key specialists in-house doesn't make sense any more," Campbell says.
One of the most important principles of security, he believes, is end-user education. This means ensuring that personnel understand what they can and cannot do and what their corporate responsibilities are in accessing and using data. This is crucial, says Campbell, because people are always the weakest link in the security chain.
"You can make a system as secure as you want, but if people take it offsite and misuse the data, then all the controls in the world won't work," Campbell says.
As a result, although the building society has formal security policies in place, Campbell says this is also simplified into a user guide to make it easier to comprehend. "By their very nature, [security policies are] not easy reading."
A recap of this user guide is undertaken once or twice a year to clarify any changes, but every member of staff is also contractually obliged to sit 10 tests of varying levels (depending on their role) each year to ensure that they understand current legalities.
The tests, which include an information security module, are devised and administered by the risk and compliance team. Campbell says these are used to demonstrate to the FSA that people's knowledge is being refreshed and kept up-to-date in order to meet statutory requirements.
While such demands may seem onerous to some, there have been spin-off benefits. "It's now a part of working life, but it does give IT people a good insight into the business and what their colleagues are doing. So it's made us more aware and gives us a more rounded view, which is the idea behind it all anyway," Campbell concludes.
This was first published in April 2008