Compliance: In ISO-lation: Standards Fill Regs Checklist

Kevin Doyle has found a nice little upside to his efforts at formalizing his institution's information technology security processes: He won't have to worry about Gramm-Leach-Bliley as much.

The information security manager for Pennsylvania State Employees Credit Union has embarked on marrying the firm's security practices to the ISO best-practice standard on IT security management. Following recent updates to that benchmark, Doyle and many security experts say the guidelines, known as ISO 17799, can now also serve as de facto cover for financial institutions' security and controls requirements under GLB or Sarbanes-Oxley.

"The ISO standard really gives you a solid criteria for what you have to have in place, and everything else would fall into place as far as compliance," says Doyle.

The practical impact for financial institutions, particularly smaller ones like the $2.3 billion PSECU, could be forgoing a more expensive and perhaps unnecessary full operational audit. There's also the plum of proving bona fides to customers and potential partners who appreciate the security assurance.

Compliance with these ISO "best practices" (a formal certification program against 17799 itself has not been adopted; it is a code of practice, and certification is done against the companion management-system specification, BS 7799-2, since late 2005 published as ISO/IEC 27001) means an IT organization can cover several IT security areas that are considered especially important to companies engaged in e-commerce or Web transactions.

"If you just look at what the minimum [ISO] standards are, you're going to pass your audit at a minimum compliance level," says Chrisan Herrod, a former chief security officer with the Securities and Exchange Commission and now a senior consultant with Scalable Software, a Houston-based firm specializing in compliance solutions for companies in financial services, healthcare, government and energy.

In the years since GLB and SOX were enacted, banks have generally measured their data and information processes against auditors' checklists, including COBIT, the IT control framework from the Information Systems Audit and Control Association (ISACA). COBIT can be excessive for smaller organizations that, for example, do not have as many financial IT controls to account for under SOX guidance, according to Herrod. "I would say looking at COBIT is a good idea, but trying to implement every recommendation and/or every key control objective that COBIT has documented would be overkill for the size and complexity of a very small credit union," says Herrod.

What's different about the ISO standard is that it serves as a management construct instead of a systems checklist or blueprint. ISO 17799 comprises umbrella security categories such as business continuity, access control and defined management programs. COBIT, in contrast, lassos in operational soundness issues like asset classification, personnel security and physical security, Herrod says (ISO 17799's own clauses do also address asset classification and control, personnel security and physical and environmental security, but at the level of policy and practice rather than auditable control objectives).

Like the GLB or SOX regulations, the pathways to meeting the ISO standard aren't prescribed, leaving institutions like PSECU free to choose their type and level of solution deployment, including staying with more operationally thorough COBIT examinations. But those solutions must show that security measures are in place and documented, as GLB requires, and reportable across an organization and with third parties, as with SOX. "They require a formalized risk assessment program, and specific controls in place for any type of business function that you have," says Doyle, whose firm is using Scalable's tools for ISO compliance. "If you define your critical business applications, you can use that as an umbrella to make sure you meet a security framework."

Auditors and regulators are indicating to Doyle that recognized ISO adherence could give PSECU a leg up in examinations once it receives formal recognition from an ISO certification body. "Our [NCUA] examiners were in [recently], and we told them of our objective to get certified by the ISO," says Doyle. "They said, 'if you do, you'll really be in the elite class.'"

And that could provide some paperwork shortcuts. "I can't speak for them, but I really got the impression that would be the case," says Doyle. "If they see you're certified, they might scale back the examination. I did get that impression."

Even with the compliance issues that ISO 17799 solves, Doyle maintains PSECU's main drivers for ISO standards adoption were business related. The Harrisburg, PA institution hosts online banking services for 20 regional credit unions that use PSECU's home-built product. It's no small matter to hang an ISO seal of approval in the back office.

"For us, it was more of a business decision," says Doyle. "With all the phishing stuff going on, we're trying to make people who are not comfortable doing business online see that we're in compliance with a standard such as that. We're trying to make security almost a promotional tool for our electronic delivery process."

Herrod, who has also served in chief IT security roles at GlaxoSmithKline and Fannie Mae, agrees that market forces have been the engine behind ISO adoption. "Even though Fannie Mae did not have to adhere to Gramm-Leach-Bliley, our business partners that did were insisting on Fannie Mae following suit," she says. "We utilized an earlier ISO version, and it was a smart move to ensure partnerships."

ISO 17799 has not been widely adopted in the United States, with perhaps fewer than 100 U.S. firms having sought compliance recognition. Herrod says the standard was reworked last year (the 2005 revision) to include more provisions governing regulatory compliance, which fits the federal government's preference that financial services firms improve their information-sharing programs on industry threats and vulnerabilities.

Canadian institutions like SunLife Financial and BMO Financial Group are among the few North American standard-bearers for ISO 17799, or the preceding BS 7799 standard. The British-spawned standards are the veritable IT security playbook for Asian and European institutions, says Scalable Software's Herrod.

(c) 2006 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
