Security Lessons From Failed Institutions

It goes without saying that 2009 will be the "Year of Lessons Learned" for banking. From lending changes to merger best practices, the past year has tested every facet of the banking professional's knowledge and capabilities - CIOs included. The demise of many institutions, especially regional banks where IT staff is limited in size and resources, has exposed a new set of vulnerabilities in the IT infrastructure. At a high level, what we've learned is that a bank's network security is at its most vulnerable during the bank closure process.

Typically, a bank closure happens within a 48-hour period, during which the FDIC relieves management of its duties and begins forensic accounting analysis. Amidst this chaos, 100 to 200 new people - mostly forensic accountants - become active on the bank's network as the bank is transitioned into new ownership.

This complete back-end transition requires a bank to loosen its network access controls to accommodate new users, while simultaneously and securely transferring all technical, customer and financial data. On the front-end, the transition can't interfere with banking transactions and customer-facing processes. In other words, that deposit you make at 1 p.m. on a Friday afternoon still has to happen according to procedure and regulation.

 

SECURITY - IN GOOD TIMES & BAD

As a managed security service provider for large and regional banking institutions, we have seen many of our clients through the closing and acquisition process. What we've learned is there are several ways CIOs can prepare their network security infrastructure so that security is always optimized - whether in good times or bad.

First, agility and visibility are mission-critical all of the time. A bank closure is the ultimate test of your security agility. It requires the absolute maxing out of an institution's network, while at the same time exposing the bank to new threats. To be adequately secure, banks must be able to prevent, detect and respond to threats quickly without unplugging security. For example, reconfiguring firewalls or adding new network access control devices should be a simple task any day of the week - but especially in the 48-hour period when your network is most vulnerable. Additionally, you must have visibility into all device and network activity to prevent and react to threats at a moment's notice.

Banks and their outsourced vendors should centralize management and monitoring for maximum visibility and agility. The list of solutions and vendors that meet these criteria is finally growing, giving bank CIOs new options.

Next, engineer your security infrastructure for interoperability and cost-efficiency. This is a common IT practice in any industry, but is especially important in banking. When a bank is closed and acquired, you want to be able to use the security equipment already in place. No one wants to rip and replace major network infrastructure during such a security-sensitive event. Furthermore, when integrating your bank's security infrastructure with that of a new bank, you want to minimize security holes and gaps and maintain compliance. Your network's ability to work seamlessly with myriad vendor devices while still being able to monitor traffic going across the network is key.

For a long time, it was difficult to find technologies that enabled the monitoring and management of third-party devices, and the network traffic that traveled through them. Today, there are a handful of solutions that do just this.

Finally, develop a detailed disaster recovery and security operations plan. Obviously, bank closures aren't the only reason you should have a security operations and disaster recovery plan in place. Events like 9/11 and Hurricane Katrina raised the bar for security planning and business continuity. Yet, it's surprising how many banks fail to take this planning seriously.

Create a checklist that encompasses everything you do - whether it's every day, every week, once a month, once a quarter or once a year. Knowing where everything is all of the time, and how to access and conduct critical processes like backing up and reporting, is instrumental in keeping your network secure during major transitions. Remember that your IT team may not be involved in the implementation of this plan.

Security at its best is both visible and invisible at every level. Whether your bank is operating at its prime or facing closure, the goal is the same. Enable your bank to operate as usual in any situation.

 

Ray Maurer is chief technology officer of Perket Technologies, Inc.

 

For more Perspectives columns, visit www.americanbanker.com/btn
