WHITE PAPER: ENTERPRISE SECURITY

IT Risk Management for Financial Services
An Essential Strategy for Business Success

Contents
Executive summary
Overview
The challenge to the enterprise
Five steps to IT risk management best practices
Symantec’s approach to best practices implementation
Putting our strategy to work

Executive summary

Assuming and managing risk is one of the important roles the financial services industry plays for its customers. The key, of course, is to manage risk profitably. Risk involves many domain areas of expertise, such as credit, investment, casualty, interest rate, and other traditional risks faced by financial services providers. To be successful, financial institutions understand that sound information management is critical to effectively serving customers while meeting planned profit objectives.

Yet, as much as institutions have invested in traditional risk management, too many enterprises have been slow to implement best practices for information technology (IT) risk management. IT risks include anything from a network shutdown that paralyzes the business to liability for failure to protect private data. Because it is dispersed throughout the enterprise, business-critical information is not always easy to protect.

Symantec has developed a comprehensive approach to IT risk management, based on our industry-leading best practices and technologies in the security and infrastructure management areas. Our approach to reducing IT risk enables a bank, brokerage firm, or insurance company to align the risk and cost of infrastructure, putting information technology assets on the same sound footing as other business assets. This white paper describes best practices for enterprise IT risk management, the challenges faced by financial service providers in implementing best practices, and Symantec’s solution to those challenges.

Overview

Operational risk has always been a part of doing business. Today, however, management is increasingly required to identify, quantify, and manage the broad range of operational risks. The Sarbanes-Oxley Act in the United States and Basel II globally have made all levels of operational risk management, including IT risk, a board-level topic in every major financial institution today. These regulations require increased control and effective management of information assets throughout the institution. As a part of meeting these requirements, successful, forward-looking enterprises are developing specific strategies and policies for IT risk management.

IT risk management involves two complementary components: security and availability. Information is worthless, and can even be a liability, if it’s not secure. Secure information is useless if it can’t be efficiently stored and readily accessed.

Individuals, corporations, and whole economies are increasingly dependent on the Internet and networked IT systems. The daily value that these systems deliver is often not readily apparent or easy to measure. Risk exposure can be equally elusive—dispersed among a number of departments, business service providers, and functions, and in a variety of forms. Typical IT risks include lost business or productivity due to IT infrastructure downtime or disaster, liability for failing to keep customer data private, fines for regulatory violations, or inability to defend lawsuits due to inadequate record keeping. Recent headlines have demonstrated how anything from a lost laptop to a Category hurricane can trigger a major incident. Each of these can be more broadly labeled as an “information incident.”

Throughout the globe, the rapidly evolving matrix of legislation and regulation requires new levels of privacy, security, and documentation. Audit and accountability requirements increasingly hold corporate board members, officers, and managers legally responsible—encouraging financial institutions to take a closer look at IT-related due diligence policies and business practices. In addition, the industry itself is developing and mandating standards such as communication and interoperability requirements. The figure below depicts a sampling of this global trend.

Figure: A sampling of global directives in financial services
• National Association of Securities Dealers Rules (NASD)
• Bank Secrecy Act (BSA)
• Sarbanes-Oxley (SOX)
• U.S. Securities and Exchange Commission Rules (SEC)
• Payment Card Industry Standards (PCI)
• European Union Market Abuse Directive
• Markets in Financial Instruments Directive (MiFID)
• USA Patriot Act
• Gramm-Leach-Bliley Privacy Act (GLBA)
• Single European Payments Area (SEPA)
• Basel II
• Solvency II
• Federal Financial Institution Examination Council (FFIEC)

A recent Harvard Business Review report¹ identified company directors’ leading IT concerns:
• Is the company getting adequate ROI from information resources?
• Is there an effective, up-to-date plan in place for disaster response and recovery?
• Are management practices in place to prevent hardware, software, and legacy applications from becoming obsolete?
• Are corporate systems adequately protected against criminal intrusions?
• Do we have management practices in place to ensure 24x7 levels, including tested backup?
• Are there any possible IT-based surprises lurking out there?

Shareholders are paying attention, too. One study, by Oxford Executive Research, found that companies that recovered quickly from major operational disasters increased their share price by percent on average versus the market. Companies that struggled to regain their operations took a 20 percent drop in relative value. Reducing the risk of losing market value is critical to meeting long-term business objectives in the capital-sensitive financial services industry.
(Source: The Oxford Executive Research Briefing, The Impact of Catastrophes on Shareholder Value, Rory F. Knight and Deborah J. Pretty, 1996.)

Security is the headline-grabbing component of IT risk. But on a day-to-day, profit-and-loss level, information availability is just as important. Diverse financial institutions need to handle an explosion of channel interaction, including email, instant messaging, and online transactions, managing both the information flow and the records they generate. Retention requirements create a challenge to efficiently archiving growing volumes of data. Management teams must have information available on demand, where and when it’s needed. Business continuity and disaster recovery plans need to be dynamically designed, implemented, and tested to make sure information remains accessible when the worst happens, and throughout periods of rapid change.

The challenge to the enterprise

Many boards and management teams lack knowledge of the extent of their exposure to IT risk. This hampers their ability to exploit the growing array of risk management tools in a financially effective way. A bank, brokerage firm, or insurance company must be able to identify, quantify, and manage information risk as predictably as it currently manages its unique industry risks. To do this, IT organizations must cost-justify remediation measures.

By quantifying business impact, minimizing exposure, and planning for disaster, a financial institution can go a long way towards putting information risk on a more businesslike footing. In addition, those who manage IT risk effectively tend to be far more operationally efficient than those who do not. A successful enterprise needs to treat information technology risk within the integrated framework of business risk management.

IT risk management alone does not yet have the kind of well-developed statistical or actuarial models that make financial risk assessment reasonably precise. However, “roughly right” approaches based on heuristics and experience yield reliable, valuable, and usable measures of IT risk. These approaches enable IT managers to assess the business impact of IT risks, and to demonstrate the ROI of prevention and remediation measures.

Effective IT risk management requires a comprehensive approach involving security, availability, performance, and compliance. IT risk is dispersed across departments, locations, and business lines, and needs to be addressed in ways that challenge conventional organizational charts. Corporate officers and executives need to take a leadership role in developing IT risk management strategies and policies. Moreover, IT risk management exists in a constantly changing environment and requires unremitting monitoring and continuous improvement.

Five steps to IT risk management best practices

Symantec has developed a five-step methodology that can be used throughout all segments of the financial services industry to develop effective IT risk management strategies. Using this method, institutions can improve their information security and availability at an appropriate pace, and know both the results and the return at every stage.

Risk has always been a part of financial services. In fact, the industry is compensated for taking and managing risk, whether in making loans or extending insurance coverage. These risk-taking activities are strategic to the institution. As technology plays an increasing role in financial services, IT risk management should also be viewed as a strategic tool, just as it is in credit risk management. In extending credit, an institution’s underwriting process is, to a large extent, a risk assessment. Avoiding unprofitable loan risk assures safety and soundness. In the same way, an accurate assessment of the threat environment in IT can help a bank, brokerage firm, or insurance company avoid spending money on remediation measures that may not be cost-justified. Improved IT efficiencies can then free up funds for an institution’s core mission.

The Symantec five-step IT Risk Management Methodology consists of the following elements:
1. Develop an awareness of IT risks
2. Quantify the business impact
3. Design solution(s)
4. Align the costs of IT risk management to business value and implement solution(s)
5. Build an institutional capability to manage IT risk

Step 1: Develop an awareness of IT risks

IT risks can take many forms, including the costs related to the loss of data as well as lost productivity due to lack of access to the data. Risks, costs, and opportunities for improvement fall into four major categories:
• Security—Information is altered or used by unauthorized people. Example causes: computer crimes, internal breaches, cyberterrorism.
• Availability—Information is not accessible because of system failure or slowdown, or cannot be recovered in sufficient time subsequent to a security or availability incident. Example causes: configuration changes, lack of redundancy in architectures, human errors, external threats, natural disasters.
• Performance—Information is not provided when it is needed, or major new sources of demand for information cannot be handled cost-effectively. Example causes: distributed architectures, business growth, siloed architectures, peak demand, heterogeneity in the IT landscape.
• Compliance—Information handling can violate any one of the ever-changing and fast-growing number of regulatory requirements. Example causes: inadequate technology, outdated compliance policies, human error or malfeasance.

Step 2: Quantify the business impact

It is essential to understand the risks that have been discovered in terms of the probability of an event that would trigger the risk, and the time value of the exposure should such a risk occur. Further, the risks need to be quantified for each critical business application. Knowing these two parameters allows the decision-maker to plot the values on a simple two-dimensional graph and to assign mitigation/remediation priorities to different applications. A simple and consistent methodology yields better results than a complex analysis in assuring the ability to evaluate and make effective risk management decisions. The figure below is a graphic depiction of the cost calculation process. Each institution will make adjustments appropriate to meet its unique business needs.

Figure: A sample of calculating the cost of risk. Vertical axis: Probability of Event (Low to High); horizontal axis: Cost to the Business (Low to High). Risks plotted: External Fraud, Employee Error, Customer Error, Internal Fraud, Noncompliance Remediation, Loss of Customer Information, Natural Disaster, IT Disaster, Terrorism, Downtime.

To be effective, policy must then go beyond a list of categories. Quantifying risk requires a view of the multiple dependencies between risks as well as an understanding of the potential for downstream implications. Here are some examples:
• An exploited security vulnerability may contribute to a recoverability risk. This impacts the institution’s business continuity.
• An application performance issue that prevents data access may provide the opening for a security risk. This can result in loss of information while the organization is focused on solving performance problems.
• Individual risk management efforts in one area may expose compliance risk in another if risk management is not coordinated throughout the enterprise.
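The two-parameter quantification described in Step 2, carried through as an added example that is not part of the white paper: each risk is scored by probability of the triggering event and cost to the business, placed in a cell of the probability/cost plot, ranked by expected annual loss, and a candidate remediation is checked against the loss it avoids. The register values, quadrant thresholds and the two controls are constructed for illustration; the expected-loss arithmetic is the common annualized-loss heuristic, not a method the paper specifies.

```python
"""Probability-versus-cost IT risk quantification with heat-map bucketing and a
remediation cost check. Added example; all numbers below are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # one of the paper's four: Security, Availability, Performance, Compliance
    probability: float  # estimated annual probability of the triggering event, 0..1
    cost: float         # estimated cost to the business per occurrence (currency units)

    def expected_loss(self) -> float:
        """Probability-weighted annual exposure: the value a 'roughly right' model sorts on."""
        return self.probability * self.cost


@dataclass(frozen=True)
class Remediation:
    name: str
    annual_cost: float      # what the control costs per year to run
    new_probability: float  # event probability once the control is in place
    new_cost: float         # cost per event once the control is in place


def quadrant(risk: Risk, prob_threshold: float = 0.25, cost_threshold: float = 1_000_000) -> str:
    """Place a risk in one cell of the probability/cost plot (thresholds are constructed)."""
    p = "High" if risk.probability >= prob_threshold else "Low"
    c = "High" if risk.cost >= cost_threshold else "Low"
    return f"{p} probability / {c} cost"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Consistent ordering: expected annual loss first, single-event cost as tie-breaker."""
    return sorted(register, key=lambda r: (r.expected_loss(), r.cost), reverse=True)


def heat_map(register: List[Risk]) -> Dict[str, List[str]]:
    """Group risk names by quadrant, highest expected loss first within each cell."""
    cells: Dict[str, List[str]] = {}
    for risk in prioritize(register):
        cells.setdefault(quadrant(risk), []).append(risk.name)
    return cells


def remediation_value(risk: Risk, fix: Remediation) -> Dict[str, float]:
    """Annual loss avoided by a control minus what it costs; net > 0 means cost-justified."""
    residual = fix.new_probability * fix.new_cost
    avoided = risk.expected_loss() - residual
    return {"residual": residual, "avoided": avoided, "net": avoided - fix.annual_cost}


def build_register() -> List[Risk]:
    """Constructed register using risk names from the paper's cost-of-risk figure."""
    return [
        Risk("External Fraud", "Security", 0.60, 400_000),
        Risk("Employee Error", "Availability", 0.70, 150_000),
        Risk("Loss of Customer Information", "Security", 0.15, 3_000_000),
        Risk("Natural Disaster", "Availability", 0.02, 8_000_000),
        Risk("IT Disaster", "Availability", 0.10, 2_500_000),
        Risk("Noncompliance", "Compliance", 0.30, 1_200_000),
    ]


if __name__ == "__main__":
    register = build_register()
    for r in prioritize(register):
        print(f"{r.name:30s} {quadrant(r):30s} expected loss {r.expected_loss():>12,.0f}")

    # Two constructed controls: one cuts a high-exposure risk cheaply, one over-invests.
    by_name = {r.name: r for r in register}
    dlp = Remediation("Encryption and data loss prevention", 120_000, 0.05, 1_500_000)
    hot_site = Remediation("Second hot data center", 900_000, 0.02, 500_000)
    for risk, fix in ((by_name["Loss of Customer Information"], dlp),
                      (by_name["Natural Disaster"], hot_site)):
        v = remediation_value(risk, fix)
        verdict = "cost-justified" if v["net"] > 0 else "not cost-justified"
        print(f"{fix.name}: avoids {v['avoided']:,.0f}/yr, net {v['net']:,.0f} -> {verdict}")
```

The second control illustrates the Step 4 point about not over-investing: it removes most of the exposure but costs far more per year than the loss it avoids.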
The business impact may be direct or indirect—including financial, legal, and operational dependencies. Downstream implications include the negative customer experience that comes with poor performance, or one-off risk management requirements that complicate doing business with the institution. Unaddressed, negative customer experience will expose a new, more pernicious risk: customer attrition.

Just as in assessing the risk of any financial service, quantifying the business impact of IT risk gets to the core issue of being able to manage the enterprise risk equation. By better quantifying the potential financial impact of various operational risks, institutions are better able to justify the cost of remediation, and better able to judge what level of risk exposure is best suited to their strategic goals.

Step 3: Design solution(s)

IT risks have different root causes, and thus different approaches are required to manage and mitigate them. Broadly speaking, these approaches require a combination of process, people, technology, and information.

Processes for running data center and IT operations are rapidly evolving. The best-run IT organizations are moving from a haphazard, “job shop” model to a more rigorously designed, executed, and measured systematic approach. IT Infrastructure Library (ITIL), International Organization for Standardization (ISO), and other standards are emerging to describe “best-of-breed” IT operational processes.

On the other end of the risk spectrum, institutions are paying more attention to the role their people play in the battle to reduce risk. Companies are experimenting with a wide range of techniques, including awareness-building, identity- or role-specific authority, new divisions of labor, new roles and specialists, and enhancement of risk mitigation capabilities at all levels. At the customer level, education, awareness, and proactive communication are also key elements to establishing a holistic risk management approach.

The technology of IT risk management is becoming more helpful to human efforts. Rapid advances have been made in such areas as long-distance replication, clustering, content, intrusion and phishing detection, data protection and backup, vulnerability assessment, and policy management. Importantly, these tools are being integrated to offer workflow-driven solutions designed to follow customized processes and regulatory requirements. Event-driven automation is increasingly taking the place of onerous manual analysis and remediation.

Information itself plays a role in IT risk management—information on the latest threats and vulnerabilities, from the instant they appear anywhere on the globe. An effective IT risk management solution involves real-time information and proactive intelligence on security threats, and facilities for rapid recovery when new threats strike. Of course, the key is to be proactive with this information at the policy, technology, staff, and customer level.

Step 4: Align the costs of IT risk management to business value and implement solution(s)

Investments in process, people, technology, and information are required to mitigate risks. However, since IT budgets are under constant pressure to deliver more value for the same money, leading institutions will neither over-invest nor under-invest in IT risk management solutions. IT Service Optimization has emerged over the past few years as the most promising approach to aligning the costs of IT to business value. With this approach, the role of IT with respect to the business evolves from a “cost center” to a “service center.” As it evolves under the IT Service Optimization approach, the IT organization masters four primary activities:
• Providing IT as a collection of well-defined services, developed and managed by a “service management” group that interfaces with the business
• Exposing these services to the business through service-level agreements and charge-backs to the business
• Building and maintaining a shared, heterogeneous infrastructure to improve capital utilization and reduce costs, rather than building custom systems for each business application
• Running IT operations in an automated fashion to increase labor efficiency and reduce costs

A number of leading organizations are first applying the IT Service Optimization concept by building “storage utilities.” The storage utility provides data storage for business application usage through different service classes, for example:
• “Platinum” storage service with very high performance, availability, recoverability, and security
• “Gold” storage service with moderate performance, availability, recoverability, and security
• “Bronze” storage service with low performance, availability, recoverability, and security

The costs of these different storage services are exposed to the business—“Platinum” is typically 10 times more costly than “Bronze” service, for example. As a result, a company can align risk requirements and overall usage to the spending on IT. Clearly defined service levels result in efficient structuring of IT services. Appropriately priced and well-communicated IT value helps business users balance the economics with the need for information, resulting in more effective use of IT resources.

Step 5: Build an institutional capability to manage IT risk

The effective management of IT risk requires the introduction of an ongoing IT risk management program. This program can then govern the various risk management projects that evolve as a result of the previous stages of the process. An IT risk management program should be iterative, ensuring that, as the business and all of its influences change, new risks are quickly identified and dealt with appropriately.

Leading financial institutions are building an enterprise capability to understand and manage IT risks as rigorously as they manage other business and operational risks. Using insight from a variety of sources, they develop a risk “heat map” showing the potential impact and likelihood of the four IT risks on their lines of business, core business processes, or major applications. Then, they create a prioritized list of projects to remediate these risks and deploy the tools of software, people, process improvements, and information. Finally, they control the risks by continuous measurement and improvement.

Institutions with a rigorous IT risk management policy are fundamentally reorienting their IT governance and risk governance approaches. Many have established new leadership roles, such as IT Risk Manager, to advocate and coordinate their approach to the issue. This leadership role is most effective when made an integral part of enterprise IT governance. As companies build IT risk management into an institutional capability, they confront new issues such as:
• Does our IT strategy need to evolve or change to maintain an acceptable risk posture?
• Should we have new or expanding leadership roles to address IT risk, such as an IT Risk Manager?
• How do we create reporting and management systems to monitor performance?
• How do we incorporate risk management with sound governance to oversee and approve IT risk decisions?
• How do we educate our IT staff and build cultural awareness and understanding of risk throughout the employee base?
• What role do our customers play in risk management, and how can we incorporate them in a manner that builds trust and confidence in our ability to serve them?
• What steps should be taken to make our planning and testing processes more rigorous and to make our systems more disaster-resistant?

Improving IT risk management should be on the agenda of nearly every senior executive. Executives with a solid awareness of IT risks can better understand the tools needed to manage these risks, and build the institutional capability to control them. This wisdom also contributes to maximizing the return on information investments.

Symantec’s approach to best practices implementation

Symantec recognizes that many enterprises are not ready to adopt a full-scale transformation of their IT systems. Still, effective risk management is possible by addressing immediate needs and building incremental improvements. The Symantec IT Risk Management Methodology gives organizations a strategic road map, and provides measurable objectives and demonstrable results at every stage.

IT risk management involves two fundamental building blocks: security and availability. As the industry leader in both security solutions and storage management solutions, Symantec is uniquely positioned to help enterprises achieve their goals. Our service delivery is structured around five areas of expertise:
• Data and storage management—Help ensure data availability and security while optimizing storage asset utilization
• High availability—Achieve the highest level of data and application availability
• Business continuity management—Help minimize the business impact of planned and unplanned outages
• Security management—Help assess security threats, improve security controls, and manage security risk
• IT service optimization—Align IT with business needs, improve service levels, and optimize infrastructure

Each practice has a portfolio of defined services and deliverables, as well as custom offerings, to address specific challenges. Consultants can provide whatever level of service is required to augment in-house capabilities. Symantec also helps its customers make information risk management a part of their organizational culture. Educational and awareness programs help them be more proactive against threats, and keep up with a complex and rapidly changing environment.

Symantec’s comprehensive approach to IT risk management helps an enterprise manage cost, complexity, and compliance. We standardize and automate IT processes, consolidating technologies to maximize efficiencies. We increase network productivity by streamlining storage costs and building greater resilience into the infrastructure.

Putting our strategy to work

Our process begins with a thorough evaluation of the risks and opportunities an enterprise faces. We utilize a broad range of tools to assess and address security and availability issues, including:
• Continuous services account management to stay abreast of the customer environment
• Technology tools to help probe and map the current state and weaknesses of the IT environment
• Frameworks and tools for comprehensively evaluating IT risk and cost, from simple “data center best practice checklists” to detailed IT risk assessment services
• An up-to-date information repository describing the latest risks for IT, compiled using proprietary insight into threats and vulnerabilities
• Critical mass of expertise in each category of IT risk and in data center optimization (by industry, geography, platform)
• Predictive risk models and measures to evaluate the likely impact on cash flow, earnings, or other metrics

We then help customers develop a plan for continuous improvement of risk management practices that both focuses on IT and extends well into the entire organization, for timely response to the concerns of highest priority. Achieving competency at IT risk management includes several key areas:
• Broad training on the major IT risk factors and remediation tools to build an expert leadership team
• Knowledge and people management systems to disseminate best practice thinking
• World-class methodologies and tools to improve the process, architecture, and information of IT organizations
• Standardized reference processes for infrastructure processes—for example, backup and recovery
• Leading-edge technology, to assure protection against the most sophisticated new security threats, while optimizing storage accessibility and efficiency
• Training and education programs to improve processes and raise the level of performance of people at every level of the organization

We also help organizations sustain their IT risk management abilities over time, managing cost and risk in an ever-changing environment. We help the institution develop internal capabilities, and provide whatever technical resources are needed to supplement its own resources. Our system for continuous monitoring and improvement includes:
• A robust “problem management” feedback loop that changes the delivery groups, for example, products, consulting services, enterprise support services, and education services
• A culture and set of reinforcing behaviors aligned to risk awareness and management
• Advanced escalation and incident management processes
• Key support processes documented and aligned with customers on the ITIL framework—for example, incident management, change management, etc.
• Certification programs built on individual product expertise, role-based mastery, and even organizational/environmental certification, including data center certification
• Periodic assessments of any changes in people, architectures, or requirements
• Technology tools to triage issues in multi-vendor distributed systems
• Risk-sharing arrangements, including onsite residencies staffed by Symantec personnel, service-level agreements, and managed services offerings

The ultimate goal of all this is a simple one: to help an enterprise understand, manage, and control its IT environment—people, process, and technology—to reduce risk and cost. By developing a rational, businesslike framework for understanding and managing information risk, a financial services institution can pursue its larger vision and mission with confidence and operate more effectively, while deriving maximum value from its IT investment.

About Symantec

Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free (800) 745 6054 or (800) 721 3934.

Symantec Corporation World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
+1 (408) 517 8000
www.symantec.com

Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 02/07 12065894