Banking in the Ninth

Information Technology and Data Security Management

Safety and Soundness Update - March 2013

Published March 11, 2013 | March 2013 issue

Creating an effective IT management framework can be very challenging for community bank management. This article suggests key areas of focus that should assist bank management. In many cases, taking care of these basics will address some of the most important IT-related threats. Consider the following questions:

Where is your data? What are your data security requirements? Banks seek to secure confidential data wherever it is, but achieving that goal is not easy. Bank data no longer sits under one roof, yet banks remain responsible for ensuring that they have effective control over it, whether it moves over a network or is stored at a third-party service provider.

Is your software updated promptly and consistently? Widely used software applications such as Java and Adobe are prime targets for hackers. Last year, Java surpassed Adobe’s Reader software as the most frequently attacked piece of software. Bank management must make sure that the most recent versions of software are in use.

Is your system ready for personal mobile devices? Using smartphones or tablets to access bank email or reports is gaining momentum. However, banks need well-thought-out controls for these “bring your own device” practices so that additional data risks are identified and controlled.

Do you have a framework? An effective framework for IT risk management includes a data classification method (private, public, internal, external) and knowing where data is (in motion, at rest, in use). The details of this framework can vary, and there are many resources to provide options for management. The key is finding a framework that works for an institution and having board and senior management support that framework.

Are you getting good feedback? Bank management needs feedback on its IT risk practices. Obtaining effective feedback requires that bank management provide details to explain its framework. An audit process of that framework driven by a data-centric risk assessment is one important source of that feedback.