Technical Policies Continue to be Criticized after Years of Exams
1/5/2012
Banks have been responsible for updating their technical policy posture for years. The big push for an effective technical policy posture began prior to 2000 with the Y2K exercise. In addition to technical policies, banks may have up to 50 other policies which also must be updated annually. After years of examinations from the regulators and other industry experts, policies have become redundant, pointless, ineffective and lengthy. Just as in a good network security program, policies must be layered to be effective.
In an effort to clarify this issue, I will outline what a strong policy posture consists of and how your program should be structured.
The following are definitions that outline an effective policy management structure. Remember to keep it simple, short and accurate:
- A policy is a statement of principle that presents the Board of Directors' expectations to the bank. A policy statement is usually mandatory, changes very little and is supported by procedures, standards and guidelines. A good example of a simple policy statement will read, “Data that is classified as sensitive will be encrypted at rest and in transit.”
- Procedures are developed in each business area (Operations, Accounting / Bookkeeping, Asset Management, Wealth Management, New Accounts, Information Technology, etc.) and are designed to support the requirements outlined in the governing policies. Procedures change on a regular basis, yet continue to support the governing policy. For example, a simple procedure statement will read, “Email that is sensitive in nature will be encrypted by typing ‘secure’ in the subject line prior to transmission outside of the bank.”
- A standard is a compulsory action that all business areas must comply with. For example, a simple standard will read, “Email will be encrypted using industry best practices / recommendations, such as the use of S/MIME.”
- A guideline is simply a recommended course of action for the bank. A simple guideline may read, “Encrypted email is not required when communicating with internal bank employees. However, if the email contains confidential material, it is suggested that the employee uses encryption.”
- Deviations are common in community banking due to the number of responsibilities that are expected of employees. The purpose of a deviation program is to document exceptions that do not comply with policies, procedures, standards or guidelines. A simple deviation statement may read, “Email communication of sensitive material on mobile devices is approved for the President and CEO.”
Banks that do not have a strong policy posture framework continue to struggle with how their controls are managed. Policies have become bloated with years of recommendations from various authorities. Current banking policies read like timelines with various recommendations tacked onto the end of each policy, until the entire program is hundreds of pages long.
The Board of Directors is ultimately responsible for each policy. When technical policies become polluted with years of recommendations, they lose their effectiveness. In the event of a breach, these policies will be scrutinized, and due to their historic development and ineffectiveness, board members could be at risk.
During your next IT exam, insist that these controls are included in the scope of the assessment.