Forward thinking security
- 21 February, 2009 22:00
Early this year, international financial services group Credit Suisse kick-started its worldwide proactive information security strategy, called the Security Operations Centre (SOC) program. Credit Suisse, which provides private banking, investment banking, asset management and insurance services worldwide, is active in more than 50 countries and employs about 50,000 people.
Divyesh Vithlani, the bank’s CIO for the Asia Pacific region, said that one key feature of SOC is the log management and correlation stream. This improves the recognition and detection of security incidents by analysing different events to identify possible anomalies.
Vithlani said that monitoring tools are married into business intelligence systems to predict and stop security breaches. Any potential security issue, identified by SOC, is investigated and, where necessary, rectified by the bank’s relevant IT specialists, including risk analysts.
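The "log management and correlation stream" described above is, in practice, a rule that joins events from several independent sources before deciding that something is an incident. The following is an added illustration written for this page, not Credit Suisse's SOC tooling: it parses constructed authentication and web-proxy log lines (the formats, field names, user names, addresses and thresholds are all assumptions), merges them into one time-ordered stream, and raises an alert when a user shows a burst of failed logins followed by a success, escalating it when the proxy then blocks a request from the same user shortly afterwards. An analyst would investigate that alert and, as the text says, hand anything real to the relevant IT specialists.

```python
"""Toy multi-source event correlation over constructed log lines.

Two sources (VPN/auth gateway and web proxy) are normalised into one event
stream; a single rule then looks for a cross-source pattern that neither
source would flag on its own. Sample data and formats are constructed for
this example and are not taken from the article or the bank.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample logs (hypothetical formats, not a real product's output).
AUTH_LOG = """\
2009-02-20T08:01:02 auth host=vpn-gw1 user=jdoe result=FAIL src=203.0.113.7
2009-02-20T08:01:09 auth host=vpn-gw1 user=jdoe result=FAIL src=203.0.113.7
2009-02-20T08:01:15 auth host=vpn-gw1 user=jdoe result=FAIL src=203.0.113.7
2009-02-20T08:01:21 auth host=vpn-gw1 user=jdoe result=FAIL src=203.0.113.7
2009-02-20T08:01:30 auth host=vpn-gw1 user=jdoe result=OK src=203.0.113.7
2009-02-20T08:05:00 auth host=vpn-gw1 user=asmith result=OK src=198.51.100.4
"""

PROXY_LOG = """\
2009-02-20T08:02:10 proxy user=jdoe url=http://files.example.test/tool.exe action=BLOCKED category=malware
2009-02-20T08:06:00 proxy user=asmith url=http://intranet.example.test/ action=ALLOWED category=business
"""

# Rule parameters (assumed values; a real SOC tunes these per environment).
FAIL_THRESHOLD = 3                    # failed logins needed to arm the rule
FAIL_WINDOW = timedelta(minutes=5)    # failures older than this are forgotten
FOLLOW_WINDOW = timedelta(minutes=10) # proxy block within this escalates

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict


def parse_line(line):
    """'<iso-timestamp> <source> k=v k=v ...' -> Event."""
    ts_str, source, rest = line.split(" ", 2)
    return Event(datetime.fromisoformat(ts_str), source, dict(KV_RE.findall(rest)))


def parse_logs(*texts):
    """Parse any number of log texts and return one time-ordered event list."""
    events = [parse_line(l) for text in texts for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e.ts)
    return events


def correlate(events):
    """Return alert dicts for: >= FAIL_THRESHOLD auth failures for one user
    within FAIL_WINDOW, then an auth success ('medium'); raised to 'high' if
    the proxy blocks a request by that user within FOLLOW_WINDOW of the success."""
    recent_fails = defaultdict(list)  # user -> timestamps of recent failures
    alerts = []
    for ev in events:
        user = ev.fields.get("user")
        if ev.source == "auth":
            result = ev.fields.get("result")
            if result == "FAIL":
                recent_fails[user].append(ev.ts)
                recent_fails[user] = [t for t in recent_fails[user] if ev.ts - t <= FAIL_WINDOW]
            elif result == "OK":
                if len(recent_fails[user]) >= FAIL_THRESHOLD:
                    alerts.append({"rule": "failed-logins-then-success", "user": user,
                                   "ts": ev.ts, "src": ev.fields.get("src"),
                                   "fail_count": len(recent_fails[user]), "severity": "medium"})
                recent_fails[user] = []  # a success resets the failure history
        elif ev.source == "proxy" and ev.fields.get("action") == "BLOCKED":
            # Second source: a blocked download right after a suspicious login.
            for alert in alerts:
                if (alert["user"] == user and alert["severity"] == "medium"
                        and timedelta(0) <= ev.ts - alert["ts"] <= FOLLOW_WINDOW):
                    alert["severity"] = "high"
                    alert["followed_by"] = ev.fields.get("url")
    return alerts


def run_sample():
    """Correlate the constructed sample logs and return the alerts."""
    return correlate(parse_logs(AUTH_LOG, PROXY_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data the rule fires once, for `jdoe` (four failures, a success, then a blocked download 40 seconds later), and stays silent for `asmith`, whose single successful login and allowed request look the same as `jdoe`'s final two events when each source is read in isolation; that is the value of correlating across sources rather than alerting per log.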
Proactive information security has been identified by the Global State of Information Security (GSIS) survey, conducted by PricewaterhouseCoopers and CIO magazine, as a key component in any organisation's effort to safeguard its resources. The 2008 study, the sixth edition of the survey, involved some 7,100 respondents. Slightly more than 17 per cent of them, including CIOs and senior IT management, hailed from the Asia Pacific region.
Mark Lobel, the advisory services principal at PricewaterhouseCoopers, said that the GSIS 2008 highlighted a clear security strategy as the one element that directly correlates with lower numbers of security incidents. But having a sound plan counts for nothing when just 43 per cent of the respondents audit or monitor user compliance with their security policies; the result is that security remains mostly reactive, not proactive.
More sophisticated organisations will funnel data from network logs and other monitoring tools into business-intelligence systems to predict and stop security breaches. So, along with encryption fanatics and identity management experts, an information security team needs statisticians and risk analysts to stay ahead of trouble.
With the SOC program, Vithlani says the bank is taking a big step towards a proactive information security strategy. "This service ensures the bank's infrastructure perimeters are safeguarded from attack at all times," he adds.
Besides regular audits to enforce user compliance, regular communication also serves to reinforce the need to comply with security policies. Software and tools complement the enforcement and monitoring capability: for instance, the global password changer ensures that end-user passwords are strong enough to conform to the bank's password policies. Similarly, staff granted internet access have their activities logged via proxy servers with restricted-website blockers.
The safe employee
The SOC forms part of Credit Suisse's overall information security strategy. Credit Suisse adopts what Vithlani describes as a multi-layered strategy that includes proactive risk management, predictive threat modelling, and consistent methodologies "well integrated into the IT processes, all fostering a culture of control and risk awareness".
Each Credit Suisse employee is an important cog in the bank's information security machine. According to Vithlani, employees are educated on information security matters through a variety of channels, including regular emails on security awareness, plus updates on security trends and practices.
There is also an intranet site where staff can learn about IT risk standards and policies. Staff members who have just joined the organisation are given mandatory web-based training, while all workers go through re-certification annually. "In addition, we have put in place tools to filter potentially harmful e-mails, which will be quarantined to prevent unintentional security breaches," says Vithlani.
Increasingly, organisations are looking to entrust employees with responsibility for keeping data correct and protected, and Credit Suisse is one of them.
"Information is a valuable and critical asset. All major information assets accounted for (should) have a nominated 'owner'. Information owners are responsible for assigning appropriate sensitivity classifications," says Vithlani. Information classification supports the need-to-know principle, so that data can be handled appropriately and controls implemented to protect it, he adds.
Another element that helps lower the number of security incidents is the organisation and direction offered by a C-level security executive, Lobel points out. More organisations in Asia employ dedicated security personnel, according to the GSIS survey: Asian respondents reported higher numbers of full-time employees, or equivalents, dedicated to information security inside the organisation, and there seemed to be more structure around the security role. Thirty per cent of Asian organisations stated that they had established a chief security role, compared with only 27 per cent for the survey as a whole.
At Credit Suisse, Vithlani focuses on IT risk issues to provide leadership towards greater governance and business alignment for the Asia Pacific region, while operational management of information security falls under the purview of Peter Mo, the regional head of IT risk for Asia Pacific.
Mo reports to the global Chief Information Security Officer and to the regional CIO for Asia Pacific. The role communicates, coordinates and ensures a consistent IT risk governance process in the region, using a global IT risk operating model, and provides a conduit to channel Asia Pacific-specific IT risk challenges to the global team. The regional IT risk team comprises 25 IT risk professionals dedicated to IT risk planning and assessment, response and mitigation, plus oversight functions.
The GSIS survey has identified the growing importance of conducting due diligence on outsourcing partners. Some companies skip these steps because they feel it would be an expensive and time-consuming effort, says PwC's Lobel.
Mo's team, however, does not neglect these checks. "With increased outsourcing, we need to continually assess our Asia Pacific-based third party service providers to ensure they are complying with our security standards," he adds.
The SOC program for the region is Mo’s baby. “My team in Asia Pacific participates in formulating the plans and providing the operational management,” he says.
Currently, the bank’s big project in the information security space is the SOC. “To ensure the success of SOC, we have to define and manage service levels so that we can expand and adjust the services as required,” said Mo.
Vithlani said the implementation of the program will serve as the platform for delivering future security services that can provide more accurate correlation of security incidents to enhance overall security management.