Risk Management and ISO 27001 Certification - Mark Bernard, Credit Union Central, B.C.
Richard Swart: Hi. This is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.Com. Today we'll be speaking with Mark Bernard, who is a security and privacy officer for the . He has extensive experience in the information security and audit industry, and today he'll be discussing a number of issues including ISO 27001.
Well, Mark, I was wondering if you could start by telling our listeners about the state of information security there in British Columbia, and about any unique challenges that you might face.
Mark Bernard: Well, here in British Columbia, we have some very unique challenges. We are one of the last provinces in Canada to actually still have legislation in place that enforces credit unions to actually work with credit union central. We also have a number of changes within the regulatory and legislative system, such as the securities act. There are also industry standards that most people are being affected with, such as the payment card industry standards.
So, the complexity has increased dramatically, and of course requirements to comply with the regulations have also increased the demand, certain time constraints on when that compliance happens and occurs. And then, of course, our partners, who are also faced with a lot of the same regulations as us, are looking for new, higher levels of assurance that the information that we're handling is protected and secure, it's available, and the integrity is of the highest.
So, we have a lot of growing concerns that are becoming more complex to manage.
Swart: One thing I noticed when going over your experience is that you have quite a bit of experience implementing security practices without significantly modifying existing business practices in the organizations you have worked with. What approach have you taken that has enabled you to pull this off?
Bernard: Well, one of the key things is really to come in and take a look at the landscape of the organization, not trying to make any dramatic changes immediately. Most organizations are actually doing a lot of good things. And so, really, the key is to identify what it is that they're doing well, and then leverage off that, you know, ensuring that the investment that the organization has already made and policies, practices and standards, along with education and awareness, are protected, and somehow integrated into the new sort of central stream of doing things.
Swart: What about controlling costs, Mark? Isn't it true that the costs of information security are going through the roof?
Bernard: Yes. As you mentioned earlier, a lot of the complexity around the information security in the banking system has dramatically increased because of the standards and regulations changing. So, of course, that has had an immediate impact on the operational costs. There is a lot of unplanned expenses now through hiring external consultants, through changing the way processes function, education and awareness. Costs are going up. In some cases I've seen three and four times the typical yearly annual planned costs, which is quite high, actually.
Swart: Do you have any best remedies for managing those costs without having three and four-fold increases?
Bernard: Well, the, really the best plan is to improve how we manage the existing compliance process. And one of the things that we have done is, we have turned, have agreed to support and sponsor our approach with the ISO 27000 standard. It's a proven standard. It's been around. It's been developed, initially by a British company and then adopted by the International Standards Organization. So implementing a framework that is well-known is key.
Swart: Now, you are familiar with the first or second bank in North America to achieve this certification. Can you talk about what's involved, or the process of becoming certified under that standard?
Bernard: Well, I think the important part is to have a good strategy in mind. Have the support of the executives. You need to keep the scope narrow. It needs to be practical. The approach needs to be practical. Coming in with a canned approach, perhaps, you know, that has been used in other businesses, may not always apply in each business, even though in the banking industry, there are many, many banks. A lot of them do have different business models, and different management teams. And they manage things differently.
So keeping all these sorts of factors in mind as you prepare the scope, initially we were looking at certification for the organization. And then we narrowed that focus down to our on-line banking system. And that on-line banking system is really what is key. As you know, one of the major drivers behind all the compliance concerns is consumer confidence. So we felt that the best effort that we could put forward to provide that assurance would be implementing a well-known practice, a well-known standard, like ISO, for the on-line banking system.
So we narrowed the scope down to our on-line banking system. And the way that the ISO framework works is that any systems that are integrated with that on-line banking system also have to become part of the scope. So in fact, we are talking about physical security, environmental security, we're talking about human resources. We're talking about the IT infrastructure that is around it. And then if the scope starts getting narrower, then we talk about the group that supports the on-line banking system then with direct.
And then we talk about the other business units that also support them. So we have on-line bill payments, separate group. And we also have yet another group, the accounting folks, who make sure that general ledgers are kept up to date on the accounting, and that aspect of it.
Swart: Well, speaking of accounting, a lot of executives are quite concerned that achieving ISO compliance, or excuse me, IS certification, will significantly increase their costs, and lead to the adoption of significantly more controls. Is that perception accurate?
Bernard: Actually it's not. ISO is a big thing to take on, and there has been a lot of reluctance, as you know. We are going to be likely the first on-line banking system in North America, perhaps even the globe, to become ISO certified. And I think the reluctance is because they just haven't found the right person or the right group who can deliver that package in a way that they can accept. In fact, the ISO framework, once it's properly implemented, will actually help reduce controls, which is usually a big selling point with senior managers.
As we have external consultants and monitors coming in and telling us to implement more and more controls, the concern is that we have layers and layers, and all of the sudden productivity slows down within the organization. We have to hire new people to manage the controls because there are so many of them. And ISO is not about that at all. There are 133 controls within ISO. And they can be basically applied in a number of different ways.
But the bottom line is, there are only 133, and if you manage those properly, then there shouldn't be any need to implement layers upon layers of additional control.
Swart: That's good information. And a lot of our listeners are probably surprised to hear that. Let's shift our focus for a second into risk management. You have got extensive experience, both as a consultant and as a chief security officer. Is there a particular lesson you have learned about implementing cost-effective risk management that you could share with our listeners?
Bernard: Yeah. I think the biggest lesson is, you know, you need good support from the executives and from the board of directors, and even the audit committee can go as high as that. If you have that support, and they're open to you bringing a strategy to the table, and that strategy is a practical approach, then they'll likely accept it. Because it will mean some changes. And in some cases, the culture will shift in the organization somewhat. Because we're talking about implementing a quality management system as opposed to having a very disjointed kind of approach, in some cases, where you have silos operating within the same business having, you know, redundant processes, redundant positions.
So it is a bit of a shift. It's a positive one. And it will help control costs. Probably the biggest challenge that I have found is through the risk management process, we have basically three steps. First we do an inventory of all of the information and assets, and then we classify those assets based on some sort of a classification schema. And as part of that process we also do sensitivity analysis to determine, you know, based on confidentiality, integrity and availability, but what are the highs, lows and medians, and what are the likely impacts of that.
And then we try to assign some sort of a dollar figure. Now, that dollar figure is quite a bone of contention, actually, within most organizations. Because unfortunately, when you take an information asset that hasn't normally been valued within an organization, and then you turn it into something that has a price tag on it, the concern is that of course it becomes a tangible asset, which could actually be part of the organization's overall assets, and might even impact their books.
But the approach that we have taken is, you know, assets are typically valuated for two purposes. One is yes, for financial gain, absolutely, to go on the books. But the other one is for performance management. So it's very important, when designing that strategy, to stick to the performance management part of it, where we want to assess how the organization manages and handles information as opposed to what the real value is.
But putting a value on it is key, because when we go to do the return on investment, and try and assess the amount of money that the executives have spent on the controls that they have implemented within the organization, we need some benchmark to measure against. So applying that value is important.
Swart: That's great information. I have noticed, Mark, that many of your answers seem to be focused more on the business side of information security, not sort of the technical. And I know it's becoming an increasing trend. What are some of the central business skills that a banking or a credit union chief security officer needs to have or needs to master these days?
Bernard: Well, I think it's all about the business, for sure. And when you get immersed in the ISO process, you will soon realize that. Because right at the very top of the list is, you know, you have to define what are in our agreements with our partners, and our clients. And those have to somehow filter into the process when we establish controls. I would say that it's very important to have a good footing in the business side of the operation. It wouldn't hurt to be able to, you know, develop a business case, also to be able to do strategic and tactical planning, and do annual budgeting.
Those sorts of things will expand your appreciation for the operation, and the sort of constraints and the fiscal responsibilities that they have to operate within. And once you start to see that as a security officer, you start to realize that, you know, I can provide, this process can provide, value to the organization. But there are some limits. So we have to focus on the things that really need to be done.
So if our goal is, one of our strategic goals is to increase on-line presence, to get more on-line accounts, then we need to focus on the things that we can do around information security to enhance that or improve that.
Swart: Well, Mark, that's great information. Thank you for sharing with our listeners today. I know that we're going to appreciate learning about the ISO process, and your experience there in British Columbia.
Bernard: Thank you. Thank you very much for the opportunity to participate.
Swart: Well, thank you for listening to another podcast with the Information Security Media Group. To listen to a selection of other podcasts, or to find other educational content regarding information security for the banking and finance community, please visit www.BankInfoSecurity.com or www.CUInfoSecurity.com.