C-Level Security: Bank Security and the Egg Timer
How Good Management Trumps Technology
The development of technology for securing information has been advancing at a pace that is truly astounding. In 20 years the security industry has evolved from Sun Microsystems' SunScreen and the Cisco PIX (yes, I know there were a few others) to over a thousand security products, of which nearly 700 are currently VC funded. All are trying to generate business from within this ever-advancing market currently called cybersecurity. Few tech markets are growing at the rate of cybersecurity, and as a result we are seeing investors, in a near-desperate attempt to gather slivers of this market, throwing money at companies with Rube-Goldberg-inspired technology. We now have a flood of technology solutions that no one person can understand, and the customers that consume this technology struggle daily with supporting and operating these systems. Many of the C-level executives reading this may want to consider a management solution for the next expensive problem their engineering team presents to them.
In the early days, before there was a developed security market, banks implementing technology were (and still are) governed by "compliance guidance". During this period, securing network information was new and novel, and many interesting security implementations from that time come to mind. To focus their guidance, the FFIEC* came out with their first network security booklet containing a basic requirement which implied that all connections to public networks (the internet) must be monitored 24x7. This requirement started the managed security services industry, since monitoring networks 24x7 was not something that most financial institutions could perform. Though a few institutions were pretty clever at bending these rules, one bank in California had an approach that worked great and was unforgettable.
Around the year 2000, my firm was conducting a review of security practices and procedures for a mid-sized institution in the Los Angeles area. After a few hours of general discussion, the conversation moved to the latest FFIEC directives. When we hit upon the 24x7 monitoring requirement, they responded by saying that they did not run the network 24x7; they only had their internal network connected to the internet during business hours. This was not typical, since many applications (email for one) did not play well if connections were broken for long periods of time, so this answer led us to an interesting conversation. When asked how they were certain that the connection was connected or disconnected each day, the banker in charge replied: with an 'egg timer'.
The FFIEC does not specify HOW you do anything. They are in the business of assessing IF you are compliant with their action statements. We were in the business of preparing and assessing these compliance directives for our customers, and were now in a quandary: the bank was connected to the internet, but claimed to be connected only during business hours, when it could 'monitor' its network. When questioned, the bank produced logs verifying that the network was disconnected daily at 5 pm and that this was inspected by a member of staff who signed the log. To bolster their position, they had a compensating control (think of this as a backup in case of failure of the primary control) in the form of an egg timer, which was actually a light timer into which they plugged their internet router. Around 8 am, the timer would turn on the power and boot the router. At 5 pm, the timer would turn the power to the router off and someone would come into their data closet (yes, it was really a closet) and sign a log stating that the timer had worked.
The timer was the type you might use to cycle lights in your home while on vacation, and it had a 7-day range, which allowed the bank to keep the internet disconnected over the weekend when they were closed. The logs were complete for a period of 9 months, since the day the system was implemented. Prior to this implementation, the bank had used dial-up connections for a few of their computers. Their implementation met, and at the time exceeded, the compliance directive. An inexpensive and well-managed solution.
We debriefed our assessment with the bank's management, and the compliance manager stated something that has stayed with me to this day: "Good management trumps technology - every time." Rather than setting up an elaborate installation of new, complicated technology to handle the current compliance directives, they employed an inexpensive home-brewed solution to meet the compliance standard set by the FFIEC. I believe they used this system for a few years without complaints from the examiners before transitioning to a 24x7 solution.
I would be very interested to hear your experience with good management trumping technology. Do you have a favorite situation that you would like to share?
*FFIEC - Federal Financial Institutions Examination Council; they set the standards which are used to measure and assess financial organizations' ability to securely deliver financial services. http://ithandbook.ffiec.gov/it-booklets/information-security.aspx