Calculating IT risk, navigating compliance

No one can afford to lock down everything and comply with the letter and spirit of every regulation. So put the most resources where liability is highest

If you want to know how important regulatory compliance has become for financial services companies in the United States in recent years -- how ingrained in the day-to-day operations of banks, brokerages, and mortgage companies -- consider SunTrust Bank, the nation's seventh largest financial institution, where auditors have their own room on the upper floors of the company's Atlanta headquarters. Permanent network connections? Got 'em. Perpetually refreshed buffet? You bet. Floor-to-ceiling windows with striking views of downtown? Done.

"We like to keep our auditors happy," says David Rowan, senior vice president and director of SunTrust's enterprise technology risk management group, speaking at Courion's Converge '06 user conference.

And for good reason. With more than $175 billion in assets, 5 million customers, and 33,000 employees, SunTrust gets audited around 48 times a year. That means auditors are an almost permanent fixture in the company's offices, and SunTrust is in an almost perpetual state of "audit readiness," with full-time staff dedicated to nothing other than facilitating audits against the legion of regulations that affect SunTrust's business: Sarbanes-Oxley, Gramm-Leach-Bliley, the Anti-Money Laundering Act, the Bank Protection Act, audits from the Federal Reserve and Securities and Exchange Commission, as well as internal and third-party audit teams.

The company's robust response to these challenges has made it a leader in enterprise risk management and a darling of the compliance community. SunTrust has reduced outstanding audit issues by 97 percent in the last five years by investing in areas such as user and access management and by consolidating risk functions such as physical and IT security. The cost? SunTrust will spend $55 million on enterprise risk management this year, around 5 cents per share, Rowan says.

All the more frustrating, then, that SunTrust's investment didn't spare it the expense and embarrassment of having to reissue 65,000 debit cards to customers last year following a security breach at a merchant site that led to the theft of account information for hundreds of thousands of Visa card holders by an unnamed Russian hacking crew, Rowan says.

That dilemma is vexing companies across the country, in the wake of reported data thefts at online retailer OfficeMax, the Department of Veterans Affairs, Fidelity Investments, not to mention ChoicePoint, LexisNexis, CardSystems, and countless others. Traditionally managed within the company, enterprise risk management today involves an increasingly complex set of interdependencies that includes customers, business partners, and outsourced operations, along with consultants and other contractors. At the same time, risk officers are under intense pressure to reduce the cost and complexity of compliance.


That confluence of factors could set the stage for a big shift in the evolving practice of enterprise risk management, as companies look for ways to streamline and automate compliance functions, while broadening their understanding of enterprise risk to take into account threats that accompany customer and business partner integration through Web services and SOAs.

Risky Business

Developing an enterprise risk management strategy involves creating an integrated view of a company's exposure to risk that includes a company's business, ongoing operations, and finances. Enterprise risk management requires a sober assessment of internal risks such as theft by rogue employees or the unexpected loss of an indispensable senior executive, not to mention external hazards ranging from hackers to hurricanes (see "Best practices for managing IT risk").

"Basically, if it's bad, it's my responsibility," Rowan jokes.

Companies have weighed their business risks for years, but the Sarbanes-Oxley Act of 2002 pushed many of the nation's businesses to think seriously about risk beyond the basics of door locks, passwords, firewalls, and anti-virus software. Two provisions in particular caused a Y2K-like scramble: Sarbanes-Oxley Section 404, which requires companies to document -- and auditors to attest to -- the effectiveness of internal controls and procedures; and Sarbanes-Oxley Section 409, which requires "real-time" disclosure of information that changes the financial condition or operations of the company.

As the worst compliance fires are doused, management's attention is turning to overall IT risk, says John Pescatore, a Gartner fellow. "The biggest accomplishment of Sarbanes-Oxley is that it forced companies to take a process look at things like application development and patch management. These are things the security guy has been whining about for years, but nobody wants to stop the plane in midflight to fix them," he says.

During the past three years, Gartner has seen investments in vulnerability and patch management software shrink the patch window at large enterprises from more than a month down to just five days. Fast-moving worms such as Blaster and Slammer might have been the impetus to buy those systems, but risk management and process audits are the motivation for their continued application. "Three years ago, people might have said, 'We need to use this because we just got hit by Blaster,' " Pescatore says. "Today, they haven't been hit by Blaster, but they have process audits and control objectives."

At SunTrust, compliance concerns prompted Rowan and his colleagues to completely re-engineer the company's decentralized system for assigning access control, winnowing the number of employees with rights to grant access to applications from 1,000 people down to just 30 with user-provisioning and password self-service technology from Courion.

At TransUnion, one of the United States' "big three" credit bureaus and a global corporation with more than 4,000 employees, regulations such as the U.S. Fair Credit Reporting Act and consumer privacy laws in Canada and the European Union have led to investments in vulnerability tracking technology from Qualys that allows senior executives at the company to view the company's risk posture, says Kenneth Baldridge, TransUnion's director of information security.

The High Cost of Low Risk

But many security and risk management experts doubt whether the investments that companies have made in the name of compliance have paid off in terms of overall risk reduction, beyond the immediate goal of keeping auditors at bay (see "How to evaluate risk management solutions").

"I believe at the end of the day, the technologies companies have invested in will be proven to have been a good thing. But I also think there's going to be a lot of technologies and processes that will not prove to be that effective," says Ed Cooper, vice president of marketing at SkyBox Security.

For example, regulations such as Sarbanes-Oxley and the Payment Card Industry Data Security Standard (PCI DSS) backed by Visa and MasterCard have made companies deeply concerned about being able to identify and mitigate critical software vulnerabilities. But scans by SkyBox of customer networks show that 80 percent of exploits for those vulnerabilities are already blocked by other security controls, such as firewall rules that never let the attacker reach the vulnerable service, without a patch or other mitigation step being necessary, Cooper says.

Companies spend considerable time, effort, and resources mitigating those critical vulnerabilities and deploying vendor patches, even though doing so doesn't change their risk at all, Cooper says.

"People say, 'We went out and bought reporting tools and changed processes and spent money on consultants to tell us where we have gaps, but we haven't rationalized our architecture to the business,' " says Eric Maiwald, senior analyst at Burton Group.

The continuing cost of compliance to enterprises and the demand for return on investment from businesses and their shareholders is forcing companies to take that next step of developing full-fledged risk management strategies that are tightly integrated with their business processes, experts agree.

"I think we're beginning to see a second stage, where the CFO and business managers say, 'We see that you have [compliance] under control, but we've got to drive down costs. We can't go to the market and continue to say we're not going to hit our earnings because of Sarbanes-Oxley,' " says Chris Zannetos, CEO of Courion. 

Fashioning the Framework

IBM recommends a range of best-practices frameworks to help companies develop enterprise risk management strategies, including the ITIL (IT Infrastructure Library) for IT service management, which focuses IT processes around business needs. But customers should adopt a layered approach that also includes consideration of ISO 17799, CobiT, and various other standards, says Kelly Schupp, director of security solutions for Tivoli Software at IBM.

SunTrust is a backer of the CobiT framework, which provides guidelines for IT security and control, but the company doesn't adopt any best practice wholesale, Rowan says. "You have to look at [best-practices frameworks] through the lens of your business," he says.

Instead, the company sends its risk officers to bank teller training to see how things work in the field. That type of firsthand knowledge affects decisions made at the top level, about issues such as authentication and data protection. "If tellers need to log on five different ways just to access a screen, you may be addressing your risk but hurting your business," SunTrust's Rowan says.

Tools from companies such as Archer Technologies and SkyBox, which Gartner dubs "risk prioritization" software, are gaining popularity, as companies try to streamline risk management activities by understanding how regulations overlap and by prioritizing their risk, Gartner's Pescatore says.

"You know you have vulnerabilities out there, and there are regulatory requirements. It's like a huge Venn diagram," says American Express CISO John Kirkwood.

American Express is using asset and risk management technology from Archer to see the overlap in that diagram -- and to spot the gaps. By its own estimates, the company is subject to around 11,000 different regulations in the United States and abroad. Around 80 or 90 percent of those are centered on just 250 different compliance areas, Kirkwood says.

"You can run out and put in what you need for GLBA [Gramm-Leach-Bliley Act] and Sarbanes-Oxley and HIPAA, or you can say, 'All these require control of users. What's the least onerous way to put that in?' And then you can just refine it," Kirkwood says.

SkyBox's products develop an overall picture of enterprise risk by analyzing network configurations together with assets and vulnerability information to identify areas that are susceptible to attack. That allows companies, for example, to determine not just that they need a network-based IPS device but where best to deploy the product to reduce their exposure to attack, SkyBox's Cooper says.
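The kind of analysis described in this passage, and behind Cooper's earlier point that most critical vulnerabilities are already blocked by other controls, is attack-path reachability: combine the firewall rules with the vulnerability list and ask which vulnerable services an attacker can actually reach, pivoting through hosts compromised along the way. The following is an added illustration, not SkyBox's code or anything from the article; the zones, hosts, rules, vulnerability IDs and scores are all constructed for the example.

```python
"""Attack-path reachability as a vulnerability prioritization tool.

Added illustration with a constructed network model: zones, hosts, firewall
rules and vulnerabilities. A vulnerability counts as 'exposed' only when an
attacker starting in the internet zone can reach its service through the
rules, using each compromised host as a foothold in its zone.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: Optional[int] = None  # None allows any port


@dataclass(frozen=True)
class Vuln:
    vid: str      # constructed placeholder id, not a real advisory
    host: str
    port: int
    score: float  # CVSS-style base score, 0-10


# Constructed sample data (hypothetical network)
HOSTS = {          # host -> zone it sits in
    "web1": "dmz",
    "app1": "app",
    "db1": "data",
    "hr-file": "corp",
}
RULES = [
    Rule("internet", "dmz", 443),
    Rule("dmz", "app", 8080),
    Rule("app", "data", 1433),
    Rule("corp", "data"),                 # any port from the internal network
]
VULNS = [
    Vuln("VULN-A", "web1", 443, 9.8),
    Vuln("VULN-B", "app1", 8080, 7.5),
    Vuln("VULN-C", "db1", 1433, 9.0),
    Vuln("VULN-D", "hr-file", 445, 9.3),  # critical, but only reachable from corp
    Vuln("VULN-E", "web1", 22, 8.1),      # SSH is not permitted in from the internet
]


def allowed(src_zone, dst_zone, port, rules):
    """True if some rule permits src_zone -> dst_zone on the given port."""
    return any(r.src_zone == src_zone and r.dst_zone == dst_zone
               and r.port in (None, port) for r in rules)


def exposed_vulns(hosts, rules, vulns, start_zone="internet", patched=frozenset()):
    """Return {vuln_id: hops} for every vulnerability reachable from start_zone.

    Breadth-first search over zones: a vulnerable service is reachable if a
    rule allows traffic to it from a zone the attacker already holds.
    Exploiting it hands the attacker the host's zone, and the search continues.
    """
    held = {start_zone: 0}          # zone -> hops needed to get there
    queue = deque([start_zone])
    reach = {}
    while queue:
        zone = queue.popleft()
        for v in vulns:
            if v.vid in patched or v.vid in reach:
                continue
            dst = hosts[v.host]
            if allowed(zone, dst, v.port, rules):
                reach[v.vid] = held[zone] + 1
                if dst not in held:
                    held[dst] = held[zone] + 1
                    queue.append(dst)
    return reach


def prioritize(hosts, rules, vulns, patched=frozenset()):
    """Split vulns into (exposed, shielded); exposed sorted by hops then score."""
    reach = exposed_vulns(hosts, rules, vulns, patched=patched)
    exposed = sorted((v for v in vulns if v.vid in reach),
                     key=lambda v: (reach[v.vid], -v.score))
    shielded = [v for v in vulns if v.vid not in reach and v.vid not in patched]
    return exposed, shielded


def exposure_score(hosts, rules, vulns, patched=frozenset()):
    """Sum of scores of reachable vulnerabilities; the number to drive down."""
    reach = exposed_vulns(hosts, rules, vulns, patched=patched)
    return sum(v.score for v in vulns if v.vid in reach)


def best_single_patch(hosts, rules, vulns):
    """(vuln_id, remaining exposure) for the one fix that removes the most exposure."""
    return min(((v.vid, exposure_score(hosts, rules, vulns, patched={v.vid}))
                for v in vulns), key=lambda t: t[1])


if __name__ == "__main__":
    exposed, shielded = prioritize(HOSTS, RULES, VULNS)
    print("exposed:", [v.vid for v in exposed])     # VULN-A, VULN-B, VULN-C
    print("shielded by existing controls:", [v.vid for v in shielded])
    print("best single patch:", best_single_patch(HOSTS, RULES, VULNS))
```

In this constructed model two of the five critical findings (VULN-D and VULN-E) are unreachable from the internet because no rule carries traffic to them, which is the situation Cooper describes: patching them first would not change exposure. The what-if function also answers the placement question from the paragraph above, since the web-tier vulnerability is the chokepoint every path runs through; the same traversal run with a candidate rule removed, or with a blocking control inserted on a path, shows how much exposure that control would actually buy.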

"The next phase -- the real challenge -- is quantifying whether IPS and IDS are actually doing what you expect them to do … and prove to the management team what the value of that investment is," Cooper says.

At companies such as Limited Brands in Columbus, Ohio, which owns Victoria's Secret and Bath & Body Works, Sarbanes-Oxley compliance work over the past three years led to the creation of an overall risk management and brand protection strategy, says David Criminski, security director at Limited.

Limited used an arsenal of point security products for years, including IDS, IPS, firewalls, anti-virus, and malicious code detection, but only issued its first security policy in 2003 to comply with Sarbanes-Oxley. Since then, Limited has introduced a data classification model that assigns all data to one of three levels of risk: private restricted confidential (customer data), restricted confidential, and public confidential.

The data classes have, in turn, been integrated into Limited's project management lifecycle, allowing the company to focus activities such as security research and penetration testing on systems handling the most sensitive data, Criminski says.

"As an IT security guy, I'd love it to be all security all the time, but you've got to prioritize. So if it's PRC [private restricted confidential] data, you do all that, but maybe not with public confidential data," Criminski says.

Limited's risk management strategy has also made follow-on regulations such as PCI more manageable. "PCI doesn't stress us out because there isn't anything there that isn't a part of our security program already," Criminski says.

What You Don't Know Can Hurt You

Unfortunately, complying with regulations such as Sarbanes-Oxley and HIPAA is just one element of overall risk management. The larger problem of calculating security risk remains difficult and fundamentally different from calculating other kinds of risk that companies and CFOs are familiar with -- such as credit risk or fraud, Gartner's Pescatore says.

"Risk analysis is great stuff. But just because you're compliant, doesn't mean you're secure," Pescatore says.
