Keeping Tabs on Data

Step No. 1 in securing data: know where it is

By Tam Harbert

It’s 10 p.m. Do you know where your data is?

That’s a question many community banks may need help answering. Most banks conduct an IT audit on a regular basis to make sure their systems are secure. But a key to a thorough audit is knowing exactly where all your data is.

That’s getting more and more complicated, as data increasingly moves out of the core processing system and into third-party applications and off-site cloud providers.

“If [banks] don’t know where their data is, then they can’t be sure that it’s being protected the way it should be,” says Susan Judge, chief operating officer of Assurity River Group Inc., an information security firm in Minneapolis.

A key part of the audit is identifying what type of data your bank has, classifying it into categories depending on its level of sensitivity and determining where it is located. For community banks, much of the most sensitive data, like customer names and Social Security numbers, is in the core processing system and should be classified as high-risk. Detailed audits should be done annually on such systems, but can be less frequent—every two or three years—for lower-risk categories of data, IT auditors say.

Reining in data

And yet there is an increasing number of ways that sensitive data can make its way out of the core processing system. If the bank uses a third-party application for Internet banking, for example, that app is pulling data from the core system, says Loras Even, a principal at McGladrey LLP, an assurance, tax and consulting firm in Chicago.

In addition, a third-party application for loan processing may be running on the bank’s network, accumulating even more data than what’s typically gathered for checking or savings accounts. What happens if a loan officer downloads an Excel spreadsheet from that application onto his laptop, which is then lost or stolen?

That’s why it’s so important to spell out specific policies for handling and storing data, such as requiring all laptops (and perhaps other mobile devices such as smartphones) to be encrypted.

In addition, more banks are outsourcing data to cloud providers, but sometimes they aren’t doing enough due diligence. Even if a cloud provider says it’s SAS-70 certified, “it’s best not to rely on that,” says Judge. The bank’s contract should clearly stipulate what controls the provider has in place to protect the data and should spell out that the bank has the right to audit the provider, she adds.

Make sure to get a service organization control (SOC) report from the provider, but don’t just file it away with the contract. “As a bank you want to read that report and verify that the controls being opined on by the auditor are the controls that you are relying on,” Even says.

Passing the audit

Data auditing is a combination of human skill and technological capabilities. Initially, auditors interview key staff to learn about the bank’s data and data policies. Then they use both technical tools and personal investigative skills to verify whether and how those policies are being enforced, as well as whether the policies are adequately protecting the data.

Judge calls it “the ‘show me’ service,” where the bank needs to prove that it’s doing what it says it is doing. The auditor tests key systems to make sure they are patched and configured securely. The auditor also tests the network from the outside, a step known as penetration testing, to identify any vulnerabilities in the bank’s firewall.

Another type of test that’s become increasingly important is social engineering testing, says Even. Designed to see whether bank employees are following the right standards and protocols to keep data safe, this test goes beyond computer systems. It’s one thing to see if employees click on phishing emails, which can take them to phony websites that might steal information. But allowing someone into a restricted area without the proper credentials can be just as dangerous.

Auditors from Plante Moran PLLC will walk into a bank carrying a branded Hewlett-Packard box, saying they are there to replenish printer supplies, just to see if anyone asks for identification, according to Raj Patel, partner at the Southfield, Mich.-based accounting and business consulting firm.

McGladrey tests employees over the phone as well. Bad actors can easily spoof caller ID so it looks like a local call, and bank employees want to be especially helpful to members of the community, of course. “But bank personnel [still need] to step through their validation process before they help someone over the phone,” says Even.

Auditors also use technology that can detect if data is being stored where it should not be. Electronic-discovery software, for example, scans the bank’s network looking for certain patterns, such as a nine-digit pattern that could be a Social Security number, which sometimes shows up on employee hard drives, Judge says.
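The pattern-based scan Judge describes, as an added example that is not from the article or from any of the firms it quotes: a small Python scanner that flags nine-digit numbers formatted like a Social Security number, applies the Social Security Administration's structural rules (never-assigned area, group and serial values) to cut false positives, and masks each hit so the scan report does not become yet another unprotected copy of the number. The sample "files" and their paths are constructed for the example; a real scanner would walk the employee drive and read each file instead.

```python
import re
from typing import Dict, Iterator, List

# Nine digits, optionally separated as NNN-NN-NNNN or NNN NN NNNN, with no
# digit immediately before or after (so a ten-digit phone number is not
# chopped into a false hit).
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the Social Security Administration never assigns:
    area 000, 666 or 900-999; group 00; serial 0000.  This trims false
    positives from other nine-digit numbers but cannot rule out every
    routing or account number, so a person still confirms each hit."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(ssn: str) -> str:
    """Keep only the last four digits so the report itself does not
    become another unprotected copy of the number."""
    digits = re.sub(r"\D", "", ssn)
    return "***-**-" + digits[-4:]


def find_ssn_candidates(text: str) -> Iterator[str]:
    """Yield every substring of `text` that passes both the format and
    the structural check."""
    for m in SSN_CANDIDATE.finditer(text):
        if looks_like_ssn(*m.groups()):
            yield m.group(0)


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {path: [masked hits]} for every file that contains at least
    one candidate.  `files` maps a path to that file's text content."""
    report: Dict[str, List[str]] = {}
    for path, content in files.items():
        hits = [mask(s) for s in find_ssn_candidates(content)]
        if hits:
            report[path] = hits
    return report


# Constructed sample "files" standing in for an employee hard drive.
# The SSN-like values, phone numbers and routing number are all made up.
SAMPLE_FILES = {
    r"C:\Users\loanofficer\Documents\pipeline.csv":
        "name,ssn,amount\nJ. Doe,123-45-6789,250000\nR. Roe,487 65 4320,80000\n",
    r"C:\Users\loanofficer\Desktop\contacts.txt":
        "Branch desk: 555-123-4567\nFax: 555-987-6543\n",
    # A nine-digit routing number that happens to fit the SSN rules is
    # still reported; the reviewer, not the regex, decides it is benign.
    r"C:\Users\loanofficer\Downloads\wire.txt":
        "Routing 123456789 Account 000123456\nRef 900123456\n",
}


def main() -> None:
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {len(hits)} possible SSN(s): {', '.join(hits)}")


if __name__ == "__main__":
    main()
```

Running it reports two masked hits in the spreadsheet export and one in the wire note (the constructed routing number, which the structural rules cannot tell apart from a real SSN), while the phone numbers and the 000- and 900-prefixed values are skipped. The masking is deliberate: a scan report listing full SSNs would itself be high-risk data stored somewhere the policy never anticipated.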

The first and best line of defense, however, is to have clear policies and adequate employee training. Most data breaches happen because someone stored information in an insecure place and probably didn’t realize it. For example, says Judge, when employees click “save,” they might be putting a sensitive document or spreadsheet onto their own hard drive rather than the network drive.

“You have to make sure you put the right controls on the right data, and then educate all your employees,” Judge says.

Tam Harbert is a writer in Rockville, Md.