White Paper: Enterprise Security
IT Risk Management for Financial Services
An Essential Strategy for Business Success

Contents

Executive summary (page 4)
Overview (page 4)
The challenge to the enterprise (page 6)
Five steps to risk management best practices (page 7)
Symantec's approach to best practices implementation (page 13)
Putting our strategy to work (page 14)

Executive summary

Assuming and managing risk is one of the important roles the financial services industry plays for its customers. The key, of course, is to manage risk profitably. Risk involves the many domain areas of expertise such as credit, investment, casualty, interest rate, and other traditional risks faced by financial services providers. To be successful, financial institutions understand that sound information management is critical to effectively serving customers while meeting planned profit objectives. Yet, as much as institutions have invested in traditional risk management, too many enterprises have been slow to implement best practices for information technology (IT) risk management. IT risks include anything from a network shutdown that paralyzes the business, to liability for failure to protect private data. Because it is dispersed throughout the enterprise, business-critical information is not always easy to protect.

Symantec has developed a comprehensive approach to IT risk management, based on our industry-leading best practices and technologies in the security and infrastructure management areas. Our approach to reducing IT risk enables a bank, brokerage firm, or insurance company to align the risk and cost of infrastructure, putting information technology assets on the same sound footing as other business assets.

This white paper describes best practices for enterprise IT risk management, the challenges faced by financial service providers in implementing best practices, and Symantec's solution to those challenges.

Overview

Operational risk has always been a part of doing business. Today, however, management is increasingly required to identify, quantify, and manage the broad range of operational risks. The Sarbanes-Oxley Act in the United States, and Basel II globally, have made all levels of operational risk management, including IT risk, a board-level topic in every major financial institution today. These regulations require increased control and effective management of information assets throughout the institution. As a part of meeting these requirements, successful, forward-looking enterprises are developing specific strategies and policies for IT risk management.

IT risk management involves two complementary components: security and availability. Information is worthless, and can even be a liability, if it is not secure. Secure information is useless if it cannot be efficiently stored and readily accessed.

Individuals, corporations, and whole economies are increasingly dependent on the Internet and networked IT systems. The daily value that these systems deliver is often not readily apparent or easy to measure. Risk exposure can be equally elusive—dispersed among a number of departments, business service providers, and functions, and in a variety of forms. Typical IT risks include lost business or productivity due to IT infrastructure downtime or disaster, liability for failing to keep customer data private, fines for regulatory violations, or inability to defend lawsuits due to inadequate record keeping. Recent headlines have demonstrated how anything from a lost laptop to a Category 1 hurricane can trigger a major incident. Each of these can be more broadly labeled as an "information incident."

Throughout the globe, the rapidly evolving matrix of legislation and regulation requires new levels of privacy, security, and documentation. Audit and accountability requirements increasingly hold corporate board members, officers, and managers legally responsible—encouraging financial institutions to take a closer look at IT-related due diligence policies and business practices. In addition, the industry itself is developing and mandating standards such as communication and interoperability requirements. Figure 1 depicts a sampling of this global trend.

[Figure 1: a sampling of the global regulatory trend. Items legible in the figure: National Association of Securities Dealers (NASD) Rules; Bank Secrecy Act (BSA); U.S. Securities and Exchange Commission (SEC) Rules; Sarbanes-Oxley (SOX); Gramm-Leach-Bliley Privacy Act; ...]