Booklet: Information Security
Section: Security Process Monitoring and Updating

A static security program provides a false sense of security and will become increasingly ineffective over time.  Monitoring and updating the security program is an important part of the ongoing cyclical security process.  Financial institutions should treat security as dynamic with active monitoring; prompt, ongoing risk assessment; and appropriate updates to controls.  Institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls.  They should use that information to update the risk assessment, strategy, and implemented controls.  Updating the security program begins with the identification of the potential need to alter aspects of the security program and then recycles through the security process steps of risk assessment, strategy, implementation, and testing.

Monitoring

Effective monitoring of threats includes both non-technical and technical sources.  Non-technical sources include organizational changes, business process changes, new business locations, increased sensitivity of information, or new products and services.  Technical sources include new systems, new service providers, and increased access.  Security personnel and financial institution management must remain alert to emerging threats and vulnerabilities.  This effort could include the following security activities:

  • Senior management support for strong security policy awareness and compliance.  Management and employees must remain alert to operational changes that could affect security and actively communicate issues with security personnel.  Business line managers must have responsibility and accountability for maintaining the security of their personnel, systems, facilities, and information.
  • Security personnel should monitor the information technology environment and review performance reports to identify trends, new threats, or control deficiencies.  Specific activities could include reviewing security and activity logs, investigating operational anomalies, and routinely reviewing system and application access levels.
  • Security personnel and system owners should monitor external sources for new technical and non-technical vulnerabilities and develop appropriate mitigation solutions to address them.  Examples include many controls discussed elsewhere in this booklet, including
    • Establishing an effective process that monitors for vulnerabilities in hardware and software and establishes a process to install and test security patches,
    • Maintaining up-to-date anti-virus definitions and intrusion detection attack definitions, and
    • Providing effective oversight of service providers and vendors to identify and react to new security issues.
  • Senior management should require periodic self-assessments to provide an ongoing assessment of policy adequacy and compliance and ensure prompt corrective action of significant deficiencies.

Updating

Financial institutions should evaluate the information gathered to determine the extent of any required adjustments to the various components of their security program.  The institution will need to consider the scope, impact, and urgency of any new or changing threat or vulnerability.  Depending on the nature of the changing environment, the institution will need to reassess the risk and make changes to its security process (e.g., the security strategy, the controls implementation, or the security monitoring requirements).

Institution management confronts routine security issues and events on a regular basis.  In many cases, the issues are relatively isolated and may be addressed through an informal or targeted risk assessment embedded within an existing security control process.  For example, the institution might assess the risk of a new operating system vulnerability before testing and installing the patch.  More systemic events like mergers, acquisitions, new systems, or system conversions, however, warrant a more extensive security risk assessment.  Regardless of the scope, the potential impact and the urgency of the risk exposure will dictate when and how controls are changed.