Risk Management Crosses Disciplines at PNC Bank
Apr 1, 2003 12:00 PM, By JACQUELINE EMIGH
Every day, banks are faced with security hazards ranging from robberies to hacker attacks — all while complying with an increasingly complicated regulatory environment. To better fend off the security risks and to ensure compliance, PNC Bank, headquartered in Pittsburgh, has set up a multidisciplinary risk management team.
The brainchild of John Ericksen, PNC's director of security services and technology risk, the two-year-old entity is known as the Computer Emergency Response Team and Forensics (CERF). The team is made up of physical and IT security experts from the two components of PNC's Security Services arm: corporate security and information security.
“A lot of what we discuss is of a technical nature; however, the bank's legal and human resource (HR) people, for example, are also brought in, on an ‘as needed’ basis,” says Robert Burch, PNC's vice president of information security. “They serve as an extension to CERF.”
Formation of the CERF team represents a move by PNC toward “proactive risk management,” Burch continues. “This is the most challenging and dynamic period of risk ever experienced by business. Managing threats, reform laws, audits and new regulations is a full-time job.”
Potential hazards include the possibility of advanced external threats, loss of company assets and proprietary data, and breach of customer data integrity, Burch says. “Traditional risk management models no longer work. Independent defense solutions are a formula for disaster,” he says. “Companies have to be flexible and forward-thinking. They need to monitor proactively and design for the next trend in risk.”
Bottom-line responsibility for computer security has now been moved to the multidisciplinary team. “Unix administrators are not enough, and you can't rely on firewalls alone,” Burch says.
Also under the CERF umbrella, members of Corporate Security and Information Security work together on crafting systems that combine information systems with physical access controls.
PNC's CERF team also deals with the increasing mound of regulations facing banks today. Examples include rules of the U.S. Securities and Exchange Commission; the Sarbanes-Oxley Act; the Gramm-Leach-Bliley Act (GLBA); the USA Patriot Act; and compliance auditing, just for starters.
Several federal agencies that regulate the finance industry have instituted rules based on GLBA. For instance, the Office of the Comptroller of the Currency (OCC) now requires subject banking institutions to use “response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.”
The Federal Trade Commission (FTC) now has a Safeguards Rule. The rule calls on financial institutions to maintain information security programs for “detecting, preventing and responding to attacks, intrusions or other system failures.”
The Sarbanes-Oxley Act, passed last year, requires not just financial institutions but all publicly traded companies to retain certain documents, either electronically or physically, for periods of several years.
Despite the technical nature of some of the solutions, CERF takes a business orientation to addressing problems. Burch outlines the major steps the CERF team uses:
Identify critical infrastructures and existing controls;
Prioritize business and customer assets;
Justify technology improvements using a business case approach; and
Build a Security Operations Center (SOC).
PNC's SOC contains a range of multivendor risk management tools. “You can't buy a magic bullet. A shrinkwrapped system is not available,” Burch says.
“We have hooks into every information system in the bank, from legacy systems to new deployments,” says Robert Knight, PNC's assistant vice president for CERF.
PNC's corporate security staff makes contributions in the areas of forensics and fraud investigations, as well, Knight adds. “Our investigatory people can snoop out anything.”
Lawyers, too, are advocating a multidisciplinary approach to security and associated regulatory issues. The plan should cover physical and technical security; data retention; confidentiality and trade secrets; incident response, and more, says Marc Zwillinger, an attorney at Sonnenschein Nath & Rosenthal.
For effective incident response, banks should identify in advance the “triggers” for the response, while also pinpointing key personnel and the actions to be taken, Zwillinger says.
One of the many risk management tools now in use at PNC is Guidance Software's EnCase Enterprise Edition. The product is designed to allow corporate investigators to copy information on remote computer hard drives. The preserved evidence can then be analyzed for signs of unauthorized activities such as file deletions or software downloads.
“For us, one of the most important benefits of EnCase Enterprise Edition is its remote access capability,” Knight says. “The product can often eliminate the need to travel. You don't necessarily have to go somewhere else physically.”
Banks and other corporations can best deal with security and associated regulatory issues by being prepared, Burch says: “Involve key executives and the board in all security services planning and escalation procedures. Build a team comprised of technologists and managers from all areas of the business. You can't wait for something to happen first.”
Once a multidisciplinary plan is in place, communications become paramount, both inside the team and with others. “Overcommunicate to lines of business and remote resources,” Burch suggests.
For the Record
ABOUT THE AUTHOR
Jacqueline Emigh is a New York-based writer and regular contributor to Access Control & Security Systems.
© 2008 Penton Media Inc.