Implementing Information Security at the Enterprise - PowerPoint PPT Presentation

1
India - US Information Security Summit 2004
Implementing Security in the Enterprise
NASSCOM, New Delhi, India, October 13, 2004
Rhonda MacLean, Chief Information Security Officer, Bank of America
20041013 Rev d
2
Overview
  • Voice of the Customer
  • Our Information Security Framework
  • Compliance Culture
  • Expectations in our Partnership with Suppliers

3
Voice of the Customer, Shareholders and Regulators
4
Why do we care?
At risk
  • Disclosure of sensitive data
  • Service Interruption
  • Corruption of operational data
  • Fraud
  • Theft of services

At stake
  • Customer trust
  • Privacy and integrity
  • Reputation
  • Legal or regulatory action

5
Today's amazing information technology environment
Number of transistors on microprocessor
Sources: Bureau of Economic Analysis data published March 25, 2004;
http://www.intel.com/research/silicon/mooreslaw.htm;
Internet Software Consortium (www.isc.org);
Exploiting Software: How to Break Code, Gary McGraw and Greg Hoglund,
Addison-Wesley 2004
6
Amazing Growth in Complexity
Consider this IT Complexity Factor
7
New vulnerabilities regularly uncovered in commercial software
Severity and Sophistication Increasing
83 Increase
Source: Symantec BugTraq system, security vulnerability database;
Symantec Internet Security Threat Report, Trends for July 1, 2003
through December 31, 2003.
8
Confidential data increasingly the target of technology exploitation
Threats to Confidential Data as a Percentage of Top Ten Malicious Code Threats
Source: Symantec Internet Security Threat Report, Trends for July 1, 2003
through December 31, 2003.
9

Integrated into a Comprehensive Protection Framework
Defense in Depth
10
(No Transcript)
11
Basis for Supplier Assessment
  • "The Board of Directors and senior management are responsible for
    ensuring adequate risk mitigation practices are in place for effective
    oversight and management of outsourced functions." (FFIEC)
  • Frameworks used for assessing suppliers:
    • International Standard ISO/IEC 17799, Code of Practice for
      Information Security Management
    • Industry standards
    • Regulatory guidelines
    • Bank of America standards

FFIEC - Federal Financial Institutions Examination Council
12
How we work with our supplier partners
Information Security Assessment Framework
  • Supply Chain Management engages CIS early in the supplier selection
    process.
  • CIS provides the supplier with an Information Security Classification
    (risk factor).
  • Supplier completes Information Security's Vendor Self-Assessment.
  • CIS evaluates and scores the Vendor Self-Assessment responses (the
    result determines the need for an onsite assessment).
  • CIS develops a Gap Analysis and the supplier develops/implements a
    Remediation Action Plan.
  • All relevant supplier information and documentation is stored in a
    central repository; remediation activity is tracked and continuously
    verified.
13
Assessment Tool Scoring Example
14
Example Security Assessment Results (aggregated data for a set of suppliers)
[Chart: total controls tested per Security Control Area, split into
controls requiring remediation and controls requiring no remediation]
15
Information Security is a Partnership
  • Customer trust is an essential element of the
    financial services industry.
  • Secure products and services provide a
    competitive edge.
  • Consistent protection practices are essential.
  • An information security culture is difficult to build but critical
    to success.

Working together we will keep our customers and
Bank of America information safe and secure.