Top IT Security Concerns for Financial Institutions
NetStandard
01-29-08, 05:40 AM
As a bank executive, what are your top IT concerns?
1. Overspending on information technology and hurting return on assets.
2. An IT infrastructure that really doesn't meet your bank's needs.
3. Employees unable to do their work because network applications or workstations aren't responding as they should.
4. Information security weaknesses which might allow customer information to be stolen and misused.
5. Poor examination results because the examiners judged your policies and procedures to be less than adequate.
6. Overdependence on a single bank employee for IT.
7. Sending confidential backup tapes home with an employee. What if the tapes are lost or stolen?
8. A disgruntled or careless employee damaging your information systems.
9. Important systems going down or important information being corrupted. Can you restore operations quickly?
10. A board of directors unhappy with the situation.
NetStandard - Certified Information Systems Security Professionals (http://www.netstandard.com/blog/2008/01/top-it-security-concerns.html)
ShawNetworks
02-01-08, 06:49 PM
"A disgruntled or careless employee damaging your information systems."
I'd say that one probably has the largest potential for damage.
danushman
05-19-08, 10:03 AM
Banks are really concerned with all aspects of security... but the bigger question is why you would think a banking executive would be on HostHideout :)
dan
NetStandard
05-22-08, 08:33 AM
I totally agree that internal security is paramount. And the problem is, internal security is so easy to fall down on. I can give tons of examples, but I’ll give just a few. For instance, there’s the old problem of permission creep. A guy gets transferred from one position in the company to another. Each time he moves, he gets new access levels to important applications and network resources. But, at the same time, the company forgets to revise his old access levels. In time, he has access to far more resources than he needs.
Here’s another problem. A bank CEO or chief loan officer has wide access to the core application program. The potential for abuse is overwhelming. That’s why C-level officers should have view-only access. This chief lending officer, who has too much access, could book a fictitious loan to an elderly customer, and then divert the loans to himself. Or say the bank doesn’t have proper controls over dormant accounts. Those are the old accounts which haven’t had any activity in a long time, sometimes years. An operations officer could say, “I’ll just take money out of those accounts. The depositor isn’t paying any attention. He’ll never know.”
Here’s another issue. You’ve got folders on the company’s shared drive. Some of these folders contain sensitive information. Are you controlling who can open these folders? What if the guy in accounting, who used to be in human resources, can look at personnel files he shouldn’t be able to see?
Or what if your Active Directory group policies are weak? Let’s say users have administrative control over their PCs and can download programs at will. Let’s say at the same time, you have not enabled the AD setting, “Do not allow anonymous enumeration of SAM accounts and shares”. An employee could download a free Active Directory reporting program and map out your whole domain.
Internal security takes a lot of careful thought, planning and testing because there are so many variables. Many business owners will say, “My people are honest. I’m not worried.” Maybe they are honest and nothing bad has ever happened. But sometimes employees have unexpected medical bills. Another employee develops a gambling problem. Another employee was mistreated and wants revenge. It happens. Further, strong security not only protects you, it protects your employees. If an employee has money problems, don’t dangle a carrot in front of him which could lead to him getting in trouble with the law. Practicing good internal security is actually the best thing to do for everyone involved.
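The permission-creep problem described in the post above (a transferred employee keeps old access, a C-level officer holds more than view-only rights on the core application) is something an entitlement review can catch mechanically. The following is an added example, not code from the thread or from NetStandard: it reconciles what each user currently holds against a role baseline and attributes any excess to the earlier role that granted it. Role names, entitlement strings and user records are constructed for illustration.

```python
"""Entitlement reconciliation: flag access a user holds that the current role does not justify.

All role names, entitlement strings and users below are constructed sample data.
"""

from dataclasses import dataclass, field

# Constructed role baseline: the entitlements each role is supposed to carry.
ROLE_BASELINE = {
    "human_resources": {"hr_share:read", "hr_share:write", "payroll_app:user"},
    "accounting": {"finance_share:read", "gl_app:user"},
    "operations_officer": {"core_app:view", "core_app:post_transaction"},
    "chief_lending_officer": {"core_app:view"},  # C-level: view-only on the core application
}

# Entitlements that carry fraud risk on their own; any excess here is escalated.
HIGH_RISK = {"core_app:post_transaction", "core_app:book_loan", "core_app:dormant_override"}


@dataclass
class User:
    name: str
    role_history: list  # roles held in order; the last entry is the current role
    entitlements: set = field(default_factory=set)

    @property
    def current_role(self) -> str:
        return self.role_history[-1]


def simulate_transfer(user: User, new_role: str, revoke_old: bool) -> None:
    """Move a user to a new role.

    With revoke_old=False this models the creep the post describes: access for the
    new role is granted but access for the old role is never removed.
    """
    if revoke_old:
        user.entitlements -= ROLE_BASELINE.get(user.current_role, set())
    user.role_history.append(new_role)
    user.entitlements |= ROLE_BASELINE.get(new_role, set())


def audit_user(user: User) -> dict:
    """Compare what the user holds against what the current role justifies."""
    allowed = ROLE_BASELINE.get(user.current_role, set())
    excess = user.entitlements - allowed
    # For each excess entitlement, list the earlier roles that would have granted it.
    creep_sources = {
        ent: [r for r in user.role_history[:-1] if ent in ROLE_BASELINE.get(r, set())]
        for ent in excess
    }
    return {
        "user": user.name,
        "role": user.current_role,
        "excess": sorted(excess),
        "high_risk_excess": sorted(excess & HIGH_RISK),
        "creep_sources": creep_sources,
    }


def audit_all(users):
    return [audit_user(u) for u in users]


def build_sample_users():
    """Constructed users exercising the three cases from the post."""
    # The accountant who used to be in HR, transferred without revocation.
    bob = User("bob", ["human_resources"], set(ROLE_BASELINE["human_resources"]))
    simulate_transfer(bob, "accounting", revoke_old=False)
    # Same path, but the old role's access was revoked at transfer time.
    carol = User("carol", ["human_resources"], set(ROLE_BASELINE["human_resources"]))
    simulate_transfer(carol, "accounting", revoke_old=True)
    # A chief lending officer granted more than view-only access to the core application.
    dave = User("dave", ["chief_lending_officer"], {"core_app:view", "core_app:book_loan"})
    return [bob, carol, dave]


if __name__ == "__main__":
    for report in audit_all(build_sample_users()):
        print(report)
```

Running it reports bob's three leftover HR entitlements (traced to the human_resources role), nothing for carol, and a high-risk finding for dave's core_app:book_loan right. The same shape of check works against a real directory export once the role baseline is written down, which is the part most organisations skip.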