Paul Rohmeyer
Stevens Institute of Technology
Publication
Featured research published by Paul Rohmeyer.
Archive | 2004
Paul Rohmeyer
Previous chapters in this book have examined a wide range of technical, legal, and organizational issues with regard to security. This final chapter provides in-depth coverage of the issues involved in developing a secure organization. It starts by examining the forces that are making security a top organizational concern. It goes on to a description of the information security organization from the perspectives of organizational theory and behavior theory. Next, the chapter provides an in-depth discussion of the relationship between the CIO and CSO and concludes with a summary and brief discussion of the issues faced by organizations as they develop an architecture for security.
Portland International Conference on Management of Engineering and Technology | 2017
Paul Rohmeyer; Tal Ben-Zvi; Donald N. Lombardi; Alan Maltz
Increasing interconnectivity in financial institutions and markets along with complex, interdependent architectures present unique enterprise risks. While technological advances continuously improve the reliability and trustworthiness of individual technological system components, the complex, collaborative architectures relied on by most financial organizations present substantial challenges that span technology, personnel, and process dimensions. As systems and threat environments grow in sophistication, approaches to security testing and evaluation must evolve as well. Traditional approaches to cyber security testing may still be useful to evaluate basic architectural components; however, new techniques are needed to enable the enterprise to construct simulation exercises that model real-world threat conditions and test the resiliency of all architectural components, including personnel and process dimensions. Organizations must not only establish capabilities to recognize breach attempts, but take decisive response action under conditions of uncertainty and stress. Techniques to evaluate resilient enterprise architectures sometimes underemphasize the threats surrounding human dimensions. This paper examines emerging risk considerations presented by increased connectivity among financial services enterprises. It explores new requirements for testing and evaluation of enterprise resiliency as well as organizational detection and response capabilities. The paper considers industry and other external environmental factors driving the need to develop comprehensive evaluation approaches to evaluate the effectiveness of enterprise capabilities in order to embed capability effectiveness assessments within enterprise risk management practices. Limitations of current cyber testing approaches in simulating the emerging cyber threat environment are identified, and the value of realistic, time-bound drills and tests that mimic the stress of real-world cyber events is explored.
Portland International Conference on Management of Engineering and Technology | 2015
Paul Rohmeyer; Tal Ben-Zvi
The integration of Cloud Computing with information systems architectures continues to grow at a rapid pace due to the availability of high-quality, low-cost computing services and organizational efforts to improve efficiency and productivity. Enterprises are increasingly comfortable turning to the Cloud for IT solutions, where teams of dedicated, specialized experts deliver important capabilities and outcomes, instead of investing in the development of internal architectures. While data and systems security concerns remain, for many firms the economic arguments are so compelling in favor of Cloud deployments that adoption tends to proceed regardless of security and assurance worries. As a result, enterprise IT functions find themselves managing an array of risk issues in an environment of diminished transparency and with limited opportunities to directly treat observed risks. The mechanisms for managing technology risks associated with Cloud models differ from traditional approaches taken to control risk in internal architectures. This paper examines emerging threats in Cloud Computing within a financial services organization. This includes consideration of insider threats, data leakage, insecure software, and new Cloud attack patterns. The nature and characteristics of the threats are explained and the paper explores the risk treatment options chosen by the sample organization. The authors' observations are synthesized in a general model that describes Cloud Risks and Controls for financial services institutions.
Archive | 2012
Jennifer L. Bayuk; Jason Healey; Paul Rohmeyer; Marcus H. Sachs; Jeffrey Schmidt; Joseph Weiss
Archive | 2012
Jennifer L. Bayuk; Jason Healey; Paul Rohmeyer; Marcus H. Sachs; Jeffrey Schmidt; Joseph Weiss
Archive | 2009
Paul Rohmeyer; Tal Ben Zvi
Archive | 2012
Jennifer L. Bayuk; Jason Healey; Paul Rohmeyer; Marcus H. Sachs; Jeffrey Schmidt; Joseph Weiss
MCIS | 2010
Paul Rohmeyer; Tal Ben-Zvi
wjm | 2015
Tal Ben-Zvi; Paul Rohmeyer; Donald N. Lombardi
Archive | 2015
Paul Rohmeyer; Tal Ben-Zvi