Identifying operational risk and mitigating the loss resulting from inadequate or failed processes, people or systems is not a new concept in the financial sector. Financial institutions are expected to have documented inventory of its assets and documented processes to identify threats and vulnerabilities continuously. In Capital One’s circumstances, the OCC linked the data breach to problems with Capital One’s cloud migration plan. Back in 2015, Capital One failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment. It also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls and effective dispositioning of alerts. It is an apt reminder that processes and procedures should not only focus on the reactive, but also be proactive in mitigating risk before an incident occurs.

 

In the financial sector, audits are expected to review every aspect of the information security program, the environment in which the program runs and the outputs of the program. These audits should report on information security activity and control deficiencies to decision makers, identify root causes and recommend corrective action for deficiencies. Audits should track the results and the remediation of control deficiencies reported therein along with any additional technical reviews. Capital One’s internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment. Internal audit also did not effectively report on and highlight identified weaknesses and gaps to the institution’s audit committee. Often plans and processes are legal obligations, but the effectiveness of these plans hinges on diligent execution. It is important to view these processes from a ‘living’ perspective and remain vigilant in performing each step in a timely fashion.

 

Institutions with stronger security culture are expected to generally integrate information security into new initiatives from the outset and throughout the lifecycle of services and applications. The board, or designated board committee, should be responsible for overseeing the development, implementation, and maintenance of the institution's information security program and holding senior management accountable for its actions. The board should reasonably understand the business case for information security and the business implications of information security risks; provide management with direction; approve information security plans, policies, and programs; review assessments of the information security program's effectiveness; and, when appropriate, discuss management's recommendations for corrective action. For certain concerns raised by Capital One’s internal audit, Capital One’s Board failed to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses. An effective security-driven culture should be prioritized from the top down to demonstrate the importance of the issue. All financial institutions have a responsibility to safeguard employee, customer and applicant records and this responsibility starts in the board room.

 

Regardless of how developed an organization’s program is, it is always appropriate to take a step back and review the basics of an information security and ensure your program is being diligently maintained – it may end up saving you from regulatory penalties.