Tech Safe Principles
As we journey together searching for guidance and practices to help secure our banking infrastructure we must have a set of guide rails to keep us focused. You see, the information technology domain is broad and deep, and too often filled with distractions, pretenders, uncertainty and false promises. Establishing a set of principles early in the journey to help in the technology assessment and adoption process will act as a lodestar, keeping us focused and oriented in the right direction, especially through chaotic times.
To be sure, all IT decisions are ultimately risk-based decisions grounded on the organizations appetite for differing levels of risk. These principles, enumerated below, are subordinate to the greater risk calculus and are meant to support the risk assessment process.
This list, by no means exhaustive, is a fusion of best practices borrowed from many sources and synthesized for the banking community.
Apply these principle where possible. Not all technologies align with these, and perhaps that may be a signal that a different/better solution is preferable.
- Design Principles
- Identity Management – technology should support strong identity management controls, such as Microsoft Active directory, or come with built-in identity management to assist with on-boarding, account maintenance and off-boarding.
- Traceability – Does the technology provide adequate logging and audit capabilities? Logs support detection controls and they provide artifacts for auditors.
- Secure Data – data in-transit and at-rest should be encrypted using industry standard encryption algorithms. Good key management policies and procedures are critical in safeguarding data. Review key management practices as part of the technology risk assessment.
- Automation – Opt for automated solutions where possible; separate people from data and processes. Automation can encapsulate and consistently execute secure processes, thus reducing human error.
- Operations as Code – Where possible, opt for technologies that support automation by scripts or code. Code can create bespoke secure solutions that integrate well with the organization’s technologies. Operations as code produces automation that secures and reduces labor.
- Annotate Documentation – This is related to operations as code. Document, by way of comments, how the code works and what it does. This documentation serves two purposes; it informs maintainers about the internals, and it serves as a procedural document for training and audit purposes.
- Make Frequent Small Reversible Changes – Small errors are easier to fix and recover from than a poorly planned or implemented major change. All changes should include a contingency plan.
- Measure – Collect metrics and monitor KPIs in order to detect potential problems, gauge return on investment, and inform on specifications for upgrades/replacements.
- Anticipate Failure – This is a fact of life. This frame of mind will improve and strengthen the contingency planning aspects of sound management of the infrastructure.
- Test Recovery Procedures
- Stop Guessing Capacity – highly dynamic environments require flexible and elastic solutions.
- Learn from Operational Failures – Capture lessons learned. Conduct forensic reviews of projects or events to evaluate how it worked positive and negative takeaways. Identify gaps in communication, policies, procedures or administration that can be remediated for improved future outcomes.
As stated earlier, the list does not represent all things in banking systems or operations. This list focuses on technologies operating in the environment. This forum in turn will speak to the greater issues affecting IT in banking. As time goes on we will produce similar lists for their respective areas of operation. In addition, this and other lists will adapt and respond to member feedback and recommendations. As ‘living’ documents, the intent is to remain relevant with the state of technology and banking operations.
We will be publishing these best-practices in the ‘Principles‘ section of the forum. We welcome all comments and criticism equally, and endeavor to build a community site worthy of everybody’s time and effort.
Abel Sanchez (abel@staidworks.com)
Bank Safe Technology Contributor and Moderator
