Seeking compliance in a mobile world

Newly public financial firm Thomas Weisel Partners retools policies and procedures to comply with the Sarbanes-Oxley Act while prepping for the changing nature of mobile threats

When Thomas Weisel Partners went public last year, it forced some dramatic changes in how the San Francisco-based investment-banking company approached IT — and in CSO Beth Cannon’s job description. She recently completed an 18-month retooling of the policies and procedures the company follows for everything from managing change to using mobile devices. Looking ahead, she sees a new crop of threats on the horizon that target the mobile devices that many of the firm’s 650 employees use daily.

What is the reporting structure there — you’re part of the IT group, correct?

I am, and I report to the CIO, who reports to the chief administrative officer, who is part of our executive committee.

How is that structure working out for you?

It works OK for me. I started out in IT, so I have a lot of IT relationships that I can’t get my job done without. However, because I’ve been here for a number of years and because of my past duties running engineering and infrastructure — of which a part was the security of the desktops, laptops, servers and network — I also have relationships with the compliance and legal teams as well. As a CSO, you cannot get your job done without those relationships. For me it would work either way. I think you have pros and cons on both sides.

What are some of the key regulations that you have to comply with?

On the broker/dealer side, there are a number of NASD and [New York Stock Exchange] regulations that affect the IT group, including written-communications rules that say we have to archive all instant messages and e-mail. We also have to worry about mobile devices and what people are doing with them that might be outside of the policies, procedures and regulations we have. We are required to block Web sites that would put us out of compliance, like [IM site] meebo. Users are allowed to use certain IM services here, but we cannot allow use of any that we cannot log or archive. We have a proxy server for allowed IM networks, such as AOL, Yahoo and MSN.

Getting personal: Beth Cannon
Title: Chief Security Officer
Company: Thomas Weisel Partners
Responsibilities: Information security and legal compliance, as it relates to technology; business continuity planning and disaster recovery.
Number of IT staff: 42
Education: B.S. in computer information systems; CISSP; NASD Registered Representative (Series 7 & 63), NASD General Securities Supervisor (Series 24).
Previous job: Principal consultant, Synectix Network Business Solutions; consultant and project manager for clients including law offices, financial services, technology companies.
First Internet experience: Using newsgroups to look up and retrieve technical information and support.

The mantra is basically, if you can’t log it, archive it and supervise it, you better block it. That is very hard to do today with the technologies available to employees, such as MySpace, podcasting and the blogging options. The regulatory agencies are preparing to issue new guidance on the written-communications and supervision rules that will take into account mobile devices, as well as many of the newer communication technologies. So we will need to consider additional means of restricting access to only what we can control and log. All of these things are a concern. The technology to allow users flexibility to do new things is far ahead of the technology to block it, archive it or somehow prevent corporate use of it.

Do you have to block things for everyone in the company or just certain people?

It’s companywide. And we log and archive companywide.

How long do you have to keep archives for?

The rule states three years, but if you’re in litigation of any kind, you have to keep it [until the litigation is complete]. So we continue to have all e-mail records from the beginning of our business in 1999. There always seems to be something going on that prevents the destruction of records.

And then, since going public last February, Sarbanes-Oxley compliance has been at the forefront of my life for a year and a half, and will continue to be so. The first year we spent a lot of time working to determine where we were and what we needed to do to remediate, so that we could get in line with Sarbanes-Oxley controls and the [Control Objectives for Information and related Technology] standards, which we use as our general computing-controls framework. The past four to five months, we have been working to solidify the behavior change that comes with new and updated controls and policies. It is a lot of working with people and with the IT group to make sure we are always doing everything consistently and following process.

What are some of the behavior changes?

Prior to SOX, we had a simple policy for change control. When we made a change to a production system, we had a way of documenting it. But in reviewing the procedure, we found that it wasn’t controlled enough and it didn’t provide necessary evidence. So we built in some new workflows and modified the policy and procedure.

I think the biggest behavior change has been to get people to make sure we all do it every single time and to make sure that there is evidence of testing and of approval. Not just, “We did the test,” but showing we did the test, proving it through a written essay about how you did it or documentation in the log files. If we don’t have documentation and it becomes part of the sample set of testing, we fail the test, and that’s a big deal.

There have been other things that have changed, such as keeping trails of evidence for everything we do. A lot of us used to keep materials in e-mail. An incident would happen on a system and the person on call would send an e-mail about resolution. Most of us would drop e-mails into a folder or delete them after the problem was resolved. But it’s very hard to pull evidence out of e-mail. So there’s been a big change to have a more formalized process for tracking all of the things that we do. It’s not that we weren’t doing the tasks before, but our evidence trails were informal and casual, and the evidence wasn’t always in one location.

You’re talking about change management here basically, and yet this falls under you — the CSO?

I have responsibility for SOX and other controls as it relates to IT — ensuring controls, policies and procedures are in place, acceptable and working. Therefore, it falls under my responsibility to make sure that we’re doing it.

What other kinds of security implications do these regulations have?

It’s the control of everything. The regulations state we must be in control of everything, but technology moves fast and many times the convenience and “cool” factor of technology outpace the control and security aspect. This is why I worry about mobile devices. If a firm allows personal handheld devices to be used, there are many security implications. If you have a firm-supplied BlackBerry, we control just about every aspect of the device. If you bring in a personal Treo, I can connect you into our corporate e-mail system, but there are lots of things outside of e-mail that you can do that we cannot control or see.

How are you dealing with that currently? Do you issue your own mobile devices?

We used to issue all BlackBerry devices. Today, it’s still majority firm-provided BlackBerries, but there are other devices allowed in now. A few years ago, it looked like it would be a big benefit in terms of cost savings to the firm to not pay for corporate devices, because if you look just at cost and not at risk considerations, those devices are very expensive. Now we are in discussions about whether we want to go back to having devices that we have control over.

We have policies in place to protect our data and mobile devices, and we enforce these policies on all mobile devices, whether it’s firm-provided or your own. There are also risks associated with not being able to log IM or non-corporate e-mail and risks of multiplatform viruses and malware. The key is trying to figure out where and what the risks are in terms of both compliance and security. What would the cost be to the firm if there was a breach in security, a virus, or somebody took data from the firm?

We also have written policies and procedures in regards to personal IM and non-corporate e-mail. It’s very clear that nobody is to do firm business under an e-mail or IM account or service that we can’t log or archive. However, I think regulators really want the firms to be able to control it through technology.

Is it even possible to control these things with technology?

I don’t think you can control everything with technology. Every day I hear about new ways to get around controls. We can control a certain percentage, and we rely on our security providers to be able to block things and be up-to-date on the new security issues. But I don’t know that you’ll ever have a way to block everyone from doing everything. Technology is the support and enforcement to the policy, procedure and training.

How do you deal with the need for employees to be able to collaborate with one another vs. the need to provide effective identity management, to make sure they’re not seeing data they shouldn’t be seeing?

One of the projects we started this year is a firmwide data-classification project. Even though we have data security and processes in place, we did not have classification tags on pieces of data, such as “confidential” or “public.” This project is a manual process of working with the individual business owners to examine the information they use and segregate classified and confidential information.

Another subject of discussion is user provisioning. Currently we have a very manual process, which makes evidence for SOX challenging. The firm is a midsize corporation, and we find ourselves with big-company challenges but not big-company budgets. The manual processes are getting too cumbersome. So, we’re looking at automating some of these processes, and user provisioning is one that’s on the table right now.

What are some of the new risks that you’re seeing or that you expect to see?

With the memory cards and technology on a lot of the new phones, they’re basically mass storage devices, so you have security implications for firm data and intellectual property and sensitive information. I think mobile devices are also ripe for malware and multiplatform viruses. I don’t know how it’s all going to change in the next 18 to 24 months, but I feel like we are going to see a lot of issues and challenges. There aren’t many options for protection on mobile devices like you have on a laptop or desktop system. We can’t get antivirus software for all the devices that are out there today, and there are no sophisticated protection mechanisms available, such as behavior analysis modules. E-mail viruses have proven that it’s easy to get people to click on anything, so I worry about the cross-platform viruses that could cross over from one phone operating system to the internal network.

All these mobile devices and USB devices essentially get at the issue of data leak prevention — how are you dealing with that?

We work to have risk-mitigation technologies that block as many ways as possible to get data out, and utilize policies and procedures to address what technology doesn’t cover. We encrypt laptops, we have policies for mobile devices, we have provisions for timeouts and passwords. As part of the data classification project, we’re out there looking for any data that would fall under the intellectual property, confidentiality or personally identifiable [information] laws and regulations, and adding protection mechanisms there.

You’re encrypting the entire hard drive, then?

Yes, we are. We feel this minimizes our risk better than encrypting just a portion of a hard drive and depending upon personnel to save all files to a particular location.

In the future, we may also look at other technologies that would assist with other areas of data-leak prevention, such as Vontu or other providers. [Ed. note: Vontu products purport to watch traffic as it traverses the network looking for sensitive information.]

What are some of the other key tools you use to keep in compliance?

Symantec Enterprise for antivirus, network behavior-analysis tools, Websense content filtering, laptop encryption, and our systems that log and archive the e-mail and IM communications. We also do vulnerability scans enterprisewide to determine what systems may be vulnerable to attack. We are now looking at some of the event-monitoring tools that consolidate events. We’re looking at so many events during the day that it will benefit us to consolidate and correlate them.

Does the need to comply with various regulations take security dollars away from areas where you think the money would be better spent?

For us, not yet. Ask me that question in a couple years. Right now the need to comply with some of the regulations has given us budget for security technologies that we have wanted to implement. So I would say that so far it’s been helpful.

Do you think there are certain areas where people are more lax than they should be?
