Garland Group Blog

Archive for August, 2007

Occam’s Razor meets Data Classification

The Community August 31st, 2007 0 Comments

Occam’s razor states, “All things being equal, the simplest solution tends to be the best one.” Applied to data classification, making everything private and confidential sounds like the best option. The best policy I’ve seen says that all bank information (customer information, policies, procedures, contact lists, employee numbers, network diagrams, etc.) is not to be shared with anyone. This saves the bank the time and effort of defining what may be shared within the bank or with outside parties: everything is private and confidential to the bank. More importantly, it keeps people with malicious intent from getting information they could use to socially engineer staff or break into bank systems. Some banks would be surprised to see how much damage a social engineer can do with nothing more than an employee contact list, such as calling employees one after another until one of them can be talked into giving up a password.

Other data classification policies rank information as Top Secret, Confidential, Proprietary, Internal Use or Public, and then have to classify every document and decide who may access it. That takes a lot of effort for every new document that comes into the bank. Why not give it all the same classification and control who can reach each document with internal controls such as access permissions? This way your customers’ privacy is protected, you have a low-maintenance data classification policy and you have saved resources.

Some banks already say that all bank information is private, but do yourself a favor and make your examiners happy by putting it on paper. Then don’t let anyone outside the bank see it.

Podcast Episode 2: Vendor Management

The Community August 16th, 2007 0 Comments

In this episode, Court and Heath chat a little about the ins and outs of Vendor Management. We hit on RFPs, SLAs, and SAS 70s, as well as introduce the world to the ATOW.

Two Factor Authentication – The issue that just won’t go away!

The Community August 9th, 2007 12 Comments

For the past several months, we have been warning our customers in offline conversations that the “multi-factor” authentication methods employed by most banks these days are not true two-factor authentication. They are really nothing more than a glorified single factor. It’s been our experience that examiners are not currently drilling into this, but with news like this it’s only a matter of time. My advice to any CIO, especially as the end of the first year’s contract with a multi-factor vendor draws near, is to begin looking for alternate methods. Not only will examiners eventually require it, it’s the right thing to do.

Even so, as we seem to preach all too often, true two-factor authentication is still no substitute for a well-developed (and ongoing) customer education program about the threats to online security.

BLOGGING: Banker Style

The Community August 8th, 2007 0 Comments

When I visit banks week to week, the topic of social media as a way to reach customers always seems to come up. I have read some strategic plans recently that say the bank wants to reach a younger demographic but don’t really explain how. Starting a blog on your bank’s website sounds like the most logical way to educate and market to customers. Here I will discuss how to start a blog, blogging ideas and security.

Starting a blog isn’t as hard as you think. If someone else hosts your website, ask them for a good way to add a blog; they should be happy to help. If you host your own website, you have several options. We use WordPress, but there are others, including Google’s Blogger. You can download the software and host it on your own servers, where it is covered by your network controls (and becomes your responsibility to patch), or you can simply put a link on your website (remember link disclaimers!) to a blog hosted elsewhere.

Well, now that you have a blog, what are you going to put on it? Here are a few ideas to get you started….

  • Brief financial tips: for example, why contributing to your 401(k) at least up to what your employer matches is a good idea.
  • Explain your products: describe how merchant capture can benefit a customer’s small business.
  • Community events: why the event matters and what the bank will be doing there.
  • How banks work: some folks would be interested to learn how their bills get paid.

The possibilities are endless, and it doesn’t even really have to be bank related. The important thing is that you are getting people to visit your website.

We have met several bankers who want to start a blog but are scared of giving disgruntled customers or staff a way to publicly express disgust with the bank on your own website. This is easily mitigated. You can set up the blog to publish comments or articles only after an administrator approves them. This limits spam and gives you complete control over what is presented on your website. You can also require anyone who wants to comment to register with a valid email address, so you can see who commented and have some contact information for them. If you really want to be a new-age banker, you can let displeased customers post comments and then respond to their concerns. This way you can assure customers that issues are being corrected or are isolated incidents, and you do it in direct contact with the customers who had the problem while letting other customers see there is nothing to worry about. Spin that bad press into good news!
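Here is what those two comment controls look like when enforced in code rather than left to a checkbox. This is an added example, not something from the original post or shipped with WordPress: a small WordPress “must-use” plugin (the file name bank-comment-controls.php and the wp-content/mu-plugins/ location are assumed for illustration) that requires commenters to be registered and logged in and holds every comment for moderation. It relies only on the stock WordPress filters pre_option_comment_registration, preprocess_comment and pre_comment_approved.

```php
<?php
/**
 * Plugin Name: Bank Blog Comment Controls (added example)
 *
 * Must-use plugin: every comment is held for administrator approval, and only
 * registered, logged-in users may comment.
 * Assumed install path: wp-content/mu-plugins/bank-comment-controls.php
 */

// 1. Require registration. Filtering the option (instead of editing the
//    database value) makes the comment form show "You must be logged in to
//    post a comment" even if someone later unticks the box under
//    Settings > Discussion.
add_filter( 'pre_option_comment_registration', function () {
    return 1;
} );

// 2. Belt and braces: refuse any submission that reaches the server from a
//    visitor who is not logged in, however the form was reached.
add_filter( 'preprocess_comment', function ( array $commentdata ) {
    if ( ! is_user_logged_in() ) {
        wp_die(
            'Comments are open to registered, logged-in customers only.',
            'Comment rejected',
            array( 'response' => 403 )
        );
    }
    return $commentdata;
} );

// 3. Hold every comment for moderation. The value 0 means "pending".
//    An existing 'spam' or 'trash' verdict from another plugin is kept so
//    those comments never land in the queue bank staff review.
add_filter( 'pre_comment_approved', function ( $approved, array $commentdata ) {
    if ( 'spam' === $approved || 'trash' === $approved ) {
        return $approved;
    }
    return 0;
}, 10, 2 );
```

The two checkboxes under Settings > Discussion (“Users must be registered and logged in to comment” and “Comment must be manually approved”) give the same result through the admin screen; the plugin just makes it impossible for an administrator to switch them off by accident, which is what you want from a control you will be showing your examiners.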

One final word to the wise: blogging takes time. There’s no reason to have a blog if no one has posted anything since the Clinton administration. Be sure you have the resources to write regularly, and if you are moderating comments, check regularly whether any are waiting in the queue to be released to the world.

No more excuses now. Let’s see some more banks with blogs!