Why banks of different sizes have more threat landscape concerns
Santa Cruz County Bank is a locally owned and operated commercial bank, serving the needs of the residents and businesses of Santa Cruz County. We believe strongly in the importance of local decision making and responsive customer service. We offer a complete line of short and intermediate term loan products, including commercial term loans and lines of credit, Small Business Administration guaranteed term loans, construction loans, mini-perm commercial real estate loans and home equity lines of credit. All of our deposit products are augmented by state-of-the-art services, both personal and electronic, including online banking, bill payment, cash management, and merchant services.
Santa Cruz County Bank operates five banking offices located in Aptos, Capitola, Santa Cruz, Scotts Valley, and Watsonville. For further convenience, the Bank also operates two additional self-serve ATMs and night depositories in Santa Cruz and Aptos and a Business Lending Center on 41st Avenue, Capitola.
Name: Jaime Manriquez
Age: 31
Position: CTO and Information Security Officer
Previous jobs:
Information Technology Manager at Flash Composer
Sr. Network Administrator
MS-SQL/Oracle Database Administrator
Information Security Officer at Monterey Bay Bank-Union Bank of California
System Administrator at Freeworks.com
Technical Support Engineer at IBM
Education: Bachelor of Science in Computer Information Systems from DeVry Institute of Technology; Certified Ethical Hacker (C|EH) from the International E-Commerce Council (EC-Council); Snort Certified Professional (SnortCP) from Sourcefire; Microsoft Certified Professional (MCP) from Microsoft; Microsoft Certified Technical Specialist (MCTS)
Family: Married with two kids
Residence: Watsonville, CA
Other interests: Baseball, football, soccer, reading security and I.T. Pro journals, comedy
Favorite Charity: Local church
Awards Won: Executive Leadership in Information Security (ELIS) from Technosium
In the following interview, Jaime Manriquez, CTO and Information Security Officer, discusses 1:1 with Rake Narang, Editor-in-Chief of Info Security Products Guide, why banks of different sizes have more threat landscape concerns.
Rake Narang, Editor-in-Chief - Info Security Products Guide: What can you tell us about your institution and your role there as CTO?
Jaime Manriquez: Santa Cruz County Bank began as a “de novo” or start-up bank that opened its doors on February 3, 2004. Since that time, our Bank has grown to over $236 million in assets and operates five full service banking offices. In addition to these offices, we have a Business Lending Office, an Administrative Office and two “off-site” ATM kiosks, nine (9) locations in all.
As CTO and Information Security Officer, my role is to:
Identify, mitigate and address evolving threats internally and externally;
Develop policies and procedures related to information security;
Monitor and evaluate the effectiveness of the Information Security Program (“ISP”) bank wide;
Ensure that the ISP policy and information security related policies and procedures are effective and updated to support the overall ISP;
Oversee the Gramm-Leach-Bliley Act “GLBA” information security risk management program, procedures, and annual risk assessments. (This includes risk assessments for business applications, technical infrastructure, service providers, and business processes);
Provide monitoring, participation, and professional counsel on security related activities throughout the Bank;
Provide status reports to the Board of Directors on the bank wide state of the GLBA ISP that includes:
Status of the program
Risk issues as well as the potential damage from any unmitigated risks
Risk management program, risk assessments, and risk mitigation strategies
Control decisions [including new, changes to, and implementation of key controls]
Recommendations for changes to the Bank’s overall ISP
Interpret results of audits, risk assessments, network vulnerability assessments, penetration testing efforts, and other information security related reviews;
Determine if strategies and tactical solutions for security issues are appropriate and cost effective;
Monitor the implementation of ISP and security-related internal and external audit recommendations to ensure solutions are appropriate and implemented on a timely basis;
Oversee the information security training program Bank-wide to ensure materials are appropriate, training is timely, current issues are included, and both training materials and employee training records are retained;
Oversee the annual service provider GLBA due diligence review and associated documentation files for completeness and for compliance with the service provider risk assessment;
Oversee the Security Incident Response Procedure, its upkeep, and its implementation;
Rake Narang: Do banks of different sizes have similar threat landscape and concerns?
Jaime Manriquez: In my opinion, banks of different sizes have more threat landscape concerns. All the hackers, crackers, fraudsters (or whatever you want to call them) know that the greatest opportunity for financial profit is in the financial space.
The trend in attacks has been targeted towards the financial space more and more, especially the online banking space, which is why the FFIEC mandated multifactor authentication for online clients a few years back. Although multifactor authentication is another layer of security, it’s still not secure. For example, if a bank client has their computer, home or business network compromised, the intruder can install a keylogger and capture all the information needed to access the client’s account.
This makes it difficult for Banks and Online Banking providers to detect abnormal patterns in the intrusion detection systems and intrusion prevention systems, because the traffic would appear as normal traffic due to the fact that the fraudster has all the information the client would have been prompted for when accessing their online banking. It’s always been a cat and mouse game and, in my opinion, the cat and mouse game will continue for a long time.
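The compromise Manriquez describes, where the fraudster presents the customer's own valid password and one-time code, cannot be caught by checking the credentials; as an added example (not code from the interview or from the bank), the following Python scores each successful login against the customer's own history instead: source IP, user agent, hour of day and whether a new payee was added. The login records are constructed for the example.

```python
# Added example: risk-score successful online-banking logins by comparing them with
# the customer's history, since a keylogged password and OTP look "correct" to the
# authentication step. All records below are constructed sample data.
from collections import defaultdict

# (user, source IP, user agent, local hour, new payee added in this session)
LOGINS = [
    ("alice", "203.0.113.5",   "Firefox/Win",  9,  False),
    ("alice", "203.0.113.5",   "Firefox/Win",  10, False),
    ("alice", "203.0.113.9",   "Firefox/Win",  11, False),
    ("alice", "198.51.100.77", "Chrome/Linux", 3,  True),   # valid creds, everything else new
    ("bob",   "192.0.2.44",    "Safari/Mac",   14, False),
    ("bob",   "192.0.2.44",    "Safari/Mac",   15, True),   # known device, only the payee changes
]

def build_baseline(logins):
    """Per-user sets of previously seen IPs, user agents and login hours."""
    base = defaultdict(lambda: {"ips": set(), "agents": set(), "hours": set()})
    for user, ip, agent, hour, _ in logins:
        b = base[user]
        b["ips"].add(ip); b["agents"].add(agent); b["hours"].add(hour)
    return base

def score_login(baseline, user, ip, agent, hour, new_payee):
    """Score one successful login; correct credentials earn no trust here."""
    b = baseline.get(user)
    if b is None:                       # first login ever: nothing to compare against
        return 0, ["no baseline"]
    score, reasons = 0, []
    if ip not in b["ips"]:
        score += 2; reasons.append("unseen source IP")
    if agent not in b["agents"]:
        score += 2; reasons.append("unseen user agent")
    if all(abs(hour - h) > 3 for h in b["hours"]):
        score += 1; reasons.append("unusual hour")
    if new_payee:                       # money-movement change right after login
        score += 2; reasons.append("new payee added")
    return score, reasons

def review_queue(logins, threshold=4):
    """Replay logins in order, scoring each one against only the history before it."""
    flagged = []
    for i, (user, ip, agent, hour, new_payee) in enumerate(logins):
        score, reasons = score_login(build_baseline(logins[:i]), user, ip, agent, hour, new_payee)
        if score >= threshold:
            flagged.append((user, ip, score, reasons))
    return flagged

if __name__ == "__main__":
    for item in review_queue(LOGINS):
        print("review:", item)
```

Alice's fourth login is the keylogger scenario: the password and one-time code pass, but the new IP, new browser, 3 a.m. login and immediate payee change push it into the review queue, while Bob's payee change from his usual device does not.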
Rake Narang: What advice would you give to other security executives on current security threats and staying updated on security trends?
Jaime Manriquez: The advice that I would give to other security executives on current security threats and staying updated on security trends is that security is not only the job of the CTO, it is also the job of all staff members.
Insider threat risk is sometimes the biggest risk a firm may have. I strongly advise educating employees and customers on security risks by developing a security awareness program if you do not have one in place. You can spend hundreds of thousands of dollars on security and security products; however, if the staff is not trained well, they can compromise the security posture of any firm. I would advise other security executives to conduct both internal and external vulnerability assessments, penetration test assessments and social engineering assessments on a regular basis to get a good footprint of the risks in your environment. Once you have identified the risks, mitigate them as soon and as much as possible.
All About Santa Cruz County Bank
Head Office Address: 720 Front Street, Santa Cruz 95060
Web Address: www.sccountybank.com
Founded in: February 2004
CEO: David V. Heald
Public or Private: Public (stock ticker symbol: SCZC)
Number of Employees: 65 FTE