WHITE PAPER: ENTERPRISE SECURITY
IT Risk Management
for Financial Services
An Essential Strategy
for Business Success
Contents
Executive summary
Overview
The challenge to the enterprise
Five steps to risk management best practices
Symantec's approach to best practices implementation
Putting our strategy to work
Executive summary
Assuming and managing risk is one of the important roles the financial services industry plays
for its customers. The key, of course, is to manage risk profitably. Risk spans many domains of
expertise, such as credit, investment, casualty, interest rate, and other traditional risks
faced by financial services providers. To be successful, financial institutions understand that
sound information management is critical to effectively serving customers while meeting planned
profit objectives.
Yet, as much as institutions have invested in traditional risk management, too many
enterprises have been slow to implement best practices for information technology (IT) risk
management. IT risks include anything from a network shutdown that paralyzes the business,
to liability for failure to protect private data. Because it is dispersed throughout the enterprise,
business-critical information is not always easy to protect.
Symantec has developed a comprehensive approach to IT risk management, based on our
industry-leading best practices and technologies in the security and infrastructure management
areas. Our approach to reducing IT risk enables a bank, brokerage firm, or insurance company
to align the risk and cost of infrastructure, putting information technology assets on the same
sound footing as other business assets.
This white paper describes best practices for enterprise IT risk management, the challenges
faced by financial service providers in implementing best practices, and Symantec’s solution to
those challenges.
Overview
Operational risk has always been a part of doing business. Today, however, management is
increasingly required to identify, quantify, and manage the broad range of operational risks.
The Sarbanes-Oxley Act in the United States, and Basel II globally have made all levels of
operational risk management, including IT risk, a board-level topic in every major financial
institution today. These regulations require increased control and effective management of
information assets throughout the institution. As a part of meeting these requirements, successful,
forward-looking enterprises are developing specific strategies and policies for IT risk management.
IT risk management involves two complementary components: security and availability.
Information is worthless, and can even be a liability, if it is not secure. Secure information is
useless if it cannot be efficiently stored and readily accessed.
Individuals, corporations, and whole economies are increasingly dependent on the Internet
and networked IT systems. The daily value that these systems deliver is often not readily apparent
or easy to measure. Risk exposure can be equally elusive—dispersed among a number of
departments, business service providers, and functions, and in a variety of forms.
Typical IT risks include lost business or productivity due to IT infrastructure downtime
or disaster, liability for failing to keep customer data private, fines for regulatory violations,
or inability to defend lawsuits due to inadequate record keeping. Recent headlines have
demonstrated how anything from a lost laptop to a Category 1 hurricane can trigger a major
incident. Each of these can be more broadly labeled as an “information incident.”
Throughout the globe, the rapidly evolving matrix of legislation and regulation requires new
levels of privacy, security, and documentation. Audit and accountability requirements increasingly
hold corporate board members, officers, and managers legally responsible—encouraging financial
institutions to take a closer look at IT-related due diligence policies and business practices.
In addition, the industry itself is developing and mandating standards such as communication
and interoperability requirements. Figure 1 depicts a sampling of this global trend.
Figure 1. A sampling of global directives in financial services
• Sarbanes-Oxley (SOX)
• Bank Secrecy Act (BSA)
• Gramm-Leach-Bliley Privacy Act (GLBA)
• Payment Card Industry Standards (PCI)
• USA Patriot Act
• Single European Payments Area (SEPA)
• Basel II
• Federal Financial Institution Examination Council (FFIEC)
• National Association of Securities Dealers Rules (NASD)
• U.S. Securities and Exchange Commission Rules (SEC)
• Markets in Financial Instruments Directive (MiFID)
• European Union Market Abuse Directive
• Solvency II
[1] The Oxford Executive Research Briefing, The Impact of Catastrophes on Shareholder Value. Rory F. Knight and Deborah J. Pretty, 1996.
A recent Harvard Business Review report [1] identified company directors' leading IT concerns:
• Is the company getting adequate ROI from information resources?
• Is there an effective, up-to-date plan in place for disaster response and recovery?
• Are management practices in place to prevent hardware, software, and legacy applications
from becoming obsolete?
• Are corporate systems adequately protected against criminal intrusions?
• Do we have management practices in place to ensure 24x7 levels, including tested backup?
• Are there any possible IT-based surprises lurking out there?
Shareholders are paying attention, too: One study, by Oxford Executive Research, found that
companies that recovered quickly from major operational disasters increased their share price by
5 percent on average versus the market. Companies that struggled to regain their operations took
a 20 percent drop in relative value. Reducing the risk of losing market value is critical to meeting
long-term business objectives in the capital-sensitive financial services industry.
Security is the headline-grabbing component of IT risk. But on a day-to-day, profit-and-loss
level, information availability is just as important. Diverse financial institutions need to handle an
explosion of channel interaction including email, instant messaging, and online transactions,
managing both the information flow and the records they generate. Retention requirements create
a challenge to efficiently archiving growing volumes of data. Management teams must have
information available on demand, where and when it’s needed. Business continuity and disaster
recovery plans need to be dynamically designed, implemented, and tested to make sure
information remains accessible when the worst happens, and throughout periods of rapid change.
The challenge to the enterprise
Many boards and management teams lack knowledge of the extent of exposure to IT risk. This
hampers their ability to exploit the growing array of risk management tools in a financially
effective way. A bank, brokerage firm, or insurance company must be able to identify, quantify,
and manage information risk as predictably as they currently manage their unique industry risks.
To do this, IT organizations must cost-justify remediation measures.
By quantifying business impact, minimizing exposure, and planning for disaster, a financial
institution can go a long way towards putting information risk on a more businesslike footing. In
addition, those who manage IT risk effectively tend to be far more operationally efficient than
those who do not.
A successful enterprise needs to treat information technology risk within the integrated
framework of business risk management. IT risk management alone does not yet have the kind of
well-developed statistical or actuarial models that make financial risk assessment reasonably
precise. However, “roughly right” approaches based on heuristics and experience yield reliable,
valuable, and usable measures of IT risk. These approaches enable IT managers to assess the
business impact of IT risks, and to demonstrate the ROI of prevention and remediation measures.
Effective IT risk management requires a comprehensive approach involving security,
availability, performance, and compliance. IT risk is dispersed across departments, locations,
and business lines, and needs to be addressed in ways that challenge conventional organizational
charts. Corporate officers and executives need to take a leadership role in developing IT risk
management strategies and policies. Moreover, IT risk management exists in a constantly
changing environment and requires unremitting monitoring and continuous improvement.

Five steps to IT risk management best practices
Symantec has developed a five-step methodology that can be used throughout all segments of
the financial services industry to develop effective IT risk management strategies. Using this
method, institutions can improve their information security and availability at an appropriate
pace, and know both the results and the return at every stage.
Risk has always been a part of financial services. In fact, the industry is compensated for
taking and managing risk, whether in making loans or extending insurance coverage. These risk-
taking activities are strategic to the institution. As technology plays an increasing role in financial
services, IT risk management should also be viewed as a strategic tool just as it is in credit risk
management. In extending credit, an institution’s underwriting process is, to a large extent, a risk
assessment. Avoiding unprofitable loan risk assures safety and soundness. In the same way, an
accurate assessment of the threat environment in IT can help a bank, brokerage firm, or insurance
company avoid spending money on remediation measures that may not be cost-justified.
Improved IT efficiencies can then free up funds for an institution’s core mission.
The Symantec five-step IT Risk Management Methodology consists of the following elements:
1. Develop an awareness of IT risks
2. Quantify the business impact
3. Design solution(s)
4. Align the costs of IT risk management to business value and implement solution(s)
5. Build an institutional capability to manage IT risk
Step 1: Develop an awareness of IT risks
IT risks can take many forms, including the costs related to the loss of data as well as lost
productivity due to lack of access to the data. Risks, costs, and opportunities for improvement fall
into four major categories:
• Security—Information is altered or used by unauthorized people. Example causes: computer
crimes, internal breaches, cyberterrorism.
• Availability—Information is not accessible because of system failure or slowdown or cannot
be recovered in sufficient time subsequent to a security or availability incident. Example
causes: configuration changes, lack of redundancy in architectures, human errors, external
threats, natural disasters.
• Performance—Information is not provided when it is needed or major new sources of demand
for information cannot be handled cost-effectively. Example causes: distributed architectures,
business growth, siloed architectures, peak demand, heterogeneity in the IT landscape.
• Compliance—Information handling can violate any one of the ever-changing and fast-growing
number of regulatory requirements. Example causes: inadequate technology, outdated
compliance policies, human error or malfeasance.
Step 2: Quantify the business impact
It is essential to understand the risks that have been discovered in terms of the probability of an
event that would trigger the risk, and the time value of the exposure should such risk occur.
Further, the risks need to be quantified for each critical business application. Knowing these two
parameters allows the decision-maker to plot the values on a simple two-dimensional graph and
to assign mitigation/remediation priorities to different applications. A simple and consistent
methodology yields better results than a complex analysis in assuring the ability to evaluate and
make effective risk management decisions.
Figure 2 is a graphic depiction of the cost calculation process. Each institution will make
adjustments appropriate to meet its unique business needs.
Figure 2. A sample of calculating the cost of risk
To be effective, policy must then go beyond a list of categories. Quantifying risk requires a
view of the multiple dependencies between risks as well as understanding the potential for
downstream implications. Here are some examples:
• An exploited security vulnerability may contribute to a recoverability risk. This impacts the
institution’s business continuity.
• An application performance issue that prevents data access may provide the opening for a
security risk. This can result in loss of information while the organization is focused on solving
performance problems.
• Individual risk management efforts in one area may expose compliance risk in another if risk
management is not coordinated throughout the enterprise.
The business impact may be direct or indirect—including financial, legal, and operational
dependencies. Downstream implications include negative customer experience that comes with
poor performance or one-off risk management requirements that complicate doing business with
the institution. Unaddressed, negative customer experience will expose a new, more pernicious
risk: customer attrition.
Figure 2 (plot labels recovered from the image): axes Probability of Event and Downtime Cost to
the Business, each running from Low to High; plotted risks: Employee Error, Customer Error,
IT Disaster, Terrorism, Noncompliance Remediation, External Fraud, Internal Fraud, Natural
Disaster, Loss of Customer Information.
Just as in assessing the risk of any financial service, quantifying the business impact of IT
risk gets to the core issue of being able to manage the enterprise risk equation. By better
quantifying the potential financial impact of various operational risks, institutions are better able
to justify the cost of remediation, and better able to judge what level of risk exposure is best
suited to their strategic goals.
Step 3: Design solution(s)
IT risks have different root causes, and thus different approaches are required to manage and
mitigate them. Broadly speaking, these approaches require a combination of process, people,
technology, and information.
Processes for running data center and IT operations are rapidly evolving. The best-run IT
organizations are moving from a haphazard, “job shop” model to a more rigorously designed,
executed, and measured systematic approach. IT Infrastructure Library (ITIL), International
Organization for Standardization (ISO), and other standards are emerging to describe “best-of-
breed” IT operational processes.
On the other end of the risk spectrum, institutions are paying more attention to the role their
people play in the battle to reduce risk. Companies are experimenting with a wide range of
techniques, including awareness-building, identity- or role-specific authority, new divisions of
labor, new roles and specialists, and enhancement of risk mitigation capabilities at all levels. At
the customer level, education, awareness, and proactive communication are also key elements to
establishing a holistic risk management approach.
The technology of IT risk management is becoming more helpful to human efforts. Rapid
advances have been made in such areas as long-distance replication, clustering, content,
intrusion and phishing detection, data protection and backup, vulnerability assessment, and
policy management. Importantly, these tools are being integrated to offer workflow-driven
solutions designed to follow customized processes and regulatory requirements. Event-driven
automation is increasingly taking the place of onerous manual analysis and remediation.
Information itself plays a role in IT risk management—information on the latest threats and
vulnerabilities, from the instant they appear anywhere on the globe. An effective IT risk
management solution involves real-time information and proactive intelligence on security
threats, and facilities for rapid recovery when new threats strike. Of course, the key is to be
proactive with this information at the policy, technology, staff, and customer level.
Step 4: Align the costs of IT risk management to business value and
implement solution(s)
Investments in process, people, technology, and information are required to mitigate risks.
However, since IT budgets are under constant pressure to deliver more value for the same money,
leading institutions will not over-invest or under-invest in IT risk management solutions.
IT Service Optimization has emerged over the past few years as the most promising approach
to align the costs of IT to the business value. With this approach, the role of IT with respect to the
business evolves from a “cost center” to a “service center.” As it evolves under the IT Service
Optimization approach, the IT organization masters four primary activities:
• Providing IT as a collection of well-defined services, developed and managed by a “service
management” group that interfaces with the business
• Exposing these services to the business through service-level agreements and charge-backs to
the business
• Building and maintaining a shared, heterogeneous infrastructure to improve capital utilization
and reduce costs, rather than building custom systems for each business application
• Running IT operations in an automated fashion to increase labor efficiency and reduce costs
A number of leading organizations are first applying the IT Service Optimization concept by
building “storage utilities.” The storage utility provides data storage for business application
usage through different service classes, for example:
• “Platinum” storage service with very high performance, availability, recoverability, and security
• “Gold” storage service with moderate performance, availability, recoverability, and security
• “Bronze” storage service with low performance, availability, recoverability, and security
The costs of these different storage services are exposed to the business—“Platinum” is
typically 10 times more costly than “Bronze” service, for example. As a result, a company can
align risk requirements and overall usage to the spending on IT. Clearly defined service levels
result in efficient structuring of IT services. Appropriately priced and well-communicated IT value
helps business users balance the economics with the need for information resulting in more
effective use of IT resources.
Step 5: Build an institutional capability to manage IT risk
The effective management of IT risk requires the introduction of an ongoing IT risk management
program. This program can then govern the various risk management projects that evolve as a
result of the previous stages of the process. An IT risk management program should be iterative,
ensuring that, as the business and all of its influences change, new risks are quickly identified
and dealt with appropriately. Leading financial institutions are building an enterprise capability
to understand and manage IT risks as rigorously as they manage other business and operational
risks. Using insight from a variety of sources, they develop a risk “heat map” showing the potential
impact and likelihood of the four IT risks on their lines of business, core business processes, or
major applications. Then, they create a prioritized list of projects to remediate these risks and
deploy the tools of software, people, process improvements, and information. Finally, they control
the risks by continuous measurement and improvement.
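The probability-times-exposure grid of Step 2 and the risk heat map of Step 5, worked through as an added example (illustrative code written for this page, not Symantec's methodology or any Symantec tool): a small risk register built from the Figure 2 labels, the dependency uplift for downstream risks, quadrant bucketing on the two-dimensional grid, and a per-category, per-application heat map. The thresholds, the uplift factor, the application names and every probability and dollar figure are constructed assumptions.

```python
"""Quantifying IT risk and building a heat map, following the paper's Step 2
(probability of the event x time value of the exposure, plotted on a simple
two-dimensional grid) and Step 5 (a heat map of the four IT risk categories
across applications). Added illustration, not Symantec's own methodology or
tooling; every figure below is a constructed sample value."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    category: str            # Security, Availability, Performance or Compliance
    application: str         # critical business application the risk affects
    probability: float       # annual probability of the triggering event, 0..1
    exposure_hours: float    # hours of downtime / remediation per event
    cost_per_hour: float     # downtime cost to the business per hour (constructed)
    depends_on: Tuple[str, ...] = ()  # risks whose occurrence makes this one likelier


# Constructed sample register using the risk labels plotted in Figure 2.
SAMPLE_RISKS: List[Risk] = [
    Risk("Loss of customer information", "Security", "Online banking",
         0.05, 48, 5_000, depends_on=("External fraud",)),
    Risk("External fraud", "Security", "Online banking", 0.20, 2, 5_000),
    Risk("Employee error", "Availability", "Core ledger", 0.30, 4, 20_000),
    Risk("IT disaster", "Availability", "Core ledger", 0.02, 72, 20_000),
    Risk("Natural disaster", "Availability", "Core ledger", 0.01, 120, 20_000),
    Risk("Noncompliance remediation", "Compliance", "Trade reporting",
         0.10, 100, 1_500),
]

PROB_THRESHOLD = 0.10        # at or above this the event counts as "High" probability
COST_THRESHOLD = 100_000.0   # at or above this the exposure counts as "High" cost
# Figure 2 quadrants, ranked: high/high first, then costly-but-rare,
# then frequent-but-cheap, then low/low.
QUADRANT_PRIORITY = {("High", "High"): 1, ("Low", "High"): 2,
                     ("High", "Low"): 3, ("Low", "Low"): 4}


def exposure(r: Risk) -> float:
    """Time value of the exposure should the event occur (downtime cost)."""
    return r.exposure_hours * r.cost_per_hour


def expected_annual_loss(r: Risk) -> float:
    """Probability of the event x time value of the exposure."""
    return r.probability * exposure(r)


def quadrant(r: Risk) -> Tuple[str, str]:
    """Place one risk on the two-dimensional grid as (probability, downtime cost)."""
    p = "High" if r.probability >= PROB_THRESHOLD else "Low"
    c = "High" if exposure(r) >= COST_THRESHOLD else "Low"
    return (p, c)


def propagate_dependencies(risks: List[Risk], uplift: float = 0.5) -> List[Risk]:
    """Step 2's downstream point: an exploited security weakness raises the
    probability of the risks that depend on it. Each dependency adds
    uplift x its own (unadjusted) probability, capped at 1.0."""
    by_name: Dict[str, Risk] = {r.name: r for r in risks}
    adjusted = []
    for r in risks:
        p = r.probability
        for dep in r.depends_on:
            p = min(1.0, p + uplift * by_name[dep].probability)
        adjusted.append(replace(r, probability=p))
    return adjusted


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Order by grid quadrant first, then by expected annual loss within a quadrant."""
    adjusted = propagate_dependencies(risks)
    return sorted(adjusted,
                  key=lambda r: (QUADRANT_PRIORITY[quadrant(r)], -expected_annual_loss(r)))


def heat_map(risks: List[Risk]) -> Dict[Tuple[str, str], float]:
    """Step 5 heat map: total expected annual loss per (category, application)."""
    cells: Dict[Tuple[str, str], float] = {}
    for r in propagate_dependencies(risks):
        key = (r.category, r.application)
        cells[key] = cells.get(key, 0.0) + expected_annual_loss(r)
    return cells


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{QUADRANT_PRIORITY[quadrant(r)]} {quadrant(r)!s:16} "
              f"{r.name:28} EAL ${expected_annual_loss(r):>10,.0f}")
    for (cat, app), loss in sorted(heat_map(SAMPLE_RISKS).items()):
        print(f"{cat:13} {app:16} ${loss:>10,.0f}")
```

Note how the dependency uplift moves "Loss of customer information" from the costly-but-rare quadrant into the top-priority quadrant, which is the coordination point the three bullets above make.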
Institutions with a rigorous IT risk management policy are fundamentally reorienting their IT
governance and risk governance approaches. Many have established new leadership roles, such as
IT Risk Manager, to advocate and coordinate their approach to the issue. This leadership role is
most effective when made an integral part of enterprise IT governance.
As companies build IT risk management into an institutional capability, they confront new
issues such as:
• Does our IT strategy need to evolve or change to maintain an acceptable risk posture?
• Should we have new or expanding leadership roles to address IT risk, such as an IT Risk
Manager?
• How do we create reporting and management systems to monitor performance?
• How do we incorporate risk management with sound governance to oversee and approve
IT risk decisions?
• How do we educate our IT staff and build cultural awareness and understanding of risk
throughout the employee base?

• What role do our customers play in risk management and how can we incorporate them in a
manner that builds trust and confidence in our ability to serve them?
• What steps should be taken to make our planning and testing processes more rigorous and to
make our systems more disaster-resistant?
Improving IT risk management should be on the agenda of nearly every senior executive.
Executives with a solid awareness of IT risks can better understand the tools needed to manage
these risks, and build the institutional capability to control them. This wisdom also contributes
to maximizing the return on information investments.
Symantec’s approach to best practices solution
Symantec recognizes that many enterprises are not ready to adopt a full-scale transformation of
their IT systems. Still, effective risk management is possible by addressing immediate needs and
building incremental improvements. The Symantec IT Risk Management Methodology gives
organizations a strategic road map, and provides measurable objectives and demonstrable results
at every stage.
IT risk management involves two fundamental building blocks: security and availability. As
the industry leader in both security solutions and storage management solutions, Symantec is
uniquely positioned to help enterprises achieve their goals.
Our service delivery is structured around five areas of expertise:
• Data and storage management—Help ensure data availability and security while optimizing
storage asset utilization
• High availability—Achieve the highest level of data and application availability
• Business continuity management—Help minimize the business impact of planned and
unplanned outages
• Security management—Help assess security threats, improve security controls, and manage
security risk
• IT service optimization—Align IT with business needs, improve service levels, and optimize
infrastructure
Each practice has a portfolio of defined services and deliverables, as well as custom
offerings, to address specific challenges. Consultants can provide whatever level of service is
required to augment in-house capabilities.
Symantec also helps its customers make information risk management a part of their
organizational culture. Educational and awareness programs help them be more proactive against
threats, and keep up with a complex and rapidly changing environment.
Symantec’s comprehensive approach to IT risk management helps an enterprise manage
cost, complexity, and compliance. We standardize and automate IT processes, consolidating
technologies to maximize efficiencies. We increase network productivity by streamlining storage
costs and building greater resilience into the infrastructure.
Putting our strategy to work
Our process begins with a thorough evaluation of the risks and opportunities an enterprise faces.
We utilize a broad range of tools to assess and address security and availability issues, including:
• Continuous services account management to stay abreast of the customer environment
• Technology tools to help probe and map the current state and weaknesses of the IT
environment
• Frameworks and tools for comprehensively evaluating IT risk and cost, from simple “data center
best practice checklists” to detailed IT risk assessment services
• An up-to-date information repository describing the latest risks for IT, compiled using
proprietary insight into threats and vulnerabilities
• Critical mass of expertise in each category of IT risk and in data center optimization (by
industry, geography, platform)
• Predictive risk models and measures to evaluate the likely impact on cash flow, earnings, or
other metrics
We then help customers develop a plan for continuous improvement of risk management
practices that focuses on IT but also extends across the entire organization, so that the
concerns of highest priority get a timely response. Achieving competency at IT risk management
includes several key areas:
• Broad training on the major IT risk factors and remediation tools to build an expert
leadership team
• Knowledge and people management systems to disseminate best practice thinking
• World-class methodologies and tools to improve the process, architecture, and information
of IT organizations
• Standardized reference processes for infrastructure processes—for example, backup
and recovery
• Leading-edge technology, to assure protection against the most sophisticated new security
threats, while optimizing storage accessibility and efficiency
• Training and education programs to improve processes and raise the level of performance of
people at every level of the organization
We also help organizations sustain their IT risk management abilities over time, managing
cost and risk in an ever-changing environment. We help the institution develop internal
capabilities, and provide whatever technical resources are needed to supplement its own
resources. Our system for continuous monitoring and improvement includes:
• A robust “problem management” feedback loop that changes the delivery groups, for example,
products, consulting services, enterprise support services, and education services
• A culture and set of reinforcing behaviors aligned to risk awareness and management
• Advanced escalation and incident management processes
• Key support processes documented and aligned with customers on the ITIL framework—for
example, incident management, change management, etc.
• Certification programs built on individual product expertise, role-based mastery, and even
organizational/environmental certification, including data center certification
• Periodic assessments of any changes in people, architectures, or requirements
• Technology tools to triage issues in multi-vendor distributed systems
• Risk-sharing arrangements, including onsite residencies staffed by Symantec personnel,
service-level agreements, and managed services offerings
The ultimate goal of all this is a simple one: to help an enterprise understand, manage, and
control its IT environment—people, process, and technology—to reduce risk and cost. By
developing a rational, businesslike framework for understanding and managing information risk,
a financial services institution can pursue its larger vision and mission with confidence and
operate more effectively, while deriving maximum value from its IT investment.
For specific country offices and
contact numbers, please visit
our Web site. For product
information in the U.S., call
toll-free 1 (800) 745 6054.
Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com
Copyright © 2007 Symantec Corporation. All rights
reserved. Symantec and the Symantec logo are
trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S. and other
countries. Other names may be trademarks of their
respective owners. 02/07 12065894

About Symantec
Symantec is a global leader in
infrastructure software, enabling
businesses and consumers to have
confidence in a connected world.
The company helps customers
protect their infrastructure,
information, and interactions
by delivering software and services
that address risks to security,
availability, compliance, and
performance. Headquartered in
Cupertino, Calif., Symantec has
operations in 40 countries.
More information is available at
www.symantec.com.