IT Examinations and Best Practices for Senior Management and the Board

Susan Orr, CISA, CISM, CRISC, CRP

Susan Orr Consulting, Ltd.


Genesis of the Examination

  • EDP

  • IS (Information Systems)

  • IT (Information Technology)

What is the best title?

Traditional IT Areas

  • GLBA compliance

  • IT management

  • Audit

  • Security and controls

    • Network

    • Operations

  • Business Continuity

  • Incident Response

  • Vendor Management

  • EFT/Payment Systems

Traditional IT Areas (cont.)

  • IT Management

    • Oversight

    • Reporting

    • IT Steering Committee

    • IT Strategic Planning

  • Audit

    • Expertise

    • Content

    • Independence

    • Follow-up

Traditional IT Areas (cont.)

  • Security and Controls

    • User Profiles

    • Access Controls

    • Activity Monitoring

    • Internal Logical

    • Perimeter Logical

    • Internal Physical

    • Perimeter/External Physical

    • Policies/Procedures

Policies/Plans/Programs

  • Policies

    • ACH

    • Wire Transfer

    • Internet Banking

    • Remote Deposit

  • Plans/Programs

    • Information Security

    • BCP

    • Incident Response

    • Vendor Mgmt

    • Acceptable Use

    • Technology

Information Security/GLBA

  • 501(b) – Requires agencies to establish standards for administrative, technical and physical safeguards to:

    • Protect against any anticipated threats or hazards to the security or integrity of such records

    • Ensure the security and confidentiality of customer records and information

    • Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer

Interagency Guidelines

  • Interagency Guidelines Establishing Standards for Safeguarding Customer Information

    • FDIC CFR Part 364, Appendix B

    • FRB CFR Part 208, Appendix D-2

    • OCC CFR Part 30, Appendix B

    • NCUA CFR Part 716

Updates to GLBA and Related Regs

  • FACTA - 2003

  • Small Entity Guidance


  • Sarbanes Oxley

  • State Data Protection Laws

  • ID Theft Red Flags

  • PCI

  • Various Interagency and agency specific guidance

IT vs. Enterprise-wide

  • GLBA and information security aren’t just an IT issue – they are an organizational responsibility.

  • It requires board involvement – a top-down approach is imperative

501(b) Mandated Interagency Guidance

  • The Interagency Guidelines require banks to implement a comprehensive written information security program

    • The information security program must include:

      • Administrative safeguards

      • Technical safeguards

      • Physical safeguards

    • Safeguards should be appropriate to

      • Size and complexity of institution

      • Nature and scope of activities performed

Written Information Security Program

  • An information security program is a regulatory requirement and should integrate existing policies, procedures, and controls with management practices in an overall plan for the protection of personal information

Information Security Program

  • Policy Statement/Compliance with Laws and Regs

  • Definition of Security

  • Objectives

  • Responsibilities

    • Board, Senior Mgmt

    • Others

  • Delegation of ISO

  • Risk Assessment

  • Risk Mitigation/Key Controls

  • Testing of Key Controls

  • Disposal of Confidential Information

  • Business Continuity

  • Incident Response

  • Vendor Mgmt

  • Updating/Revising

  • Reporting to Board

Recent Guidance Released

  • June 28, 2011 Authentication in an Internet Banking Environment – Supplement

  • April 9, 2012 Appendix D: Managed Security Service Providers (Outsourcing Technology Services Booklet)

  • July 10, 2012 Cloud Computing Information Paper

  • October 31, 2012 Revised TSP Booklet

  • January 22, 2013 Proposed Social Media Guidance

Authentication Supplement

  • Account Takeover/ACH & WT Online Fraud

    • Hillary Machinery

    • Experi-Metal (EMI)

    • Patco

    • Village View Escrow

    • Choice Escrow

How?

  • Malware

    • Phishing emails

    • Smishing

    • Vishing

  • Compromised email accounts

  • Social engineering

  • Remote login software

FFIEC Authentication Guidance

  • September 2005, Guidance

  • June 2011 Supplement

    • Reinforces the Sept. 2005 Guidance’s risk management framework and updates regulators’ expectations regarding customer authentication, layered security, or other controls

      • Risk assessment

      • Authentication strategies/layered security

      • Customer awareness education

    • Identifies specific minimum elements that should be part of a customer awareness and education program

Appendix D: Managed Security Service Providers

  • Use of outsourced security management

  • Engagement

    • Agreed-upon SLA in contract

    • Strategies for transparency and accountability

      • Regular communication

        • Change control

        • Problem resolution

      • Descriptions of logical and physical controls

    • Periodic reviews of MSSP processes, infrastructure, and controls

Types of MSSPs

  • Firewall

  • IDS

  • VPN

  • Event Log Management

  • Antivirus

  • Web Content Filtering

  • Patch Management and Security Software Management

  • Incident Response and Management

  • Data Leak Prevention

  • Secure Messaging

  • Consulting

    • Pen testing

    • Vulnerability assessments

    • Compliance tools

    • Training

Types of MSSPs (cont.)

  • Full Outsourcing

    • Manage all connections

    • Manage network

    • Update rules on devices

    • Analyze data and escalate responses

    • Provide reports and alerts

  • Co-Managed

    • Client owns equipment

    • Security event monitoring tools and data loss prevention

    • After hours IDS/IPS event reporting

Types of MSSPs (cont.)

  • Split Processing

    • MSSP monitors devices

    • Vulnerability assessments

  • Consulting

    • Risk assessments

    • Initial system configuration

    • Policy formulation

    • Information Security compliance

    • Forensics

    • Pen testing

    • Social engineering testing

    • Physical security

    • Management reporting

Cloud Computing

Key Elements of the FFIEC Document

  • Due Diligence

  • Vendor Management

  • Audit

  • Information Security

  • Legal, Regulatory, and Reputation Considerations

  • Business Continuity Planning

Cloud Defined

  • Definition – cloudy at best

    • Virtual servers available over the Internet

    • Anything you use outside of the firewall

    • Using resources, networks, servers, software, storage, services basically over the Internet (Web based products/services)

    • “Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google

Supervision of Technology Service Providers

  • FFIEC October 2012

    • Examination program

      • Examination process

      • Examiner responsibilities

      • Frequency

Proposed Social Media Guidance

  • “Institutions will be expected to use the guidance in their efforts to ensure that policies and procedures provide oversight and controls commensurate with the risks posed by social media activities”

Principal Elements of Guidance

  • Address increased risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk

  • Financial Institution Use

  • Employee Use

  • Controls

Governance

  • Strategic plan

    • Aligns and contributes to strategic goals of FI

  • Policies

  • Procedures

  • Monitoring

  • Controls

Expectations

  • Even if you don’t have a social media site, you still need to be prepared to address:

    • Potential for negative comments and complaints

    • Provide guidance for employee use of social media

Findings

  • Information Security Program

  • Independence of the ISO

  • Incident Response Plan

  • Vendor Management

  • Data Loss Prevention

  • Enterprise-wide Information Security Risk Assessment

Information Security Program

  • Written Program

    • Summary of bank’s program, not reiteration of the FFIEC ISP requirements

  • Controls

    • Review of user profiles

    • Access based on least privilege

  • Report to the Board

    • Content too brief

ISO

  • Lack of Independence

    • Should not be an IT production resource

  • Lack of knowledge/expertise

Incident Response Plan

  • Plans are not detailed enough

  • Need a designated Incident Response Team

  • Need to specifically identify the types of incidents (technical and non-technical)

  • Need to note how the institution would be made aware of each incident

  • Need to provide specific steps for how to respond to each identified incident

Vendor Management

  • Big Focus on Vendor Management Program

    • Detailed written program

      • Responsibilities

      • Risk assessment

      • Explanation of risk criteria and ratings

      • Due diligence process

      • Contracting process

      • Ongoing monitoring and oversight

    • Too IT oriented and not enterprise-wide

    • Focused only on mission criticality

[Diagram; recoverable labels: Operations (wires, ACH, ATM), Payroll processor, Cash Management, Law Firms, Security Company]
Classification Factors

  • Mission critical

  • Access to sensitive or confidential information

  • Information controlled by service provider

  • Volume of transactions

  • New activity for institution

  • New provider

  • Markets products or services

  • High risk activities

Data Loss Prevention

  • Data Leakage – NPI leaving bank

  • Need to develop a comprehensive data loss prevention strategy that addresses the various components/devices and other channels through which NPI could be disclosed without authorization.

    • USB, mobile devices

    • Email, fax

    • File transfer

    • Hard copy

Data Loss Prevention (cont.)

  • Encryption

  • Secure file transfer

  • Restricted use of USB and portable devices

  • Restricted remote access

  • Acceptable Use for copying and removing documents from bank

  • Guidelines for mobile devices and BYOD

  • Email content filtering

Enterprise-wide Information Security Risk Assessment

  • Not Comprehensive

    • Identification of threats/risk

    • Identification of controls

  • Not Enterprise-wide, only focused on IT

  • No Validation of the Effectiveness of the Controls

  • No Definitions for Risk Rating Factors

  • Consider interconnectivity of information assets, vendors or components that store, transmit, or transfer information

Risk Assessment Process

[Diagram; recoverable labels: Identify & …, Gap Analysis, Residual Risk, Validation of …, Inherent Risk]

Mobile

  • Internal Use

  • Customer Use

Internal

  • Smartphone, BlackBerry, iPad

    • BYOD

    • Bank Owned

Internal Use

  • Risk Assess

  • Policy and use guidance

  • Controls

    • PIN/Passcode

    • Encryption

    • Firewalls

    • Antivirus

    • Connectivity restrictions

    • App installation restrictions

Customer Use

  • Mobile Banking

  • Consumer Capture

Customer Use Risks

  • Weaker ties to customers than with merchants

  • Consumers more mobile

  • With mobile phone deposits it is harder to locate the fraudster

  • Fraudulent checks may be printed and deposited; security ink and watermarks might not be present or viewable on the image

  • Duplicate deposits

  • Using default passwords on device or no password

  • Not installing security updates or software patches

  • Unsecured Wi-Fi connections

Customer Use Controls

  • IT Strategic Plan

  • Risk Assessment

  • Policy

  • Business continuity plan

  • Incident response plan

  • Vendor management

  • Procedures

    • Marketing

    • Enrolling customer

    • Registration, activation

    • Account management

      • Monitoring user activity and security reports

    • Deactivation of user

Customer Use Controls (cont.)

  • Know Your Customer

  • Implement a customer agreement specific for the product

  • Customer opt in/enroll

  • Set limits

  • Strong authentication/MFA

  • Encryption/secure sessions

  • Monitoring/auditing of transactions and activity

  • Implement back office fraud detection

  • De-activation procedures

  • Secure the downloaded application to protect it from being manipulated

Mobile

  • No regulatory guidance…yet

Cyber Security Attacks

  • DDoS Attacks

    • September 11, 2013 – Threat of new attack

    • August 2013: New DDoS Fraud Link

    • June 2013: Another Version of DDoS Hits Bank

    • June 2013: OCC Sees Cybersecurity as Fastest Growing Risk to Banks

DDoS

OCC Concerns

  • Mobile Computing/BYOD

  • Cloud Computing

  • Outsourcing

  • Big Data

  • Sophistication of attacks

  • Expected to get worse before it gets better

Laws that Govern

  • GLBA

  • SOX

  • FCRA

  • FTCA

  • Bank Services Company Act

  • State Data Security Laws

  • Executive Order

  • Cyber security bills

  • PCI – Industry Standards

  • FFIEC guidance

Summary

  • There are some standard examination protocols

  • There will be variations depending on the examiner, the agency


Questions?


Susan Orr Consulting, Ltd.

