
IT Examinations and Best Practices for Senior Management and the Board

Susan Orr, CISA, CISM, CRISC, CRP

Susan Orr Consulting, Ltd.


Genesis of the Examination

  • EDP

  • IS (Information Systems)

  • IT (Information Technology)

What is the best title?

Traditional IT Areas

  • GLBA compliance

  • IT management

  • Audit

  • Security and controls

    • Network

    • Operations

  • Business Continuity

  • Incident Response

  • Vendor Management

  • EFT/Payment Systems

Traditional IT Areas

  • IT Management

    • Oversight

    • Reporting

    • IT Steering Committee

    • IT Strategic Planning

  • Audit

    • Expertise

    • Content

    • Independence

    • Follow-up

Traditional IT Areas

  • Security and Controls

    • User Profiles

    • Access Controls

    • Activity Monitoring

    • Internal Logical

    • Perimeter Logical

    • Internal Physical

    • Perimeter/External Physical

    • Policies/Procedures

Policies, Plans, Programs

  • Policies

    • ACH

    • Wire Transfer

    • Internet Banking

    • Remote Deposit

  • Plans/Programs

    • Information Security

    • BCP

    • Incident Response

    • Vendor Mgmt

    • Acceptable Use

    • Technology

Information Security/GLBA

  • 501(b) – Requires agencies to establish standards for administrative, technical and physical safeguards to:

    • Protect against any anticipated threats or hazards to the security or integrity of such records

    • Ensure the security and confidentiality of customer records and information

    • Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer

Interagency Guidelines

  • Interagency Guidelines Establishing Standards for Safeguarding Customer Information

    • FDIC CFR Part 364, Appendix B

    • FRB CFR Part 208, Appendix D-2

    • OCC CFR Part 30, Appendix B

    • NCUA CFR Part 716

Updates to GLBA and Related Regs

  • FACTA - 2003

  • Small Entity Guidance


  • Sarbanes Oxley

  • State Data Protection Laws

  • ID Theft Red Flags

  • PCI

  • Various Interagency and agency specific guidance

IT vs. Enterprise-wide

  • GLBA and information security aren’t just IT issues – they are an organizational responsibility.

  • It requires board involvement – a top-down approach is imperative

501(b) Mandated Interagency Guidance

  • The Interagency Guidelines require banks to implement a comprehensive written information security program

    • The information security program must include:

      • Administrative safeguards

      • Technical safeguards

      • Physical safeguards

    • Safeguards should be appropriate to the

      • Size and complexity of institution

      • Nature and scope of activities performed

Written Information Security Program

  • An information security program is a regulatory requirement and should integrate existing policies, procedures, and controls with management practices in an overall plan for the protection of personal information

Information Security Program

  • Policy Statement/Compliance with Laws and Regs

  • Definition of Security

  • Objectives

  • Responsibilities

    • Board, Senior Mgmt

    • Others

  • Delegation of ISO

  • Risk Assessment

  • Risk Mitigation/Key Controls

  • Testing of Key Controls

  • Disposal of Confidential Information

  • Business Continuity

  • Incident Response

  • Vendor Mgmt

  • Updating/Revising

  • Reporting to Board

Recent Guidance Released

  • June 28, 2011 Authentication in an Internet Banking Environment – Supplement

  • April 9, 2012 Appendix D: Managed Security Service Providers (Outsourcing Technology Services Booklet)

  • July 10, 2012 Cloud Computing Information Paper

  • October 31, 2012 Revised TSP Booklet

  • January 22, 2013 Proposed Social Media Guidance

Authentication Supplement

  • Account Takeover/ACH & WT Online Fraud

    • Hillary Machinery

    • Experi-Metal (EMI)

    • Patco

    • Village View Escrow

    • Choice Escrow


  • Malware

    • Phishing emails

    • Smishing

    • Vishing

  • Compromised email accounts

  • Social engineering

  • Remote login software

FFIEC Authentication Guidance

  • September 2005, Guidance

  • June 2011 Supplement

    • Reinforces the Sept. 2005 Guidance’s risk management framework and updates regulators’ expectations regarding customer authentication, layered security, and other controls

      • Risk assessment

      • Authentication strategies/layered security

      • Customer awareness education

    • Identifies specific minimum elements that should be part of a customer awareness and education program

Appendix D: Managed Security Service Providers

  • Use of outsourced security management

  • Engagement

    • Agreed upon SLA in contract

    • Strategies for transparency and accountability

      • Regular communication

        • Change control

        • Problem resolution

      • Descriptions of logical and physical controls

    • Periodic reviews of MSSP processes, infrastructure, and controls

Types of MSSPs

  • Firewall

  • IDS

  • VPN

  • Event Log Management

  • Antivirus

  • Web Content Filtering

  • Patch Management and Security Software Management

  • Incident Response and Management

  • Data Leak Prevention

  • Secure Messaging

  • Consulting

    • Pen testing

    • Vulnerability assessments

    • Compliance tools

    • Training

Types of MSSPs

  • Full Outsourcing

    • Manage all connections

    • Manage network

    • Update rules on devices

    • Analyze data and escalate responses

    • Provide reports and alerts

  • Co-Managed

    • Client owns equipment

    • Security event monitoring tools and data loss prevention

    • After hours IDS/IPS event reporting

Types of MSSPs

  • Split Processing

    • MSSP monitors devices

    • Vulnerability assessments

  • Consulting

    • Risk assessments

    • Initial system configuration

    • Policy formulation

    • Information Security compliance

    • Forensics

    • Pen testing

    • Social engineering testing

    • Physical security

    • Management reporting

Cloud Computing

Key Elements of the FFIEC Document

  • Due Diligence

  • Vendor Management

  • Audit

  • Information Security

  • Legal, Regulatory, and Reputation Considerations

  • Business Continuity Planning

Cloud Defined

  • Definition – cloudy at best

    • Virtual servers available over the Internet

    • Anything you use outside of the firewall

    • Using resources, networks, servers, software, storage, services basically over the Internet (Web based products/services)

    • “Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google

Supervision of Technology Service Providers

  • FFIEC October 2012

    • Examination program

      • Examination process

      • Examiner responsibilities

      • Frequency

Proposed Social Media Guidance

  • “Institutions will be expected to use the guidance in their efforts to ensure that policies and procedures provide oversight and controls commensurate with the risks posed by social media activities”

Principal Elements of the Guidance

  • Address increased risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk

  • Financial Institution Use

  • Employee Use

  • Controls



  • Strategic plan

    • Aligns and contributes to strategic goals of FI

  • Policies

  • Procedures

  • Monitoring

  • Controls



  • Even if you don’t have a social media site, you still need to be prepared to address:

    • Potential for negative comments and complaints

    • Provide guidance for employee use of social media



  • Information Security Program

  • Independence of the ISO

  • Incident Response Plan

  • Vendor Management

  • Data Loss Prevention

  • Enterprise-wide Information Security Risk Assessment

Information Security Program

  • Written Program

    • Summary of bank’s program, not reiteration of the FFIEC ISP requirements

  • Controls

    • Review of user profiles

    • Access based on least

  • Report to the Board

    • Content too brief

Independence of the ISO


  • Lack of Independence

    • Should not be an IT production resource

  • Lack of knowledge/expertise

Incident Response Plan

  • Plans are not detailed enough

  • Need a designated Incident Response Team

  • Need to specifically identify the types of incidents (technical and non-technical)

  • Need to note how the institution would be made aware of each incident

  • Need to provide specific steps for how to respond to each identified incident

Vendor Management

  • Big Focus on Vendor Management Program

    • Detailed written program

      • Responsibilities

      • Risk assessment

      • Explanation of risk criteria and ratings

      • Due diligence process

      • Contracting process

      • Ongoing monitoring and oversight

    • Too IT oriented and not enterprise-wide

    • Focused only on mission criticality

[Figure: vendor examples shown on the slide: "(wires, ACH, ATM"; Payroll processor; Cash Management; Law Firms; Security Company]

Classification Factors

  • Mission critical

  • Access to sensitive or confidential information

  • Information controlled by service provider

  • Volume of transactions

  • New activity for institution

  • New provider

  • Markets products or services

  • High risk activities

Data Loss Prevention

  • Data Leakage – NPI leaving the bank

  • Need to develop a comprehensive data loss prevention strategy that covers the various components/devices and the other channels through which NPI could be disclosed without authorization.

    • USB, mobile devices

    • Email, fax

    • File transfer

    • Hard copy

Data Loss Prevention

  • Encryption

  • Secure file transfer

  • Restricted use of USB and portable devices

  • Restricted remote access

  • Acceptable Use for copying and removing documents from bank

  • Guidelines for mobile devices and BYOD

  • Email content filtering
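The e-mail content filtering and encryption controls listed above are easier to reason about as one gateway decision: does the message contain NPI, does it leave the bank, and if so is it going over the secure channel? The following is an added example written for this page, not code from the presentation or from any product it mentions. It assumes an internal mail domain of example-bank.test, an `encrypted` flag set when the message was sent through the secure messaging channel, and treats only U.S. Social Security numbers and Luhn-valid payment card numbers as NPI indicators; all sample messages are constructed.

```python
"""Outbound e-mail NPI content filter (constructed example, not the presentation's own).

Assumptions, not taken from the slides: the institution's domain is
example-bank.test, a message carries an `encrypted` flag when it went through
the secure messaging channel, and NPI is detected here only as U.S. Social
Security numbers and Luhn-valid payment card numbers.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

BANK_DOMAIN = "example-bank.test"  # assumed internal mail domain

# 3-2-4 digit pattern with dashes; validated further by is_plausible_ssn.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, to cut false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check so random digit runs (invoice numbers) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_npi(text: str) -> List[Tuple[str, str]]:
    """Return (kind, match) pairs for every NPI indicator found in text."""
    found = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            found.append(("card", m.group(0)))
    return found


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    encrypted: bool = False


def leaves_bank(msg: Message) -> bool:
    """True if any recipient is outside the bank's own domain."""
    return any(not r.lower().endswith("@" + BANK_DOMAIN) for r in msg.recipients)


def filter_message(msg: Message) -> Tuple[str, List[Tuple[str, str]]]:
    """Gateway decision: allow, allow-log (NPI stays internal, record it),
    allow-encrypted (NPI leaves over the secure channel), or quarantine
    (NPI would leave the bank in the clear; hold for review)."""
    findings = find_npi(msg.subject + "\n" + msg.body)
    if not findings:
        return "allow", findings
    if not leaves_bank(msg):
        return "allow-log", findings
    if msg.encrypted:
        return "allow-encrypted", findings
    return "quarantine", findings


# Constructed sample traffic; no real data.
SAMPLES = {
    "hr_to_payroll_clear": Message("hr@example-bank.test", ["ops@payroll-vendor.test"],
        "New hire", "Please set up J. Doe, SSN 123-45-6789, start Monday."),
    "hr_to_payroll_secure": Message("hr@example-bank.test", ["ops@payroll-vendor.test"],
        "New hire", "Please set up J. Doe, SSN 123-45-6789, start Monday.", encrypted=True),
    "internal_card_dispute": Message("branch@example-bank.test", ["fraud@example-bank.test"],
        "Dispute", "Customer disputes a charge on card 4111 1111 1111 1111."),
    "external_no_npi": Message("it@example-bank.test", ["helpdesk@vendor.test"],
        "Ticket", "Invoice 1234 5678 9012 3456 is still open; phone 555-123-4567."),
}


def run_samples() -> dict:
    """Decision per sample message."""
    return {name: filter_message(msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:24s} -> {decision}")
```

The fourth sample shows why the plausibility and Luhn checks matter: an invoice number and a phone number look like NPI to a naive digit pattern, and a filter that quarantines them trains staff to route around it.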

Enterprise-wide Information Security Risk Assessment

  • Not Comprehensive

    • Identification of threats/risk

    • Identification of controls

  • Not Enterprise-wide, only focused on IT

  • No Validation of the Effectiveness of the Controls

  • No Definitions for Risk Rating Factors

  • Consider interconnectivity of information assets, vendors or components that store, transmit, or transfer information

Risk Assessment Process

[Figure: process diagram; the labels recovered from the slide are "Identify &", "Gap Analysis", "Residual Risk", "Validation of", "Inherent Risk"]
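The examination findings listed under Enterprise-wide Information Security Risk Assessment (not enterprise-wide, no validation of control effectiveness, no definitions for rating factors) and the inherent risk / validation / residual risk flow in the figure above can be made concrete in a small risk register. The code below is an added example for this page, not the presenter's or the FFIEC's method: the 1-3 rating scales and their written definitions, the rule that a control earns credit only once its effectiveness has been validated, the risk appetite threshold and every register entry are assumptions constructed for illustration.

```python
"""Enterprise-wide information security risk assessment (constructed example).

Added for this page; not the presenter's or the FFIEC's method. The 1-3 rating
scales, the "a control earns credit only once validated" rule, the risk
appetite threshold and the register entries are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Written definitions for every rating factor, so two assessors rate alike.
LIKELIHOOD: Dict[int, str] = {
    1: "Unlikely: no occurrence here or at peers in the last three years",
    2: "Possible: has occurred in the industry and is plausible here",
    3: "Likely: occurs at least yearly here or at peer institutions",
}
IMPACT: Dict[int, str] = {
    1: "Low: no NPI exposed, service restored within a business day",
    2: "Moderate: limited NPI exposure or multi-day disruption",
    3: "High: substantial harm to customers, regulatory action likely",
}
RISK_APPETITE = 3  # residual score (likelihood x impact) above this needs an action plan


@dataclass
class Control:
    name: str
    reduces: str     # "likelihood" or "impact"
    strength: int    # rating points removed from that factor, 1 or 2
    validated: bool  # effectiveness tested (audit, pen test, restore drill), not just documented


@dataclass
class Threat:
    asset: str
    scope: str       # it, operations, vendor, ... so the register is enterprise-wide
    description: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)


def inherent_risk(t: Threat) -> int:
    """Risk before any control is considered."""
    return t.likelihood * t.impact


def residual_risk(t: Threat) -> int:
    """Risk after validated controls only; an untested control earns no credit."""
    likelihood, impact = t.likelihood, t.impact
    for c in t.controls:
        if not c.validated:
            continue
        if c.reduces == "likelihood":
            likelihood = max(1, likelihood - c.strength)
        else:
            impact = max(1, impact - c.strength)
    return likelihood * impact


def gap_analysis(register: List[Threat]) -> List[dict]:
    """Threats still above appetite, or carrying controls nobody has validated."""
    gaps = []
    for t in register:
        unvalidated = [c.name for c in t.controls if not c.validated]
        residual = residual_risk(t)
        if residual > RISK_APPETITE or unvalidated:
            gaps.append({"asset": t.asset, "scope": t.scope,
                         "inherent": inherent_risk(t), "residual": residual,
                         "unvalidated_controls": unvalidated})
    return gaps


# Constructed register mixing IT, operations and vendor entries (no real data).
REGISTER = [
    Threat("Core banking server", "it", "malware delivered by phishing e-mail", 3, 3, [
        Control("endpoint antivirus", "likelihood", 1, validated=True),
        Control("user awareness training", "likelihood", 1, validated=False),
    ]),
    Threat("Branch loan files (hard copy)", "operations", "unauthorized disclosure of paper records", 2, 2, [
        Control("locked storage", "likelihood", 1, validated=True),
        Control("shredding on disposal", "impact", 1, validated=True),
    ]),
    Threat("Payroll processor", "vendor", "breach at the vendor exposes employee NPI", 2, 3, [
        Control("contract requires encryption at rest", "impact", 1, validated=False),
    ]),
    Threat("Online banking ACH origination", "it", "account takeover by a fraudster", 3, 3, [
        Control("multi-factor authentication", "likelihood", 2, validated=True),
        Control("per-customer transaction limits", "impact", 1, validated=True),
    ]),
]

if __name__ == "__main__":
    for t in REGISTER:
        print(f"{t.asset:32s} inherent={inherent_risk(t)} residual={residual_risk(t)}")
    for g in gap_analysis(REGISTER):
        print("GAP:", g)
```

The payroll processor row is the interconnectivity point from the slide: the vendor stores the bank's information, so it sits in the same register as the servers, and a contract clause that has never been verified leaves its residual risk equal to the inherent risk.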



  • Internal Use

  • Customer Use



  • Smart Phone, Blackberry, iPad

    • BYOD

    • Bank Owned

Internal Use

  • Risk Assess

  • Policy and use guidance

  • Controls

    • PIN/Passcode

    • Encryption

    • Firewalls

    • Antivirus

    • Connectivity restrictions

    • App installation restrictions

Customer Use

  • Mobile Banking

  • Consumer Capture

Customer Use Risks

  • Weaker ties to customers than with merchants

  • Consumers are more mobile

  • With mobile phone deposits, the fraudster is harder to find

  • Printing and depositing fraudulent checks: security ink and watermarks might not be present or viewable on the image

  • Duplicate deposits

  • Using default passwords on device or no password

  • Not installing security updates or software patches

  • Unsecure WiFi connections

FDIC Supervisory Insights Winter 2012

Customer Use Controls

  • IT Strategic Plan

  • Risk Assessment

  • Policy

  • Business continuity plan

  • Incident response plan

  • Vendor management

  • Procedures

    • Marketing

    • Enrolling customer

    • Registration, activation

    • Account management

      • Monitoring user activity and security reports

    • Deactivation of user

Customer Use Controls

  • Know Your Customer

  • Implement a customer agreement specific for the product

  • Customer opt in/enroll

  • Set limits

  • Strong authentication/MFA

  • Encryption/secure sessions

  • Monitoring/auditing of transactions and activity

  • Implement back office fraud detection

  • De-activation procedures

  • Secure the downloaded application so it cannot be manipulated

FDIC Supervisory Insights Winter 2012




  • No regulatory guidance…yet

Cyber Security Attacks

  • DDoS Attacks

    • September 11, 2013 – Threat of new attack

    • August 2013: New DDoS Fraud Link

    • June 2013: Another Version of DDoS Hits Bank

    • June 2013: OCC Sees Cybersecurity as Fastest Growing Risk to Banks

OCC Concerns

  • Mobile Computing/BYOD

  • Cloud Computing

  • Outsourcing

  • Big Data

  • Sophistication of attacks

  • Expected to get worse before it gets better

Laws that Govern

  • GLBA

  • SOX

  • FCRA

  • FTCA

  • Bank Services Company Act

  • State Data Security Laws

  • Executive Order

  • Cyber security bills

  • PCI – Industry Standards

  • FFIEC guidance



  • There are some standard examination protocols

  • There will be variations depending on the examiner, the agency




Susan Orr Consulting, Ltd.

