
IT Examinations and Best Practices for Senior Management and the Board






Presentation Transcript


  1. IT Examinations and Best Practices for Senior Management and the Board • Susan Orr, CISA, CISM, CRISC, CRP • Susan Orr Consulting, Ltd.

  2. Genesis of the Examination • EDP (Electronic Data Processing) • IS (Information Systems) • IT (Information Technology) What is the best title?

  3. Traditional IT Areas • GLBA compliance • IT management • Audit • Security and controls • Network • Operations • Business Continuity • Incident Response • Vendor Management • EFT/Payment Systems

  4. Traditional IT Areas • IT Management • Oversight • Reporting • IT Steering Committee • IT Strategic Planning • Audit • Expertise • Content • Independence • Follow-up

  5. Traditional IT Areas • Security and Controls • User Profiles • Access Controls • Activity Monitoring • Internal Logical • Perimeter Logical • Internal Physical • Perimeter/External Physical • Policies/Procedures

  6. Policies/Plans/Programs • Policies • ACH • Wire Transfer • Internet Banking • Remote Deposit • Plans/Programs • Information Security • BCP • Incident Response • Vendor Mgmt • Acceptable Use • Technology

  7. Information Security/GLBA • Section 501(b) requires the agencies to establish standards for administrative, technical and physical safeguards to: • Protect against any anticipated threats or hazards to the security or integrity of such records • Ensure the security and confidentiality of customer records and information • Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer

  8. Interagency Guidelines • Interagency Guidelines Establishing Standards for Safeguarding Customer Information • FDIC: 12 CFR Part 364, Appendix B • FRB: 12 CFR Part 208, Appendix D-2 • OCC: 12 CFR Part 30, Appendix B • NCUA: 12 CFR Part 748, Appendix A

  9. Updates to GLBA and Related Regs • FACTA (2003) • Small Entity Guidance • USA PATRIOT Act • Sarbanes-Oxley • State data protection laws • Identity Theft Red Flags • PCI DSS • Various interagency and agency-specific guidance

  10. IT vs. Enterprise-wide • GLBA and information security are not just IT issues; they are an organizational responsibility. • Board involvement is required; a top-down approach is imperative

  11. 501(b) Mandated Interagency Guidance • The Interagency Guidelines require banks to implement a comprehensive written information security program • The information security program must include: • Administrative safeguards • Technical safeguards • Physical safeguards • Safeguards should be appropriate to the • Size and complexity of the institution • Nature and scope of its activities

  12. Written Information Security Program • An information security program is a regulatory requirement and should integrate existing policies, procedures, and controls with management practices in an overall plan for the protection of personal information

  13. Information Security Program • Policy Statement/Compliance with Laws and Regs • Definition of Security • Objectives • Responsibilities • Board, Senior Mgmt • Others • Delegation of ISO • Risk Assessment • Risk Mitigation/Key Controls • Testing of Key Controls • Disposal of Confidential Information • Business Continuity • Incident Response • Vendor Mgmt • Updating/Revising • Reporting to Board

  14. Recent Guidance Released • June 28, 2011 Authentication in an Internet Banking Environment – Supplement • April 9, 2012 Appendix D: Managed Security Service Providers (Outsourcing Technology Services Booklet) • July 10, 2012 Cloud Computing Information Paper • October 31, 2012 Revised TSP Booklet • January 22, 2013 Proposed Social Media Guidance

  15. Authentication Supplement • Account takeover / ACH & wire transfer (WT) online fraud • Cases: • Hillary Machine • Experi-Metal (EMI) • Patco • Village View Escrow • Choice Escrow

  16. How? • Malware • Phishing emails • Smishing • Vishing • Compromised email accounts • Social engineering • Remote login software

  17. FFIEC Authentication Guidance • September 2005 Guidance • June 2011 Supplement • Reinforces the September 2005 guidance's risk management framework and updates regulators' expectations regarding customer authentication, layered security and other controls • Risk assessment • Authentication strategies/layered security • Customer awareness and education • Identifies specific minimum elements that should be part of a customer awareness and education program

  18. Appendix D: Managed Security Service Providers • Use of outsourced security management • Engagement • Agreed-upon SLA in the contract • Strategies for transparency and accountability • Regular communication • Change control • Problem resolution • Descriptions of logical and physical controls • Periodic reviews of MSSP processes, infrastructure, and controls

  19. Types of MSSPs • Firewall • IDS • VPN • Event Log Management • Antivirus • Web Content Filtering • Patch Management and Security Software Management • Incident Response and Management • Data Leak Prevention • Secure Messaging • Consulting • Pen testing • Vulnerability assessments • Compliance tools • Training

  20. Types of MSSPs • Full Outsourcing • Manage all connections • Manage network • Update rules on devices • Analyze data and escalate responses • Provide reports and alerts • Co-Managed • Client owns equipment • Security event monitoring tools and data loss prevention • After hours IDS/IPS event reporting

  21. Types of MSSPs • Split Processing • MSSP monitors devices • Vulnerability assessments • Consulting • Risk assessments • Initial system configuration • Policy formulation • Information Security compliance • Forensics • Pen testing • Social engineering testing • Physical security • Management reporting

  22. Cloud Computing

  23. Key Elements of the FFIEC Document • Due Diligence • Vendor Management • Audit • Information Security • Legal, Regulatory, and Reputation Considerations • Business Continuity Planning

  24. Cloud Defined • Definition – cloudy at best • Virtual servers available over the Internet • Anything you use outside of the firewall • Using resources, networks, servers, software, storage, services basically over the Internet (Web based products/services) • “Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google

  25. Supervision of Technology Service Providers • FFIEC October 2012 • Examination program • Examination process • Examiner responsibilities • Frequency

  26. Proposed Social Media Guidance • “Institutions will be expected to use the guidance in their efforts to ensure that policies and procedures provide oversight and controls commensurate with the risks posed by social media activities”

  27. Principal Elements of the Guidance • Address increased risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk • Financial Institution Use • Employee Use • Controls

  28. Governance • Strategic plan • Aligns and contributes to strategic goals of FI • Policies • Procedures • Monitoring • Controls

  29. Expectations • Even if the institution does not have a social media site, it still needs to be prepared to address: • Potential for negative comments and complaints • Guidance for employee use of social media

  30. Findings • Information Security Program • Independence of the ISO • Incident Response Plan • Vendor Management • Data Loss Prevention • Enterprise-wide Information Security Risk Assessment

  31. Information Security Program • Written Program • Summary of the bank's program, not a reiteration of the FFIEC ISP requirements • Controls • Review of user profiles • Access based on least privilege • Report to the Board • Content too brief

  32. ISO • Lack of Independence • Should not be an IT production resource • Lack of knowledge/expertise

  33. Incident Response Plan • Plans are not detailed enough • Need a designated Incident Response Team • Need to specifically identify the types of incidents (technical and non-technical) • Need to note how the bank would be made aware of each incident • Need to provide specific steps for how to respond to each identified incident

  34. Vendor Management • Big focus on the Vendor Management Program • Detailed written program • Responsibilities • Risk assessment • Explanation of risk criteria and ratings • Due diligence process • Contracting process • Ongoing monitoring and oversight • Findings: programs too IT-oriented and not enterprise-wide; focused only on mission criticality

  35. Enterprise-wide Vendor Relationships (diagram) • Operations (wires, ACH, ATM, core) • IT • HR/Payroll processor • Trust • Cash Management • Law Firms • Marketing • Facilities/Security Company • Accounting • Lending

  36. Classification Factors • Mission critical • Access to sensitive or confidential information • Information controlled by service provider • Volume of transactions • New activity for institution • New provider • Markets products or services • High risk activities

  37. Data Loss Prevention • Data leakage: NPI (nonpublic personal information) leaving the bank • Need to develop a comprehensive data loss prevention strategy covering the various devices, channels and other methods by which NPI can be disclosed without authorization: • USB, mobile devices • Email, fax • File transfer • Hard copy

  38. Data Loss Prevention • Encryption • Secure file transfer • Restricted use of USB and portable devices • Restricted remote access • Acceptable Use for copying and removing documents from bank • Guidelines for mobile devices and BYOD • Email content filtering
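The "email content filtering" control on the slide above, as an added example (not code from the presentation or from any vendor): an outbound mail check that looks for two kinds of NPI, Social Security numbers and payment card numbers, and only lets a message carrying them leave the bank through the encrypted channel. The internal domain, the two patterns, the `encrypted` flag standing in for the secure messaging gateway, and the sample messages are all assumptions constructed for the example; a production filter would add account-number patterns, attachment scanning and logging.

```python
"""Outbound e-mail content filter for nonpublic personal information (NPI).

Added example. Assumes one internal domain and two NPI patterns (SSN and
payment card); the messages below are constructed samples.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "examplebank.test"   # assumed bank domain

# SSN: area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_npi(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) for every NPI pattern found in text."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", m.group()))
    return findings


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    encrypted: bool = False   # True when routed through the secure messaging gateway


def evaluate(msg: Message) -> tuple[str, list[tuple[str, str]]]:
    """Policy decision: NPI may leave the bank only through the encrypted channel."""
    external = [r for r in msg.recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    findings = find_npi(msg.subject + "\n" + msg.body)
    if not findings or not external:
        return "allow", findings
    if msg.encrypted:
        return "allow-encrypted", findings
    return "block", findings


if __name__ == "__main__":
    # Constructed sample messages: external unencrypted, internal, external
    # encrypted, and an external message whose digit runs are not NPI.
    samples = [
        Message("teller@examplebank.test", ["cpa@outside.example"], "Loan file",
                "Customer SSN 123-45-6789, card 4111 1111 1111 1111."),
        Message("teller@examplebank.test", ["ops@examplebank.test"], "Loan file",
                "Customer SSN 123-45-6789."),
        Message("teller@examplebank.test", ["cpa@outside.example"], "Loan file",
                "Customer SSN 123-45-6789.", encrypted=True),
        Message("teller@examplebank.test", ["cpa@outside.example"], "Invoice",
                "Invoice 2013-01-0042, total 1,250.00. Call 555-0100."),
    ]
    for s in samples:
        decision, hits = evaluate(s)
        print(f"{decision:16} {s.recipients[0]:24} {hits}")
```

The Luhn check matters in practice: without it, invoice numbers, phone numbers and tracking codes generate the false positives that lead staff to turn the filter off.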

  39. Enterprise-wide Information Security Risk Assessment • Not Comprehensive • Identification of threats/risk • Identification of controls • Not Enterprise-wide, only focused on IT • No Validation of the Effectiveness of the Controls • No Definitions for Risk Rating Factors • Consider interconnectivity of information assets, vendors or components that store, transmit, or transfer information

  40. Risk Assessment Process (diagram) • Identify & Classify Assets • Threats • Vulnerabilities • Probabilities • Impact Assessment • Inherent Risk • Controls • Validation of Effectiveness • Residual Risk • Gap Analysis

  41. Mobile • Internal Use • Customer Use

  42. Internal • Smart Phone, Blackberry, iPad • BYOD • Bank Owned

  43. Internal Use • Risk Assess • Policy and use guidance • Controls • PIN/Passcode • Encryption • Firewalls • Antivirus • Connectivity restrictions • App installation restrictions

  44. Customer Use • Mobile Banking • Consumer (remote deposit) Capture

  45. Customer Use Risks • Weaker ties to consumer customers than to merchant (business) customers • Consumers are more mobile • With mobile deposits the fraudster is harder to locate • Printing fraudulent checks and depositing them: security ink and watermarks might not be present or viewable on the image • Duplicate deposits • Default passwords on the device, or no password • Security updates or software patches not installed • Unsecured Wi-Fi connections

  46. FDIC Supervisory Insights Winter 2012

  47. Customer Use Controls • IT Strategic Plan • Risk Assessment • Policy • Business continuity plan • Incident response plan • Vendor management • Procedures • Marketing • Enrolling customer • Registration, activation • Account management • Monitoring user activity and security reports • Deactivation of user
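Two of the customer-use risks listed above (duplicate deposits and the difficulty of catching the fraudster after the fact) and the "monitoring user activity" control can be turned into a concrete check at deposit time. The following is an added example, not code from the presentation or from any bank's mobile platform: it keys each item on the normalised MICR fields (payer routing number, account, check serial), holds a second presentment of the same item within a look-back window (including one that arrives through a different channel, or with a different amount), and holds a user whose same-day mobile deposits exceed a limit. The limits, channel names, key format and sample deposits are assumptions.

```python
"""Duplicate-item and velocity checks for consumer (mobile) deposit capture.

Added example. Assumes the mobile channel passes each deposit, with the MICR
fields already read from the check image, to DepositMonitor.review(); the
limits and the deposits in the demo are constructed values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Deposit:
    user_id: str        # enrolled customer presenting the item
    channel: str        # "mobile", "branch", "atm", "merchant_rdc" (assumed names)
    routing: str        # payer bank routing number, from the MICR line
    account: str        # payer account number, from the MICR line
    check_no: str       # check serial number, from the MICR line
    amount_cents: int
    ts: datetime


def micr_key(d: Deposit) -> tuple[str, str, str]:
    """Normalise MICR fields so the same item reads the same across channels."""
    def digits(s: str) -> str:
        return "".join(ch for ch in s if ch.isdigit())
    return digits(d.routing), digits(d.account), digits(d.check_no).lstrip("0") or "0"


class DepositMonitor:
    """Holds items that look like re-presentments or exceed a per-user daily limit."""

    def __init__(self, daily_limit_cents: int = 250_000,
                 window: timedelta = timedelta(days=180)) -> None:
        self.daily_limit_cents = daily_limit_cents   # assumed $2,500/day
        self.window = window                         # look-back for duplicates
        self.seen: dict[tuple[str, str, str], Deposit] = {}
        self.daily_total: dict[tuple[str, date], int] = defaultdict(int)

    def review(self, d: Deposit) -> tuple[str, list[str]]:
        alerts: list[str] = []
        key = micr_key(d)
        prior = self.seen.get(key)
        if prior is not None and d.ts - prior.ts <= self.window:
            # Same payer, account and serial already accepted: possible duplicate.
            alerts.append("duplicate-item")
            if prior.channel != d.channel:
                alerts.append("cross-channel")      # e.g. mobile, then branch
            if prior.amount_cents != d.amount_cents:
                alerts.append("amount-mismatch")    # image may have been altered
        else:
            self.seen[key] = d
        day = (d.user_id, d.ts.date())
        self.daily_total[day] += d.amount_cents
        if self.daily_total[day] > self.daily_limit_cents:
            alerts.append("daily-limit-exceeded")
        return ("hold" if alerts else "accept"), alerts


if __name__ == "__main__":
    # Constructed sample: one item deposited by mobile, the same paper check
    # walked into a branch three days later, then a large same-day mobile item.
    mon = DepositMonitor()
    t0 = datetime(2013, 1, 15, 10, 0)
    items = [
        Deposit("u1", "mobile", "021000021", "12345678", "1042", 50_000, t0),
        Deposit("u2", "branch", "0210-00021", "12345678", "0001042", 50_000,
                t0 + timedelta(days=3)),
        Deposit("u1", "mobile", "021000021", "12345678", "1043", 220_000,
                t0 + timedelta(hours=2)),
    ]
    for item in items:
        print(item.channel, item.check_no, mon.review(item))
```

Holding rather than rejecting keeps the review with a person, which is what makes the alert useful as a "security report" for the monitoring bullet above; the look-back window bounds memory while still covering the typical delay between a mobile deposit and the paper item being presented elsewhere.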
