IT Examinations and Best Practices for Senior Management and the Board

Susan Orr, CISA, CISM, CRISC, CRP

Susan Orr Consulting, Ltd.

Genesis of the Examination
  • EDP
  • IS (Information Systems)
  • IT (Information Technology)

What is the best title?

Traditional IT Areas
  • GLBA compliance
  • IT management
  • Audit
  • Security and controls
    • Network
    • Operations
  • Business Continuity
  • Incident Response
  • Vendor Management
  • EFT/Payment Systems
Traditional IT Areas
  • IT Management
    • Oversight
    • Reporting
    • IT Steering Committee
    • IT Strategic Planning
  • Audit
    • Expertise
    • Content
    • Independence
    • Follow-up
Traditional IT Areas
  • Security and Controls
    • User Profiles
    • Access Controls
    • Activity Monitoring
    • Internal Logical
    • Perimeter Logical
    • Internal Physical
    • Perimeter/External Physical
    • Policies/Procedures
Policies, Plans, Programs
  • Policies
    • ACH
    • Wire Transfer
    • Internet Banking
    • Remote Deposit
  • Plans/Programs
    • Information Security
    • BCP
    • Incident Response
    • Vendor Mgmt
    • Acceptable Use
    • Technology
Information Security/GLBA
  • 501(b) – Requires the agencies to establish standards for administrative, technical and physical safeguards to:
    • Ensure the security and confidentiality of customer records and information
    • Protect against any anticipated threats or hazards to the security or integrity of such records
    • Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer
Interagency Guidelines
  • Interagency Guidelines Establishing Standards for Safeguarding Customer Information
    • FDIC: 12 CFR Part 364, Appendix B
    • FRB: 12 CFR Part 208, Appendix D-2
    • OCC: 12 CFR Part 30, Appendix B
    • NCUA: 12 CFR Part 748, Appendix A (Guidelines for Safeguarding Member Information)
Updates to GLBA and Related Regs
  • FACTA - 2003
  • Small Entity Guidance
  • Sarbanes-Oxley
  • State Data Protection Laws
  • ID Theft Red Flags
  • PCI DSS
  • Various interagency and agency-specific guidance
IT vs. Enterprise-wide
  • GLBA and information security are not just IT issues – they are an organizational responsibility.
  • They require board involvement – a top-down approach is imperative
501(b) Mandated Interagency Guidance
  • The Interagency Guidelines require banks to implement a comprehensive written information security program
    • The information security program must include:
      • Administrative safeguards
      • Technical safeguards
      • Physical safeguards
    • Safeguards must be appropriate to the
      • Size and complexity of the institution
      • Nature and scope of its activities
Written Information Security Program
  • An information security program is a regulatory requirement and should integrate existing policies, procedures, and controls with management practices in an overall plan for the protection of personal information
Information Security Program
  • Policy Statement/Compliance with Laws and Regs
  • Definition of Security
  • Objectives
  • Responsibilities
    • Board, Senior Mgmt
    • Others
  • Designation of the Information Security Officer (ISO)
  • Risk Assessment
  • Risk Mitigation/Key Controls
  • Testing of Key Controls
  • Disposal of Confidential Information
  • Business Continuity
  • Incident Response
  • Vendor Mgmt
  • Updating/Revising
  • Reporting to Board
Recent Guidance Released
  • June 28, 2011 Authentication in an Internet Banking Environment – Supplement
  • April 9, 2012 Appendix D: Managed Security Service Providers (Outsourcing Technology Services Booklet)
  • July 10, 2012 Cloud Computing Information Paper
  • October 31, 2012 Revised TSP Booklet
  • January 22, 2013 Proposed Social Media Guidance
Authentication Supplement
  • Account Takeover/ACH & WT Online Fraud – litigated cases
    • Hillary Machinery v. PlainsCapital Bank
    • Experi-Metal (EMI) v. Comerica Bank
    • Patco Construction v. People's United Bank (Ocean Bank)
    • Village View Escrow v. Professional Business Bank
    • Choice Escrow & Land Title v. BancorpSouth Bank
  • Malware (typically delivered by phishing email)
  • Smishing (SMS phishing) and vishing (voice phishing)
  • Compromised email accounts
  • Social engineering
  • Remote login software
FFIEC Authentication Guidance
  • September 2005, Guidance
  • June 2011 Supplement
    • Reinforces the Sept. 2005 Guidance's risk management framework and updates regulators' expectations regarding customer authentication, layered security, and other controls
      • Risk assessment
      • Authentication strategies/layered security
      • Customer awareness education
    • Identifies specific minimum elements that should be part of a customer awareness and education program
Appendix D: Managed Security Service Providers
  • Use of outsourcing security management
  • Engagement
    • Agreed upon SLA in contract
    • Strategies for transparency and accountability
      • Regular communication
        • Change control
        • Problem resolution
      • Descriptions on logical and physical controls
    • Periodic reviews of MSSP processes, infrastructure, and controls
Types of MSSPs
  • Firewall
  • IDS
  • VPN
  • Event Log Management
  • Antivirus
  • Web Content Filtering
  • Patch Management and Security Software Management
  • Incident Response and Management
  • Data Leak Prevention
  • Secure Messaging
  • Consulting
    • Pen testing
    • Vulnerability assessments
    • Compliance tools
    • Training
Types of MSSPs
  • Full Outsourcing
    • Manage all connections
    • Manage network
    • Update rules on devices
    • Analyze data and escalate responses
    • Provide reports and alerts
  • Co-Managed
    • Client owns equipment
    • Security event monitoring tools and data loss prevention
    • After hours IDS/IPS event reporting
Types of MSSPs
  • Split Processing
    • MSSP monitors devices
    • Vulnerability assessments
  • Consulting
    • Risk assessments
    • Initial system configuration
    • Policy formulation
    • Information Security compliance
    • Forensics
    • Pen testing
    • Social engineering testing
    • Physical security
    • Management reporting
Key Elements of the FFIEC Document
  • Due Diligence
  • Vendor Management
  • Audit
  • Information Security
  • Legal, Regulatory, and Reputation Considerations
  • Business Continuity Planning
Cloud Defined
  • Definition – cloudy at best
    • Virtual servers available over the Internet
    • Anything you use outside of the firewall
    • Using resources, networks, servers, software, storage, services basically over the Internet (Web based products/services)
    • “Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google
Supervision of Technology Service Providers
  • FFIEC October 2012
    • Examination program
      • Examination process
      • Examiner responsibilities
      • Frequency
Proposed Social Media Guidance
  • “Institutions will be expected to use the guidance in their efforts to ensure that policies and procedures provide oversight and controls commensurate with the risks posed by social media activities”
Principal Elements of Guidance
  • Address increased risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk
  • Financial Institution Use
  • Employee Use
  • Controls
  • Strategic plan
    • Aligns and contributes to strategic goals of FI
  • Policies
  • Procedures
  • Monitoring
  • Controls
  • Even if you don’t have a social media site still need to be prepared to address:
    • Potential for negative comments and complaints
    • Provide guidance for employee use of social media

  • Information Security Program
  • Independence of the ISO
  • Incident Response Plan
  • Vendor Management
  • Data Loss Prevention
  • Enterprise-wide Information Security Risk Assessment
Information Security Program
  • Written Program
    • Summary of bank's program, not a reiteration of the FFIEC ISP requirements
  • Controls
    • Review of user profiles
    • Access based on least privilege
  • Report to the Board
    • Content too brief
  • Lack of Independence
    • ISO should not be an IT production resource
  • Lack of knowledge/expertise
Incident Response Plan
  • Plans are not detailed enough
  • Need a designated Incident Response Team
  • Need to specifically identify the types of incidents (technical and non-technical)
  • Need to note how the institution would be made aware of each incident
  • Need to provide specific steps for how to respond to each identified incident
Vendor Management
  • Big Focus on Vendor Management Program
    • Detailed written program
      • Responsibilities
      • Risk assessment
      • Explanation of risk criteria and ratings
      • Due diligence process
      • Contracting process
      • Ongoing monitoring and oversight
    • Too IT oriented and not enterprise-wide
    • Focused only on mission criticality
[Diagram (labels only recovered) of vendors beyond IT: wires, ACH, ATM; Payroll processor; Cash Management; Law Firms; Security Company]
Classification Factors
  • Mission critical
  • Access to sensitive or confidential information
  • Information controlled by service provider
  • Volume of transactions
  • New activity for institution
  • New provider
  • Markets products or services
  • High risk activities
Data Loss Prevention
  • Data Leakage – nonpublic personal information (NPI) leaving the bank
  • Need to develop a comprehensive data loss prevention strategy covering the various components/devices and other channels through which NPI could be disclosed without authorization:
    • USB, mobile devices
    • Email, fax
    • File transfer
    • Hard copy
Data Loss Prevention
  • Encryption
  • Secure file transfer
  • Restricted use of USB and portable devices
  • Restricted remote access
  • Acceptable Use for copying and removing documents from bank
  • Guidelines for mobile devices and BYOD
  • Email content filtering
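The "email content filtering" and "secure file transfer" items above are where a DLP strategy becomes code. The following is an added example, not from the presentation or any DLP product: an outbound content check for the NPI patterns a bank most wants to stop at the mail or file-transfer boundary (SSNs, payment card numbers, ABA routing numbers), with checksum validation so that random digit runs do not block legitimate mail. The sample messages are constructed; the card number is the standard 4111… test value and the routing number 011000015 is used only because its checksum validates.

```python
"""Outbound content filter for nonpublic personal information (NPI).

Added example, not from the presentation or any DLP product. It checks a
message body for SSNs, payment card numbers (Luhn-validated) and ABA
routing numbers (checksum-validated) and applies a simple policy: NPI may
leave only over an encrypted/approved channel. Sample messages are
constructed.
"""
import re

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digit runs optionally separated by spaces or dashes; confirmed by Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# 9-digit runs, accepted only with the ABA checksum and a routing-number
# keyword in the message, so ordinary 9-digit references do not fire.
ROUTING_RE = re.compile(r"\b\d{9}\b")
ROUTING_CONTEXT_RE = re.compile(r"\b(routing|aba|rtn)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing-number checksum: weights 3,7,1 repeated, sum mod 10 == 0."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return len(digits) == 9 and sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in logs and block notices."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(body: str) -> list:
    """Return [(kind, masked_value), ...] for every NPI pattern found."""
    findings = []
    for m in SSN_RE.finditer(body):
        findings.append(("SSN", mask(m.group().replace("-", ""))))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card number", mask(digits)))
    if ROUTING_CONTEXT_RE.search(body):
        for m in ROUTING_RE.finditer(body):
            if aba_ok(m.group()):
                findings.append(("ABA routing number", mask(m.group())))
    return findings


def decide(msg: dict) -> str:
    """Policy: NPI may leave only over an encrypted/approved channel."""
    findings = scan(msg["body"])
    if not findings:
        return "allow"
    if msg.get("encrypted"):
        return "allow: encrypted channel"
    return "block: " + ", ".join(f"{k} {v}" for k, v in findings)


# Constructed sample traffic (assumed addresses and bodies).
MESSAGES = [
    {"to": "cpa@example.com", "body": "Customer SSN is 123-45-6789, please update the 1099."},
    {"to": "payroll@example.com", "body": "Payroll file: routing 011000015 acct 000123456",
     "encrypted": True},
    {"to": "team@bank.example", "body": "Lunch at noon? Conference room 9."},
    {"to": "merchant@example.com", "body": "Card 4111 1111 1111 1112 was declined, retry."},
    {"to": "merchant@example.com", "body": "Card 4111-1111-1111-1111 approved for deposit."},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["to"], "->", decide(m))
```

The fourth message shows why the checksum matters: it looks like a card number but fails Luhn, so it passes without a false positive; the fifth differs in one digit, validates, and is blocked. The payroll file is allowed only because the message is flagged as going over an encrypted channel, which is the "secure file transfer" control on the slide.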
Enterprise-wide Information Security Risk Assessment
  • Not Comprehensive
    • Identification of threats/risk
    • Identification of controls
  • Not Enterprise-wide, only focused on IT
  • No Validation of the Effectiveness of the Controls
  • No Definitions for Risk Rating Factors
  • Consider interconnectivity of information assets, vendors or components that store, transmit, or transfer information
Risk Assessment Process
[Process diagram (labels only recovered): Inherent Risk; Identify & …; Gap Analysis; Validation of …; Residual Risk]
  • Internal Use
  • Customer Use
  • Smart Phone, Blackberry, iPad
    • BYOD
    • Bank Owned
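The vendor "Classification Factors" slide and the risk assessment findings above ("no definitions for risk rating factors", "no validation of the effectiveness of the controls", inherent risk, gap analysis, residual risk) describe one method; the following is an added example of that method in code. It is not from the presentation and does not reproduce any institution's methodology: the factor names follow the Classification Factors slide, while the weights, rating bands, control reduction percentages and the two sample vendors are constructed assumptions.

```python
"""Vendor risk classification with explicit rating factors, validated
controls and residual risk.

Added example; not from the presentation. Factor names follow the
'Classification Factors' slide; weights, rating bands, reduction
percentages and the sample vendors are constructed assumptions.
"""
from dataclasses import dataclass, field

# Each factor has a written definition (so two assessors answer it the same
# way) and an assumed weight toward the inherent-risk score.
FACTORS = {
    "mission_critical":     ("An outage stops a core banking function", 5),
    "accesses_npi":         ("Handles nonpublic personal information (NPI)", 5),
    "controls_information": ("Provider holds/controls the institution's data", 3),
    "high_volume":          ("Transaction volume above the internal threshold", 2),
    "new_activity":         ("Activity is new to the institution", 2),
    "new_provider":         ("No prior relationship with this provider", 2),
    "markets_for_us":       ("Markets products/services to our customers", 2),
    "high_risk_activity":   ("Money movement: wires, ACH, ATM, cash management", 4),
}
MAX_INHERENT = sum(w for _, w in FACTORS.values())          # 25
RATING_BANDS = [(15, "High"), (8, "Moderate"), (0, "Low")]   # assumed cut-offs
RANK = {"Low": 0, "Moderate": 1, "High": 2}


@dataclass
class Control:
    name: str
    reduction: float   # fraction of remaining risk removed, 0..1 (assumed)
    validated: bool    # effectiveness tested, not merely documented


@dataclass
class Vendor:
    name: str
    answers: dict                     # factor name -> True/False
    controls: list = field(default_factory=list)


def inherent_risk(v: Vendor) -> int:
    """Weighted sum of the factors answered 'yes'. Rejects factors that have
    no definition, which is the examiner's 'no definitions for rating factors'."""
    unknown = set(v.answers) - set(FACTORS)
    if unknown:
        raise ValueError(f"undefined rating factors: {sorted(unknown)}")
    return sum(w for f, (_, w) in FACTORS.items() if v.answers.get(f, False))


def rating(score: float) -> str:
    """Map a numeric score to a defined band so ratings are reproducible."""
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    return "Low"


def residual_risk(v: Vendor) -> float:
    """Apply only controls whose effectiveness has been validated; a control
    that exists on paper but was never tested reduces nothing."""
    score = float(inherent_risk(v))
    for c in v.controls:
        if c.validated:
            score *= 1.0 - c.reduction
    return round(score, 2)


def gap_analysis(v: Vendor, appetite: str = "Moderate") -> dict:
    """Compare residual risk with the board-approved appetite and list the
    controls still awaiting validation."""
    inh, res = inherent_risk(v), residual_risk(v)
    return {
        "vendor": v.name,
        "inherent": inh, "inherent_rating": rating(inh),
        "residual": res, "residual_rating": rating(res),
        "unvalidated_controls": [c.name for c in v.controls if not c.validated],
        "within_appetite": RANK[rating(res)] <= RANK[appetite],
    }


def assess_all(vendors, appetite: str = "Moderate") -> list:
    """Enterprise-wide view: every provider, IT or not, ranked by residual risk."""
    return sorted((gap_analysis(v, appetite) for v in vendors),
                  key=lambda g: g["residual"], reverse=True)


# Constructed sample: one payments processor and one non-IT vendor.
ACH_PROCESSOR = Vendor(
    "ACH processor",
    {"mission_critical": True, "accesses_npi": True, "controls_information": True,
     "high_volume": True, "high_risk_activity": True},
    [Control("SOC 2 Type II report reviewed", 0.30, validated=True),
     Control("Encryption in transit verified by test", 0.20, validated=True),
     Control("Right-to-audit clause exercised", 0.20, validated=False)],
)
LAW_FIRM = Vendor("Law firm", {"accesses_npi": True})

if __name__ == "__main__":
    for g in assess_all([ACH_PROCESSOR, LAW_FIRM]):
        print(g)
```

The point of the design is traceability: an examiner can read the factor definitions, the band cut-offs and the list of untested controls straight out of the output, and a documented-but-unvalidated control visibly leaves residual risk where it was.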
Internal Use
  • Risk Assess
  • Policy and use guidance
  • Controls
    • PIN/Passcode
    • Encryption
    • Firewalls
    • Antivirus
    • Connectivity restrictions
    • App installation restrictions
Customer Use
  • Mobile Banking
  • Consumer Capture
Customer Use Risks
  • Weaker ties to consumer customers than to merchant RDC customers
  • Consumers are more mobile
  • With deposits made from mobile phones, the fraudster is harder to locate
  • Fraudulent printed checks deposited by image: security ink and watermarks may not be present or visible on the image
  • Duplicate deposits
  • Default passwords on the device, or no password
  • Security updates or software patches not installed
  • Unsecured WiFi connections
Customer Use Controls
  • IT Strategic Plan
  • Risk Assessment
  • Policy
  • Business continuity plan
  • Incident response plan
  • Vendor management
  • Procedures
    • Marketing
    • Enrolling customer
    • Registration, activation
    • Account management
      • Monitoring user activity and security reports
    • Deactivation of user
Customer Use Controls
  • Know Your Customer
  • Implement a customer agreement specific to the product
  • Customer opt in/enroll
  • Set limits
  • Strong authentication/MFA
  • Encryption/secure sessions
  • Monitoring/auditing of transactions and activity
  • Implement back office fraud detection
  • De-activation procedures
  • Secure the downloaded application so it cannot be tampered with
  • No regulatory guidance…yet
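"Set limits", "monitoring/auditing of transactions" and "back office fraud detection" above, together with the layered-security and anomaly-detection expectations of the June 2011 Authentication Supplement and the account-takeover cases listed earlier, all come down to the same control: score each online payment against what is normal for that customer and respond in layers. The following is an added example of such a rule set, not from the presentation or any fraud product; the customer profile, rule weights, thresholds and the day's transactions are all constructed.

```python
"""Rule-based monitoring of online ACH/wire payments for account-takeover
patterns, with layered responses (allow, step-up, hold).

Added example; not from the presentation or any vendor product. The
customer profile, rule weights, thresholds and transactions are constructed.
"""
from datetime import datetime, timedelta

PROFILE = {  # assumed baseline for one business customer
    "customer": "acme-plumbing",
    "known_payees": {"ABC Supply", "City Utilities", "Payroll Co"},
    "known_devices": {"dev-7f3a"},      # device fingerprints seen before
    "typical_max": 12_000.00,           # largest payment in the trailing 12 months
    "daily_limit": 25_000.00,           # limit set with the customer at enrollment
    "business_hours": (7, 19),          # local hours when this customer pays bills
}


def score_transaction(tx: dict, profile: dict, earlier_today: list):
    """Return (score, reasons). `earlier_today` holds this customer's prior
    payments of the day, including ones on hold, so splitting a large
    transfer into several small ones still trips the limit and velocity rules."""
    score, reasons = 0, []
    if tx["payee"] not in profile["known_payees"]:
        score += 30; reasons.append("new payee")
    if tx["device"] not in profile["known_devices"]:
        score += 25; reasons.append("unrecognised device")
    if tx["amount"] > profile["typical_max"]:
        score += 20; reasons.append("amount above historical maximum")
    if sum(t["amount"] for t in earlier_today) + tx["amount"] > profile["daily_limit"]:
        score += 40; reasons.append("daily limit exceeded")
    lo, hi = profile["business_hours"]
    if not lo <= tx["when"].hour < hi:
        score += 10; reasons.append("outside business hours")
    if len(earlier_today) >= 3 and tx["when"] - earlier_today[-3]["when"] < timedelta(hours=1):
        score += 15; reasons.append("velocity: fourth payment within an hour")
    return score, reasons


def decide(score: int) -> str:
    """Layered response: the riskier the payment, the stronger the control."""
    if score >= 60:
        return "hold"      # back-office review and out-of-band callback before release
    if score >= 30:
        return "step-up"   # out-of-band one-time code before the payment is accepted
    return "allow"


def monitor(transactions: list, profile: dict) -> list:
    """Process one customer's day in time order; one record per payment."""
    results, earlier = [], []
    for tx in sorted(transactions, key=lambda t: t["when"]):
        score, reasons = score_transaction(tx, profile, earlier)
        results.append({"id": tx["id"], "score": score,
                        "decision": decide(score), "reasons": reasons})
        earlier.append(tx)
    return results


def _at(hh: int, mm: int) -> datetime:
    return datetime(2013, 9, 12, hh, mm)


# Constructed day: two ordinary payments, then the classic takeover pattern of
# sub-limit payments to new payees from a new device late at night.
DAY = [
    {"id": "T1", "when": _at(8, 30),  "payee": "ABC Supply",     "amount": 4_500.00,  "device": "dev-7f3a"},
    {"id": "T2", "when": _at(10, 15), "payee": "New Vendor Inc", "amount": 3_200.00,  "device": "dev-7f3a"},
    {"id": "T3", "when": _at(23, 15), "payee": "J. Smith",       "amount": 4_900.00,  "device": "dev-c0de"},
    {"id": "T4", "when": _at(23, 20), "payee": "K. Jones",       "amount": 4_900.00,  "device": "dev-c0de"},
    {"id": "T5", "when": _at(23, 28), "payee": "L. Brown",       "amount": 4_900.00,  "device": "dev-c0de"},
    {"id": "T6", "when": _at(23, 40), "payee": "M. Davis",       "amount": 13_000.00, "device": "dev-c0de"},
]

if __name__ == "__main__":
    for r in monitor(DAY, PROFILE):
        print(r)
```

A legitimate new payee during the day only costs the customer a one-time code, while each of the late-night payments is held before money leaves; the last one also exceeds the agreed daily limit because held payments still count toward it.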
Cyber Security Attacks
  • DDoS Attacks
    • September 11, 2013 – Threat of new attack
    • August 2013: New DDoS Fraud Link
    • June 2013: Another Version of DDoS Hits Bank
    • June 2013: OCC Sees Cybersecurity as Fastest Growing Risk to Banks
OCC Concerns
  • Mobile Computing/BYOD
  • Cloud Computing
  • Outsourcing
  • Big Data
  • Sophistication of attacks
  • Expect to get worse before gets better
Laws that Govern
  • GLBA
  • SOX
  • FCRA
  • FTC Act
  • Bank Service Company Act
  • State Data Security Laws
  • Executive Order (EO 13636, Improving Critical Infrastructure Cybersecurity, February 2013)
  • Cyber security bills
  • PCI DSS – Industry Standard
  • FFIEC guidance
  • There are some standard examination protocols
  • There will be variations depending on the examiner, the agency