written by Blair Groves
We have all heard the phrase “heightened regulatory environment” regarding the expectations the banking industry is facing from their regulating agencies. With the latest hacks and scams being front page news, banks can expect that this phrase will most definitely ring true when it comes to the technology and security portion of their upcoming exams.
As we go from bank to bank performing IT audits we have started to see a trend in findings from examiners, both state and federal. We have compiled a list of items that can help you prepare for your examiners and, hopefully, minimize findings and increase the overall security of your institution.
If you haven’t already done so, examiners would like to see what the inherent risk is of each hardware and software item. In other words, what is the risk of an item without applying any mitigating controls? Once the inherent risk is displayed, explain the mitigation controls applied and then explain what the residual risk would be, after the mitigation controls have been applied. Hopefully, the original residual risk rating will drop after the controls are applied.
Operations Security & Risk Management
Banks should ensure that the Board of Directors is aware if the institution has any “super-users” or users with privileged access rights. If the bank does have a “super-user” management should document what mitigating controls are in place and have the Board review and approve access and controls on at least an annual basis.
Management should make certain local administrative rights are removed from workstations to protect from unauthorized software or overrides of global domain settings.
Management should implement playbooks into the bank’s Incident Response Plan. Playbooks should include different scenarios that could impact the bank and should be practiced with employees of the bank as training.
Privacy screens should be on workstations in public areas or those viewed through windows.
Succession plans should be in place for in-house IT managers, as well as managed service vendors. Background checks should be performed on all new employees.
Management should ensure an internal vulnerability and external vulnerability test be performed annually.
The Information Security Program annual report to the Board should include risk assessment findings, material changes to the program, any security incidents, service provider overviews, and accepted risk, such as privilege access in the banking systems in accordance with FFIEC guidelines in the IT handbook for Information Security.
ACH, Remote Deposit Capture and Fed-Line
Ensure management has developed an ACH risk assessment in accordance with NACHA rules appendix 8. This risk assessment should be approved by the Board annually.
Merchants using ACH and RDC should be evaluated for risk. Based on the level of risk, certain controls should be applied. For example, high risk ACH/RDC customers could have dual controls at the merchant to mitigate the increased level of risk.
Local machine firewall should be applied to all Fed-Line workstations, and management should implement firewalls on Fed-Line workstations that will only allow access to certain sites.
ACH activity should be reported to the Board on a monthly basis. Anomaly detection should be implemented on ACH batch files.
Management should ensure past employees are withdrawn from wire authority.
Remote deposit capture login should use multifactor authentication.
Disaster Recovery & Business Continuity Management
Generators should be tested monthly and stress tested annually to ensure it can support bank operations.
Disaster recovery testing should include testing in the event of a Distributed Denial of Service (DDOS) attack. (FIL 11-2014).
The Business Impact Analysis (BIA) should include priority of recovery and identify interdependencies.
Bottom line, we don’t expect all of these recommendations to be mitigated at your bank. However, we believe becoming familiar with them and researching the mitigation strategies might help you at your next FDIC exam. For more information, please don’t hesitate to call Blair Groves or Chris Griesemer at The Whitlock Company 417-881-0145.