written by Chris Griesemer
Before regulators arrive for your bank's next IT Review, do you ever wonder what topics they will focus on this year? In the past 6 months, we have seen a couple of areas that seem to get a little more attention.
These areas include:
1. Cloud Hosting
2. Social Engineering
3. Patch Management
4. Windows XP
5. Risk Rate before Implementation
The Cloud is becoming more and more attractive for both monetary and convenience reasons. If your bank plans to use or is using a cloud product or service, make sure you include a couple of items in your vendor review. First, understand how your data is being stored. Is it encrypted and who has access to it both physically and logically? It is important to make sure your data is backed up reliably and stored securely.
Secondly, who has access to the backed-up data? If you decide to end your relationship with your cloud vendor, how easy (or difficult) will it be to get your data back? What happens to your data when you terminate the relationship? Is the data wiped from the vendor's server, or is it just deleted? These are questions you should ask when doing your vendor review.
Social Engineering seems to be a popular topic lately. The recent breach of Target's data has brought it to the forefront of business headlines. The most important procedure to put in place is training. Make sure bank employees are familiar with the common types of social engineering techniques. Employees should know to always double-check vendors who show up onsite. Never give information to vendors over the phone without verifying they are who they say they are. And make sure desks are clear of written-down usernames and passwords (including those stored under keyboards).
Patch management never seems to go away and there is always some new patch needing to be applied. Taking the patch management process out of the hands of your users and centralizing the patch management procedures seems to be popular among banks right now. Make sure reports are produced that verify whether or not the patches are being applied and these reports are discussed in the IT committee meetings.
Windows XP support ended on April 8, 2014. If you have Windows XP in your bank, make sure it is listed in your risk assessment with mitigation explaining how it will be replaced. Also make sure ATMs are not using XP. If they are, again make sure it is listed in the risk assessment.
Risk Rate before Implementation
And finally, make sure all new technology is entered into the risk assessment before being implemented in the bank network. Examiners would like to see the new technology entered into the risk assessment in the due diligence stage. By risk rating at this stage, a bank may find one product has more risk associated with it than another product and decide to go with the less risky solution. When this happens, the risk assessment is truly used as a tool to help the bank.
These are the top five areas we have seen the examiners focus on this year. Of course there are many other areas, but these are some important ones to note. If you have any questions about these or any other topics, please don't hesitate to contact us at 417-881-0145 or www.whitlockco.com.