written by Chris Griesemer

How many hacking incidents can you remember in the past 12 months? Sony, Home Depot, P.F. Changs and Anthem to name a few. These events have definitely affected the awareness of different industries but maybe no more than Financial Institutions. According to their web site, The Federal Financial Institutions Examination Council (FFIEC) is designed to prescribe uniform principles, standards and report forms for Banks.

One area they provide help with is Information Security. The FFIEC recently came out with guidelines or recommendations for banks to be more equipped to handle Cyber Security Threats. I believe these items not only apply to banks but to every business. I have listed the eight that are on the FFIEC web site with some modifications to show the value for all industries:

  1. Make sure all servers and workstations are continually updated with current patches. Implementing a patch management automation application like GFI Languard will help make patching machines easy and very manageable.
  2. Review incident response and business continuity plans to make sure they cover what to do in the event of a cyber security incident.
  3. Perform information security risk assessments. In other words, identify the risks your business needs to be aware of. For example, having internet in a business is always a risk. Have you recognized all risks associated with the internet, ie. Malware, virus’, phishing, hacking, firewall security. These are all risks which could affect any business owner. More importantly, be sure to identify how to ensure those risks don’t affect your business.
  4. Monitor firewalls and implement intrusion detection and prevention services which have the ability to notify or prevent any threats attacking your firewall.
  5. Protect against not only physical unauthorized access but logical unauthorized access. Review all of the third party vendors you have working on your business and determine if they have physical access to your company or logical access. If the answer is “Yes”, review the rights they have and make sure they are acceptable.
  6. Determine what critical systems your company is using and make sure you have implemented and tested controls to minimize risk.
  7. Implement security awareness and training programs for all employee’s on an annual basis.
  8. Determine if there are any industry information sharing forums and sign up for them. These forums will continually offer new ideas on security based on your specific line of business.

One area that FFIEC does not includes is insurance. It is also important to make sure your insurance on your company covers cyber security incidents.

For those of you who have not seen these before, these would greatly increase your overall security. For those of you who have seen these, this would be a great time to review and make sure all of these items are implemented and are reviewed on an annual basis.

The Whitlock Company has been performing these types of reviews for Financial Institutions for more than twelve years. If you are concerned with this topic and would like to learn more, please don’t hesitate to call Chris Griesemer for more information 417-881-0145.