
The Latest IT and Security Hot Topics for Banks

Written by Blair Groves

We have all heard the phrase "heightened regulatory environment" used to describe the expectations the banking industry faces from its regulating agencies. With the latest hacks and scams making front-page news, banks can expect that phrase to ring especially true for the technology and security portion of their upcoming exams.

As we go from bank to bank performing IT audits, we have started to see a trend in findings from examiners, both state and federal. We have compiled a list of items that can help you prepare for your examiners and, hopefully, minimize findings and increase the overall security of your institution.

Risk Assessment

If you haven't already done so, examiners would like to see the inherent risk of each hardware and software item. In other words, what is the risk of an item before any mitigating controls are applied? Once the inherent risk is shown, describe the mitigating controls applied to it and then state the residual risk, the risk that remains after those controls are in place. If the controls are effective, the residual risk rating should be lower than the inherent rating.

Operations Security & Risk Management

Banks should ensure that the Board of Directors is aware if the institution has any "super-users" or users with privileged access rights. If the bank does have a "super-user," management should document what mitigating controls are in place and have the Board review and approve the access and controls on at least an annual basis.

Management should make certain local administrative rights are removed from workstations to protect against unauthorized software or overrides of global domain settings.

Management should add playbooks to the bank's Incident Response Plan. Playbooks should cover the different scenarios that could impact the bank and should be practiced with bank employees as training.

Privacy screens should be installed on workstations in public areas or on those that can be viewed through windows.

Succession plans should be in place for in-house IT managers as well as managed service vendors. Background checks should be performed on all new employees.

Management should ensure that internal and external vulnerability assessments are performed annually.

The Information Security Program annual report to the Board should include risk assessment findings, material changes to the program, any security incidents, service provider overviews, and accepted risk, such as privileged access in the banking systems, in accordance with FFIEC guidelines in the IT Handbook for Information Security.

ACH, Remote Deposit Capture and Fed-Line

Ensure management has developed an ACH risk assessment in accordance with NACHA Rules Appendix 8. This risk assessment should be approved by the Board annually.

Merchants using ACH and RDC should be evaluated for risk. Based on the level of risk, certain controls should be applied. For example, high-risk ACH/RDC customers could be required to use dual control at the merchant to mitigate the increased level of risk.

A local (host-based) firewall should be enabled on all Fed-Line workstations, and management should configure those firewalls to allow access only to approved sites.

ACH activity should be reported to the Board on a monthly basis. Anomaly detection should be implemented on ACH batch files.

Management should ensure past employees are removed from wire authority.

Remote deposit capture logins should use multifactor authentication.

Disaster Recovery & Business Continuity Management

Generators should be tested monthly and stress tested annually to ensure they can support bank operations.

Disaster recovery testing should include testing in the event of a Distributed Denial of Service (DDoS) attack (FIL-11-2014).

The Business Impact Analysis (BIA) should include the priority of recovery and identify interdependencies.

Summary

Bottom line, we don't expect every one of these recommendations to be in place at your bank already. However, we believe becoming familiar with them and researching the mitigation strategies might help you at your next FDIC exam. For more information, please don't hesitate to call Blair Groves or Chris Griesemer at The Whitlock Company, 417-881-0145.
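The ACH section above recommends anomaly detection on ACH batch files without saying what that looks like in practice. The script below is an added example, not code from The Whitlock Company or from any banking platform. It assumes the bank can summarize each outbound batch (originating company, entry count, total debit dollars, submission time) from the batch header and batch control records of its ACH files; the HISTORY and TODAY records are constructed sample data. Each originator is compared against its own history, so a payroll company's normal batch is not judged by a dental office's pattern.

```python
"""Baseline-and-deviation anomaly checks for ACH batch submissions.

Added example, not code from The Whitlock Company. Works on a constructed
per-batch summary (what a bank might extract from the batch header/control
records of its outbound ACH files) and flags batches that deviate from each
originator's own history: an unusual dollar total, an entry-count spike, a
submission outside the originator's usual hours, or an originator with no
history at all.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed baseline: prior batches per originating company (hypothetical names).
HISTORY = [
    {"batch_id": "H1", "originator": "ACME PAYROLL", "entry_count": 40, "total_debit": 48000.00, "submitted": "2024-03-01T09:05"},
    {"batch_id": "H2", "originator": "ACME PAYROLL", "entry_count": 41, "total_debit": 50000.00, "submitted": "2024-03-08T09:10"},
    {"batch_id": "H3", "originator": "ACME PAYROLL", "entry_count": 42, "total_debit": 52000.00, "submitted": "2024-03-15T09:02"},
    {"batch_id": "H4", "originator": "ACME PAYROLL", "entry_count": 40, "total_debit": 49000.00, "submitted": "2024-03-22T09:20"},
    {"batch_id": "H5", "originator": "RIVER DENTAL", "entry_count": 12, "total_debit": 5000.00, "submitted": "2024-03-04T10:30"},
    {"batch_id": "H6", "originator": "RIVER DENTAL", "entry_count": 13, "total_debit": 5200.00, "submitted": "2024-03-11T10:45"},
    {"batch_id": "H7", "originator": "RIVER DENTAL", "entry_count": 12, "total_debit": 4900.00, "submitted": "2024-03-18T10:15"},
    {"batch_id": "H8", "originator": "RIVER DENTAL", "entry_count": 12, "total_debit": 5100.00, "submitted": "2024-03-25T10:40"},
]

# Constructed batches for the day under review.
TODAY = [
    {"batch_id": "T1", "originator": "ACME PAYROLL", "entry_count": 41, "total_debit": 150000.00, "submitted": "2024-03-29T09:07"},
    {"batch_id": "T2", "originator": "ACME PAYROLL", "entry_count": 40, "total_debit": 50500.00, "submitted": "2024-03-29T09:12"},
    {"batch_id": "T3", "originator": "RIVER DENTAL", "entry_count": 12, "total_debit": 5050.00, "submitted": "2024-03-29T23:10"},
    {"batch_id": "T4", "originator": "NEWCO LLC", "entry_count": 3, "total_debit": 900.00, "submitted": "2024-03-29T11:00"},
]


def build_baseline(history):
    """Per-originator statistics: dollar mean and spread, largest entry count, usual submission hours."""
    by_orig = defaultdict(list)
    for rec in history:
        by_orig[rec["originator"]].append(rec)
    baseline = {}
    for orig, recs in by_orig.items():
        totals = [r["total_debit"] for r in recs]
        mean = statistics.mean(totals)
        # Floor the spread at 10% of the mean so a very steady originator does not
        # trip on trivial differences and a one-batch history does not divide by zero.
        spread = max(statistics.pstdev(totals), 0.10 * mean)
        baseline[orig] = {
            "mean_total": mean,
            "spread_total": spread,
            "max_count": max(r["entry_count"] for r in recs),
            "hours": {datetime.fromisoformat(r["submitted"]).hour for r in recs},
        }
    return baseline


def score_batch(batch, baseline, z_threshold=3.0, count_headroom=1.25):
    """Return a list of (code, detail) findings; an empty list means nothing unusual."""
    base = baseline.get(batch["originator"])
    if base is None:
        return [("NEW_ORIGINATOR", "no prior batches for this originator")]
    findings = []
    z = (batch["total_debit"] - base["mean_total"]) / base["spread_total"]
    if abs(z) > z_threshold:
        findings.append(("DOLLAR_DEVIATION",
                         f"total {batch['total_debit']:.2f} is {z:.1f} spreads from mean {base['mean_total']:.2f}"))
    if batch["entry_count"] > base["max_count"] * count_headroom:
        findings.append(("COUNT_SPIKE", f"{batch['entry_count']} entries vs prior max {base['max_count']}"))
    hour = datetime.fromisoformat(batch["submitted"]).hour
    if hour not in base["hours"]:
        findings.append(("OFF_HOURS", f"submitted at hour {hour:02d}, usual hours {sorted(base['hours'])}"))
    return findings


def review_day(batches, baseline):
    """Map batch_id -> findings for every batch that raised at least one finding."""
    flagged = {}
    for b in batches:
        f = score_batch(b, baseline)
        if f:
            flagged[b["batch_id"]] = f
    return flagged


if __name__ == "__main__":
    for bid, findings in review_day(TODAY, build_baseline(HISTORY)).items():
        for code, detail in findings:
            print(f"{bid}: {code}: {detail}")
```

Run as-is, the review flags T1 (a payroll batch three times the originator's usual total), T3 (a normal-sized batch submitted at 23:00 by an originator that always submits mid-morning) and T4 (an originator with no history), while T2 passes. The thresholds and the 10% floor are starting points to tune against the bank's own volumes; the flagged batches are what an operations reviewer would hold for a callback before release, and the same per-originator summaries feed the monthly ACH report to the Board.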
