Cramming for an IT Exam
Every 12 to 18 months, a financial institution must be prepared to have its systems audited by the appropriate regulatory agency. Financial institutions must be prepared to pass these detailed IT exams, not only to avoid penalties from regulators but also to ensure that customer and member information remains secure, which will help to secure the organization’s reputation.
Preparing for an IT exam can be an overwhelming task, so it is crucial to identify key areas and specific actions. While requirements, activities, and involvement levels may vary greatly based on the size and complexity of the institution, there are nevertheless three areas to consider: technology management, personnel roles, and multilayered protection.
Examiners will want to see whether the institution has clear and well-enforced policies in place to ensure system security and whether it keeps records of activities and enforcement actions that have been taken.
Policies. Each institution should have a formal information security program written to comply with section 501(b) of the Gramm-Leach-Bliley Act (GLBA). Examiners will look carefully at this program and how well its policies and procedures are enforced.
So what type of policies and procedures should be implemented? Network and Internet policies should include technical details about user authentication, the management of software patches and updates, virus protection, firewall configuration, and system architecture.
The policy should also address user policies, such as Internet use guidelines for employees. In addition, it should have a section on risk assessment, including how and how often the institution conducts a comprehensive risk assessment of its IT systems.
Another section of the program should address the assignment of security controls for customer information and service provider relationships. Additionally, the program should include a section on disaster recovery and business contingency plans that includes details on how the bank will respond to a disaster; for example, how it will ensure that customer data is protected.
“Examiners want to know how your bank is going to handle certain unexpected situations,” says Anne Cheatham, who serves as chief operating officer of Insurors Bank of Tennessee.
Cheatham says that her bank provides examiners with documented business continuity plans, which include detailed policies, procedures, spreadsheets, templates, and so on. Because continuity plans must be validated by testing, the bank also provides testing documentation to demonstrate that the institution has appropriate safeguards in place.
Reporting. Reporting is a key element that examiners look for when reviewing an institution. Comprehensive and unbiased security and performance-related reports that cover both the virtual perimeter and internal monitoring systems are essential in validating IT security efforts. It is equally important to ensure that those reports are user-friendly and easy to understand. Organized graphics, such as pie charts, bar graphs, and linear graphs, are good examples of clearly structured data. These provide the examiner with hard evidence of the institution’s efforts.
“It is not enough to have a ‘log dump’ of all of our system activity,” explains Susan Bly, senior vice president of operations of Georgia Bank and Trust in Augusta, Georgia. “Examiners want concise reports that give detailed information of the interactions that have taken place.”
For example, Bly’s bank has an around-the-clock monitoring system that produces monthly reports that are reviewed by the firm’s system administrator. She uses them to conduct a monthly scan for vulnerabilities. Also, the bank’s internal auditor reviews these reports to look for breaches of internal security.
Financial institutions should produce internal summaries of these reports each month, highlighting the important areas of protection. They should report these areas to the board of directors quarterly.
They should also archive the reports and be prepared to provide them to examiners.
Examiners will look for proof that an institution’s procedures are being followed. For example, if an institution has a policy to test the complexity of passwords quarterly, the examiner will want to see reports that document the tests and actions taken.
“Prior to the examination date, regulators sent me a list of all the expected items that they intended to inspect on arrival, such as reports on intrusion activity, vulnerabilities, and patch management,” says David Reynolds, vice president of information systems for Insurors Bank of Tennessee.
“Upon arrival at the bank, the regulators reviewed all of the information provided in response to the list of expected items as well as additional reports and documents that were requested,” he says.
The bank’s information security officers should expect examiners to ask follow-up questions to get additional information after they look at reports. For example, in one situation, Reynolds says, the examiner noted that the bank had instances where user accounts became locked due to excessive incorrect password attempts, each logged on the monthly reports. The examiner asked what was being done about this problem.
Reynolds explained to the examiner that staff used the activity-report information to verify that there was no illegal activity taking place. They then followed up with users to ensure that they understood how the systems worked.
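The lockout review Reynolds describes is the kind of concise, actionable report examiners ask for in place of a raw log dump. The following script is an added example and is not code from the article or from any institution it quotes: it parses constructed authentication log lines in an assumed format, counts lockouts per user for one month, and flags each account for the same two outcomes the article names (verify that no unauthorized activity took place, then follow up with the user). The log format, usernames, hosts, business-hours window and follow-up rules are all assumptions made for illustration.

```python
"""Monthly account-lockout summary generated from authentication log lines.

Added example, not code from the article or from the banks it quotes.
The log line format, usernames, hosts, the business-hours window and the
follow-up rules are all constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one month of authentication events in an assumed
# "<ISO timestamp> <EVENT> user=<name> src=<host>" format, plus one corrupt line.
SAMPLE_LOG = """\
2006-03-02T08:14:05 AUTH_FAIL user=jsmith src=ws-101
2006-03-02T08:14:20 AUTH_FAIL user=jsmith src=ws-101
2006-03-02T08:14:41 AUTH_FAIL user=jsmith src=ws-101
2006-03-02T08:14:42 LOCKOUT user=jsmith src=ws-101
2006-03-02T09:01:10 AUTH_OK user=jsmith src=ws-101
2006-03-09T17:40:02 AUTH_FAIL user=mlee src=ws-212
2006-03-09T17:40:30 LOCKOUT user=mlee src=ws-212
2006-03-15T02:11:00 AUTH_FAIL user=admin src=10.0.9.77
2006-03-15T02:11:02 AUTH_FAIL user=admin src=10.0.9.77
2006-03-15T02:11:04 AUTH_FAIL user=admin src=10.0.9.77
2006-03-15T02:11:05 LOCKOUT user=admin src=10.0.9.77
2006-03-15T02:11:20 AUTH_FAIL user=admin src=10.0.9.78
2006-03-15T02:11:21 LOCKOUT user=admin src=10.0.9.78
2006-03-22T08:30:00 AUTH_FAIL user=jsmith src=ws-101
2006-03-22T08:30:15 LOCKOUT user=jsmith src=ws-101
2006-03-31 corrupted entry that the parser must skip
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 local time


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "src": src})
    return events


def classify(rec):
    """Follow-up decision for one user's lockouts, mirroring the article's two
    outcomes: rule out unauthorized activity first, then coach the user."""
    if len(rec["sources"]) > 1 or rec["off_hours"] > 0:
        return "investigate"      # several hosts or off-hours: verify no illegal activity
    if rec["lockouts"] >= 2:
        return "user follow-up"   # same workstation, business hours, repeated: training issue
    return "none"


def lockout_summary(events, month):
    """Per-user lockout counts for one 'YYYY-MM' month with a follow-up flag."""
    summary = defaultdict(lambda: {"lockouts": 0, "sources": set(), "off_hours": 0})
    for e in events:
        if e["event"] != "LOCKOUT" or e["ts"].strftime("%Y-%m") != month:
            continue
        rec = summary[e["user"]]
        rec["lockouts"] += 1
        rec["sources"].add(e["src"])
        if e["ts"].hour not in BUSINESS_HOURS:
            rec["off_hours"] += 1
    for rec in summary.values():
        rec["follow_up"] = classify(rec)
    return dict(summary)


def format_report(summary, month):
    """The concise table an examiner would read instead of a raw log dump."""
    lines = [f"Account lockouts for {month}",
             f"{'user':<10}{'lockouts':>9}{'hosts':>7}{'off-hrs':>9}  follow-up"]
    for user in sorted(summary):
        r = summary[user]
        lines.append(f"{user:<10}{r['lockouts']:>9}{len(r['sources']):>7}"
                     f"{r['off_hours']:>9}  {r['follow_up']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(lockout_summary(parse_log(SAMPLE_LOG), "2006-03"), "2006-03"))
```

The point of the `classify` step is that the report already carries the follow-up decision the examiner will ask about: lockouts from one workstation during business hours read as a user who needs coaching, while lockouts spread across hosts or occurring at night are routed to the ISO for verification before anyone contacts the user. Archiving each month's output alongside the raw log is the documentation trail the article calls for.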
The personnel of a bank are the backbone of the bank’s compliance and security structure. A good training program is, therefore, an essential component of the overall compliance program. It instills in staff a thorough knowledge of best practices, and it helps to position the institution as proactive in setting high standards for security.
It is critical that proper training be given to company system administrators (SAs) and to information security officers (ISOs). All employees should be trained on possible threats, on security concerns, and most importantly, on policies and procedures.
Dividing responsibilities. Separation of duties is a significant component of a comprehensive security program. Without a clear delineation of duties, financial institutions may become exposed to security vulnerabilities.
Responsibilities of SAs and ISOs should, for example, be clearly explained and divided. The SA’s primary responsibility is to keep systems running and to ensure appropriate employee access to programs and data. An ISO’s goal is to ensure that system security is managed and that employees correctly follow security policies.
Training. SAs and ISOs should regularly attend information-security classes and seminars. In addition, each institution should schedule security awareness training for all employees to ensure that they are familiar with the organization’s rules and processes for handling sensitive data. This training will reduce the possibility of staff accidentally disclosing important and private information.
As an example, if a customer calls a bank trying to find a username and password for an account, the employee handling the call should know not to give this sensitive information over the phone. In many cases, however, employees have not been trained to recognize that this kind of query may be an attempt to steal information through a ruse known as social engineering, and that providing this information could endanger the security of the financial institution’s computer system and thus compromise sensitive data.
Technology committee. Thanks in part to the regular IT examinations they must prepare for, financial institutions have begun to create technology committees comprising personnel from across the enterprise. This group is responsible for making strategic technology decisions and has broad responsibility for managing technology.
“We have our ISO, SA, and at least one member of the executive management team involved in all meetings,” says Cheatham of Insurors Bank. She says that in her experience, strong IT personnel and management involvement are keys to successful IT operations and also seem to be a high priority for the bank’s regulators. The committees help to ensure and highlight that involvement.
The frequency of committee meetings and the composition of the committee may vary from institution to institution. How those issues are dealt with will depend on the level of technology deployed, the complexity of the environment, and the size of the institution.
Records. Detailed records should be kept of all meetings where IT policies and procedures are discussed, including those of the technology committee. The records should note when there is board of directors’ participation and when there are approvals of policy changes. These records serve to validate that the board is actively involved in the development and management of network security.
Regular meeting schedules should be maintained with formal agendas, and minutes should be issued for review and approval at subsequent meetings. Minutes should also be given to executives and board members not in attendance.
Records should be clear, consistent, and comprehensive. Passing an IT exam is just as much about being able to prove compliance as it is about being compliant.
“Regulators often want to know the management reporting style as well,” says Reynolds. “How the IT security measures are conveyed throughout the bank is important,” he says. Sometimes examiners will ask the IT staff and the board the same question to see whether they get the same response. “They want to know that every member of the team understands the role of IT on the same level and in the same way.”
Partners. According to Gwen Bridges, senior vice president of risk management for Greenville First Bank, Greenville, South Carolina, her institution considers its core providers and other partners as part of the internal team and deems it important to relay that to examiners.
“Any time we have third-party access to our systems, we make sure to review activities from our core provider, as they should be in compliance, too. Doing so enables us to document and verify that we are fully aware of all activity taking place, including at our technology and service partners,” she says.
“We expect to have to explain our due diligence in selecting vendors to provide key outside services and/or for items purchased,” adds Cheatham. “Examiners want to see that a detailed process is used to ensure that vendor relationships are valid and stable. We have a systematic approach to choosing our partners and use a comprehensive list of review items and/or requirements in performing due diligence and in negotiating vendor contracts.”
Implementing multiple layers of security protection is crucial to protecting a financial institution against threats and vulnerabilities, and examiners are looking for proof that an institution is addressing both the outside perimeter and the inside network, such as file servers and e-mail servers. Having a multilayered security approach helps guard institutions from both external and internal threats.
A multilayered approach is like a gated neighborhood. The gate keeps outside traffic from penetrating the neighborhood; however, if an outsider gets in, the guard serves as another layer of defense and is there to stop the intruder from moving forward. Also, each house in the neighborhood is guarded with locks and an alarm system or a dog, thereby protecting the valuables within the house.
These multiple layers of protection imitate the way a multilayered security system should work at a financial institution. There is not just one solution to protect all applications or platforms, but rather it is important for financial institutions to adopt several layers of defense that are specifically designed to address the multiple levels of vulnerabilities in technology systems.
User rights. One effective way to verify standard internal controls and procedures is by having SAs regularly review user rights and permissions. It’s also important for HR and IT to work together to keep user IDs and passwords current and, for example, to disable them immediately when an employee is terminated. Again, all these processes need to be documented.
Financial institutions can also hire independent consulting firms to perform vulnerability and penetration tests for third-party validation. The assessments may test both the perimeter and the inside of an institution’s network. A more comprehensive vulnerability assessment also incorporates an analysis of the internal network, policies, and procedures. Based on the stability or vulnerability of the network, a report card is created that grades how well the system works. Having these independent reports provides the examiner with proof that financial institutions are in compliance with industry standards.
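The user-rights review described above (SAs reviewing permissions, HR and IT reconciling terminations) is easiest to document when it is produced by a repeatable procedure. The script below is an added example and is not code from the article or from any institution it quotes: it reconciles a constructed account-directory export against a constructed HR roster and a role matrix, and returns the findings an SA must act on, including an enabled account for a terminated employee, an account that was disabled late, group memberships beyond the department's role, a dormant account, and an account with no HR owner. The roster, account records, group names, role matrix, thresholds and dates are all assumptions made for illustration.

```python
"""Quarterly user-rights review: reconcile the account directory with the HR
roster and list the findings an SA must act on and an examiner will ask about.

Added example, not code from the article or from any institution it quotes.
The roster, accounts, group names, role matrix, thresholds and dates are
constructed assumptions for illustration.
"""
from collections import Counter
from datetime import date

# Constructed HR roster: employee id -> record. term_date is None while active.
HR_ROSTER = {
    "E100": {"name": "Alice", "dept": "Teller",     "status": "active",     "term_date": None},
    "E101": {"name": "Bob",   "dept": "Operations", "status": "terminated", "term_date": date(2006, 2, 28)},
    "E102": {"name": "Carol", "dept": "IT",         "status": "active",     "term_date": None},
    "E103": {"name": "Dave",  "dept": "Teller",     "status": "active",     "term_date": None},
    "E104": {"name": "Erin",  "dept": "Teller",     "status": "terminated", "term_date": date(2006, 1, 10)},
    "E105": {"name": "Frank", "dept": "Operations", "status": "active",     "term_date": None},
}

# Constructed account-directory export: username -> record.
ACCOUNTS = {
    "alice":      {"emp": "E100", "enabled": True,  "groups": {"branch-users"},                  "last_login": date(2006, 3, 30), "disabled_on": None},
    "bob":        {"emp": "E101", "enabled": True,  "groups": {"branch-users", "ops-reports"},   "last_login": date(2006, 2, 27), "disabled_on": None},
    "carol":      {"emp": "E102", "enabled": True,  "groups": {"branch-users", "domain-admins"}, "last_login": date(2006, 3, 31), "disabled_on": None},
    "dave":       {"emp": "E103", "enabled": True,  "groups": {"branch-users", "ops-reports"},   "last_login": date(2006, 3, 29), "disabled_on": None},
    "erin":       {"emp": "E104", "enabled": False, "groups": {"branch-users"},                  "last_login": date(2006, 1, 9),  "disabled_on": date(2006, 1, 25)},
    "frank":      {"emp": "E105", "enabled": True,  "groups": {"branch-users", "ops-reports"},   "last_login": date(2005, 11, 1), "disabled_on": None},
    "svc_backup": {"emp": "E999", "enabled": True,  "groups": {"domain-admins"},                 "last_login": date(2006, 3, 31), "disabled_on": None},
}

# Assumed role matrix: the groups each department's staff may hold.
ROLE_MATRIX = {
    "Teller": {"branch-users"},
    "Operations": {"branch-users", "ops-reports"},
    "IT": {"branch-users", "domain-admins"},
}


def review_user_rights(roster, accounts, role_matrix, today,
                       stale_days=90, max_disable_lag_days=1):
    """Return (username, finding, detail) tuples for everything that breaks the
    documented process; an empty list is the evidence that it was followed."""
    findings = []
    for user, acct in sorted(accounts.items()):
        emp = roster.get(acct["emp"])
        if emp is None:
            # Account with no HR owner: a leftover or shared credential nobody is accountable for.
            findings.append((user, "ORPHAN", "no HR record for owner; disable pending ownership review"))
            continue
        if emp["status"] == "terminated":
            if acct["enabled"]:
                findings.append((user, "TERMINATED_ENABLED",
                                 f"terminated {emp['term_date']}; disable immediately"))
            else:
                # Disabled, but was it disabled "immediately"? Measure the lag for the record.
                lag = (acct["disabled_on"] - emp["term_date"]).days
                if lag > max_disable_lag_days:
                    findings.append((user, "DISABLE_LAG", f"disabled {lag} days after termination"))
            continue
        # Active employee: compare held groups with what the department role permits.
        excess = acct["groups"] - role_matrix.get(emp["dept"], set())
        if excess:
            findings.append((user, "EXCESS_RIGHTS",
                             f"groups beyond {emp['dept']} role: {sorted(excess)}"))
        idle = (today - acct["last_login"]).days
        if acct["enabled"] and idle > stale_days:
            findings.append((user, "DORMANT", f"no login for {idle} days; confirm still needed"))
    return findings


def finding_counts(findings):
    """Counts by finding type: the figures that go into the monthly summary."""
    return dict(Counter(kind for _, kind, _ in findings))


def sample_review():
    """Run the review over the constructed data as of an assumed review date."""
    return review_user_rights(HR_ROSTER, ACCOUNTS, ROLE_MATRIX, date(2006, 3, 31))


if __name__ == "__main__":
    for user, kind, detail in sample_review():
        print(f"{user:<12}{kind:<20}{detail}")
    print(finding_counts(sample_review()))
```

Keeping the findings as structured tuples rather than free text lets the same run feed both the SA's work list and the quarterly count that goes to the board; the dated output from each review, kept with the roster and directory exports it was built from, is the proof that the documented process was actually carried out.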
“We have intrusion prevention tests at the end of every month,” says Georgia Bank and Trust’s Bly. “The examiner was very impressed with our monthly vulnerability and penetration testing reports. Additionally, we have an external auditor run annual tests, which shows us as proactive in testing not only our systems but our partners’ as well.”
Audit. Financial institutions can go a step further with a separate form of independent proof. An IT audit conducted by properly accredited auditors, such as a CPA firm, will review a financial institution’s technology management, personnel, key vendor relationships, and policies. In addition, independent testing can be conducted to validate and certify that proper standards have been implemented. Each of these building blocks provides an examiner with an accurate representation of the institution’s technology environment.
Increased regulatory requirements and scrutiny from the federal government, as well as the risk of reputational loss, have made information and network security a necessity rather than an option within financial institutions. When IT security procedures are followed, institutions will not only pass examiners’ evaluations but will also get an A+ when it comes to protecting customers’ resources and information.
Danny Johnston is the president and CEO of Georgia-based Gladiator Technology Services, Inc. Gladiator is a managed security service provider focused on information security protection for the financial industry.
Peter Piazza is associate editor with Security Management.