Building a Better Hen House

Posted by OnCourse Staff December 13, 2010 6:33pm

For the banking industry, IT security is an ever-changing concern that must be addressed with the most recent threats in mind. For many institutions, security is handled by policy-based IT audits and annual penetration tests performed by external vendors.

To truly prevent a fox from getting into your "hen house," so to speak, you must go above and beyond penetration tests and policy-based IT audits. Below is a recent conversation I had with "Joe Management" where I discuss one way to go above and beyond - the vulnerability assessment.

What is it and why do I need it?

A vulnerability assessment is an identification of control issues through an exhaustive technical process. In other words, we can't just sample anymore. Computers are used to examine every piece of hardware connected to the Bank's LAN. Think of them as mini risk assessments: they look at all of the settings, the software installed, and the vulnerabilities in that installed software. It's just not practical to audit all of that manually.

Is it just a high tech audit report?

No, a vulnerability assessment is not an audit report. Where audit reports are exception-based, vulnerability assessments should present as much information as possible in order to ensure that the Bank, at the very least, is aware of the issues. The report should not be considered a critique, but rather a vehicle to deliver information.

The reality of IT in community banking is that outsourcing is here to stay. Many community banks do not possess the resources and/or in house expertise to adequately implement and then manage IT solutions. Using vendors allows them to get the expertise at a reasonable cost. But how do those in positions of oversight know that the solutions are secured sufficiently? How does management know that their vendors are doing what they are supposed to do?

So, this is something I can use to help manage my vendors?

Absolutely. A vulnerability assessment provides management with a tool to open a dialog with the vendor to gain comfort that the controls implemented are sufficient. The vendor can then explain the compensating controls to management. Management can then document the process and express their comfort to the audit committee. In this way, all parties can gain comfort that for the issues that are identified, risks are assessed, and controls are implemented, from the perspective of, and as they apply to, the specific needs of the Bank.

In cases where controls do not exist, management becomes aware of the issues and implements new controls. The idea is that you, as management, can research the issues in the context of your other mitigating controls and derive a final risk that is representative of the Bank. In other words, a vulnerability assessment defines the inherent risks associated with its findings - you then research them and determine your residual risk.

A vulnerability assessment is a tool that you can use to effectively manage your vendors and at the same time use with the board to get funding and buy-ins for the work that you think needs to be done.

Who performs the assessment? The internal auditors? Another security company?

Ideally, your internal audit staff should perform the assessment as a standard part of the IT audit. That will allow them to opine on the overall IT posture of the organization.

In community banks, the process of validating the adequacy of IT security has traditionally been completed through audit. Audit is a control that validates the adequacy of other controls. A typical IT audit focuses on controls as they relate to policy and procedures. The complexity of modern IT infrastructures requires more.

The days of auditors coming into your bank and taking screenshots of the password policy on the domain controllers are done. The IT infrastructure - of even a small community bank - is too complicated, too fluid, and vulnerabilities emerge too quickly to effectively audit manually.

If your auditors don't have the technical expertise to perform the assessment themselves, then you should hire someone else to do it for you. Your auditors can attest as to the results and the remediation.

We had an internal penetration test done, why do I need an assessment as well?

A vulnerability assessment should not be confused with a penetration test. The assessment starts from the premise that you don't know where the vulnerabilities lie on the network. Vulnerability assessments are designed to be a comprehensive identification of issues so that you can fix the issues you might have missed. In order to perform a comprehensive assessment, the auditor will require elevated permissions on the network.

On the other hand, the FFIEC defines a penetration test as follows:

A penetration test subjects a system to the real-world attacks selected and conducted by the testing personnel. The benefit of a penetration test is that it identifies the extent to which a system can be compromised before the attack is identified and assesses the response mechanism's effectiveness. Because a penetration test seldom is a comprehensive test of the system's security, it should be combined with other monitoring to validate the effectiveness of the security process.

Did you read the last line of the definition? "Because a penetration test seldom is a comprehensive test of the system's security, it should be combined with other monitoring to validate the effectiveness of the security process".

The reality is that audit is unable to comprehensively identify issues due to the complexity of modern infrastructures. Penetration tests are not designed to identify issues. You need a vulnerability assessment as well.

Wait; did you say "elevated privileges"? We are very, very concerned about customer data and don't want to give the level of access required for the assessment.

Great, but let's take a moment for introspection. Ask yourself if other factors are contributing to your hesitation. Is the culture of the bank such that any issue identified results in a rebuke from those above? Are other things happening at the Bank that can't afford to be interrupted? Does the comprehensiveness of the assessment scare the IT department? Are you concerned about how the report will be interpreted by the regulators or by the audit committee?

Be honest with your answers. Ask yourself if your resistance to the process is actually an indicator of a larger problem. It usually is. Now talk to your auditor and resolve the issue in a way that makes everyone comfortable. The security of the Bank is too important to let cultural and personal issues get in the way.

Nope, we're just prudent.

Excellent, it's good to be prudent. In fact, the FFIEC guidance lists a number of key factors for management to consider before IT testing is performed (FFIEC IS Examination Handbook pages 88-90). They include understanding the personnel, scope, notifications, and the potential impact on data integrity, confidentiality, and availability. However, the FFIEC guidance does not state that you shouldn't have a review performed, only that you consider the key factors prior to starting.

You already have a trusted relationship with your internal auditors. If they have the expertise to perform the assessment then you have probably already addressed all of the key factors that the FFIEC suggests you consider.

Great, I have this comprehensive report. Now how do I present it without scaring the audit committee?

Vulnerability assessments are large reports. They are intentionally designed to provide as much information as possible.

The presentation to the audit committee should emphasize the availability and sharing of knowledge so that they can understand the risks you have to deal with and are responsible for mitigating. Your auditors should explain that a vulnerability assessment is not an exception-based internal audit report. Instead, it is a tool for management to ensure the security of the organization.

The audit committee has to understand that the next steps involve assessing the issues and implementing a plan for remediation. Very rarely will an audit committee be concerned about individual issues. They need to know what the risk is to the Bank (the assessment) and what's being done to fix the issues (the remediation).

In most cases they are genuinely pleased as they get a high level of comfort that the IT security controls have been comprehensively evaluated. The same goes for the regulators.

Is there anything else to know?

As management, you should understand that the report allows you to highlight your efforts to the board and to the regulators.

IT security is a moving target. Vulnerabilities evolve very quickly and you do nothing but deceive yourself if you think a policy based IT audit is enough to protect your Bank. As far as assessing the adequacy of your IT controls, don't judge yourself on the number of issues identified. Judge yourself on the adequacy of your process. When you identify issues be pleased and then fix them. Say to yourself, "There is no way I can know everything, but my process makes me stronger". That's the reality of IT. Accept it and you'll be doing more for the security of your Bank than any other single thing you could do. The strength of your process is what's going to ultimately determine the security of the bank.
