15 Dec 2015

Community Banks Options for Help with Cybersecurity Regulations

Financial institutions today are under pressure to comply with mounting regulatory requirements, especially as they relate to cybersecurity guidelines. In fact, the FFIEC recently issued an update to the FFIEC Information Technology Examination Handbook’s Management Booklet to more explicitly integrate cybersecurity concepts. Additionally, the FFIEC released a new resource called the Cybersecurity Assessment Tool (CAT) to help financial institutions identify risks and determine cybersecurity preparedness. This in-depth “assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time,” according to the FFIEC.

Due to the “increasing volume and sophistication of cyber threats,” cybersecurity has quickly become a hot topic with regulatory agencies. Regulators expect banks to show evidence that they are measuring cybersecurity threats and preparedness using the CAT or a comparable framework. This expectation applies to banks of all sizes, from a rural one-branch bank to a national bank with billions in assets. For smaller banks with fewer resources and less compliance expertise, complying with the new regulations and requirements can be a challenge.

While some regulatory agencies have indicated that completion of the Cybersecurity Assessment Tool is not mandatory, all have stated they intend to use the tool to assess banks’ cybersecurity readiness. Examiners have already begun to issue verbal and written recommendations to financial institutions that have not filled out the CAT.

After completing the CAT, many community banks are finding they have a higher risk factor than they expected and are frantically searching for ways to efficiently manage the strategies needed to mitigate that risk.
What are your bank’s options for mitigating this increased cybersecurity risk?

Try to manage it yourself

Many banks that try to manage cybersecurity guidelines themselves in-house often run into hurdles immediately. Maintaining the knowledge and expertise of the evolving regulatory environment is a time-consuming endeavor. The CAT assessment alone is about 128 pages. Small banks do not have the bandwidth to manage cybersecurity compliance efficiently and in a manner that meets regulator demands. Many community banks simply can’t afford to have a team dedicated to regulatory management.

Use a local IT service provider

Community bankers have a natural inclination to “shop local,” and that includes looking for service providers who can assist with IT and compliance needs. However, it is also important to understand the risks that generalist IT service providers pose to your institution given today’s oversight environment. Local IT service providers often do not have experience with the regulatory demands bankers face. Auditors and examiners will expect a thorough paper trail to prove that daily practices match defined policies and procedures, and often this must flow through IT resources. Knowledge of your banking applications, cybersecurity and compliance environment is vital!

Engage an experienced bank IT and compliance professional

To help augment limited personnel resources, community banks are increasingly partnering with financially-focused IT and security service providers to better manage their growing compliance and security needs. It is important to partner with an organization with the right skills, knowledge and expertise.

The right IT service provider couples security measures with an understanding of and support for the unique compliance demands of the financial industry.

08 Dec 2015

Is Cybersecurity Part of Your Bank’s Compliance Program?

Cybersecurity has become a topic of interest to every community bank and credit union due to the growing dependence and reliance on technology, including smart phones and other mobile devices. In the financial industry it has also come under increased regulatory focus, and continues to be a hot topic for the foreseeable future, which is evident with the release of the FFIEC Cybersecurity Assessment Tool (CAT) and the updated FFIEC Management Examination Handbook.

So, exactly what do regulators expect from your community bank, and how does that differ from what you may be doing already? More importantly, with additional new guidance pending, how should you demonstrate cybersecurity compliance?

The FFIEC developed the CAT to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment tool provides a repeatable and measurable process for financial institutions to measure their current state of cybersecurity preparedness, and track changes over time.

The CAT has two sections: the inherent risk profile and the cybersecurity maturity level. Inherent risk is a function of the type, size and complexity of your institution’s operations, and does not take into account any existing mitigating controls. The second section of the CAT is designed to help your institution measure its behaviors, practices and processes related to cybersecurity preparedness, resilience and recovery.

What Comes after the Cybersecurity Assessment?

Once a financial institution has completed both sections, management can create a “gap analysis,” meaning they can decide what actions may be needed to either reduce inherent risks or increase control maturity to bring the actual state in line with the desired state. This is where the biggest challenge may lie for most financial institutions, because the concept of a “desired state” requires you to establish a “risk appetite,” or an acceptable level of cyber risk. For the vast majority of financial institutions offering some electronic banking products, this level is greater than zero, but may have not been formally approved. Once your risk appetite is established, you are then able to determine whether or not your residual risks are acceptable.

Right now, most financial institutions seem to be on the first step of simply completing the CAT. It’s important to note that even though some regulatory agencies have indicated that completion of the tool is not mandatory, all the agencies have stated they intend to use the tool to assess your cybersecurity readiness.

So what should your financial institution be doing now in order to comply with new Cybersecurity regulations?

You need to make sure you have kept your information security, business continuity and vendor management policies and procedures up to date. There is no regulatory requirement to have a separate cybersecurity policy as long as cybersecurity is in each of those existing policies. You need to have procedures in place to secure customer and confidential data and recover critical business processes regardless of the source or nature of the threat. Your risk assessments should all be impact-based, not threat-based, but make sure they all contain specific references to the source of the risk.

Make Sure your Vendor Management Program Accounts for Cyber Threats

Vendor risk assessments will need to be adjusted if they don’t specifically account for cyber threats. For example, critical vendors should be assessed for their exposure to, and protection from, cyber threats, with your controls adjusted accordingly (e.g., audit reports, penetration tests). Your business continuity planning risk assessment should account for the impact and probability of cyber-attacks, as well as traditional fraud, theft and blackmail. Regulators will likely be looking for specific references to cyber concerns, so make sure your Vendor Management policies include a reference to them as well.

Hopefully you’ve already incorporated cyber-based security elements into your overall information security program, and very little adjustment needs to be made. Regardless of what your specific approach to cybersecurity may entail, prepare to discuss what you are doing – and how you are doing it – with the regulators. They will ask about it!

03 Dec 2015

Can Smaller Community Banks Afford a Dedicated Resource to Manage IT Networks and Workstations?

Managing a financial institution’s IT network is a full time, demanding job! A community bank’s IT administrator needs to truly understand the increasing complexity of IT operations, continuously changing regulatory requirements and FFIEC compliance guidelines. However, many smaller community banks are often located in communities that lack the qualified personnel resources to efficiently manage their IT and regulatory responsibilities.

In addition, community banks often can’t afford to have a team dedicated to IT management. Given the remote location of some community institutions, locating, training and retaining qualified individuals is a challenge, and many community banks cannot afford to pay qualified individuals enough to keep them. Banks that do try to maintain an in-house department often spend an inordinate amount of time and effort recruiting and training staff as community banks are faced with losing employees to competitive salaries in the marketplace.

However, regardless of location and size, these community banks are under the same regulations as larger institutions. Regulatory agencies are continuously changing and increasing regulations around cybersecurity and network management. In fact, the FFIEC recently released the Cybersecurity Assessment Tool (CAT) that is designed to help institutions identify their risks and determine their cybersecurity preparedness. Even though some regulatory agencies have indicated that completion of the tool is not mandatory, all the agencies have stated they intend to use the tool to assess an institution’s cybersecurity readiness, and have already begun to issue citations to financial institutions that have lapses or are not meeting regulations.

Smaller financial institutions should be looking for ways to more efficiently manage their IT networks and compliance strategies. Oftentimes, they determine outsourcing the management of IT needs and security risks is the most cost-efficient method.

Another factor small community banks should consider is the need for an outsourced provider to manage individual PCs and workstations in addition to their IT networks. By assigning an outsourced provider to manage your bank’s individual PCs and workstations, the chance of a workstation developing issues is reduced, and any issues that do arise are easily resolved without added stress on the bank’s IT team.

Given their modest internal resources, smaller community financial institutions can benefit from outsourcing or partnering with a provider who offers network and workstation management solutions exclusively tailored for community banks. Having a service in place that offers key features such as patch management, third party patching, antivirus, hardware and software inventory management, vulnerability remediation and compliance-focused reporting to verify that your financial institution’s network is adhering to your policies and procedures is critical in today’s environment.

Capabilities to look for in an outsourced solution include:

  • Network and Workstation Monitoring
    A solution should be able to provide proactive remote monitoring, alerting, preventive maintenance, ticketing, support and reporting for servers, workstations and other devices.
  • Network Management
    A team of certified network engineers who have expertise, banking knowledge and a true understanding of a financial institution’s technology and technology needs. This expertise ensures issues are resolved in a timely and efficient manner.
  • Workstation/PC Support
    This includes bank applications as well as internal systems and applications. Tasks such as keeping the individual computers up-to-date with anti-virus software are completed and managed by the provider.
  • Compliance-Focused Reports
    Reports that deliver pertinent and useful information to help management ensure the institution is adhering to FFIEC regulatory policies and procedures and to meet the expectations of regulators and examiners.
  • Documentation
    Dedicated account managers and experts who understand the financial industry’s regulatory requirements and overall best practices. The Account Manager should deliver compliance-focused Quarterly Control Self-Assessments and Annual Systems Reviews as recommended by the FFIEC as well as provide ongoing strategic planning, technical consulting and participation with your technology committee meetings.
  • Compliance Guidance
    IT regulatory assistance by experts who can be available for IT audit and examination support. Working together pre- and post-audit/exam, this team prepares banks and credit unions for audits and examinations and can assist the financial institution with any findings.
  • Education and Webinars
    Continuous education and webinars on recent trends and changes in technology and compliance provide financial institutions with a forum where they can learn and interact with subject matter experts and banking peers.

Eliminating the burden of IT network and workstation management, security and regulatory compliance enables your institution to focus on strategy and customer care and have peace of mind in knowing your institution is safe from cybersecurity threats and in compliance with government regulations.



Free White Paper



Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.



Dispelling 5 IT Outsourcing Myths within Financial Institutions



23 Nov 2015

Top 5 Considerations for Black Friday Technology Purchases for Banks

Who doesn’t love a deal? It’s the American way to search out the lowest price for that must-have item, especially around the two biggest discount days of the year, Black Friday and Cyber Monday. If, however, you are trying to take advantage of holiday discounts when buying for your financial institution, it may not be quite as simple as spotting that low price and clicking the buy button. Even with that irresistible deal you could end up actually spending more money in wasted equipment/software, duplicate configuration time, and accelerated depreciation schedules. So how can you make wise IT purchasing decisions, but still enjoy the shopping festivities? Here are the top five things to consider if you are looking to buy hardware or software for your financial institution during these bargain bonanzas.

  1. Watch the warranty:

    Consumer advocates like Clark Howard commonly tell folks to skip the extended warranty when purchasing consumer electronics. This can be a sound strategy for your personal devices where hardware failure may result in a boring plane ride or a less entertaining jog. When purchasing for the workplace, however, downtime costs you money. To ensure that you are minimizing your likelihood of downtime, a warranty that covers parts and labor with an acceptable replacement timeframe needs to be standard. Ideally, it will include covering the labor costs of a technician coming to your site or, at minimum, free expedited shipping for replacement parts or off-site repairs. You don’t want to deal with constantly carting these items back and forth to a retail shop for repairs. Not only can this be frustrating, but it also hampers employee productivity and could potentially open your data up to further risk.

  2. Is it a refurb or special build?

    Many of these sales are able to offer lower prices because they are selling refurbished equipment. While refurbished machines have a solid track record of performance there are many other questions to be answered such as:

    • Does this item come with any support?
    • Which components are actually covered under any warranty?
    • How long do I have to determine if the item is working as advertised?

    Additionally, many stores and manufacturers create special builds for these large retail events. These combinations of hardware components and software builds are commonly used to clear backlogged stock, so the resulting builds may not always make the most technical sense. In some cases hardware components may be poorly balanced against one another, or one component may be more dated (and fated for faster obsolescence) than the other components. In other instances, bundled deals advertised as having the same technical specifications may have equivalent or comparable, but not identical, internal components per device. When shopping for business purposes, one-offs and small batch builds should generally be avoided unless you have the in-house expertise and administrative leeway to give that equipment the appropriate special attention. Be sure you read through all of the technical information before you make a purchase in order to avoid any surprises.

  3. What’s the return policy?

    Make sure that anything you purchase is going to have a return policy that fits with your plans and timelines. For example, if you are going to take on a major PC replacement project in the middle of the first quarter next year, it probably doesn’t make sense to purchase your PCs now if they have a 30-day return policy. You’ll likely need longer than a month just to get around to testing them.

  4. Be wary of close outs.

    You can get some really great prices on close out items. Because they are brand new, many feel that this is a better option than buying the newer generation at full price. Well, maybe, but you really need to understand what it is you are buying. How fast will the manufacturer “end of life” the product (i.e. stop providing updates and any kind of support)? Is this a purchase that will have to be expanded later? Will parts be available at that point? If you aren’t careful you can end up with an asset that has a much shorter lifespan than you anticipated.

  5. Home licenses don’t do the job.

    Over the years this has been the most common mistake I’ve seen people make when they are in a bind for a PC. Often, they run out to the local big box store and purchase a PC off the shelf, seemingly resolving their issue. Many big box stores are geared towards personal rather than business users, and return policies for computer hardware or software purchases are typically more restrictive than for other products. What might seem like minor details during the purchase can add up to a significant licensing cost. A user might unbox and set up their new workstation before realizing that it has a home edition of Windows, or the wrong version of Microsoft Office with “click-to-run” patching. Neither of these products is designed for a business environment, and the store may no longer accept the workstation as a return once it has been used. Often, the only workaround here is to replace the consumer-grade software with the business equivalent, and this can be a nasty added expense. Before you make any purchase you should make sure that all the software running on the device is ready for the enterprise and not simply intended for home use.

Black Friday and Cyber Monday both offer very tempting deals that many consumers, and even some businesses, are looking to take advantage of. It’s easy to get caught up in the momentum of the shopping season and purchase equipment or software after only a cursory glance. If you intend to take part in this annual flurry of commerce, then please make sure to take your time and understand exactly what it is that you are buying. Otherwise, that supersaver, white hot, limited quantities, limited time, guaranteed best price, too good to advertise, blowout bargain purchase may wind up costing you more in the long run.



Free White Paper



Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.



Dispelling 5 IT Outsourcing Myths within Financial Institutions



17 Nov 2015

Is Your Multi Location Financial Institution Ready for a WAN Outage?

Have you planned for a backhoe at a construction site six blocks over cutting your (only) Internet connection? How about a car accident that knocks down the utility pole outside your main office, and severs the connection to your core provider? Have you looked to make sure there are no water pipes in the ceiling above your communications closet? If you aren’t fully prepared for communications outages, then you are not alone. While you cannot account for every contingency that might befall your bank or credit union, it certainly pays to prepare. During your next WAN infrastructure review, consider the following concepts to help build better resiliency for your WAN communications.

Have a Primary and Failover Site for Your WAN Connectivity

You should never put all your eggs in one basket, and having a single hub through which all devices must connect creates a single point of failure. In addition to your main office or operations center, consider upgrading a branch location to act as a backup communications hub for failover purposes. Both your primary and backup locations should be set up with connectivity for the Internet, the WAN (MPLS, T1, Metro-E, etc.) and the Core, at a minimum.

Be mindful of the following considerations regarding your secondary/failover site:

  1. You should have a fully functional firewall protecting any Internet connections at your communications failover site. Similarly, if you choose to leverage VPN technology and inexpensive Internet connectivity to provide a secondary connection for your WAN (branch) communications, then make sure that you have the appropriate firewalls or other devices in place at all locations to facilitate this plan.
  2. Don’t forget about specialty communications equipment. If you have a separate appliance for Fedline access or a router for VPN connectivity back to your ATM provider, then be sure to duplicate these devices at your secondary location.
  3. If you implement two different connections which use the same media or physical wire (e.g., phone and WAN data), then you have concentrated your risk. It only takes one line to be severed for both your connections to go down.


Automatic vs. Manually Assisted Failover

Now that we have discussed the kinds of solutions you want to have in place and where you want them, let’s discuss the technology behind maximizing these tools. It’s essential to understand that there are two types of failover: automatic failover and manually assisted failover. While the natural initial reaction is to opt for automatic failover, this may be cost-prohibitive, or may not be possible with your mix of technologies and vendors. Choosing the right option for your financial institution requires a full understanding of the differences between these two options. Let’s look at a few scenarios:

Automatic Failover

As the title implies, an automatic failover involves routing devices automatically adjusting routing and data flows based on conditions detected on the network. For example, picture a financial institution that has four branches with redundant connectivity at the main office and a designated Disaster Recovery (DR) site. If Internet connectivity were to go down at the main office, then the routing devices at the remaining branches would detect the outage and automatically start sending traffic destined for the Internet to the DR site. This allows the other branches to continue working, sometimes nearly seamlessly, and minimizes the outage to only the main office.

When the problems are resolved at the main office, the branches will detect that their preferred path is once again available, and will reroute to send Internet traffic through the main office. This option is ideal, because no action is necessary by the networking team to change routes at all the branches. This minimizes the downtime during failover/failback events.

While this option is usually the fastest way to adapt to network outages, it requires significant setup, testing and administration time. Additionally, all devices involved must be capable of using the same protocols to detect and adjust to changes in the environment.

Manually Assisted Failover

As mentioned above, automatic failover may not be feasible in all situations, and there are other scenarios where administrators may want to retain some manual control. One common reason to opt for manual failover is when an institution hosts its own DR equipment. If you have built a hot DR site with equipment and connectivity mirroring your production environment, the last thing you want to do is automatically fail all operations over to the DR equipment because of a temporary glitch in one of your telco circuits. While this may sound harmless enough, it creates a situation where you are working with live data on two different systems, and you will likely end up with a messy data merge, lost files and end-user frustration.

When adding data and server resources into the mix, administrators might prefer to tightly control when to “flip the switch” to cut over to DR resources and adjust communication routes. This option may be more desirable for savvy administrators overseeing complex networks, but the additional control often comes at the expense of failover/failback speed.
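The two sections above describe the behavior an automatic failover must have (detect the preferred path going down, move traffic to the DR site, and fail back when the preferred path returns) and the failure mode a naive implementation runs into (a single telco glitch flipping everything to DR). The following is an added example, not code from Safe Systems or from any router vendor: a small Python model of a branch router's path selection driven by periodic health probes, with flap dampening so that a path is only declared down after several consecutive failed probes and only restored after several consecutive successes. The site names, thresholds and the probe results are all constructed for the example; production routers implement the same idea with protocol timers and tracked health checks rather than with a script.

```python
"""WAN failover path selection with flap dampening (added example).

Models a branch router choosing between a preferred path (main office)
and a backup path (DR site). A path is declared down only after
FAIL_THRESHOLD consecutive failed probes and restored only after
RECOVER_THRESHOLD consecutive successes, so a one-probe glitch does
not cause a failover/failback flap. All inputs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PathState:
    """Health state of one WAN path, updated from periodic probe results."""
    name: str
    up: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0

    def observe(self, probe_ok: bool, fail_threshold: int, recover_threshold: int) -> None:
        if probe_ok:
            self.consecutive_failures = 0
            self.consecutive_successes += 1
            # Only bring a down path back after a sustained run of good probes.
            if not self.up and self.consecutive_successes >= recover_threshold:
                self.up = True
        else:
            self.consecutive_successes = 0
            self.consecutive_failures += 1
            # Only take a path down after a sustained run of failed probes.
            if self.up and self.consecutive_failures >= fail_threshold:
                self.up = False


class FailoverController:
    """Selects the active path: preferred while healthy, backup otherwise."""

    def __init__(self, preferred: str, backup: str,
                 fail_threshold: int = 3, recover_threshold: int = 5) -> None:
        self.preferred = PathState(preferred)
        self.backup = PathState(backup)
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.active: Optional[str] = preferred
        # (tick, old_active, new_active) for every failover/failback event
        self.events: List[Tuple[int, Optional[str], Optional[str]]] = []

    def _select(self) -> Optional[str]:
        if self.preferred.up:
            return self.preferred.name
        if self.backup.up:
            return self.backup.name
        return None  # both paths down: total outage, nothing to route to

    def tick(self, t: int, preferred_ok: bool, backup_ok: bool) -> Optional[str]:
        """Feed one round of probe results; return the active path afterwards."""
        self.preferred.observe(preferred_ok, self.fail_threshold, self.recover_threshold)
        self.backup.observe(backup_ok, self.fail_threshold, self.recover_threshold)
        chosen = self._select()
        if chosen != self.active:
            self.events.append((t, self.active, chosen))
            self.active = chosen
        return self.active


# Constructed probe results per tick: (preferred_ok, backup_ok).
PROBES = [
    (True, True), (True, True),
    (False, True),                               # t2: single-probe glitch, no failover
    (True, True), (True, True),
    (False, True), (False, True), (False, True), # t5-t7: real outage, failover at t7
    (False, True),
    (True, True), (True, True), (True, True),    # t9-t13: sustained recovery,
    (True, True), (True, True),                  #         failback at t13
]


def run_simulation(probes=PROBES):
    """Run the controller over a probe series; return timeline and events."""
    ctl = FailoverController("main-office", "dr-site")
    timeline = [ctl.tick(t, p_ok, b_ok) for t, (p_ok, b_ok) in enumerate(probes)]
    return {"timeline": timeline, "events": ctl.events}


if __name__ == "__main__":
    result = run_simulation()
    for t, path in enumerate(result["timeline"]):
        print(f"t={t:2d} active={path}")
    for t, old, new in result["events"]:
        print(f"t={t}: {old} -> {new}")
```

With these thresholds the glitch at t2 leaves traffic on the main office, the three consecutive failures from t5 move it to the DR site at t7, and it only returns at t13 after five clean probes. Tuning the two thresholds is the trade-off the post describes: lower values react faster, higher values resist flapping at the cost of a longer outage before failover.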

A Backup is Not a True Backup until it is Tested

Having a plan in place is a nice first step to build your redundancy and communications resilience, but the smallest of overlooked details can quickly derail your efforts. You wouldn’t trust your critical data backups without periodically testing restore capabilities, so why wouldn’t you test your communications backups?

Test your communications failover plans (at least) once a year to verify your WAN resiliency works as intended. Be sure to thoroughly document not only what went right with your test, but also what went wrong or what adjustments were necessary. This documentation allows you to learn from mistakes and address any gaps in your plans. Auditors and examiners will also want to review this testing documentation, so you should aim for incremental improvements from year to year and test to test.

Financial institutions may overlook another important backup need by neglecting to back up the configurations for routers and smart switches. Routing configurations can balloon in complexity over time as automatic failover is added and routing is optimized, and you do not want to lose all of the hard work that went into building those configurations due to failed hardware. Be sure to back up the router or switch configurations after configuration changes to ensure the fastest recovery from failed equipment. If you are uncomfortable managing these backups on your own, there are services available to monitor networking equipment that also automatically copy down device configurations on a regular schedule.

Finding and configuring the right mix of technologies to keep your financial institution running can be a daunting task. If you would like some help figuring out how to navigate the different circuit and failover options available, then consider enlisting the help of technology experts. The right technology partner should be familiar with the unique needs of financial institutions to help you stay technically afloat without running afoul of regulatory requirements.



Free White Paper



Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.



Dispelling 5 IT Outsourcing Myths within Financial Institutions



10 Nov 2015

Safe Systems Introduces Vendor Management Software for Banks and Credit Unions

Recent cybersecurity incidents affecting financial institutions have largely involved third-party service providers, prompting increased attention by regulators, and increased scrutiny on oversight of third party relationships. To maintain compliance with today’s stringent regulatory environment, community banks and credit unions must ensure their vendor management processes monitor and document every aspect of their vendor relationships, including vendor concerns such as financial viability and information security practices of their vendors.

To address this concern, we at Safe Systems are now offering our new vendor management solution to the marketplace. This web-based software automates the process of contract management, product risk assessment, and controls review to help banks and credit unions effectively manage third-party service providers and maintain regulatory compliance. This proven solution has been in use by a select group of approximately 20 client institutions during the past year.

“By the time I had used Safe Systems’ Vendor Management application for several weeks, I was convinced that this product met State Bank of Cochran’s needs for an automated vendor management solution. Their Vendor Management application met all of the regulatory specifications of a sound vendor management program: risk assessment, due diligence in selecting a third party, contract structure and review, documentation and reporting, as well as independent reviews, and ongoing oversight,” said Leesa Anderson, CTO of State Bank of Cochran.

As a Software as a Service (SaaS) solution, our vendor management software centralizes vendor profiles and data into a client dashboard to provide real-time alerts, reporting, and recommended controls. This customizable solution enables banks to automate vendor management activities, assess risk, and easily upload and track contracts from multiple vendors. Our vendor management solution also stores information in a SOC1 and SOC2 audited datacenter and integrates vendor information into our client management portal, “the Safe.” In addition, we provide ongoing training and consulting services with each license.

Vendor management is often the most understaffed function within a bank’s IT department. Many community financial institutions keep track of their vendor management activities manually using spreadsheets, but with our web-based software solution, banks and credit unions can easily monitor and manage multiple third-party service providers, understand the level of risk each vendor poses to the institution, and ensure compliance with regulatory guidelines.

09 Nov 2015

Top 5 Considerations Overlooked by Community Banks When Ordering New PCs

Several factors are often overlooked when banks order new PCs or laptops. It can be extremely aggravating to receive your hardware order only to find that a missed detail makes it difficult or even impossible to deploy the machine as intended. Such oversights can lead to long delays in your project timelines, and force you to deal with the hassles and added expense of the return process. You want to get your hardware order right on the first try. To help avoid some of the more frequently missed details, here is a list of five of the most commonly overlooked details by banks and credit unions that should be considered before purchasing new hardware:

  1. Compatibility with existing hardware and peripherals

    If you are planning to replace an older machine and will need to work with existing peripherals such as scanners, monitors or printers, then it is important to verify that the new system has the necessary ports available to seamlessly connect those devices. Don’t assume that your new hardware will have all of the same hardware connections as your old system. As computer hardware technology advances, the ports and connections that interlink technology components evolve. Ports that were considered standard fare in previous years may have been replaced by new technology, or may have been eliminated from standard builds altogether. For instance, installing teller stations that cannot connect to existing serial validator printers may lead to extra expense and costly downtime for your employees.

    Similarly, you should plan ahead if you want to implement a new feature during a hardware upgrade. If you have specific needs such as dual monitors or wireless connectivity for a desktop, then make certain the computer can support the necessary feature right out of the box. Serial ports, VGA/DVI ports, Display Ports, HDMI ports, wireless cards and the number of available USB ports should all be considered before placing your order.

  2. Compatibility with existing banking software

    Another commonly overlooked aspect of planning a PC purchase is whether or not the new system will be compatible with the software applications your bank is currently using. While this is becoming less of an issue as time passes, situations still arise where programs are incompatible with more recent operating systems. In other situations the software manufacturer may require an upgrade to support the modern operating system, sometimes requiring your institution to incur unforeseen costs. Even if the programs do run fine on the newer hardware and operating system, manufacturers may not provide full support for their product on computers running on an operating system they have not officially cleared.

  3. What software will you need?

    Understanding what software will be required for the user to perform their role is essential to avoiding irritating delays and unnecessary expenses. If a second order has to be placed after the hardware is received, not only are you forced to wait on processing and shipping, but ordering this way will likely cost more money than placing the order with all the correct software initially. A great example is Adobe Acrobat. The standard version will add roughly $70 to the cost of a computer; however, if purchased after the fact, the cost rises to nearly $300. Proper planning of your software needs can save both time and money.

  4. What is the optimal setup for the workspace?

    Consider the physical space these systems will occupy. Is there enough room? If you plan on adding larger monitors or moving to a dual monitor setup, then be sure to ask, will the area accommodate that? Will the user be able to operate the scanner or reach the validator printer in that space? Would a touch screen work better in that space? Full size desktops, laptops, small form factors, all-in-ones and even tablets all make up the dizzying array of options available today to solve your space-function conundrum.

  5. What is my plan for a PC failure?

    Do you have spare systems available for emergencies or new hires? If the answer is no, then weigh the cost of having an employee out of action for a few days due to failed equipment against the cost of proactively purchasing an extra system or two. Having spare equipment lets you be flexible when responding to unexpected issues. When a new employee is hired, you will already have the equipment on hand and can concentrate on merely resupplying your stock. This is even more effective if identical equipment is used for multiple purposes throughout the bank (e.g., workstation models that fit both under desks and on the teller line).

With all of these hardware advances, software choices and requirements from your core banking software provider and other banking software vendors, planning for hardware upgrades has become more involved than ever. If you find all of these choices and considerations more than a little confusing, or simply do not have the time to deal with the hassle, then consider employing a hardware provider experienced in both banking and technology. The right partner will help you navigate the sea of available options to find the systems and technology to answer your institution’s current needs and prepare you for future growth.



Free White Paper

Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.



03 Nov 2015

What Community Banks Should Budget for, but Often Forget


As 2016 budget season quickly approaches, I wanted to share the IT, Security and Compliance budget items community banks and credit unions should budget for, but often forget. While creating a budget can help you execute your strategy, any shortcomings (to respond to changes in regulation or things you didn’t think about ahead of time) can quickly derail your plans and force you to make critical trade-offs. Since we work with more than 300 financial institutions just like yours, we are constantly researching what’s coming next, both from technology and compliance viewpoints. While this list is not comprehensive, it highlights the top items you should consider as you build your budget for 2016.


Here’s our list of what banks often forget to (but should) include in their budgets.

1. Business Continuity Planning and Testing: $3,000 – $8,000

You must ensure that your business continuity policies, procedures and practices are in compliance with constantly changing regulations. A business continuity plan (BCP) should be a living, functional document that keeps pace with any changes in your infrastructure, strategy, technology and human resources. Be sure to budget for the following:

  • BCP updated to meet current regulations
  • Annual plan testing to validate
  • Training for gaps found during test or updates to the plan

2. Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500

Cybersecurity has come under increased regulatory focus, and with the latest Cybersecurity Assessment Tool being released this year, it promises to be a hot topic for the foreseeable future. You need to make sure you keep your security, business continuity and vendor management policies and procedures up to date.

3. New and Replacement Technology: $500 – $10,000

Be sure all products that vendors are sunsetting are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to current best practices.

  • Windows Server 2003 servers (end of support July 14, 2015)
  • VMware ESXi hosts on 5.1 or lower (end of support August 24, 2016)
  • SQL Server 2005 or earlier instances (end of support April 12, 2016)
  • SYSVOL replication migrated from FRS to DFSR
  • Extended warranties on hardware more than 3 years old
  • Veeam Backup & Replication upgraded to version 8 or higher

4. Robust Vendor Management Solution: $2,500 – $5,000

With financial institutions delivering more products and using more vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become quite cumbersome. An automated solution may enable you to be more efficient and will ensure all i’s are dotted and t’s are crossed.

5. Training: $500 – $1,500

Information security is an issue that affects not only your institution, its employees and Board of Directors, but also your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. Make sure your employees and customers have access to training commensurate with their needs. Information security knowledge affects all employees at some level, so ensure that your budget includes the appropriate training for each type of employee and customer.

6. Vendor and User Conferences: $1,000 – $1,800

It is important to stay up to date with the latest features and industry changes. One way to do this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.

Including these items within your 2016 budget now will prevent you from having to make difficult decisions and trade-offs next year.







27 Oct 2015
How well are you managing your vendors?

Banks – Reduce Risk, Increase Compliance with Vendor Management Software!

Today community financial institutions are increasingly relying on third party vendors for critical software, products and services. Regulations repeatedly make it clear that the use of third party vendors or service providers does not reduce the responsibility of your financial institution to ensure that data is safe, secure and complies with all applicable laws, regulations and security best practices. Often this is accomplished through a vendor management function within your bank or credit union.

It is more important than ever for financial institutions to manage their vendors, but many struggle with the best way to do so efficiently and successfully. Until recently, most institutions had only a handful of managed vendors, which could be tracked manually in a spreadsheet. While this may have worked in the past, regulators now expect all vendors to be risk-assessed, which easily overwhelms a manual process. In addition, spreadsheets provide no proactive alerting for expiring contracts and upcoming vendor reviews. They also offer no way to collaborate across the organization, and they make producing management reports and documentation challenging.

Banks and credit unions should strongly consider the benefits of automating their vendor management functions using vendor management software designed specifically for the requirements of financial institutions. Implementing an automated solution for managing vendor relationships saves a tremendous amount of time and virtually eliminates compliance headaches.


Centralize critical vendor management data

Having an automated system in place helps ensure all vendor information such as contracts and audit reports are located in one place. A centralized location provides financial institutions a way to efficiently manage multiple vendors and all the activities involved in managing a vendor relationship; from assessing the risks, to evaluating controls. It also ensures easy access for all those within the institution who are involved with managing the relationship. The ability to assign multiple vendor managers is an important feature for institutions struggling with the burden of addressing a greatly increased workload.

Use technology to manage the vendor management process

An automated online alerting feature ensures all bank and credit union stakeholders are notified of important key dates, including contract renewals (including auto-renewals), upcoming vendor reviews and annual Board reviews. It offers a comprehensive, up to the minute summary of the vendor relationship and ensures your financial institution is alerted to significant dates and all required activities.

Automate reporting and documentation processes

Automated systems also make providing proper documentation and reports to regulators a lot easier. In order to comply with newly implemented FFIEC regulations, every bank and credit union must be able to provide proper documentation on the monitoring of its vendor management program. Automated solutions provide reports that include a comprehensive inventory of vendors, due diligence results, contracts, risk management reports, reports to the board of directors and management committees.

Automating vendor management functions not only saves time but also helps with ensuring your financial institution is in compliance with all the increased regulatory expectations and guidelines now in effect around vendor management. Ultimately, it is your financial institution’s responsibility to protect your customers and members and their sensitive data. An automated vendor management solution is a very effective tool for not only properly managing the process, but providing the necessary proof in the form of documentation to all stakeholders – management, auditors, and examiners!

White Paper Download

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture



Get a Copy



22 Oct 2015

Eight Keys to Creating and Managing Your Passwords

In recent years, hackers have developed sophisticated methods using malware such as bots, worms and viruses to infiltrate systems and capture your critical data without you knowing until it is too late. IT staffers at community banks and credit unions around the country defend against these attacks with antivirus software and firewalls.

Despite these efforts, it is likely that the most vulnerable point in the line of defense is you, or more specifically, your passwords. The whole point of passwords is to defend against threats to your valuable and sometimes personal data. Therefore, cyber thieves often attempt to gain entrance into banks and credit unions through targeted attacks on bank employees. That is why it has become so important to understand the keys to creating, managing and securing all of your passwords.

Top 8 Keys to Password Creation and Management

  1. Make passwords impersonal.
    Avoid using names and dates such as birthdays, wedding anniversaries, spouse names, kids’ names, grandkids’ names, pet names, etc. These are some of the most popular and overused passwords today, which makes them easy for an attacker to guess. If you are using personal names and dates as your passwords, you are not giving yourself a high level of security.
  2. Mix letters, numbers, case and symbols in your passwords.
    Try several words joined by symbols, such as “Run?Jump?Laugh?Fun?”, or substitute numbers and symbols for specific letters, such as “$+@p135&0ff1c3M@x” instead of “Staples&OfficeMax.” Mixing lower-case and upper-case letters adds another layer of complexity. Bear in mind that password-cracking tools apply exactly these substitutions (“@” for “a”, “0” for “o”, “$” for “s”) to every word in their dictionaries, so a substituted dictionary word is only marginally harder to guess than the plain word; the number of words and the separators between them do more for you than the substitutions.
  3. The longer the password, the better.
    Passwords should contain as many characters as possible; length is the single biggest factor in a password’s strength. When allowed, a password should be a minimum of 12 characters. Each additional character multiplies the number of combinations an attacker must try by the size of the character set in use, so the search space grows exponentially with length rather than linearly.
  4. Use a formula to create your passwords.
    Be sure the formula isn’t easily identifiable. For example, “MarkJaneLucyBob” has a lot of characters but anyone who sees this knows you are most likely using your family names as your password. “Ma*Ja*Lu*Bo!” is much more secure and not too difficult to remember.
  5. Never reuse your passwords.
    Although it is tempting to use the same password in multiple programs or sites, it is not a good idea. If your password is compromised in one place, you are immediately vulnerable in every other place you used it. Whenever possible, randomly generate a unique password for each program or site you use.
  6. Change your passwords on a regular basis.
    This key becomes more important if you are not following the previous keys regarding personalization and complexity. A complicated, lengthy, randomly generated password that is not reused on other sites may be acceptable to use for an extended period of time. Conversely, a short, simple password built from personal names and dates that is reused on multiple sites should be changed much more regularly.
  7. Use a password management program.
    While these tools have security issues of their own, since they hold the key to all your passwords, they are really the only practical way to manage all of your user names and passwords. A heavy internet and social media user can easily have 50 passwords or more, while even a novice user most likely has as many as 15. These cannot be maintained long term without help. Smartphone apps offer various password management options, and the app store will provide ratings and reviews from other users. Respected industry resources such as CNET or PC Magazine also publish trustworthy lists of options.
  8. Test the strength of your passwords.
    There are free tools that score the strength of a password you type in. One option that provides a score is The Password Meter, which gives users a percentage score and a complexity rating. Another, called “How Secure is my Password?”, estimates how long it would take to crack your password by brute force. Two cautions: never type a password you actually use into a third-party website (test one built the same way instead), and remember that these meters estimate resistance to exhaustive guessing only, so a dictionary word with a few substitutions will score better than it deserves.

With the amount of valuable, personal data in need of protection it is important to create and maintain secure passwords as part of your overall data security strategy. As part of our Security service offerings, Safe Systems provides system hardening, system monitoring and validation. We also offer DNS Protect, which defends against internet-based threats on all servers, workstations and laptops on your network.






20 Oct 2015

The Importance of a Core-Agnostic IT Services Provider


Let’s face it, managing multiple vendor relationships can be a headache! Today many financial institutions are looking to streamline their IT vendor relationships as much as possible and want vendors and core providers that will include all their products and services in a single contract. While that may seem nice and easy from a vendor management perspective, it concentrates risk with that one vendor, something FFIEC guidance cautions against.

Understanding the Compliance Risks

In fact, earlier this year the FFIEC issued an update to the Business Continuity Handbook to help financial institutions in understanding and managing the risks associated with outsourcing a bank activity to a service provider. The new appendix, appendix J, entitled Strengthening the Resilience of Outsourced Technology Services, focuses on third-party oversight and cybersecurity, confirming that these two areas will come under ever-increasing scrutiny.

One-Stop Shops Increase Your Compliance Risks

While having one vendor to manage may seem like a good idea, putting all your eggs in one basket concentrates your risk factors. It is wiser to work with several vendors, which spreads out risk and does not force an institution to rely solely on one service provider. This can be a challenge if you work with a core vendor or processor that bundles all services together.

The intertwined relationship between the financial institution and the core processor that bundles all services makes it difficult for the institution to make IT changes and leaves little room for negotiation with their network monitoring services. The more services your institution has with core processors, the less you are able to negotiate on renewal pricing. In addition, if you switch core processors, you run the risk of being charged a fee for converting from one platform to another. If your financial institution’s internal network servers are intermixed with core banking servers and you decide to switch your core system, your IT network and IT management system will need to change or be modified.

A majority of core providers have acquired their IT network management provider. The acquired companies usually have a large cross section of core clients, but once acquired, these IT service providers are primarily interested in servicing and growing their core provider relationships. Core processors that build their own IT managed services internally often don’t have the experience and understanding of how to make other core systems run optimally with IT networks.

Working with an IT network management provider that is owned by a core banking software provider that is different from your bank’s core system is not a good long term strategic fit for your bank. The core-owned IT management services companies are focused on their company’s core banking systems. Their knowledge of other core systems will diminish over time, and their interest is really being in a one-stop shop for their core clients. There are often issues and finger pointing between a bank and its core provider over network issues and these situations will only be exacerbated by such a relationship.

Assessing and Minimizing Non-Compliance Risk

When assessing your institution’s risk with respect to IT network management, some areas to think about are the timing of your bank’s core renewal, the likelihood your bank may change core processors, and the likelihood your bank may acquire another bank. In addition, track the year-over-year count of banks on your same core processing solution that your IT services provider supports. If that number is going down, the risk of losing expertise specific to your institution’s configuration goes up.

In order to avoid these pitfalls, it is important to separate IT network operations providers from your core system. Having separate support providers also strengthens the network from a security standpoint, increases flexibility and addresses the FFIEC vendor diversification issue. This separation provides you with the flexibility needed to make changes easily or independently, make the best decisions on internal network management, and not be tied to one vendor to manage IT network activities and core banking functions.






13 Oct 2015

Vendor Management Best Practices for Community Banks and Credit Unions



Vendors play an important role in the financial services industry. Financial institutions rely on third-party service providers to offer specialized services and technology assistance that help improve the overall quality and efficiency of their organizations.

To perform these services, vendors often must access, transmit, store or process sensitive information, including customers’ personal information. Financial institutions are responsible for managing the inherited risk, which is the residual risk the institution acquires, or inherits, from each service provider. Financial institutions must be aware of and responsible for any cybersecurity risks of their vendors and the potential for those vendors to expose the bank or credit union to additional risks.

Regulators have issued guidance to help in understanding and managing the risks associated with outsourcing a bank activity to a service provider. To remain in compliance with governing organizations, it is important for all financial institutions to strengthen their vendor management programs. These enhancements safeguard the confidentiality and availability of the data and also minimize the impact if a data breach occurs.

To help your community financial institution execute vendor management safeguards, here are some best practices for implementing a successful, secure and compliant vendor management program.


Centralize Vendor Information

To efficiently manage multiple vendors and all the activities involved in managing a vendor relationship, it is important to have all information housed in one centralized location. It also serves as a central repository for regulatory reporting.

Assess Risk

Have a list of all vendors that conduct business with the financial institution and rank each vendor according to its level of access to critical data and its importance to operational activities. For most institutions, only about 10-15% of vendors are considered high risk, but all outsourced relationships must be risk-assessed. Establish risk tiers and implement different controls for the different risk levels.

Review Controls and Perform Due Diligence

Once risks have been assessed, the financial institution should perform due diligence on all vendors, with the intensity of the effort commensurate with the risk category: low-risk vendors may only need a cursory review, while high-risk vendors need a deeper dive. Due diligence activities include reviewing and assessing the vendor’s financial health; its knowledge of and familiarity with the financial services industry and banking regulations; the information security controls it has in place; and its ability to recover from breaches or disasters. These activities and the vendor relationships need to be documented, and procedures put in place that ensure the vendor information is updated and monitored on an ongoing basis. Those same procedures must also ensure that service providers are complying with any applicable consumer finance laws and regulations, and have a plan in place to promptly identify and address problems.

Proper Documentation and Reporting

In order to comply with newly implemented FFIEC regulations, every bank and credit union must be able to provide proper documentation on the monitoring of its vendor management program. This documentation should include (at a minimum) a current inventory of vendors, due diligence results, contracts, risk management reports, reports to the board of directors and independent review reports. It should also be able to easily identify all high inherent risk vendors and all high residual risk vendors.
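Pulling the Assess Risk, Review Controls and Documentation steps above (and the expiring-contract alerting the 27 Oct post says spreadsheets cannot provide) into one runnable sketch, here is an added example that is not Safe Systems’ product code. The scoring scales, tier thresholds, review cadence and the four vendors are this example’s own assumptions, not values prescribed by FFIEC guidance; an institution substitutes its own.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed scales: inherent risk = data access + criticality (0..6). An
# institution would calibrate these against its own risk appetite.
DATA_ACCESS = {"none": 0, "internal": 1, "confidential": 2, "customer_npi": 3}
CRITICALITY = {"low": 0, "moderate": 1, "high": 2, "critical": 3}
# Assumed due-diligence cadence per inherent-risk tier (days).
REVIEW_INTERVAL_DAYS = {"high": 365, "medium": 730, "low": 1095}


@dataclass
class Vendor:
    name: str
    data_access: str        # most sensitive data class the vendor touches
    criticality: str        # operational impact if the vendor fails
    control_rating: int     # 0 = no evidence .. 3 = strong, independently tested
    last_review: date
    contract_end: date
    auto_renews: bool = False
    notice_days: int = 0    # non-renewal notice due this many days before contract_end


def inherent_score(v):
    return DATA_ACCESS[v.data_access] + CRITICALITY[v.criticality]


def residual_score(v):
    # Residual = inherent risk less what the vendor's evidenced controls offset.
    return max(0, inherent_score(v) - v.control_rating)


def tier(score):
    return "high" if score >= 5 else "medium" if score >= 3 else "low"


def inherent_tier(v):
    return tier(inherent_score(v))


def residual_tier(v):
    return tier(residual_score(v))


def next_review_due(v):
    return v.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[inherent_tier(v)])


def alerts(vendors, today, horizon_days=90):
    """(vendor name, kind) pairs for anything due inside the horizon or already
    missed: reviews, contract ends, and auto-renewal notice deadlines."""
    horizon = today + timedelta(days=horizon_days)
    out = []
    for v in vendors:
        due = next_review_due(v)
        if due < today:
            out.append((v.name, "review_overdue"))
        elif due <= horizon:
            out.append((v.name, "review_due"))
        if today <= v.contract_end <= horizon:
            out.append((v.name, "contract_ending"))
        if v.auto_renews:
            # The decision point for an auto-renewing contract is the notice
            # deadline, not the end date; flag it even if already missed.
            if v.contract_end - timedelta(days=v.notice_days) <= horizon:
                out.append((v.name, "notice_deadline"))
    return out


def board_summary(vendors):
    """The two lists examiners ask for: high inherent and high residual risk."""
    return {"total": len(vendors),
            "high_inherent": sorted(v.name for v in vendors if inherent_tier(v) == "high"),
            "high_residual": sorted(v.name for v in vendors if residual_tier(v) == "high")}


# Constructed sample register (hypothetical vendors) and an as-of date.
VENDORS = [
    Vendor("Core Processor Inc", "customer_npi", "critical", 3,
           date(2014, 9, 1), date(2018, 3, 31), True, 180),
    Vendor("Item Capture Co", "customer_npi", "high", 0,
           date(2014, 6, 15), date(2016, 1, 15), True, 90),
    Vendor("Managed Network Provider", "confidential", "critical", 2,
           date(2015, 3, 1), date(2016, 2, 28)),
    Vendor("Office Supply Depot", "none", "low", 0,
           date(2013, 1, 10), date(2016, 12, 31)),
]
AS_OF = date(2015, 10, 13)

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name:26} inherent={inherent_tier(v):6} residual={residual_tier(v):6} "
              f"next review {next_review_due(v)}")
    print(board_summary(VENDORS))
    for name, kind in alerts(VENDORS, AS_OF):
        print(f"ALERT {name}: {kind}")
```

Note the distinction the example draws: the core processor is high inherent risk but only medium residual risk because its controls are evidenced, whereas the item-capture vendor with no control evidence lands on both lists, and its auto-renewal notice deadline, not the contract end date, is what the 90-day alert window catches.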

Following these steps will help ensure your financial institution is in compliance with the regulations and guidelines around vendor management. Ultimately, it is the financial institution’s responsibility to ensure all sensitive data is protected. Implementing the above processes and procedures will help create a solid vendor management program.




07 Oct 2015

Vendor Management — An Undermanned Function in Community Financial Institutions


While the issue of vendor management and oversight is not new to the financial services industry, recent enforcement actions and guidance from the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB) and the Federal Financial Institutions Examination Council (FFIEC) have given financial institutions a new set of expectations to meet.

The Times They Are a-Changin’

In fact, earlier this year the FFIEC issued an update to the Business Continuity Handbook to assist financial institutions in understanding and managing the risks associated with outsourcing a bank activity to a service provider. The new appendix, appendix J, entitled Strengthening the Resilience of Outsourced Technology Services, focuses on third-party oversight and cybersecurity, confirming that these two areas will come under ever-increasing scrutiny. Banks are now more than ever, encouraged to conduct due diligence and take their own steps to ensure vendors address security gaps.

The definition of service provider has expanded, which means that most institutions will need to expand their list of managed vendors way beyond simply those that provide banking services. The Federal Reserve issued a regulatory update in 2013 titled “Guidance on Managing Outsourcing Risk.” In it, they defined “service providers as all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.”

Regulators know the vast majority of financial institutions outsource at some point; in fact, recent studies put the number of financial institutions that transmit, process or store information with third parties at more than 90 percent. They also know that most recent cybersecurity incidents affecting financial institutions involved third-party service providers.

Cybersecurity is an additional reason for enhanced vendor management.

Why? Because banks must manage the “inherited risk” of their vendors. Inherited risk is the residual risk the institution acquires, or inherits, from each service provider. Banks must be aware and responsible for any cybersecurity risks of their vendors and the potential for those vendors to expose the bank to additional risks. Incident response is also an area financial institutions need to monitor and control, because when preventive controls aren’t effective, responsive controls must compensate.


Spreadsheets are simply not enough

Most community financial institutions do not have a formal internal department dedicated to vendor management and have historically failed to stay on top of their third-party relationships because of a lack of manpower and resources. In fact, only one of our 300 clients has a dedicated vendor relationship manager. Instead, this responsibility usually falls to the IT department on a part-time basis, and many still perform the process manually: about 90 percent of our clients track their vendor management activities in Excel. However, for an average community financial institution to properly perform vendor due diligence and vendor management, some form of automation is required, because managing ongoing due diligence and contract tracking across multiple vendors is a very time-consuming task.

In addition, a certain set of expertise is required to adequately perform this important function. To adequately perform vendor management responsibilities, the person must be able to maintain their expertise on an ongoing basis, have the time to work closely with the business manager who owns the relationship and be able to work with the vendor or other stakeholders within the bank when necessary, as well as have a strong technology background and truly understand banking and financial services.

With regulators now demanding greater control and accountability from financial institutions, how will your financial institution enhance its vendor management program?




30 Sep 2015

Time to Evaluate Your Bank’s Voice and Data Network Solution?


Recommendation #1: Keep and Maintain a Hardware Inventory

If you don’t have a hardware inventory record for your bank, it’s a great place to start. A complete list should include the following for both voice and data equipment:

  • Make
  • Model
  • Software Level/Firmware Level
  • General Function – Server, Firewall, Router, Switch, PBX
  • Warranty Term and Expiration Date
  • End of Support Date and End of Life Date

Tip: Remember to include routers, switches, servers, PBXs, wireless access points, and essentially any other device that has an IP address. Flag devices that are approaching or past end of support or end of life; a device that no longer receives firmware fixes is a security exposure, not just a maintenance risk.

Recommendation #2: Keep and Maintain a WAN Services Inventory

It’s also a good idea to keep and maintain a WAN services inventory for each location in your financial institution. The inventory should include the following information:

  • Circuit Provider
  • Circuit Type – T1, Ethernet, Cable Modem
  • Circuit Bandwidth
  • Circuit Function – MPLS, Internet, Point-to-Point, Voice (PRI/SIP/Analog)
  • Provider Contract Signing Date
  • Provider Contract Term – 12 month, 24 month, 36 month, 60 month

Tip: Most WAN and telecom circuit contracts run 36 months. Carriers will offer shorter terms (24 or even 12 months), but expect to pay a premium of roughly 20% or more for each step down in term.


Recommendation #3: Review Your Voice and Data Solution Annually

Because bank voice and data networks are a large portion of your IT operating expense, the best practice is to conduct a yearly review of your technology solution.

For example, if you have not reviewed your MPLS network costs in the past year, you may be paying too much. Pricing pressures from competing providers (e.g., cable companies) have significantly reduced the cost of MPLS WAN circuits in recent years. In addition to pricing, technology advances at a lightning pace, so your solution might have become outdated since your last review.

Tip: If it has been a year or longer since you reviewed your business communication solution, odds are it is time for a review.


Engineering Best Practice

Create complete hardware and WAN service inventories to help you better manage your bank’s current business communication solution. These inventories will be very useful when you are ready to review your technology for improvements – you need to know what you have to work with before you start to solve problems. Once you have a thorough understanding of your existing IT communications environment, review your options to ensure you have the best price and technology available.
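As an added example (not part of the original post), the PowerShell below takes the two inventories described in Recommendations #1 and #2 and produces the review list Recommendation #3 calls for: every device within 180 days of its end-of-support date and every circuit within 180 days of the end of its contract term. The inventory rows are constructed sample data, and the column names and function name are this example's own.

```powershell
# Added example, not from the original post. The CSV rows below are constructed
# sample data; a real bank would export them from its inventory spreadsheet.
$Hardware = @'
Name,Make,Model,Function,Firmware,EndOfSupport
fw-main,Cisco,ASA5506,Firewall,9.4(1),2025-10-31
rtr-branch1,Cisco,2901,Router,15.2(4)M,2016-02-15
sw-core,HP,2920-48G,Switch,WB.15.16,2020-01-01
pbx-main,Avaya,IP Office 500,PBX,9.0.7,2015-12-31
'@ | ConvertFrom-Csv

$Circuits = @'
Site,Provider,Type,BandwidthMbps,Function,ContractSigned,TermMonths
Main,CarrierA,Ethernet,50,MPLS,2013-03-01,36
Branch1,CarrierA,T1,1.5,MPLS,2014-06-15,36
Main,CableCo,Cable Modem,100,Internet,2015-01-10,12
'@ | ConvertFrom-Csv

function Get-RenewalAlerts {
    param(
        [Parameter(Mandatory)] [datetime] $AsOf,   # date the review is run
        [int] $WarnDays = 180                       # lead time needed to renegotiate or replace
    )
    $alerts = @()

    # Hardware: compare the vendor's end-of-support date with the review date.
    foreach ($h in $Hardware) {
        $eos  = [datetime]::ParseExact($h.EndOfSupport, 'yyyy-MM-dd', $null)
        $days = [int]($eos - $AsOf).TotalDays
        if ($days -le $WarnDays) {
            $alerts += [pscustomobject]@{
                Item     = $h.Name
                Kind     = 'Hardware'
                Reason   = "$($h.Make) $($h.Model) ($($h.Function)) end of support"
                Date     = $eos.ToString('yyyy-MM-dd')
                DaysLeft = $days
            }
        }
    }

    # Circuits: contract end = signing date + term in months.
    foreach ($c in $Circuits) {
        $signed = [datetime]::ParseExact($c.ContractSigned, 'yyyy-MM-dd', $null)
        $end    = $signed.AddMonths([int]$c.TermMonths)
        $days   = [int]($end - $AsOf).TotalDays
        if ($days -le $WarnDays) {
            $alerts += [pscustomobject]@{
                Item     = "$($c.Site)/$($c.Function)"
                Kind     = 'Circuit'
                Reason   = "$($c.Provider) $($c.Type) $($c.BandwidthMbps) Mbps contract ends"
                Date     = $end.ToString('yyyy-MM-dd')
                DaysLeft = $days
            }
        }
    }

    # Negative DaysLeft means the support period or contract term has already lapsed.
    $alerts | Sort-Object DaysLeft
}

Get-RenewalAlerts -AsOf (Get-Date) | Format-Table -AutoSize
```

Run it as part of the annual review. Anything with a negative DaysLeft is already out of support or out of contract: unsupported network gear should be replaced or isolated, and an expired circuit contract is the moment to get competing quotes rather than roll over at the old rate.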

Don’t Go It Alone!

Safe Systems has seasoned WAN and telecom engineers that will help you throughout the process of evaluating your bank’s voice and data solution. There are a lot of choices, but we can ensure you get the right technology for your bank’s unique voice and data needs.




Free White Paper



Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.






24 Sep 2015

Replace Legacy Replication of Microsoft DC Data for Increased Management, Performance and Reliability


The Current State of SYSVOL Replication

So what is SYSVOL, how does it replicate, and why should your bank or credit union care? SYSVOL is the set of files replicated between domain controllers that contains the files Group Policy needs along with any logon scripts used to map drives, configure printers, and so on. A domain controller (DC) is a Windows server that hosts Active Directory: it stores user account information, authenticates users, and enforces security policy for the domain (definition adapted from Webopedia). For logon scripts and Group Policy Objects to work properly, SYSVOL must be copied accurately and promptly to every domain controller in the domain. Originally this copy was performed by the File Replication Service (FRS), which dates from Windows 2000 and Windows Server 2003. FRS was deprecated with Windows Server 2008 R2 but is still widely used. As its replacement, Microsoft introduced Distributed File System Replication (DFSR). Because DFSR is far better than FRS, Microsoft has pushed domains forward: a domain created at the Windows Server 2008 functional level or higher uses DFSR for SYSVOL from the start. However, any domain that was created with Windows Server 2003 (or earlier) domain controllers still replicates SYSVOL with FRS until it is explicitly migrated, even if every DC has since been upgraded and the functional level raised.

The Risks and Downsides of FRS

Before even looking at the benefits of DFSR, there are several reasons to switch simply to get away from FRS. First, FRS is deprecated, so it no longer receives bug or security fixes; the service has not been meaningfully updated in years. Second, when any part of a file changes, FRS replicates the whole file rather than just the changed blocks, so it generates far more WAN traffic than necessary. Third, FRS has no self-repair mechanism for problems such as journal wrap, database corruption or morphed folders, which means engineers must respond to alerts and repair replication by hand far more often.


The Top 4 Improvements and Upsides of Using DFSR

  1. Unlike FRS, DFSR is a fully supported replication system. It can replicate just the changed portions of a file (remote differential compression), scales to a far larger number of connections, and has mechanisms for coping with slow or unstable links.
  2. DFSR does not wait for a fixed interval to replicate; it replicates changes immediately and continuously.
  3. DFSR has built-in health reports that list potential issues, which is essential for spotting and resolving problems quickly.
  4. DFSR contains self-healing mechanisms that prevent many errors in the first place. The result is a system that is easier to manage, performs better, is more reliable, and scales further.

The Bottom Line

Almost every domain that predates Windows Server 2008 still needs this migration. Plan to complete it as soon as possible to get the benefits above. The migration also clears up lingering SYSVOL replication problems that break Group Policy, and in a healthy domain the hands-on time is around three hours; each of the three state changes must replicate to every domain controller before the next one can begin, so allow for Active Directory replication latency between steps. For help with the migration, see Safe Systems' Network Monitoring and Management Services.
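As an added example (not code from the original post or from Safe Systems), the PowerShell below drives the three dfsrmig.exe global-state changes of the FRS-to-DFSR migration and waits for each to converge on every domain controller before moving on. It assumes you run it elevated on the PDC emulator with the ActiveDirectory RSAT module (Windows Server 2012 or later) available; the function names are this example's own.

```powershell
# Added example, not from the original post. Run elevated on the PDC emulator.
# Assumes the ActiveDirectory RSAT module (Windows Server 2012 or later).
Import-Module ActiveDirectory

function Test-SysvolMigrationPrerequisites {
    $domain = Get-ADDomain
    # DFSR replication of SYSVOL needs the Windows Server 2008 domain functional level or higher.
    $legacyModes = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
    if ("$($domain.DomainMode)" -in $legacyModes) {
        throw "Domain functional level is $($domain.DomainMode); raise it to 2008 or higher first."
    }
    # Every state change below rides on AD replication, so it must be healthy before you start.
    $failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
        Where-Object { $_.FailureCount -gt 0 }
    if ($failures) {
        $failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize | Out-String | Write-Warning
        throw 'Fix AD replication failures before migrating SYSVOL.'
    }
    if ((& dfsrmig.exe /getglobalstate) -match "'Eliminated'") {
        throw 'SYSVOL already replicates with DFSR; nothing to do.'
    }
}

function Set-SysvolGlobalStateAndWait {
    param(
        [Parameter(Mandatory)] [ValidateRange(1, 3)] [int] $State,
        [int] $TimeoutMinutes = 120
    )
    & dfsrmig.exe /setglobalstate $State | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        # dfsrmig reports "All Domain Controllers have migrated successfully to Global state (...)"
        # once every DC has reached the requested state.
        $status = (& dfsrmig.exe /getmigrationstate) -join "`n"
        if ($status -match 'have migrated successfully') { return $status }
    } while ((Get-Date) -lt $deadline)
    throw "Global state $State did not converge on all DCs within $TimeoutMinutes minutes:`n$status"
}

Test-SysvolMigrationPrerequisites

# Global states: 0 Start (FRS only), 1 Prepared (DFSR copy built, FRS still authoritative),
# 2 Redirected (DFSR authoritative, FRS still running), 3 Eliminated (FRS removed).
# States 1 and 2 can be rolled back with "dfsrmig /setglobalstate 0"; state 3 is one-way.
foreach ($state in 1, 2, 3) {
    Write-Host "Moving SYSVOL migration to global state $state ..."
    Set-SysvolGlobalStateAndWait -State $state
}

# From the Redirected state onward the SYSVOL share is served from the DFSR folder.
Get-SmbShare -Name SYSVOL | Select-Object Name, Path   # expect a path ending in SYSVOL_DFSR\sysvol
```

Two cautions worth stating plainly: dfsrmig copies SYSVOL as it stands, so confirm that every DC currently shares SYSVOL and that FRS is not reporting journal-wrap errors before moving to state 1; and do not move to state 3 until you have verified Group Policy and logon scripts on a DC in each site, because once FRS is eliminated there is no rollback.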







15 Sep 2015

10 Steps on How to Best Manage your Community Bank’s IT Security Program

Protect Your Community Bank with a Comprehensive IT Security Program

A community bank’s digital assets are every bit as valuable as the money in the vault. The business of financial services has undergone a tremendous amount of change in the last decade with the advancement of network technology, online services and the growing demand from customers for 24/7 access to their financial lives. Running a community bank is not simply a matter of managing money and providing loans. It’s about managing data and networks, too.

Because of this technological shift in the industry, network administrators and information technology officers now play a crucial part in ensuring the financial institution’s network and data are protected from viruses, malware and electronic attacks.

There are a number of tools and procedures available that will help any community bank or credit union to operate in the online age with a greater degree of confidence. Some of these steps may seem like obvious security techniques, but the deployment of a layered approach is the first step in building a strong security foundation.

Deploy these 10 Steps to Best Manage your Community Bank’s IT Security Program

  1. Employ a firewall and intrusion prevention system (IPS) solution
  2. Keep your Microsoft systems patched with the latest bug fixes and security updates
  3. Maintain up-to-date virus security software and definitions
  4. Establish a process for critical server vulnerability scanning
  5. Patch ubiquitous third-party applications, such as Adobe, Java and Flash
  6. Have an ongoing server hardening solution to remove common and critical vulnerabilities
  7. Use a hosted DNS solution to protect against malware downloads
  8. Train your employees on information security and best practices
  9. Install a server security solution to monitor activity and help prevent attacks
  10. Have a comprehensive reporting solution for both network management and security review

Deploying these ten steps will provide you the additional peace of mind that comes through sound, comprehensive IT security. These ten components go a long way toward building a comprehensive security program that will help protect your institution and its assets from many malicious attacks.

We understand that community banks like yours are under pressure to manage the constant evolution of technology. By applying these tactics and solutions, you can stay ahead of this ever changing environment while managing costs and resources.

For more information on how to implement these techniques to keep your community bank’s digital assets secure, download Safe System’s complimentary white paper, 10 Components of a Comprehensive IT Security System for Community Banks.






02 Sep 2015

Driving Compliance Through Technology

Look around today’s financial institution and you’ll be hard-pressed to find a department that technology doesn’t touch. Most modern institutions are highly interconnected and dependent on their network infrastructure. In fact, technology is the lifeblood of the modern financial institution.

There is another sometimes overlooked area where technology can facilitate the financial institution’s success – compliance.

It is a full time job for community bank IT professionals to make sure the network is running, email is working, applications are up to date and patched, and all users have just enough access to the network resources needed to do their jobs. This doesn’t even include the extra time spent with auditors, examiners, and the Board to ensure procedures are documented and actual practices align with compliance standards.

While outsourcing some of these processes can alleviate most of the day-to-day pressure of administering and maintaining IT for a financial institution, it doesn’t absolve an institution of the oversight and documentation requirements necessary to ensure secure, up-to-date, and compliant operations.

Instead of being a daily chore, network monitoring, patch management, and troubleshooting can provide the foundation for the institution to build a better compliance posture. How? Automation and documentation.

There are three things examiners look for in a financial institution – written policies, written procedures and documented practices. Most institutions have the right policies and procedures in place but often maintain inadequate documentation of the work being performed; thus, they can tell an examiner they are adhering to appropriate compliance measures, but are not able to show thorough proof of that through documentation.

A typical community financial institution may run several separate software products to manage patches, monitor network resources, and administer the security and antivirus tools that keep machines safe from threats. Each of these systems requires different steps to pull reports and produce the documentation that demonstrates adherence to policies and regulations. To significantly improve the institution's ability to produce the documentation examiners are looking for, IT staff have two choices: manually pull the necessary documentation from each disparate system, or build an internal process to centralize and automate it. Either way, an institution needs a certain amount of technology to pull this off.

A centralized IT dashboard and reporting system can pull data and documentation from multiple systems and assemble the information. The right solution can automate the reporting process for bank examiners and bring critical documentation to your bank’s management team’s fingertips.

All those various systems your IT staff has to manage become one. A centralized and automated reporting system helps break down the silos that can make working with different reports from different systems so time consuming and difficult. Ultimately, a centralized IT reporting system can not only reduce administrative overhead, but also help improve your bank’s compliance posture.

Partnering with Safe Systems to co-manage your bank’s IT infrastructure ensures your financial institution will have the right technology in place to meet IT compliance requirements. With the right policies, procedures, practices, and the documentation to prove it, your financial institution will have the best opportunity to meet your examiner’s expectations. With automated systems and a centralized dashboard from which to monitor processes and generate reports, IT administrators can proactively ensure their institution maintains a strong compliance posture.

At Safe Systems we understand the ever-growing complexity of community financial institution IT operations and the enhanced regulatory requirements these institutions must meet. By making the decision to partner with Safe Systems, your organization will benefit from time saving automation and an in-depth view of your IT network environment. We want to provide you with assurance that your institution’s IT network is functioning efficiently, optimally, securely, and, most importantly, is compliant with FFIEC regulations.




26 Aug 2015

How to Improve Management of Your Bank’s IT Network

The advancement of IT network technology, online banking services and the growing demand from customers to have 24/7 access to their financial lives have changed the business of banking. These changes have shifted the objectives of running a community bank away from simply needing to manage money and provide loans to also managing data and the IT networks that carry this information. From the teller line and the CSR platform to the phone and alarm systems, most modern institutions are highly interconnected and dependent on their IT network infrastructure. It is the lifeblood of today’s financial institution so it is imperative all technology assets work together and efficiently.

To keep every system functioning, it is important to continuously monitor hardware and software for failures and virus detections and to be alerted to required maintenance. A centralized solution that automatically monitors, alerts, opens tickets, and provides support and reporting for servers, workstations, routers, switches, software and other devices is an integral and critical function in today’s community bank.

Community banks face common challenges in terms of the capacity of their IT staff including:

  1. Finding IT Talent. Smaller financial institutions rely on technology to help them deliver the same services as the big banks in their regions; however, it can be very difficult to attract and retain quality IT talent to maintain these complex systems. IT teams (many times a single individual) are tasked with implementing new technologies and applications while keeping the bank’s IT infrastructure running and documenting every change to meet regulators’ demands.
  2. Keeping up with the Patches. When it comes to security, patch management is a critical component of any IT management plan. Patching is also a time consuming task for your bank’s IT personnel. It can take up to 30 minutes to manually patch an individual workstation. However, ensuring patches are up to date, as well as having a documented report of the patches that have been put in place, is crucial for security and compliance in the banking environment.
  3. Sustaining Security while Going Mobile. The shift in the banking industry to online and mobile services has also changed the job of IT network administrators and information technology officers. That’s put a new pressure on this role to ensure the financial institution’s network and data are protected from viruses, malware and electronic attacks from would-be-digital robbers. It’s not an easy job!

Having a programmatic way of proactively monitoring and addressing issues as they occur is imperative to maximize uptime of all systems. Automating these basic IT processes can benefit your financial institution tremendously. It also frees up IT personnel to help deliver services to customers and enhance the bank’s profitability.

With today’s mounting pressures, many community banks are increasingly turning to technology service providers to help manage their IT infrastructure. Such partners bring knowledge, additional resources and expertise to help community banks control and manage their complex IT environments and operate in today’s financial services arena with a greater degree of confidence.

A technology service provider can help consolidate, automate and manage many of the administrative functions that are so time consuming for in-house staff. Automating patch management and reporting saves bank IT administrators a great deal of time. In addition, providing bankers the ability to receive live information for diagnostic or reporting purposes, as well as remote access to the network not only saves time and improves efficiencies, but also helps meet the responsibilities of banking IT managers for documenting the environment for regulators.

When looking for a technology service provider to help your bank, look for the following characteristics:

  • Does the provider offer flexibility in their support services that align with your organization’s IT needs?
  • Does the technology service provider have knowledge and expertise of all the regulatory requirements of financial institutions?
  • Are their support center staff and system engineers well-versed in network and security technologies, as well as understand the unique technical requirements of your core banking platform and ancillary applications?

For more information about ways to improve the management of your bank’s IT network, please download our complimentary white paper, Best Practices for Control and Management of your Community Bank’s Information Technology.

18 Aug 2015

Your IT Administrator Goes on Vacation: Now What?


Summer is nearing an end, and many employees are getting out of the office for their last vacation before school starts. For the community bank IT network administrator, this can be a challenging time. If you are the only person in the IT department, it can be daunting for both you and the financial institution.

A community bank’s technological assets are every bit as valuable as the money in the vault! Today’s community bank relies on the IT department to maintain its hardware and software and to ensure all systems are available when needed. The department is also responsible for monitoring an array of on-going IT concerns like antivirus status, patch compliance and email security to name just a few.

The FDIC encourages mandatory vacation time for bank employees of all levels, so taking some time off may not be a matter of choice. So, what happens when the key individual who is responsible for this crucial aspect of the financial institution is on vacation?

Many financial institutions are turning to IT and security service providers to act as an extension of their organization and help augment internal IT resources. The right solution provider can serve as a true partner and work alongside current IT staff to manage the network and streamline technology needs. When the IT staff is out or unavailable, outsourcing select IT business processes helps fill the personnel gap and provide added peace of mind to all.



An IT and security service provider can help automate and control many of the administrative functions that normally fall to the IT department, making it less daunting for IT personnel to take time away from the office. These service providers can automate Microsoft and third party patch management and reporting, hardware and software inventory management, vulnerability remediation, and compliance-focused documentation and reporting. Providing the ability to actively monitor network information for diagnostic or security issues not only saves time and improves efficiencies, but also helps the bank extend its hours of support beyond the traditional 9 to 5 hours. This expanded presence is key for IT departments with limited staff.

The right technology service provider should offer your bank full support for the demands of today’s banking technology requirements and truly act as an extension of your internal IT department. At Safe Systems we understand the ever-growing complexity of community banks’ IT operations. By making the decision to partner with Safe Systems, your organization will benefit from time saving automation, an in-depth view of your IT network environment, and additional support in co-managing your IT operations. We want to provide you with assurance that the institution’s IT network is functioning efficiently, optimally, securely, and is in compliance with industry regulations at all times; but, especially when your institution’s key IT personnel are out of the office.







11 Aug 2015

How Sound is Your Bank’s Hardware Infrastructure?


Community Banks and Hardware Warranties

While there are many factors that can play into your definition of soundness, some would say your bank’s network is only truly stable if you are fully covered by hardware warranties. In the most basic sense these warranties exist to mitigate the risk of a critical hardware failure. The hardware components you rely upon to provide a stable computing environment are themselves a highly complex amalgamation of numerous subcomponents; unfortunately, it is inevitable that some of these parts are destined to perish before their rightful time. While your community bank’s network users will likely not notice any impact from an all-too-common failed hard drive in a server’s RAID array, everyone will be painfully aware if your SAN experiences a critical failure.

Safe Systems believes that maintaining active hardware warranties for the full life of your hardware is as critical as keeping your Windows operating system patched. A valid hardware warranty gives your bank two valuable guarantees: the correct replacement part will be available, and it will be delivered within a defined time. Together these can drastically reduce downtime when critical hardware fails. Without an active warranty, a failure may leave the IT administrator scrambling to find the right replacement part, wasting valuable time while the institution is trying to recover; and if the part is backordered or no longer made, the institution may be forced to replace the whole device.

Hardware warranties also allow your financial institution to better plan hardware related expenses. The costs associated with replacement hardware components, expedited shipping, and/or specialized installation labor can quickly add up. The total price tag of an emergency hardware repair can represent a significant unscheduled expense. Rolling those potential expenses into the cost of a hardware warranty allows bank IT managers to budget hardware maintenance in a tidy, predictable package.

Hardware Warranty Coverage Notes:

  • Standard coverage is sold in 1- or 3-year terms
  • Standard warranty is 9×5: support Monday through Friday, 9 am to 5 pm, with next-business-day hardware replacement

Depending on the criticality of the hardware, consider these upgraded warranties:

  • 13×5×NBD – support 8 am to 9 pm on business days, replacement part next business day
  • 24×7×4 – 24/7 support; once a hardware fault is confirmed, the replacement part is delivered within 4 hours
  • 24×7×6 – no diagnosis step; replacement hardware is onsite within 6 hours

Of course, the price goes up for the upgraded warranties.


Community Banks and Software Maintenance Contracts

Just like a hardware warranty, maintaining software maintenance agreements is critical. The importance of a valid software maintenance agreement is most apparent when critical security patches are released: without it, you may not be entitled to them. Keeping your systems secure is not the only reason to keep them fully patched. An estimated 60% of the lifecycle cost of a software system comes from ongoing maintenance and patching, so without an active maintenance contract a software user also misses out on a stream of enhancements. While policies vary by provider, software maintenance releases generally fall into four categories:

  • Adaptive – modifying the system to cope with changes in the software environment
  • Perfective – implementing new or changed user requirements which concern functional enhancements to the software
  • Corrective – diagnosing and fixing errors, possibly ones found by users
  • Preventive – increasing software maintainability or reliability to prevent problems in the future


The Bottom Line

Hardware warranties and software maintenance are relatively inexpensive insurance policies for banks and credit unions. I would challenge any bank executive who tells me that a couple of hundred dollars is too much to keep critical pieces of your financial institution’s network performing optimally. Without hardware warranties and software maintenance, thousands of dollars in lost productivity could occur at any time with no warning.






04 Aug 2015

Community Banks Can Extend Their Internal IT Team with Help from IT and Security Service Providers


Running the day to day IT network administration for a community bank is a full-time job. One of the biggest challenges is the need for constant management of multiple solutions with a limited number of people on the IT team.

The typical IT department at a small community institution has a big job with limited staff. Not only is the department expected to oversee all the administrative work of setting up and maintaining the bank’s IT network, but they are also expected to work with the security officers to ensure that every technology component that constitutes the network is compliant with regulatory guidance. The department is also responsible for monitoring an array of administrative concerns like antivirus status, patch compliance, and email security to name just a few.

Furthermore, when auditors or examiners come knocking, the IT department must be able to produce a paper trail proving that daily practices match written policies and procedures. Then comes the matter of internal oversight. The processes that make use of those technology components must also align with the institution’s high-level policies, and this is where an IT steering committee, senior management, and the board of directors come into play. In order to support strategic IT decision-making, IT managers must be able to neatly package and explain network health and technology compliance in reports aimed at this group who hold the ultimate responsibility for protecting customer data.

As these financial institutions plan for a future that is increasingly taking more banking services online and mobile, a modern community bank’s lifeblood is its technology!

To help augment internal IT resources many institutions are turning to IT and security service providers to act as an extension of their organization — seeking a true partner to work together to streamline technology needs. The right solution provider can help bridge the gap between a financial institution’s everyday network administrative functions and the big picture goals of IT compliance and infrastructure planning.

An IT and security service provider can help automate and control many of the IT network administrative functions that are so time-consuming for in-house staff. Automating patch management and reporting saves your bank IT resources a tremendous amount of time. Providing bankers the ability to actively monitor network information for diagnostic or security issues not only saves time and improves efficiencies, but also helps the bank extend its hours of support beyond the traditional 9 to 5 hours. Additionally, outsourcing these business processes can help fill the gap when the IT staff is out sick or on vacation, providing added peace of mind.

IT service providers who focus on the community bank market can also offer account managers who act as facilitators and trusted advisors to help guide technology committees and provide tools to address financial regulatory governance. These account managers have a wealth of banking IT expertise and commonly attend technology steering committee meetings, assist with IT strategic planning, facilitate the responses to pre-exam IT questionnaires, and conduct periodic self-assessments of the bank’s IT infrastructure. With this structured guidance, financial institutions can gain deeper technology insights, complete more comprehensive control self-assessments, and enhance strategic IT planning.

The right IT service provider should offer your bank full support for the demands of banking technology and IT regulatory compliance by delivering your institution a solution that encompasses the three spheres of IT policy, procedure, and documentation. At Safe Systems we understand the ever-growing complexity of community banks’ IT operations and enhanced regulatory requirements. By making the decision to partner with Safe Systems and introduce our NetComply service, your organization will benefit from time saving automation and an in-depth view of your IT network environment. We want to provide you with assurance that your institution’s IT network is functioning efficiently, optimally, securely, and, most importantly, is compliant with FFIEC regulations.







28 Jul 2015

Windows 10 Offers Community Banks and Credit Unions Improved Security

This post is the final in a three-part series exploring aspects of Windows 10. Also read: Part 1 discusses market statistics, and Part 2 dives into the interface.

Another Windows 10 area where Microsoft appears to be placing a heavy focus is security. In late April, Microsoft announced on their blog several new security features that will be present in Windows 10, following up on another security-minded post from October 2014. These features center on managing application execution and user identity and are especially important to financial institutions.

The application execution component is being termed Device Guard. The feature will be certified or supported by hardware manufacturers and will allow for the designation of authorized applications. Financial institutions interested in using this new tool will define authorizations at the network or enterprise level. Applications will be checked against the list to evaluate trustworthiness and prevented from executing if not authorized. Microsoft’s intent for this feature is to assist in preventing execution of malicious code, as modification of an existing previously authorized application would cause it to be de-authorized. It is important to note that Microsoft specifically mentions Device Guard will not prevent macros within documents from running; thus, the feature would enhance but not remove the need to continue using existing anti-virus and anti-malware solutions.
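As an added example of the allow-list model described above (not code from Microsoft or from the original post), the following PowerShell builds a Device Guard code integrity policy from a reference workstation and enables it in audit mode first, so unauthorized binaries are logged rather than blocked while the allow list is tuned. It assumes the ConfigCI module that ships with Windows 10 Enterprise, an elevated session on the reference machine, and placeholder output paths.

```powershell
# Added example, not from the post: build a Device Guard code integrity policy
# from a reference workstation and stage it in audit mode before enforcing it.
# Assumes the ConfigCI module (Windows 10 Enterprise) and an elevated session.
Import-Module ConfigCI

$PolicyXml = 'C:\CIPolicy\BankWorkstation.xml'   # placeholder output paths
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# Scan the reference image and trust what is found by its publisher certificate,
# falling back to a file hash where a binary is unsigned. -UserPEs includes
# user-mode applications, not only drivers. Any later modification of a hashed
# binary changes its hash and therefore drops it out of the allow list.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash `
    -ScanPath 'C:\' -UserPEs

# Rule option 3 is "Enabled:Audit Mode": violations are logged, not blocked.
# Remove it (Set-RuleOption -Delete) only once the audit log is clean.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Convert to the binary form that Group Policy deploys to endpoints.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# While the policy runs in audit mode, event 3076 in the CodeIntegrity
# operational log records each file that would have been blocked. Reviewing
# these is how the allow list gets tuned before enforcement.
function Get-AuditModeBlocks {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-AuditModeBlocks | Format-Table -Wrap
```

As the post notes, this policy governs executables only; document macros are outside its scope, so anti-malware controls stay in place.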

Windows 10’s new Identity Management features are called Windows Hello and Microsoft Passport. These features can supplement or replace the existing password mechanisms most commonly in use today. Windows Hello deals specifically with biometric user authentication. Microsoft indicated that fingerprint scanning, iris scanning and picture identification will all be supported; of course, specific hardware may be required in order to use these features. The Microsoft Passport feature in Windows 10 will authenticate and authorize users to a service or a network by using a cryptographic key stored on a hardware device. This technology has been in use for years with smart cards, but Microsoft is aiming to integrate this into the hardware of devices running Windows 10. Microsoft Passport, when used in conjunction with Windows Hello, would require both a biometric and the specific hardware holding the key to access a user’s account. This multi-factor authentication approach would provide superior security over the traditional username/password combination.

This concludes our series exploring Windows 10. Microsoft plans to release Windows 10 to the general public starting on July 29, 2015. Please reach out to Safe Systems if you need assistance with your Windows 10 upgrade.







23 Jul 2015

What Community Bank IT Administrators Need to Know About Windows 10 Usability and Software Updates

This post is the second in a three-part series exploring aspects of Windows 10. Part 1 discusses market statistics, and Part 3 discusses changes to the security posture in Windows 10.

Microsoft appears to be positioning Windows 10 to address the usability concerns many had with Windows 8. In theory, Windows 8 itself could be interpreted as an overreaction to the proliferation of touchscreen devices of the past few years. In an attempt to make Windows 8 an iOS competitor, Microsoft appears to have swung wide by removing the familiar Start menu and focusing more on touch-responsive UI and navigation.

Now, with the reintroduction of the Start button and a sharper focus on usability and navigation with a mouse, perhaps Microsoft can address the issues that made Windows 8 such a jolting transition. The revised Start button will function as a cross between the Start button of Windows 7 and the Start screen of Windows 8. Further, Microsoft appears to be making efforts to ensure that the user experience will be flexible enough to serve the needs of both desktop/laptop and tablet/smartphone users.

Another evolving feature that somewhat bridges the gap between usability and security in Windows 10 is the software update mechanism. Traditionally, Microsoft has provided an intermittent update cycle, through which they professed not to add new features outside of major version updates. In reality, what we have seen over the years was a major version release (Windows XP, 7, 8), and subsequent smaller updates in the form of “R2” releases or Service Packs. Windows 10 looks to introduce a more frequent update schedule that will make use of update “tracks.” This will allow administrators and users to select between a slow update speed and a fast update speed. Users on the fast track will receive updates earlier, and those on the slow track will get updates more slowly. This will bring Microsoft in closer alignment with the faster update schedule of Google Chrome, while still allowing a robust testing base. It should be noted that this paradigm only applies to feature updates. Security updates will still be deployed on a monthly basis, and the existing Microsoft Update system appears to be more or less intact in current preview versions.







21 Jul 2015

Windows 10, What it Means to Community Banks and Credit Unions

This post is the first in a three-part series exploring aspects of Windows 10. Part 2 dives into the usability changes Microsoft has made in Windows 10, and Part 3 discusses changes to the security posture in Windows 10.

For nearly the past year Microsoft has been gearing up for the upcoming release of Windows 10. It will be the direct successor to the much-maligned Windows 8, and a more spiritual successor to Windows 7. If you have seen Windows 9 in the wild, please let us know. It seems to have disappeared from Microsoft’s grand vision.

If you are reading these words on a desktop in mid-2015, there is a very good chance you are doing so on a Windows 7 machine. Hopefully, you are not still using a Windows XP device. If you are, fingers crossed in hopes that your auditor doesn’t know about it. Statistically speaking though, you probably are NOT using Windows 8.

The banking industry (perhaps even more so than the US at large) seems to have largely skipped out on Windows 8. By my recent count of NetComply client endpoints running a Desktop operating system, roughly 0.4% are currently running Windows 8 or 8.1. Put another way, for every 250 endpoints roughly one of those is running Windows 8. In fact, there are currently three times more Windows XP than Windows 8 devices within our NetComply clients. Thankfully, none of those XP devices are on your network! Right?

Given that Windows 7 was first released in July of 2009, one need not read too deeply to see Microsoft is expecting to upgrade many existing devices to Windows 10. Interestingly, Microsoft has indicated that it will provide free upgrades to Windows 10 for existing installs of Windows 7 and 8 on the consumer side. This may lend further credence to the theory that they are expecting to make up the difference in revenue from the business and enterprise side.






14 Jul 2015

5 Things Community Bankers Should Consider when Choosing Hardware and Software Partners

Choosing who to trust and depend on when purchasing technology hardware and software is challenging, especially for community bankers. We have noticed that many bankers struggle with choosing the right hardware and software solutions that will work with their IT infrastructure and truly benefit their financial institution.

Today, many community banks are looking for IT systems to improve efficiencies in their organization. In addition, community bankers now need to meet mounting regulatory compliance requirements, which has increased the need for specialized expertise. Community banks also face challenges in providing competitive products and services their customers expect, while maintaining the advantages of being local banks.

All these concerns can amount to a lot of confusion for community banking executives. To avoid choosing the wrong IT solutions and vendors, we’ve highlighted some areas community bankers should consider to help avoid costly mistakes when choosing hardware and software partners.

  1. Does your hardware and software vendor understand the technical requirements of your core banking platform?

    Having the knowledge and ability to work with your core banking provider is imperative for all IT vendors that work with your financial institution. Vendors must know the inner workings of the core banking application. They should also be familiar with the various products that the core provider uses. It is also helpful for vendors to have a repository of core product specs to refer to before ordering equipment.

  2. Will the vendor understand your business?

    Hardware vendors and service providers must truly understand the ins and outs of operating a community bank. For example, they must understand the priority of a customer-facing teller line and the best technology needed to deliver such service. Another thing to consider is: will they listen to your banking business needs and make a recommendation based on solving those needs, not just placing a piece of hardware?

  3. Will your vendor understand regulatory compliance requirements?

    The ever-changing world of financial regulatory compliance governs every aspect of your IT network; and that includes what hardware and software you choose to deploy. In today’s banking environment, vendors must be able to make recommendations on how to manage hardware and software to meet regulatory expectations, including making sure your hardware stays under warranty and your software stays under support (i.e., when there is a critical service being run on a server, you can’t have the server warranty expire); certifying that you can always access your critical services as a part of a business continuity plan; and warranting that software is kept up to date with security updates.

  4. Will your vendor have a plan or are they just filling orders?

    Building an IT network without a plan is like building a house without a blueprint. In order for hardware and software implementations to be successful, bankers and vendors must agree on a plan. A smart way for bankers to move forward is developing a strategic IT plan to manage your current business and provide a foundation to support new technology and services.

  5. Does your vendor have the ability to recognize and discuss trends within the banking industry?

    Technology is ever changing and it is nearly impossible for anyone to keep up with all the advancements happening day to day. Look for a partner with numerous bank clients facing similar challenges every day and one that has the experience of finding the best solutions for these challenges. Bankers need to employ new but stable technology with a focus on performance, security and recoverability.







08 Jul 2015

4 Reasons Why Your Local IT Support May No Longer Be a Good Fit for Your Institution

Does Your Local IT Support Company Provide Fully-Compliant IT and Security Services for Your Community Bank?

It is very common to have people that you know in the community who run great IT companies. Many of these people often have personal relationships with the bank and bank employees, may have accounts with the bank, and may even have stock or sit on the board of the bank. In addition to the established personal relationship, most banks also like the idea of having someone who can physically be at the bank to assist when something breaks or needs attention.

These are all valid reasons for using a local IT service provider; however, it is also important to understand the risks that these providers pose to your institution, especially given today’s oversight environment.

  1. Examiner expectations

    In recent years the FFIEC has published very clear regulations focused on vendor management. To this point, several IT Examination Handbook booklets address managed security providers and cloud services. For example, the Outsourcing Technology Services and Business Continuity Planning booklets both contain explicit guidance on technology service providers.

  2. IT vendors that provide services, including antivirus, patch management, and event logging, have heightened expectations from the regulators. Your institution must perform a risk assessment on each vendor to validate that they conduct themselves in a sound and secure manner. Ideally, technology service providers should submit themselves to independent audits that take Trust Service principles into account (security, availability, processing integrity, confidentiality and privacy), and provide evidence in the form of an audit report. Many local IT support companies may not have the audits to validate that they are managing outsourced business processes consistent with the way financial institutions must manage them.

  3. They don’t know the expectations specific to our industry

    In the same addenda mentioned above, the regulators address risk assessment processes for IT vendors. They specifically mention knowing how many financial institution customers the vendors have versus their total customer counts. Vendors that don’t have a large number and percentage of their customers as financial institutions may not have the proper controls in place to validate compliance.

    From a purely technical perspective, working with banks is more complex. For example, one of the great advantages of technology management today is the ability to work remotely. Vendors with remote access that have no way to log and track access are not acceptable from either a business or compliance risk perspective.

  4. Limited knowledge of banking applications

    One recurring theme with vendors that support multiple industries is that they are usually very good at supporting systems that are common among their customer base. This includes items like Microsoft Office, email, printing and network communications. When vendors are supporting your systems their knowledge of your banking applications is vital. Making sure that the teller, new account, imaging, loan, and other applications continue to work within the updated IT infrastructure is imperative. In today’s world customers expect minimal downtime, and having a vendor with limited expertise in your bank’s critical applications lengthens the time required for problem resolution. When you need help with IT support, you don’t have time for your vendor to learn how the applications work before they start resolving the problem.

  5. Lack of documentation and reporting

    Most IT vendors are quite good at working to fix a problem or setting up systems to work correctly. However, that technical configuration is just a piece of the puzzle. As a regulated financial institution, you can’t outsource responsibility, so having proper reporting and documentation is imperative. You must prove that the way your devices are configured and managed adhere to your Information Security policies. For instance, if you can’t install a patch because it will break the teller system, you have to document the reasons why the patch was not deployed. This type of reporting and validation needs to be available so the technology steering committee and senior management can make informed decisions about IT issues.

Perhaps more importantly, auditors and examiners will also expect a thorough paper trail to prove that daily practices match defined policies and procedures. In today’s ever-changing environment of regulatory compliance requirements, it is essential your financial institution’s policies, procedures and practices are in perfect alignment with regulators’ expectations. Not doing so can cost your bank severely.

As a reputable partner to community banks, Safe Systems specializes in delivering technology, security and compliance products and services. We understand that community financial institutions like yours are under pressure to manage the constant evolution of technology and compliance. We maintain the proper audit certifications (SOC 2, Type II) to assure your examiners that our business practices are sound and secure. With our expert solutions, you can stay ahead of this ever-changing environment while managing costs and limited resources.






26 Feb 2015

How to Use Remote Server Admin Tools to Manage Active Directory Users and Computers

There are many reasons to step away from your desk. Coffee, for example, is an excellent reason. Or maybe you just need to stretch your legs (honestly, you probably deserve to take a break). But managing the functionality provided by your servers need not be a reason to leave your desk. With the right mix of tools you can control and manage many aspects of your servers and your domain(s) from the convenience of your primary machine.

When it comes to managing the network at a distance, Windows Terminal Services\Remote Desktop and VMware’s ESX/vSphere (for those of you with a little virtual in your infrastructure) are two well-documented options. In this article I’d like to introduce you to a third, possibly less well known option – the Remote Server Admin Tool (RSAT). This optional update from Microsoft (KB958830, although it is not available through Windows/Microsoft Update) can allow easy access to server functions right from your desktop.

RSAT extends the functionality provided by the Microsoft Management Console (MMC). The MMC offers a centralized interface into which specific functionalities can be snapped.


Manage Server Roles and Features

  1. You can access the MMC by pressing the Start button and typing MMC into the search box. Note: Depending on the current inherent or delegated administrative rights assigned to your user account, you may need to use the “Run as Administrator” function when opening the MMC.
  2. Here, you can see the MMC in its default state.
  3. The default console is rather sparse, so your next step is to start adding snap-ins. From within the MMC, click on “File”, and then “Add/Remove Snap Ins”.
  4. By selecting items from the left pane (“Available snap-ins”), and clicking “Add” to move them to the right pane (“Selected snap-ins”), you will add those items into the console, as shown here.

You can now manage those Server Roles and Features as if you were interacting with them directly on the server! This is especially useful for unlocking domain accounts, managing group assignments, or (re)configuring group policy objects. However, there are quite a few more specialized features you can manage with RSAT, some of which are shown in the “Add/Remove snap-ins” screenshot above.


Setting Up RSAT

(Updated May 11, 2020)

  1. Open the Start menu, and search for Settings.
  2. Once within Settings, go to Apps.
  3. Click Manage Optional Features.
  4. Click Add a feature.
  5. Scroll down to the RSAT features you would like installed.
  6. Click to install the selected RSAT feature.
  7. Click back to the Manage Optional Features menu and you will see it installing.
  8. It will also be in this list to uninstall afterwards.

Download RSAT (not required for Windows 10): https://www.microsoft.com/en-us/download/details.aspx?id=45520

Microsoft’s RSAT documentation page (has updated system requirements): https://docs.microsoft.com/en-us/windows-server/remote/remote-server-administration-tools
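The same optional-feature install done from PowerShell, as an added example that is not part of the original post. It assumes a Windows 10 build (1809 or later) that ships RSAT as a Features on Demand capability, and an elevated session; the capability name is matched by wildcard because its version suffix varies by build.

```powershell
# Added example, not from the post: install the RSAT Active Directory tools
# (ADUC, AD module) through the same optional-feature mechanism the Settings
# walkthrough uses, then confirm the install. Run from an elevated session.
function Install-RsatAdTools {
    # Matches Rsat.ActiveDirectory.DS-LDS.Tools~~~~<version> on 1809 and later.
    $caps = Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory*'
    if (-not $caps) {
        throw 'No RSAT Active Directory capability found; builds before 1809 need the separate RSAT download instead.'
    }
    foreach ($cap in $caps) {
        if ($cap.State -eq 'Installed') {
            Write-Host "$($cap.Name) is already installed"
            continue
        }
        Write-Host "Installing $($cap.Name)..."
        $null = Add-WindowsCapability -Online -Name $cap.Name
    }
    # Re-query so the returned objects show the post-install state, the same
    # way Settings > Manage Optional Features lists it.
    Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory*' |
        Select-Object Name, State
}

function Test-RsatAdTools {
    # True when the ActiveDirectory module that RSAT provides can be loaded.
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

Install-RsatAdTools | Format-Table -AutoSize
if (Test-RsatAdTools) {
    Write-Host 'ActiveDirectory module available; dsa.msc can now be added as an MMC snap-in.'
}
```

If the workstation takes its updates from WSUS, the capability download can fail until the optional-component source is allowed to reach Windows Update; that is a policy setting on the client, not a problem with RSAT itself.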


One more note on the MMC: Nobody likes to repeat themselves, so once you have selected your snap-ins of choice, you should save your console to a location of your choosing for quick access.

In summary, after a brief initial setup you can use the Remote Server Admin Tool to enhance the Windows Microsoft Management Console and manage aspects of your Domain, Active Directory, and Network directly from your desktop. You may be surprised at just how quick, easy, and powerful the combination of RSAT and MMC can be. Now, how about that cup of coffee?







26 Feb 2015

FFIEC Issues New BCP Guidance

The FFIEC just issued new BCP Guidance in the form of a 16-page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both the financial institution and the service provider across the entire business relationship.

Resiliency

It begins by stressing that although outsourced relationships with technology service providers (TSPs) are an effective way for institutions to perform or support critical operations, the responsibility for overseeing these relationships resides with the Board and senior management. It focuses on these four key elements of resiliency:

  1. Managing the continuity risks of critical third-party relationships.
  2. Understanding the “concentration” risk when a third-party provides multiple services to you, or to multiple clients.
  3. Validating BCPs (theirs and yours) through testing.
  4. Assuring that your BCP can accommodate a disruption caused by a cyber-event.

The third-party management life-cycle begins prior to engaging the service provider, in the due diligence phase. At this point in the pre-contract stage, institutions should evaluate and thoroughly understand both the effectiveness of the vendor’s BCP, as well as the process the vendor uses to manage its subcontractors. Institutions should also make sure the vendor’s recovery time objectives (RTOs) are in alignment with their own RTOs for processes dependent upon vendor services. For example, if the institution has a 24-hour RTO for its teller processes, it must assure that any outsourced services required for those processes meet or exceed that RTO.

Important Contract Provisions

Once the decision is made to engage the service provider, a contract is the best way to define the obligations on both sides. Some important contract provisions are:

  • The right-to-audit clause. This gives the institution the right to either audit the provider directly, or have access to any audit reports addressing the provider’s recovery capabilities. For most institutions, the ideal audit report to establish confidence in the resiliency of the provider is the SOC 2 report.
  • Contractually defined service level agreements (SLAs) relating to business continuity, such as clear recovery time and recovery point objectives.
  • In the event that the service provider defaults or otherwise does not meet their contractual obligations, what are your potential remedies?
  • If the vendor subcontracts, all contractual provisions (including SLAs) must also apply to the subcontractor.
  • Because foreign countries may have different data and information security standards, the contract must specify that any contractor based in a foreign country must agree to adhere to U.S. regulatory standards.
  • The contract should specify BCP testing requirements for service providers, including test frequency, and the ability of the financial institution to periodically participate.
  • Data governance, including data ownership, backup and handling during and after the relationship.
  • Service providers must respond and adhere to all relevant regulatory guidance, and contracts should allow the institution to request those responses.
  • Contracts must clearly specify how the provider addresses a security incident, including when and how the institution is notified.

Business continuity requirements and capabilities on both sides of the relationship will change over time, making on-going monitoring the critical last phase in the management life-cycle. Periodic summary reports should be presented to the appropriate management committee(s) and to the Board, and any material changes should be reflected in the institution’s BCP and (if necessary) in the vendor contract.

Replacing Vendors

The guidance also requires institutions to consider that a critical provider may not be able to fulfill its obligations, and may need to be replaced. This could occur over time, such as with a gradually deteriorating financial condition, or suddenly, because of a severe cyber-event or wide-spread disaster. Regardless of the circumstances, the institution must be prepared to minimize the impact and meet their internal recovery time objectives without the failed service provider. This means having a plan in place to either convert to a new service provider, or (as a last resort) to move the outsourced operations in-house.

Testing with the third-party is given increased importance, and regulators will expect that institutions either participate in, or at the very least review the results of, service provider testing. Testing scenarios should include service provider outages, disruptions at the financial institution, cyber-events affecting either party, and cyber-attacks affecting both parties simultaneously. Test results should be presented to management committees and the Board for review, with a gap analysis and action plans for strengthening resiliency if necessary.

Cybersecurity

Finally, the guidance addresses the importance of preventing, mitigating, detecting, and responding to a cyber-event. Since the cybersecurity landscape is constantly changing, preparedness is the key to resiliency. This includes periodically updating and testing the institution’s incident response plan, and including the third-party in testing whenever possible. It also includes identifying potential third-party forensic and incident management service providers if necessary.




The implications of this guidance will be felt throughout the industry. Financial institutions will be expected to gain a much deeper understanding of provider recovery capabilities, which will require service providers to be much more transparent about all aspects of their business resiliency. Existing business continuity plans will require expansion to include more detailed information about recovery capabilities of critical service providers, including their RTOs and RPOs. Service provider contracts may need to be modified to include new expectations, and perhaps most significantly, institutions should understand much more about any vendor subcontracted relationships. Simply put, both the vendor and the financial institution must work more closely together across the entire spectrum of the relationship to ensure the optimal resiliency of the institution.

26 Feb 2015

How to Delegate Control in Active Directory Users and Computers

The Least Privilege Dilemma

A common trend from Auditors and Examiners lately is the review and questioning of accounts with administrative-level access. A linchpin for information security, the Principle of Least Privilege states that an individual or account should only be granted the minimum amount of access needed to accomplish the role defined for them. Managing user accounts in Microsoft’s Active Directory is one place where this principle can be overlooked. The “easiest” way to allow someone access to manage users (unlock, reset password, create, delete, etc.) is to add them to the Domain Admins security group. It is a rather common practice for institutions to grant an individual a second network login with these administrative privileges in order for that individual to service day-to-day user account needs in Active Directory Users and Computers (ADUC).

While this approach is appropriate in some cases, a security issue arises when the individual’s sole administrative responsibility is managing users. Granting a user Domain Administrator access enables them to do much more than managing users. Domain Admins can remotely access servers, change permissions on folders, create/edit group policy, view contents of folders, and much more. While you may trust the user not to abuse their access, it can be difficult to defend this high level of access during an audit.

Why Delegate Control?

If you have individuals who need “administrative access” strictly for resetting or unlocking a password, then you should consider delegating control. You can delegate control to a user for account administration without giving them the extraneous and potentially dangerous access a traditional administrative account commands. Typically, giving a user this reduced degree of access is more than sufficient for the job they need to perform. This can be done at a Domain level or, depending on your ADUC structure, more granularly at the Branch level.

The next few sections offer different scenarios of how you may choose to implement this.

Step-by-Step Instructions

I’ve detailed three different options below for delegating varying levels of user management, ordered from the option with the greatest amount of control to the option with the least. Please choose the option that best fits your institution’s needs. All three options start with the same “Prep Work,” where you will create a group and decide where to delegate control.

A recommendation before you begin: While reporting on which users have Domain Admin group membership is easy, reporting on which users have certain delegated controls is not easy at all. For this reason, I recommend creating groups in ADUC and applying all delegated controls to these groups rather than to individual user accounts. Not only will this grant you more flexibility to add users to (or remove users from) this group as business needs change, but the group will also act as a reporting touchpoint. Whether you take advantage of Safe Systems’ monthly reports posted to TheSafe, or you use a tool like DumpSec to monitor ADUC Users and Groups, tracking a single group is much easier than keeping tabs on multiple delegated employee accounts.
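Because delegated rights live in the object ACL rather than in a group, the reporting gap described above can be closed by reading the ACL directly. The following PowerShell is an added example, not part of the original post: it lists the explicit (non-inherited) access entries on the domain root and on an OU that grant rights over user objects, which is what the Delegation of Control wizard writes. It assumes the ActiveDirectory module from RSAT and its AD: drive; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the post: report who has been delegated rights over
# user accounts at the domain root or on an OU, so delegated control can be
# reviewed alongside Domain Admins membership. Assumes RSAT's ActiveDirectory
# module (provides the AD: PSDrive); the OU DN below is a placeholder.
Import-Module ActiveDirectory

# Well-known schema and extended-right GUIDs that appear in ACEs written by the
# Delegation of Control wizard for user-management tasks.
$KnownGuids = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'User objects'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'Group objects'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime attribute (unlock)'
}

function Get-DelegatedUserRights {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Built-in principals that always hold rights; not delegation.
        [string[]] $IgnoreTrustees = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                       'NT AUTHORITY\SELF', 'CREATOR OWNER')
    )
    $acl = Get-Acl -Path ('AD:\' + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Inherited entries were set higher up; only explicit entries are
        # delegations made at this object.
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $trustee = $ace.IdentityReference.Value
        if ($IgnoreTrustees -contains $trustee) { continue }

        $objType = $ace.ObjectType.ToString()           # right/attribute/class granted
        $inhType = $ace.InheritedObjectType.ToString()  # object class it applies to
        $hitsObj = $KnownGuids.ContainsKey($objType)
        $hitsInh = $KnownGuids.ContainsKey($inhType)
        if (-not ($hitsObj -or $hitsInh)) { continue }

        $permission = if ($hitsObj) { $KnownGuids[$objType] } else { 'All properties/rights' }
        $appliesTo  = if ($hitsInh) { $KnownGuids[$inhType] } else { 'This object' }

        [pscustomobject]@{
            Target     = $DistinguishedName
            Trustee    = $trustee
            Rights     = $ace.ActiveDirectoryRights.ToString()
            Permission = $permission
            AppliesTo  = $appliesTo
        }
    }
}

# Review the domain root and one branch OU (placeholder DN) in a single pass.
$targets = @(
    (Get-ADDomain).DistinguishedName,
    'OU=Branch01,DC=bank,DC=example'
)
$targets |
    ForEach-Object { Get-DelegatedUserRights -DistinguishedName $_ } |
    Sort-Object Target, Trustee |
    Format-Table -AutoSize
```

Any trustee in the output that is an individual account rather than the dedicated group recommended above is a candidate for cleanup, and the group names themselves are what the monthly membership report should track.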


Prep Work (All Options)

  1. Create a group as mentioned above to which you can apply these rights.

    Again, you can assign these rights to individuals instead of groups, but reporting and managing this going forward becomes an issue.

    In Active Directory Users and Computers, right-click the Organizational Unit (folder icon with a PC image on it) in which you wish to create the new group, and choose the option to create a new group object. Name the group, choose the scope, and select “Security” for the Group Type.

  2. Right-click where you want these rights applied. There are two options I will list here – Domain-level or Organizational Unit-level.

    First, the Domain-level. Right-click the Domain and choose Delegate Control, giving the group the ability to make these changes to everyone in the domain.

    Or, right-click a specific Organizational Unit and delegate control at that level. This will limit the controls assigned to only the accounts under that Organizational Unit. This is a good option if you want a specific user at a branch to manage only the users at their branch.

  3. Assign the group or individual that will receive these delegated controls, then click OK to close the Select Users, Computers, or Groups window. Click Next to continue.

OPTION 1: Delegating the ability to Add/Remove/Reset/Unlock Users

    Consider creating a separate account for the user to which these enhanced security rights are assigned. For example, their login account for logging into the network and performing their daily tasks may be JDoe, but a separate account named John.Doe may be created and added to the security group that receives this delegated control.

  1. Select the specific rights you wish to delegate, then click Next. For this option, you will choose the option to “Create, delete, and manage user accounts”.

  2. Click Finish and you are done.

OPTION 2: Delegating the ability to Reset/Unlock Users

    Less control than Option 1

  1. Follow steps 1 – 3 in the Prep Work section above until you reach the Delegation of Control Wizard window.
  2. Assign the rights you want to delegate, then click Next. For this option you will need to choose the option to “Reset user passwords and force password change at next logon” to grant a more limited privilege level.
  3. Select Finish to complete.

OPTION 3: Delegating the ability to Unlock Users only

    Less control than Options 1 or 2

  1. Follow steps 1 – 3 in the Prep Work section above until you reach the Delegation of Control Wizard window.
  2. There is no canned option for this limited degree of access, so you must create a custom task by selecting the “Create a custom task to delegate” radio button, then click Next.
  3. Select “Only the following objects in the folder” and then select “User objects”, then click Next.
  4. Select “Property-specific” and then scroll down to find Read and Write Lockout times. Select these items as well, then click Next.
  5. Select Finish to complete.

Delegating controls is a great first step in implementing the Principle of Least Privilege on your domain-level accounts. There is one aspect of this change that is not addressed in this article: how the user will access ADUC after making this change. Please see our article in this month’s newsletter about Remote Server Administration Tools, as this will most likely be your best option for allowing the users to manage ADUC going forward.
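Because delegated rights are hard to report on, here is an added PowerShell check (not part of the article or of Safe Systems’ tooling) that lists what the Delegation of Control Wizard actually wrote to an OU for the delegation group, so you can confirm the option you intended is the only thing granted. It assumes the ActiveDirectory module (RSAT) is installed; the OU path and group name are placeholders.

```powershell
# Added example, not from the article: report the ACEs an OU holds for the
# delegation group. Requires the ActiveDirectory module (creates the AD: drive).
Import-Module ActiveDirectory

$ou    = "OU=Branch Users,DC=example,DC=local"   # placeholder: OU (or domain) that received the delegation
$group = "EXAMPLE\Branch-Unlockers"              # placeholder: delegation security group (DOMAIN\name)

# ACEs name attributes, classes and extended rights by GUID. Build a GUID -> name
# map from the schema and the Extended-Rights container so the report is readable
# (e.g. "lockoutTime", "user", "Reset Password").
$rootDse   = Get-ADRootDSE
$guidNames = @{ "00000000-0000-0000-0000-000000000000" = "(all)" }
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(rightsGuid=*)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Get-DelegatedRights {
    param([string]$Path, [string]$Identity)
    # Get-Acl over the AD: drive returns the OU's DACL; keep only the group's ACEs.
    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            [pscustomobject]@{
                Type      = $_.AccessControlType                          # Allow / Deny
                Rights    = $_.ActiveDirectoryRights                      # e.g. ReadProperty, WriteProperty, ExtendedRight
                Target    = $guidNames[$_.ObjectType.ToString()]          # attribute, child class or extended right
                AppliesTo = $guidNames[$_.InheritedObjectType.ToString()] # object class the ACE inherits to, e.g. "user"
                Inherited = $_.IsInherited                                # $true = came from a parent container
            }
        }
}

# Compare the output with the option you intended to delegate:
#   Option 1 grants create/delete and full control of user objects under the OU,
#   Option 2 the "Reset Password" extended right (plus the pwdLastSet property),
#   Option 3 only ReadProperty/WriteProperty on lockoutTime for user objects.
# Anything broader than that is delegation creep worth removing.
Get-DelegatedRights -Path $ou -Identity $group | Format-Table -AutoSize
```

Run it periodically against every OU (or the domain root) where you delegated control, and keep the output with the monthly group-membership report.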






26 Feb 2015

Minding the Encryption Gap

Email technology presents a host of security concerns for financial institutions, many of which can be mitigated by implementing the proper controls. Virus and malware infection risks, for example, can be mitigated with email antivirus and spam filtering software to sniff out malicious attachments or phishing attempts. Legal or reputation risks related to employee misuse can be addressed by training users on acceptable email usage and appending email messages with a disclaimer message. However, one powerful security control designed to protect messages in transit has yet to become standard fare – email encryption.

The protocols that make modern email flow have remained largely unchanged since the early days of the Internet when the security of transmitted data was not a pressing concern. When you email a sensitive attachment to a coworker on the same mail server, there is likely little cause for worry; however, email messages to and from external parties must leave the protected space of your local network. By default, these email messages are transmitted in clear text, and are susceptible to interception, eavesdropping, or tampering while in transit. While the exposure of sensitive information is never good for any business, financial institutions face an added regulatory compliance risk if an intercepted message contains non-public customer information. While end-user training can limit the amount of sensitive data sent via email, it is not a guaranteed method of preventing the unintended disclosure of sensitive information. Bank security personnel should look toward a technology solution to fill this gap, and this is where email encryption comes into play.





Email encryption is almost synonymous with the Transport Layer Security (TLS) protocol. TLS was created to work alongside existing email protocols to protect messages as they traverse the wilds of the Internet. When using TLS encryption, the sender’s email server first encrypts the many individual data packets that make up an email message before transmitting them. Once the batch of packets reaches the relative safety of the recipient’s network, the receiving email server then unscrambles them using a decryption key before piecing them back together. While these encrypted packets of information can still be intercepted during the journey from sender to recipient, they are jumbled and useless to a malicious third party without the proper decryption key.

In order for these secure communication sessions to work as intended, both the sending and receiving email servers must support and be configured to use TLS. So, even if you properly set up your system for TLS, there is no guarantee that your recipient’s email system can service secure communications. This potential mismatch in mail server capabilities is handled differently by different encryption solutions. Perhaps the least sophisticated way to jump this hurdle is to configure email servers and systems to use opportunistic TLS. Email systems using this method of encryption will always attempt to establish a secure channel for email communications; however, if the receiving mail system does not support TLS, then the sending system will opt to use traditional insecure delivery.

While opportunistic TLS is better than no encryption at all, this method of encryption does not provide the guaranteed security necessary for financial institutions. More robust encryption solutions close this opportunistic TLS security hole by delivering messages that are unable to be sent through secure channels to a secure portal site rather than the recipient’s email system. Instead, the recipient receives an informational email notifying them that a message is waiting for them to pick up. While there is a small hassle for the recipient to log into the SSL-secured website to collect their message, it maintains a consistent level of security.

Enabling TLS is a conscious decision, but it is not always an option. Many widely used applications and devices have a built-in SMTP server and can be configured to send email directly; unfortunately, many of these systems lack the sophistication to use TLS. Some common examples of such under-the-radar SMTP servers are SAN appliances that send performance and alerting information, backup software that sends backup status alerts, and standalone multifunction printing devices configured to email scanned documents. Multifunction printers in particular can be problematic. Loan packets or new account documents are goldmines of customer NPI, and if these are being sent across the Internet unencrypted, then they are at risk. For networks with an internal email solution, all email messages should be configured to flow through the internal mail server(s) to prevent any unintended email exposure. If a financial institution opts for a hosted or cloud-based email solution, they may face a trickier encryption gap.




Since you cannot simply stop scanning from your MFP altogether just because you use a hosted email solution, management and IT staff should make efforts to mitigate the risk of unintended exposure. Luckily, there are a few options to consider. First, older network scanning devices could be replaced with more modern equipment that supports TLS, but this is not a viable option for many institutions. If the device cannot be replaced, then investigate if the device can be configured for scanning to a network folder location in lieu of scan-to-email. Finally, if all else fails, consider adding a secure relay to your network. A secure relay is a TLS-capable hardware or software solution placed on the network that receives, encrypts, and forwards messages to the remote mail system. All devices, appliances, or software that are sending messages but are not TLS-capable must then be pointed toward the secure relay. Once properly configured, a secure relay may be the last piece necessary to finally plug the encryption gap.

It is important to note that auditors and examiners do not currently require email encryption; however, encryption is considered a security best practice for any network that needs to keep the contents of their email messages secure. Depending upon your policies, network, and email solution, setting up encryption may be as easy as enabling TLS on the Exchange server, or as complex as implementing a secure relay. To ensure consistent security, the financial institution should consider how their system will handle receiving email servers that are incapable of TLS. Regardless of your solution, you cannot achieve consistent and comprehensive email security without a full understanding of how email flows through your network. Financial institution IT staff should scour the network and compile a list of all devices and systems dispensing email to ensure that your email practices match your policies.
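To support the inventory step above and the opportunistic-versus-enforced distinction described earlier, here is an added PowerShell probe (not from the article) that asks an SMTP server what it advertises in its EHLO reply, reports whether STARTTLS is offered, and shows how each policy would treat that answer. Host names are placeholders; it assumes TCP port 25 is reachable from where you run it, and it is meant for your own relay, your MX and the smarthost your MFPs and appliances point at.

```powershell
# Added example, not from the article: STARTTLS capability check plus the
# delivery decision an opportunistic vs. an enforced TLS policy would make.
function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # A multi-line reply continues while the 4th character is '-' (RFC 5321 4.2.1).
    $lines = @()
    do { $line = $Reader.ReadLine(); if ($null -ne $line) { $lines += $line } }
    while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Get-SmtpExtensions {
    param([string]$Server, [int]$Port = 25, [string]$HeloName = "audit.example.local")
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    $client.SendTimeout    = 10000
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true
        [void](Read-SmtpReply $reader)          # 220 banner
        $writer.WriteLine("EHLO $HeloName")
        $reply = Read-SmtpReply $reader
        $writer.WriteLine("QUIT")
        # Extension keywords are the first token after "250-"/"250 " on every
        # line except the first (the greeting). A non-250 reply yields nothing.
        return @($reply | Select-Object -Skip 1 | Where-Object { $_ -like "250*" -and $_.Length -gt 4 } |
                 ForEach-Object { ($_.Substring(4) -split ' ')[0].ToUpper() })
    }
    finally { $client.Close() }
}

function Get-DeliveryAction {
    param([string[]]$Extensions, [ValidateSet("Opportunistic", "Enforced")][string]$Policy)
    if ($Extensions -contains "STARTTLS") { return "Send over STARTTLS" }
    # Opportunistic mode trusts whatever the network returned: a missing (or
    # stripped) STARTTLS line means clear-text delivery. Enforced mode does not.
    if ($Policy -eq "Opportunistic") { return "Send in clear text (the encryption gap)" }
    return "Do not send by SMTP; hold on the secure portal and notify the recipient"
}

$ext = Get-SmtpExtensions -Server "mx.recipient.example"      # placeholder recipient MX
"STARTTLS offered: $($ext -contains 'STARTTLS')"
Get-DeliveryAction -Extensions $ext -Policy Opportunistic
Get-DeliveryAction -Extensions $ext -Policy Enforced
```

Pointing the probe at the host each MFP or appliance submits to tells you whether that hop can even offer encryption, which is the list of devices to re-point at a secure relay.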