Jackie Marshall, VP, I.T. Regulatory Compliance
Keeping up with the latest information security guidance can be a daunting effort, not unlike clearing that pesky kudzu off of the trees in your backyard. When you think you’re done with it, it’s back with a vengeance! As soon as you complete your initial risk assessment, close your vendor management files and get the Board to approve the latest changes to your Information Security Program, new guidance is released and it’s time to start the cycle all over again.
Your Board-designated ISO may not have the time to read every FDIC Financial Institution Letter, participate in every vendor’s security webcast or scrutinize the details of all those security monitoring reports. But, the message continues to be loud and clear: update and integrate, or the damage is inevitable (just like overgrown kudzu). Compliance is expected, as indicated by recent changes to the “FDIC Examination Questionnaire” and by news of significant fines to an OCC-regulated institution for violation of the Interagency Guidelines for Establishing Standards for Safeguarding Customer Information.
Some suggestions are listed below that will help your institution to mitigate risk, stay compliant with the latest information security guidance and keep information security a priority for all personnel:
- Don’t put your Information Security Program on the shelf. Remember this is a “living” document (not unlike kudzu).
- Confirm that the ISO is completing the Quarterly Review Checklist that is part of your Information Security Program. This checklist includes task items ranging from verifying accurate and timely patches/updates and staying on top of vendor relationships to employee training reminders. (You can also add new tasks as appropriate.)
- Include information security issues for discussion at every Technology Committee meeting. The most highly prepared institutions keep information security awareness a priority for everyone from the “back room” to the “board room”.
- The enemy may be within! Recent statistics indicate that internal information security breaches are on the rise. Your ISO and other members of management must regularly review internal user access levels and activity reports. It is also recommended that you implement a remote access policy. This policy should specify in detail how you configure and manage access to your systems by approved vendors and employees.
- Register for automatic emails from www.fdic.gov and other state and federal regulatory agencies. This is the quickest way to stay “in the know” when new guidance is released.
- Information security awareness training is required on an annual basis. Also, emphasize awareness by scheduling “lunch and learn” opportunities, sending “newsy” emails and hanging signs in the break room. Provide some comic relief with funnies like the one at the end of this article.
- The ISO should schedule one hour a week to check in with information security and preferred vendor websites for the latest trends, industry standards and best practices.
- Take opportunities to listen to information security related webcasts (a relatively inexpensive way to stay “in the know”: no travel expenses and no lengthy time away from the office).
- Share knowledge! Information security permeates every area of your institution and every employee. Create a library of resources of which personnel can take advantage. Purchase webcasts on CD, store policies on a public directory and encourage new “ideas” for mitigating risk from all the staff.
Finally (last but NOT least), two weeks or more before your next exam/audit, review your policies and procedures. Don’t throw up any “red flags” by having “draft” still on the cover of your Information Security Program or a revision date over one year old. If you have purchased a Network/Internet Systems and Security Manual, don’t forget that we are your resource for helping you to get and stay compliant. We’ll update your policies, recommend procedural changes and even review your risk assessments. Staying on top of information security can be challenging, but with awareness and interest shared among personnel, your institution can stay compliant.