David Brooks, Vice President of Account Management
How strong is your “Core”? Not your Core Processor, but your “Core” business service: customer service. I recently went through an experience with my back that made me realize that my “Core” was not as strong as it should have been. I thought everything was fine, until one day I bent down and could not straighten up again. My doctor said my back went out because my core muscles were weak. As I went through my physical rehabilitation, I realized that if your “Core” is not strong, it can have a big impact on many different areas. When my back went out, it affected my ability to work and to interact with my family and, most importantly, I could not play golf. However, the limited mobility did give me some time to reflect on the conversations I had with banks during my travels in the fourth quarter of 2007. The conversations centered on the banks’ business plans for 2008, and the predominant refrain was, “We are not planning on expanding this year because of the uncertain economy.” That being the case, I think 2008 will be a great year for you to strengthen your bank’s “Core”. Just because your bank may not be expanding doesn’t mean your Information Security/Technology Committee can take the year off. I guarantee you the examiners will not be taking the year off. In fact, I believe the exams this year will be more detailed in scope than they were last year.
Take a quick look at the FDIC IT Exam Questionnaire (the latest version was issued in December 2007). The questionnaire is now more closely related to specific regulatory requirements, and if the questionnaire is more closely tied to regulatory requirements, it only makes sense that the on-site exams will also be more detailed. I think you can use this new questionnaire to help you strengthen your bank’s “Core” and, at the same time, get a jump on preparing for your next IT exam. Start strengthening your “Core” by reviewing some of the policies and procedures that may not have been reviewed in a while. When was the last time you truly reviewed your Network Policy, your Disaster Recovery Plan, and your Vendor Management Policy (not your vendors, but your policy)?
When I hurt my back I found out I needed to update some of my policies and procedures, specifically my Vendor Management and Disaster Recovery policies. After my injury, I called my doctor only to find out that he had left the practice (not good Vendor Management). I also found out that I did not have a good Disaster Recovery Plan for being out on my back. I did not have a plan for getting things done at the office if I was not there or a backup plan if I could not attend Scout meetings with my boys.
You can always find parallels between your life at work and your life outside of work. What makes this parallel so compelling is timing. Not only will 2008 be a great year to strengthen your “Core” processes and procedures, but now is a great time of year to start with Vendor Management and Disaster Recovery. Most of your vendors are probably on a calendar financial year-end, so they will have new financials out soon. Another great reason to review your Vendor Management program now is that the FDIC just added a section on Vendor Management in the latest edition of its IT Questionnaire.
Let’s talk about how to evaluate your vendors and your Vendor Management Program. After reviewing the questions asked in the IT Questionnaire, I feel they can be summarized in a few main points. You must be able to show that you know who your critical vendors are and that you know what information to ask of each of them. More critically, once you have that information, you must be able to prove that you have the right people reviewing it and reporting their findings to the appropriate oversight committees. Another key point to remember is that you do not have to start from scratch every time you review your vendors. You only need to re-evaluate your relationship with a vendor when something has changed, and to review its annual financials and SAS 70 reports as they are issued. The area I see overlooked the most when it comes to Vendor Management is subcontractors. Vendor contracts often state that the vendor may use subcontractors to provide the services. This is very important if the service has direct or indirect contact with customer information. The best example of this is the vaulting of your nightly backup data (backing up your data to an Internet site instead of using tapes). You will see a lot of local and regional vendors provide this service, but they do not “house” the information. They actually outsource the processing and storage to third-party vendors, and some of these vendors are located outside the U.S., which adds another level of complexity to your Vendor Management. You not only have to do your due diligence on the vendor you signed the contract with, but also on its subcontractors. As you can see, there is a lot to proper Vendor Management, so don’t wait until the last minute before your next exam; start now!
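The review process above (know your critical vendors, review their annual financials and SAS 70 reports, and follow the chain down to subcontractors that touch customer information, including those outside the U.S.) can be reduced to a checklist you run over a vendor register. The following is an added illustration, not code from the article or from any FDIC or vendor tool: it models a register as a tree of vendors and subcontractors and returns the due-diligence findings a reviewer would report to the oversight committee. The vendor names, countries and review dates are constructed, and the one-year review interval is an assumption based on the article's reference to annual financials.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumption: annual financials and SAS 70 reports are reviewed at least once a year.
REVIEW_INTERVAL = timedelta(days=365)
HOME_COUNTRY = "US"
SAMPLE_DATE = date(2008, 3, 1)   # constructed "today" for the sample run


@dataclass
class Vendor:
    name: str
    country: str
    handles_customer_info: bool            # direct or indirect contact with customer data
    critical: bool = False
    financials_reviewed: Optional[date] = None   # when our reviewer last read the financials
    sas70_reviewed: Optional[date] = None        # when our reviewer last read the SAS 70
    subcontractors: List["Vendor"] = field(default_factory=list)


def _stale(last: Optional[date], today: date) -> bool:
    """A review is stale if it never happened or is older than the interval."""
    return last is None or today - last > REVIEW_INTERVAL


def review_findings(vendor: Vendor, today: date,
                    via: Optional[str] = None) -> List[str]:
    """Walk a vendor and its whole subcontractor chain, returning findings."""
    label = vendor.name if via is None else f"{vendor.name} (subcontractor of {via})"
    findings: List[str] = []

    # Critical vendors and anyone touching customer data get the full annual review.
    if vendor.critical or vendor.handles_customer_info:
        if _stale(vendor.financials_reviewed, today):
            findings.append(f"{label}: annual financials not reviewed in the last year")
        if _stale(vendor.sas70_reviewed, today):
            findings.append(f"{label}: SAS 70 not reviewed in the last year")

    # Customer information leaving the home country is a separate finding.
    if vendor.handles_customer_info and vendor.country != HOME_COUNTRY:
        findings.append(f"{label}: customer information processed outside {HOME_COUNTRY}")

    # Due diligence does not stop at the contract signatory.
    for sub in vendor.subcontractors:
        findings.extend(review_findings(sub, today, via=vendor.name))
    return findings


def sample_register() -> Vendor:
    """Constructed example: a regional backup-vaulting vendor that outsources storage."""
    storage = Vendor("Example Storage Ltd (constructed)", country="IE",
                     handles_customer_info=True)        # never reviewed by the bank
    vaulting = Vendor("Example Vault Co (constructed)", country="US",
                      handles_customer_info=True, critical=True,
                      financials_reviewed=date(2008, 1, 15),
                      sas70_reviewed=date(2007, 11, 1),
                      subcontractors=[storage])
    return vaulting


if __name__ == "__main__":
    for line in review_findings(sample_register(), SAMPLE_DATE):
        print(line)
```

On the constructed register the contract vendor itself is current, so every finding lands on the subcontractor: no financials or SAS 70 on file, and customer data stored outside the U.S. Running the same register a year later also flags the contract vendor's reviews as stale, which is the "re-evaluate when the annual reports come out" cadence the article describes.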
As far as reviewing your Disaster Recovery program is concerned, when was the last time you performed a Business Impact Analysis (if ever)? You really cannot have a functioning Disaster Recovery Plan if you do not understand how outages will affect all the different areas of your bank. If you have not done one since your bank opened, it needs to be done again. There are other questions you should ask yourself regarding your Disaster Recovery program: Do you have written procedures for recovering your network at an alternate site? Do you have a contract for an alternate site and hardware? Have you tested your nightly backups at an off-site location? Even if you can answer “Yes” to all of these questions, is your Network Administrator the only one who understands these arrangements, or the only one who can follow the recovery procedures? If so, can you guarantee he or she will be available after a disaster? Hint: no.
Well, hopefully I have given you something to think about, and we have only scratched the surface of the things you should do even in a year when you are not planning any big projects. My back is better now, but I still do my core-strengthening exercises every week, because strengthening your core is not a one-time event. Start strengthening your bank’s “Core” by preparing for your next IT Exam. For more direction on what to do, just review the IT Questionnaire; it is a great road map for your Information Security/Technology Committee. Or wait for my next article!