Jamie Davis, Education and Product Manager
Exams and audits can be a stressful time for any financial institution. In these tough economic times, examiners tend to spend more time looking at lending practices and less time looking at your current information security procedures. While in a lot of ways this focus on lending can be more stressful, I recommend you enjoy the relaxed scrutiny on information security, because once the dust settles, information security could quickly become the next major focus for examiners. This is mainly due to two frontiers that are expanding rapidly: the first is the increased requirement from customers to have access to their information and accounts. This includes online banking, accessing accounts from mobile devices (e.g. smartphones), merchant capture, Twitter, Facebook, etc. Depending on your consumer segmentation, these are either being asked for or demanded by your customer base. The second frontier is cyber crime. Every day there is news of a financial institution having a security breach or loss of funds due to viruses, spyware, keyloggers, phishing, pharming, etc. These can be due to issues with a machine that does wire transfers, account creation, etc., or could be on a machine not controlled by your institution, like a merchant capture machine. With cyber crimes increasing in the financial industry and customers’ access increasing, you can rest assured that examiner focus will surely increase.
Whether you are having a third-party company audit your institution or having examiners on-site for their yearly exam, you may want to run through this checklist to ensure you are prepared. Though the list may seem long, if you are doing some of these items on a regular basis, you will be well prepared and confident the next time an auditor or examiner walks through your doors. This list is just a starting point and you may want to add or remove items to meet your specific institution’s needs.
- Review last audit/exam findings and responses. Have you resolved or responded to any outstanding issues?
- Has yearly information security training for employees been performed and documented?
- Has your risk assessment been updated with any new technology, software, or vendors that have been investigated or implemented?
- Has the Information Security Program been updated?
- Has the BCP (business continuity plan) been tested and updated?
- Do you have documented board minutes of information security discussions?
- Third-party assessment of the Information Security Program
  - Response to noted issues
- Has Safe Systems reviewed the assessment prior to the examiners’ visit?
  - Response to noted issues
- Backup logs for the previous 30 days.
- Printout of antivirus status: are all machines listed and up to date, with no viruses?
- Printout of patch management status: are all machines listed and patched?
- Software inventory report printed and reviewed for compliance with the authorized software list and license counts.
- DumpSec report reviewed for user access/change control.
- DumpSec report of all privileged user accounts.
- Remote access reports printed and reviewed.
- Firewall/IDS/IPS and security log reports printed and reviewed.
- Review merchant capture machines to ensure adherence to security requirements.
- Review the FDIC exam questionnaire.
- Review the FFIEC Tier I and Tier II exam procedures:
  - http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf (page A-1, around page 101 of the PDF)
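The "are all machines listed?" questions in the antivirus, patch management and backup items above are coverage checks as much as status checks: an examiner will ask about the machine that is absent from a report before asking about the ones that appear in it. The script below is an added example written for this article; it is not Safe Systems' code and does not reflect any vendor's export format. It reconciles a constructed asset inventory against constructed antivirus, patch and 30-day backup exports (the column names hostname, definitions_date, infected, missing_patches, date and status are assumptions) and lists the gaps an auditor would find: hosts missing from a report, stale antivirus definitions, infected or unpatched hosts, and days in the backup window with no job or a failed job.

```python
"""Reconcile an asset inventory against antivirus, patch-management and
backup exports so coverage gaps are found before an examiner asks.

All inputs are constructed sample data embedded inline; the CSV column
names are assumptions, not the format of any particular product.
"""
import csv
import io
from datetime import date, timedelta

REPORT_DATE = date(2011, 3, 14)  # constructed "as of" date for the review

# Constructed asset inventory: every machine the institution owns or is
# responsible for, including the merchant capture machine at a customer site.
INVENTORY_CSV = """hostname,role
TELLER01,workstation
TELLER02,workstation
WIRE01,wire transfer
FILESRV01,server
MERCHANT01,merchant capture
"""

# Constructed antivirus console export (MERCHANT01 is deliberately absent,
# WIRE01 has old definitions, FILESRV01 has a detection).
AV_CSV = """hostname,definitions_date,infected
TELLER01,2011-03-14,0
TELLER02,2011-03-14,0
WIRE01,2011-02-20,0
FILESRV01,2011-03-14,1
"""

# Constructed patch-management export (TELLER02 is missing three patches).
PATCH_CSV = """hostname,missing_patches
TELLER01,0
TELLER02,3
WIRE01,0
FILESRV01,0
MERCHANT01,0
"""


def _build_backup_log():
    """Constructed 30-day nightly backup log with one missing day (2011-03-09)
    and one failed job (2011-03-12) planted on purpose."""
    lines = ["date,status"]
    for offset in range(30):
        day = REPORT_DATE - timedelta(days=offset)
        if day == date(2011, 3, 9):
            continue  # no log entry at all for this night
        status = "FAILED" if day == date(2011, 3, 12) else "OK"
        lines.append(f"{day.isoformat()},{status}")
    return "\n".join(lines) + "\n"


BACKUP_LOG_CSV = _build_backup_log()


def parse_csv(text):
    """Parse an inline CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory, av_rows, patch_rows, report_date, max_def_age_days=7):
    """Compare the inventory with the AV and patch exports and return findings.

    Hosts in the inventory but absent from a report are coverage gaps; hosts in
    a report but not in the inventory are unauthorised or undocumented machines.
    """
    inv_hosts = {r["hostname"] for r in inventory}
    av_by_host = {r["hostname"]: r for r in av_rows}
    patch_by_host = {r["hostname"]: r for r in patch_rows}
    findings = {
        "missing_from_av": sorted(inv_hosts - set(av_by_host)),
        "missing_from_patch": sorted(inv_hosts - set(patch_by_host)),
        "unknown_to_inventory": sorted((set(av_by_host) | set(patch_by_host)) - inv_hosts),
        "stale_definitions": [],
        "infected": [],
        "unpatched": [],
    }
    for host in sorted(inv_hosts):
        av = av_by_host.get(host)
        if av is not None:
            def_age = (report_date - date.fromisoformat(av["definitions_date"])).days
            if def_age > max_def_age_days:
                findings["stale_definitions"].append(host)
            if int(av["infected"]) > 0:
                findings["infected"].append(host)
        patch = patch_by_host.get(host)
        if patch is not None and int(patch["missing_patches"]) > 0:
            findings["unpatched"].append(host)
    return findings


def check_backup_log(entries, report_date, window_days=30):
    """Return ISO dates in the window with no backup entry and with a failed job."""
    status_by_day = {date.fromisoformat(r["date"]): r["status"] for r in entries}
    missing, failed = [], []
    for offset in range(window_days):
        day = report_date - timedelta(days=offset)
        status = status_by_day.get(day)
        if status is None:
            missing.append(day.isoformat())
        elif status.upper() != "OK":
            failed.append(day.isoformat())
    return {"missing_days": sorted(missing), "failed_days": sorted(failed)}


def run_checks():
    """Run every check over the constructed exports and merge the findings."""
    findings = reconcile(parse_csv(INVENTORY_CSV), parse_csv(AV_CSV),
                         parse_csv(PATCH_CSV), REPORT_DATE)
    findings.update(check_backup_log(parse_csv(BACKUP_LOG_CSV), REPORT_DATE))
    return findings


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {', '.join(value) if value else 'none'}")
```

Run as written, the script reports MERCHANT01 as missing from the antivirus export, WIRE01 with stale definitions, FILESRV01 infected, TELLER02 unpatched, 2011-03-09 with no backup entry and 2011-03-12 with a failed job. The point of the "unknown_to_inventory" finding is the reverse check: a machine that shows up in the antivirus console but not in the inventory is exactly the kind of undocumented host that turns into an exam finding. In practice you would replace the inline strings with the CSV exports from your own consoles and keep the printed findings with the rest of the exam evidence.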
Your Safe Systems Account Manager is always available to help you prepare for an audit or examination; additionally, Tom Hinkel, our Director of Compliance, is also available.