Niki Neese, VP Account Management
As I have discussed in previous newsletters, we have incorporated a compliance topic to the Quarterly System Review that we perform with your financial institution; the main objective being to present you with information on the latest compliance trends that we see throughout our customer base. Our goal this year is to incorporate topics that address the latest IT trends, goals and challenges for financial institutions and give you the tools and suggested solutions to help meet these common challenges.
We recently implemented a new title for our QSR that we perform with your institution: Quarterly Control Self-Assessment. The Quarterly Control Self-Assessment name comes from the FFIEC Operations handbook. The FFIEC IT Examination Handbook, page 87 & 96 states:
Self-assessments are useful in providing a warning flag to line management so problems can be addressed before they arise in testing reports. Self-assessments may be performed by operation personnel or by vendors under the direction of those at the institution who are responsible for the systems being assessed.
These controlled self-assessments may include the following:
- Assessing conformance to policies and procedures, including service provider oversight
- Scanning for technical vulnerabilities
- Verifying that device and network configurations are authorized and changes are properly processed
- Verifying that information is stored only where authorized
- Reviewing the adequacy of the risk assessment and monitoring plans
- Reviewing test results
What I’ve seen in the field is there is plenty of regulatory support for the CSA process. Most auditors have stated that institutions with an internal CSA process typically identify and correct weaknesses before an auditor finds them. So it is imperative to have a technology committee that consists of members from all functional units within the institution and a standardized agenda to follow. Last quarter we provided you with a template agenda for your technology committee meetings. We continue to update that agenda as IT and compliance trends change or evolve. Your Safe Systems Account Manager is available to help answer any questions that you might have on the CSA or even participate in your next Technology Committee meeting. As always, please contact me directly if you have a compliance topic suggestion that you would like us to incorporate next quarter.