EJ Owens, Account Manager
Our latest compliance topic for your Quarterly Self-Assessment (QSA) is one that has come up with many of my clients while in the field, and was also raised by several of our clients at our National Users Conference earlier this year. This topic is the insider threat, and how it can negatively impact the growth, success, and overall reputation of financial institutions. Because of the potential impact, examiners and private audit firms are beginning to increase their scrutiny of the Financial Institution’s (FI’s) internal controls to mitigate this risk.
As technology and network security have grown ever more complex over the years, the bulk of security defense and risk mitigation efforts are now transitioning from perimeter defense (blocking threats before they are able to enter the network) to an outside-in approach. This approach can provide much needed preventive controls, helping to mitigate the growing risk that your internal employees may (intentionally or unintentionally) conduct malicious activity on your network.
Below are a few best practices to address these internal risks.
- Employee Training – First and foremost, it is imperative that FI employees understand the safety, security, and privacy policies of your institution, and how to protect customer data. They should also understand what they are and aren’t allowed to do with that data. The FFIEC recommends employee training at least annually, but many FIs are starting to provide training on a quarterly or monthly basis, especially as regulations continue to change.
- Internal Audits – This usually involves a third party, and should also include an after-hours walk-through to see what might be left on an employee’s desk, on a copier, or on a fax machine. Something as simple as this can surface larger security concerns.
- Commercial Customer Training – This is also a newer topic under the recent FFIEC Authentication Guidance, which calls for informing and educating your business clients about the risks of Internet transactions such as ACH, Cash Management, and Remote Deposit. Gladiator is releasing an online training session for your clients to address this. Additionally, at Safe Systems we have a Remote Deposit/Merchant Capture monitoring service to ensure that your customers’ machines are up to date with respect to antivirus and patch management.
- Monitoring and Encryption of Employee Email – In today’s environment, a lot of non-public information travels by email. That is why our e-Scan and SafeSysMail solutions have built-in filters that detect sensitive information and encrypt the message. It is critical that your employees understand this mechanism so that employee or customer information does not fall into the wrong hands.
- User Access Control – This is a bigger topic that I have seen grow significantly over the years. From an employee perspective, it is important to define employee login times as well as file and folder rights and permissions, so that employees do not have unnecessary access to areas of the FI that aren’t required for them to do their jobs.
Also below are a few articles that I found beneficial for your review regarding this larger topic.
During this quarter’s QSA I will be discussing this topic and reviewing your existing controls. As always, please contact me directly if you have a compliance topic suggestion that you would like us to incorporate next quarter, or if you would like to read more about a specific compliance topic on our Director of Compliance’s help site, complianceguru.com.