What were you doing in the year 2001? It was quite a monumental year of events, and some of those include: Apple introduced iTunes and the iPod, I graduated high school, Windows XP became available, Enron filed for bankruptcy, Jennifer Lopez had her first UK No. 1 single, and most notably, the September 11th attacks brought forth a global war on terror. Of course, these are only a few of the major events in 2001. However, another key event I’d like to reflect on is the FDIC’s introduction of section 501(b) of the Gramm-Leach-Bliley Act, which continues to affect financial institutions to this day. More specifically, I’ll use the guidance to help reiterate a couple of key areas that I believe need to be a part of your weekly checklist to help ensure the integrity of your customers’ information.
The written guidance – I’m sure you all can recite it by heart, just like our own Compliance Guru, Tom Hinkel. But just in case you forgot, I’ll do a brief overview. The guidance was issued to establish financial institution standards for protecting the security and confidentiality of financial institution customers’ non-public personal information….
The standards’ objectives are to:
- ensure the security and confidentiality of customer information
- protect against any anticipated threats or hazards to the security or integrity of such information
- protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer
The FDIC goes on to publish examination procedures to assist examiners in determining whether your bank or credit union is in compliance with these standards, and to help determine if they are consistently implemented.
Let’s focus on some important items I think should be periodically reviewed to ensure the integrity of your customers’ data. There are a few things I suggest your institution’s network administrator review regularly, even if some of these functions are outsourced to a third-party IT service provider. You may ask, “Why would I check these things if the third-party vendor is monitoring and/or managing them?” Ultimately, it’s worth taking the extra step because it’s important to have several layers of controls when safeguarding customer information and ensuring its integrity. If a service is managed or hosted by a third-party vendor, then that company should provide you with reports to facilitate managing some of these critical functions.
Within the FDIC’s examination procedures, there’s a line item under managing and controlling risk reminding the auditor to review “measures to protect against destruction, loss, or damage of information from potential environmental hazards, such as fire and water damage or technological failures.” I added emphasis to the phrase “technological failures,” as this is a more common reason for data loss than environmental hazards, although you have to be prepared for both. It goes on to say in the clarification and annotation section, “Review data and system backup and business resumption capabilities.” It doesn’t say how often to review your backups, but in my experience I believe it’s important enough to review weekly, if not every day.
Common types of backups are either file level or image based. File level backups cover individual files and folders and give your users a finer degree of granularity when restoring. Image based backups are a server recovery process that creates a copy of the operating system and all the data associated with it, including the system state and application configurations. Both of these types of backups can be either on-premises or hosted by a third-party vendor. Again, the vendor should provide reports to help the institution review and facilitate management. On-premises solutions such as Backup Exec (file level) or Veeam Backup and Replication (image based) can often be set up to email regular reports, or you can verify backups from the software application console. If you are a Safe Systems managed services client, we proactively monitor and – depending on your service level – resolve issues with your backups. However, the more eyes the better, so I still believe it’s important to periodically check these items on your own in addition to any third-party management.
The Role of Hardware
Another common area where we see technological failures is hardware. Now more than ever, we are installing systems with redundancy and failover; however, this does not replace the need to check the health of your hardware at least weekly. Our professional services team is frequently implementing storage area networks (SANs), as this technology has become more affordable. These platforms typically have better redundancy and failover capabilities. Of course, this doesn’t replace the need to regularly check disk space, disk health, replication, etc. SANs typically have an IP address, allowing users to easily navigate to a web interface to check these critical components. Standalone physical servers typically have software provided by the manufacturer that indicates hardware issues that need to be addressed. Furthermore, traditional physical standalone servers typically have light indicators on the hard drives that illuminate red when there is a problem. A periodic physical check is a good idea as well.
SAN replication and Veeam Backup and Replication (B&R) are two common implementations we are doing in virtual environments. SAN-to-SAN replication can serve as an on-premises disaster recovery solution, and in Safe Systems’ typical implementation, it will give you failover in the event of environmental disasters or technological failures that result in site-down scenarios, such as an entire SAN outage or a communications outage at the primary site. The replication is done via the manufacturer’s built-in software application and, as previously mentioned, the replication health is easily verified through the SAN’s web interface.
For virtual server recovery, we typically utilize Veeam B&R to facilitate single or multiple server recovery. The standard backup frequency is daily, but it is possible to get a copy of your virtual server at more frequent intervals. Again, this application has a software console that can be used to verify successful backups. It is worth mentioning that, depending on your VMware licensing, there are built-in features that facilitate single or multiple server recovery. This is more common in larger networks and for clients that have less tolerance for server downtime. Both are viable solutions; however, some of the built-in features of VMware enable essentially instant recovery, as opposed to Veeam, which can recover the entire server to a point in time based on the frequency of the backups.
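As an added example (not code from the original post or from Safe Systems), here is a small Python script that applies the weekly backup review described above to a constructed console export: it flags jobs whose last run failed, jobs whose last good copy is older than the expected daily window even if the console still shows “Success”, and inventoried servers with no backup job at all. The record field names, the server inventory and the review date are assumptions for illustration.

```python
"""Weekly backup review: flag failed, stale or missing backup jobs.

Added example, not from the original post or from Safe Systems. It assumes the
backup console exports one record per job with the (hypothetical) fields below,
and that the institution keeps its own list of servers that must be covered.
"""
from datetime import datetime, timedelta

# Constructed sample export: one record per job, as a console report might list it.
SAMPLE_JOBS = [
    {"job": "FileShares-Daily", "type": "file", "server": "fs01",
     "status": "Success", "last_success": "2024-06-10T01:05:00"},
    {"job": "CoreApp-Image", "type": "image", "server": "app01",
     "status": "Failed", "last_success": "2024-06-08T02:10:00"},
    # Shows "Success", but the job has not actually run for a week:
    # status alone is not enough, the age of the last good copy matters.
    {"job": "DC-Image", "type": "image", "server": "dc01",
     "status": "Success", "last_success": "2024-06-03T02:00:00"},
]
# Constructed inventory of servers that must have a backup job (mail01 has none).
REQUIRED_SERVERS = {"fs01", "app01", "dc01", "mail01"}
# Constructed time of the weekly review.
AS_OF = datetime(2024, 6, 10, 9, 0)


def review_backups(jobs, required_servers, now, max_age=timedelta(hours=24)):
    """Return a list of findings; an empty list means the review passed."""
    findings = []
    for j in jobs:
        if j["status"] != "Success":
            findings.append(f"{j['job']}: last run {j['status']}")
        age = now - datetime.fromisoformat(j["last_success"])
        if age > max_age:  # daily jobs should have a copy less than a day old
            findings.append(f"{j['job']}: last good copy is {age.days} days old")
    # A server absent from the export has no backup job at all.
    for server in sorted(required_servers - {j["server"] for j in jobs}):
        findings.append(f"{server}: not covered by any backup job")
    return findings


if __name__ == "__main__":
    for line in review_backups(SAMPLE_JOBS, REQUIRED_SERVERS, AS_OF):
        print(line)
```

The same check can be pointed at a real console export by mapping its columns onto the fields used here.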
Although I only discussed a couple things in this article, I understand there are many other reports that are likely already a part of your weekly checklist. These include system reports such as patch management and antivirus, firewall logs, intrusion detection system (IDS) or intrusion prevention system (IPS) logs, and this list likely has several non-IT related items. This is why I recommend the checklist approach; it’s likely many of those reading wear several hats, and without a way of organizing all of these important tasks, something will inevitably slip.
I utilize checklists at work and at home. Otherwise, it seems the more I add to the plate, the more difficult it gets to manage my day. As IT advisors, we are here to help you manage the key aspects of your network, implement technologies that can better position you to safeguard your customers’ information, provide reporting for self-management, and provide training to show you how to check these key areas that warrant multiple layers of checks and balances.