Year: 2016

19 Dec 2016

Safe Systems Helps First Federal Bank Weather Hurricane Matthew with Ease


First Federal Bank ($170,413,000 in assets) is one of the oldest locally-owned financial institutions in North Carolina, employing a staff of 60 and serving the communities of Angier, NC; Benson, NC; Clayton, NC; Dunn, NC; Erwin, NC; and Fuquay-Varina, NC. The bank has a proven history with Safe Systems, originally selecting the company as a vendor partner in 2003 to help it navigate the fast-paced change of its business and regulatory environment.

As the industry has continued to evolve and technology has become more advanced, First Federal Bank built on this relationship by adding many of Safe Systems’ solutions and services, including NetComply, Vendor Management, CVault, Safe SysMail, and ultimately, Safe Systems’ disaster recovery (DR) solution, Continuum.

Disaster Strikes the US Eastern Seaboard

In October 2016 Hurricane Matthew wreaked havoc on the Eastern Seaboard of the US, disrupting thousands of businesses and organizations, and impacting millions of people’s lives, including those who worked for First Federal Bank. As the news of the upcoming hurricane became more threatening, the bank and its BCP team began preparing for a possible disaster. While First Federal Bank’s location was forecasted to miss the brunt of the storm, the bank still reviewed its BCP and DR plans and ensured all designated personnel in each branch were fully prepared.

On Wednesday, October 5, Safe Systems was proactive in contacting First Federal Bank to help them manage their BCP process and support the bank’s preparedness for potential disruption. After reviewing all backups to ensure everything was working properly, the bank’s designated strategic advisor at Safe Systems guided bank staff through the entire process: outlining what they needed to do prior to the storm, helping with shutting down servers, ensuring the server room was secure, and reinforcing that the proper communication protocols and contacts were correct and understood.

“Safe Systems served as a true partner for us through the storm and was there to guide us through the entire process, giving peace of mind to all,” said Leigh Barbour, vice president/IT Manager for First Federal Bank.

On Saturday, October 8, the storm hit North Carolina with a lot more force than the forecast predicted, and torrential rain and wind resulted in fallen trees and power lines. While the impact of the storm was more severe than expected, there was no physical damage at any of the bank locations, aside from the fact that the majority of the locations were without power.

On Monday morning, which was a bank holiday, the bank had a conference call with Safe Systems to update them on the situation and discuss the next steps in recovering from the storm. Later that day, the power was restored in most of the bank’s branches except for the Dunn branch and the Corporate Center. The power company said it would be five or seven days before the power would be restored. This news required the disaster recovery team to contact Safe Systems and begin implementing the BCP plan and procedures. Once contacted, the Safe Systems Continuum team worked with the bank to seamlessly switch to the disaster recovery environment. This enabled the bank’s technical environment to be restored remotely, giving them the ability to remotely access its network. Safe Systems colocation then became the actual environment for First Federal Bank, enabling it to securely run all of its solutions from a remote location.

Working together, the disaster recovery teams for First Federal Bank and Safe Systems had the bank ready to operate normally on Tuesday, October 11. Fortunately, however, the power was restored Monday evening, so the full Continuum process was not executed.

While the bank and Safe Systems did work hard to ensure the Continuum environment was ready to operate, First Federal Bank reported that the stress of working to recover its network was greatly reduced due to the proactive BCP and DR testing it routinely conducts.

“The last test was completed on August 1, so we felt confident going into the storm that the plan would work and we would be able to resume business as normal in an efficient and timely manner,” said Barbour. “During our test we did cut the connection to our core processor and operated solely from the Continuum environment, which gave us the peace of mind knowing that it was operational and ready to go.”

“Even though we did not execute the full Continuum process, working with Safe Systems through the preparation was very helpful and reassuring,” continued Barbour. “Safe Systems was with us every step of the way to guide us and assure that our systems and processes were working and tested correctly. It is good to know that in the event of a disaster we have a reliable alternative until our environment is restored and a valued partner to support us.”

White Paper Download

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture






14 Dec 2016

Do Not Allow Your Institution to Fall Victim to the Power of One!


Technology has become the lifeblood of today’s financial institution so it is imperative that all technology assets work efficiently. Modern community banks rely on their IT departments to maintain hardware and software and ensure that all systems are functioning optimally when needed. IT is also responsible for monitoring an array of on-going concerns like antivirus protection, patch management and email security, to name a few.

As a result, the network administrator position has become — both operationally and strategically — one of the most important within financial institutions. However, potential problems can occur for many community banks that find themselves with only one person running their IT departments, putting the bank at risk if that person goes on vacation, gets sick, changes jobs, or goes on extended leave. According to a CareerBuilder Job Forecast, the IT Manager/Network Administrator is one of the top five positions with the most turnover.

Strengthen your IT Department and Build Greater Continuity for Your Bank

To help ease the loss of a valuable resource, having a third party integrated with existing IT staff to augment the department can make the transition smoother and eliminate gaps within operations should a bank’s IT manager leave for any reason. Many financial institutions are turning to IT and security service providers to act as an extension of their organization and help supplement internal IT resources. Outsourcing even a portion of IT provides a level of continuity and stability that can be difficult for smaller community financial institutions to achieve on their own. Often, banks are at the mercy of a single individual, even if there are multiple people in the department, to make sure all activities are completed. The right solution provider can serve as a true partner and work alongside current IT staff to manage the network and streamline technology needs. When the IT staff is out or unavailable, outsourcing critical IT business processes helps fill the personnel gap to provide added peace of mind and stability for the institution.


Use Checks and Balances to Stabilize Your Bank’s IT Outlook

In addition to having increased IT support, outsourcing brings a well rounded perspective to technology needs. This helps avoid a common issue among some community institutions in which the administrator’s level of influence and power can actually influence the institution’s corporate personality and approach to business. For example, a very conservative administrator may prefer not to “rock the boat,” push hard to make improvements or ask for funding and as a result, the institution might end up behind the technology curve in the long run. This creates a less than efficient organization and one that does not meet the growing demands of its customers. On the other hand, a more aggressive approach toward cutting edge technology can lead to excess spending in unproven or high risk technologies. To help balance this, it is good practice to have a trusted outside partner to offer guidance and ensure the bank implements technologies that make sense financially, will enhance current services and align with the institution’s long-term goals.

The right technology service provider should offer your bank full support for the demands of today’s banking technology requirements and truly act as an extension of your internal IT department. At Safe Systems, we understand the ever-growing complexity of community banks’ IT operations and apply that knowledge to providing our customers with an in-depth view of their IT network environments and additional support in co-managing their IT operations. We want to provide bankers with assurance that their institution’s IT network is functioning efficiently, optimally, securely, and is in compliance with industry regulations. No matter what changes an institution goes through, having an outsourced IT partner on the team can help to streamline processes and keep IT operations running smoothly.



Free White Paper



Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.






07 Dec 2016

Small Town Bank Maintains Compliance Posture with Safe Systems’ Cybersecurity RADAR Application


Compliance and regulatory issues, especially as they relate to cybersecurity, are top of mind concerns for financial institutions. For many community banks, keeping up with the ever changing regulatory requirements and expectations can be a challenge. One area of concern for many banks is the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT), which was released in June 2015 and is designed to ensure banks are prepared in the event of a cybersecurity attack. Although regulators said they would not require banks to complete the CAT, they began using this set of criteria to examine institutions and determine their level of cybersecurity preparedness.

This was the case for Small Town Bank, a $215 million institution headquartered in Wedowee, Ala., that serves East Central Alabama and its surrounding communities. To comply with the FFIEC’s cybersecurity requirements, Small Town Bank began implementation of the new CAT requirements. However, the bank’s IT department found the 123-page assessment to be a time consuming and cumbersome task for the bank to manage and understand. The bank was unclear on what they needed to do to improve their cybersecurity processes and understood they needed to find a more efficient way to complete the assessment, understand their level of risk and make improvements to their IT environment.

The Solution – Safe Systems’ Cybersecurity RADAR Application

Small Town Bank began looking for a solution that could simplify this process and provide guidance on exactly what the staff needed to do to improve its compliance posture. When the bank heard about Safe Systems’ new automated cybersecurity tool, the staff was excited to learn more about its key features and functionality and how this product could help them achieve their long-term goals for cybersecurity. The Cybersecurity RADAR solution combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. After reviewing the information about the Cybersecurity RADAR product, Small Town Bank knew it would have a knowledgeable team to provide expert knowledge and support to ensure a more streamlined assessment process.

The Results – Improved IT Examination Results

Working with Safe Systems, Small Town Bank was able to realize significant operational efficiencies in its CAT assessment reviews and reporting and reduced the time its staff spent on completing the CAT from days to hours.

For more information on how Safe Systems helped Small Town Bank, please download our complimentary case study, Small Town Bank Improves IT Examination Results.

White Paper Download

Small Town Bank Improves Their IT Examination Results

Learn how Jennifer Dendinger, Information Technology Officer at
Small Town Bank, reduced the time needed to complete the CAT


30 Nov 2016

Why Board Involvement Should Be a Key Part of Your Bank’s Information Security Program


The Board of Directors plays a critical role in overseeing all affairs of the bank. While the board typically delegates the day-to-day operational responsibilities of conducting the bank’s business to its officers and employees, it cannot delegate its responsibility for the consequences of unsound or imprudent policies and practices, whether they involve lending, investing, cybersecurity and IT practices, or any other banking activity.

Board engagement has become more important than ever. Both the FFIEC Management Handbook, updated in 2015, and the Information Security Handbook, just updated in September, focus specifically on the responsibility and accountability of the Board as it relates to information technology oversight. Boards that do not adhere to these new standards run the risk of penalties, lowered CAMELS Scores and audit rankings, and in extreme circumstances, individual director financial accountability. From January 1, 2009, through October 20, 2016, the FDIC has authorized suits in connection with 151 failed institutions against 1,213 individuals for Director and Officer liability.

Understanding the Regulatory Responsibilities of Officers and Directors

The FDIC states that they will not bring civil suits against directors and officers who fulfill their responsibilities, including the duties of loyalty and care, and who make reasonable business judgments on a fully informed basis and after proper deliberation. The key to proper deliberation is that Board members be fully informed, and that requires accurate, timely and relevant information. Not just data, but actionable information, and this is where the ISO plays a critical role.

The Role of the Information Security Officer

A bank cannot just add the title ISO to an IT administrator or employee. The ISO must be a separate role. In fact, the guidance clearly states that it cannot be a production resource assigned to the IT department. Banks that do not have a separation of roles will be cited with what is known as a “Concentration of Duties” finding, which must be resolved in a specified timeframe to avoid a downgraded score or additional penalties.

The ISO is responsible for overseeing the IT budget, performance management, professional development and training, participating in planning activities and ensuring the bank is in compliance with and adhering to government regulations. This reporting role, to ensure independence, should report to the Board and not to IT operations management. While this separation of duties can pose a challenge for smaller community banks that have limited staff and resources, banks need to keep in mind that while cost and benefit decisions must always be considered, this is not the place for cost reductions. The overall IT and compliance issues and decisions of a bank are of the utmost importance.

According to the guidance, the Information Security Officer (ISO) is required to provide an information security update to the Board at least annually. Presenting information in a manner the Board will truly understand is the key to successful Board engagement. The ISO must present information in a manner whereby the Board is able to consume, digest, and take action on it. A simple summary report of what the bank did this year is not sufficient to engage the Board or give them the kind of information they need to make the right decisions for the institution. The pace of change in technology requires a more frequent reporting schedule.

“Credible Challenge”

The Board is expected to provide a “credible challenge” to management in the oversight of IT initiatives. Too often, when management brings something to the Board, they approve it without discussion. However, examiners are now expecting the Board to ask probing questions, understanding not only what they are approving, but also why, making sure it is the right strategic decision for the bank, and comprehending the consequences and risks of not taking action. Questions such as “Why are we doing this?”, “What are we doing?”, “What’s the significance of this?”, “What’s the risk?”, “What if we do it the wrong way?”, “What if we don’t do it?”, and “What if it fails?” should all be asked, answered, and documented.

The ISO needs to ensure that the Board truly understands the “why” behind the bank’s actions. The Board of Directors must get information they can digest and make sense of, and it is the responsibility of the ISO to provide such information. If the Board shows a lack of understanding, the consequences could range from a Matter Requiring Board Attention (MRBA) finding in an examination report, to an informal enforcement action such as a Board resolution or Memorandum of Understanding, to a formal action, up to and including a Cease and Desist order and civil money penalties. In 2015, 36 percent of examinations of satisfactorily rated (CAMELS 1 or 2) institutions resulted in MRBAs.

Increasingly, community banks are being stretched to gather more and more information and develop detailed reports and summaries in order to remain compliant. Working with an outsourced service provider, such as Safe Systems, can help streamline this process. With the reports and comprehensive information Safe Systems provides banks, the ISO is able to more efficiently communicate with the Board, helping them to make the right decision for the bank. For more than 20 years, Safe Systems has successfully helped financial institutions improve their CAMELS Score, avoid (and remedy) enforcement orders, and fill in cybersecurity gaps to ensure IT audits and exams go smoothly, and all regulators’ expectations are met.




22 Nov 2016

What Drives WAN Carrier Choice for Banks? Location, Location, Location!

Community banks utilize their WANs to transmit data to and from their branches and carry out daily functions in many areas. If you are a bank IT or operations manager, there is no single more important factor in WAN carrier choice than your bank’s physical addresses. Where your banks are located will dictate which carriers can serve your bank’s WAN needs.

When carriers have to go outside the footprint of their own network, they have to pay other carriers to get the circuit to the off-net sites (where they don’t own the underlying circuit). Using an underlying carrier to get to an off-net site is commonly referred to as Type II access. In scenarios where a carrier has to use Type II access, not only does the chosen carrier make a profit margin on the circuit, but the underlying carrier makes their profit margins as well – driving up costs for the institution.

Most banks have multiple physical locations, so the trick is to select a carrier once you understand all the available carrier options within your bank’s geography. Here are a few options to consider when choosing your bank’s network carrier:

Incumbent Local Exchange Carriers (ILECs)

ILECs are a definite consideration when choosing the best carrier for your bank. ILECs have the most extensive and established networks and own the vast majority of the outside physical plant (i.e., copper, fiber, etc.) within their territories.

The ILECs are essentially the remnants of RBOCs (Regional Bell Operating Companies), and enjoy a large portion of market share within their respective territories. Examples of ILECs include AT&T, Verizon, and CenturyLink.

ILEC Territory Example: Florida

See below for a map of the ILEC territories in the state of Florida:

[Figure: map of ILEC territories in Florida. Image from Geo Results.]

The various ILECs in Florida have territories that are not contiguous and are separated at times by great distances. These territories are also in a constant state of flux due to mergers and acquisitions. For example, Frontier recently purchased assets from Verizon in Tampa and the surrounding area.

Tip: ILECs compete well when the vast majority of your bank’s locations fall within their respective territories.

CLECs Should Be Considered As Well

Banks should also consider carriers other than ILECs that essentially offer the same services (MPLS, Internet access, etc.). Competitive Local Exchange Carriers (CLECs) compete with ILECs and often have better re-seller arrangements. CLECs are typically not as expensive when they have to use Type II access for your banks that fall outside their territories. Birch, Airespring, and Level 3 would all be examples of a CLEC.

Tip: There are many scenarios when a bank’s geography does not fit nicely with an ILEC’s footprint. There are definitely scenarios where CLECs are a better consideration for your bank’s network.



blueharbor bank Case Study



Read how blueharbor bank deployed their new WAN

blueharbor bank needed to improve their internet bandwidth and phone line capacity while minimizing network downtime to better connect all its branches.





Tip of the Iceberg – Even More Choices

Community Banks should also consider cable companies like Charter and Comcast. In some scenarios, they can provide an extremely cost-effective solution. There are also power company network providers and even small independent carriers.

Engineering Best Practice

Understanding carrier options that are presented by your bank’s physical locations is essential in maintaining a cost-effective solution. Carrier territories are in a constant state of flux, and banks need to fully understand their options to make a sound decision. Let Safe Systems help you with all the research, because when multiple carriers compete to be your bank’s network provider, you win.

Don’t Go It Alone!

IT budgets are shrinking, and IT staff is focused on other priority projects. Safe Systems has seasoned WAN and telecom engineers that will guide you throughout the process of choosing WAN carriers that best suit your bank’s unique needs. There are many choices and we can ensure you get the right solution for your bank’s unique technology needs. Explore WAN Communications services now.



7 Reasons Why Small Community Banks Should Outsource IT Network Management




This is a free white paper that addresses key issues smaller financial institutions face when managing their networks and the benefits of outsourcing these tasks to a provider who offers IT network management solutions exclusively tailored for community banks.



14 Nov 2016

What Community Banks Should Budget for in 2017


Many financial institutions are entering their 2017 budget season. Creating a budget is essential in helping you execute your strategy and plan for the future; however, any shortcomings, such as the ability to respond to changes in regulation or things you didn’t adequately plan for, can quickly derail your plans and force you to make critical trade-offs. As community banks and credit unions dive into this process, it is important to evaluate all areas and think outside the box on key IT, Security and Compliance budget items that are often overlooked. Since we work with more than 300 financial institutions just like yours, we are constantly researching what’s coming next, both from technology and compliance viewpoints, and offer some points for consideration in your budgeting for 2017.

In 2016, regulatory agencies have seemed to be more aggressive. We are consistently hearing from institutions that traditionally pass exams with ease that they have now been cited for new issues or have been asked to go above and beyond their normal remediation steps. We are now seeing that it is not uncommon for institutions to be cited for their handling of Cybersecurity Assessments, Business Continuity Planning and/or Vendor Management. 2016 was also the year of malware, and examiners are now focusing more attention on it as a pervasive problem in the industry. In addition, multiple institutions have been encouraged, if not “required,” to have a forensic analysis performed if the institution did not do a thorough job of performing their incident response procedures during a malware outbreak.

Often, once regulators cite an institution for one item, they dig deeper into other processes as well. Rarely have we seen an institution written up for one issue. The shift to a more proactive approach, including better preparation for and addressing of concerns or potential regulatory issues prior to an exam, is a much more efficient course of action and one that more financial institutions are adopting.


With these ideas in mind, here are some areas financial institutions should consider when budgeting for 2017:

  • Malware/Ransomware Layers:  $1,500 – $5,000

    While the price will depend on the layers you choose and how many you choose to add, you should really consider taking a more aggressive step in your fight against malware. If 2016 taught us anything, it is that malware, and specifically Ransomware, is back with a vengeance. More legitimate websites are unknowingly infected with malware and more emails are getting through with malware than in years past. Malware has also evolved into a more aggressive threat. It’s no longer characterized by simple aggravating popups and sluggish computers. It’s now encrypting all of the data on your machine, rendering it unusable. It’s gathering credentials of users, or even sometimes gathering documents and information on the machines themselves. Safe Systems has had more calls from both customers and non-customers about aggressive malware in 2016 than in years past and that trend looks to continue.

    Financial institutions should evaluate their current layers, their effectiveness, and what they can do to enhance their posture. This may mean more/different end user training, DNS Filtering, or actual implementation of anti-ransomware toolsets. Whatever course you choose, know that the battle to protect your data is real, and it is as important as ever.

  • Cybersecurity Policy and Incident Response Testing:  $4,000 – $7,500

    Cybersecurity has come under increased regulatory focus, and with the latest Cybersecurity Assessment Tool being released this year, it promises to be a hot topic for the foreseeable future. You need to make sure you keep your security, business continuity and vendor management policies and procedures up to date.

  • Business Continuity Planning and Testing:  $3,000 – $8,000

    You must ensure that your business continuity policies, procedures and practices are in compliance with constantly changing regulations. A business continuity plan (BCP) should be a living, functional document that keeps pace with any changes in your infrastructure, strategy, technology and human resources. Be sure to budget for the following:

    • BCP updated to meet current regulations
    • Annual plan testing to validate
    • Training for gaps found during test or updates to the plan

  • Robust Vendor Management Solution:  $2,500 – $5,000

    With financial institutions delivering more products via third-party vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become too cumbersome. An automated solution provides a more efficient, cost effective way to address this.

  • New and Replacement Technology:  $500 – $10,000

    Be sure that all products your vendors are “sun setting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:

    • Windows® Server 2003
    • VMWare ESX nodes 5.1 or lower (end of support August 24, 2016)
    • SQL 2005 or earlier instances (end of support April 12, 2016)
    • Domain replication from FRS to DFSR
    • Extending warranties on hardware more than 3 years old
    • VEEAM Backup & Recovery version to 8 or higher

  • Training:  $500 – $1,500

    Information security is an issue that not only affects your institution, its employees and Board of Directors, but also extends to your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. Make sure your employees and customers have access to the appropriate training commensurate with their needs. Information security knowledge and understanding affects all employees at some level, so ensure that your budget includes the appropriate training for each type of employee.

  • Vendor and User Conferences:  $1,000 – $1,800

    It is important to stay up to date with the latest features and industry changes. An effective way to achieve this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.

Some careful forethought in the budgeting process today can prevent you from having to make difficult decisions and trade-offs next year. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We encourage you to leverage our expertise as you develop your strategic plans and budgets for the coming year.







09 Nov 2016

How an Automated Solution Can Enhance Your Cybersecurity Posture


Our industry has seen the frequency and severity of cybersecurity attacks continue to increase, with recent attacks involving extortion, destructive malware and compromised credentials. In fact, according to the FDIC, Information Security Incidents were up 48% in 2014, and we expect similar increases this year. In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) in 2015. The assessment provides institutions with a repeatable and measurable process to inform management of their institution’s cybersecurity risks and preparedness.

What Do Examiners Expect You to Demonstrate?

While use of the CAT by financial institutions is voluntary, examiners expect all financial institutions to use some sort of framework or risk assessment process to demonstrate cybersecurity preparedness. This is important not only for the health of the institution, but also for the financial industry as a whole. Moreover, careful consideration of cybersecurity risk is absolutely critical when complying with regulatory requirements, as the new cyber elements will be added to future IT examinations. For many bankers, responding to an IT examination has become so time-consuming that it is essentially a full-time job. Having a user-friendly automated tool would certainly help streamline the assessment process, but to date, the FFIEC has not indicated that it intends to release an automated version of the CAT.

So, increasingly bankers are investigating their options when it comes to automating the assessment and reporting process. A well-designed automated solution should help financial institutions take a more informed, proactive approach to managing periodic FFIEC cybersecurity assessments. It should help bankers easily identify and resolve any cybersecurity gaps in an efficient manner, while also meeting examiner expectations. Such a solution enables the financial institution to collect, summarize, and report on its cybersecurity posture coherently (and consistently) and be better prepared for the actual IT exam.

Your cybersecurity compliance solution should enable your institution to:

  • Simplify the initial assessment by providing plain-English clarification for confusing questions;
  • Provide a way to actually track responses from one assessment to the next, which helps with reporting back to regulators in terms of consistency and in better articulating progress over time;
  • Develop thorough reports for the Board and other stakeholders, as well as a clearly articulated action plan;
  • Be more proactive vs. reactive in managing cybersecurity risks, by including items such as incident response testing and Board reporting;
  • Reduce the possibility of misinterpretation of information or questions, which can impact the accuracy of the entire assessment; and
  • Better understand or predict what to expect from regulators in the future.



An Automated Solution for Community Banks

At Safe Systems, we understand that managing cybersecurity has become very time consuming and stressful for financial institutions. To help streamline this process, we have developed Cybersecurity RADAR. This comprehensive compliance solution couples compliance expertise with access to our Enhanced Cybersecurity Assessment Tool (ECAT) application. We’ve transformed the FFIEC’s 123-page Cybersecurity Assessment Tool into a much more user-friendly digital interface. The web-based ECAT application is designed to capture and document periodic changes to an institution’s risk and maturity, empowering you to measure the state of your cybersecurity risks and controls within the FFIEC’s framework, and easily generate reports in preparation for Board meetings or exams.

In alignment with the ECAT, our compliance consultants will help you complete the assessment, identify and resolve cybersecurity gaps, complete cyber incident response testing, report to the Board, and train employees. This combination helps community banks and credit unions clearly demonstrate cybersecurity preparedness and ensure a smoother IT exam process.

26 Oct 2016

The Importance of Integrating Vendor Management and Business Continuity Planning for Community Banks


In today’s banking environment, most financial institutions rely on third party service providers (or vendors) to conduct business on a day to day basis. In fact, without the help of third party service providers, a bank’s ability to provide products and services to customers would be severely impacted. When banks choose to outsource key bank functions to a service provider, however, it creates a reliance on that third-party and exposes the institution to the risk of not being able to resume operations in a desired timeframe in the event of a disruption.

When creating a business continuity plan, financial institutions have to be able to account for all interdependencies within the institution and evaluate the risks. Interdependencies can be classified into assets, or things you own, and vendors, or things you outsource. The FFIEC recently issued new BCP Guidance in the form of an addendum to the IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers. The guidance requires institutions to have certain controls in place to mitigate these risks and discusses a few key points regarding the management of third party providers:

  • “Third-party management addresses a financial institution management’s responsibility to control the business continuity risks associated with its TSPs and their subcontractors.”
  • “Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.”
  • “Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.”

Why Does VM Come into Play When Talking About BCP?

As banks evaluate vendors, they are assessing several key elements, but mainly, the criticality of the product or service the vendor provides. In doing so, bankers should be asking: How important is this vendor to what we do? If they fail, how many of our services fail? Criticality is expressed in terms of Recovery Time Objectives (RTOs). Each bank must determine their own unique RTOs for their institution, and must also assign the same RTO to the third-party vendor. Banks then assign the criticality rating to the vendor based on the criticality of the service that the provider supports. This helps ensure the vendor is equipped to adequately perform their agreed upon task so the bank can conduct business as usual. If the provider is not up and running, then the bank can’t be up and operating either, at least not without work-arounds in place.

When doing BCP planning, the financial institution must look at all areas of the bank and the services and products provided – teller services, lending services, ATMs, accounting, etc. and identify all of the interdependencies or third parties necessary to make these services happen. BCP also looks at RTOs for the entire process. So, if the bank assigns an RTO of one day to the teller process on the BCP side then everything that process requires, including a third party provider, also now inherits that same RTO on the vendor side. There must be a tight cohesion between the vendor management process and the BCP.

Successfully integrating vendor management and business continuity planning is critical for financial institutions, especially when adhering to the FFIEC regulations and guidance. While this can be a tough assignment for bankers, it is a necessary process that has a direct impact on the health of the institution.




14 Oct 2016

When Disaster Strikes – BCP and Disaster Recovery Lessons in The Wake of Hurricane Matthew


Last week, we all watched as Hurricane Matthew unleashed its fury on the Eastern Seaboard of the US, disrupting thousands of businesses and organizations, and impacting millions of people’s lives. The damage that the storm inflicted underscores the importance of disaster planning and preparation – time and again, we see a stark difference in the reaction from businesses who have a disaster plan in place and those that don’t. The same applies to financial institutions, especially community banks and credit unions. The lack of proper planning and preparation could be particularly devastating for a bank in terms of disaster recovery, and is even more challenging for smaller community financial institutions who often lack the staff and resources of larger institutions.

When disasters like Hurricane Matthew strike, it is imperative that financial institutions implement their Business Continuity Plans and Disaster Recovery plans, as required by FFIEC guidelines. These plans are instrumental in outlining the specific steps and processes the institution must take to be prepared and efficiently recover from disasters or business interruptions.

Preparing for Natural Disasters and Similar Events

First and foremost, community banks and credit unions should have an existing plan in place and execute that plan when conditions dictate it. Beyond this, there are several additional steps we at Safe Systems recommend each financial institution take to adequately prepare for natural disasters and similar events, including:

  • Double check all backups and ensure offsite copies are up to date and working. If using an on premise backup solution, make sure all hardware and backups are moved offsite to a safe location.
  • Uninterruptible Power Supplies (UPS) are designed for short-term power outages. If expecting longer power loss, preemptively shut down servers and all IT equipment. If equipment is not properly shut down, it can result in failures and malfunctions.
  • Ensure the security of the server room. Make sure the server room is locked with separate key access and all equipment is secure.
  • Ensure everyone is following the procedures in the BCP and DR plans and is aware of the proper communication protocols and contacts.

Common Issues

Many banks today try to manage their own technology solutions, including backups, email systems and server management. Some outsource these responsibilities to local providers who may not be experts in the financial services industry. Some issues financial institutions may run into when working with a local provider include:

  • Email Outages

    Working with a local provider who hosts the email server locally means the server might be down due to possible power outages. This is also true if the bank hosts email internally.

  • Backups

    If backups are stored with a local provider, that provider is likely also affected by the storm, meaning they might also be suffering from damage and loss that they need to recover before being able to help their customers. Furthermore, if using an on premise backup solution, it brings into question whether backup media will be accessible and/or if it is damaged in the storm.

  • Evacuation

    As we saw last week, some communities may be forced to fully evacuate, which includes bank IT staff, and the staff of the local service provider. The true damage and loss won’t be known until they are allowed to return and start attempting to power back up.

Options for Outsourcing

These issues can be avoided when working with an IT service provider. Safe Systems is the leader in providing compliance-centric IT and security solutions exclusively to community banks and credit unions, and as such, we understand the unique needs each financial institution has when preparing for — and recovering from — a natural disaster. Financial institutions working with Safe Systems benefit from:

  • Remote and Secure Back-ups and Data Recovery Practices

    Our backups are in two redundant remote facilities making sure your data is always protected. In addition, our NetComply One solution provides proactive alerting when a backup has failed or has issues, allowing time to rectify the situation and ensure all information is stored appropriately. Also, we annually test our customers’ disaster recovery plans and the integrity of backups to ensure customers can recover files and networks as documented in their BCP.

  • Available Staff and Engineers

    No evacuated IT personnel! All IT personnel are able to handle situations remotely and our team is available to help 24 hours a day/7 days a week. In addition, during Hurricane Matthew, for any customers that may have been impacted, Safe Systems ensured additional engineers were available to help immediately.

  • Guidance

    With our unique CRM software, we were able to target our customers who might be affected by the storm. We contacted them to guide them through the preparation process and are on standby to help when and if issues arise. Also, this included verifying our customers had current backups by performing a thorough review of all protected systems.

  • Offsite Hosted Email

    SafeSysMail, powered by Microsoft Office 365™ email, eliminates the burden of running Microsoft Exchange™ internally; meaning email is not disrupted in the case of a natural disaster. As a vital part of your institution, your email solution needs to function smoothly and consistently in order to support your business functions, even during a disaster. Working with Safe Systems gives you access to an email solution that, while powered by Microsoft’s cloud email solution, is designed exclusively for financial institutions and includes extra layers of protection.

  • Continuum

    With our disaster recovery solution, Continuum, we can restore a bank’s technical environment remotely, giving them the ability to remotely access their network. Our colocation becomes the actual environment for clients, enabling them to run all their solutions from a remote location, our colocation facility.








You simply cannot prevent or anticipate every disaster, but proactively knowing where to go, who to contact and what critical functions need to be backed up and restored can provide confidence to you and your employees when responding to a disaster. Developing, implementing, and regularly testing disaster recovery and business continuity plans is crucial in today’s banking environment. At Safe Systems we have been working with banks and credit unions to manage their disaster recovery process for more than 20 years. Our hope is that it isn’t needed, but should it be, our proven experience enables us to provide the services and assistance necessary to ensure our customers are prepared for a disaster and able to quickly recover from one.

12 Oct 2016

Simplify Business Continuity Planning for Your Bank with a Structured and Repeatable Approach


A bank’s Business Continuity Plan (BCP) has evolved to become the crucial blueprint for guiding an institution through the process of recovering from a business outage. Examiners are looking at these plans closely to verify that banks not only have the right plan in place, but are also able to successfully execute it. Many banks choose to keep continuity planning in-house and manually develop their plans. With increased levels of regulatory scrutiny, innovative bankers are embracing technology to make BCP a more efficient and streamlined process.

Many institutions take a qualitative approach to continuity planning, and this requires coordinating meetings between various stakeholders to come to consensus decisions. To create a more efficient BCP process, bankers should be looking to implement an application that will help their financial institution follow the FFIEC-prescribed process and facilitate the collaborative elements of BCP. The end result should include a complete and comprehensive plan that meets regulators’ expectations and equips the financial institution to handle and recover from possible disasters in a timely and efficient manner. 



Enterprise Modeling – The First Step to a Successful Business Continuity Plan

Each bank has a unique operating model based on its specific services, organization, processes, and technologies. Before an institution can figure out how to sustain or recover operations, it must first have a thorough understanding of all the functions and processes that make up those operations. At Safe Systems, we refer to this information gathering step as Enterprise Modeling. This involves breaking the institution into departments (aka Functional Units) and determining the team members responsible for each of these areas. Each department is responsible for one or more business processes, and each of those processes is comprised of multiple functions.

Enterprise modeling can streamline the BCP process and give bankers the ability to assign those most knowledgeable with their department’s operations the task of developing the recovery plan. It is difficult (if not impossible) for a single individual to have all of the knowledge required to recover operations for every department and process. Involving additional people, if not managed properly, can create an even more complex process. By starting with an Enterprise Modeling step, the institution will directly map required functions to those individuals responsible for accomplishing those functions. Organizing the process in this manner will simplify the gathering of business recovery information from each department head, ensure that all processes are addressed, and help institutions develop a more accurate assessment of their risks.

Automating Your Bank’s Manual BCP Processes

Business Continuity Planning is cyclical and assessments should be revisited regularly. Automating repetitive portions of the BCP process eliminates the need to update cumbersome spreadsheets, and can carry over information from time-consuming data gathering and reporting activities completed in previous assessments. An automated BCP solution will help guide financial institutions through the entire process of BCP — from assigning department heads, documenting key activities, services, and applications, assessing critical recovery times, testing procedures, and staying on top of key updates related to the plan.


It is crucial to ensure the BCP will meet regulatory scrutiny while providing an efficient and simplified process for the institution. Community banks, in particular, should have a business continuity plan that is easy to understand, easy to use, and developed specifically for their institution. An automated application should provide the necessary structure to keep banks on track, but should also allow for customization as each institution sees fit.







At Safe Systems, we understand that BCP can be a very time consuming and stressful process for banks. To help streamline this process, we have developed a Business Continuity Plan application, BCP Blueprint, to help facilitate and automate the BCP process. This application helps financial institutions move from a pieced together set of recovery procedures to a cohesive enterprise-wide approach for continuity planning. The end result will include a complete and comprehensive plan that meets regulators’ expectations and equips financial institutions to better respond when disaster strikes. For more information please download our complimentary white paper, Taking Business Continuity Planning to the Next Level: A Better Way for Banks.

05 Oct 2016

Building Success in the Banking World – Safe Systems’ 2016 NetConnect Conference Recap


Safe Systems hosted its 2016 NetConnect Customer Success Summit on September 13th in Athens, Georgia. The theme of the three-day conference was customer success. Safe Systems brought together 73 financial institutions from around the country to hear inspiring keynote speakers, attend informative educational sessions, and obtain key banking industry insights designed to help them build the best financial institutions for their communities.

A key goal of this year’s conference was to provide our banking clients with the necessary tools and guidance to build successful institutions and meet stringent regulatory demands. Safe Systems presented a short tongue-in-cheek skit that began with an FDIC examiner knocking on the front door of a bank, ready to do a full analysis. The bank felt confident that it would meet the examiner’s expectations, but ended up with less than satisfactory results. The examiner emphasized the need for the senior management and board’s involvement in all areas of exam preparation to ensure success, including cybersecurity, vendor management, business continuity planning and more. This example became an important topic of conversation and a key point that Safe Systems highlighted throughout the day.

Sticking with the theme of success, Safe Systems’ President, Darren Bridges, provided opening remarks encouraging banks to not only know what they do and how they do it, but to also have a strong understanding of why. This is an important part of creating a successful institution because the “why” is what makes a bank stand out from competitors and connect with the critical needs of its customers. During the keynote session, Dr. Randy Ross gave an energetic and memorable speech on designing a remarkable culture within financial institutions. He emphasized that culture is the single most important differentiator for community banks and sets the tone for how customers interact with the institution.

Safe Systems’ vice president of Compliance, Tom Hinkel, rounded out the day’s activities with an engaging presentation, where he highlighted some of the compliance challenges banks are facing today and provided helpful advice on how they can successfully manage this complex function.

Customer feedback sessions during the conference provided insights into current IT, security and compliance issues and trends bankers are most interested in and helped to identify areas where they will need the most support. Community bankers today wear many hats, and it can be daunting to keep up with all of the changes occurring in the world of IT. One big concern for bankers at the conference was being able to manage networks effectively and ensure that all activities are running smoothly for their institutions. Other major topics included understanding cybersecurity, managing new regulations, providing proper IT training for employees, and communicating effectively on IT issues with the board and senior management at the bank.







Safe Systems also worked to create an atmosphere where customers could exchange ideas and learn more about the latest technologies and services in the financial services industry. The conference featured many trusted partners and vendors, who either sponsored the summit, exhibited during the trade show, or both. These companies included:

  • Thigpen, Jones, and Seaton
  • Banc Intranets, LLC
  • Consolidated Banking Services, Inc.
  • Rebycsecurity
  • iTransit Solutions
  • Porter Keadle Moore, LLC
  • Bitdefender
  • Jack Henry & Associates
  • CashTrans
  • ATM Response
  • Kaseya
  • Intronis

Overall, last month’s NetConnect Conference was an engaging and educational experience where bankers received invaluable knowledge and advice regarding technology, compliance, and security. Safe Systems continues to enhance its products and services to help community banks strengthen their businesses and build success! We look forward to the next event to grow and create new opportunities for our clients.

28 Sep 2016

New IT Examination Procedures Impact Banks – Business Continuity Planning Becoming More Important Than Ever!


Over the coming months, FDIC-examined institutions will phase in new IT examination procedures, the first major overhaul since December 2007. The new format is called the InTREx program (Information Technology Risk Examination), and is designed to provide a more uniform and less subjective examination experience. The new format has cut the pre-examination questions nearly in half. Don’t be fooled though, this will not make for an easier exam, as these questions are more open-ended than a simple “Yes” or “No.” What the InTREx doesn’t cover in the pre-exam phase, it more than makes up for in the on-site examination.

This new process is a much more granular process, requiring a deeper analysis by the examiner, which in turn puts a greater burden on the bank. Proper documentation will often make the difference between a satisfactory and a less than satisfactory assessment. This means institutions must be adequately prepared for a more thorough and time consuming examination. One area the new IT examination procedures heavily reference is business continuity planning (BCP).

Business continuity planning has become a very important aspect of a bank and credit union’s successful IT exam and compliance rating. Business Continuity Planning is the process of creating systems and processes that provide resilience to, and recovery from, potential non-specific threats to a financial institution. Such events that could negatively impact normal operations include all man-made and natural disasters, such as failure of equipment, loss of or damage to critical infrastructure, and malicious cyber activity. Auditors and examiners are scrutinizing BCP processes more closely, specifically looking to verify that the institution’s methodology and plan structure closely adhere to the regulatory guidance.







In addition to the new FDIC procedures, the FFIEC has also made some significant guidance changes, specifically updating the Business Continuity Planning Handbook. The FFIEC has increased its focus on cybersecurity resilience and recovery as well as important interdependencies such as third-party providers.

There is also significant overlap between the elements in the InTREx program and the FFIEC’s Cybersecurity Assessment Tool (CAT), which means that actions taken to strengthen cybersecurity control maturity will also strengthen overall IT controls. The CAT dedicates an entire section to cyber resilience, a concept which encompasses elements from both BCP and incident response. These new examination requirements prove that business continuity planning has become a crucial element of a financial institution’s cyber resilience strategy and overall information security program.

Events of the past 10 years have significantly increased the need for attention to emergency preparedness within financial institutions. In the last decade, we have seen an increased dependence on technology and third party vendors, business disasters such as power outages and connectivity issues, as well as severe natural disasters like hurricanes, tornadoes, and floods. Community banks must have a comprehensive business continuity plan in place to successfully face these unique and unexpected challenges and ensure the institution can recover business operations quickly and efficiently.

At Safe Systems, we understand that BCP can be a very time consuming and stressful process for banks. To help streamline this process, we have developed a Business Continuity Plan application, BCP Blueprint, to help facilitate and automate the BCP process. This application helps financial institutions move from a pieced together set of recovery procedures to a cohesive enterprise-wide approach for continuity planning. The end result will include a complete and comprehensive plan that meets regulators’ expectations and equips financial institutions to better respond when disaster strikes. 


For more information please download our complimentary white paper, Taking Business Continuity Planning to the Next Level: A Better Way for Banks.

23 Sep 2016

Banks Beware: Not all Clouds are Created Equal


Many banks today are finding the cloud to be very appealing for their business objectives. Cloud services offer many benefits for banks, including reduced IT ownership costs, system standardization, centralization of information, the simplification of IT management and the built-in ability to stay up to date with technology updates and vendor software releases. In order for cloud services to be implemented successfully, financial institutions need to consider and understand the different types of cloud environments that are available.

Today, cloud computing can be implemented in three different ways: public clouds, private clouds and hybrid clouds. Each approach requires different levels of security and management based upon the applications involved and the nature of the data, government regulations and compliance issues at stake. Let’s take a closer look at the different options available for cloud services.

Public Cloud

A public cloud is a multi-tenant technology platform that any organization with a credit card, including banks, manufacturers and retailers, can sign up for and consume the needed technology resources. The purest definition of a public cloud, for example, would be a service like Amazon Web Services or Microsoft Azure. Community banks that select this option for cloud services can easily put any application they choose into the cloud. Many financial institutions choose this option because it is inexpensive to set up and to use the service. All hardware, maintenance and communication costs are covered by the provider, allowing banks to utilize a pay-per-usage model where the only costs incurred are based on the IT capacity that is used.

While public clouds are the lowest direct expense option for IT assets, they do pose some limitations. Custom configuration, security, and specific SLAs can be hard to implement in this model, which poses challenges for financial institutions due to the regulations governing data security and compliance.

Private Cloud


Private clouds deliver similar advantages to public clouds, but with additional layers of security and required regulations for financial institutions. Unlike public clouds, which deliver services to multiple organizations using a multi-tenant technology platform, private clouds have been modified by providers to offer unique features and controls designed for the specific needs of vertical markets such as financial institutions. The hardware, data storage, and networking are customized to ensure higher levels of security and eliminate compliance and data privacy issues.

The goal of a private cloud is to gain the benefits of cloud architecture without giving up the control financial institutions have in maintaining their own data center. However, there is a price for this. It is going to be more expensive and harder to implement a private cloud service than a public cloud approach for the average small-to-medium sized community bank.

Hybrid Cloud

In a hybrid cloud environment, banks can choose to have some legacy applications and supporting IT assets remain on premise and some applications move to a cloud provider, while supporting communication between the two technology platforms.

Using a hybrid approach enables banks to migrate select IT assets to the cloud while still maintaining the internal assets required to manage certain legacy applications that are not yet ready to move to the cloud. By allowing workloads to move between the on premise and cloud computing platforms, banks have access to greater flexibility and more data deployment options as needs and costs change.

The Ideal Environment for Banks

Each bank has a unique corporate strategy that will guide how they move to the cloud, what type of cloud solution is best for their environment and what specific technology assets should be moved to the cloud. While the idea behind moving to the cloud is to eliminate servers, internal infrastructure, and applications that must be physically hosted inside your bank, as well as the associated work required to manage each one, there should be a process to determine the appropriate cloud solution for your institution.

Evaluating the various cloud options can be daunting for community banks. Working with a financial industry IT network service provider, such as Safe Systems, can help you with the decision process as well as the design and move to the cloud while ensuring the solution and applications are compliant and meet regulatory expectations. We work with each institution to create a plan, based on their goals and strategies, to determine what can and should be moved to the cloud. Ultimately, moving IT assets to the cloud enables your bank and IT executives to focus on the key capabilities that support your bank’s unique strategy and lets bankers go back to being bankers!

07 Sep 2016

TeamViewer Hacks Remind Banks to be Vigilant – Best Practices for Banks Using Remote Access Solutions

Like many organizations today, many community banks use remote login technology, a service or software that allows individuals to log into their computers from remote locations. With such remote access solutions, bank employees have the ability to access a computer or a network from a different branch, while traveling, or when telecommuting from home. Remote control tools also allow external IT service providers and vendors to provide support and service to their applications quickly without the hassles of a site visit. While remote access software is most definitely convenient, it also introduces security issues that need to be top of mind for banks.

This has become even more apparent in light of a recent security event with TeamViewer, the maker of a cloud-based remote control solution. TeamViewer experienced a significant data breach where malicious actors were able to take control of users’ computers through their TeamViewer accounts, and, in some cases, steal personal details such as bank and PayPal account information.

It seems the cause behind this breach is unclear. TeamViewer is claiming it was compromised through a cluster of recently exposed megabreaches involving more than 642 million passwords belonging to users of LinkedIn, MySpace, and other services. These third-party breaches were linked to TeamViewer accounts through the “carelessness” of TeamViewer users who, the company claims, used the same IDs and passwords across multiple sites and services; thus, when these recycled credentials were exposed elsewhere, the bad guys simply had to copy/paste stolen username and password information until they found valid credentials. In addition, TeamViewer also claims that many of its users did not take the time to set up and activate dual factor authentication features. Dual factor authentication strengthens account security by requiring a token in addition to username and passcode information.




FFIEC Guidance Around Remote Access Solutions

While remote access solutions are becoming more popular, the FFIEC has clear guidance around remote access to systems. Primarily, the guidance states that financial institutions should disallow remote access by policy and practice unless there is a compelling business justification for its use. A “compelling business justification” is a tough standard, but most banks do use some form of remote control. For instance, many banks work with vendors that require remote access in order to access their services and provide support. If your institution deems remote access a necessity, then here are a few best practices a bank can implement to ensure their system is secure and compliant with FFIEC guidance:

Best Practices for Banks Using Remote Access Solutions

  • Maintain a detailed log of who is accessing the system, when the system is being accessed, and from where
  • Audit applications on workstations to check for anything that might not look normal
  • Do not use a free remote access platform
  • Remote access solutions should be initiated by the bank directly, and not a third party
  • Ensure there are triggers to deny access and control of the solution
  • Passwords for remote access accounts should change every sixty days, or less. For more information on password safety, review our blog, Creating Strong Passwords to Protect Your Community Bank
  • Review remote control logs regularly and look for login activity originating from unknown accounts or occurring during off-hours. These reviews can be done monthly or quarterly, depending upon the amount of use.
  • Have vendors use applications that remove themselves upon completion of the session.
  • Ensure remote users are fully disconnecting when their task is complete
  • In firewalls, only white list specific IP addresses from which support is going to come
  • Utilize dual factor authentication whenever possible
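One way to automate the log review described in the list above, as an added example that is not part of the original post or any vendor's tooling: it flags session starts from unknown accounts, from addresses outside the firewall allowlist, and outside business hours. The CSV layout, account names, networks and hours are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from datetime import datetime, time

# Everything below is constructed for illustration: the CSV layout, the
# account names, the allowlisted networks and the business-hours window.
APPROVED_ACCOUNTS = {"jsmith", "vendor-core-support"}
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.0/28")]
OPEN, CLOSE = time(7, 0), time(19, 0)  # Monday-Friday, local time
FIELDS = ["timestamp", "account", "source_ip", "event"]

SAMPLE_LOG = """\
timestamp,account,source_ip,event
2016-09-06T09:14:02,jsmith,10.20.4.17,session_start
2016-09-06T14:30:45,vendor-core-support,203.0.113.5,session_start
2016-09-07T02:41:10,jsmith,10.20.4.17,session_start
2016-09-07T11:05:33,svc-remote,10.20.8.2,session_start
2016-09-08T10:22:19,vendor-core-support,198.51.100.77,session_start
2016-09-08T10:40:00,vendor-core-support,198.51.100.77,session_end
2016-09-10T13:00:00,svc-remote,192.0.2.44,session_start
not-a-date,jsmith,10.20.4.17,session_start
"""


def is_off_hours(when):
    """True on weekends or outside the OPEN-CLOSE window."""
    return when.weekday() >= 5 or not (OPEN <= when.time() < CLOSE)


def review_sessions(log_text):
    """Return (line_number, account, reasons) for every session start that needs a look."""
    findings = []
    reader = csv.DictReader(io.StringIO(log_text))
    for row in reader:
        line_no = reader.line_num
        # Short or over-long rows cannot be trusted; surface them instead of skipping.
        if set(row) != set(FIELDS) or None in row.values():
            findings.append((line_no, row.get("account"), ["unparseable record"]))
            continue
        if row["event"] != "session_start":
            continue
        try:
            when = datetime.fromisoformat(row["timestamp"])
            source = ipaddress.ip_address(row["source_ip"])
        except ValueError:
            findings.append((line_no, row["account"], ["unparseable record"]))
            continue
        reasons = []
        if row["account"] not in APPROVED_ACCOUNTS:
            reasons.append("unknown account")
        if not any(source in net for net in ALLOWED_NETWORKS):
            reasons.append("source not on allowlist")
        if is_off_hours(when):
            reasons.append("off-hours login")
        if reasons:
            findings.append((line_no, row["account"], reasons))
    return findings


if __name__ == "__main__":
    for line_no, account, reasons in review_sessions(SAMPLE_LOG):
        print(f"line {line_no}: {account}: {', '.join(reasons)}")
```

Records that cannot be parsed are reported rather than dropped, so a truncated or tampered log line still reaches the reviewer.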

What Banks Should Look for in a Remote Access Solution

While there are many remote access solutions on the market today, banks should look for solutions that have proven security measures in place. First and foremost, the solution should provide strong session encryption. In order to provide a paper trail, the solution should offer detailed logging of session details. The remote control you choose should also have a handful of additional authentication requirements, including the option to implement dual factor authentication, granular permissions that require the bank to provide specific approval for each individual support representative, and the requirement that all users have a registered account in order to access the network.

While none of our clients using TeamViewer have been hacked, the fallout has served as a reminder that banks must remain vigilant when it comes to the security of all remote access solutions they use. Enforcing security policies and access controls for employees, external IT service providers, and vendors is challenging, but when individuals have privileged access to your bank’s networks and systems, you need to ensure those accounts are managed in a secure, auditable and compliant way.

17 Aug 2016

4 Steps for Moving Your Community Bank’s Server Workloads to the Cloud

More and more organizations are moving line of business and ancillary systems to the cloud including community banks and credit unions. Moving applications to the cloud is a way for financial institutions to control spending, ensure compliance with regulations, and enable employees to focus on revenue generating activities. Cloud outsourcing may start with specific IT functions or processes such as disaster recovery, backup and network servers.

Today, core banking services are almost exclusively hosted from the cloud. The in-house servers, or the servers running ancillary systems, consist of lending applications, Microsoft applications, internal accounting applications, and voice response systems, among others. There is a lot of infrastructure involved in managing all the applications needed to run an efficient and successful financial institution.

While the cloud has proven to be beneficial for banks by enabling the limited in-house personnel to focus on core strategic initiatives instead of worrying about IT infrastructure, there are steps all financial institutions must follow. Here are four things to consider before moving your bank’s critical data to the cloud.

Support Your Bank’s Corporate Strategy

Each bank has a unique corporate strategy that is driven by its market situation, such as the desire to expand services offered, open new branches, merge with another institution or even to be acquired. This strategy will guide how and what should be moved to the cloud.

Catalog the Application Opportunities

Before moving to the cloud, your IT team must understand the requirements of the applications that are being used. Evaluate the IT infrastructure that must exist to provide each application and determine how to minimize the amount of IT assets that are needed internally. Then, the applications that can be moved to the cloud can be identified.

Determine the Best Cloud Service for your Bank

The idea behind moving to the cloud is to eliminate servers, internal infrastructure, and applications that must be hosted inside your bank, as well as the associated work to manage each one. This enables your IT team to work on higher value, strategically critical projects.

There are three options to do this:

  • Simply move your servers to a co-location facility or data center. This can be an attractive option since it does not require extensive configuration changes to applications and servers, but moves these critical assets out of the bank building to a highly available datacenter.
  • Move to an Infrastructure as a Service (IaaS) model, which means that instead of physically moving servers that you own, you pay a service provider to lease out the server capacity you need. You access the servers remotely to install, run, and maintain your applications. This can be a challenging option. It can be rather expensive, and the financial institution and IT personnel are still required to manage the process and technical specifications. IT personnel must reinstall all applications in a new environment and change all networking at the same time, which is a cumbersome and time consuming process to manage.
  • Rather than setting up additional infrastructure, banks are turning to the Software as a Service (SaaS) model, which is a software licensing fee and delivery model in which software is licensed on a subscription basis and is centrally hosted by the application software provider. This often enables financial institutions to run their applications from a browser, is supported by the developer and has no additional infrastructure to maintain.

Develop a Phased Approach

Long term, banks should consider moving all of their applications to the cloud, and most of the applications are ready to do so today. The migration should be completed in multiple phases, enabling a smoother transition. However, the applications that are not technically ready should not be forced to move as this can cause unnecessary complications and technical issues. Today, financial systems and even Microsoft solutions are cloud-based.

While the benefits of cloud computing — improved efficiency, scalability, cost, reliability, improved access, consistent security and compliance and compensation for limited in-house resources — are clear, making the leap to these services can be challenging and a daunting task for some community banks. Working with an outsourced service provider, such as Safe Systems, can help with the process, design and installation while ensuring the systems are compliant and meet all regulator expectations. Our cloud services are built specifically for community banks. With focus on regulatory guidance and compliance, we do extensive and rigorous vendor management vetting of all cloud providers before we offer or recommend a provider or service. We have more than 20 years’ experience offering products and services exclusively to community banks and credit unions. Safe Systems helps financial institutions to significantly decrease costs, increase performance, and improve their FFIEC compliance posture. Working with Safe Systems lets bankers go back to being bankers!





10 Aug 2016

Reduce the Stress of Your Bank’s IT Exams

Financial institutions are governed by stringent regulations, including strict guidelines for the institution’s information security program. Institutions must undergo regular audits, both internal and external, to help ensure their control environment is sound and compliant. These audits ultimately help the institution prepare for when the examiners come knocking. Regulatory agencies conduct these IT exams to determine if the institution’s policies and procedures are sound, and if daily practices are in line with those standards. Rarely are these experiences fun or care-free.

The IT audit and examination processes can both be very time consuming and stressful for security officers, IT Administrators, and the institution’s executives. IT audits, while invaluable, may result in a laundry list of suggested improvements, most of which come with a price tag. Senior management must decide which suggestions are worth the investment and which constitute acceptable risk. Then, they must be able to defend that position to examiners.

Recent developments, including the FDIC’s introduction of the Information Technology Risk Examination (InTREx) Program, emphasize that it is not enough to have a solid Information Security Policy and procedures. Today’s examiners are requiring ever-increasing amounts of documentation as evidence that your institution is indeed doing what your policies and procedures promise. Financial institution IT professionals, already tasked with the full-time job of keeping systems up and running, are also asked to help the Information Security Officer gather volumes of documentation that make up this paper trail.

Without help, this regulatory burden can be a major challenge for smaller community banks and credit unions that lack the resources and experience to adequately meet ever-growing regulatory demands. However, there are some steps these smaller institutions can take to ease the stresses associated with this near-constant scrutiny.

Be Proactive – Conduct IT Self-assessments

To help ensure better results on bank IT audits and examinations, all financial institutions should complete periodic (quarterly) control self-assessments that enable management to gauge the state of IT performance, system status, and emerging risks. These proactive IT self-assessments are essential for ongoing monitoring of security controls and ensuring prompt corrective action of significant deficiencies. These regular reviews are not just beneficial, they are also mandatory. FFIEC guidance dictates that financial institutions perform regular self-assessments to “validate the adequacy and effectiveness of the control environment.”

At Safe Systems our strategic advisors work with each client to perform quarterly technology self-assessments. While this assessment helps the institution ensure all things related to IT network technology controls are working and up to date, it also serves as time for the strategic advisor to educate bank personnel on new or changing government regulations. This helps the bank to remain in compliance and sets the institution up for success in audits and exams.

Auditor feedback from our clients indicates that financial institutions that work with experienced IT outsourcing vendors and have an effective internal self-assessment process in place generally demonstrate a much more evolved risk management process and have a smoother IT audit. Simply put, this results in fewer, and less severe, audit findings. These institutions tend to identify, correct and control weaknesses prior to an audit, as opposed to waiting for the auditor to identify them. Since one of the first things the examiner wants to see when they arrive is the most recent IT audit, this often results in fewer examination findings as well.




Automate Reporting for IT Examinations

Documentation and reporting make up the paper trail that examiners are looking for to help validate your information security program. Being able to provide comprehensive reports that are easy-to-understand and provide clear and concise summary information is vital to any IT audit or exam. You may be asked for documentation on who is involved in technology reviews, frequency of meetings, minutes from each meeting, IT issues the bank is addressing, technology inventory management, patch management reports, testing policies and procedures, and disaster recovery plans, to name a few. These reports can be a time-consuming hassle to generate. However, with a financial institution specific reporting solution in place that automates the process and provides detailed on-demand reports, financial institutions can easily generate much of the appropriate documentation in a time efficient manner.

Preparing for an IT audit or exam can certainly be a headache! However, working with Safe Systems can provide your bank with peace of mind because by the time the examiner gets there, you are well prepared and can feel confident of the upcoming exam result. Safe Systems provides financial institutions with a trusted resource and technology advisor, leading to improved IT audit and examination ratings. With an experienced IT services provider, bankers can get back to the business of banking while compliance-oriented IT professionals work to ensure network components, servers and workstations are operating properly and securely; all while helping to ensure that your institution is meeting regulatory requirements.

03 Aug 2016

Advice on Adding New Applications to Jack Henry Core Banking Systems

Let’s face it, keeping up with evolving banking applications, meeting customer and regulatory demands and managing and securing a network can be a huge challenge for any financial institution, especially community banks. Today, in an effort to bring customers the best features and options banking technology can provide, banks are adding applications to their networks that must integrate seamlessly with their core banking system. Each core has its own complex product matrix comprised of layer upon layer of acquired companies and products. Because of this each core has its own specific application set and standard practices, most of which have been developed in separate silos from each other.

As a result, we typically see the core-provided solutions built in a modular fashion requiring little to no analysis of the existing environment. This can result in a disjointed network comprised of extraneous hardware and licensing that are difficult to manage and do not fit into the bank’s future strategic plans. Working with an independent IT provider who understands core providers can be a huge benefit when it comes to incorporating new core systems into the existing network and wider vision for the network’s growth.

As a Jack Henry customer you may have first-hand experience overcoming some of these same hurdles. With over 100 Jack Henry clients, Safe Systems has implemented many of the JHA and various Profitstar applications in many different environments. Here are some suggestions to help you identify and avoid common implementation challenges in the future:

Adapt Your Network Configuration to Support New Applications

When you are adding an application to your network, the core will often require that the application be housed on its own designated server. They will often quote you physical hardware for the application to reside on, as this fits their modular, one-size-fits-all mentality. Depending on your network infrastructure, new designated servers and/or suggested physical hardware may not be necessary to support the new application. Be sure to review your bank’s specific network configuration before licensing or acquiring any new hardware. This review can be a challenging endeavor unless you have a team familiar with both the product requirements and the existing network configuration.

Once you determine the optimal set up and new servers are required, there are many tasks that must be performed to ensure they are being managed properly. These servers must be set up on the network and added into the bank’s inventory of technology assets. They must also be enrolled in a credible patch management program and accounted for in the network disaster recovery plan and backup process. Working with an experienced bank IT network provider that has a holistic view of your entire network will help ensure you are not purchasing and running unnecessary hardware and that you avoid creating network management issues.

Ensure Compliance and Security Day One

What happens after new products and services are implemented in the bank? All new applications must be secure and in compliance with FFIEC regulations (How will this impact business continuity planning? How does it factor into the incident response program?). The right outsourced IT provider should have teams that work extensively with the core provider and the bank to ensure the new product is implemented correctly at the bank and meets all operations, compliance and security objectives.

Ensure Patch Management Out of the Box

Patch management is more important than ever! The lack of an effective patch management process has contributed significantly to the increase in the number of security incidents in financial institutions. An effective patch management program should include policies and procedures to identify, prioritize, test and apply patches in a timely manner. The longer that a system remains unpatched the more vulnerable the institution becomes. If you choose to work with an outsourced service provider, be sure they can offer your institution a comprehensive patching program that delivers quick, accurate, and secure patch updates to all applications. This process will help mitigate the multiple risks associated with running unpatched programs and automate the time-consuming process of testing and deploying new patches.




Get The Right Help

Working with an experienced outsourced IT provider such as Safe Systems helps ensure your integration with Jack Henry core systems will be smooth and efficient. Safe Systems is a banking-specific technology specialist with more than 20 years in the industry and relationships with more than 600 financial institutions. We have a unique understanding of critical components such as Jack Henry core processing, 3rd party banking applications, financial industry best practices, information security, business continuity and FFIEC guidance.

We have been working with and supporting more than 100 Jack Henry core banking clients for more than 20 years. This experience has provided us with a thorough understanding of Jack Henry’s core banking solution, best practices for working with the solution and how to efficiently add applications in a secure environment. Our holistic approach to financial services ensures our financial institutions are running an efficient and secure network.

27 Jul 2016

10 Questions Every Community Bank Should Ask Before Implementing New Applications on Jack Henry Core Platforms

For community banks to remain competitive today, they must continually add or upgrade applications and solutions to their networks that integrate seamlessly with their core banking system, such as Jack Henry. If you are considering making a change, it is important to first understand the impact it will have on your existing IT environment (including costs associated with physical equipment, security and regulatory compliance).

To help you avoid unnecessary mistakes, we have prepared some pertinent questions to discuss before you start the project.

10 Questions to ask before Jack Henry Application Implementations:

  1. What proprietary software do we have in place that will be affected by the change?
  2. Is the proposed implementation of this application modular (i.e. one size fits all) or is it being implemented in a way that fits into my specific network design?
  3. Are we getting the best or even competitive pricing on licensing, hardware and installation or should we seek comparison quotes?
  4. Can I implement this application on a virtual platform to enhance fault tolerance, replication and recovery capabilities?
  5. Is our current network sufficient and can it handle any increase in demand on existing resources?
  6. How will this change affect our Business Continuity Plan and procedures?
  7. How will this change impact our cybersecurity posture?
  8. Can our current data replication and back up process handle this change or will we need to modify these capabilities at additional expense?
  9. What amount of time, expense and other resources will it take to train our IT staff and maintain their skills to support the new application?
  10. Do we need help evaluating our current IT environment to help us identify and minimize unforeseen impacts resulting from this change?

Today’s community bank IT administrators have a very challenging and time consuming role! They must stay abreast of ever-changing banking applications and regulatory compliance requirements and maintain complex multibranch networks, while also meeting customer and board of director demands and expectations. Before implementing a new JHA core application, you should consider working with an outsourced IT provider who understands the Jack Henry software suite.

Safe Systems supports over 100 Jack Henry banks

Safe Systems has been providing IT, security and compliance services exclusively to community banks and credit unions for more than 20 years. We know from experience that the specific needs of financial institutions differ significantly from other network installations. Leverage our expertise to better understand:

  • Best practices for implementing and supporting Jack Henry Banking core applications
  • How to efficiently add banking applications in a secure environment
  • Security factors and FFIEC regulations
  • How to configure and install servers, backup solutions and fault tolerant host connectivity

Through our years of working with Jack Henry’s core solutions, we have built an extensive base of knowledge to effectively support banks who rely on a wide variety of Jack Henry core banking applications. We have a proven track record of implementing a diverse set of ProfitStars’ banking solutions, including Synergy Enterprise Content Management, Yellow Hammer’s BSA™ compliance solution and ArgoKeys® LendingKeys™ branch sales automation platform successfully throughout our diverse Jack Henry customer base.

Working with an outsourced IT provider who truly understands Jack Henry solutions can be a huge benefit when it comes to managing your network and adding the banking applications that ensure your organization is competitive in today’s challenging financial marketplace.

20 Jul 2016

The Need for Proper Patch Testing

All software applications require updates (or patches) from vendors to keep these applications safe and secure, which means all financial institutions need to have an efficient and effective patch management program in place. One of the main components of an effective patch management program is patch testing. All patches should be carefully evaluated and tested prior to deployment to ensure new features introduced will not cause problems for your bank.

Without a proper patch testing procedure in place, financial institutions open themselves up to serious security breaches and compliance issues. The natural reaction is to make sure that all patches are installed as soon as they are released, but effective patch management is not that straightforward.

Patches are not always perfect. When providers attempt to fix one problem, they may inadvertently break something else. A bad patch can break a financial institution’s applications and disrupt daily processes that could ultimately impact the customer experience. A recent Forbes article highlighted the potential downfall of rushing patches to production devices. The piece detailed how many organizations that automatically installed the latest Windows 7 update to their systems experienced significant problems, including not being able to start or reboot their PCs. With a patch testing process, these situations could have been avoided.

How to Test Patches

To effectively test patches, banks should put together a test group in their own environment that is a representative sample of all the types of machines and applications in use. This test group should receive newly-released patches before they are rolled out to the entire financial institution network. This helps your institution verify that a patch will not cause more problems than it is worth and prevents the majority of devices from receiving bad patches.

Aside from the practical reasons for testing patches, there is also a regulatory compliance element. Having a test group is a minimum requirement according to the FFIEC guidance on patch management.
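One way to pick such a test group from an asset inventory, as an added example that is not from the original post: a greedy selection that keeps adding the machine covering the most operating systems and applications not yet represented, plus a check for when the group has drifted from the fleet. The inventory records and field names are constructed assumptions.

```python
# Constructed inventory: hostnames, operating systems and application names
# are illustrative only, not taken from the article or any real network.
INVENTORY = [
    {"host": "TELLER-01", "os": "win7", "apps": {"core-teller", "office"}},
    {"host": "TELLER-02", "os": "win7", "apps": {"core-teller", "office"}},
    {"host": "TELLER-03", "os": "win10", "apps": {"core-teller", "office"}},
    {"host": "LOAN-01", "os": "win10", "apps": {"lending", "office", "pdf-reader"}},
    {"host": "LOAN-02", "os": "win7", "apps": {"lending", "office"}},
    {"host": "ACCT-01", "os": "win10", "apps": {"accounting", "office"}},
    {"host": "SRV-FILE", "os": "server2012r2", "apps": {"backup-agent"}},
    {"host": "SRV-APP", "os": "server2012r2", "apps": {"lending-server", "backup-agent"}},
]


def traits(machine):
    """Every 'type' a machine represents: its OS plus each installed application."""
    return {("os", machine["os"])} | {("app", a) for a in machine["apps"]}


def select_test_group(inventory):
    """Greedy set cover: keep adding the machine that represents the most
    traits not yet in the group until every OS and application is covered.
    The result is small, though not guaranteed to be the minimum."""
    remaining = set().union(*(traits(m) for m in inventory))
    pool = sorted(inventory, key=lambda m: m["host"])  # deterministic tie-break
    group = []
    while remaining:
        best = max(pool, key=lambda m: len(traits(m) & remaining))
        group.append(best["host"])
        remaining -= traits(best)
    return group


def uncovered_traits(inventory, group):
    """Traits present in the fleet but missing from the test group, for
    example after a new application is installed or a test machine is retired."""
    by_host = {m["host"]: m for m in inventory}
    covered = set().union(*(traits(by_host[h]) for h in group if h in by_host))
    fleet = set().union(*(traits(m) for m in inventory))
    return fleet - covered


if __name__ == "__main__":
    pilot = select_test_group(INVENTORY)
    print("test group:", pilot)
    print("gaps:", uncovered_traits(INVENTORY, pilot))
```

Re-running `uncovered_traits` whenever the inventory changes shows when the test group no longer represents the fleet.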




Automated Assistance with Patch Management

Many banks and credit unions find managing patches and maintaining the appropriate settings for patches to work properly challenging and time consuming. This challenge has hindered many banks from having a stellar program, which has led to less than desirable patch scores. When auditors and examiners come to your institution, you want to ensure that all of your devices are up to date.

Automating the critical patch management process enables banks to gain efficiencies in the back of the house by significantly reducing time spent manually patching all systems within the institution. IT staff can use the time previously spent on menial patching tasks to focus on profit-generating activities that drive business forward. Additionally, automated solutions operate 24/7 and are less impacted by human error or employee absence, leading to increased security and a better overall compliance posture.

Working with an outsourced service provider, such as Safe Systems, provides a comprehensive patching process that delivers quick, accurate and secure patch updates to all workstations and servers, while mitigating the multiple risks of running unpatched programs and automating the time-consuming process of testing and deploying new patches. Safe Systems maintains all the settings required for patches to work, which diminishes administrative overhead and testing time. Furthermore, we are able to leverage our scale to create a massive pool of test devices across a broad spectrum of environments. This allows us to test patches far more thoroughly than any other financial institution partner, and results in less downtime for all customers due to problem patches. Safe Systems’ financial institution focus means we test against the top core provider applications, and can quickly detect when a patch causes issues with these programs.

Timely and well-controlled patch management is a vital element of a comprehensive Information Security program. By partnering with Safe Systems, you can avoid the pitfalls of poor patch management, benefit from our efficiencies and enhance your institution’s security.

11 Jul 2016

The Real Cost of Hosting Your Bank’s Email Server and Why Outsourcing Is More Cost Efficient

Cost and efficiency are the two aspects of a product or process that any community financial institution must balance as it strives to find middle ground that satisfies stakeholder needs without breaking the budget. Email is no exception to this rule. Email has long been seen as a free communication tool. However, this free communication tool can easily end up costing $50,000 over a 5 year period. When email started it was a “nice to have,” but it is now a key part of communication and business processes. In fact, email has morphed into such a “must have” that email system sluggishness, instability, or downtime is not an option for most institutions.

What makes email so expensive?

Over a five year period, financial institutions that host email internally have costs related to:

  • Server-Hardware
  • Licensing
    • Client access licensing
    • Server OS license
    • Microsoft Exchange license
  • Backup and storage costs
  • Email filtering cost
  • Securing messaging (encryption) cost
  • Support cost – External or internal expertise
  • Monitoring/alerting cost
  • Redundancy/uptime/Recovery costs
  • Exchange Migration/upgrade costs
  • Costs for optional features such as archival and other add-ons

So, the cost of hosting an email server within your bank can add up quickly and be quite expensive. In addition to the high cost, many banks and credit unions prefer or even require a solution that is tailored for the specific needs of the financial services industry. For a community bank or credit union, the highest levels of security and confidentiality are necessary to meet strict regulatory requirements, making an off-the-shelf email platform unsuitable without modifications.

Outsourcing Email Hosting

To combat some of the expenses of hosting email servers internally, many financial institutions have turned to outsourcing their email needs. At Safe Systems, we have worked with financial institutions as they completed a simple cost comparison of hosting their email server internally versus hosting it with an outsourced provider, and most chose to outsource. In fact, we had almost 100 financial institutions move their email to our email service solution, which is now part of the Microsoft Exchange Online solution, in the first year after it was released. Those that chose to keep email in-house often overlooked an increasingly critical cost – the cost of ensuring high availability of the email system. Over the last 18 months, we’ve seen institutions re-evaluate putting their email in the cloud in order to address this issue of availability.

The cost of using an outsourced email solution is typically much more straightforward than hosting internally. Here are some typical costs associated with moving to a hosted email solution:

  • Email, encryption, filtering – Price/User/Month
  • Add-ons – Price/User/Month
    • Archival

For this flat cost per user, customers receive:

  • High availability of email services
  • Minimal to no additional cost for maintenance/upgrades
  • Backups to geographically distributed locations
  • Email expertise that is hard to match on a smaller scale implementation
    • Ability to respond to phishing/social engineering attacks quickly
    • Responses to issues or downtime quickly

Customized Email Platform for Financial Institutions

To meet the demands of the financial services industry, Safe Systems has customized our email services offering specifically for financial institutions by adding on layers for compliance and security. Our platform runs on Microsoft’s Exchange Online platform, which is the biggest, most robust platform on the market today. Safe Systems eliminates the burden of running Microsoft Exchange internally, while maximizing productivity. With our suite of email solutions, a previous winner of the BankNews Innovative Solutions Award for best Consulting/Outsourcing/Training solution, financial institutions can eliminate the operational headaches and minimize the costs associated with the implementation, management, maintenance, and recoverability of their email system. This is accomplished while also greatly enhancing availability, maximizing uptime, and adding redundancy only available at scale.

Email is not free. In fact, it is very expensive. As a vital part of your institution, your email solution needs to function smoothly and consistently in order to support your business functions. In the end, it should provide a stable, scalable, robust, and redundant solution, but meeting all of these requirements cannot be easily accomplished with an internal solution at a reasonable cost. Working with Safe Systems gives you access to an email solution that, while powered by Microsoft’s cloud email solution, is designed exclusively for financial institutions. SafeSysMail includes extra layers of protection including products highly rated by Gartner and used by the government for SPAM and malware filtering, and on demand encryption. Working with one of the largest providers of hosted services designed exclusively for financial institutions and their specific needs offers the peace of mind and confidence that your bank’s email will be compliant, protected, and available – all at a lower cost than hosting internally.







29 Jun 2016

The Importance of Efficient Patch Management

Patch management is more important than ever!  The lack of an effective patch management program has contributed significantly to the increase in the number of security incidents in financial institutions. Patches are software updates designed to fix known vulnerabilities or security weaknesses in applications and operating systems.  All software applications require updates from vendors, not just operating systems. This includes software updates for third party software programs such as Microsoft, Adobe, Adobe Reader, Adobe Flash, Chrome, and QuickTime.  The most popular software products are tested by hackers for weaknesses, and vendors have to constantly release security updates to keep these applications safe and secure.

When it comes to patch management, many financial institutions today fall into one of two categories:

  1. Those that don’t keep systems consistently up to date, and simply react when there is a problem or vulnerability.
  2. Those that keep systems up to date, but spend a lot of time managing the patching process.

Examiner Expectations

Patch management’s importance was underscored with the recent release of the FFIEC’s Cybersecurity Assessment Tool.  This assessment tool makes multiple references to patch management, and dedicates an entire contributing component category to statements covering patching practices. The tool defines clear expectations on what banks must do in order to remain in compliance, and lays out a path for improvement beyond the basics.

In addition, the most recent Supervisory Insights edition from the FDIC references the need for effective patch management as one of 4 key areas that institutions should manage to mitigate security threats. The FDIC also stressed effective patch management in a webinar last year, and stated that 99.9% of successful hacker and malware attacks that exploited a vulnerability did so more than a year after a patch was published to plug the security hole.

All of these sources point to some best practices regarding patch management:

  • Updates should be rolled out to all devices
  • Timeliness of patching is critical as the longer an unpatched system is in production, the larger the risk
  • Devices with patching issues need to be addressed promptly to avoid a security issue
  • Updates should be tested to ensure they don’t create an issue for the institution’s applications
  • Patches that are not deployed because of bank applications must be documented
  • Senior Management and Board of directors should be provided with reports on patch status

Components of an effective patch management system

An effective patch management program should include policies and procedures to identify, prioritize, test, and apply patches in a timely manner. The longer that a system remains unpatched, the more vulnerable the institution becomes. It is crucial that all systems are patched, if at all possible. To support a comprehensive patching program, the bank should create an asset inventory cataloging all systems that require patch management oversight. This asset inventory should list all software and firmware, including every server, switch, router, firewall, operating system, printer, laptop, desktop and ATM in the bank that are subject to periodic patches from vendors. Effective patch management is much broader than just making sure that Microsoft patches are flowing.

Bank executives should also stay abreast of possible threats by monitoring reports on identified vulnerabilities, and should ask if such vulnerabilities can be patched.  Once a vendor stops supporting a software application they typically also stop releasing patches to plug newly discovered vulnerabilities, so executives should stay informed about assets nearing end-of-life.  Management should also establish strategies to migrate from unsupported or obsolete systems and applications, and implement strategies to mitigate any risk associated with these products.

To comply with the FFIEC guidance, the board and senior management at the bank should require regular, standard reporting on the status of the patch-management program, including reports monitoring the identification and installation of available patches. Independent audits and internal reviews should validate the effectiveness of the bank’s patch management programs.


Automated Patch Management

Many financial institutions find managing the patch management process and maintaining patching solutions both challenging and time-consuming.  Working with an outsourced service provider such as Safe Systems can provide your institution with a comprehensive patching program that delivers quick, accurate, and secure patch updates to all workstations and servers. This process will help mitigate the multiple risks associated with running unpatched programs and automate the time-consuming process of testing and deploying new patches.






15 Jun 2016

Cybersecurity – What Senior Leadership at Your Bank Needs to Know

Cybersecurity is a serious concern for banks today. Hackers have stolen more than $1 billion from banks, as well as sensitive customer data, bank email information, ATM data, and PIN numbers. They have managed to do this in various ways such as reprogramming a bank’s ATMs or hacking into the online platform. Hackers are clever so banks must step up and be even more vigilant!

FFIEC Cybersecurity Guidance

In fact, in light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity maturity. The assessment provides institutions with a repeatable and measurable process to inform management of their institution’s cybersecurity risks and preparedness.

Is Your Bank Ready to Discuss Cybersecurity with Regulators?

Recently I had the privilege to teach at the Southeast Community Bank Symposium at Georgia Southern University. This symposium consisted of senior leaders from banks in the southeast (CFO, senior lenders, President, CEO, and board members). I was tasked with educating the group on cybersecurity, and I focused on threats, examiner expectations, and best practices for the management of cybersecurity risk. My goal was to provide the audience with a better understanding of cybersecurity and some tangible takeaways to manage this risk at their banks.

As part of the session I informally polled the audience regarding how many of them had filled out the CAT. To my surprise, only about 10-15 percent raised their hands. I determined that either the bank filled out the CAT without including senior leaders in the process, or the bank simply did not fill out the CAT at all.

Does Your Leadership Team Fall into These Categories?

If so, here are some things to think about:

  1. Opt-out? The regulators are stating that filling out the CAT is optional. While the CAT is not a requirement to complete, all government agencies have stated they intend to use the tool to assess an institution’s cybersecurity readiness. Regulators have already begun to issue citations to financial institutions that have lapses or are not meeting regulations. If you have not completed the CAT, your bank should expect to have findings targeting the management team, not just IT/Operations.
  2. Same bank, different employees, different answers. All employees need to be on the same page and complete the CAT with the same answers. Your entire team, including management, needs to be trained, informed, and truly understand its cybersecurity plan. This should result in employees communicating consistent and accurate information to regulators.
  3. What’s your risk level? Every bank thinks their cybersecurity risk is minimal on the threat level, and that is just not the case. Innovative banking technology has clearly improved the customer experience, and has even transferred activities that had to happen at the branch to computers and mobile devices. This expansion of the availability of technology is great in many ways, but at the same time this technology increases the risks to your institution.
  4. Cybersecurity is a real threat. What would happen to your bank if hackers got control of your core data and would not let you access the systems? How much protected information could the hackers get if they controlled access to your key systems? What would happen to your business and reputation if you did not have access to your IT systems for 10 days, and then the hackers deleted the data?

 

How to Engage Bank Management

What should you do if your management team is not engaged, or the bank has not filled out the CAT? Here are the best next steps:

  1. Complete the CAT as a management team (NOT just Operations/IT)
  2. Educate Senior Management and the Board on the risk findings and the gaps in your current cybersecurity control maturity
  3. Validate maturity level meets risk level through testing that emphasizes cyber threats






The 4 Best Ways to Manage Cybersecurity Risk

Banks must incorporate cybersecurity into the bank’s overall risk-management framework. This includes a well-managed set of overlapping security controls to help prevent, detect, or recover from cybersecurity events. The FDIC recently encouraged bank supervisors to focus on four critical components to manage cybersecurity risk:

  • Corporate governance
  • Threat intelligence
  • Security awareness training
  • Patch-management programs

 
While all four areas are necessary, patch management programs are vital. The lack of a solid patch management program has led to an increasing number of security incidents. An efficient patch management system should include written policies and procedures to identify, prioritize, test, and apply patches in a timely manner. Without efficient patch management in place, banks leave themselves vulnerable.

Safe Systems Can Help!

With the increase in cybersecurity risk comes the promise of additional guidance to come. Safe Systems can help your financial institution manage its cybersecurity program and meet the compliance needs that come with government regulations. As a trusted advisor exclusively serving financial institutions, Safe Systems offers a network management solution to enhance your institution’s cybersecurity posture – one that includes a comprehensive and highly automated patch management capability to fit your bank’s needs.

09 Jun 2016

Preparing for Your Bank’s Quarterly Control Self-Assessment


To help ensure better results on bank audits and examinations, all financial institutions should complete periodic (generally quarterly) control self-assessments that allow management to gauge IT performance, system status, and emerging risks. These proactive self-assessments are key in providing ongoing monitoring of security controls and ensuring prompt corrective action of significant deficiencies. FFIEC guidance dictates that financial institutions perform regular self-assessments to “validate the adequacy and effectiveness of the control environment.”

Auditor feedback indicates that financial institutions with an effective internal self-assessment process in place generally demonstrate a much more evolved risk management process. Simply put, this results in fewer, and less severe, audit findings. This makes sense because these institutions tend to identify, correct, and control weaknesses prior to an audit, as opposed to waiting for the auditor to identify them. Since one of the first things the examiner wants to see when they arrive is the most recent audit, this often results in fewer examination findings as well.

Specific areas that should be reviewed in the assessment

  • Network Compliance Reporting
    • Antivirus, Patch Management, Server Health and Warranty Analysis
  • Network Security Reporting
  • Vulnerability Assessment
  • Policy and Procedure Verification
    • Vendor Management, Network/Internet, Information Security
  • Regulatory Trends and Changes
  • Site/Server Recovery and Disaster Recovery Plans

Expect support from your IT network management provider

Actually conducting the self-assessment can be a challenge, and requires a mix of regulatory and technical understanding. One way to improve this process is by working with an experienced IT network service provider who is knowledgeable in financial regulatory requirements. You should expect your account manager to help with every step of the self-assessment by providing structure, feedback, and an impartial outside perspective. This control self-assessment is also a time for the financial institution to share with account managers issues and pain points they have come across. This way the account manager is able to provide informed guidance, and help the bank utilize the right tools and procedures to adequately address any issues.

At Safe Systems our account managers work with each client to perform quarterly technology self-assessments. This assessment is a tool to help the institution ensure all things related to IT network technology controls are working and up to date. However, the self-assessment is more than a simple diagnostic procedure. This is a time for the account manager to educate bank personnel on new or changing government regulations, helping the bank to remain in compliance, and setting the institution up for success in audits and exams.

Regulatory compliance is always on a financial institution’s mind. Quarterly control self-assessments provide the bank with peace of mind, because by the time the examiner gets there, they have already had a trial run and feel well prepared and confident of the upcoming exam result. Working with Safe Systems provides financial institutions with a trusted resource and technology advisor, leading to improved audit and examination ratings!







01 Jun 2016

Safe Systems Launches Enhanced IT Network Management Service for Community Banks, Credit Unions

Chris Banta, Director of Security and Automation
Marshall Jones, Director of Managed Services Development

Enhanced IT Network Management

To help ensure community banks and credit unions operate even more efficiently, securely and compliantly, we have enhanced our solutions to better meet our customers’ needs. Our new NetComply One managed IT offering is now available to help financial institutions further decrease costs, increase performance, and improve their compliance posture. We have rebuilt our entire IT network management service using insights gained while managing IT networks for more than 300 financial institutions over the past eight years.

NetComply One

NetComply One removes the burden of maintaining IT networks for community banks by further enabling Safe Systems to manage and monitor a client’s network hardware and software in a holistic manner. This eliminates the need for clients to directly administer challenging and time-consuming tasks internally, including patch management, anti-malware (optional add-on), and reporting. NetComply One uses automated patch management services to deliver patches for both Microsoft and common 3rd party applications. In addition, it reduces device exposure through server hardening. Educational resources, Account Management services that help prepare banks for IT audits and exams, and reporting shaped by FFIEC guidance all help the bank to meet and exceed regulatory standards.

Additional NetComply One Services

  • A centralized monitoring console with remote control access and monitoring capabilities
  • Dual factor authentication to log into the console
  • More comprehensive network monitoring and alerting function
  • Account Management services including quarterly control self-assessment preparation and meetings, which consist of audits, reviews, and executive meetings
  • Enhanced reporting functions, with reporting based on FFIEC requirements for IT audits
  • Security baseline services to ensure institution servers are secure
  • Online education material and live webinars on compliance and technology

Qualified Alerting

NetComply One also provides enhanced qualified alerting capabilities, which reduce the number of false alerts clients must review, making for a more streamlined and efficient level of service. Through this qualified alerting function, Safe Systems engineers will review and validate alerts before they are sent to the bank, nearly eliminating all of the noisy false positives and providing fewer distractions for the bank’s IT personnel. Safe Systems will continue to constantly monitor and alert on hardware failures, back-up failures, software updates, PC issues, servers, routers, switches, and more.

Redesigned Platform

In addition to delivering an enhanced set of services, Safe Systems has redesigned its underlying IT management and reporting platform to better support Microsoft Windows 10. This technology enhancement is designed to make it easier to implement future platform integrations. We have always brought outstanding IT network monitoring, alerting and reporting to our community financial institution clients. Our research revealed that clients who allowed Safe Systems to fully administer patch management services consistently out-scored other institutions on audits. The integration of our patch management best practices into NetComply One offers bankers a superior way to run their IT networks, enhance IT security, reduce risks, and minimize time spent with auditors.






13 Apr 2016

Today’s Bank WAN: How to Cost-Effectively and Efficiently Connect Branches

Today’s bank IT network and operations managers are increasingly focused on their WAN communication infrastructure. Banks with multiple branches continue to struggle with efficient and cost effective methods for electronically moving and sharing data between each location. With this function becoming a necessary tool in performing day-to-day operations, bankers are focused on improving their understanding of network options and how to enhance network performance to ensure a positive experience.

Banking applications are becoming more robust and data hungry, resulting in the need for increased speed and reliability when transferring data through the WAN. Many banks today are in an either/or scenario when evaluating options to improve their WAN performance. They are forced into implementing a private circuit (T-1) architecture that offers reliability at a high cost. This makes T-1 infrastructure an ideal option for the primary connection but an expensive and often impractical solution for redundancy.


 

 

The alternative is to utilize broadband Internet solutions, which offer faster data communication speeds at a lower cost, but can also suffer from frequent outages, lack of visibility, oversubscription and non-existent or weak SLAs. Additionally, passing data over an insecure medium such as the Internet requires an overlaying secure communication element such as a VPN that must be set up and maintained by internal staff. These challenges have been enough for most financial institutions to avoid using broadband for their primary connectivity option.

Banks require a solution that provides the flexibility to securely connect users and branches via a reliable, cost-effective method. Implementing a virtual overlay, or WAN fabric in data centers and branch offices, unifies the network by deploying a hybrid WAN using multiple types of network connectivity, including MPLS, cable, DSL and LTE. This WAN optimization solution aggregates constantly changing information about the traffic on the Internet and then uses this information to route traffic and data over the optimal secure path. This provides your bank with a means to monitor and control network connectivity while ensuring consistent performance in a cost-effective manner.

This new approach to wide area networking, which moves beyond WAN optimization, provides banks with a complete map of the network and applies dynamic path selection and intelligence to help IT network managers see, control and optimize their network connectivity.

A WAN overlay solution combines unique communications technology with:

  • Dynamic Intelligent Path Selection
  • WAN Acceleration
  • Data Reduction
  • Path Conditioning
  • Traffic Shaping
  • Global Visibility

Safe Systems’ new WANworks solution gives financial institutions the flexibility to securely connect their users to bank applications via the most cost-effective source of connectivity, and to connect all branches cost-effectively and securely. For more information about this solution, visit our WAN Communication page.


 

06 Apr 2016

Will Google Fiber Impact your Small Community Bank?

A well-known disrupter out of Mountain View, California has been hard at work trying to shake up the world of Internet access. Let me state right off the bat that I am no spokesman for Google or their Google Fiber service. You could argue that the service is merely a self-serving ploy by the search giant to give more people access to Google’s own vast Internet properties. In fact, industry watchers have widely speculated that this was the unspoken intent in creating Google Fiber in the first place. Despite their intent, it would be difficult to deny that Google or Alphabet (Google’s newly formed holding company) has gotten serious about improving the state of Internet access in this country. You may be asking yourself what one company could possibly do to move an entire industry. It’s all about the speed. Google is laying the groundwork (literally) for affordable gigabit Internet access, a speed which is 100 times faster than your average US internet connection. This is not a cheap endeavor, so starting back in 2011 Google began a slow rollout to a pair of test cities. In the past 5 years their scope has expanded to include 22 cities either installed or announced, ranging from California to Florida.

While this expansion has been impressive, the real payoff is neither the physical infrastructure that Google has built up, nor is it in the brand goodwill accumulated from offering affordable or free Internet access to those in need. The biggest impact of Google’s offering is the ripple effect of Google Fiber on the incumbent providers in these communities. These cities already have what most would consider decent options for Internet connectivity; albeit, many times a single provider has a near monopoly in the market. These existing providers are the complacent monstrosities that you are likely getting your Internet access from today – Comcast, Charter, Time Warner, and AT&T. Google is a brand new player in these markets, and their very presence is shaking things up.

Traditional ISPs have made significant investments building up their infrastructure, and have become firmly entrenched. It comes as no surprise that they have fought this new competitor every step of the way by incorporating such tactics as misleading advertising campaigns, lawsuits, and lobbying for favorable legislation. In the end, these providers have been forced to adapt or lose their customers. They have been given little choice but to innovate and offer entirely new levels of service at more competitive prices. One could argue these more modern, more affordable services would not be available today but for this interruption in the market.

Now, I am not claiming that traditional providers would never have innovated without an outsider agitating change. Google’s presence has, however, greatly accelerated the pace of change. While it would take Google decades to bury the fiber, wade through the city ordinances, and strike the necessary agreements to provide gigabit access to all of the communities that require access, existing industry giants already have much of the infrastructure in place. At the very least, they have the appropriate resources and political connections to rapidly install this infrastructure.

While ISPs are not classified as public utilities, they certainly model one. These mega corporations tout their infrastructure and imply that they are the only game in town. As that façade has begun to crumble, they have been increasing speeds of existing customers without increasing the price, seemingly in an effort to appease their existing customer base and stop them from looking around at new providers. This suggests that the pieces to increase capacity were already in place, but the resources were only tapped upon the introduction of disruptive competition.

I’ve told this tale not to sing the praises of Google or cut down major Internet providers, but to demonstrate just one of the influences on the telecom and broadband industry as a whole. While it is easy to think of your Internet provider as a slow-moving behemoth, they are still a technology company…and a lot can change in 3 years.

So how does this all apply to you and your business? Industry undercurrents are constantly changing the circuit options available to your institution. It is all too easy to research and enter an agreement with a service provider, then put that binder on a shelf. In many cases, though, a little bit of investigation past the status quo can improve your performance speeds, lower your cost, or possibly both. To this end, I urge you to learn about your available options every 18 months if you are on a 3 year agreement.

When doing your research, it is important to make sure you are asking the right questions. For example, Comcast may offer a cheaper per-month price on their gigabit service than AT&T, but do they have a data cap and what is the cost once you exceed it? What does your termination notice window look like and what are the auto-renew terms if you miss that window?

Communications have become an important interdependency in modern banking, so it is imperative to develop a strategy to build and manage your financial institution’s WAN infrastructure. If you find that you would benefit from some assistance in sorting through these challenges, then it may be time to bring in an impartial expert. Safe Systems can help you address your current needs at a competitive price, while keeping an eye out for where your future needs may intersect with the ever-evolving telecommunications industry.


30 Mar 2016

Bank WAN Circuit Access Options: Ethernet is the New T1

As more and more applications move from your premises to the cloud, bank IT and operations managers are placing greater focus on their WAN communication infrastructure. This is a shift from traditional views of the data communication network as a largely inconsequential but necessary utility, in much the same vein as your water or light bill. With this portion of the network increasingly becoming the lynchpin of day-to-day operations, bankers are focusing on improving their understanding of this network segment and the many options the market provides.

Better understanding the basics of Datacom technology empowers you to make better choices for your financial institution and potentially see gains in performance, price, or both. To kick off this education, we would like to start with the most common question that bankers ask about data communications: “Help me understand what today’s telecom technology is and where the trends are going.” To answer this request, we will briefly describe how the industry has evolved over the past few years, and we will touch on the different types of circuits available for banks and credit unions.

T1’s = Tried and True (but a Little Dated)

T1s dominated the bank WAN market for nearly a decade before newer options started to become more prevalent over the past few years. Often, T1s were the only available option in more rural areas, so institutions in these areas made do with slower speeds or higher costs for their WAN links. Despite their widespread use, T1s provided only modest speeds, but carriers could bond multiple T1 circuits to achieve up to 10 Mbps. T1s were an established technology, but soon became outdated with the emergence of cable modem and Ethernet fiber access, which often offered 10x the speed at a greatly reduced cost.

What Drove WAN Access Technology? Need for Speed

Banking applications became more robust, feature-rich, and data hungry, driving ever-increasing WAN speed requirements. Additionally, new cloud-based applications depend upon fast and reliable data exchange. User experience for these applications is highly contingent upon WAN speed and quality. Fast, reliable networks act as the underlying infrastructure required to deliver a satisfying user experience for today’s highly online and mobile banking consumers. In these cases the communications infrastructure is foundational, not unlike the steel girders underpinning a skyscraper. Choosing the appropriate technology for your WAN has become more important than ever, and T1’s are likely no longer the only game in town. Next, we will look at two more modern WAN technology solutions that might be available to your bank.

Today’s High Speed Options for Banks
Cable Modem vs. Ethernet Fiber


Cable Modems (Coax)

Cable modem solutions currently dominate the small business market where businesses have a relatively small number of concurrent network users. Cable modems are a mass-consumed product, but can be a good fit for some bank WAN needs.

Use Cases:

  • Ideal for backup Internet connectivity (business continuity)
  • Good fit for locations with no fiber access or locations where fiber build-out costs are prohibitive
  • Often used for 5 users or less (micro-businesses, which is where cable modems dominate the market)

Pros

  • Cable Modems are the “Why Not?” product – they offer the most bang for your buck for download speed – 50 Mbps download for less than $200 per month? Why not?
  • Least expensive technology used for delivering high broadband speeds — up to 150 Mbps Down/20 Mbps Up
  • Asymmetrical by nature – a lot more download speed than upload speed
  • Designed for mass consumption, focused on downloading data

Cons

  • Do not come with Service Level Agreements (SLAs) - frequent outages are typical
  • Require an overlaying secure communication element, such as a VPN
  • When outages occur, cable modem companies are notorious for their lack of customer service
  • Not reliable enough transport for many emerging bank applications – which demand speed + high SLA levels
  • Cable modem networks are copper-based, and have all the problems associated with degradation of this physical medium over time
  • Cable modem networks are shared and oversubscribed by nature and often will not consistently, if ever, produce the download/upload speeds advertised
  • Cable companies don’t compete against each other – Their footprints don’t overlap – cable company choice is dictated by where your bank is located and the provider in the area

Ethernet Fiber

Ethernet fiber is the new T1 for banks. Most banks consider it as the preferred option to satisfy their need for fast, reliable transport.

Use Cases:

  • Ideal for primary WAN connectivity (MPLS and Dedicated Internet Access)

Pros:

  • Will offer much higher SLA levels (great for emerging bank applications)
  • New physical fiber plant – not as many problems with new physical media
  • Private and dedicated - not oversubscribed
  • Speeds of up to 10 Gbps
  • Offer great flexibility and scalability – more bandwidth is a phone call away and only requires configuration changes
  • Fiber companies compete against each other – presenting multiple carrier options and competitive pricing

Cons:

  • More expensive than cable modems – you get what you pay for
  • Typical installation intervals are 90 days or more
  • Bank geographic location can limit options – fiber isn’t everywhere

Engineering Best Practice / Conclusion

Consider Ethernet fiber as the preferred access technology for your bank’s WAN. The fast, reliable transport offered by Ethernet fiber will provide the infrastructure necessary for a quality user experience for the emerging applications that will drive business-critical bank applications in the future. Fiber’s limiting factors may be cost and/or availability. While the cost per Mb may be cheaper than T1’s in some cases, this technology is not available at the lower connectivity speeds; therefore, upgrading to Ethernet Fiber may constitute an increase in the overall communications budget. Additionally, the geographic availability of fiber is rather unpredictable, although providers are installing fiber infrastructure at a torrid pace. T1’s and cable modems remain viable options if fiber isn’t a fit for or even available to your institution. As with any technology, to maximize your investment in your communication infrastructure, you need to have a plan of where your communication needs are going.

Don’t Go It Alone!

IT budgets are shrinking, and IT staff is focused on other priority projects. The right IT service provider for your institution should employ seasoned WAN and telecom engineers that will guide you throughout the process of designing a WAN strategy that meets your specific requirements. There are many choices for your communications infrastructure – partnering with a trusted technology service provider can ensure you get the right solution for your bank’s unique technology needs.







09 Mar 2016

Why Should My Small Community Bank Outsource IT Network Management? Part I

The Use of Technology in the Community Banking World Has Become Widespread

While its evolution has made many processes and procedures more streamlined and efficient, managing a financial institution’s IT network has also become a full time, demanding responsibility. A community bank’s IT staff must understand the ever-growing complexity of IT operations and applications, continuously changing regulatory requirements and FFIEC compliance guidelines. Even with all these important responsibilities, many community banks only have one or two people to manage all of the IT operations. Even further, many may not have banking backgrounds.

Regardless of location and size, small community banks are subject to largely the same regulations as larger institutions. Regulatory agencies are continuously changing and increasing guidance regarding cybersecurity and are liberal in issuing citations to financial institutions that have lapses or are not meeting regulations.

With these changes, smaller financial institutions are, or should be, looking for ways to more efficiently manage their IT networks and compliance procedures. Oftentimes they determine outsourcing the management of underlying IT, security and compliance operations is the most effective and efficient solution. Smaller financial institutions can benefit in many ways from outsourcing with a provider who offers IT network management solutions exclusively tailored for community banks.

Finding, training and retaining qualified staff to manage an IT network can eat up considerable time and energy from your bank’s management team, taking away valuable time needed to support customers and banking operations. Maintaining the knowledge and expertise of the evolving IT landscape is a time-consuming endeavor and small institutions trying to manage this function internally often find it nearly impossible to remain competitive with their technology in today’s banking environment. Outsourcing underlying IT operations to a knowledgeable banking IT provider eliminates management’s time involvement in recruiting IT personnel, training new IT personnel on the unique technology and compliance aspects of banking, and the on-going issues associated with competitive compensation.

Any time a bank system is down, be it the teller system, WAN circuit, or loan documentation system, it causes a disruption to the financial institution. Such disruptions can be greatly reduced by working with a knowledgeable service provider. The right service provider can monitor and proactively identify many technical issues on network devices, and address or fix the problem prior to failure. This results in less downtime, improved employee efficiency and a consistently high level of customer service. 


For more information on how outsourcing can benefit your community bank, please download our complimentary white paper, 7 Reasons Why Small Community Banks Should Outsource IT Network Management.




7 Reasons Why Small Community Banks Should Outsource IT Network Management




This is a free white paper that addresses key issues smaller financial institutions face when managing their networks and the benefits of outsourcing these tasks to a provider who offers IT network management solutions exclusively tailored for community banks.




 
 

08 Mar 2016

Why Should My Small Community Bank Outsource IT Network Management? Part II

With so many hardware advances, software choices and requirements from your core banking software provider and other banking software vendors, determining what is right for your institution has become more complicated than ever. An IT services provider can help alleviate this stress by evaluating the infrastructure of the bank and eliminating the unnecessary hardware, processes and tasks. This helps with the overall management of the institution by simplifying management needs, reducing ongoing costs and maintenance management.

Selecting who to trust and depend on when deciding to partner with an IT services provider is challenging, especially for community bankers. Many bankers struggle with choosing the right solution that will work with and truly benefit their financial institution.

Smaller community financial institutions can benefit from outsourcing or partnering with a provider who offers network management solutions exclusively tailored for community banks. Having a system in place that offers key features such as patch management, third party patching, antivirus, hardware and software inventory management, vulnerability remediation, and compliance-focused documentation reporting to verify that your financial institution’s network is adhering to your policies and procedures is critical in today’s environment.

The right IT service provider should offer your bank full support for the demands of banking technology and IT regulatory compliance by delivering your institution a solution that documents that your policies and procedures are being followed. A solution provider can help bridge the gap between a financial institution’s everyday network administrative functions and the big picture goals of IT compliance and infrastructure planning.

For more information on how outsourcing can benefit your community bank, please download our complimentary white paper, 7 Reasons Why Small Community Banks Should Outsource IT Network Management.





 
 

02 Mar 2016

How to Measure the Success of Your Community Bank’s New IT Administrator

It might have taken some time, but you have finally found what you think and hope is the right candidate to fill your bank’s IT network administrator position. Today’s community bank relies on the IT department to maintain its hardware and software and to ensure all systems are available when needed. The IT department is also responsible for monitoring an array of on-going IT concerns like antivirus status, patch compliance and email security, to name just a few, so ensuring the new IT administrator is managing all this efficiently and effectively is very important.

Once the new IT administrator has been on the job for at least several months, if not longer, how can you really measure their success and make sure they are efficiently managing this crucial aspect of the financial institution? There are a few key areas to evaluate.

How are they able to handle and recover from downtime?

Ensuring all systems are working correctly is a crucial aspect of the IT administrator position. Anytime one of the systems is down, be it the teller system, ATM network or online banking portals, it affects customer service expectations and causes a disruption in the financial institution.

Your bank’s IT administrator should be able to quickly investigate, analyze and resolve complex hardware problems on the bank’s computer systems and quickly perform advanced hardware and software repairs and support on a wide range of PC-based computers and peripherals. In addition, this individual must provide troubleshooting support for escalated software and hardware problems as well as respond to after-hours system problems in a timely and efficient manner. Financial institutions have little tolerance for downtime, so ensuring the IT administrator is able to quickly resolve technical issues and ensure the bank IT infrastructure is running smoothly is critical.

How smooth is the transition?

Ensuring a seamless transition between IT administrators is important for all banks. The new bank IT administrator should establish a new list of passwords, run a security audit and investigate and become aware of all previous processes and procedures of past administrators. These processes should be completed with little interruption for banking personnel.

Cybersecurity and Incident Response Tests

Having cyber incident response plans, policies and procedures in place is a critical aspect of compliance for financial institutions today. In addition to simply having the policies in place, a critical element is testing that these policies actually do what they claim. A comprehensive incident test can expose gaps in even robust plans and provide valuable insight into whether the incident response plan delivers its stated claims. The new bank IT administrator should perform these tests to make sure the financial institution is safe and in compliance with government regulations.





You’re only as good as your last backup and disaster recovery test!

A backup and recovery test is an important process of assessing the effectiveness of a financial institution’s software and methods of replicating data, as well as its ability to reliably retrieve that data should the need arise. Backup and recovery testing is an essential part of a disaster recovery plan. In addition to ensuring the backup of mission critical data, testing also uncovers problems in software or processes that could lead to serious loss of data.

Insufficient testing leaves the bank vulnerable to data loss, downtime and redundancy of effort, not to mention in violation of government regulations. Backup and disaster recovery testing should be done at least yearly; however, this can be completed more frequently should the need arise or when changes are made to personnel and/or technology systems and procedures. The new bank IT administrator should run their own backup test to ensure they are familiar with the processes and systems.

People Skills — Are they able to work with people as well as machines?

In addition to showcasing stellar technical skills, IT administrators must also have good people skills. Good people skills have as much of an impact on the success of your IT administrator as their technical skills, and this area can be evaluated pretty quickly. They must showcase a good demeanor when they have to respond and interact with both customers and employees. When a problem arises, bank IT administrators need to be able to communicate with individuals about the problem, what has been done so far and ultimately how it will be resolved.

IT audit scores

Each year banks must go through an examination process with the Federal Reserve where the government agency evaluates the bank’s soundness, the level of risk involved in the bank’s transactions and activities and its compliance with banking laws and regulations. They also review the adequacy of corporate governance and the quality of the board of directors and management, as well as areas that must be strengthened to improve the bank and its overall compliance. Once the evaluation is complete, examiners will provide an overall rating for the bank. The rating is very important for the bank as it is proof of its success, soundness and compliance. Ultimately, it is the responsibility of the IT administrator to ensure all things are in place for a successful evaluation and rating. This is a longer-term evaluation as this is typically conducted once a year.

A community bank’s technological assets are every bit as valuable as the money in the vault! The success of today’s community bank relies on the IT department, so ensuring you have the right person leading this department and all its assets is crucial.

24 Feb 2016

9 Things To Do as a New IT Administrator in the First 30 Days – Part 3

We’ve reached the final installment in our “New Bank IT Administrator” blog series. After reviewing vendors, ensuring security and creating a solid disaster recovery program, it’s important for a new bank IT administrator to become extremely familiar with your bank’s processes and team. The final three steps will help communications and create a smooth and seamless transition for new bank IT administrators.

7. Examine the Network Infrastructure of Your Bank’s Branches

Determine how information comes and goes to ensure your portals and locations are all equally protected. For example, you might have two branches that share the Internet that comes directly from one of the branches. When you perform the audit you might discover that the firewall is not working the way it is designed to, creating a significant security hole. It is important to take the time to ensure all network systems and hardware are working correctly and that everything is secure within all branches. This process can also uncover policies that should be revised or updated, giving you the chance to provide the bank instant value.

8. Review Previous Exams at Your Bank

Become familiar with anything brought up within an IT exam that needs to be fixed or reviewed. Make sure you are able to put a plan in place to immediately address these issues as you will ultimately be responsible for the next audit.

9. Work Closely with Your ISO and CTO in the First Five Days

Have a list of questions and points to go over with your information security officer and CTO during your initial meetings. This will help uncover previous pain points the bank has been experiencing, objectives moving forward and expectations for your role. This will also set priorities in place for the next 30 days to a year and will ensure the entire team is on the same page.

In addition to the meeting with your bank’s technical management team, you should also set up meetings with key vendors, which might include the core vendor, loan origination software vendors, backup solutions vendor, security provider, the IT managed services provider and the hosted email vendor.

By following these important steps, a community bank’s new IT administrator should have all the tools he/she needs to succeed. Taking inventories of hardware/software, reviewing vendors, double checking security measures and creating solid relationships are all important measures to ensure both the IT administrator and the bank thrive.


17 Feb 2016

9 Things To Do as a New IT Administrator in the First 30 Days — Part Two

In our last blog, we explained the first three tasks that should be accomplished as a new community bank IT administrator. The IT administrator wears many hats and plays multiple roles within a community bank. After taking hardware, software and vendor inventories, the next three steps are important to ensure the financial institution is secure and successful.

4. Determine Most Recent Dates of Hardware and Software Vendor Audits

In addition to simply completing a vendor audit, it is also important to vet vendors or at least identify the last time vendors were audited. If they haven’t been reviewed in a while, they should be, as IT admins need up-to-date information on all aspects of the relationship and need to confirm that the vendor is in compliance with all recent Federal vendor management guidelines.

5. Determine and Test the Backup Schedule

Every bank has to perform backups. The IT admin should become familiar with the software used to perform them. Are the backups being done on schedule, are they up to date, and when was the last time a successful restore was performed? Along those same lines, determine whether the backups are stored on-site, off-site or in the cloud, and whether they are being encrypted with the correct cipher strength. Are the backups being done in-house or are they outsourced? It is very important to make sure backups are being done regularly. The schedule should be evaluated closely to make sure it aligns with the most recent disaster recovery plan. If they are not aligned, the schedule should be adjusted.

One of the main tasks associated with the administrative side of the IT administrator’s job is making sure you become familiar with the disaster recovery plan and ensuring it is up to date with any updated regulatory requirements. If the plan was last updated four or five years ago, you will need to redo it to meet new Federal requirements. This is usually done by a committee that consists of the information security officer and CTO. You should work closely with the information security officer to go through policies and procedures and to make sure everything is documented to remain in compliance with current regulatory guidelines.
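The questions in this step, together with the "at least yearly" restore-test guidance from the earlier post on this page, can be run as a repeatable check. The sketch below is an added example, not part of the original post; the job records, the per-system data-loss limits, the approved cipher and the six-hour grace period are all constructed assumptions to be replaced with values from your own DR plan and policy.

```python
"""Audit backup jobs against the disaster recovery plan (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupJob:
    system: str
    interval_hours: int                    # how often the job is scheduled
    last_success: Optional[datetime]       # None = no successful run on record
    last_restore_test: Optional[datetime]  # None = restore never tested
    cipher: Optional[str]                  # None = backup is not encrypted


# Assumed policy values; take the real ones from your DR plan and policies.
DR_PLAN_MAX_LOSS_HOURS = {"core-db": 24, "file-server": 24, "email": 72}
APPROVED_CIPHERS = {"AES-256"}
RESTORE_TEST_MAX_AGE = timedelta(days=365)  # restore tested at least yearly
GRACE = timedelta(hours=6)                  # slack before a run counts as missed


def audit_backups(jobs: List[BackupJob], now: datetime) -> Dict[str, List[str]]:
    """Return {system: [issues]} for every job with at least one issue."""
    findings: Dict[str, List[str]] = {}
    for job in jobs:
        issues: List[str] = []

        # Does the schedule align with the DR plan?
        allowed = DR_PLAN_MAX_LOSS_HOURS.get(job.system)
        if allowed is None:
            issues.append("NOT_IN_DR_PLAN")
        elif job.interval_hours > allowed:
            issues.append("SCHEDULE_EXCEEDS_DR_PLAN")

        # Are backups actually running on that schedule?
        if job.last_success is None:
            issues.append("NEVER_SUCCEEDED")
        elif now - job.last_success > timedelta(hours=job.interval_hours) + GRACE:
            issues.append("BEHIND_SCHEDULE")

        # When was a restore last proven to work?
        if (job.last_restore_test is None
                or now - job.last_restore_test > RESTORE_TEST_MAX_AGE):
            issues.append("RESTORE_TEST_OVERDUE")

        # Is the backup encrypted with an approved cipher?
        if job.cipher not in APPROVED_CIPHERS:
            issues.append("ENCRYPTION_NOT_APPROVED")

        if issues:
            findings[job.system] = issues
    return findings


# Constructed sample records, as they might be exported from backup software.
SAMPLE_NOW = datetime(2016, 2, 17, 9, 0)
SAMPLE_JOBS = [
    BackupJob("core-db", 24, datetime(2016, 2, 17, 1, 0),
              datetime(2015, 11, 10), "AES-256"),
    BackupJob("file-server", 168, datetime(2016, 2, 14, 2, 0),
              datetime(2014, 12, 1), "AES-128"),
    BackupJob("email", 24, datetime(2016, 2, 12, 23, 0), None, "AES-256"),
    BackupJob("loan-docs", 24, None, None, None),
]


def run_backup_sample() -> Dict[str, List[str]]:
    return audit_backups(SAMPLE_JOBS, SAMPLE_NOW)


if __name__ == "__main__":
    for system, issues in run_backup_sample().items():
        print(f"{system}: {', '.join(issues)}")
```
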

6. Run a Security Audit and Ensure Previous IT Administrator’s Access to Systems is Disabled

There are also some steps you should take to transition from the prior IT administrator. This starts with making a list of all user names and passwords and disabling the previous administrator’s accounts. As the new IT administrator, you should run a new security audit. You need to be fully aware of what the previous administrator did so you can be familiar with the security processes and correct anything that was not done to standards.

This audit includes making sure passwords are changed, the previous administrator’s access is terminated and their accounts are disabled. If an administrator had remote access, you need to ensure this access is taken away or denied. Another area to examine is the use of programs such as Dropbox, which are oftentimes used to store information so that it can be accessed remotely. When the administrator leaves the bank, this access to information must be eliminated.
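The checks in this step can be expressed as a short audit over the list of user names you compiled. The following is an added example, not part of the original post; the account records, field names, the user "jdoe" and the dates are constructed for illustration.

```python
"""Offboarding audit: find access a departed administrator could still use."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    system: str                       # directory, VPN, firewall, cloud storage...
    username: str
    owner: str                        # person it belongs to, or "shared"
    known_by: Tuple[str, ...]         # everyone who has known the password
    enabled: bool
    remote: bool                      # usable from outside the bank's network
    password_changed: Optional[date]  # None = no change on record


PRIORITY = {"DISABLE_REMOTE": 0, "DISABLE": 1, "ROTATE": 2}


def audit_offboarding(accounts: List[Account], departed: str,
                      last_day: date) -> List[Tuple[str, str, str]]:
    """Return (action, system, username) tuples, most urgent first."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing left to revoke
        if acct.owner == departed:
            # Their own accounts must go; remote paths (VPN, cloud file
            # sharing such as Dropbox) are the most urgent.
            action = "DISABLE_REMOTE" if acct.remote else "DISABLE"
            findings.append((action, acct.system, acct.username))
        elif departed in acct.known_by:
            # Shared or service credentials stay enabled but need a new
            # password. A change made on or before the last day does not
            # count, because the departing admin may have made it.
            changed = acct.password_changed
            if changed is None or changed <= last_day:
                findings.append(("ROTATE", acct.system, acct.username))
    return sorted(findings, key=lambda f: (PRIORITY[f[0]], f[1], f[2]))


# Constructed sample inventory; "jdoe" is the previous administrator.
LAST_DAY = date(2016, 2, 12)
SAMPLE_ACCOUNTS = [
    Account("directory", "jdoe", "jdoe", ("jdoe",), True, False,
            date(2016, 1, 4)),
    Account("vpn", "jdoe-vpn", "jdoe", ("jdoe",), True, True,
            date(2015, 11, 2)),
    Account("cloud-storage", "it-share@bank.example", "jdoe", ("jdoe",),
            True, True, None),
    Account("email", "jdoe", "jdoe", ("jdoe",), False, True,
            date(2016, 1, 4)),
    Account("firewall", "admin", "shared", ("jdoe", "asmith"), True, False,
            date(2015, 6, 1)),
    Account("core-banking", "svc-backup", "shared", ("jdoe",), True, False,
            date(2016, 2, 12)),
    Account("directory", "Administrator", "shared", ("jdoe", "asmith"),
            True, False, date(2016, 2, 15)),
    Account("directory", "asmith", "asmith", ("asmith",), True, False,
            date(2016, 1, 20)),
]


def run_offboarding_sample() -> List[Tuple[str, str, str]]:
    return audit_offboarding(SAMPLE_ACCOUNTS, "jdoe", LAST_DAY)


if __name__ == "__main__":
    for action, system, username in run_offboarding_sample():
        print(f"{action:15} {system:14} {username}")
```
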

Once you create hardware, software and vendor inventories, the bank IT administrator should have the capabilities to take the next three steps in ensuring your community bank is secure. Reviewing vendors, evaluating backups and security and auditing security operations are all important steps that should be performed within the first month of a new IT administrator. In our next blog, we will explore the final three steps in extending your review of your bank’s IT operations.


10 Feb 2016

9 Things To Do as a New IT Administrator in the First 30 Days — Part One

Starting a new job is always a challenge, but stepping into the role of a community bank IT administrator can be especially daunting. Oftentimes, the IT administrator is overwhelmed and at a loss as to where to start, given the demands of the position. After all, the health of a bank’s IT assets is every bit as valuable as the money in the vault!

The IT administrator position must support two distinct roles. The position serves as the technical resource as well as an administrative resource. Primarily, they are the IT resource for servers, workstations, networks, software and other technical aspects of the bank. Additionally, the IT administrator must work with the CTO and ISO in an administrative capacity to help with IT audits, regulatory examinations and providing senior management with information about the bank’s IT infrastructure.

 
Today, we’ll explore the first three things a new IT administrator should accomplish for a successful initial week on the job:

1. Create an Inventory of All Hardware

The IT administrator should immediately familiarize themselves with the equipment used in the bank. Identify your servers and their roles, tally your workstations (production and any spares), examine the networking equipment in use and continue this process for printers and other peripherals until you have created a thorough inventory of all equipment you have in-house. With your inventory results in-hand, check on warranty status for all your key equipment; warranty coverage can be invaluable in case of hardware failure or if you need customer support. Be sure to include serial numbers and warranty expiration dates for every device in your master inventory.

2. Audit All of the Software in Use

What operating systems and versions are you running? What software do you use for your teller stations, for loan operations and/or ATM management functions? Don’t forget about common third party software such as MS Word, MS Excel and Adobe Acrobat. Next, determine if all software is still being supported by the vendor, and make note of the support contact for each software system or application. Finally, investigate the support end of life date for the current software systems in place. This last step will significantly help come budget season by giving you a good idea of what should be replaced in the coming year.

3. Compile an Updated List of Vendors

After the hardware and software audits are complete, begin looking at the vendors your bank uses. For regulatory compliance purposes, your institution should have a thorough vendor management program. You may be able to work with the ISO to obtain the existing list of vendors, but your fresh start with the company is a great chance to take a fresh look at the list. This should include original manufacturers, third party resellers and service providers. Vendors should be identified for both hardware and software. For example, if you use Cisco network routers, did you purchase these from Cisco or are you leasing devices from a third party reseller? Create a comprehensive vendor list of who you will contact for support during normal business hours, as well as emergency contacts for after-hours emergencies. Your final document should have a list of all vendors and primary contacts for each specific service provided.

These three steps set the foundation for the next steps required in keeping your community bank running smoothly while transitioning to a new IT administrator. While this sounds like a large amount of work, an IT administrator does not have to do it all alone. Many financial institutions are turning to IT and security service providers to act as an extension of their organization and help augment internal IT resources. The right IT solution provider can serve as a true partner and work alongside current IT staff to help manage the network and streamline technology processes. When the IT staff has turnover or is simply unavailable, outsourcing select IT business processes helps fill the personnel gap and provide added support resources and peace of mind to all.

 



03 Feb 2016

Three Different Approaches to Managing Your Bank’s WAN

WAN (Wide Area Network) optimization is an important part of enterprise network strategy for financial institutions. Community banks and credit unions utilize their WANs to transmit data to and from their branches and carry out daily functions regardless of location. The WAN is often comprised of public networks, such as the telephone system, leased lines, or satellites. Effectively managing your bank’s WAN consists of monitoring both the on-premise communication equipment (routers, layer 3 switches, firewalls, etc.) and the circuits that carry the communication; however, this monitoring can be costly and complex. Let’s discuss some different options that today’s community financial institutions have to manage their WAN.

Option #1: WAN Management via the Carrier

Banks often use telecom carriers to provide network management for their WANs. Most telecom carriers offer an option that includes a router for termination of MPLS circuits, Internet access circuits, etc.

Banks use this option because it is the most economical approach to managing their WAN; however, expect minimal support. Carriers typically design simplified support tools to fight fires by focusing on managing the up/down status of the circuits. This reactive model offers minimum maintenance. The telecom carriers wait until they are notified of an issue, most frequently by end users, who themselves become aware only when they begin experiencing poor performance or downtime.

In most cases these tools simply aren’t sophisticated enough to allow for deep inspection of traffic patterns or usage. Even for administrators with enough expertise to keep WAN administration an internal function, these tools should be supplemented to allow for more proactive monitoring. Layering 3rd party software or services on top of the basic telecom-provided tools greatly enhances this approach to monitoring.

Pros: Least expensive option
Cons: Minimal support, supplemental 3rd party tools needed

Tip: Carrier-provided WAN management will focus primarily on WAN circuit status – they position themselves in this manner to limit their involvement concerning the overall functionality of your WAN. NOCs (Network Operations Centers) are not profit centers within the carriers – most telecom NOCs run “lean and mean.”

Option #2: WAN Management via Core Providers

Core providers also provide a network management option for your bank’s WAN. Most banks that use this strategy like the convenience of using a single provider for both core processing and WAN connectivity. All connections are seamlessly connected back to the core provider, and, depending on the vendor and purchased options, these connections may be more closely monitored by the core provider’s NOC. This option provides a single point of contact as well as a single bill for your bank’s solution.

Expect to pay a premium for convenience. Core providers do not own the underlying infrastructure used to deliver the WAN circuits. Core providers typically use a single large national partner (e.g., AT&T, Verizon, etc.) to offer WAN connectivity services. Those underlying carriers have a profit margin to make, and that is stacked on top of the margin that core providers will take. Taken together, these factors make bundling through your core provider the most expensive way to manage your bank’s WAN.

Beyond the extra cost there is often another area that can prove to be problematic for your financial institution if you allow your core to provide your WAN. Core providers can be very limited in the flexibility of the WAN technology that they provide. Most bankers are familiar with the rigid standards required by core providers when you are running out of their service bureau. In much the same way, core providers tend to be very limiting on routing configurations. These restrictions are perhaps most visible to an average FI when they move to implement a BCP/DR strategy. Most cores will not allow the protocols required to have Internet and network server connectivity automatically re-routed in the event of an outage.

Pros: Single bill, single point of contact
Cons: Most expensive option, limited carrier choice, limited flexibility

Tip: Convenience offered by WAN management from core providers comes at a steep cost.

Option #3: WAN Management via a Managed Services Provider (MSP)

Many banks opt to use 3rd party MSPs to manage their WAN connections. Many telecom carriers offer unmanaged circuits (i.e., they offer a circuit-only option that does not include a managed router). Under this approach, unmanaged loops are terminated on equipment that is bank-owned or provided by an MSP. The MSP manages the overall solution to varying degrees, based on the vendor and product.

Unlike the core providers, MSPs typically have multiple arrangements with national carriers and will often offer more options for WAN connectivity. This flexibility typically translates into lower cost to the bank than their core provider can offer.

Another benefit offered by this approach is that you assign the proper roles and responsibilities to the appropriate parties. Carriers specialize in ensuring the simple up/down status of circuits, and this management model allows them to focus on this one important responsibility. Similarly, MSPs are responsible for the overall health and management of the WAN solution.

Pros: Best support, competitive pricing, multiple carrier options
Cons: Multiple bills, multiple contacts

Tip: MSPs typically offer a wider variety of management tools and better reporting on WAN usage.

Engineering Best Practice/Conclusion

There are many choices when it comes to managing your bank’s network. While only management can decide which option is the best fit for your financial institution’s needs, a specialized MSP offers the most comprehensive set of services at a competitive price. While not the cheapest option available, an MSP may be the most cost-effective option by ensuring that your WAN properly fits your business needs. Such specialized 3rd party vendors can also offer the expertise necessary to help your bank explore more advanced networking, such as ensuring high availability and implementing disaster recovery fail-over scenarios for both core processor and Internet connectivity.

Don’t Go IT Alone!

It seems like IT budgets shrink every year, and IT staff members must often focus on other priority projects. The right vendor to help you seize control over your WAN should offer an experienced staff that can guide you through the process of designing a WAN infrastructure. Don’t accept a one-size-fits-all solution, and seek out a vendor that will listen to your concerns in order to help implement a management strategy that meets your requirements. WAN connectivity presents a significant recurring business expense, and a solid WAN management partner can help you get the most out of this investment.






27 Jan 2016

How to Find a New Community Bank IT Administrator and What to Look for in Potential Candidates

It can be devastating to learn your bank’s IT Administrator is moving on to a new job. Many community banks find themselves wondering, what should I do now and what are the steps I should take to successfully find a new IT administrator to fill this key role?

Start with an updated bank IT administrator job description

The first step any bank needs to take is to update or put together the actual job description for the role they are looking to fill. Oftentimes responsibilities, requirements and required technology skillsets change based on process improvements and new technologies in the financial industry. The job description needs to be a collaboration between bank management, the board and key stakeholders within the bank.

Networking critical to spread the word

Once the description and key requirements have been put together, the position should be posted to key career sites such as LinkedIn, your state’s community bank association website and CareerBuilder, and networking needs to start. The community banking network is a close-knit group, so networking is crucial. Ask peers inside your organization and network if they know of anyone they would recommend. Word of mouth can be very efficient in the hiring process!

Cast a wide net

Make your search broad. Given the rural location of many community institutions, locating qualified individuals locally can be a challenge. Don’t restrict recruiting to only your immediate community. Reach out to nearby markets, even other states and larger cities. Qualified candidates may be looking to relocate to your community and this could be the perfect fit for them.

Seek help during the hiring process

While all this sounds easy enough, it can be challenging to find the right candidate for your bank, and you certainly don’t want to make a rushed or hasty decision. It can take two to three months to find a suitable candidate who meets your needs for an IT administrator. The unemployment rate for IT jobs in the United States is low (2.3%), so you may need to enlist the help of a recruiter who might have a pool of qualified candidates.

In addition, bank executives may find themselves at a loss to ask the right questions and assess qualifications during the interview process. This is typically due to a lack of knowledge of the technical details and skill sets required for this position. The IT Administrator is responsible for overseeing the selection, implementation, and ongoing support of technology throughout the entire bank, so having the right person in place is crucial. Don’t be afraid to ask for help from technology partners or even recruiters during this process. These professionals can help ensure the candidate does indeed possess the right IT and financial industry knowledge needed to efficiently and successfully perform the duties of the bank IT administrator role.

Key skill sets to look for in candidates

Since this position is responsible for the entire bank’s IT network, advanced knowledge of a wide range of computer hardware, systems software, applications, networking and communications technology is required. In addition, they should have:

  • The skills necessary to maintain, repair and provide technical support for these systems;
  • The ability to communicate efficiently with both staff and customers, as well as the ability to manage and supervise staff; and
  • Solid understanding of the regulatory environment and compliance issues banks are facing today.

Given their remote location and possible hiring challenges, smaller community financial institutions can benefit from outsourcing or partnering with a provider who offers network management solutions exclusively tailored for community banks. An outsourced solution provider will work with your IT department, serving as a true partner and eliminating the possibility of a single point of failure. In today’s banking environment it is critical to have a system in place that offers key features such as patch management, third party patching, antivirus, hardware and software inventory management, vulnerability remediation, and compliance-focused reporting to help you verify that your financial institution’s network is adhering to your policies and procedures.

Don’t get blindsided when a single employee leaves

Have a solid backup plan and a trusted partner to ensure your financial institution continues to run smoothly and stays in compliance with today’s demanding regulatory requirements.

For a complete list of the skills and requirements for an ideal bank IT administrator, please see our complimentary job description.

20 Jan 2016

Banks Can’t Outsource Responsibility, but You Can Ensure a Solid Vendor Management Program

You Can’t Outsource Responsibility

The vast majority of financial institutions rely on third-party service providers not only for specialized IT services and technology assistance that help improve the overall quality and efficiency of the organization, but also for the software and hardware that actually run their business. However, even when a service is outsourced, the ultimate responsibility for the management of the vendors and the risks associated with that activity lies with the financial institution, specifically the Board of Directors and the senior management team.

The Burden of Vendor Management

All federal regulators have issued guidelines recently to help financial institutions understand and manage the risks associated with outsourcing a bank activity (including supporting a bank activity) to a service provider. To remain compliant with governing organizations, it is important for all financial institutions to find ways to strengthen their vendor management programs.

While it is more important than ever for financial institutions to manage the risk associated with vendors, many struggle with the best way to accomplish this efficiently and successfully. Most community financial institutions do not have a formal internal department dedicated to vendor management. In fact, in a recent survey, only one out of 300+ of our financial institution clients has a full-time dedicated vendor relationship manager. Instead, because many outsourced relationships have a technology component, this responsibility often falls to the IT department or the ISO. Furthermore, most still perform this process manually, potentially leaving the institution vulnerable to risk.

Finding the Right Partner

Many financial institutions are looking for ways to more effectively manage their outsourced vendors and protect themselves from the risk, often referred to as inherited risk, acquired by association with outsourced service providers. Financial institutions must be aware of and responsible for any cybersecurity risks of their vendors, and the potential for any vendor that stores, processes or transmits data to expose the bank or credit union to additional risks. In addition, the criticality of the vendor must also be assessed. What specific processes performed by the institution require proper operation and/or support from the vendor? Does the contract specify both required actions as well as specific remedies in the event of a cybersecurity incident at the vendor?

Is Automation Right for You?

So, what is the best way to manage this risk in an efficient manner while not overwhelming the vendor manager? Oftentimes, financial institutions determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. Implementing automated vendor management solutions built around the specific needs of all of the key players within the financial institution saves a tremendous amount of time and money, reduces risks and also eliminates compliance headaches. A complete vendor management system ensures your vendor managers (and any other stakeholders) are notified of all of the critical activities and actions required to effectively monitor a third-party relationship, such as ensuring all risk assessments, controls reviews and documentation are up to date.

Automating vendor management functions not only saves your financial institution time today by helping you focus your resources, but also helps protect you from future regulations and guidelines. It also reduces costs through closer oversight of contract renewals; provides reporting to all stakeholders; and generally increases security (including cybersecurity) throughout the organization.

Ultimately, it is the financial institution’s responsibility to protect the financial institution and its sensitive data no matter where that data is stored, processed or transmitted, and an automated vendor management solution is an important step in this process.

13 Jan 2016

What to Do When Your IT Administrator Leaves

It’s inevitable. You have finally found a stellar IT network administrator and things are running smoothly, when that person decides it is time to move on and explore new endeavors. For the community bank with limited resources, this can be a challenging time. If you have a one- or two-person IT department, it can be daunting to think about all that needs to happen for a smooth transition.

A community bank’s technological assets are every bit as valuable as the money in the vault! Today’s community bank relies on the IT department to maintain its hardware and software to ensure all systems are available when needed. The department is also responsible for monitoring an array of ongoing IT concerns like antivirus status, patch compliance and email security, just to name a few.

So, what happens when the key individual who is responsible for this crucial aspect of the financial institution decides to leave?

First, there are some technical issues to consider immediately. Change the IT administrator’s previous password and disable their account. Also change the passwords for any service accounts they might have known, including those that provide access to any virtual infrastructure, and disable their access to all systems, including email, email archival, network management, remote control, security monitoring, ancillary network services and remote access.

Contact information for key vendors should be changed and web hosting sites should be redirected. Also, make sure you know what reports need to be reviewed on a weekly, monthly and quarterly basis to ensure no regulatory compliance lapses occur. This is just the beginning of a vast number of things that have to happen to ensure your institution is secure and runs efficiently.

Solution Options

To help alleviate this cumbersome process, many financial institutions are turning to IT and security service providers to act as an extension of their organization and help augment internal IT resources. The right solution provider can serve as a true partner and work alongside current IT staff to manage the network and streamline technology needs. Outsourcing select IT business processes helps fill the personnel gap and provide added peace of mind to all.



An IT and security service provider can automate and control many of the administrative functions that normally fall to the IT department, making it less daunting for bank personnel. These service providers can also automate third party patch management and reporting, hardware and software inventory management, vulnerability remediation and compliance-focused documentation and reporting. Providing the ability to actively monitor network information for diagnostic or security issues not only saves time and improves efficiencies, but also extends the bank’s support hours beyond the traditional 9 to 5. The right technology service provider should offer your bank full support for the demands of today’s banking technology requirements and truly act as an extension of your internal IT department.

At Safe Systems, we understand the ever-growing complexity of community banks’ IT operations. By making the decision to partner with Safe Systems, your organization will benefit from time saving automation, an in-depth view of your IT network environment and additional support in co-managing your IT operations. We want to provide you with assurance that the institution’s IT network is functioning efficiently, optimally, securely and is in compliance with industry regulations at all times.

For more information on what to do when your IT administrator leaves, please download our complimentary checklist of tasks to complete.

05 Jan 2016

4 Key Elements of a Compliant and Effective Cybersecurity Program for Community Banks

Because of the prevalence of outsourcing, for most financial institutions cybersecurity readiness means effectively managing your vendors and having a proven plan in place to detect and recover if a cyberattack occurs. However, according to the FDIC, a cybersecurity risk management program should contain a bit more.

An Effective Cybersecurity Program Should Contain these Four Elements:

  1. Governance: risk management and oversight
  2. Threat intelligence and collaboration: Internal & External Resources
  3. Third-party service provider and vendor risk management
  4. Incident response and resilience

Let’s look into each area with a little more detail and discuss how you can best comply with each requirement:

Governance

Virtually all FFIEC examination handbooks list proper governance as the first and most important item necessary for compliance. According to the FFIEC, governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, and monitoring and accountability.

In order to comply with the governance regulations, you should regularly update and test your policies, procedures and practices. It’s important to verify that cyber threats are specifically included in your information security, incident response and business continuity policies. To assess your cybersecurity risk, focus on your controls in three categories: preventive, detective, and responsive/corrective and make sure all results are documented. Adjust your policies, procedures and practices as needed based on the risk assessment results.

Threat Intelligence and Collaboration

This element reflects both the complexity and the pervasiveness of the cybersecurity problem, and can be a particular challenge to smaller institutions, which often lack dedicated cybersecurity resources.

Regulators expect all financial institutions to identify and monitor cyber threats to their organization, and to the financial sector as a whole, and to use that information to inform their own risk environment as well as their specific controls.

Third-party Service Provider and Vendor Risk Management

For the vast majority of outsourced financial institutions, managing cybersecurity really comes down to managing the risk originating at third-party providers, also known as “inherited risk”. Smaller institutions might be even more at risk because they tend to rely more on third parties and tend to lag behind larger institutions when it comes to vendor management.

Regardless of size, all institutions should employ basic vendor management best practices to understand and control third-party risk. Pay particular attention to the existing contracts and agreements to understand what elements are in place for protecting the institution against cyber threats, and how you’ll be notified in the event of a security breach involving your data or your customers’ data.

Incident Response and Resilience

Incident response has been mentioned in all regulatory statements about cybersecurity, and for good reason: regardless of whether it originates internally or externally, a security incident is a virtual certainty. Regulators know that, although vendor oversight does provide some measure of assurance, you have very little actual control over specific vendor-based preventive controls. As a result, responsive and corrective controls must compensate for that lack of control.

Make sure your incident response program (IRP) has been updated to accommodate a response to a cybersecurity event. All IRPs should list the incident response team members and contain a method for classifying the severity of the incident, a response based on severity (including internal escalation and external notification), and periodic testing and board reporting.

It is important for all community financial institutions to review the requirements for cybersecurity and ensure all components are included in your current policies, procedures, and practices. All measures should be documented and ready to be shared and discussed with regulators.

For more information on what you should be doing to comply with cybersecurity standards, download our complimentary eGuide, Understanding the Cybersecurity Expectations for Financial Institutions.