In our last blog, we explained the first three tasks that should be accomplished as a new community bank IT administrator. The IT administrator wears many hats and plays multiple roles within a community bank. After taking hardware, software and vendor inventories, the next three steps are important to ensure the financial institution is secure and successful.
4. Determine Most Recent Dates of Hardware and Software Vendor Audits
In addition to simply completing a vendor audit, it is also important to vet vendors, or at least identify the last time each vendor was audited. If they haven’t been reviewed in a while, they should be: IT admins need up-to-date information on all aspects of the relationship and need to confirm that the vendor is in compliance with all recent Federal vendor management guidelines.
5. Determine and Test the Backup Schedule
Every bank has to perform backups. The IT admin should become familiar with the software used to perform them. Are the backups being done on schedule? Are they up to date? When was the last time a successful restore was performed? Along those same lines, determine whether the backup is stored on-site, off-site or in the cloud, and whether the backups are being encrypted with the correct cipher strength. Are the backups being done in-house, or are they outsourced? It is very important to make sure backups are being done regularly. The schedule should be evaluated closely to make sure it aligns with the most recent disaster recovery plan. If they are not aligned, the schedule should be adjusted.
One of the main tasks associated with the administrative side of the IT administrator’s job is making sure you become familiar with the disaster recovery plan and ensuring it is up to date with any updated regulatory requirements. If the plan was last updated four or five years ago, you will need to redo it to meet new Federal requirements. This is usually done by a committee that consists of the information security officer and CTO. You should work closely with the information security officer to go through policies and procedures and to make sure everything is documented to remain in compliance with current regulatory guidelines.
6. Run a Security Audit and Ensure Previous IT Administrator’s Access to Systems is Disabled
There are also some steps you should take to transition from the prior IT administrator. This starts with making a list of all user names and passwords and disabling the previous administrator’s accounts. As the new IT administrator, you should run a new security audit. You need to be fully aware of what the previous administrator did so you can be familiar with the security processes and correct anything that was not done to standards.
This audit includes making sure passwords are changed, the previous administrator’s access is terminated, and their accounts are disabled. If the administrator had remote access, you need to ensure this access is taken away or denied. Another area to examine is the use of programs such as Dropbox, which are often used to store information so that it can be accessed remotely. When the administrator leaves the bank, this access to information must be eliminated.
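The audit described above can be run against an account inventory export. The following is an added example, not part of the original post: the CSV column names, the account names and the departure date are constructed for illustration. It flags accounts of the previous administrator that are still enabled or still have remote access, and shared credentials whose passwords have not been changed since the administrator left.

```python
import csv
import io
from datetime import date

# Constructed sample export of an account inventory; the column names are assumptions.
INVENTORY_CSV = """account,owner,type,enabled,remote_access,password_last_changed
jsmith,jsmith,user,yes,yes,2024-01-10
jsmith-adm,jsmith,admin,no,no,2024-02-01
svc-backup,shared,service,yes,no,2023-11-20
fw-admin,shared,admin,yes,yes,2024-06-20
dropbox-it,jsmith,cloud-storage,yes,yes,2024-03-05
mlopez,mlopez,user,yes,no,2024-05-02
"""


def audit_offboarding(csv_text, departed_owner, departure_date):
    """Return a sorted list of (account, finding) pairs that still need action."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["account"]
        enabled = row["enabled"].strip().lower() == "yes"
        remote = row["remote_access"].strip().lower() == "yes"
        changed = date.fromisoformat(row["password_last_changed"])
        if row["owner"] == departed_owner:
            # Accounts belonging to the previous administrator must be disabled.
            if enabled:
                findings.append((name, "still enabled"))
            # Remote access is reported separately so it is revoked explicitly.
            if remote:
                findings.append((name, "remote access not revoked"))
        elif row["owner"] == "shared" and enabled and changed < departure_date:
            # Shared or service credentials the administrator knew must be
            # rotated after the departure date.
            findings.append((name, "password not changed since departure"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_offboarding(INVENTORY_CSV, "jsmith", date(2024, 6, 14)):
        print(f"{account}: {finding}")
```

An empty result is the target state; any remaining row is an open item for the transition.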
Once you have created hardware, software and vendor inventories, you should be able to take the next three steps in ensuring your community bank is secure. Reviewing vendors, evaluating backups and auditing security operations are all important steps that should be performed within a new IT administrator’s first month. In our next blog, we will explore the final three steps in extending your review of your bank’s IT operations.