Author: Darren Bridges

10 Aug 2016

Reduce the Stress of Your Bank’s IT Exams

Financial institutions are governed by stringent regulations, including strict guidelines for the institution’s information security program. Institutions must undergo regular audits, both internal and external, to help ensure their control environment is sound and compliant. These audits ultimately help the institution prepare for when the examiners come knocking. Regulatory agencies conduct these IT exams to determine if the institution’s policies and procedures are sound, and if daily practices are in line with those standards. Rarely are these experiences fun or care-free.

The IT audit and examination processes can both be very time consuming and stressful for security officers, IT Administrators, and the institution’s executives. IT audits, while invaluable, may result in a laundry list of suggested improvements, most of which come with a price tag. Senior management must decide which suggestions are worth the investment and which constitute acceptable risk. Then, they must be able to defend that position to examiners.

Recent developments, including the FDIC’s introduction of the Information Technology Risk Examination (InTREx) Program, emphasize that it is not enough to have a solid Information Security Policy and procedures. Today’s examiners are requiring ever-increasing amounts of documentation as evidence that your institution is indeed doing what your policies and procedures promise. Financial institution IT professionals, already tasked with the full-time job of keeping systems up and running, are also asked to help the Information Security Officer gather volumes of documentation that make up this paper trail.

Without help, this regulatory burden can be a major challenge for smaller community banks and credit unions that lack the resources and experience to adequately meet ever-growing regulatory demands. However, there are some steps these smaller institutions can take to ease the stresses associated with this near-constant scrutiny.

Be Proactive – Conduct IT Self-assessments

To help ensure better results on bank IT audits and examinations, all financial institutions should complete periodic (quarterly) control self-assessments that enable management to gauge the state of IT performance, system status, and emerging risks. These proactive IT self-assessments are essential for ongoing monitoring of security controls and ensuring prompt corrective action of significant deficiencies. These regular reviews are not just beneficial, they are also mandatory. FFIEC guidance dictates that financial institutions perform regular self-assessments to “validate the adequacy and effectiveness of the control environment.”

At Safe Systems our strategic advisors work with each client to perform quarterly technology self-assessments. While this assessment helps the institution ensure all things related to IT network technology controls are working and up to date, it also serves as time for the strategic advisor to educate bank personnel on new or changing government regulations. This helps the bank to remain in compliance and sets the institution up for success in audits and exams.

Auditor feedback from our clients indicates that financial institutions that work with experienced IT outsourcing vendors and have an effective internal self-assessment process in place generally demonstrate a much more evolved risk management process and have a smoother IT audit. Simply put, this results in fewer, and less severe, audit findings. These institutions tend to identify, correct and control weaknesses prior to an audit, as opposed to waiting for the auditor to identify them. Since one of the first things the examiner wants to see when they arrive is the most recent IT audit, this often results in fewer examination findings as well.




7 Reasons Why Small Community Banks Should Outsource IT Network Management

This is a free white paper that addresses key issues smaller financial institutions face when managing their networks and the benefits of outsourcing these tasks.

Automate Reporting for IT Examinations

Documentation and reporting make up the paper trail that examiners are looking for to help validate your information security program. Being able to provide comprehensive, easy-to-understand reports with clear and concise summary information is vital to any IT audit or exam. You may be asked for documentation on who is involved in technology reviews, frequency of meetings, minutes from each meeting, IT issues the bank is addressing, technology inventory management, patch management reports, testing policies and procedures, and disaster recovery plans, to name a few. These reports can be a time-consuming hassle to generate. However, with a financial institution-specific reporting solution in place that automates the process and provides detailed on-demand reports, financial institutions can easily generate much of the appropriate documentation in a time-efficient manner.

Preparing for an IT audit or exam can certainly be a headache! However, working with Safe Systems can provide your bank with peace of mind because by the time the examiner gets there, you are well prepared and can feel confident of the upcoming exam result. Safe Systems provides financial institutions with a trusted resource and technology advisor, leading to improved IT audit and examination ratings. With an experienced IT services provider, bankers can get back to the business of banking while compliance-oriented IT professionals work to ensure network components, servers and workstations are operating properly and securely; all while helping to ensure that your institution is meeting regulatory requirements.

09 Mar 2016

Why Should My Small Community Bank Outsource IT Network Management? Part I

The Use of Technology in the Community Banking World Has Become Widespread

While its evolution has made many processes and procedures more streamlined and efficient, managing a financial institution’s IT network has also become a full-time, demanding responsibility. A community bank’s IT staff must understand the ever-growing complexity of IT operations and applications, continuously changing regulatory requirements and FFIEC compliance guidelines. Even with all these important responsibilities, many community banks only have one or two people to manage all of the IT operations. Even further, many may not have banking backgrounds.

Regardless of location and size, small community banks are subject to largely the same regulations as larger institutions. Regulatory agencies are continuously changing and increasing guidance regarding cybersecurity and are liberal in issuing citations to financial institutions that have lapses or are not meeting regulations.

With these changes, smaller financial institutions are, or should be, looking for ways to more efficiently manage their IT networks and compliance procedures. Oftentimes they determine outsourcing the management of underlying IT, security and compliance operations is the most effective and efficient solution. Smaller financial institutions can benefit in many ways from outsourcing with a provider who offers IT network management solutions exclusively tailored for community banks.

Finding, training and retaining qualified staff to manage an IT network can eat up considerable time and energy from your bank’s management team, taking away valuable time needed to support customers and banking operations. Maintaining the knowledge and expertise of the evolving IT landscape is a time-consuming endeavor and small institutions trying to manage this function internally often find it nearly impossible to remain competitive with their technology in today’s banking environment. Outsourcing underlying IT operations to a knowledgeable banking IT provider eliminates management’s time involvement in recruiting IT personnel, training new IT personnel on the unique technology and compliance aspects of banking, and the on-going issues associated with competitive compensation.

Any time a bank system is down, be it the teller system, WAN circuit, or loan documentation system, it causes a disruption to the financial institution. Such disruptions can be greatly reduced by working with a knowledgeable service provider. The right service provider can monitor and proactively identify many technical issues on network devices, and address or fix the problem prior to failure. This results in less downtime, improved employee efficiency and a consistently high level of customer service. 


For more information on how outsourcing can benefit your community bank, please download our complimentary white paper, 7 Reasons Why Small Community Banks Should Outsource IT Network Management.




7 Reasons Why Small Community Banks Should Outsource IT Network Management

This is a free white paper that addresses key issues smaller financial institutions face when managing their networks and the benefits of outsourcing these tasks to a provider who offers IT network management solutions exclusively tailored for community banks.

08 Mar 2016

Why Should My Small Community Bank Outsource IT Network Management? Part II

With so many hardware advances, software choices and requirements from your core banking software provider and other banking software vendors, determining what is right for your institution has become more complicated than ever. An IT services provider can help alleviate this stress by evaluating the infrastructure of the bank and eliminating the unnecessary hardware, processes and tasks. This helps with the overall management of the institution by simplifying management needs, reducing ongoing costs and maintenance management.

Selecting who to trust and depend on when deciding to partner with an IT services provider is challenging, especially for community bankers. Many bankers struggle with choosing the right solution that will work with and truly benefit their financial institution.

Smaller community financial institutions can benefit from outsourcing or partnering with a provider who offers network management solutions exclusively tailored for community banks. Having a system in place that offers key features such as patch management, third party patching, antivirus, hardware and software inventory management, vulnerability remediation, and compliance-focused documentation reporting to verify that your financial institution’s network is adhering to your policies and procedures is critical in today’s environment.

The right IT service provider should offer your bank full support for the demands of banking technology and IT regulatory compliance by delivering your institution a solution that documents that your policies and procedures are being followed. A solution provider can help bridge the gap between a financial institution’s everyday network administrative functions and the big picture goals of IT compliance and infrastructure planning.

For more information on how outsourcing can benefit your community bank, please download our complimentary white paper, 7 Reasons Why Small Community Banks Should Outsource IT Network Management.




7 Reasons Why Small Community Banks Should Outsource IT Network Management

This is a free white paper that addresses key issues smaller financial institutions face when managing their networks and the benefits of outsourcing these tasks to a provider who offers IT network management solutions exclusively tailored for community banks.

13 Jan 2016

What to Do When Your IT Administrator Leaves

It’s inevitable. You have finally found a stellar IT network administrator and things are running smoothly, when that person decides it is time to move on and explore new endeavors. For the community bank with limited resources, this can be a challenging time. If you have a one or two person IT department, it can be daunting to think about all that needs to happen for a smooth transition.

A community bank’s technological assets are every bit as valuable as the money in the vault! Today’s community bank relies on the IT department to maintain its hardware and software to ensure all systems are available when needed. The department is also responsible for monitoring an array of ongoing IT concerns like antivirus status, patch compliance and email security, just to name a few.

So, what happens when the key individual who is responsible for this crucial aspect of the financial institution decides to leave?

First, there are some technical issues to consider immediately. Change the IT administrator’s previous password and disable their account. This includes changing passwords for any service accounts that they might have known, including access to any virtual infrastructure as well as disabling access to all systems including email, email archival, network management, remote control, security monitoring, ancillary network services and remote access.

Contact information for key vendors should be changed and web hosting sites should be redirected. Also, make sure you know what reports need to be reviewed on a weekly, monthly and quarterly basis to ensure no regulatory compliance lapses occur. This is just the beginning of a vast number of things that have to happen to ensure your institution is secure and runs efficiently.

Solution Options

To help alleviate this cumbersome process, many financial institutions are turning to IT and security service providers to act as an extension of their organization and help augment internal IT resources. The right solution provider can serve as a true partner and work alongside current IT staff to manage the network and streamline technology needs. Outsourcing select IT business processes helps fill the personnel gap and provide added peace of mind to all.



An IT and security service provider can automate and control many of the administrative functions that normally fall to the IT department, making it less daunting for bank personnel. These service providers can also automate third party patch management and reporting, hardware and software inventory management, vulnerability remediation and compliance-focused documentation and reporting. Providing the ability to actively monitor network information for diagnostic or security issues not only saves time and improves efficiencies, but also extends the bank’s support hours beyond the traditional 9 to 5. The right technology service provider should offer your bank full support for the demands of today’s banking technology requirements and truly act as an extension of your internal IT department.

At Safe Systems, we understand the ever-growing complexity of community banks’ IT operations. By making the decision to partner with Safe Systems, your organization will benefit from time saving automation, an in-depth view of your IT network environment and additional support in co-managing your IT operations. We want to provide you with assurance that the institution’s IT network is functioning efficiently, optimally, securely and is in compliance with industry regulations at all times.

For more information on what to do when your IT administrator leaves, please download our complimentary checklist of tasks to complete.

15 Dec 2015

Community Banks Options for Help with Cybersecurity Regulations

Financial institutions today are under pressure to comply with mounting regulatory requirements, especially as they relate to cybersecurity guidelines. In fact, the FFIEC recently issued an update to the FFIEC Information Technology Examination Handbook’s Management Booklet to more explicitly integrate cybersecurity concepts. Additionally, the FFIEC released a new resource called the Cybersecurity Assessment Tool (CAT) to help financial institutions identify risks and determine cybersecurity preparedness. This in-depth “assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time,” according to the FFIEC.

Due to the “increasing volume and sophistication of cyber threats,” cybersecurity has quickly become a hot topic with regulatory agencies. Regulators expect banks to show evidence that they are measuring cybersecurity threats and preparedness using the CAT or a comparable framework. This expectation applies to banks of all sizes, from a rural one-branch bank to a national bank with billions in assets. For smaller banks with fewer resources and less compliance expertise, complying with the new regulations and requirements can be a challenge.

While some regulatory agencies have indicated that completion of the Cybersecurity Assessment Tool is not mandatory, all have stated they intend to use the tool to assess banks’ cybersecurity readiness. Examiners have already begun to issue verbal and written recommendations to financial institutions that have not filled out the CAT.

After completing the CAT, many community banks are finding they have a higher risk factor than they expected and are frantically searching for ways to efficiently manage the strategies needed to mitigate that risk.

What are your bank’s options for mitigating this increased cybersecurity risk?

Try to manage it yourself

Many banks that try to manage cybersecurity guidelines themselves in-house often run into hurdles immediately. Maintaining the knowledge and expertise of the evolving regulatory environment is a time-consuming endeavor. The CAT assessment alone is about 128 pages. Small banks do not have the bandwidth to manage cybersecurity compliance efficiently and in a manner that meets regulator demands. Many community banks simply can’t afford to have a team dedicated to regulatory management.

Use a local IT service provider

Community bankers have a natural inclination to “shop local,” and that includes looking for service providers who can assist with IT and compliance needs. However, it is also important to understand the risks that generalist IT service providers pose to your institution given today’s oversight environment. Local IT service providers often do not have experience with the regulatory demands bankers face. Auditors and examiners will expect a thorough paper trail to prove that daily practices match defined policies and procedures, and often this must flow through IT resources. Knowledge of your banking applications, cybersecurity and compliance environment is vital!

Engage an experienced bank IT and compliance professional

To help augment limited personnel resources, community banks are increasingly partnering with financially-focused IT and security service providers to better manage their growing compliance and security needs. It is important to partner with an organization with the right skills, knowledge and expertise.

The right IT service provider couples security measures with an understanding of and support for the unique compliance demands of the financial industry.

White Paper Download

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial institution’s compliance posture





10 Nov 2015

Safe Systems Introduces Vendor Management Software for Banks and Credit Unions

Recent cybersecurity incidents affecting financial institutions have largely involved third-party service providers, prompting increased attention by regulators, and increased scrutiny on oversight of third party relationships. To maintain compliance with today’s stringent regulatory environment, community banks and credit unions must ensure their vendor management processes monitor and document every aspect of their vendor relationships, including vendor concerns such as financial viability and information security practices of their vendors.

To address this concern, we at Safe Systems are now offering our new vendor management solution to the marketplace. This web-based software automates the process of contract management, product risk assessment, and controls review to help banks and credit unions effectively manage third-party service providers and maintain regulatory compliance. This proven solution has been in use by a select group of approximately 20 client institutions during the past year.

“By the time I had used Safe Systems’ Vendor Management application for several weeks, I was convinced that this product met State Bank of Cochran’s needs for an automated vendor management solution. Their Vendor Management application met all of the regulatory specifications of a sound vendor management program: risk assessment, due diligence in selecting a third party, contract structure and review, documentation and reporting, as well as independent reviews, and ongoing oversight,” said Leesa Anderson, CTO of State Bank of Cochran.

 

As a Software as a Service (SaaS) solution, our vendor management software centralizes vendor profiles and data into a client dashboard to provide real-time alerts, reporting, and recommended controls. This customizable solution enables banks to automate vendor management activities, assess risk, and easily upload and track contracts from multiple vendors. Our vendor management solution also stores information in a SOC1 and SOC2 audited datacenter and integrates vendor information into our client management portal, “the Safe.” In addition, we provide ongoing training and consulting services with each license.

Vendor management is often the most under-manned function within a bank’s IT department. Many community financial institutions keep track of their vendor management activities manually using spreadsheets, but with our web-based software solution, banks and credit unions can easily monitor and manage multiple third-party service providers; understand the level of risk each vendor poses to your institution; and ensure compliance with regulatory guidelines.