Category: Compliance

08 Oct 2020
Best Practices for Developing a Compliant Cyber Incident Response Program

If you think a cyber incident won’t impact your financial institution, you are seriously underestimating the lengths cybercriminals will go to in order to steal your customers’ or members’ non-public information. According to a new report from NuData Security, a Mastercard company, financial institutions receive the highest percentage of sophisticated attacks (96%) amongst all industries.

As cybercriminals continue to exploit organizations and increase the quality of their attacks, financial institutions need to have a compliant incident response plan in place to control, contain, and recover from a potential cyber incident quickly and efficiently.

Safe Systems held a webinar discussing what a compliant cyber incident response plan should look like and shared key best practices community banks and credit unions should use to effectively document a cyber incident. In this blog, we’ll cover a few of the key points from the webinar.

Elements of a Compliant Incident Response Program

The requirements for incident response have not changed significantly since 2005. The guidance was broad enough to encompass many of the events that are occurring today, including cybersecurity and pandemic-related events. According to the Federal Deposit Insurance Corporation (FDIC), there are five key elements of a compliant incident response program:

  • Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused
  • Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information
  • If required, filing a timely suspicious activity report (SAR), and in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing, promptly notifying appropriate law enforcement authorities
  • Taking appropriate steps to contain and control the incident to prevent further unauthorized access or use of customer information
  • Notifying customers when warranted in a manner designed to ensure that a customer can reasonably expect to receive it

Although these requirements have essentially stayed the same, there is one key change that has occurred in the FFIEC’s 2019 update to the Business Continuity Handbook. The guidance now requires financial institutions to reference or include the incident response plan (IRP) in the business continuity management plan (BCMP). While still acceptable to have a separate incident response plan, somewhere within your BCMP you must now reference the IRP.

How to Document and Maintain Evidence of an Incident

Documentation is a key component of incident response to provide auditors, examiners, and other stakeholders with key information about the abnormal event or incident. Initial steps include the recording of basic facts about the suspicious event before it becomes an official incident.

Key questions include:

  • What specific abnormalities were noticed?
  • Where were they discovered?
  • When were they discovered?
  • Who first noticed the abnormality or event and who did they notify/involve?
  • If the event escalates to an incident, how did it happen, and what were the contributing factors that allowed it to happen?

If the event is categorized as an “incident,” you need to know how to document and maintain the evidence, what decisions were made, and the resulting actions taken. When enacting your containment strategies, part of that should involve collection and preservation of the evidence, including all the key records created by the various technologies your institution uses. The guidance indicates that all financial institutions should have some type of logging intelligence. But which logs are most important for incident response?

When creating a logging strategy, there are five key challenges to consider:

  • Sources – Logs are generated from various sources such as users, databases or file shares, endpoints, networks, applications, and cloud services. With so many logs coming from different sources, it’s important to be aware of all the systems and applications generating logs and to know how to access them in order to monitor efficiently.
  • Log Volume – The volume can differ greatly depending on the source. Some sources are quiet and easy to manage, while others, like network switches and firewalls, produce a constant torrent of data that may be difficult to log. It’s important to determine what is realistic for your institution to store and manage.
  • Log Protocols – The various sources speak different languages, or protocols. Some send alerts as email using the Simple Mail Transfer Protocol (SMTP), while others, like network switches, send a constant stream of Syslog data. It is nearly impossible to create a centralized system that speaks all of these languages perfectly, so you must determine how your institution will extract intelligence from the logs.
  • Log Destinations – Once you’ve collected information, where are you going to send it? You’ll need to determine storage destinations for the different types of logs.
  • Log Interaction – After you’ve built the logging platform, do you want it to be searchable? You’ll need to decide how you want to interact with the data and how long you will keep it. Longer data retention can become significantly more expensive depending on the time frame for storage.

Different types of data likely require different lengths of time for retention. Your retention policy should outline the expected retention time frame for each data log. Institutions should carefully consider all these key challenges when building a logging strategy that fits their unique needs.
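To make the retention and evidence-preservation points above concrete, here is an added Python example (not code from the webinar or from Safe Systems): a small model that assigns a retention period per log source type, lists the records due for purge, and places a preservation hold on the systems and time window of an incident so that routine purging does not destroy the evidence. The retention days, system names, destinations and incident id are constructed sample values.

```python
"""Retention policy and preservation hold model for incident response logging.

Added example; every policy value, system name and incident id below is a
constructed sample, not guidance from any regulator or vendor.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention policy: days each log type is kept before purge.
# Noisy sources (firewall) get shorter windows; audit trails are kept longer.
RETENTION_DAYS = {
    "firewall": 90,
    "endpoint": 180,
    "email_gateway": 365,
    "database_audit": 730,
}


@dataclass(frozen=True)
class LogRecord:
    source_type: str   # key into RETENTION_DAYS
    system: str        # host or application that produced the log
    day: date          # day the log covers
    destination: str   # where it is stored (SIEM, cold storage, ...)


@dataclass(frozen=True)
class PreservationHold:
    """Freeze logs tied to an incident so purge cycles cannot destroy evidence."""
    incident_id: str
    window_start: date
    window_end: date
    systems: frozenset

    def covers(self, rec: LogRecord) -> bool:
        return rec.system in self.systems and self.window_start <= rec.day <= self.window_end


def retention_deadline(rec: LogRecord, policy=RETENTION_DAYS) -> date:
    """Date on which the record falls out of its source type's retention window."""
    if rec.source_type not in policy:
        # A source with no rule is a gap in the retention policy, not a default.
        raise ValueError(f"no retention rule for source type {rec.source_type!r}")
    return rec.day + timedelta(days=policy[rec.source_type])


def held_records(records, holds):
    """Records protected by at least one active preservation hold."""
    return [r for r in records if any(h.covers(r) for h in holds)]


def purge_candidates(records, holds, today, policy=RETENTION_DAYS):
    """Records past retention that are NOT under a hold; only these may be deleted."""
    return [r for r in records
            if retention_deadline(r, policy) <= today
            and not any(h.covers(r) for h in holds)]


def held_past_retention(records, holds, today, policy=RETENTION_DAYS):
    """Evidence that survives only because of the hold (it would otherwise be purged)."""
    return [r for r in held_records(records, holds)
            if retention_deadline(r, policy) <= today]


def build_sample():
    """Constructed data: logs from four sources and one hold for a phishing incident."""
    today = date(2020, 10, 8)
    records = [
        LogRecord("firewall", "fw-edge", date(2020, 6, 1), "siem"),
        LogRecord("firewall", "fw-edge", date(2020, 9, 20), "siem"),
        LogRecord("endpoint", "wks-teller-07", date(2020, 3, 15), "siem"),
        LogRecord("email_gateway", "mx-gw", date(2020, 3, 15), "cold-storage"),
        LogRecord("database_audit", "core-db", date(2019, 9, 1), "cold-storage"),
    ]
    # Hypothetical incident id; the window and systems come from the "what/where/when"
    # facts recorded when the event was first noticed.
    hold = PreservationHold("INC-EXAMPLE-001", date(2020, 3, 10), date(2020, 3, 20),
                            frozenset({"wks-teller-07", "mx-gw"}))
    return {
        "today": today,
        "records": records,
        "holds": [hold],
        "purge": purge_candidates(records, [hold], today),
        "held": held_records(records, [hold]),
        "held_past_retention": held_past_retention(records, [hold], today),
    }


if __name__ == "__main__":
    s = build_sample()
    for label in ("purge", "held", "held_past_retention"):
        print(label, [(r.source_type, r.system, r.day.isoformat(), r.destination)
                      for r in s[label]])
```

Running the block shows one firewall record eligible for purge, while the endpoint log from the incident window is past its 180-day retention and is kept only because the hold covers it.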

If you’d like to learn more about cyber incident response, download our recorded webinar, “Not If, But When: Best Practices for Cyber Incident Response.”

01 Oct 2020
After a Year Unlike Any Other, What Community Banks and Credit Unions Should Budget for in 2021

In 2020 we’ve learned a lot about ourselves, and whether the general population realizes it or not, they have learned a lot about something often relegated just to banking: Risk Tolerance. And with that in mind, here are seven key items that your institution should consider while budgeting for 2021:

1. Laptops

Supply is down, demand is up, so from a pricing standpoint, you are unlikely to find great deals on laptops, but their portability has been a key component to companies and employees being successful during the pandemic. Remote work is a great option for employees who do not need face-to-face interactions with customers or members, but not every department can work successfully outside of the main office or branch.

When planning for next year, each position in the institution needs to be evaluated, if it hasn’t been already, to determine the ability and effectiveness of remote working. When possible, consider having remote employees use a company laptop going forward. In a recent Safe Systems survey of community financial institutions, one-third of respondents had already decided that they will be purchasing more laptops this year.

2. Hardware Management Software

How many of the controls you use to secure your institution’s devices require the device to physically be in the office? As the work environment changes and more people make the shift to working from home offices, your current controls need to be evaluated to ensure they work just as effectively outside of the branch. For years, the push for “agentless” controls has been popular, but many of these controls assumed the office was a well-defined building where all devices used the financial institution’s network. As the home office becomes the new standard for many banks and credit unions, the need for agent-based controls is greater than ever. Controls/security measures are no longer effective if they require the device to be on premise.

3. Business Continuity Plan (BCP) Update

Having an updated pandemic plan as part of your BCP is still likely a need for many institutions. Because it has been more than a century since a full-scale pandemic hit the U.S., many of the assumptions and concepts that pandemic plans were based on have proven to be incorrect. For instance, many plans outlined operational changes based on only 50% staff for just a week or two. Much of the concern before 2020 was making sure staff members were properly cross trained in the event key individuals were unavailable for days or perhaps a few weeks. While this is still very important, it represents only a tiny portion of truly being ready for a pandemic.

Pandemic plans often did not address managing operations for a long duration or important measures like social distancing, security measures, consumer access, etc. Financial institutions must take a hard look at key lessons learned so far during the COVID-19 pandemic and update their plans accordingly.

4. Moving to the Cloud

Recognizing that having employees working outside of the office is a real possibility moving forward, investing in new servers and putting them in offices is becoming an antiquated idea. The cloud provides a level of redundancy, scalability, and accessibility that cannot be matched by buying a single server. It also means no one has to be in the office to manage the infrastructure. As servers need to be replaced, banks and credit unions should seriously consider the process of moving to the cloud.

5. Client Experience

One question every institution should be asking itself is: “how can we better enhance the customer experience?” While IT is usually seen as a cost center, the events of the past year may have opened a door for IT to step up and offer solutions that directly affect the customer experience. The pandemic has forced many people, some maybe for the first time, to adopt digital banking solutions. If IT can offer specific tools and/or insight into how to improve the customer experience, this may be the opening that IT has hoped for to secure a “seat at the table” among their institution’s leadership.

6. Cybersecurity

Garmin, the GPS and active wear company, reportedly paid $10 million in 2020 to counter a ransomware attack. Their customers were without the services for over a week while Garmin’s data was held hostage. All of the information about their case is not available yet, but the sad reality is that they likely could have prevented the entire situation with just a few technology solutions and security settings being implemented correctly. The threat to your data is as real today as it ever has been. Be sure to have a conversation with a security company you trust to ensure that even if you are the target of a ransomware attack, it won’t be able to hurt your business long-term. Invest in cybersecurity now, so that your institution won’t end up paying much more later.

Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report, and cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights.

Unfortunately, spending and layers of protection will most likely need to increase annually to address this issue, in areas such as:

  • Employee training – to ensure it is adequate and effective
  • Perimeter protection – to ensure the appropriate layers are enabled and all traffic is being handled correctly including encrypted traffic
  • Advanced threat protection and logging – to be able to identify how, if at all, malware or an intrusion created an incident
  • Backup and data redundancy – to ensure ransomware can’t wipe out your data

Per Computer Services, Inc. (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

7. ISO

With the increase in responsibilities of the Information Security Officer and the focus on separation/segregation of duties, there has been an uptick in the number of institutions looking for virtual ISO (VISO)-type solutions. These solutions can help by taking some level of burden off of internal resources, provide staff with templates or toolsets when needed, and oversight to ensure nothing is falling through the cracks.

For 2021, there are a lot of things to consider. One focus should be to look at the changes your institution had to make because of the pandemic and what changes you should consider making in the future to improve cybersecurity, information security, and as always, your customers’ and members’ experience.

21 Sep 2020
Three Often Overlooked Elements of an Effective and Compliant Incident Response Plan (IRP)

In today’s security environment, it’s not if a cybersecurity incident will impact your institution, but when and how big? That’s why having an effective and compliant incident response plan (IRP) is so important to ensure your institution is prepared for the unexpected and equipped to recover.

When a financial institution experiences a cyber incident, the information security officer (ISO), along with the incident response team, must assess the situation and determine if this incident has resulted (or might reasonably result) in exposure of non-public personal information (NPI). If the answer is “yes,” then the team must activate the IRP to contain and control the situation and ensure quick and efficient response and recovery. When activating an IRP, there are three key elements that we sometimes see financial institutions overlook:

1. Incident Response Team Participation

When building your incident response team, it is important to include representatives from each functional unit of the institution. Too often the incident response team consists of IT personnel only. While an incident might seem to be isolated to a certain department (like IT), there could be residual effects impacting other parts of the organization.

For example, let’s say you have an incident that seems to be limited to a group of customers who received a phishing email appearing to be from the institution asking them to click a link to change their ebanking password.

In this situation, you may be inclined to simply involve IT and deposit operation teams. However, because there could be a ripple effect that goes beyond that one incident, you’ll want to include other departments such as lending, human resources, and accounting. For instance, the customer could have a lending relationship or home equity line with the institution that might be impacted as well. Or, the customer could also be a vendor. Furthermore, with the increased possibility of pretexting during a social engineering attack, the Human Resources department may want to use the incident as an opportunity to conduct refresher training to ensure employees know how to verify customer information. As such, it’s important to have all your bases covered and include all functional units on the incident response team.

2. Designated Spokesperson and Social Media Monitoring

Once you’ve activated your plan, it’s important to understand that you cannot simply hope to contain the incident within your organization. A cyber incident may involve key external stakeholders including the Board and senior management, regulatory agencies, law enforcement, third-party service providers, insurance, legal, customers, and may even attract the attention of the media.

When an incident occurs, it is important to have designated spokespeople pre-selected to communicate with each external stakeholder that needs to be informed. For example, you’d want to have your IT admin in contact with the point person at your outsourced IT company because they most likely have a direct relationship with this vendor. However, you probably wouldn’t want that same person reaching out to regulators or customers. A member of senior management would be the best choice for that. In addition, you should designate one or more individuals to be your media contact. Don’t forget to have someone monitoring social media channels to ensure news about the incident isn’t spreading online potentially exposing you to reputational harm.

When developing an incident response plan, designating spokespeople to communicate with external stakeholders and monitoring online social media channels often gets overlooked because the main focus is usually on how the incident happened and how to fix it quickly. The moment the incident response plan is activated it is critical for the incident response team to assign these roles and keep these individuals updated with any interactions they may have with stakeholders.

3. Detailed Incident Documentation and Log Retention

It is imperative that the incident response team creates detailed documentation outlining everything that occurred from the time the event was first identified, even before it was classified as an incident. Again, this is often overlooked as the team engages in containment and control activities. However, regulators, insurance companies, third-party forensics companies, the Board, law enforcement, etc., will need full details when and if they are drawn into the incident. The documentation should detail who responded, what actions were taken, when each action was taken (the timeline), and why and how (if known) the incident occurred.

Equally important is the retention of any data logs that might assist with the response and recovery phase. Often insurance carriers will need this information if they are involved, and forensic firms will definitely need it if they are drawn into the investigation phase.

We’ll dive deeper into security event logging and best practices for responding to a cyber incident in a future blog post.

For more information, register for our upcoming webinar, “Not If, but When: Best Practices for Cyber Incident Response.”

03 Sep 2020
The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The ISO is tasked with multiple simultaneous activities: supervising the financial institution’s business continuity planning, project management, vendor management, cybersecurity, exams and audits, and information security, which can be an overwhelming responsibility for one person to manage. This presents operational and compliance challenges for the institution if there is no second-in-command should the ISO become suddenly unavailable. For this reason, the Federal Financial Institutions Examination Council (FFIEC) in its Management booklet outlines the importance of succession planning for key roles within the institution, including the ISO.

The Challenge

Effective succession planning involves proactively identifying alternate personnel and initiating proper cross-training for critical roles well in advance. A case in point is Billy Peele, who has worked with Iva, South Carolina-based The Peoples Bank for 45 years, and who plans to retire by the end of 2020. Overseeing the bank’s IT and InfoSec departments, Peele has also functioned as the institution’s ISO. With a succession plan in place, the bank selected Jill Seymore and Addrian Wilson to jointly assume the title and responsibilities of the ISO in preparation for Peele’s departure.

Although highly skilled in banking operations, Seymore and Wilson initially lacked the level of ISO-related experience necessary to fulfill the role. Specifically, the pair wanted a better grasp of the IT reports and to learn best practices for reviewing these reports from the ISO perspective. This learning curve could have been overwhelming for the new ISOs, but The Peoples Bank decided to implement a proven virtual ISO solution to give Seymore and Wilson the tools to become more confident in the new role.

The Solution

Too often, new ISOs do not receive a detailed hand-off document from their predecessor and may not know where to start to complete key responsibilities. Fortunately, this was not the case for The Peoples Bank, as Safe Systems’ ISOversight Virtual ISO Solution formalized all responsibilities into a structured framework for Seymore and Wilson, allowing for methodical review of all tasks on a monthly, quarterly, and annual basis to ensure continuity for the bank.

ISOversight serves as a risk management tool designed to support the role of the ISO by augmenting existing personnel and ensuring that all tasks and related activities are completed on time and properly reported to the various stakeholders. ISOversight helped ease Seymore and Wilson into the ISO position by grouping all of the various responsibilities into a unified platform to effortlessly manage compliance and security activities. Not only did this clearly outline key requirements of the ISO, but it also educated Peele’s successors on how to effectively perform the role.

The Results

ISOversight gave Seymore and Wilson the confidence that allowed them to trust the bank’s IT department while verifying all interrelated activities are running smoothly and securely. Reviewing reports and receiving alerts with the assistance of the VISO helps the new ISOs extract relevant, actionable information to determine if there are anomalies or exceptions that they should be aware of and act on.

The key to succession planning is to find ways to standardize and maintain the consistency and continuity of the responsibilities of the ISO. In this case, the bank can be confident that information is secure, tasks are being completed on time, and documentation is shared with auditors, examiners, and the board. At The Peoples Bank, ISOversight provided a seamless transition for Seymore and Wilson, while laying a solid foundation for future ISO activities.

For more information, download the full white paper, “5 Case Studies: Exploring Common Challenges Faced By The Information Security Officer.”

27 Aug 2020
Three Virtual ISO Delivery Models for Community Banks and Credit Unions

Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.
– FFIEC Information Security Handbook

Information security officers (ISO) have a wide range of responsibilities and navigating them can be quite challenging, especially with increased scrutiny from examiners on alignment of policies, procedures, and practices. Adding to that challenge is the associated element of accountability; the premise that unless your practices are properly documented and reported to the various stakeholder groups, there may be doubt in the mind of the examiner as to whether or not they actually happened.

As a result of this responsibility + accountability challenge, many financial institutions are turning to virtual information security officer (VISO) solutions to support the role of the ISO by augmenting existing personnel and ensuring all tasks and related activities are completed on time; are following approved procedures; and are properly reported to the various stakeholders.

In a recent webinar, Safe Systems outlined the three virtual ISO delivery models available to community banks and credit unions today and discussed key considerations when implementing each.

1. Outsource All Activities

In this model, the financial institution hires a third-party provider to take on all of the responsibility and accountability tasks of the ISO role. Outsourcing these activities minimizes your staff’s involvement, potentially freeing up time to focus on more revenue generating activities, but this approach is typically more expensive because the third-party provider is doing all of the heavy lifting.

Another important consideration is that outsourcing everything can also isolate key personnel from important procedures and practices. If the institution isn’t involved in the day-to-day information security activities, when IT auditors and examiners question your personnel, they may not have the necessary procedural knowledge to answer. For example, there will likely be activities the outsourced provider is performing that the ISO is unaware of, or procedures in use that your personnel are not familiar with. This could lead to audit and examination observations or findings, as the ISO is expected to have comprehensive knowledge and understanding of all information security activities.

Outsourcing information security tasks is best for financial institutions with neither the time, expertise, nor inclination to perform the duties of the role. However, it comes at a higher cost, both in terms of capital outlay and also in the possibility of ISO disassociation from actual procedures and practices. The FFIEC Management Handbook uses terms such as “engaging with…,” and “working with…,” and “participating in…,” and “informing…,” to describe the typical responsibilities of the ISO. This level of involvement may be more difficult under the “outsource all” model.

2. Toolset only (Apps, Checklists, Templates, etc.)

Another option is to select a model where there’s a toolset provided to accomplish ISO tasks. The toolset could consist of applications, checklists, or templates that may be prefilled or partially filled. With this model, you’re given the tools to manage ISO responsibilities without the support. There’s less human interaction, which typically means the service is less expensive.

However, the toolset model requires more effort from staff and requires the financial institution to rely on internal resources for information security expertise and guidance. Without this guidance, this model may also introduce some inconsistencies between the institution’s policies and procedures. For example, if you specify something in one area of your policies and you reference something that may conflict with that in another area, auditors are likely going to notice and question you on it, and that could cause them to dig deeper into other areas. Policy/procedure consistency is one of the most important indicators of strong infosec governance.

This model may include access to compliance guidance and expertise, but it would be reactive instead of proactive. It is best for institutions that have the necessary internal expertise, but they just need the additional structure a toolset provides to ensure all activities are completed in a timely manner.

3. Hybrid (Toolset + Consultation)

Finally, a hybrid model combines the first two models to provide a toolset plus additional expertise, proactive guidance, and consultation. It typically has better integration between various ISO practices because it’s all under one umbrella. As a result, the institution gains consistency and better coordination within and among its policies for business continuity, vendor management, incident response, project management, and information security. However, because of the tight integration, financial institutions that do not adopt all of the tools that support this model may not see the maximum benefit. Also, because of the increased level of ISO engagement, it may be more resource intensive initially, especially if the institution is behind on key ISO tasks. However, once tasks are brought up to date, ongoing maintenance is simpler due to the integrated toolset. This model is also quite flexible and can easily adapt to the evolving needs of the institution.

This is the model we decided to adopt for our virtual ISO solution, ISOversight. We’ve found this model is best for institutions that desire the advantages of regular active involvement with outside expertise, plus a toolset and reporting to ensure the ISO remains fully engaged. The price point is somewhere between the other two models; less than a complete outsource, but a bit more than toolset only.

ISOversight is a risk management solution that provides accountability for all of the responsibilities of the ISO. We have monthly touch point meetings, and we tailor the service to meet each institution’s unique requirements.

To learn more about the information security officer role and the benefits of virtual ISO solutions, watch our recorded webinar, “ISO Requirements and Expectations: Accountability vs. Responsibility.”

13 Aug 2020
One Florida Bank Achieves Rapid Growth and Streamlines Information Security with ISOversight

Mergers and acquisitions can present significant operational challenges for information security officers (ISO) who are tasked with ensuring a smooth transition of the information security program. Often, some key responsibilities of the ISO may be overlooked as other tasks related to the merging of the two institutions take precedence, overextending the ISO as they work to manage the information security program effectively and stay on top of regulations.

The Challenge

Eric Nadeau, chief financial officer at One Florida Bank, faced this very issue when his bank acquired another bank in Florida to expand the institution’s reach across the state. Nadeau wore many hats at the bank serving as the information security officer, chief financial officer, head of accounts payable, and director of both HR and IT. Although Nadeau understood the role and responsibilities of the ISO, he simply lacked the necessary time required to develop a formal program to efficiently complete all ISO-related tasks.

After acquiring the other bank’s charter and then merging the two institutions, Nadeau knew that his bank’s existing compliance management practices would not be enough to accommodate the rapid growth and continue to satisfy the regulators. While he needed assistance in managing the information security program, the institution was not yet ready to make the investment to expand personnel by adding a dedicated ISO.

The Solution

Following the merger, the bank needed a strong operational structure in place to get the now larger institution up and running and meet regulatory expectations quickly. During the acquisition process, Nadeau was introduced to Safe Systems’ ISOversight VISO (Virtual Information Security Officer) solution. The institution One Florida Bank acquired was already a Safe Systems customer using its network management services. After learning more about the VISO and compliance program, Nadeau performed his due diligence and made the decision to implement the ISOversight solution to streamline the bank’s information security processes.

A VISO serves as an extension of the in-house ISO by augmenting existing personnel and ensuring all tasks and related activities are completed on time and are all properly documented and reported to the various stakeholders. ISOversight’s integrated approach to vendor management, business continuity planning, cybersecurity, strategic planning, and information security influenced Nadeau to implement a VISO strategy.

“We had a very aggressive growth plan and I was wearing many hats. I couldn’t cobble together a bunch of Excel-based risk assessments and manual tasks into a formal process within an acceptable time frame,” said Nadeau. “I needed a support structure that I could leverage very quickly to sustain our bank’s strong and rapid growth plan and ISOversight provided that.”

The Results

While Nadeau expected the bank to grow, he did not anticipate that the bank would become a $690M institution in just 18 months. With ISOversight, Nadeau was able to quickly implement new operational structures for the institution amidst this rapid growth.

ISOversight combines all the various risk assessments into one centralized portal with ease, eliminating the use of multiple spreadsheets and numerous documents. The VISO enabled the bank to create a new compliance infrastructure with easy-to-read summaries of all ISO activities, as well as establish a new fully compliant business continuity management plan, a robust vendor management program, and comprehensive project and audit/exam tracking. ISOversight provides an integrated approach to all these initiatives as they all work hand in hand.

“The first year after the acquisition required a massive amount of work, but ISOversight allowed our bank to prioritize and complete tasks until we reached a smooth and successful integration,” said Nadeau. “Even examiners have commented on the progress we’ve made and recognized the value that the integrated platform provided to our management.”

For more information, download the full white paper, “5 Case Studies: Exploring Common Challenges Faced By The Information Security Officer.”

06 Aug 2020
Managing Information Security Requirements and Expectations: Accountability vs. Responsibility

Of the many roles within a financial institution, the information security officer (ISO) is the most critical for the protection of confidential and nonpublic personal information and maintaining compliance with federal regulations. In fact, the Federal Financial Institutions Examination Council (FFIEC) goes so far as to mandate that all financial institutions have one or more individuals dedicated to the position of ISO.

Safe Systems held a webinar last week outlining the most common challenges for ISOs and some helpful ways that they can better identify, perform, and document their regulatory responsibilities. In this blog post, we’ll highlight two of the most important elements of the ISO role and outline 8 key regulatory responsibilities all ISOs should focus on to meet examiner expectations.

Key Elements

For ISOs, everything ultimately hinges on responsibility (specific tasks the ISO must perform) and accountability (specific documentation ISOs must provide to key internal and external stakeholders). In fact, these terms are referenced multiple times within the FFIEC guidance:

“The ISO is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of this oversight and reporting.” – FFIEC Management Handbook

“Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.” – FFIEC Information Security Handbook

Individuals in the ISO role must effectively demonstrate both elements to adequately meet regulatory expectations.

Maintaining Compliance

The ISO must not only be able to perform key responsibilities of the role, but he or she must also provide proper documentation to specific stakeholders to satisfy the accountability requirements. The FFIEC’s Management Handbook outlines 8 key responsibilities of the ISO role including:

  1. Implementing the information security strategy and objectives, as approved by the board of directors, including strategies to monitor and address current and emerging risks
  2. Engaging with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks
  3. Working with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information
  4. Monitoring emerging risks and implementing mitigations
  5. Informing the board and management of cybersecurity risks and the role of staff in protecting information
  6. Championing security awareness and training programs
  7. Participating in industry collaborative efforts to monitor, share, and discuss emerging security threats
  8. Reporting significant security events to the board, steering committee, government agencies, and law enforcement, as appropriate

When performing these key responsibilities, the ISO must reference the institution’s policies (what you say you do); procedures (how you say you’ll do them); and actual practices (what you actually do and are able to document). In our experience, we’ve seen that there is often a gap between procedures and practices, which often results in the majority of audit and exam findings for financial institutions.

To address this issue, many community banks and credit unions are turning to virtual ISO solutions. A virtual ISO platform serves as a risk management solution that addresses the regulatory expectations and important tasks that the ISO must oversee. The solution helps financial institutions augment their internal ISO role, streamline responsibilities, and ensure the institution’s procedures and practices are properly aligned. Most importantly, a virtual ISO can make sure that all stakeholders (Board, committee, auditor, and regulator) have the appropriate reports to document that alignment.

To learn more about the information security officer role, the 3 virtual ISO delivery models, and the benefits of virtual ISO solutions, watch our recorded webinar, “ISO Requirements and Expectations: Accountability vs. Responsibility.”

16 Jul 2020
The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

In a previous post, we discussed the role of the ISO in a pandemic and how he or she must make sure all routine tasks are still being completed; help the institution adapt to the new circumstances; and continue providing all products and services at an acceptable risk level.

While an institution may be prepared to continue business as usual, its third-party provider partners may not be on the same page. Like the bankers they support, third-party vendors are also experiencing the impact of the pandemic and are dealing with a variety of operational issues as well. Financial institutions must be able to perform effective vendor management during a crisis and develop alternative plans in the event a critical vendor may not be able to perform the services agreed upon.

Here are a few things the ISO must consider to effectively evaluate the institution’s vendors during a crisis like a pandemic:

Identify Vendor Risks

During a pandemic, the ISO must anticipate several different risk scenarios that can adversely impact the institution’s daily operations. With vendors, there are two interrelated key risk factors to consider:

  • “Supply chain risk” is related to the interconnectivity among the entity and others. In a pandemic, critical vendors may receive an overload of requests for products and services from a variety of industries and may not be able to keep up with demand. For example, many financial institution employees have been working remotely due to the coronavirus, and to keep the network secure, financial institutions have provided company laptops to staff. However, if the FI’s laptop provider runs out of inventory, the institution is then put in a difficult situation – if it allows the use of personal devices, it must still make sure all employees can work safely from home and ensure the network remains secure.
  • “Cascading impact risk” is an incident affecting one entity or third-party service provider that then impacts other service providers, institutions, or sectors. For example, if the vendor that manages the bank’s perimeter security has a high rate of absenteeism and an inadequate succession plan, real-time alerting may be negatively impacted, and the institution could be exposed.

Evaluating these risks with third-party vendors in advance will help ensure that they have the proper personnel redundancies in place, so these situations don’t impact the institution.

Managing Third-Party Risks

According to the Federal Financial Institutions Examination Council (FFIEC), open communication and coordination with third parties, including critical service providers, is an important aspect of pandemic planning. A current SOC 2 report that covers the “availability” trust criteria is the best way to determine if the vendor has the capability to respond and recover its systems. In the absence of a SOC report, the first thing the ISO should request is a copy of the business continuity plan. Since the SOC report may not cover the service provider’s own vendors (also referred to as sub-service providers), the ISO will also want to gain some awareness of the possibility of supply-chain risk. For example, how might a provider failure two to three layers deep affect the institution?

In addition to vendor business continuity plans, the ISO should ask additional questions about how the vendor is managing the pandemic. Here are a few examples:

  • When was the last time you updated and tested your BCM plan? Have you incorporated the possibility of a failure of a critical sub-service provider?
  • Is the likelihood and impact of a pandemic evaluated as a part of your risk assessment?
  • How do you plan to continue providing services in the event of the loss of key employees?
  • Have you been in communication with your critical third-party providers?
  • Are you financially prepared to withstand a long-term pandemic event?

Critical third parties are often either overlooked or under-managed during normal circumstances, but because of the current high level of interdependency among financial institutions and their third parties, operational events such as pandemics call for much closer scrutiny. Depending on the responses received, ISOs may choose to accelerate their oversight efforts, revisit their vendor risk assessments, and make adjustments accordingly.

For more information on responding to pandemic events, view our pandemic resources.

14 Jul 2020
The ISO in a Crisis: Key Responsibilities of the Information Security Officer During a Pandemic

According to the Federal Financial Institutions Examination Council’s (FFIEC) Information Technology Examination Handbook, “ISOs are responsible for responding to security events by coordinating actions to protect the institution and its customers from imminent loss of information, managing the negative effects on the confidentiality, integrity, availability, or value of information, and minimizing the disruption or degradation of critical services.”

When faced with an operational crisis such as the current COVID-19 pandemic, potential disruption of critical services is the primary concern. Since the information security officer (ISO) acts as the “quarterback” over the many different departments and functions within the institution, he or she must make sure all routine tasks are still being completed, in addition to ensuring that the institution has adapted to the unique circumstances of the crisis.

The FFIEC Management Handbook lists 8 broad categories of responsibilities for ISOs. We’ve identified a few of those areas that should be of particular focus during a crisis:

Working With The IT Steering Committee

During any crisis, the ISO must work closely with the IT Steering Committee to ensure that the institution minimizes the risks to the security and confidentiality of non-public information and financial transactions. As difficult as this is during normal operations, it may be even more of a challenge during a crisis. Key considerations include:

  • The IT Steering Committee should still perform its normal duties and maintain a normal schedule. Phone/video conferences can suffice if in-person meetings are not an option.
  • Maintain attention to ongoing and planned IT project roadmap initiatives. Timelines and all supporting activities must still be tracked, project plans updated, and all stakeholders informed.
  • Review the Remote Access Policy and the Remote User / Acceptable Use Acknowledgement with IT and HR as your current situation may include unique risks that have not been previously addressed. For example, some employees may have to use their personal devices to access the FI’s network to do their job. Take particular note of the Remote Access and Use of Remote Devices sections of the FFIEC Information Security Handbook and any other related best practices and/or guidance initiatives. Trusted third parties can also be an important resource for this effort.
  • Document all actions taken and lessons learned during the crisis so far. Then, incorporate them into your next round of policy updates.
  • Continue to report the status of all IT and information security activities to the Board.

Managing Incident Response, BCP/IRP, and Cyber Responsibilities during an Adverse Event

The ISO is typically the Incident Response Team Coordinator and may determine whether or not to activate the formal Incident Response Plan (IRP). The declaration of a pandemic or other adverse operational event does not in itself require the IRP to be invoked; however, any disruption of normal business services may create vulnerabilities that a cyber attacker could take advantage of.

The ISO will also likely be involved with general business continuity planning and recovery efforts. The criteria for activating the Business Continuity Plan will vary by institution, but the ISO is typically one of the few key individuals tasked with evaluating whether the event is likely to negatively impact the institution’s ability to provide business products and services to customers beyond recovery time objectives (RTOs).

In adverse situations, cyber awareness should be heightened. For example:

  • The institution could have key personnel out, and alternate personnel may not be adequately trained or have the same level of cyber awareness as the primary staff members.
  • The institution may be implementing workarounds for new software or devices when trying to accommodate customers affected by the event. In the interest of expediency for customers, the institution may take shortcuts that it normally wouldn’t or otherwise fail to follow normal procedures.
  • The institution could run into issues with the critical vendors that perform or support its perimeter security, compromising real-time alerting for the organization. This is known as “cascading impact”, where a product or service provided by a third-party is degraded, which in turn affects you.
  • The institution could experience secondary disruptions where hackers may attempt a cyber-attack against perceived weakened defenses.

The ISO must anticipate all of these risks and should communicate with critical third parties to ensure they have a plan in place to keep the NPI and financial transactions secure and provide critical operational services at acceptable levels of risk.

Addressing Auditor and Examiner Expectations

Although a pandemic, as a crisis event, was de-emphasized in the 2019 BCM Handbook, financial institutions should expect regulators to issue additional joint statements in the post-pandemic phase due to the sheer impact and duration of this event. ISOs should expect examiners to ask about the specific actions the institution has taken in response to COVID-19, including:

  • Succession plans – ISOs should be prepared to share the institution’s succession plans, how these plans were implemented during the pandemic, and any key updates to the plan post-pandemic.
  • Cross-training efforts – the ISO (if also the BCP Coordinator) should explain the institution’s plans for cross-training and how these plans were implemented during the pandemic.
  • Remote access controls – the ISO should address all of the FFIEC’s requirements for remote access and document any updates or changes that occur.
  • Third-party/supply chain issues – the ISO should communicate with all critical vendors to ensure there are no interruptions to critical services, and he or she should have contingency plans in place if a third-party provider can no longer provide adequate service.

Information security officers ultimately must be able to show auditors and examiners exactly how the institution withstood the pandemic, maintained compliance, kept all non-public information secure, and kept all stakeholders informed, all of which is no small task during normal operations!

For more information on responding to crisis events, view our pandemic resources.

02 Jul 2020
Keys to Develop a Compliant Business Continuity Management Program

Financial institutions (and examiners) are still adjusting to the Federal Financial Institutions Examination Council’s (FFIEC) 2019 update to its BCP IT Examination Handbook. The handbook, now renamed Business Continuity Management (BCM), included several updates to the previous 2015 guidance. According to the FFIEC, BCM is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

To ensure financial institutions do this effectively, the FFIEC expanded the original BCM process.

The previous handbook encouraged institutions to adopt a four-step approach:

  1. Business Impact Analysis
  2. Risk Assessment
  3. Risk Management (essentially, recovery procedures), and
  4. Risk Monitoring and Testing

The new guidance recommends a slightly different approach:

  1. Risk Management (Business Impact Analysis, Risk/Threat Assessment)
  2. Continuity Strategies (Interdependency Resilience, Continuity and Recovery)
  3. Training & Testing (aka Exercises)
  4. Maintenance & Improvement
  5. Board Reporting

Additionally, the business continuity management process outlines 10 key steps financial institutions must complete to achieve a more enterprise-wide approach and meet examiner expectations. This is a bit more complicated than the process has been in the past and may require more time for plan preparation and annual maintenance.

The FFIEC handbook also provides a more detailed break-down of the BCM lifecycle:

  1. Oversee and implement resilience, continuity and response capabilities
  2. Align business continuity management elements with strategic goals and objectives
  3. Develop a business impact analysis to identify critical functions, analyze interdependencies, and assess impacts
  4. Conduct a risk assessment to identify risks and evaluate likelihood and impact of disruptions
  5. Develop effective strategies to meet resilience and recovery objectives
  6. Establish a business continuity plan that includes incident response, disaster recovery, & crisis/emergency management
  7. Implement a business continuity training program for personnel and other stakeholders
  8. Conduct exercises and tests to verify that procedures support established objectives
  9. Review and update the business continuity program to reflect the current environment and
  10. Monitor and report business resilience activities.

Although many of these items were part of the previous guidance, here is a checklist of required elements that may be missing from your program:

  1. Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
  2. Does the BIA produce sufficient information to establish the following?
    • Recovery point objectives (RPO)
    • Recovery time objectives (RTO) for each business process (prioritized)
    • Maximum tolerable (or allowable) downtime (MTD/MAD)
  3. Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst case (low probability, high impact) scenarios?
  4. Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?
  5. Do you track and resolve all issues identified during testing exercises, and use lessons learned to enhance your program? (Must be documented)
  6. Does your Board report include a written presentation providing the BIA, risk assessment, and exercise and test results, including any identified issues?
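Checklist items 1 through 3 ask whether the BIA produces RPO, RTO and MTD values per process, identifies critical interdependencies, and whether the threat assessment captures worst-case (low-probability, high-impact) scenarios. The script below is an added illustration, not Safe Systems or FFIEC material, of the consistency checks a reviewer would apply to those outputs: an RTO that exceeds its MTD, a process whose RTO is shorter than a dependency it cannot run without, and a threat ranking that flags worst cases separately rather than letting a likelihood-times-impact product bury them. The processes, threats and hour values are constructed sample data for a hypothetical institution.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Process:
    """One business process from a BIA. Times are in hours (constructed sample values)."""
    name: str
    rto_hours: float                        # recovery time objective
    rpo_hours: float                        # recovery point objective (tolerable data loss)
    mtd_hours: float                        # maximum tolerable (allowable) downtime, MTD/MAD
    depends_on: List[str] = field(default_factory=list)  # critical interdependencies


@dataclass
class Threat:
    """One disruptive threat scored on 1..5 ordinal scales (constructed sample values)."""
    name: str
    likelihood: int   # 1 = rare .. 5 = frequent
    impact: int       # 1 = negligible .. 5 = severe


def check_bia(processes: Dict[str, Process]) -> List[str]:
    """Return findings where the BIA's recovery objectives are internally inconsistent.

    1. RTO must not exceed MTD: a recovery target longer than the business can
       tolerate is not a usable objective.
    2. A process cannot recover faster than a critical dependency it relies on, so
       its RTO must be at least as long as each dependency's RTO.
    """
    findings = []
    for p in processes.values():
        if p.rto_hours > p.mtd_hours:
            findings.append(f"{p.name}: RTO {p.rto_hours}h exceeds MTD {p.mtd_hours}h")
        for dep_name in p.depends_on:
            dep = processes.get(dep_name)
            if dep is None:
                findings.append(f"{p.name}: depends on unknown process '{dep_name}'")
            elif dep.rto_hours > p.rto_hours:
                findings.append(f"{p.name}: RTO {p.rto_hours}h is shorter than dependency "
                                f"{dep.name} RTO {dep.rto_hours}h")
    return findings


def recovery_order(processes: Dict[str, Process]) -> List[str]:
    """Prioritize recovery by RTO (shortest first), breaking ties by MTD."""
    ordered = sorted(processes.values(), key=lambda p: (p.rto_hours, p.mtd_hours))
    return [p.name for p in ordered]


def assess_threats(threats: List[Threat], worst_impact: int = 5, worst_likelihood: int = 2) -> List[dict]:
    """Score threats as likelihood x impact and flag worst-case scenarios separately.

    A bare product hides low-probability/high-impact events (a 1 x 5 pandemic scores
    below a 5 x 2 nuisance), so worst cases are flagged and sorted to the top.
    """
    rows = [{"threat": t.name,
             "score": t.likelihood * t.impact,
             "worst_case": t.impact >= worst_impact and t.likelihood <= worst_likelihood}
            for t in threats]
    rows.sort(key=lambda r: (-int(r["worst_case"]), -r["score"]))
    return rows


# Constructed sample BIA: two deliberate inconsistencies for the checks to catch.
SAMPLE_PROCESSES = {p.name: p for p in [
    Process("Core banking", rto_hours=4, rpo_hours=1, mtd_hours=8),
    Process("Online banking", rto_hours=2, rpo_hours=1, mtd_hours=12, depends_on=["Core banking"]),
    Process("Wire transfers", rto_hours=24, rpo_hours=4, mtd_hours=12),
    Process("Payroll", rto_hours=72, rpo_hours=24, mtd_hours=120),
]}

# Constructed sample threat register.
SAMPLE_THREATS = [
    Threat("Phishing campaign", likelihood=5, impact=2),
    Threat("Pandemic", likelihood=1, impact=5),
    Threat("Core vendor outage", likelihood=2, impact=5),
    Threat("Power loss at branch", likelihood=3, impact=2),
]

if __name__ == "__main__":
    for finding in check_bia(SAMPLE_PROCESSES):
        print("FINDING:", finding)
    print("Recovery order:", recovery_order(SAMPLE_PROCESSES))
    for row in assess_threats(SAMPLE_THREATS):
        print(row)
```

On the sample data the BIA check reports two findings (wire transfers with an RTO longer than its MTD, and online banking promising recovery before the core system it depends on), and the threat ranking places the two worst-case scenarios ahead of the higher-scoring but routine phishing threat. The same checks apply to a real BIA exported from whatever tooling the institution uses; only the data structures here are illustrative.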

If you would like to make sure your BCM is up to date with the latest regulatory expectations, a complimentary plan review is the best place to start.