19 Jan 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Balancing Strategy and Compliance: Addressing the Strategic Needs of Your Institution While Remaining Compliant

Balancing Strategy and Compliance

Banks and credit unions require a complex interconnected infrastructure to support their employees, serve customers, and maintain their operations. This entails an array of owned and outsourced elements: hardware, software, controls, processes, and evolving technologies such as cloud, artificial intelligence (AI), machine learning, and more. In addition, effective data governance and data management are fundamental to maintaining the confidentiality, integrity, and availability of information. The data management process is highly regulated and financial institutions are under increasing pressure when trying to balance the strategic needs of their organization with the increased demands for remote employees and online customers.

Evolving Remote Workforce and Customer Base

Over the past couple of decades, advancements in communication and technologies have allowed for a more mobile workforce and customer base, and the ongoing COVID-19 pandemic quickly intensified this trend. During the first year of the pandemic, Gartner conducted a survey that found 82% of businesses intended to allow remote work at least part of the time, with 47% of companies allowing it full time. Although 2o20 represented a significant increase in remote work and digital engagement, the trend seems to be continuing for the foreseeable future. According to Upwork’s Future Workforce Report 2021, 40.7 million American professionals, nearly 28% of respondents, will be fully remote in the next five years, up from 22.9% from the last survey conducted in November 2020.

This trend requires adding more technology and devices to enable online access to financial services, and to enable secure access to the information and other resources needed for remote workers to perform their duties away from the office. Banking customers want convenient access to financial services, whether through a physical location, the internet, or a mobile app, and institutions need the tools and techniques to keep them secure. With more devices in the hands of employees and customers, there are many more vectors for cyberattacks and way more endpoints to secure. Even institutions that have been trying to avoid the risks that come with enabling remote engagement are forced to reevaluate the costs and benefits.

Increasing Regulatory Requirements

Privacy and data security have become key compliance issues for financial institutions as they adapt to accommodate employees and customers who prefer to work and bank remotely. From a regulatory standpoint, the Federal Financial Institution Examination Council (FFIEC) has always expected financial institutions to have data management controls in place to protect data in physical and digital forms wherever the data is stored, processed, or transmitted. This includes any data relating to the organization, its employees, and its customers. “The data management process involves the development and execution of policies, standards, and procedures to acquire, validate, store, protect, and process data,” states the FFIEC IT Handbook’s Architecture, Infrastructure, and Operations booklet. “Effective data management ensures that the required data are accessible, reliable, and timely to meet user needs.”

The FFIEC requires institutions to follow a wide range of other guidelines and procedures, which are reflected in various FFIEC booklets and include:

Governance – Management should promote effective IT governance by establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution’s information and systems.
Know-your-customer – Financial institution management should choose the level of e-banking services provided to various customer segments based on customer needs and the institution’s risk assessment considerations.
Resilience – Financial institutions are responsible for business continuity management (BCM), which is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

Strategic Compliance Solutions

With so many compliance issues to address, it can be difficult to balance the needs of your financial institution, your remote workers, and your customers. Safe Systems has a team of compliance experts and a broad range of compliance solutions to help you manage government regulations, information security, and reporting efficiently. Our team of compliance experts are trained in banking regulations, hold numerous certifications, and are laser-focused on delivering the tools and knowledge to give you compliance peace of mind.

30 Dec 2021

Banks, Compliance, Credit Unions, Security, Technology Christine Ray 0 comment

Our Top Blog Posts of 2021

With a new year approaching, it’s a good time to review some of the key discussions from the past year. Read these highlights from our top blog posts of 2021, to help your financial institution refine key operational strategies for 2022 and beyond:

1. 2021 Hot Topics in Compliance: Mid-Year Update

Although the COVID-19 pandemic isn’t over, financial institutions have learned valuable lessons so far. Key impacts have been primarily operational, involving risks related to temporary measures taken to weather the crisis. In addition, there are important compliance trends and new regulatory guidance institutions should anticipate going forward. Ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely increase in the future. This will be reflected, in part, by the number of (and types of) assessments that regulators might expect institutions to perform annually. These assessments from various state and federal entities include the Cybersecurity Assessment Tool (CAT), the optional Ransomware Self-Assessment Tool (R-SAT), the Cybersecurity Evaluation Tool, and the modified Information Technology Risk Examination for Credit Unions (InTREx-CU). In addition, there have been major shifts with cyber insurance, and the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. Read more.

2. The 4 “R’s” of Disaster Recovery

Maintaining an effective approach to disaster recovery can help financial institutions satisfy regulatory requirements, better protect themselves from the effects of negative events, and improve their ability to continue operating after a disaster. There are four important “R’s” that institutions should concentrate on for disaster recovery: recovery time objective ( RTO ), recovery point objective ( RPO ), replication , and recurring testing .

RTO is the longest acceptable length of time a computer, system, network, or application can be down after a disaster happens. When establishing RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. The RPO is the amount of time between a disaster occurring and a financial institution’s most recent backup. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. DR replication entails having an exact copy of an institution’s data available and remotely accessible when an adverse event transpires. The best practice is to keep one backup copy onsite and another offsite in a different geographic location that’s not impacted by the disaster. Recurring testing allows institutions to identify key aspects of their DR strategy and adjust as needed to accomplish their objectives. Regular testing can expose potential problems in their DR plan so they can address these issues immediately. Read more.

3. Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s crucial for financial institutions to maintain distinct duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the health of their operations. There should be at least one designated ISO who is responsible for implementing and monitoring the information security program and who reports directly to the board or senior management—not to IT operations management. The significance of segregating the ISO’s duties comes down to oversight: Separating ISO and network administrator tasks helps to create a clear audit trail and ensures risk is being accurately assessed and reported to senior management . It also allows the ISO to provide another “set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders. The ISO’s independent role primarily serves to ensure the integrity of an institution’s information security program . Financial institutions can also use a virtual ISO to create an additional layer of oversight on top of what they have in place internally. Read more.

Discover these and other key topics about banking compliance, security, and technology on the Safe Systems blog.

Or, subscribe now to be the first to receive the latest updates on banking trends and regulatory guidance directly to your inbox.

28 Dec 2021

Banks, Credit Unions, Security Jamie Davis 0 comment

Cybersecurity Insurance and Multi-Factor Authentication

Financial institutions are increasingly embracing cybersecurity insurance as an important aspect of their information security program. Cyber insurance can offer vital coverage to protect businesses from various technology-related risks. Data breach insurance, for example, helps companies respond if personally identifiable information gets lost or stolen from their computers—whether intentionally by a hacker or accidentally by an employee. Cyber liability insurance offers expanded protection to help businesses prepare for, respond to, and recover from cyberattacks.

As cybercrimes continue to intensify, more cybersecurity insurance companies are calling for organizations to employ multi-factor authentication (MFA). Some carriers are even refusing to provide insurance quotes to companies that are not using this authentication method. From their perspective, MFA adoption makes perfect sense; it keeps unauthorized individuals from accessing sensitive information, reducing ransomware, data breaches, and other cyberattacks. This, in turn, minimizes insurance claims and saves carriers money.

For insurance providers, MFA is appealing because it lowers cyber risk by requiring users to verify who they are. The individual must furnish valid identification data followed by at least one other credential: a password, one-time passcode, or physical characteristics like their fingerprint or face. This strict authentication system allows organizations to certify people’s identity—before granting them access to sensitive information, an account, or other assets—and this can significantly strengthen their security.

While MFA is heavily promoted by many cyber insurance companies, an institution’s regulators may not require financial institutions to use multi-factor authentication. However, implementing MFA for a whole internal network may not be a simple task. Depending on the solution, it may require installing agent software to all the endpoints requiring MFA and configuring appropriate “break-glass” accounts for emergency use, which creates more infrastructure to be monitored and managed.

MFA Implementation Tips

To simplify MFA implementation, Banks and credit unions can apply a sequenced strategy instead of jumping straight to the internal network. As a first step, institutions can ensure MFA is turned on for all remote-access users, including creating endpoint control policies for their devices. The next logical step would be to lock down MFA for cloud applications. This includes Microsoft Online services like M365 (formerly Office 365) and Azure Active Directory (Azure AD). These solutions come with a variety of free security features that organizations can customize to their business requirements. Even at low licensing levels, these products allow MFA to be turned on for all users—which can be highly effective for averting business email compromise and ransomware attacks. But institutions will need higher-level licensing if they want to make conditional access policies based on the specific location, identity, or device of users. Azure AD Premium P1 and M365 Enterprise E3, for example, have a variety of advanced features that allow conditional access policies to be established to enhance security.

MFA is just one layer of security for banks and credit unions to consider. We hope this post provided some insight into applying MFA for both security and insurance purposes. To learn more about this topic and other security layers, listen to our recent “Ransomware, Cybersecurity, and MFA” webinar, hosted by our Chief Technology Officer, Brendan McGowan.

08 Dec 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

5 Compliance Lessons Learned in 2021 to Bring into the New Year

As the challenges presented by the COVID-19 pandemic persist, there are important compliance trends and new regulatory guidance that financial institutions should consider to ensure they are well prepared to begin the New Year.

Accounting for Operational Risk

During the pandemic, banks and credit unions have made necessary adjustments that have increased their operational risk. Two prime examples are switching to a remote workforce and accommodating a more remote customer base. Having employees work remotely extends an institution’s network out to that endpoint and, in effect, broadens security considerations to that point as well. Serving a remote customer base—including expanding e-banking and implementing electronic signatures—creates a similar risk. Security implications multiply as more employees and customers access services electronically.

Rapid changes in operational practices and increases in fraud and cyberthreats can cause a heightened operational risk environment if not properly managed. Examiners will want an account of how institutions determined what changes were necessary, how those modifications were implemented, whether those changes were temporary or permanent, and if controls (primary and compensating) have been adjusted for any resulting operational risk increases. They will review the steps management has taken to evaluate and adjust controls for new and modified operational processes. For instance, for permanent changes, did the institution factor in the operational risk of downtime relating to the new processes?

As a measure of governance effectiveness, examiners will also very likely:

Assess actions that management has taken to adapt fraud and cybersecurity controls to address the heightened risk associated with the altered operating environment.
Review management’s post-crisis efforts to assess the controls and service delivery performance capabilities of third parties.
Consider how imprudent cost-cutting, insufficient staffing, or delays in implementing necessary updates impacted the control environment.

Temporary vs. Permanent Changes

For the most part, because we are still dealing with the impact of the virus and its variants, institutions have chosen to maintain many of the temporary measures they implemented during the pandemic. So, because they may have rolled out the changes anticipating an eventual rollback, it may be necessary to “backfill” some documentation to address what is now permanent. Examiners will want to know if the changes were properly risk-assessed prior to implementation, including any new processes and interdependencies. Institutions should be able to provide a report to regulators if they ask—and ensure their board is appropriately updated. This could be a matter of going back and reviewing previous board reports to ensure that any gaps in their risk management reporting were addressed and properly reported to the board.

Ransomware Self-Assessment Tool (R-SAT)

With the pervasive occurrence of cyberattacks, regulators are increasingly concerned about cybersecurity, particularly reducing ransomware. Consequently, regulators in some states are more aggressive than others about having institutions fill out the Ransomware Self-Assessment Tool (R-SAT), which is based on the National Institute of Standards and Technology (NIST) cybersecurity framework. However, most state regulators we’ve spoken with are not going to make completing the R-SAT compulsory—although they may recommend it. If they do, the majority of what is asked by the 16-question tool should already be in place in the institution’s existing incident response and business continuity plans. Your decision to complete or not should be based on a self-assessment of your existing efforts in this area.

Regulatory Updates

New Architecture, Infrastructure, and Operations (AIO) Booklet

Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) revamped its Information Technology Examination Handbook series with a new Architecture, Infrastructure, and Operations booklet. The revised guidance provides examiners with fundamental examination expectations about architecture and infrastructure planning, governance and risk management, and operations of regulated entities. Credit unions, banks, and non-financial, third-party service providers are expected to comply with the new guidance, which replaces the original “Operations” booklet issued in July 2004.

The FFIEC indicates that the release of the updated booklet is warranted because of the close integration between institutions’ architecture, infrastructure, and operations. “Updates to the booklet reflect the changing technological environment and increasing need for security and resilience, including architectural design, infrastructure implementation, and operation of information technology systems,” explains a June 2021 FFIEC press release.

An important component of the new booklet is the resilience and proactive measures that must be built into an institution’s AIO components. Importantly, the handbook also recognizes special treatment for smaller or less complex entities, which is reasonable because examiners are starting to indicate that smaller entities will often implement these concepts differently from large, multinational, multi-regional financial organizations, while still achieving the same objectives. The refreshed guidance also takes a different approach to data classification; it factors in value, along with criticality and sensitivity. However, (and this is consistent with all FFIEC Handbooks released in the past 3 years) the new booklet states that it does not impose requirements on entities; instead, it describes principles and practices examiners will review to assess an entity’s AIO functions. (Of course, we have always found that anything an examiner may use to evaluate, or grade, your practices becomes in effect a de facto requirement.) A much deeper dive into the booklet is here.

New Cyber Incident Notification Rules

Another big update that will impact 2022 and beyond, the new cyber incident notification rules. Officially called “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers”, they were proposed and submitted for comment in early 2021, approved in November 2021, and become effective in April 2022. Visit our partner site, ComplianceGuru.com, to read the latest post and gain an understanding of how these rules will impact both you and your third-party providers going forward.

To learn more about these and other critical compliance topics, listen to our webinar on “2021 Hot Topics in Compliance: Mid-Year Update.”

06 Dec 2021

Banks, Credit Unions, Security Jamie Davis 0 comment

How Layered Security Can Address Growing Cyberthreats

With the increasing complexity of cyberattacks, financial institutions need to implement more effective—and comprehensive—security measures. They need a variety of elements to create a layered approach to secure their data, infrastructure, and other resources from potential cyberthreats.

Many organizations rely on a castle-and-moat network security model where everyone inside the network is trusted by default. (Think of the network as the castle and the network perimeter as the moat.) No one outside the network is able to access data on the inside, but everyone inside the network can. However, security gaps may still exist in this model and others. The best approach to compensate for gaps is to surround the network with layers of security.

The basic “table stakes” for a layered security approach include a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process. Banks and credit unions could also invest in additional and more sophisticated layers but each one will have associated acquisition and management costs, along with ongoing maintenance. So, it’s prudent for institutions to invest only in the number of layers/solutions they can competently manage.

Key Concerns

Today the top IT security concern for many organizations is ransomware. Due to the proactive measures many financial institutions have taken, the banking industry has fewer security breaches than health care and some other industries thus far. However, when a breach does happen to a financial institution, the impact is more costly than breaches occurring in other industries.

Four-Layer Security Formula

With these concerns in mind, here’s a four-layer “recipe” organizations can employ to improve their security posture:

Training and Testing: Using email phishing tests can serve as a good foundation for minimizing BEC and other social engineering threats.
Network Design: Institutions should refresh older networks to segment their components into different zones. It’s no longer sufficient to have servers, workstations, and printers sitting in one IP space together.
Domain Name System (DNS) filtering: DNS filtering prevents potentially damaging traffic from ever reaching the network. Because it proactively blocks threats, this makes it one of the most effective and affordable security layers institutions can apply.
Endpoint Protection: Institutions should have this type of protection on each of their endpoints, and the best endpoint protection tools have built-in ransomware solutions.

Other Important Considerations

It’s important to back up data regularly and ensure that those backups are well beyond the reach of ransomware and other threats. (Backups done to a local server that’s on-site and are still on the network may be susceptible to ransomware.) One way to address this issue is to have immutable backups, which are backup files that can’t be altered in any way and can deploy to production servers immediately in case of ransomware attacks or other data loss. Another option is to send backups to a cloud solution like Microsoft Azure Storage, which is affordable and easy to integrate because there are no servers to manage.

Another crucial element in security is Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption protocol, which can be somewhat of a double-edged sword. About 80 percent of website traffic is encrypted to protect it from unauthorized users during transmission. Traditional firewalls don’t have the ability to scrutinize traffic against a content filtering engine, which means savvy hackers can hide ransomware and other dangerous content inside. But firewalls with advanced features are capable of TLS/SSL inspection; they can decrypt content, analyze it for threats, and then re-encrypt the traffic before entering or leaving the network.

There’s an array of security solutions that institutions can implement to establish layered protection against cyber threats. For more insights about this topic, listen to our webinar on “Cyber Threats, Why You Need a Layered Approach.”

23 Nov 2021

Banks, Credit Unions, Security Brendan McGowan 0 comment

Importance of Security Layers

In the past, it wasn’t uncommon for organizations to maintain basic information security: a firewall, anti-malware software, and maybe a few other resources. But modern operating environments require financial institutions to go beyond limited measures and implement multiple security layers to protect their sensitive information, infrastructure, and other assets.

Today banks and credit unions have a variety of elements that comprise their computer networks, and these components require numerous security solutions for them to operate securely. There’s no such thing as having too many solutions—although some entities invest in more resources than they can competently manage. The most appropriate approach is for institutions to employ all the security layers they can afford to pay for and oversee effectively.

The security landscape has changed significantly over the years. With the evolution of technology, cybercriminals are launching more frequent and sophisticated attacks against organizations. (The bad guys have it easy; they only have to get it right once. Security professionals, on the other hand, have to get it right all the time.) Currently, the top security threats for financial institutions are a remote workforce, ransomware, and the Internet of Things devices like webcams, Amazon Alexa, and Google Chromecast.

Security Considerations

Financial institutions often select security products based on what their security posture requires to pass exams. But the emergence of new threats is motivating more institutions to select solutions not just based on examiner expectations, but to also consider what is essential for operational safety. Generally, the security products that institutions invest in are determined by their cost and ability to mitigate risk.

For the most part, the financial services industry is interested in solutions that require minimal management involvement and customization to be effective. The industry also tends to adopt solutions once they’ve reached a certain level of commoditization and are priced lower. For example, well-commoditized solutions like anti-virus agents and anti-ransomware tools allow institutions to protect against expensive threats for the minimum cost. An effective anti-malware agent—especially one with some specific anti-ransomware technology—is another essential layer for endpoint protection.

Ultimately, increased competition leads to technology innovation and consolidation. A good example of this is what’s happened with firewalls. Implementing a firewall used to equate to a simple router that separated public and private networks. Things evolved when people began adding dedicated appliances like intrusion detection and prevention systems, antivirus gateways, web content filters, and other technologies. Through commoditization, these different elements became consolidated into the firewall to create a unified threat management system. More recent innovations that allow institutions to inspect encrypted traffic and sandbox potentially hazardous traffic have ushered in the next-generation firewall.

Going Beyond Basic Requirements

A fundamental requirement for layered security is multi-factor authentication (MFA), which involves several elements for validating the identity of users. While some organizations have concerns about MFA negatively impacting user experience, the technology provides an advanced level of protection that strengthens security.

Transport Layer Security is now implemented to secure over 80% of web traffic. The TLS protocol is used to encrypt data between a web browser and a website. While this is great for user privacy, it prevents institutions from inspecting all user traffic for threats. Transport Layer Security (TLS) Inspection has become a more common—and critical—security tactic for financial institutions. TLS inspection allows institutions to decrypt and inspect TLS traffic, so they can filter out malicious information and protect their network.

The increased adoption of endpoint security and other innovative technologies is making it easier for financial institutions to implement a layered approach to security. Safe Systems offers a wide range of security solutions to help community banks and credit unions incorporate multiple levels of protection to enhance their security posture.

16 Nov 2021

Banks, Credit Unions, Technology Marshall Jones 0 comment

Using the Free Features of Microsoft Azure AD and O365/M365 to Enhance Cloud Security

Microsoft Azure Active Directory (Azure AD) and Office 365/M365 have a variety of free security settings that financial institutions can customize to their needs. These settings are important because they can enhance an institution’s cloud environment and operational security—and they’re available to everyone with Azure AD or O365/M365. Remember, even if the license was acquired through a third party, your institution is still responsible for managing all the security features of these cloud-based solutions.

Be aware that while adjustments made to the defaults can strengthen your cloud security, they will also impact the way people use the products. For instance, multifactor authentication (MFA) is a great first step at improving the security of your cloud environment but does impact how your users will log in.

Here are some other important free security settings you can optimize in Azure AD and/or O365/M365 to enhance security:

Global Auditing — The global auditing feature logs events that happen across Azure AD and O365/M365. It is advisable to enable Global Auditing. The information gained with this feature can help troubleshoot problems and investigate issues. Once Global Auditing has been enabled, it can take about 24 hours for the new setting to take effect.
Alert policies — Alert policies are designed to help you monitor threats against your existing resources. There are default built-in policies, and you can also create additional custom policies for free on your own. Keep in mind, you need to set the target recipient(s) for these policies.
Sharing in Microsoft OneDrive and SharePoint — Since these products were created to foster collaboration, their default setting is normally set to enable external data sharing. This allows users to create anonymous access links that make it possible for anyone in any organization with OneDrive and SharePoint to sign in and view their information. It is recommended that you review the level of sharing to control the flow of data based on what is appropriate for your organization.
External access in Microsoft Teams — Teams is set up by default to make it easy for individuals to connect with users located anywhere in the world, even in other organizations. You should review the platform’s security and compliance settings to ensure it fits your organization’s standards. You can block all external domains to restrict users’ ability to communicate externally.
Enterprise applications — Enterprise apps can represent a huge risk if users have the freedom to add them on their own. You can change the security setting to prevent anyone from randomly adding apps without the administrator’s approval. When this feature is activated, Microsoft will block users’ attempts to add apps and notify the administrator, who can approve or deny their requests.
Application registrations — Similarly, institutions can alter their security features to block users from registering any applications. There’s rarely a reason to allow users without administrative rights to create app registrations, so reviewing and/or adjusting this setting is essential.

Making these adjustments will help you to maintain control over users’ activities and tighten security. To learn more about M365 security topics, listen to our recent webinar, Ask the Experts: O-M365 Security Basics for IT Administrators.

Safe Systems’ M365 Security Basics solution provides visibility into these and other security settings and allows banks and credit unions to regularly monitor and review their configurations making it easier for them to manage their Azure AD and O365/M365 accounts.

05 Nov 2021

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Minimize Examiner Scrutiny by Automating Compliance Processes

Financial institutions can expect to receive increased auditor and examiner scrutiny over their governance and oversight practices, and inconsistencies between procedures and practices will often result in findings. However, these challenges can be minimized or even eliminated by using automation to manage compliance processes.

Incorrect or Outdated References

One of the most widespread exam issues institutions encounter is due to policy inconsistencies, where incorrect or outdated references are used. Mentioning outdated guidance in policies is one of the most common offenses that institutions commit. For instance, referring to an older term like SAS 70 (Statement on Auditing Standards No. 70) or SSAE 16 (Statement on Standards for Attestation Engagements No. 16) instead of the newer SSAE 21 (Statement on Standards for Attestation Engagements No. 21) could be dismissed as a minor oversight, but it could also be considered a “red flag” causing examiners to question whether the institution has properly updated its policies, resulting in further scrutiny. A weakness in one area strongly suggests that there may be other weaknesses.

Another example of this type of issue is referencing “business continuity planning” (or BCP) versus “business continuity management planning” (or BCMP). Again, this would be a minor mistake because the term business continuity planning is not necessarily obsolete; still, it’s not consistent with the most recent guidance, and could lead to deeper dives in other areas. (In 2019, the Federal Financial Institutions Examination Council (FFIEC) issued the Business Continuity Management booklet. This guidance, part of the FFIEC Information Technology Examination Handbook, replaces the Business Continuity Planning booklet issued in February 2015.)

The problem with employing slightly outdated terminology also applies to phrases like “maximum allowable downtime” (MAD) and “maximum tolerable downtime,” (MTD) which is the newer reference. Examiners and auditors will accept either phrase so this is not a critical issue, but the use of dated terms can instill doubt in examiners and make them inclined to dig deeper into the institution’s policies.

Procedure and Practice Inconsistencies

Disconnects between policies and practices are another frequent exam challenge for institutions. Ideally written procedures should not contain statements that contradict the institution’s actual practices. In other words, your actual practices should as closely as possible reflect what you say you’ll do in your written procedures. For instance, there would be a procedure/practice inconsistency if the password policy of the information security program required eight characters, and the acceptable use policy (AUP) that employees signed allowed passwords of a different length. This type of inconsistency will almost certainly lead to further issues with examiners and auditors.

Another key area of focus for examiners and auditors is board reporting. Disconnects can occur if the information presented to the Board is not properly documented in Board minutes. This challenge is compounded by the sheer volume of information modern Boards are required to digest. The only way to make sure board minutes contain all pertinent details is to periodically review them. This will help ensure that the content of board meetings is consistent with both examiner expectations, and your written procedures.

Integrating Automation

In addition to changes in guidance terminology or updates to guidance policies, an institution’s procedures can and do change periodically as well. So contradictory statements resulting from policy updates are inevitable. Still, financial institutions must be aware of guidance changes and must also ensure their current procedures align with their practices and are consistent across all documents to make sure they comply with industry guidance and regulations. While this is easier said than done, technology can make it easier for institutions by providing regular updates to accommodate changing regulations and trends as well as make it more feasible for them to identify inconsistencies between their policies and procedures.

For example, a simple way to assess your potential exposure to procedural disconnects is to search through the documents in your institution’s information security program, for statements that include the words “will,” “must” or “shall.” Each of these statements contains an obligation of some sort; something you’ve committed to doing. For each occurrence, determine if A) it’s being completed exactly as indicated, B) by the group or individual assigned responsibility, and C) it’s being performed at the designated frequency or interval. Automation can help track these tasks and provide the necessary proof in the form of documentation. Additionally, most policies will make multiple references to the same task; business continuity may be referenced in information security, incident response in business continuity, vendor management in both information security and business continuity, etc. A change to a procedure or practice in one document should automatically trigger the associated changes elsewhere.

Integrating automation into the equation can help institutions streamline their methods for managing a variety of compliance changes and issues and greatly reduce the most common causes of findings due to disconnects and inconsistencies. Automation can make it easier to maintain more consistent and complete integration in areas throughout the organization, including information security, risk management, network management, vendor management, and business continuity management. Ultimately, automated updating, tracking, reporting, and other tasks can facilitate better preparation for exams and audits, and greatly reduce stress levels!

To learn more about how automating routine procedures can help financial institutions avert auditor and examiner criticism, listen to our webinar on “Managing Your Compliance Processes in 2021: Is There a Better Way?”

If you’re not certain where to begin when it comes to automating your compliance processes, check out our new service, COMPaaS™ (Compliance as a Service). This set of connected applications and powerful monitoring and reporting tools can be customized to target and eliminate your institution’s specific compliance pain points. One of our experts will help you create a solution that is unique to your institution, so you only pay for the services you need. And you can feel confident in choosing from products and services that are backed by nearly 30 years of experience in the banking industry.

26 Oct 2021

Banks, Credit Unions, Technology Christine Ray 0 comment

Glennville Bank Strengthens Security Posture with CloudInsight™ M365 Security Basics

Our CloudInsight™ M365 Security Basics solution is helping community financial institutions increase their security posture. Take Glennville Bank, for example. The Georgia community bank, which has $312 million in assets, seven locations, and 66 employees, jumped at the chance to capitalize on the service to identify and secure threats to its Microsoft 365 settings. M365 Security Basics provided the bank with greater visibility into cloud security settings for Azure Active Directory (Azure AD) and M365 tenants through reports and alerts.

Like most financial institutions, Glennville Bank leverages technology to better serve its customers and maintain its operations. Also, like other institutions, the bank has a variety of Microsoft licenses, and managing the security settings for these products became difficult and time-consuming, particularly for Glennville Bank’s network administrator, Zach Horn, who describes his proficiency with Microsoft as “fairly limited.”

“Given the complexity of our cloud tenant settings, I’m not comfortable enough with Microsoft or their updates to manage every setting correctly,” Horn explained. “With all the potential security risks out there, I knew I needed reports that could help me identify risky security settings, monitor identity controls, and ensure our configuration matches our information security policy.”

With M365 Security Basics, Glennville Bank was able to set data trends and identify several settings that needed addressing, such as creating a baseline for failed logins. The bank also discovered that its user access details were often inconsistent, and through the M365 Security Basics service they received easy-to-follow instructions for correcting the problem. “Safe Systems did a great job fine-tuning the product to the demographic we needed,” Horn said. “Their knowledge has been helpful in pointing me in the right direction in knowing which Microsoft licenses I need to go to in the future.”

Product Highlights

M365 Security Basics is the first offering in Safe Systems’ CloudInsight™ family of products. It’s specifically designed for community banks and credit unions that have Microsoft 365 products (Exchange Online, SharePoint, or OneDrive), use Azure AD, and store non-public information in the cloud. M365 Security Basics’ reporting, alerts, and quarterly reviews are customized to help financial institutions improve their cloud security awareness by identifying potential risks and common signs of compromise. The product is developed by engineers who hold dozens of certifications, including the Microsoft 365 Certified: Security Administrator Associate certification. M365 Security Basics makes it easier for institutions to monitor their configurations for current and new features that are automatically enabled by major cloud providers like Microsoft Azure.

The powerful reporting from M365 Security Basics enables financial institutions to review vital Microsoft cloud tenant settings. This allows them to recognize unsafe security settings, examine identity controls, make sure their configuration is consistent with their information security policy, and demonstrate this to examiners and stakeholders. Reports are available as “Summary” versions (with brief information, such as the Tenant Summary and User Summary) and “Details” versions with more in-depth data. (Glennville Bank uses the Tenant Summary to highlight important issues during IT steering committee meetings.)

M365 Security Basics also offers alerts and quarterly reviews as add-on services. Alerts provide notifications about the most common indicators of compromise (like unauthorized access) and are grouped under Azure AD Roles, Azure AD Sign Ins, OneDrive, SharePoint, and Exchange Online. The quarterly reviews give institutions a periodic, objective analysis of their recent M365 Security Basics reporting, so they can gain a better understanding of their Microsoft 365 tenant security.

CloudInsight™ M365 Security Basics not only helps financial institutions like Glennville Bank secure their information but also makes it easier to compile data required for examiners. Read the complete Glennville case study to see how your organization can benefit from M365 Security Basics.

21 Oct 2021

Banks, Compliance, Credit Unions Jamie Davis 0 comment

The Importance of Cybersecurity, not Just in October—but All Year Long

Do Your Part. #BeCyberSmart.

With October being Cybersecurity Awareness Month, it’s the opportune time for everyone to focus on online safety and to become more cyber savvy. This month, the Cybersecurity & Infrastructure Security Agency (CISA) and National Cyber Security Alliance (NCSA) are encouraging all Americans to do their part and be cyber smart. This means organizations and individuals need to own their role in protecting cyberspace, which requires taking personal accountability and proactive steps to enhance cybersecurity.

The first step to increasing cybersecurity is to understand its importance. Cybersecurity, according to the CISA, is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring the confidentiality, integrity, and availability of information. And the importance of applying effective strategies to keep computer systems and electronic data secure is growing as cybercrime rises. But the key to enhancing cybersecurity is to recognize the hazards that can threaten online safety: malware erasing an entire computer system; a hacker breaking into a system and altering files; someone using another person’s computer to attack others; or an intruder stealing credit card information and making unauthorized purchases.

To minimize the risk of cyberattacks, organizations should consider implementing these best practices from the CISA:

Keep software up to date by installing software patches to prevent hackers from taking advantage of known problems or vulnerabilities.
Run up-to-date antivirus software to automatically detect, quarantine, and remove various types of malware.
Install a firewall to prevent cyberattacks by blocking malicious traffic before it can enter a computer system.
Employ multi-factor authentication (MFA) to validate users’ identity.
Change default usernames and passwords, which are readily available and can be used by malicious actors.
Select strong passwords that will be difficult for attackers to guess and use different passwords for different programs and devices.
Beware of suspicious emails that may be engineered to steal information and money or install malware on devices.

While taking precautions cannot guarantee complete protection against hackers, improving cybersecurity practices can certainly help. It’s also important to become more knowledgeable about effective strategies for reducing cybersecurity risks, which is a major goal of Cybersecurity Awareness Month. In addition, Cybersecurity Awareness Month, formerly called National Cybersecurity Awareness Month, strives to ensure that individuals and organizations have the resources they need to be safer online. People can take advantage of the CISA’s cybersecurity tips, cyber essentials, and other information to become more cyber smart—not just this month, but throughout the year.

Safe Systems also offers a wide range of resources to help financial institutions enhance their cybersecurity and protect the confidentiality, integrity and availability of their information. Our multi-layered security suite, which is designed to protect vulnerability points inside and outside the network, includes DNS filtering, endpoint protection, next-generation firewall, security event log monitoring, and vulnerability monitoring. Community banks and credit unions can implement these security services to improve their cybersecurity posture, prevent cyberattacks and keep their operations running smoothly.

19 Oct 2021

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

What Makes a Successful Business Continuity Management Plan (BCMP)?

Minimizing the impact of disruptions of any kind, natural or man-made, or cyber should be a priority when it comes to the overall security of your institution. But how do you know if you’ve checked off all the important boxes?

A compliant and successful business continuity plan has the following components: Risk management (Business Impact Analysis, Risk/Threat Assessment); continuity strategies (Interdependency Resilience, Continuity, and Recovery); training and testing (aka Exercises); maintenance and improvement; and board reporting. In addition, the expanded FFIEC BCM IT Examination Handbook calls for all “entities” to rethink their approach to business continuity and be prepared to make appropriate plan revisions to meet these expectations.

To comply with regulatory requirements, it is important for institutions to not only understand the BCM process but also focus on an enterprise-wide, process-oriented approach that considers technology, business operations, testing, and communication strategies that are critical to business continuity management for the entire organization, not just the information technology department. It seems like a lot, but the risks an institution could face by not having a compliant and effective plan in place can be even more costly.

Don’t know where to start? We’ve developed a blog that walks you through the key requirements of BCMP, provides insight into the new guidance and the specific changes you may need to make to meet these expectations, and helps you ultimately determine what to include in the plan. View the original blog post here.

13 Oct 2021

Banks, Compliance, Credit Unions Marshall Jones 0 comment

Stories from the Front Lines: How Real Financial Institutions Handled an O365/M365 Cloud Security Compromise

Stories from the Front Lines

Microsoft 365 (formerly Office 365) comes with an array of settings that customers can modify to enhance their security controls. When these settings are not effectively adjusted though, serious cloud security compromises can ensue. Our M365 Security Basics solution helps financial institutions detect and respond to potential problems. From our recent webinar, here are real-life stories about financial institutions (whose names have been changed) that had their cloud security compromised. See how they handled each situation, so you can learn what to do and not do to secure your O365/M365 account.

Loan Officer – Email Forwarding

Luke, a loan officer, is constantly emailing people inside and outside his organization. He often sends sensitive information but uses encryption to protect his outbound emails and multi-factor authentication (MFA) to protect his identity. Somehow his email account was compromised—for eight whole months—before the problem was discovered. Our M365 Security Basics reporting indicated there was an issue with his email being forwarded to an external domain. We worked with the IT administration team to confirm that a suspicious Yahoo address was not an authorized send-to address for the emails Luke had been receiving. The intruders’ cunning scheme involved a modified mailbox setting that predated Luke’s MFA setup and the other precautions Luke had implemented. We were able to resolve the compromise by removing the forwarding property. Moving forward, Luke’s IT team needs to keep a close watch to ensure the organization’s email accounts are protected.

IT Administrator – Global Auditing

Han works at a smaller organization and wears multiple hats as an IT, compliance, and security administrator. While he’s not well versed in cloud security, Han thinks the cloud is the best option for his organization. He selects various Microsoft cloud resources and works with a vendor to establish a tenant in Azure Active Directory (Azure AD), which is a requirement for O365/M365. Han provisions his account administrative rights in Azure, synchronizes users and passwords, and gets help training end-users on Microsoft 365 services like OneDrive, SharePoint, and Teams. Then he notices an Azure AD account that he and his team have never seen—and the name of the account is strangely almost identical to an existing end-user. Han called our support staff for assistance and learned that his global administrator account had been compromised. To make matters worse, Han had left his security settings at defaults and had not enabled global auditing, which meant there was no way to determine what the attacker had changed in the system. The best solution was to move the organization’s data, email, and identities to a brand new Microsoft tenant. This extensive migration project could have likely been avoided if Han had enabled MFA and the proper audit settings.

HR – External Document Sharing

Human resources vice president Leah employs a variety of technologies to facilitate working from home and the office. Leah relies on the Cloud, and desktop and mobile apps to access documents on all her devices and enjoys using Teams to share files with others in her organization. Using these technology services has caused her to inadvertently place the company at risk of exposure and identity compromise because her IT administration team had not implemented the appropriate security controls for all their organization’s licensed technology services, creating a security gap. Luckily, the IT team received an M365 Security Basics alert for a file being shared externally in OneDrive, which is a common alert that we see. There was also enough data in the alert to indicate the multiple bad security, identity, and compliance practices that Leah has. The IT team resolved these issues by reducing the default sharing levels of SharePoint Online and OneDrive and retraining Leah on good and bad practices for security, identity, and compliance.

CEO – Multifactor Authentication

As the CEO of his organization, Chewy’s contact information is very public; his email address is prominently displayed on the company’s website, LinkedIn, and other social media platforms. Chewy uses multiple devices to get work done in the office and at home. He often signs into whatever computer is handy, whether it’s his or his wife’s laptop. Chewy’s account is under attack in Azure AD from a Russian IP. M365 Security Basics Alerting was able to notify his IT team of this by way of the Large Number of Failed Sign Ins for a Single User alert. Unfortunately, the IT department did not require MFA registration for most of the organization’s users, including Chewy, even after being alerted to the attack. The Russian attackers eventually compromised Chewy’s account. Once they did, our alerting engine promptly notified the IT team of a successful sign-in from outside of the USA, which they promptly responded to, limiting the amount of time the account was compromised.

Listen to the full stories or watch the complete webinar.

11 Oct 2021

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

What Financial Institutions Should Budget for in 2022

Many of us thought 2021 was going to be the downhill side of the pandemic. I recall working on a webinar presentation that we hosted last summer and including the words, “Now that the pandemic is behind us…” Obviously, I was overly optimistic. As we look ahead to 2022, we must acknowledge that the COVID-19 pandemic will continue to affect us to one degree or another. With that said, these budgeting ideas for 2022 may look somewhat similar to those for 2021, but there are slight variations based on current banking technology, compliance, and security issues.

1. Multifactor Authentication

Implement multifactor authentication (MFA) on all your email accounts wherever it is possible and appropriate. MFA can reduce the risk of having account credentials compromised by as much as 99.9%, making it one of the most effective measures you can use to protect your institution. There is typically a small cost for licensing and implementing MFA software. So, you can add MFA to your email accounts for a nominal cost and with minimal effort in most cases. If you are using Microsoft’s cloud email solution, for instance, implementing MFA can be as easy as changing a few minor settings. Another area to consider for MFA is logging into the domain account. There can be a cost associated with this as you will probably want to use a tool to help you manage the process. You can apply MFA only on accounts with administrator rights or on all users. But since many cybersecurity insurance companies are requiring MFA for accounts with administrator rights, using this stronger type of authentication might be your only option.

2. Laptops

With different variants of COVID-19 or other viruses popping up, remote work may still be an option for certain employees. Remote capabilities may even be necessary to keep the institution operating smoothly at times. Be sure you have the infrastructure in place for a partial remote workforce because the need could develop at any point. For this reason, you should consider providing laptops for all employees who could conceivably work from home. Start with those who need new devices. Then prioritize based on those doing the highest-level work necessary to keep the institution running. Laptops and encryption software, required for mobile devices, may cost slightly more but should not cause a huge increase in expenditures. In some cases, you may be able to reuse a desktop computer to replace an older workstation for an employee whose duties cannot be performed remotely.

And don’t forget… There is a chip shortage and high demand for laptops, which means it can take months to secure computers and other hardware. So, order any equipment you need well in advance to ensure you have the appropriate infrastructure in place to support staff that may need to work from home.

3. Moving to the Cloud

Having infrastructure in the cloud can be extremely beneficial, so slowly start moving your infrastructure to the cloud. Cloud infrastructure decreases the need for an employee to be onsite with the hardware, and cloud computing increases uptime. In addition, disaster recovery becomes easier and faster with cloud infrastructure. More than 90% of Fortune 500 companies are running at least some infrastructure in the cloud, primarily through Microsoft’s cloud computing platform: Azure. The cloud is the future of IT and infrastructure, and it makes sense for institutions that need reliable and resilient infrastructures. So, if you need to purchase a server next year, consider getting a quote for moving the server to the cloud instead.

4. Cloud Security

While the cloud offers plenty of advantages, it comes with settings, management tools, and security options that must be effectively configured and managed to ensure the highest level of security in the cloud. Cloud security is a concern for not only institutions with infrastructure in the cloud, but also for M365 Windows/Office licensees with OneDrive enabled, email in the cloud, or using Microsoft as an authentication mechanism with a third-party application. Earlier this year, the FDIC released a letter outlining the need to secure cloud configurations. Their cloud-security concerns are warranted. Safe Systems has worked with several institutions ranging from a hundred million in assets up to multibillion dollars in assets and found that almost every institution had gaps in their cloud security. Some institutions had indications of their email or user accounts being compromised; others had settings that could open the door to future compromises. Safe Systems worked closely with these institutions to develop an innovative M365 Security solution to address these issues with reports, alerts, and reviews. This unique product is specifically designed to help financial institutions manage their cloud setup now and in the future. In addition, it is a reasonably priced option for the substantial amount of value that it delivers. Institutions should reach out for a quote to determine if M365 Security could fit into their budget next year.

5. Virtual ISO

Another item to consider for your budget is virtual Information Security Officer or VISO services, which we also mentioned last year. These services have become increasingly popular as the landscape of information security has grown more extensive and complex. In many cases, institutions are finding it harder to keep up with the latest information security expectations, regulations, and trends. Safe Systems’ ISOversight service addresses this problem by combining applications for self-management with assistance from compliance experts to offer a VISO service at a competitive price. This type of service can be beneficial in many ways as it can provide structure, automation, accountability, assistance, and consistency throughout your information security program. It can also enable your institution to stay engaged, which is critical when an exam or audit occurs. VISO services, which vary in price depending on the work being performed by the third-party provider, are ideal for any institution with limited access to security expertise in-house.

6. Cybersecurity

You cannot have a conversation about budgets for next year without addressing the issue of cybersecurity. Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, a recent Boston Consulting Group report indicates. Cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights. And cybersecurity has become even more precarious during the COVID-19 pandemic. The pandemic has created new opportunities for security breaches as the increase in remote work makes information security more challenging to manage. Unfortunately, institutions will need to increase their security layers and annual spending to address this issue. According to Computer Services Inc. (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

In Conclusion

The threat to your institution’s data is as real today as it ever has been. Therefore, make sure you are applying these measures to strengthen your security:

Employee training to ensure adequate, effective, and safe practices
Perimeter protection to ensure the appropriate layers are enabled and all traffic is being handled correctly, including encrypted traffic
Advanced threat protection and logging to be able to identify how, if at all, malware or an intrusion created an incident
Backup and data redundancy to ensure ransomware cannot wipe out your data

Have a conversation with a security company you trust to ensure that, if you are the target of a ransomware attack, your business won’t sustain long-term damage. In other words, invest in cybersecurity now, so your institution won’t end up paying more later.

As you contemplate your budget for 2022, don’t just think about the items that others have put on your plate. Be sure to consider the changes that may have occurred at your institution—and the ones that may be coming—and have a plan to address these. All these changes can be exciting and make a major difference for your institution. But they can often be hard to get implemented if they are not budgeted for ahead of time.

29 Sep 2021

Banks, Credit Unions, Technology Marshall Jones 0 comment

Understanding Microsoft O365/M365 Settings to Ensure Your Security Controls Are Effective

It’s important for financial institutions to understand Microsoft Office 365 (O365) and M365 settings, so they can optimize the security controls and quickly detect potential areas of compromise. The educational journey begins with acknowledging the role of Azure Active Directory (Azure AD), Microsoft’s cloud-based user authentication platform.

When your institution purchased O365 (recently rebranded as M365), it established a Microsoft tenant with Azure AD. Since that tenant belongs to you and your institution—not the licensing reseller—it is your responsibility to understand Azure AD and its controls. This is where you can customize the settings to create more sophisticated and appropriate security policies for your institution.

Monitoring for Exceptions to Security Controls

Once your institution has good policies in place, it’s essential to monitor for exceptions. There are so many security controls to check; it can be difficult to know if there is a policy exception or even an active compromise. As an added challenge, some controls can have a major impact on the user experience, and these controls cannot be created arbitrarily by a third party simply based on what is presumed to be best practice.

Therefore, you must build policies around what users are allowed to do, what your institution’s risk assessment defines, and what users will tolerate. Making appropriate policy-related adjustments to O365/M365 requires knowing how to connect with and analyze specific Microsoft data to modify the related security controls. Microsoft has created a plethora of controls, which can be difficult for many customers to navigate. That’s where it can be beneficial to partner with a value-added reseller like Safe Systems.

M365 Security Basics

Safe Systems consults with clients to help them best use O365/M365 controls and uncover their cloud security “blind spots.” M365 Security Basics is the first CloudInsight™ offering that provides visibility into security settings for Azure Active Directory and O365/M365 tenants.

M365 Security Basics consists of three main parts—reporting, alerting, and quarterly reviews— that your institution can choose from based on its needs. The reporting feature pulls Microsoft data that may not be easily accessible and compiles it into a user-friendly format. The reports show the fundamental settings at a glance, so institutions can track configuration changes over time. There are summary reports that IT administrators can use to quickly identify anomalies in their organization as well as detailed reports that include the specifics of a given anomaly.

While reporting generates important ongoing details, it can produce a substantial amount of information for you to review. Alerts can notify you as soon as possible about the most common setting changes or activity that can represent an indicator of compromise, so you can investigate and respond.

With the quarterly review component, Safe Systems will help you walk through the content of all your reports and discuss your overall strategy for adjusting the configurations. Having all this data at your fingertips makes it easier to make assessments to determine which settings are right for your organization. Two key settings to enable are multi-factor authentication—which should be universal for every user because it adds a critical layer of protection to the user sign-in process—and auditing which is crucial for investigating changes.

Educate. Expose. Empower.

The goal of M365 Security Basics is to educate financial institutions about the unfamiliar concepts related to O365/M365, expose the reality of what they are already living today, and empower them to take action where changes are needed.

For more information about how to understand O365/M365 settings to ensure your security controls are effective, listen to our webinar on “Cloud O365-M365 Security – Do You Know if You Are Currently Compromised?”

21 Sep 2021

Banks, Credit Unions, Technology Marshall Jones 0 comment

Multi-Factor Authentication Offers Secure, Reliable Access Control

In our increasingly digital world, financial institutions must go beyond requiring only usernames and passwords for the sign-in process. They need to employ a combination of factors to validate the individuals using their resources, whether they’re customers accessing electronic products and services or employees accessing systems, applications, and data. Institutions can choose various levels of authentication to verify people’s identity before giving them access to sensitive information, accounts, and other assets. However, multi-factor authentication (MFA) offers a secure and reliable approach for reducing the potential for unauthorized access.

One of the key values of MFA lies in its use of multiple factors for the validation process. MFA adds a layer of protection by requiring users to present a variety of elements to prove who they are. With this method, users must supply valid identification data such as a username followed by at least two types of credentials, such as:

Something the person knows: This represents “secret” information that is known or shared by both the user and the authenticating entity. Passwords and personal identification numbers (PINs) are the most commonly used shared secrets, but newer methods of identification are gaining popularity. Users may be required to answer questions that only they should know, like the amount of their monthly mortgage payment. Another example is they might have to identify their pre-selected image (chosen when they opened their account) from a group of pictures.
Something the person has: This is often a security token or a physical device, such as an I.D. card or smartphone, that people must have in their possession. Password-generating tokens can significantly enhance security because they display a random, one-time password or passcode that the recipient must promptly provide to complete the authentication process. Having unpredictable, one-time passwords makes it more challenging for hackers to use keyboard logging to steal credentials.
Something the person is: This more complex approach to authentication uses a physical characteristic (biometrics) such as face, fingerprint, or voice recognition to verify people’s identity.

Since MFA incorporates factors based on knowledge, possession, and/or biometrics, it makes it more difficult for cybercriminals to compromise people’s identity. Thus, MFA is an ideal verification method to use when more sensitive or critical assets are at stake. MFA is so reliable that the Federal Financial Institution Examination Council (FFIEC) recommends applying it in more high-risk situations. “Management should use multi-factor authentication over encrypted network connections for administrators accessing and managing network devices,” states the FFIEC IT Handbook’s Architecture, Infrastructure, and Operations booklet.

MFA gives financial institutions a valuable security control for their internal and cloud resources. Take our quiz to see how much you know about multi-factor authentication.

14 Sep 2021

Banks, Credit Unions, Technology Marshall Jones 0 comment

How Financial Institutions Can Better Manage Their Azure Active Directory Responsibilities

If your institution is using Microsoft 365 (formerly Office 365), you also have—and are responsible for—Azure Active Directory (Azure AD), Microsoft’s cloud-based identity and access management service. Microsoft Online business services like M365/O365, require Azure AD for sign-in and to help with identity protection. If you subscribe to Microsoft Online business services, you automatically get Azure AD with access to all the free features.

With an Azure AD tenant, you’re responsible for overseeing Azure AD’s security features, which can be customized to your business requirements. For instance, you can use Azure AD to require multi-factor authentication for users who are accessing important organizational resources. You can also employ Azure AD utilities to automate user provisioning between your existing Windows Server AD and cloud apps, including M365.

The Good News: You’ve Already Vetted Azure AD

If you’re daunted by the idea of overseeing Azure AD, don’t be. You’ve likely already vetted Azure AD for compliance because you’re using M365/O365. So, if you properly completed the vendor management process, Azure is already covered. In addition, Microsoft has taken steps to secure the environment that houses data in the Azure AD platform.

However, customers have the ability to choose settings that can make Azure AD more secure. Since M365/O365 is designed to be a collaborative environment, their out-of-the-box security settings are calibrated for sharing, requiring some modifications to enhance the security features. For example, you can use the Azure AD management interface to adjust the sharing dial to keep users from disclosing non-public or sensitive information.

Oversight Responsibilities

If you obtain an Azure AD license through a third party, you’re still responsible for managing, controlling, and monitoring access within your organization. This includes access to resources in Azure AD and other Microsoft Online services like Microsoft 365/Office 365. More importantly, your institution (not your vendor) is responsible for managing all the security features of Azure AD.

With an Azure AD tenant, you should:

Manage your cloud and on-premises apps
Manage your guest users and external partners, while maintaining control over your own corporate data
Customize and control how users sign up, sign in, and manage their profiles when using your apps
Manage how your cloud or on-premises devices access your corporate data
Manage your organization’s identity through employee, business partner, vendor, service, and app access controls
Detect potential vulnerabilities affecting your organization’s identities, configure policies to respond to suspicious actions, and then take appropriate action to resolve them
Gain insights into the security and usage patterns in your environment through reports and monitoring

Safe Systems can help financial institutions optimize key features in Azure AD and M365/O365 to meet or exceed their security objectives. Our M365 Security Basics solution can provide expertise and visibility into security settings through reporting, alerting, and quarterly reviews.

08 Sep 2021

Banks, Credit Unions, Technology Marshall Jones 0 comment

Key Terms FIs Need to Know for Microsoft 365 (Office 365) and Azure Active Directory

Many financial institutions rely on Microsoft 365 (formerly Office 365) and Azure Active Directory (Azure AD) to access resources that can enhance their employee productivity and business operations. Here are some basic, but important, terms to keep in mind for these products:

Microsoft 365 (M365) versus Microsoft Office (O365)

Microsoft announced early last year that it was rebranding most of its O365 products to M365.

“We are changing the names of our Office 365 SMB SKUs on April 21, 2020. Yes, that’s right, the Office 365 name is hanging up its jersey and making way for Microsoft 365.”

Because Office 365 was so widely used, it has taken a while for this name change to catch on. Adding to the confusion, Microsoft already had M365 products prior to the name change. In most cases today, M365 and O365 are terms that are used interchangeably.

Azure AD

Microsoft Azure AD is a cloud-based identity and access management service that enables users to sign in and access various resources. You may be familiar with Active Directory as your on-premises identity management platform. What you may not realize is this: When you purchased M365, you received Azure AD along with it. Azure AD allows your employees to sign into resources like M365, the Azure portal, and other SaaS applications. They can also use Azure AD to sign into some of your institution’s other resources, such as apps on the corporate network and intranet.

Azure AD Sign in

Since all O365/M365 services are funneled through Azure AD, whenever employees try to access these resources, they must first sign in to Azure AD. Essentially, Azure AD facilitates sign-in attempts by authenticating users’ identities. Because Azure AD works behind the scenes, employees may not realize they’re not directly signing into O365/M365.

Basic versus Modern Authentication

Customers of O365/M365 and Azure AD can choose basic or modern authentication to access their services. Basic authentication requires simple credentials like a username and password while modern authentication goes a step further with multi-factor authentication. This advanced login protocol requires a username, password, and another identity verification such as scanning a fingerprint, entering a code received by phone, or using the Microsoft Authenticator app. This adds another layer of protection to the sign-in process before users can access their O365/M365 and Azure AD accounts.

Safe Systems can make it easier for financial institutions to strengthen their security posture when using cloud-based solutions like M365 and Azure AD. M365 Security Basics provides visibility into security settings for these products through in-depth reporting, alerting, and quarterly reviews.

01 Sep 2021

Banks, Compliance, Credit Unions Kai Xu 0 comment

FIs Must Plan Ahead for IT Projects to Get Hardware in Time

The coronavirus pandemic has fueled ongoing inventory and material shortages in a number of industries and IT is no exception. Many components, such as servers, routers, firewalls, network switches, phones, keyboards, microphones, webcams, and more are still in relatively short supply. We’re seeing lead times for hardware delivery lasting four to six months—and the situation could get worse with the Delta variant. So, it’s crucial for financial institutions to plan ahead when ordering IT equipment.

There’s a combination of factors driving these hardware shortages and delivery delays. With more people working from home, there’s an increased need for hardware, and the rise in demand for electronic devices has placed an extra load on the semiconductor industry. Semiconductors, commonly referred to as computer chips or chips, are a core element in almost everything electronic. The semiconductor market is also consolidated with only three manufactures who can produce the most advanced chips. These factors account for some of the reasons why chips are becoming scarce during a time of heightened demand. Currently, semiconductor lead times are stretching to more than 20 weeks—almost three times the pre-pandemic norm, according to Bloomberg.

Another key factor in hardware shortages is the just-in-time production (JIT) model that many companies, including those that manufacture chips, use to turn out small batches of products instead of creating huge inventories. While this lowers their production costs, it can cause supply chain problems when there’s a rapid surge in demand. Employee shortages worsened by the pandemic have only helped to strain hardware supply chain output even further.

If you’re planning to make upgrades or replace any end-of-life (EOL) equipment, you should order it now to help ensure your institution gets what it needs in time. Another issue is not about ordering the hardware; it’s about having time to properly execute the implementation. For instance, if you need new servers, routers, or phone systems, you need ample lead time to design the project, sufficient time for deployment, and additional time to ensure everything works properly post-implementation. Thinking ahead will make the hardware acquisition and implementation much easier to manage in the long run.

Potential Impact of Not Planning Ahead

Lack of effective planning for hardware purchases could result in serious complications. For instance, if you need a new phone system, you might not be able to secure phones, switches, and routers in time for your scheduled implementation. The delivery delay could be several months which not only impacts deployment but also results in a disruption to your current business functions.

In addition, a delay in installing new equipment could lead to security problems. Often, the new version of software will not install on old hardware, which could leave your institution using obsolete software that doesn’t get the appropriate patches and updates. So, actively researching any EOL issues that could lead to this problem is critical, (Incidentally, Microsoft Server 2012 is coming up on its EOL.)

Keeping hardware and software properly updated is also a matter of regulatory compliance for financial institutions. Management should implement policies, standards, and procedures to identify assets and their EOL time frames to track assets’ EOLs and to replace, or upgrade, the asset, according to the FFIEC Examination Handbook’s Architecture, Infrastructure, and Operations booklet. The guidance states, “Failure to maintain effective identification, tracking, and replacement processes could have operational or security implications (e.g., unavailable or unapplied security updates [patches] that make technology vulnerable to disruption).”

The bottom line is: If you need any IT equipment, it could be months before it’s available. So, plan your project accordingly and order the hardware as soon as possible to ensure the success of your implementation timeline. If you need assistance with researching lead times on hardware such as servers, routers, firewalls, network switches, and more or would like support with EOL products and planning for what is ahead, Safe Systems has experts on hand to help.

18 Aug 2021

Banks, Compliance, Credit Unions Jamie Davis 0 comment

How Banks and Credit Unions Are Responding to Emerging Cybersecurity Threats

Cybercriminals are always looking for new ways to bypass defense measures and exploit emerging weaknesses. Today, financial institutions are fending off security threats that are more ubiquitous, complex, and costly.

As more employees than ever before engage in remote work and online collaboration, this presents a host of potential security gaps. Unsecured home Wi-Fi networks, remote servers, mobile devices, a lack of encryption, and inadequate intrusion detection software are just a few of the factors that contribute to a spike in cyber attacks.

From an internal operations standpoint, it’s equally as important for financial institutions to secure data from basic human error, as 85 percent of data breaches involve a human element, according to the Verizon 2021 Data Breach Investigations Report. Employee awareness training can be the first (and best) defense against emerging cybersecurity threats like business email compromise which is designed to trick people into processing a payment or sharing valuable information.

Leveraging the Latest Technology

Next-generation firewalls (NGFWs) and cloud platforms can also support organizations’ efforts to combat cybersecurity threats. NGFWs offer advanced features that make risk easier to detect, manage and eliminate. SSL/TLS inspection can ensure that encrypted traffic is safe to transmit over the firewall. In addition, threat feeds can help firewalls effectively analyze traffic and route potentially dangerous traffic to a virtual “sandbox,” where it can be processed securely. Automated log analysis is then used to enhance the difficult job of managing voluminous logs and resolving security issues. To learn more about how these advanced features work, listen to our recorded webinar, “Firewall Chat: A Panel Discussion on the Technical Advances in Firewalls”.

Cloud computing is also providing benefits to financial institutions to enhance their security resources. While cloud technology is nothing new, innovations from major platforms like Microsoft, Amazon and Google offer enticing advantages to moving data and business processes into the cloud. But it’s important to keep in mind that employing cloud services requires institutions to use different security practices in order to minimize data breaches and other cyber threats.

Growing Need for Insurance and Expertise

As another developing trend, more companies are adding cyber insurance to their security toolbox. A cyber insurance policy can be an effective way to mitigate risk related to financial losses from cyber attacks. But with more cybercrime happening, organizations can expect to see higher premiums, decreased limits, and changes in exclusions for certain losses.

As cybersecurity threats become more frequent, sophisticated and expensive, financial institutions need to apply more vigilance and expertise to keep hackers at bay. Safe Systems can help ensure that community banks and credit unions have the technical resources they need to effectively address the latest security issues. Managed Perimeter Defense (MPD) offers a combination of professional IT solutions, including device monitoring and management, sandbox analysis, dynamic threat feed analysis, and SSL/TLS inspection.

09 Aug 2021

Banks, Compliance, Credit Unions Christine Ray 0 comment

Third-Party Solution Makes It Easy for Community Bank to Enhance InfoSec Program

Implementing a technology-enhanced information security program doesn’t have to be a daunting task. Working with a third-party expert can make the process easier and smoother than managing all the requirements completely in house.

Effective information security (InfoSec) allows organizations to safeguard key IT assets, business processes and data from potential threats. It involves the broad measures that ensure the confidentiality, integrity and availability of the information being processed and stored by computer systems. Most financial institutions, especially those with limited IT resources, can benefit from having an outside vendor provide additional technical expertise and solutions to enhance their existing InfoSec program.

First State Bank Improves InfoSec with Safe Systems

First State Bank of Blakely, Ga. is a prime example of how a financial institution was able to tap external resources to expand its InfoSec program. The bank, which has about 100 employees and 10 branches, was handling most of its InfoSec requirements in house. But when First State Bank’s InfoSec consultant retired, the bank opted to expand its vendor management relationship with Safe Systems to include information security.

Safe Systems made the implementation quick and easy, recommending strategic tweaks that significantly streamlined the process. Consequently, First State Bank was able to avoid “reinventing the wheel” by importing some of its existing information. And since the program elements are web-based and accessible through any internet browser, it will be easy for the bank to make future edits.

First State Bank’s IT Manager, William Barnes, specifically references Safe Systems’ expertise, saying: “The knowledge and experience of the experts I worked with during implementation were very helpful. It is good to know they are there to consult with. I think overall, we are in a good place with the new information security program.”

In addition, the program provides an easy-to-follow guide for securing the First State Bank’s operations and processes. The program is reviewed at least annually, which serves as a reminder of important security requirements. “It helps us stay on top of the risks within the bank and has all the available forms that we need for most policies and procedures,” Barnes says.

Benefits of Technology-Enabled InfoSec

Having a technology-enabled InfoSec program offers a host of benefits for institutions like First State Bank. In general, an automated security program can help banks better support the hardware, software, policies, procedures, and information assets needed to accomplish their business objectives. More specifically, incorporating technology can simplify an InfoSec program; it can streamline the process of identifying and classifying the vast number of assets institutions often have scattered across multiple branches and geographic locations. And a built-in risk assessment tool can provide pre-determined default risks for different assets based on commonly known threats and vulnerabilities.

All of this can reduce the need to create huge spreadsheets to maintain the amount of data typically required for an InfoSec program. As a result, financial institutions can have more accurate security-related information, enhanced board reporting, and better decision making and governance.

Consulting with a trusted vendor like Safe Systems allows institutions to immediately expand their information security expertise and resources. Safe Systems includes three applications in their service including Risk Assessment, Policy Manager, and Enterprise Modeling, to help banks and credit unions centralize and automate their InfoSec program. These powerful applications can make it easier for institutions to enhance their processes for assessments, notifications, reporting, policy/procedure updates and regulatory compliance so they can optimize their security posture.

04 Aug 2021

Banks, Compliance, Credit Unions Jamie Davis 0 comment

Technical Advances in Firewalls and How FIs Can Make The Most of Them

Firewalls have been a critical first line of defense in network security for decades. Over the years, they have evolved beyond simply filtering traffic between internal and external networks to offering more advanced features. Today banks and credit unions can capitalize on the technical innovations of next-generation firewalls (NGFW) to significantly enhance their network security.

NGFW Features

NGFWs offer a combination of advanced elements that can help financial institutions better manage incoming and outgoing traffic. Encryption is one example and is a key defensive weapon—but it can be a two-edged sword. While encryption is designed to ensure that only the intended audience can see the data being sent, a network’s security system may not be able to properly view, examine, and identify the encrypted traffic.

When a firewall receives encrypted traffic, it has to unscramble it into readable, usable, plain text. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) inspection are required to allow this unscrambling. Without these next-gen inspection features, it is estimated that more than 80% of internet traffic will traverse the firewall uninspected. This means encrypted web traffic can deliver malware to the client without the firewall ever knowing it. Additionally, many advanced firewalls employ “sandboxing,” which ensures suspicious traffic is processed in a secure alternative environment without posing risks to the production network.

Many NGFWs also use what are known as “dynamic” and “static” threat feeds. These lists of potential and current threats enable the firewall to determine whether certain traffic will be passed through or denied. Suspicious traffic gets flagged and remains in the database to support future evaluations.

With threat feeds, a static list is generally used for a small number of IP addresses – in part because it requires more manual labor for maintenance and updating. A dynamic list is typically automated from the cloud, which makes it less user-intensive, easier to keep updated, and more effective than a static list. Geo IP filtering, for example, is just one type of dynamic feed that institutions can use to block certain countries from accessing their outbound or inbound traffic.

Website whitelisting and cross-site hosting are additional tactics for managing and troubleshooting firewalls. Whitelisting allows access to websites that have been blocked by the firewall, and cross-site hosting comes into play when a different but related site is requested.

When it comes to advanced firewall devices, logs and log analysis are especially critical. Logs provide records of every action and event that happens on a network and provide valuable insight into identifying issues that impact performance, compliance, and security. As data logs can surpass millions of lines from just a single 24-hour period, manually analyzing this data is an overwhelming undertaking. With NGFW features such as automated log collection and analysis, institutions can improve data gathering and log management to detect and address potential security problems more effectively.

So which NGFW features are the most important? All of them are important. They’re intended to complement each other and work together toward a common goal: enhancing network security.

There are a few additional, important aspects to consider when implementing a firewall, such as ingress vs. egress rules, cloud services, or content delivery networks, protecting a remote workforce, and ongoing employee training. To learn more about these and all the advanced firewall features, listen to our webinar, “Firewall Chat: A Panel Discussion on the Technical Advances in Firewalls.”

29 Jul 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

2021 Hot Topics in Compliance: Mid-Year Update

2021 Hot Topics in Compliance

While the COVID-19 pandemic certainly isn’t over, financial institutions have learned valuable lessons so far. In retrospect, the pandemic’s impact on community banks and credit unions hasn’t been as catastrophic as examiners had initially feared—at least not financially. Key impacts have been mostly operational, involving risk related to temporary measures taken to weather the crisis. For instance, examiners will want to know what modifications institutions have made to their operational processes to accommodate an increasingly mobile customer and member base and remote employees, and whether they accounted for additional fraud, cyber threats, or other risks as a consequence. If institutions implemented new products or services, they would need to also account for the operational risk associated with these changes—especially if additional third-party providers were involved. That said, throughout the pandemic, the overall industry demonstrated a very high level of resilience.

In addition to the post-Pandemic lessons, there are other important compliance trends and new regulatory guidance that institutions should anticipate as we approach the rest of the year:

Emphasis on Ransomware Cybersecurity

Recently, ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely ramp up going forward. This will be reflected, in part, by the number of (and types of) assessments that they may expect financial institutions to perform on an annual basis, including the familiar Cybersecurity Assessment Tool (CAT) and newer, non-compulsory Ransomware Self-Assessment Tool (R-SAT) developed partly by the State regulatory bodies.

In addition, at the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) has recently developed its Cyber Security Evaluation Tool. This tool is not specific to the financial industry but rather designed to apply to multiple industries. And the National Credit Union Association (NCUA) decided earlier this year to move away from using its version of the CAT, known as the Automated Cybersecurity Evaluation Toolbox (ACET). It’s now prioritizing a modified InTREx for Credit Unions (InTREx-CU), which is designed to enable credit unions to identify and remediate potential high-risk areas, including within the cybersecurity controls domain.

Changes with Cyber Insurance

Major shifts are also happening with cyber insurance. Because of excessive losses by the insurance industry, there will very likely be increased deductibles, increased exclusions, and decreased limits for covering cyber losses. Cyber insurance coverage—which is not an absolute requirement by regulatory agencies—is going to be more difficult and expensive to obtain. So, the lesson is: As insurance policies come due, don’t automatically renew before you assess what has changed in terms of the coverages, exclusions, and limitations, and make sure you’ve documented your cost-benefit decision.

New Guidance on Architecture, Infrastructure, and Operations

In June, the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. The updated guidance, which replaces the “Operations” booklet issued in July 2004, acknowledges the inextricable link between an institution’s operations, architecture, and infrastructure. Or as a recent FFIEC press release states:

“The booklet discusses the interconnectedness among an entity’s assets, processes, and third-party service providers, along with the principles, processes, potential threats, and examination procedures to help examiners assess whether a financial entity’s management adequately addresses risks and complies with applicable laws and regulations.”

The booklet provides a fresh take on several concepts: It recognizes different treatments for smaller or less complex institutions and adopts a different approach to data classification by factoring in value with criticality and sensitivity. All entities—not just credit unions and banks but also non-financial, third-party service providers—are expected to adhere to the guidance.

In addition, there are also pending new rules for incident notifications for banks, service providers, and core providers, which isn’t surprising with all the recent cybersecurity attacks. Finally, examiners are also expecting more detailed board reporting, such as showing how an institution’s business continuity management plan, business strategy, and risk appetite are all aligned.

For more information about the latest expectations, compliance trends, and regulatory guidance, listen to our “2021 Hot Topics in Compliance: Mid-Year Update” webinar.

22 Jul 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

How Financial Institutions Can Enhance Board Reporting and Governance with Technology

As financial institutions face greater expectations for corporate accountability from regulators, effective board reporting and governance are becoming even more essential in the banking sector. While board members aren’t generally involved in the day-to-day operations, they are ultimately responsible for the success of their institution. Proper reporting can enable the board to make decisions without having to be involved in routine activities, and technology can help institutions enhance their board reporting and, in the process, help directors exercise the care, skill, and diligence required for good governance.

Five Essential Elements of Reporting

Board members need access to a range of financial and non-financial information relating to their organization’s products and services. In order to function effectively as a feedback tool for the board and senior management, the FFIEC Management Handbook states that information systems reporting should meet five essential elements:

Timeliness: To facilitate prompt decision-making, an institution’s information systems should be capable of providing and distributing current information to appropriate management or staff
Accuracy: A sound system of automated and manual internal controls should exist to ensure the validity of the information and should include appropriate editing, balancing, and internal control checks
Consistency: To be reliable, data should be processed and compiled uniformly. Variations in data collection and reporting methods can distort information and trend analysis
Completeness: Reports should contain the necessary information to inform decision-makers without voluminous detail
Relevance: Information systems should provide current, applicable, and actionable information

Reporting that contains the essential elements above can provide decision-makers with facts that support and enhance the overall decision-making process and can also “…improve job performance throughout an institution.” At the board and senior management level, information systems reporting provides the data and information to help the board and management make strategic decisions. At other levels, information systems reporting allows management to monitor the institution’s activities and distribute information to staff, customers, and members of management.

Applying Technology

Advances in technology have increased the volume of data and information available to management and directors for planning and decision-making. Converting that data into actionable knowledge is essential for the board to provide a “credible challenge” to management, which involves being actively engaged, asking thoughtful questions, and exercising independent judgment. Integrating technology into their InfoSec efforts, institutions can create a comprehensive system to generate, collect, and analyze data to support a more effective process for board reporting and a more knowledgeable board.

Heather Helms, CFO and Information Security Officer of Mount Vernon Bank, knows firsthand the importance of having an application that supports board reporting. “Before we started our partnership with Safe Systems, we were not up to par with the industry standards of reporting. Since redoing our Information Security Program and moving away from a paper-based model to automated applications, we’ve seen noticeably better results in our board reporting and regulatory updates,” said Helms. “When trying to wear numerous hats within a small community bank and stay on top of a topic so huge in a regulatory world, solutions like Safe Systems’ Information Security Program makes all of the difference.”

There are several advantages to financial institutions using technology solutions to automate and optimize board reporting and governance. The primary advantage is the ability to generate on-demand reporting on all aspects of information security management; from managing projects, to risk assessments (including risk appetite), to managing critical vendors, to mitigating operational risk through business continuity planning. Reporting should allow just enough detail to enable the board to fulfill their responsibilities, but not be so detailed that they struggle to comprehend. Ideally, technology should support high-level reporting, with the ability to “drill down” as necessary. The emphasis should be on quality, not quantity.

Another potential advantage of technology in reporting is the ability to aggregate business intelligence from multiple sources enterprise-wide. This not only gives the board a more complete picture of risk but can also stimulate internal collaboration and deeper insights, giving directors more meaningful information for analysis. The importance of timely, accurate, relevant, complete, and consistent information cannot be overstated, as the success or failure of management is often defined by the decisions they make. As the FDIC states, “The extreme importance of a bank director’s position is clearly emphasized by the fact that bank directors can, in certain instances, be held personally liable.” By having a comprehensive system in place for optimal decision-making, institutions can improve the quality of the information flowing from management to the board, and then from the board to other internal and external stakeholders—helping directors not only improve governance, but also enhance regulatory compliance and possibly even reduce lawsuits, monetary fines, and other negative consequences from inadequate board reporting.

Technology not only optimizes board reporting and decision-making but also makes it easier for directors to access the information they need to perform their due diligence and oversight obligations. It all boils down to implementing technology to exercise better accountability—ensuring sound policies are in place to promote strategic objectives and regulatory compliance.

Safe Systems offers a wide range of compliance-centric, innovative solutions that can help financial institutions take advantage of technology to improve their board reporting and governance.

15 Jul 2021

Banks, Credit Unions Safe Systems 0 comment

Cybersecurity Shouldn’t Be Keeping You Up at Night

There’s been a notable uptick in cyberattacks in recent years, some of which have drastically impacted institutions’ overall security. At Safe Systems, we believe that proactively protecting customer data will always be more cost effective than falling victim to malicious activity.

From malware and ransomware to managing security needs, we’ve got you covered on how best to protect your financial institution against any type of cybersecurity threat. After all, that’s why we’re here, right?

Make sure cybersecurity isn’t your institution’s weakest link by taking a look at our original blog post on the matter here.

01 Jul 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Benefits of Integrating Technology into Your InfoSec Program

Information security (InfoSec) is a critical aspect of keeping an organization’s computers, networks, sensitive information, and users safe from potential threats. Integrating technology into a financial institution’s InfoSec program can make it easier to manage risk and protect their information and infrastructure assets. Institutions can utilize automation to capitalize on a variety of other benefits, including:

Simplicity

Banking is a complex business. Banks and credit unions maintain a wide assortment of information technology devices, systems, and applications to support their operations. They also have multiple personnel, partners, and third-party providers spread across different geographic areas. The interconnectivity of their operations can make it even harder for institutions to protect the hundreds (and in some cases, thousands) of assets they must maintain. An automated system can make it easier for institutions to inventory and classify their assets—without having to create enormous, time-consuming spreadsheets. It provides a centralized solution for tracking the criticality, location, and risk exposure level of each asset. Identifying the source of risk is the essential first step to effective risk management. Technology and various Software as a Service (SaaS) applications can greatly simplify the process of inventorying assets, assessing the risk, and selecting controls. Technology can also create automatic updates to ensure that all policies and procedures are current and based on industry standards and regulatory requirements. Additionally, on-demand stakeholder reporting can be generated to provide the requisite documentation to management committees, board of directors, and regulatory authorities, respectively.

Completeness and Transparency

Integrating technology can help financial institutions get a clearer sense of their security posture, so they can develop a more complete InfoSec program. Automation makes it easier to identify and categorize each asset, along with its related risks, threats, and controls. This can enable institutions to make a more accurate assessment of where their security risks actually lie. With enhanced transparency, institutions can determine the most appropriate level of protection for each of their assets. As a result, they can more effectively use, manage, and secure these assets. Proactively identifying risks, threats and controls can also better position them to minimize the impact of security incidents in the future.

Better Intelligence and Insights

Some financial institutions rely on manual spreadsheets to manage the vast amount of information and other assets in their InfoSec program. But manual spreadsheets are not always the most effective tracking and reporting mechanism. People can inadvertently feed the wrong data into spreadsheets and produce unreliable results (“garbage in, garbage out”). Plus, since creating spreadsheets is such a repetitive and time-consuming process, information may be infrequently updated—which can make it less timely and thus less useful. However, integrating technology can help institutions enhance the accuracy of the intelligence that supports their InfoSec program. In turn, their board and management can have better insights into the important issues that impact the information security of their organization, which in turn empowers them to make better decisions.

Enhanced Reporting

To make the best decisions for their institution and perform their fiduciary oversight duties, boards and management committees need accurate, relevant, and timely information. By incorporating technology in their InfoSec program, institutions can put an efficient process in place to generate, collect, and analyze data to support board and committee reporting. This can enhance the overall quality of the information being reported to the board, shareholders, and auditors, and regulators. Optimized, on-demand reporting can improve governance, foster compliance, and potentially reduce negative consequences from inadequate board reporting.

Resource Collaboration and Augmentation

InfoSec resources are limited at many financial institutions, and most community banks and credit unions do not have a dedicated InfoSec specialist in-house. Additionally, information security officers (ISOs) tend to wear multiple hats and are often stretched thin by their broad range of responsibilities. An automated application can create a centralized solution that creates a multi-user approach to allow the ISO to leverage internal resources wherever and whenever possible. For example, a department head or process owner can be a valuable internal resource for assessing vendors impacting the department’s functionality. Similarly, the process owner (and not necessarily the ISO) would be the most logical choice to perform the process Business Impact Analysis. In this way, InfoSec becomes an “all hands on deck” operation, with all personnel sharing ownership of the process. Outsourcing additional aspects of InfoSec via a virtual ISO solution can provide an institution with additional subject matter expertise and solutions to further support their designated ISO and the overall security of their systems and information.

Read more about the benefits of integrating technology into your information security. Download our white paper on “How Financial Institutions Can Use Technology to Build an Automated, FFIEC-compliant Information Security Program.”

24 Jun 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Automating Your Information Security Program: How Technology Can Get Policies Off the Shelf

Automating Your Information Security Program - How Technology Can Get Policies Off the Shelf

Working with paper-based information security policies can be limiting for financial institutions. Automation allows banks and credit unions to take their policies off the shelf and move them online to reap multiple benefits.

There are 2 major challenges to having a static, paper-based information security program; the first is making sure policies accurately reflect the financial industry’s current guidance and best practices, and the second is making sure they accurately reflect your institution’s specific practices. Often new paragraphs and sections get added to cover additional policies while almost nothing gets expunged. Or a revision in one section of the program might not be properly updated in all other related areas.

These twin challenges are the primary cause of disconnects between policies, procedures, and practices —and compliance-related findings from IT auditors and examiners. Today examination auditors are scrutinizing documents far more closely, and they expect to see documentation that proves institutions are doing what their policies say they are. And unfortunately, policy disconnects and lack of adequate documentation in IT often reflect poorly on management. It is not unusual for us to see weaknesses in the IT area pull down the CAMELS management component in other areas. In a study conducted by the OCC earlier this year, researchers found that:

“… both the CAMELS composite and Management component ratings have significant predictive power for features of the distribution of banks’ return on assets (ROA), non-performing loans (NPL), stock returns, stock return volatilities, and market-to-book ratios.”

Advantages of Automation

Leveraging technology for an information security (InfoSec) program offers significant benefits by addressing both challenges. A key advantage is that it places all InfoSec related documents in one place where personnel can easily access them. Having a digitally enhanced program makes it easier to minimize exam findings related to inconsistencies between policies (what you say you’re going to do) and procedures (how you say you’re going to do them). Automation streamlines the process of updating policies and documenting the corresponding procedures that are in place to support them.

As another advantage, automation promotes personnel collaboration and engagement in the information security process. Having a web portal where staff can access the policies and procedures related to their area of focus enables collaboration, encourages engagement, and generally helps generate buy-in. As a result, personnel becomes better informed and more engaged in the information security program.

Automation also supports change management by facilitating periodic, detailed reporting to update various stakeholders about the status of the information security program. Reports can focus on a specific area or be customized for different stakeholders who may need more specialized reporting. They may be high-level summaries, or highly detailed. Most importantly, as regulatory guidance and best practice evolve, automation can allow policy updates to happen with the click of a button.

Our Unique Approach

At Safe Systems, we took a unique and comprehensive approach when creating our new Information Security Program solution. The program includes a comprehensive set of policies and a process-based risk assessment. It’s also structured around the Information Security and Management handbooks by Federal Financial Institution Examination Council (FFIEC). And it features a detailed, easy-to-navigate table of contents that will look familiar to auditors and examiners. The idea is to make it as easy as possible for IT auditors and examiners to find what they’re looking for, so they can move on to other areas!

Another way our approach is unique is that our methodology starts with enterprise modeling: We find out everything about the institution’s departments, processes, functions, and required interdependencies. That data then flows directly into the risk assessment and links to other areas that may be added later, such as business continuity management or vendor management. All of these areas will “talk” to the model to support automatic updating whenever global changes are made.

Positive Feedback

Our Information Security Program—which has been years in the making and incorporates everything we’ve learned about what does and doesn’t work—is effectively simplifying an inherently complex process for institutions of all types and sizes. So far, we’ve heard great feedback from auditors, examiners, and customers. (In fact, the risk assessment was developed in close collaboration with IT auditors.) Customers are finding our information security program much easier to manage than having multiple disjointed policies in Word documents and PDFs strewn across disparate folders. They can access policies without worrying if they have the most current version. And our broad and deep understanding of financial institution risk management allows us to start with a pre-filled set of policies, which are then customized to each institution. This greatly accelerates the onboarding process. Customers also like being able to work one-on-one with our team to build a process-based risk assessment model, being able to customize policy language as needed, and not worrying about what changes to make, or where to make them.

For more details, listen to our webinar on “Automating Your Information Security Program: How Technology Can Get Policies Off The Shelf.”

18 Jun 2021

Banks, Credit Unions, Technology Jamie Davis 0 comment

5 Areas to Outsource So Your IT Administrator Can Go on Vacation

5 Areas to Outsource so Your IT Administrator Can Go on Vacation

It’s summertime. And COVID restrictions are finally being lifted. Maybe now your IT administrator can go on vacation—if there’s someone available to fill in.

Third-party IT and security service providers can make it easier for smaller banks and credit unions to manage when staff takes time off. Here are five areas where financial institutions can outsource to maintain adequate IT resources—and peace of mind—while the IT administrator is out of the office enjoying some downtime:

1. Network monitoring for diagnostic or security issues — Monitoring is critical for detecting, diagnosing, and resolving network performance issues. A network monitoring solution can gather real-time information to ensure the system is being effectively managed, controlled, and secured. With proactive monitoring, IT staff can find and fix network issues more quickly and easily. This can help them keep the network operating smoothly, stay ahead of outages, and avoid expensive downtime. It can also help the IT department maintain critical business services and reduce potential security risks for the institution. Outsourcing network monitoring can lighten the workload for time-strapped staff who are probably juggling more tasks while the IT administrator is away.

2. Managed replication and real-time backup to the cloud — Replication tools can automate the process of copying data across multiple sources, relieving the IT department from the burden of monitoring backups on a daily basis. The data gets stored in multiple locations, increasing its redundancy and resiliency. Using cloud-based managed data replication and backup solutions can make it easier for institutions to have the data they need to maintain normal business functions. It also provides another major benefit: No matter where the network admin is, it will be easy to restore data if a hardware failure, power outage, cyberattack, or some other disaster impacts the system.

5 Things to Outsource So Your IT Administrator Can Go on Vacation Get a Copy

3. Regulatory and IT reporting — The need for data to confirm controls are in place does not go away when someone leaves or goes on vacation. It is important for management to have access to timely reporting about IT issues to enhance security and meet regulatory compliance. Having a system in place that generates reports in a single location, rather than manually created reports or reports pulled from disparate systems helps ensure data on security controls can be reviewed by anyone anytime. Partnering with a third-party provider that can aggregate reporting and control data can make it easier for institutions to meet these requirements.

4. IT support experts — Financial institutions must have the appropriate IT expertise to stay on top of complex security issues. Outside vendors can provide access to IT specialists who can augment the efforts of their IT team. The added support not only can be a godsend while the system administrator is on vacation, but it can also meet an ongoing need. An institution can use outside experts to provide technical knowledge and resources that may be lacking in the IT department.

5. Cloud-based infrastructure — Virtual servers, storage, software, and other cloud-based solutions offer access to resources on demand. And since cloud infrastructure is flexible and scalable, it is the ideal way to modernize a computer system and build redundancy. Using cloud-based infrastructure allows financial institutions to have duplicate copies of their data and core systems available whenever they’re needed. So, if an IT issue comes up, a third-party service provider can troubleshoot the problem remotely while the IT administrator is on leave.

Safe Systems offers a range of IT and security solutions to help institutions keep their operation and network running efficiently. Learn more about how our compliant solutions can provide professional support whenever your IT administrator takes a much-needed break.

10 Jun 2021

Banks, Compliance, Credit Unions, Security, Technology Christine Ray 0 comment

Technology, Compliance, and Security Best Practices – All in One Place

Resource Center

A few years have passed since we launched the Safe Systems online Resource Center, which provides community banks and credit unions access to a centralized knowledge base of materials that help you learn more about technology, compliance, and security best practices.

With a wide variety of content, ranging from videos to white papers to case studies, the Resource Center allows you to stay current with the latest trends and insights in the industry. For example, visit the Resource Center to view our latest webinar, infographic, or a short and timely blog. Come back often, as we add new content every week!

Just in case you missed our Resource Center reveal, or you would like a few more details on what it has to offer, please view the original blog post here.

03 Jun 2021

Banks, Credit Unions, Technology Marshall Jones 0 comment

What CEOs Should Know about Disaster Recovery

Disaster recovery—the process of restoring IT infrastructure, data and systems in the aftermath of a major negative event—is a specialized area of technology that’s not always top of mind for executives. CEOs must ensure their organization is equipped to quickly resume mission-critical functions following a calamity.

Here are some key considerations that bank CEOs should keep in mind to make sure their financial institution has a feasible approach to disaster recovery.

Expect the Unexpected

A disaster can happen anytime—and in any form. While people typically think of disasters as being natural occurrences, manmade catastrophes such as power outages, equipment failures, cyber attacks, and network downtime due to human error are equally common causes of disruption. Regardless of the source, the need for DR is truly a matter of when—not if. So, CEOs should get comfortable with the uncomfortable idea that some type of disaster will eventually impact their institution.

Be Proactive

DR planning is the key to both preventing disasters, and when they do eventually occur, successfully recovering from a natural or manmade calamity. Not having a sufficient plan in place can hit an institution where it hurts most: a loss of data, business functions, clients and reputation—not to mention time and money. Therefore, bank CEOs must ensure their management team is taking proactive steps to adopt effective DR strategies. This includes implementing—and testing—a plan for getting operations back to normal with minimum interruption.

Besides the practical need for DR planning, the Federal Financial Institutions Examination Council (FFIEC) advocates taking a preemptive approach to this often overlooked area of technology. The FFIEC IT Handbook’s Business Continuity Management booklet advises: “Management should identify key business processes and activities to be maintained while IT systems and applications are unavailable and prioritize the order in which these systems are restored, which should be reflected in the BIA. In addition, management should develop a coordinated strategy for the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software.”

The business impact analysis (BIA) is one tool that bank management can use to ensure their financial institution is adequately preparing for DR. This important mechanism predetermines and prioritizes the potential impact disruptive events will have on business functions. Essentially, the BIA can show gaps in critical processes that would impede disaster recovery and, in turn, the institution’s business continuity.

Consider Outsourcing DR

The intricacies of disaster recovery planning can be daunting, which is why many organizations fail to create a viable DR plan. More than one-third of small and medium-sized businesses do not have a plan in place for responding to data breaches and cyber attacks, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report. However, bank management can leverage external resources to expand their institution’s disaster recovery capabilities. Outside vendors can provide new technologies that reduce risk and enhance data backup, storage and recovery. They offer a variety of cloud-based solutions that can make the DR process more streamlined, efficient and cost-effective. Outsourcing DR can be especially advantageous to smaller banks that may lack this type of specialized knowledge in house. It can also benefit larger institutions that want the comfort of having third-party services available to support their resident DR specialists.

CEOs have a lot on their plates but paying attention to these important DR issues can help ensure both operational resilience during a disaster as well as regulatory compliance. To learn more about how Safe Systems helps financial institutions and their CEOs develop well designed, compliant DR plans, explore our Managed Site Recovery solution.

13 May 2021

Banks, Compliance, Credit Unions Safe Systems 0 comment

Is Your Financial Institution BCM Compliant?

It’s been a few years since the FFIEC updated its BCM IT Examination Handbook and expanded its focus from “business continuity planning (BCP)” to “business continuity management (BCM).” While most financial institutions should already be aware of the updates to the handbook, it’s always beneficial for banks and credit unions to refresh their plan to remain up to date and compliant when it relates to business continuity.

In a recent post, Safe System’s compliance expert, Tom Hinkel, discusses five key points to keep in mind when evaluating your Business Continuity Management plan:

Resilience
Entities vs. Institutions
MAD vs. MTD
Exercises and Tests
Guidance vs. Requirements

In case you missed the full blog, view it here

06 May 2021

Banks, Credit Unions, Technology Marshall Jones 0 comment

After the Disaster: Real Community Banking Recovery Stories

Even the best-laid plans can go awry—especially after a disaster. Our real-life stories from actual community financial institutions underscore the importance of having an effective disaster recovery (DR) process in place.

It’s obvious that a disaster can strike anywhere and anytime. What’s less obvious is that a natural disaster doesn’t have to happen for a financial institution to implement its DR plan. For instance, a server room and all the equipment inside could become damaged by a fire or flood. A power outage or loss of a communications line could take out an institution’s phones, email, and internet. This could be devastating because communication is such an integral function of a financial institution.

Not knowing how long a power outage will last can further complicate the issue. If the outage stretches over a few hours or days, the institution should be thinking about implementing its DR process. But making that call can be difficult. That’s where having an outside team of DR experts available can be helpful. For example, we can help institutions quickly leverage Microsoft Azure for cloud site recovery. We can also assist with ongoing monitoring, maintenance, and testing to ensure the viability of their DR plan.

Real DR Stories from Community Banks

For example, a tornado struck one of our community bank clients and severely damaged its main office. The branch was rendered completely inoperable, unable to serve customers or employees. Fortunately, the critical servers that were housed in the building were not destroyed, and we were able to relocate them to a different branch location. The bank operated the servers from that site for a year while the main office was being rebuilt. Ultimately, we returned the servers to their original location and made the necessary reconfigurations to get everything functioning again. Moving the severs to a different place allowed the bank to avoid failback, which can be the most complicated aspect of the disaster recovery process.

Another DR scenario involves a financial institution on the South Carolina coast, where hurricanes frequently make landfall. In this case, a hurricane demolished the main office and completely flooded the location. As a result, the institution lost its servers, internet connection, and ability to communicate. The bank’s DR strategy relied on using 4G to restore internet connectivity, but the cell towers were down. Thankfully, the network had an old telecommunication circuit that we were able to get turned on and operational. So, after we dealt with the communication curveball, we were able to get the network—and bank—up and running again.

Community Bank in Alaska Shares Insights

It’s often the physical environment that determines the disasters that an institution may encounter. Potential hazards for Fairbanks, Alaska-based Denali State Bank include flooding from nearby rivers, jolting earthquakes, and volcanic eruptions on the Aleutian Chain. Therefore, Denali State Bank—which has $380 million in assets and 150 endpoints across five branches—focuses on ensuring that it has critical IT staff and services available during a disaster.

As part of its DR solution, the bank maintains a designated alternate site—one of its branches—that sits on a separate portion of the power grid. Denali also uses cloud-based Microsoft Azure, which makes it easy to run and test critical functions. During testing, the bank can shut down all connections to its main office (including large SQL servers), quickly spin up everything virtually through Azure, and establish connectivity through a Safe Systems co-location facility. This helps to ensure that vital functions will work properly to support the institution after a disaster.

Get more community banking DR insights. Listen to our webinar on “After a Disaster: Real Community Banking Recovery Stories” to make sure your institution is better prepared for an unexpected negative event.

29 Apr 2021

Banks, Credit Unions, Technology Marshall Jones 0 comment

The 4 “Rs” of Disaster Recovery

Organizations can be impacted by a natural or manmade disaster at any time. Having an effective approach to disaster recovery (DR) can help banks and credit unions meet their regulatory obligations, better protect themselves from the impact of a significant negative event and enhance their ability to bounce back and continue operating in the aftermath of a disaster.

There are four “R’s” when it comes to disaster recovery that every financial institution should focus on: Recovery Time Objective (RTO); Recovery Point Objective (RPO); Replication; and Recurring Testing. Here’s why each of them is integral to DR:

RTO

RTO, the longest acceptable length of time that a computer, system, network, or application can be down after a disaster happens, is a crucial facet of DR. Established RTOs essentially represent trade-offs, with shorter RTOs requiring more resources and ongoing expenses. When setting RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. Ideally, financial institutions will have RTOs predetermined before a disaster strikes, and the RTOs will be included in the institution’s Business Impact Analysis (BIA) as part of the business continuity planning process. Following a disaster, the recovery process will depend on the type of institution, technology solutions, and business functions as well as the amount of data involved. Institutions with an outside vendor guiding their disaster relief efforts typically have a more streamlined and less stressful recovery process.

RPO

The RPO represents the amount of time between a disaster occurring and a financial institution’s most recent backup. If too long, and too much data is allowed to be lost, it could result in substantial damage. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. The Information Security Officer (ISO) and management must define exactly how long they are willing to go without having a copy of their data available. As banks and credit unions become more dependent on technology, however, their tolerance for not having critical functions available shrinks. Increasingly, financial institutions are turning to outside vendors to bolster their recovery solutions, but they must ensure that those third-party providers are adequately equipped to satisfy their RPO requirements.

Replication

Effective DR replication is essential because it allows an exact copy of an institution’s data to be available and remotely accessible when an adverse event happens. DR requires the duplication of data and computer processing to take place in a location not impacted by the disaster. The best practice is to have one backup onsite and another offsite in a different geographic region—somewhere that is not likely to be affected by the same disaster. Options for recovery can take various forms: fully redundant systems at alternate sites; cloud-based recovery solutions (either internally developed or outsourced); another data center; or a third-party service provider; according to the Federal Financial Institution Examination Council (FFIEC).

Recurring Testing

Recurring testing allows banks and credit unions to pinpoint key aspects of their DR strategy and adjust as needed to accomplish their objectives. Thorough testing of a financial institution’s core applications should be done annually — while they are functioning normally — to generate the most meaningful feedback. The institution should employ a variety of tests and exercises to verify its ability to quickly resume vital business operations in a disaster situation. Regular testing can reveal possible problems in the institution’s DR plan so that it can immediately address these issues. The aim is not necessarily to pass each test or exercise, but rather to find and fix flaws before a disaster occurs.

Read more about how your bank or credit union can be better positioned to recover from a disaster. Download our “4 Rs of Disaster Recovery” white paper.

22 Apr 2021

Banks, Compliance, Credit Unions Marshall Jones 0 comment

Why a Comprehensive Disaster Recovery Service is Critical to Any Financial Institution’s BCM

As part of business continuity management (BCM), banks and credit unions must ensure they can maintain and recover their operations after a catastrophic event happens. Their BCM strategy should outline all the significant actions they intend to take after a natural disaster, technological failure, human error, terrorism, or cyber attack. The goal is to lessen the disaster’s impact on business operations, so the financial institution can continue running with minimal loss and downtime.

Disaster recovery (DR) is essentially the IT part of the business continuity plan. It should address the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software needed to get operations back to normal, based on the Federal Financial Institution Examination Council (FFIEC) IT Handbook’s Business Continuity Management booklet.

The Need for a Comprehensive DR Solution

Financial institutions must have effective DR measures in place to ensure they can deliver the resources their employees need to continue serving customers after a disaster. That’s why having a comprehensive DR service is so critical. The simplest and most cost-effective way to accomplish this is with a cloud-based solution.

With DR in the Cloud, institutions are always prepared to respond to natural and man-made disasters as well as infrastructure and technology failures. The Cloud allows institutions to access their data—no matter what kind of disaster strikes. This could be crucial if a severe storm does damage to an entire city and multiple locations of a community financial institution. The institution would not be able to handle DR on-site, making the Cloud the most viable option. The March 25th outbreak of tornados in central Alabama is a good example of the potential need for cloud DR. The tornadoes tore into hundreds of miles of Alabama forest and neighborhoods, causing significant damage, according to the National Weather Service.

The Cloud provides major benefits in any DR situation, including ease, expediency, and efficiency. If institutions have been doing ongoing backups, they can leverage the Cloud to initiate DR right away. The process is quick; recovery can take minutes instead of hours or days as it did for older DR solutions. However, it’s important to set up DR processes so that they are not subject to issues that can impact the institution’s main system. Take, for instance, the rapidly increasing problem of ransomware. It’s important to have cloud DR services structured so that the DR backups cannot also be infected with the same ransomware.

Essential Aspects of a DR Service

Another essential element for a cloud DR service is testing. The test results should be documented and available for Management and the Board of Directors to scrutinize. This can help institutions ensure their expectations are being met by the DR service. Institutions that are not using a comprehensive DR service are more likely to delay the testing and validation steps that are critical to business continuity planning (BCP). It’s basic human nature: IT admins tend to prioritize addressing urgent day-to-day issues over doing routine testing.

So, either testing doesn’t get done regularly or it doesn’t happen at all. A third-party DR service with a team of experts available can make sure testing gets done at the proper time. Another important issue for institutions is having IT staff available with the appropriate knowledge when a disaster strikes. With an external service provider, someone with the right expertise will always be there to execute the disaster recovery. So, the success of the institution’s DR plan will not depend on the availability of just a few employees.

A comprehensive cloud DR service offers substantial redundancy, reliability, uptime, speed, and value. It can give financial institutions the best bang for their buck. Not using cloud DR can be cost-prohibitive for many institutions, considering the hardware and software requirements, maintenance, ongoing testing, and documentation required. Ultimately, a cloud DR solution from an external service provider can give institutions the comfort of knowing their DR plan is being adequately tested and will work during a real disaster.

15 Apr 2021

Banks, Credit Unions, Technology Jamie Davis 0 comment

Latest Microsoft Updates Show Importance of Patch Testing

In early March 2021, Microsoft published some cumulative updates for different versions of Windows 10, including KB5000802. Unfortunately, the new updates and patches caused a variety of problems, including workstation crashes when printing, problems opening emails in Outlook, and some vendor products, such as Fiserv’s Navigator, not displaying correctly.

As a result, many people could not use printers from several popular brands such as Kyocera and Ricoh, and the new patches caused some users to experience the dreaded “Blue Screen of Death” (BSoD) when they clicked on the “print” option in some apps. Ultimately, Microsoft addressed the issue and rolled out a fix for the printer problems.

Importance of Patch Testing

The problems associated with Windows 10 KB5000802 serve as effective real-world reminders of the importance of patch testing as these issues could have been avoided by implementing proper testing procedures. Vendors are constantly releasing patches to correct software problems, improve performance and enhance security. But as the recent Microsoft incident clearly shows, patches can sometimes trigger new problems while trying to address existing ones.

All of this demonstrates why it is so important for banks and credit unions to test patches before installing them. Ideally, financial institutions should create a test group of the different kinds of machines and applications used in their environment and then apply any newly released patches to the elements in the group. Besides being a pragmatic approach, utilizing a test group also adheres to guidelines of the Federal Financial Institutions Examination Council (FFIEC), and it helps effectively protect institutions from downtime, security breaches, and IT issues.

Value of a Third-Party with Financial Industry Expertise Managing Patches

The problems surrounding the latest Microsoft patch also illustrate the value that a qualified third-party IT expert like Safe Systems can bring to community banks and credit unions. Through our meticulous testing process, which includes more than 2,000 machines running a wide variety of banking and lending applications, Safe Systems was able to identify both general PC issues and banking application issues related to the patch. This regimented testing process, which follows FFIEC guidance, enabled Safe Systems to minimize the impact on more than 25,000 financial institution devices. As a result, clients were able to avoid major hassles and headaches with a vast majority of their devices.

Safe Systems issued an official notification about the situation, spelling out the specific problem, impact, resolution, and action required for customers and eliminated the patch from the environments of clients that were having trouble. Customers using NetComply One to manage patches didn’t need to take any additional action—unless they still had problems after the patch was removed. For clients with lingering complications, Safe Systems’ fully staffed Network Operation Center (NOC) was available to resolve their issues quickly.

Safe Systems’ proactive actions to neutralize possible issues relating to the patch is a prime example of the benefit of our NetComply One solution. Part “product” and part “service,” NetComply One is a comprehensive patch management solution that offers quarterly advisement from Safe Systems experts. It provides valuable reporting and insight into potential issues to help community banks and credit unions pass audits and exams. To learn more about how NetComply One can help your financial institution, click here.

08 Apr 2021

Why Security Solutions Fail and What Your Financial Institution Can Do to Stay Safe Featured Blog Image_Header Image

Banks, Credit Unions, Security Safe Systems 0 comment

Proven Security Solutions to Keep Your Financial Institution Safe from Cybersecurity Threats

Why Security Solutions Fail and What Your Financial Institution Can Do to Stay Safe Featured Blog Image_Header Image

Like many other professional industries, the financial sector of business was forced to work from home due to the COVID-19 pandemic. With an unprecedented number of employees still working remotely, now more than ever financial institutions are susceptible to a cyberattack. The increased threat of a security compromise has prompted financial institutions and other organizations across the country to increase their cybersecurity posture to help prevent a future attack.

In a recent post, Safe System’s guest blogger, Keith Haskett, president and CEO of Rebyc Security, discusses 5 reasons security solutions fail, such as lack of multi-factor authentication or improperly configured spam filtering and what you can do to keep your institution safe. In case you missed the full blog, view it here.

02 Apr 2021

Banks, Credit Unions, Security Brian Brannon 0 comment

Is Cybersecurity Your Weakest Link?

SKIP AHEAD:

Importance of Being Secure
Malware and Ransomware
Internet of Things (IoT) Attacks
Phishing Scams
Lack of Third-Party Vendor Security
Insider Threats
Lack of Employee Training and Security Expertise
Combating Security Threats and Ensuring Institution Security
Managing Security Needs

Is Cybersecurity Your Weakest Link?

The financial landscape has changed drastically in the last 20 years, one of the most notable changes being the variety of financial services now being offered online. Although the wide-spread use of internet has made it possible to receive financial guidance from anywhere in the world, it has also created an environment where sensitive information and data could potentially be compromised by cybercriminals.

Today, professional hackers are spending more time and money than ever before to gain access to personal information for both monetary gain and “professional” recognition. The sensitive information that the financial services industry has access to continues to make them a prime target for hackers and other cybercriminals. Attacks can range from malware threats, DDOS attacks, phishing attempts and data breaches – all of which bad actors can use to commit fraud themselves or sell to a third-party.

Importance of Being Secure

Cybercrime continues to be a growing problem for banks and credit unions across the country. The impact of a cybercrime can be very costly for a financial institution, both financially and from a reputational standpoint. The main risks include theft or unauthorized access to sensitive customer information along with the disruption of normal business operations.

In addition, as the number of security threats continues to increase in the financial services industry, regulators are taking a closer look at financial institutions’ policies and procedures to ensure that they can effectively safeguard confidential and non-public information. As an example, the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) is designed to ensure financial institutions are prepared in the event of a cybersecurity attack. The FFIEC CAT is now the guide regulators are using to examine institutions and determine their level of cybersecurity preparedness.

Some of the most common security threats financial institutions face today include:

Malware and Ransomware

Ransomware has established itself as one of the leading cyber threats for many organizations, but especially financial institutions. Using ransomware technologies, hackers can gain complete access and control over legitimate websites, often by encrypting data or programs, and extort ransom payments from victims in exchange for restoring access to the individual or business. Malicious software, or “malware”, is no longer characterized by simple aggravating popups and sluggish computer performance, but rather the encryption of all data on a machine, rendering it unusable.

Internet of Things (IoT) Attacks

Unsecured Internet of Things (IoT) devices such as DVRs, home routers, printers and IP cameras are vulnerable to attack since they are not required to have the same level of security as computers. To breach a financial institution, attackers will target insecure devices to create a pathway to other systems. Unsecure IoT devices are also used to launch distributed denial-of-service attacks (DDoS) against institutions. These DDoS attacks prevent legitimate users from accessing computer systems, devices or other online resources. The perpetrator floods the victim’s machine or network with false requests from various sources to overload the system and prevent legitimate access. A well-executed attack can interrupt a host of banking services including website access, ATM networks, and online banking platforms, in addition to internal systems and functions.

Phishing Scams

Phishing scams that specifically target financial institutions’ employees, attempting to obtain sensitive information such as usernames and passwords, have become increasingly common within the last few years. The goal of phishing is to direct employees to a fraudulent website where they are asked to share login credentials and other personal information. The information that employees are tricked into providing then allow for cybercriminals to read a bank or credit union’s critical information, hack into the employee’s bank and social media accounts, send emails on an employees’ behalf, and gain access to internal documents and customer financial information.

Lack of Third-Party Vendor Security

While a financial institution might have the right security systems and policies in place to protect itself and its customers from a cyber-attack, its third-party providers may not have the same level of security and diligence. This creates a major vulnerability for the financial institution. Without a proactive approach to vendor management, financial institutions are opening themselves up to increased levels of risk that can have a negative impact on the institution’s financial standing, compliance posture and overall ability to serve its customers. Federal regulators have issued guidelines to help institutions better understand and manage the risks associated with outsourcing a bank activity to a service provider. The FFIEC IT Examination Handbook was revised to help guide banks to properly establish and maintain effective vendor and third-party management programs.

Insider Threats

Often, all it takes is a disgruntled employee or ex-employee to release valuable security information and compromise system and data security. Additionally, cybercriminals are increasingly realizing success through bribery as a means to entice bank employees to give up their login credentials or other security information, allowing direct access to internal systems.

Lack of Employee Training and Security Expertise

The COVID-19 pandemic has certainly brought its share of challenges to the financial sector of business, including increased network vulnerability and internal threats as employees transitioned to a remote work environment. These changes required cybersecurity personnel to change their online security baseline and continuously adapt to the changing IT security landscape. With the increased popularity of remote work, company IT staff are encouraging employees to take charge of their own online security through testing and training. The training includes topics like the importance of password security and multi-factor authentication and helps employees understand their roles and responsibilities in protecting against security threats. Until this learning gap is resolved, financial institutions will continue to struggle to efficiently manage cybersecurity threats.

Combating Security Threats and Ensuring Institution Security

While cybersecurity has become a major point of discussion among professionals within the financial industry, the truth is that many financial institutions are too complacent when it comes to protecting themselves. With hackers using advanced technology, the “bare minimum protection” is no longer enough to keep sensitive information safe. To adequately protect against security threats, financial institutions must ensure that every device on the network has up-to-date antivirus software, adequate firewall protections and that all patches are up-to-date as a minimum requirement. In addition, financial institutions should also employ a layered security strategy, from the end-user to the internet to establish a secure IT environment. Adding preventive, detective and responsive layers to IT security strategy will help strengthen an institution’s approach and build an effective security foundation.

A uniquely tailored layered security approach enables financial institutions to:

Monitor antivirus for servers, workstations, and off-site laptops
Use services that evaluate site lookups to avoid exposure to compromised websites
Scan the network for vulnerabilities and detect unusual activity against hackers and rogue employees
Block access to all external ports while also monitoring the access of various machines
Meet government regulations and requirements
Counter extortion threats by preventing a hacker from holding your customer’s personal data for ransom with special customized software for stopping ransomware
Patch machines, encrypt laptops, and install alerts on new devices plugged into the network

The security landscape is constantly evolving, and it is imperative to have a solid security plan in place that accounts for this evolution. It should be a fluid document that is frequently reviewed, updated and that specifically outlines administrative, technical, and physical controls that mitigate evolving risks. It is also important to test the full plan on a regular basis to ensure all procedures can be executed successfully and verify that all regulatory requirements are met.

Managing Security Needs

Many community banks and credit unions find that managing the security needs of their organization can be a time-consuming and challenging task. To help augment the security responsibilities, these institutions are turning to financial industry-specific IT and security service providers to act as an extension of their organization, provide timely support, and help the financial institution successfully design and execute a comprehensive security strategy. The right solution provider couples security measures with an understanding of and support for the unique security and compliance demands of the financial industry.

At Safe Systems, we believe that proactively protecting customer data will always be more cost effective than falling victim to malicious activity. To that end, we have the unique expertise to ensure that financial institutions employ the right combination of both broad and specific security products to create an ecosystem of protection. Safe Systems helps secure an organization’s endpoints, devices, and users by assessing vulnerabilities, detecting unwanted network activity, safeguarding against data loss, and preventing known threats while staying ahead of developing ones.

01 Apr 2021

The Security Evolution Featured Blog Image

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

The Security Evolution: The Integration of Security and Technology in Your Bank’s Infrastructure

The Security Evolution Featured Blog Image

Financial institutions and other organizations face a head-spinning number of information security risks—and the threats are becoming more complex and difficult to detect. In 2020, the FBI’s Internet Crime Complaint Center received a record number of complaints: 791,790, with reported losses exceeding $4.1 billion. The complaints—many of which included sophisticated phishing emails, business email compromise, and ransomware—represented a 69-percent increase in total from 2019, according to the FBI 2020 Internet Crime Report. In almost every case, a financial institution was involved; either as the direct target, a payment intermediary, or the account holder (victims) source of funds.

Importance of Resilience

With IT security, one of the primary goals for financial institutions is to minimize operational risk by limiting downtime; a process also referred to as “resilience”. Formally defined as the “…ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions…”, resilience also includes the ability to withstand and recover from deliberate attacks or naturally occurring disasters.

Resilience extends beyond after-the-fact recovery capabilities to incorporate proactive measures for mitigating the risk of a reasonably anticipated disruptive event in the overall design of operations and processes, including IT infrastructure. Resilience strategies, including maintaining security standards, should extend across the entire business, including outsourced activities. Because of the constantly changing threat environment, banks and credit unions should be regularly refining their security strategies. But it can be challenging for institutions to effectively manage the resources required to create a resilient infrastructure, including the staff, hardware, software, facilities, utilities, and other resources required to support operations. This monumental task encompasses everything from technology and telecommunications infrastructure to the critical dependencies provided by third-party service providers.

With so much complexity, having integrated security controls that coordinate and communicate with each other can make it easier for institutions to detect and prevent an incident before it happens, and to respond and recover afterward. Integration involves blending separate technology and controls into a single system that simplifies the work of short-staffed, time-strapped IT departments. The integration of security technology can ensure that financial institutions have a more manageable—and sustainable—approach to addressing the increasing volume and sophistication of security threats that they encounter.

Compliance and IT Security Integration

Of course, the rationale for integrating security and technology goes beyond the practical need to safeguard an institution’s information, infrastructure, and other assets, as it’s also a matter of compliance.

Information security should be embedded within the institution’s culture, according to the Federal Financial Institution Examination Council (FFIEC), and an institution’s security culture contributes to the effectiveness of its information security program. In fact, the FFIEC IT Handbook’s Information Security booklet indicates that “an institution with a stronger security culture generally integrates information security into new initiatives from the outset and throughout the life cycles of services and applications.”

Financial institutions should have a robust and effective information security program that supports their IT risk management process, according to FFIEC guidelines. Based on the FFIEC IT Handbook’s Information Security booklet, an effective IT program should:

Identify threats, measure risk, define information security requirements, and implementing control
Integrate with lines of business and support functions in which risk decisions are made
Integrate third-party service provider activities with the information security program

Third-party Management

Integrating third-parties into your security program is not just accepted by the regulators, it’s expected. According to the FFIEC, “In many situations, outsourcing offers the institution a cost-effective alternative to in-house capabilities…without the various expenses involved in owning the required technology or maintaining the human capital required to deploy and operate it.” However, the FFIEC goes on to recommend that institutions who elect to outsource technology, line of business activities, and support functions, ensure the integration of these activities with their information security program through an effective third-party service provider (vendor) management program. The FFIEC IT Handbook’s Information Security booklet asserts that: “Effective integration of these programs is evident when the institution creates and enforces expectations that align with the internal information security program in such a way that the combined activities of the institution and its third-party service providers result in an acceptable level of risk.”

Security threats will always be a constant challenge, but successfully integrating security and technology within an institution’s banking infrastructure can help institutions win the fight. Safe Systems provides banks and credit unions with an array of compliance-focused IT services to help them improve their overall security posture. Our proven experience, paired with our compliance-focused technology and security solutions, enables financial institutions to significantly strengthen their resilience by seamlessly aligning compliance and security.

25 Mar 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

The ISO in 2021: New Challenges and Expectations Require a New Approach

The ISO in 2021 Featured Image

One of the key lessons financial institutions learned from the COVID-19 pandemic is that regardless of new challenges and seemingly constant change, they were expected to ensure their customers and members continued to receive products and services uninterrupted. The past 13 months (and counting) have been a live exercise in operational resilience.

The current crisis—perhaps more than any even prior—has underscored the true scope of the Information Security Officer’s job. Technically, there are only eight broad areas of responsibility for ISOs outlined in the Federal Financial Institution Examination Council (FFIEC) IT Handbook’s Management booklet. But the actual scope of ISO accountability spans at least 36 elements. One of the key challenges and responsibilities of the ISO is stakeholder reporting, which is intricately linked to accountability. The relationship between responsibility and accountability is that while the ISO is responsible for making sure critical InfoSec tasks are completed, they are also accountable to the various stakeholder groups, which requires providing documentation that a task is being completed a certain way, with a certain group, or with a certain frequency.

To meet their accountability obligations, because information security is pervasive, ISOs must be engaged at all levels across the enterprise and in all lines of business. This requires understanding every place that data is stored, processed, or transmitted—whether it involves a customer or member, employee, or vendor. The ISO also needs to be aware of the latest emerging risks and be able to implement an effective mitigation strategy. Ultimately, ISOs need to be effective at translating information to the board, management committee, and IT auditors and examiners, in a manner in which these various stakeholders are best able to consume and comprehend it.

The expectations for ISOs also extend beyond the traditional area of ensuring the confidentiality, integrity, and availability of data. ISOs are also responsible for minimizing the disruption or degradation of critical services—which has emerged as the more urgent necessity during recent pandemic and cyber events.

Some of the early challenges ISOs faced during the pandemic ranged from the technical, such as securing virtual private network access, to the administrative, such as ensuring that employees have signed acceptable-use policies and remote-access agreements. Fortunately, we’ve found that most institutions adjusted well to the initial hiccups, resulting in minimal degradation in their services. However, cybersecurity promises to keep that pressure on for the foreseeable future, even post-pandemic.

Predictably, financial institutions are now seeing more exam scrutiny in three areas.

Business Continuity Management (BCM)

When the FFIEC implemented a BCM update in 2019, it created new terminology and new expectations that are finally beginning to emerge in exam findings.

Strategic Planning

The expectation for additional strategic planning is calling for more formal project management procedures. On the IT examination side, FIs are receiving requests for “pre-initiative” risk assessments, meaning that ISOs are expected to assess the risks of a project or initiative before they even agree to move forward and select a vendor. The FFIEC’s Development and Acquisition Handbook states that “Poor planning often contributes to projects failing to meet expectations.” This early stage is referred to as the “initiation” or “feasibility” phase of the project. Once the project clears this phase and moves forward, a vendor or vendors are selected, and vendor due diligence and on-going management can proceed. As the project proceeds to completion, management should be kept informed.

Board and Committee Reporting

Which is now focusing on not just what gets reported, but the frequency of the reporting as well. Suffice to say that the traditional annual updates won’t get it done going forward.

A New Approach to Virtual ISO Services

With ISOs being forced to wear multiple hats, some institutions are choosing to leverage a virtual ISO solution. Whether outsourced, insourced, or a hybrid virtual ISO model, each offers varying levels of service, flexibility, and support. Further still, several FIs are leveraging technology in tandem with security expertise to support their ISOs.

Safe Systems’ ISOversight is a proven risk management solution that provides complete and comprehensive accountability for the responsibilities of the ISO position. This third-party solution assigns a dedicated ISO oversight lead who understands the details of the institution’s environment and provides institutions with expert guidance and access to additional resources. ISOversight is an ideal asset for new (or frankly, overwhelmed) ISOs that may be struggling to keep up with the complex responsibilities of their position. And now with federal and state examiners tightening their level of scrutiny, ISOversight is proving even more crucial for institutions that need to enhance their information security expertise.

To learn more about how Safe Systems is supporting ISOs in the industry, listen to our webinar on “The ISO in 2021: A New Approach to New Challenges and Expectations.”

18 Mar 2021

Banks, Credit Unions, Security Jamie Davis 0 comment

Top Phishing Scams and Emerging Trends Your Bank or Credit Union Staff Should Be Aware of

Phishing—the practice of using fake emails and other schemes to obtain sensitive information or data, such as usernames, passwords, or credit card details—continues to be one of the most prevalent security threats today. This blog covers some of the top phishing scams, as well as some new trends, that banks and credit unions should know about, so they can better protect themselves.

Top Scams

One of the most widespread and potentially devastating types of phishing scams is “impersonation phishing,” according to the Q1 2021 Financial Crime Report by Feedzai, a data science company that prevents, detects, and remediates fraud risk for financial institutions. With this tactic, cybercriminals target people by a phone, text, or email claiming to be from a financial institution or government agency. The objective: Convince the potential victim to make some kind of payment, which will enable the culprit to access the person’s credit card or financial account. Or the impersonator might send a “Suspicious Account Activity”’ email from a financial institution, asking the targeted individual to log into their online account and verify a transaction. Then when the person logs in using the button or link provided in the email, the attack ensues.

Spear phishing is another common con that financial institutions should have on their radar. Almost two-thirds of all known groups carrying out targeted cyber attacks use spear-phishing emails, according to Symantec’s 2019 Internet Security Threat Report. Many of these attacks originate from hijacked business email accounts, and as a result, can be quite effective. The perpetrator normally already knows some information about the recipient, so the fake emails appear to be legitimate.

Clone phishing, a variation of spear phishing, involves the attacker recreating or cloning a legitimate and previously opened email with a new attachment or link included. The duplicated email is then sent with an infected attachment that can be used to control or steal information once clicked or downloaded.

Top Emerging Trends

A new approach that banks and credit unions should know about is “vishing” (or voice phishing). Cybercriminals are now using Voice over Internet Protocol (VoIP) platforms to launch vishing attacks against employees worldwide, the FBI warns. In these cases, vishers try to get users of VoIP platforms to pick up the phone and authenticate themselves on a phishing website designed to steal their credentials. Vishing scams have now evolved to the point where perpetrators are successfully faking caller IDs and pretending to be someone else.

We are also seeing phishing scammers modifying their basic tactics. Many are now sending emails that simply ask for “urgent attention” rather than payment transfers, which suggests they are altering their approach to bypass standard fraud-prevention methods. They’re also using strategies like the “Zombie Phish” which involves taking over an email account and responding to an old email conversation with a new phishing link. Additionally, phishers have started using shortened URLs, which have an easier time getting past filters and vigilant employees.

As an evasive strategy, attackers link potential victims to the websites of trusted cloud filesharing services like SharePoint and OneDrive. Consider this: More than 5,200 SharePoint phishing emails were reported in a 12-month period, along with almost 2,000 attacks involving OneDrive, according to Cofense Intelligence’s Q3 2020 Phishing Review. More advanced phishing campaigns are also employing unusual attachment types to elude the controls imposed by secure email gateways. For example, .iso files are being renamed to .img files to sneak malware through a gateway.

Ultimately, the best defense against phishing is human intelligence, so training employees to detect this type of fraud is essential. Financial institutions can also take advantage of third-party information security services to strengthen their security posture against phishing attacks. Safe Systems, a national provider of fully compliant IT and security services, is enabling institutions to win the cyber battle against phishing through a full spectrum of solutions specifically designed to help community banks and credit unions enhance their security posture.

11 Mar 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s essential that banks and credit unions maintain segregation of duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the overall health of their operations.

From a regulatory standpoint, the separation (or segregation) of the ISO’s duties is the corrective action to a concentration of duties finding. Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Information Security booklet. The booklet states: “ISOs should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management.”

The FFIEC also provides guidance on this matter in the IT Handbook’s Management booklet. “The institution should separate information security program management and monitoring from the daily security duties of IT operations. The IT department should have personnel with daily responsibility for implementing the institution’s security policy,” the booklet explains. “Responsibility for making changes and granting exceptions to policy should be segregated from the enforcement of the controls.”

Oversight Is the Key Issue

The importance of isolating the ISO’s duties comes down to oversight as separating the functions of the ISO and network administrator helps to create a clear audit trail and ensures that risk is being accurately assessed and reported to senior management. Without proper oversight reporting, financial institutions and their Boards lack a clear picture of their information security posture and can face other negative repercussions, such as downgrades in their Management IT component.

If, for instance, the ISO shares administrative duties and an administrator account, oversight dynamics can be undermined. As an example, the admin may have day-to-day responsibility for patch deployment, but the ISO is ideally suited to monitor and validate the overall patch management program—not the network administrator. The ISO has a higher-level, enterprise perspective of the impact of day-to-day activities; whereas the admin is at the ground level and may not always be capable of accurately assessing the full impact of performing, or not performing, a particular task. In addition, the definition of “oversight” is basically having another set of eyes validate the actions of someone else.

Understanding the Role and Duties of the ISO

The ISO’s oversight role primarily serves to ensure the integrity of a financial institution’s information security program. In essence, by segregating the admin/ISO duties, ISOs are the “other set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders.

The responsibilities of the ISO are clearly outlined in the FFIEC’s Information Security and IT Management booklets. Some of the ISO’s key duties include responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.

However, in fulfilling these obligations, ISOs are expected to continually meet a high standard of information privacy and security. It’s imperative for institutions to not only assign the proper responsibilities to the ISO but to also select the right individual to assume the role.

Banks and credit unions often have difficulty designating an ISO with the appropriate technical and regulatory compliance expertise. Institutions in rural or small communities—where the talent pool is meager—might even have their chief financial officer or chief operations officer wear the hat for this “part-time” job. Regardless of these challenges, community institutions are expected to maintain the same level of segregation of duties as larger institutions. Size and complexity considerations may allow for some leeway in the timing of the separation, but not the ultimate outcome.

Leveraging a Virtual ISO

For every responsibility, there is an associated piece or set of documentation that must be provided to demonstrate adherence to and alignment with your formal written procedures. Not having an ISO with the requisite knowledge and/or time to effectively manage the assigned responsibilities of the position can result in control failures—and possibly policy or procedure non-compliance. In some cases, financial institutions may have a separation of duties “on paper”, but not so in practice. Again, the absence or presence of oversight is the key.

In fact, feedback from examiners indicates that because of the lack of oversight, there is a certain level of concentration of duties that cannot be adequately addressed internally. But institutions can remedy this problem by engaging a third-party, virtual ISO to add assurance that all responsibilities are being successfully addressed. A virtual ISO can provide another set of eyes and an independent layer of oversight on top of what the institution already has in place internally.

Virtual ISO services from Safe Systems, a national provider of fully compliant IT and security services, can be the ideal solution for community banks and credit unions. Safe Systems has proven experience in providing institutions with dependable technical expertise to ensure there is adequate separation of ISO-related duties within their organization—enhancing network security and significantly increasing regulatory compliance.

04 Mar 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

5 ISO Duties that Can Be Automated for FIs

Information security officers (ISOs) at financial institutions typically have myriad responsibilities on their plates, and each of those responsibilities comes with one or more forms of documentation to verify the actions taken. While these duties relate to the main categories of network security and regulatory compliance, there are a host of functions that fall under the ISO’s oversight role.

Fortunately, many ISO responsibilities can be automated in some areas to facilitate the management of the institution’s information security program. Here are five of them:

1. Business Continuity Management (BCM)

ISOs are responsible for overseeing and coordinating BCM, providing detailed guidance on how to recover from a business interruption, and ensuring that the appropriate people, processes, and technology components that make up the network of interdependencies are also restored. Automation can make it easier for the ISO to identify the interdependencies, complete the annual updates, and conduct the training exercises and testing required. Automation can also enable alerts for tasks due by process owners, and generate reminders for annual plan board approval, and report the test results to the board. While the tests for BCP cannot be automated, the documentation and reporting of the tests can—something that can significantly streamline the ISO’s oversight responsibilities and make it much easier to locate these documents at audit and examination time.

2. Updates to the Information Security Program and Information Security Risk Assessment

Automation can provide alerts to help ISOs keep abreast of updates from regulators. Then the ISO can easily pull reports on the revised areas to present them for board approval. Essentially, it’s plan maintenance that can be automated—although some interpretation is needed to support the process. Automation can prevent an institution’s information security program from becoming out-of-date (which can happen easily when an ISO is relying on manual processes for management) as failing to make an important update can have significant, negative consequences. For instance, if management misses a major BCP update, or an annual test, or board reporting, auditors may construe this as a general weakness in management, and scrutinize other areas more closely, such as lending practices or financial reporting. Automation can help institutions avoid inadvertent missteps and resulting hassles within their information security program.

In addition, many recent examination findings relate to inconsistencies between the institution’s policies (what they say they do) and their procedures (how they say they will do them). Automation, when combined with integration between applications, can greatly reduce this probability by easily propagating policy and procedural changes throughout all elements of your information security program. For example, sometimes financial institutions will update their BCM plan but might be lax with other policies—something that can result in a disconnect between different policies. In this case, one policy may refer to a process that is no longer being used; or a policy may contain conflicting references for a process that has been updated. These and other kinds of inconsistencies are virtually impossible to catch without automation and integration.

3. Tracking Audit Exam Findings

Unresolved, or “repeat” findings are usually treated very harshly by regulators. Making sure that all audit and exam issues are resolved in a timely manner is crucial. Automation can rate the severity, assign them to a responsible party, assign a due date for resolution, and sending “ticklers” and reminders as the dates come due. At the end of the process, the ISO can quickly generate reports to provide to the institution’s board, examiners, and other stakeholders. Alerts and on-demand reporting can enhance accountability for addressing each of the findings to improve internal controls and other areas.

4. Managing Third-party Relationships

Financial institutions are required to manage the risks of their third-party vendors and the responsibility to assure this is done falls squarely on the shoulders of the ISO. Institutions can use automation in every aspect of their vendor relationship management, including alerting and tracking of periodic updates to the risk assessments, annual updates to the control reviews, contracts, and contract renewals. With automation, the ISO can instantly identify required tasks and produce the necessary documentation related to its vendor management activities.

5. Cybersecurity

Cybersecurity is an important sub-component of information security, and automation can significantly enhance the ISO’s multiple oversight efforts in this area. An automated system can remind ISOs to verify that crucial assessments are completed, including the annual Cybersecurity Assessment Tool (CAT) and the Ransomware Self-Assessment Tool (R-SAT). Alerts can be scheduled to prompt ISOs to conduct annual incident response tests, a gap analysis, and cybersecurity training for employees and the board. And on-demand reporting can keep all stakeholders informed on the progress of your cybersecurity efforts.

One final thought about automation; when the application is combined with a provider familiar with, and dedicated to, the regulatory environment of the financial institution, you do not have to worry about a non-compliant policy or procedure. All necessary regulatory and best practice updates are built-in to the automation.

As a national provider of fully compliant IT and security services, Safe Systems offers a variety of innovative solutions that can help financial institutions automate some of the important responsibilities of their ISO.

25 Feb 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Five Key Areas of Focus for Your Regulatory IT Exam

Key Areas of Focus for Your Regulatory IT Exam

We’re back with part two of our IT Exam Prep blog series.

Picking up where we left off, there are five key areas where we expect you’ll likely be scrutinized closely at your next exam cycle:

Cybersecurity
Business continuity management
Outsourcing and third-party vendors
Governance and management engagement
Strategic planning

Of these, the most challenging, and most important, for smaller institutions might be governance and management engagement; the CAMELS “M”. This is true because often smaller institutions may have a more informal reporting structure.

For example, relevant issues may be discussed in committees and may even be reported upstream—but they may not be sufficiently documented. The issue is not just a matter of how you engage and report to senior management and the board, but rather, how you document that the necessary practices are in place. This is important when discussing day-to-day operational matters, but even more important when addressing issues of long-term strategic significance.

Although documenting management engagement can be particularly challenging, institutions must focus on all areas when prepping for an exam. You may not have time to rigorously prepare for every aspect, but you cannot afford to be lax in any one area, as examiners expect all areas of information security to be addressed. However, even if you are not where you need (or want) to be in any particular area, knowing where you are will often buy you additional time.

Our experience is that examiners will often give you additional time to address an issue if they know A) you are aware of it, and B) you have a plan in place (including a timeline) to address it. In short, if you haven’t had the opportunity to conduct a BCM exercise in the past 12 months, at least acknowledge it and have one on the calendar for the near future.

Ransomware on The Rise

As we discussed here and here, both the pandemic and cybersecurity will continue to dominate the infosec landscape for the foreseeable future, and because of that, are sure to receive special consideration during your next exam cycle. In particular, ransomware is a hot-button issue for examiners as attacks have been accelerating and cybercriminals capitalize on the security vulnerabilities and disruption caused by more employees working from home.

These malicious destructive malware attacks are becoming more targeted, more sophisticated and more costly, according to the FBI. Even more disconcerting is the fact that modern ransomware variants can not only lock data in place so that it’s no longer available to the institution but also exfiltrate data, making a secondary data disclosure attack much more likely. Another recent variant locks your data and initiates a distributed denial of service (DDoS) attack against your website if you don’t respond.

Resiliency

One common denominator between all five areas of focus is the concept of “resiliency”, which is the ability to withstand and recover from unplanned and unanticipated events. Examiners increasingly want to see a proactive approach to resilience, and when institutions implement the proper measures ahead of time, this can reduce their risk of operational downtime during a cyberattack, pandemic, natural disaster or another event.

Simply put, once ingrained into your practices and procedures, the reactive measures taken today become the proactive measures of tomorrow. Also, don’t forget to build resiliency into all future initiatives. If the initiative is important enough to implement and maintain, it’s important enough to protect from downtime.

Today, banks and credit unions are taking advantage of a host of resources to mitigate ransomware and other IT security issues, including the Cybersecurity Assessment Tool (CAT), the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and the Ransomware Self-Assessment Tool (R-SAT). In addition, consulting with a third-party IT expert can help institutions better prepare for assessments and respond to difficult questions from examiners.

The bottom line is that regardless of the format regulators require for an examination, you can expect them to address a wide variety of areas. So, focus on the areas outlined here and in part one of this series, but be prepared to discuss all the relevant actions your institution is undertaking.

23 Feb 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Financial Institutions, Know What to Expect at Your Next Regulatory IT Exam

Part 1 - Financial Institutions, Know What to Expect at Your Next Regulatory IT Exam

While sometimes the IT examination is separate, most of the time it’s incorporated into the Safety & Soundness exam. Regulatory examinations like Safety & Soundness are designed to assess the financial health and risk management practices of a financial institution, and the results are expressed as a number “grade” from 1 (highest) to 5 (lowest). An information technology (IT) exam is narrower in scope and utilizes four components to assess information management maturity: Audit, Management, Development and Acquisition, and Support and Delivery (AMDS).

With the twin challenges of the Pandemic and cybersecurity continuing into 2021, on top of an already full plate of regulatory expectations, it’s critical for institutions to be prepared to address all IT issues to meet regulator expectations and ensure their safety and soundness.

So exactly what should financial institutions expect at their next IT regulatory exam? We’ll break it down in a two-part IT Exam Prep blog series.

The Pre-examination Questionnaire

On one hand, anticipating the exam elements is relatively straightforward, as the examiner will provide a pre-exam questionnaire. This is somewhat akin to an open-book test where the questions are provided ahead of time.

However, there is no single standardized questionnaire that all regulators adopt—and there likely won’t be in the foreseeable future. (The InTREx was an attempt by the FDIC a couple of years ago to standardize the process, but it is not yet caught on universally.) So, when the examiner sends his or her pre-exam questionnaire, that essentially provides the framework you should follow to prepare for your examination.

Nevertheless, bankers should expect a certain amount of the unexpected. While you should expect examiners to closely adhere to the pre-examination questionnaire, there will most likely be “curveball(s)” included. Curveballs are deviations from the questionnaire that could trip you up if you’ve followed it too strictly.

But if you’ve done your job correctly and addressed all infosec matters adequately since your last exam, you are better positioned to pivot when you need to during the exam. In other words, treat the pre-exam questionnaire more as a starting point than a checklist. And if you find yourself presented with a difficult question, do not respond with anything you are not 100 percent sure of, and that you know you can document. It is perfectly acceptable – and advisable — to wait and answer the question later when you have the appropriate information available.

One final point about examiner interaction: we strongly advise that your ISO be the primary point-person for the exam.

In most institutions, the ISO has the broadest and deepest knowledge of your information security procedures and practices. The ISO can bring in others as needed (network admin, internal audit, external providers, etc.), but they should still stay very close to the conversation. We’ve seen many situations where someone other than the ISO is interviewed by the examiner, and because of the person’s comparative lack of knowledge, it has resulted in exam findings that otherwise could have been avoided.

To ensure your financial institution’s next regulatory IT exam is a success, stay tuned for part two of our IT Exam Prep blog series, where we will dive into the key areas of focus you can expect to be evaluated on.

18 Feb 2021

Is Your FI Ready to Move to the Cloud? | Webinar Recap

Banks, Credit Unions, Technology Marshall Jones 0 comment

Webinar Recap: Is Your FI Ready to Move to the Cloud?

Is Your FI Ready to Move to the Cloud? | Webinar Recap

With organizations in virtually every industry employing cloud computing to enhance their infrastructure, cloud adoption is becoming mainstream. But is your bank or credit union ready to make the move to the Cloud?

Before you attempt to answer this question, start with why you should be considering the Cloud. There are significant benefits to using cloud-based solutions: guaranteed uptime; rapid scalability for expanding or reducing resources; flexibility for reprovisioning; and improved redundancy. Another important—but often undervalued—reason for moving to the Cloud is ease of use. The Cloud simply makes it easier for IT administrators to do their jobs and easier for financial institutions to manage infrastructure costs. Instead of buying, owning, and maintaining physical data centers and servers, institutions can procure IT resources over the Internet on an “as-needed” basis with true “pay-as-you-go” pricing. This kind of arrangement can be especially appealing to a de novo, a growing bank, or any institution wanting a more efficient, cost-effective way to manage IT-related expenses.

In addition, cloud systems offer the key advantage that they’re built from the ground up to cater to remote users. Bank and credit union employees can access the same tools, applications, and resources using the Internet whether they’re working on-site, from home, or in another location, making the Cloud the ideal tool for both remote work and collaboration.

Determining When to Make the Move

So how do you know if your financial institution is ready to move to the Cloud? The main indicator is whether management is supportive of the idea or feels implementation would be too burdensome. If your institution can’t manage the research, preparation, and challenges involved with cloud migration, it may not be the best time to make the transition.

One obvious sign that you are ready for the Cloud is if your organization is steadily growing and needing to augment resources. Perhaps you’re looking at expanding to new servers or rethinking your current architecture. Maybe it’s a situation where you’re tired of being stuck in a cycle of dealing with replacement projects for new servers. If you’re looking at replacing multiple servers that are running out of warranty, it could be the opportune time to move some of that workload up to the Cloud.

Transitioning Slowly

Moving to the Cloud can be a complex undertaking, but the good news is that your institution doesn’t have to make the leap all at once. In general, it’s best to be slow and methodical. This strategy can involve transferring one aspect at a time over several years. We are seeing a number of institutions start with moving their disaster recovery solution to the Cloud or using a “brick-by-brick” approach by migrating one or two servers at a time.

Don’t forget, the Cloud isn’t just a new tool, it’s a whole new world. Once your institution makes the jump to the Cloud, you need to monitor and manage the systems in the Cloud going forward. As with everything in IT, some adjustments may be needed over time. If you engage with a trusted partner for cloud services, they may be able to assist with your ongoing monitoring and management of your resources in the Cloud.

For more insights about cloud migration, watch our webinar on “Are You Ready to Move to the Cloud.”

11 Feb 2021

Banks, Credit Unions, Security Jordan Hendrix 0 comment

Using Advanced Firewall Features and Other Technologies to Strengthen Network Security

A traditional firewall can only do so much to protect a network against the invasive security threats that financial institutions are facing. Add to that, cybercriminals are becoming more sophisticated and creative with their schemes, meaning banks and credit unions need more advanced defensive measures in place.

Malware and other cyber threats have been steadily increasing—especially against financial institutions, which are 300 times more likely than other companies to be targeted by a cyberattack, according to research by Boston Consulting Group. Institutions can capitalize on next-generation firewall (NGFW) features and other advanced technologies to increase the likelihood of warding off attacks, including:

Antimalware Scanning

Malware is intentionally designed for a perverse purpose: to damage a computer, server, client, or computer network. To keep malware at bay, banks and credit unions can use antimalware to thoroughly scan their computer network and detect and remove malicious ransomware, spyware, and other software that might be lurking on the system. Taking this proactive step can help institutions keep their network from being damaged, disrupted or compromised and overall improve the delivery of their services in a safe and secure manner.

Dynamic Threat Feeds

Threat intelligence data feeds can provide institutions with constantly updated information about potential sources of attack. Industry-specific feeds deliver up-to-date information on the latest security threats in the banking industry. Dynamic threat feeds make it easy for institutions to permit “good” network traffic in and “bad” traffic out while ensuring critical processes continue to work.

Dynamic threat feeds, essentially, take valuable parts of the information related to establishing connections and find similarities within them to act on potential or current threats. A key type of threat intelligence feed that institutions can implement are GEO-IP threat feeds. With this technology, a bank can map an IP address to the geographic location of an Internet-connected computing device. Then, they can analyze the Geo-IP data to detect threats from high-risk locations to improve their security posture. This analysis can be accomplished with processing times equal to less than a few milliseconds.

Another effective threat feed that institutions can use is IBM X-Force Exchange. This cloud-based threat intelligence platform allows banks to consume, share, and act on a variety of threat intelligences. IBM X-Force enables users to quickly research the latest security threats, gather actionable intelligence, consult with experts, and collaborate with peers. They can also integrate other tools to facilitate configuring feeds, providing a major benefit for smaller institutions with fewer resources. With dynamic threat feeds, banks and credit unions can have greater peace of mind with their firewall and security posture.

TLS/SSL Inspection

NGFWs offer capabilities that go beyond traditional firewalls, including inspecting TLS/SSL encrypted traffic. TLS/SSL technology helps protect online traffic; it creates an encrypted link between a web server and browser, ensuring the privacy of the data being transmitted. TLS/SSL inspection is important because it allows firewalls to scrutinize this encrypted web traffic and close holes in security. These security gaps could be exploited by would-be cybercriminals who attempt to use encrypted traffic for malware to circumvent the firewall’s inspections.

TLS/SSL traffic inspection allows institutions to decrypt traffic, inspect the decrypted payload for threats, then re-encrypt the traffic before it enters or leaves the network. Such deep content inspection can better protect institutions from internal and external risks. This makes TLS/SSL inspection the ideal defensive weapon against menacing malware and other security issues.

Sandboxing

Sandboxing can also help institutions augment their network security efforts. Traditional firewalls evaluate traffic based on static factors like where it originated, it is destination going, and the port being used. However, these are no longer sufficient for combating modern security threats. Sandboxing—physically or virtually segmenting a system, network, or entire environment—creates a secure location to test and neutralize potential hazards. Having a safe space to “detonate” payloads for analysis results in less risk and damage to the production environment, and, ultimately, enhances network security.

For more information about using advanced firewall features and other technology to strengthen network security, read our “Improving Security Posture Through Next-Generation Firewall Features” white paper.

04 Feb 2021

Banks, Credit Unions, Security Greg Batore 0 comment

Does Your Financial Institution Have the Right Security Layers in Place to Combat Today’s Threats?

In 2020, 80 percent of firms experienced an increase in cyberattacks, and the pandemic was at the root of a 238-percent spike in attacks on banks, according to Fintech News. In a world of ever-increasing cyberattacks, does your bank or credit union have the appropriate security layers in place to effectively thwart these threats?

There are some proven, preemptive measures that financial institutions should take, including:

Effective Log Analysis

Logs record every activity and event that occurs on a network, providing valuable clues about potential performance, compliance, and security issues. But it can be challenging for an institution to analyze, manage, and tailor all the log data that it receives—which can exceed millions of lines in just a 24-hour period. Without sufficient data analysis tools, information technology (IT) professionals are severely limited. They have to depend on their own processing capabilities to manually analyze data, which can be a labor-intensive, mistake-prone task.

Effectively managing log analysis has become more problematic with shifts in the security landscape: the expansion of security features, increase in firewall complexity, rapid emergence of new security threats, and constant growth in endpoints. This creates a situation that no security team can effectively manage on its own without some level of automated log collection and analysis.

With this technology, firewall logs are sent to a device that deftly collects and interprets the data. Information is then displayed in a format that is more readable, searchable, and useful for security engineers. While this process can go a long way toward improving the gathering of raw data, institutions can do even more to enhance their log management by building in additional security layers through the automated threat identification.

Log analysis automation equips security professionals to more effectively receive alerts about current and possible threats. Many banks and credit unions have limited personnel and expertise available to analyze their vast amount of traffic logs manually. But automated log analysis allows institutions to maximize their resources by leveraging more advanced technologies, like artificial intelligence (AI), cloud-based computing, and big data to collect alerts more efficiently.

Improved Education and Continuous Improvement

Staff training and education are also an important aspect of solidifying an institution’s security posture, and institutions can employ a variety of tactics to ensure their employees are better able to interpret and respond to alerts. Bank tellers, loan officers, and administrative staff all benefit from informative seminars, brochures, and other learning opportunities. Information security operations personnel can improve simply by calling on experienced colleagues to share their expertise in a more informal exchange of information. These combined efforts can help institutions minimize the number of threats and manage their operations more efficiently on a daily basis.

Financial institutions must also commit to continuous improvement in regard to their firewall security. While enhancing log analysis is not an exact science, there is value in institutions asking targeted questions to help determine the need for specific enhancements to help ensure that the most actionable and best information is being presented to the individuals who need to review it.

Integrating Advanced Technologies

Additionally, banks and credit unions should leverage next-generation firewall (NGFW) features and other advanced technologies – like dynamic threat feeds – to optimize their security initiatives, helping ensure they allow “good” traffic in and keep “bad” traffic out while maintaining critical processes.

NGFWs also enable financial institutions to perform functions beyond that of a traditional firewall, including deeper inspections of transport layer security (TLS) and secure socket layer (SSL) encrypted traffic. The practice of “sandboxing” to physically or virtually segment a system, network, or entire environment creates a secure location to test and neutralize potential threats.

Learn more about how your institution can incorporate the right security layers to combat today’s threats by downloading our “Improving Security Posture Through Next-Generation Firewall Features” white paper.

14 Jan 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Looking Ahead to 2021: A Regulatory Compliance Update

As we mentioned in our previous blog, the Pandemic dominated the regulatory landscape early in 2020, and cybersecurity dominated the last few months of the year. This double-whammy forced financial institutions to quickly make operational adjustments to their procedures and practices. In the previous post, we explored the Pandemic. In this post, we’ll summarize the regulatory focus on cybersecurity in 2020, and look ahead to 2021.

Focus on Ransomware

The escalation of ransomware attacks (also referred to as destructive malware) has prompted a greater focus on addressing this aspect of cybersecurity. On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to alert companies about possible sanctions for facilitating ransomware payments. Financial institutions should be aware that they (and their cybersecurity insurance provider) could be in violation of OFAC regulations should they decide to pay a ransom to anyone on the Specially Designated Nationals (SDN) list. This would place the institution on the hook for payments made by themselves, or by any third-party on their behalf. Institutions should address this issue during incident response testing by including their cyber insurance company and making sure they know that paying a ransom could trigger penalties or sanctions.

The heightened emphasis on ransomware also led to the release of a new Ransomware Self-Assessment Tool (R-SAT) in October 2020. Developed by the Bankers Electronic Crimes Taskforce (BECTF), the U.S. Secret Service, and state bank regulatory agencies, the R-SAT follows established best practices to help financial institutions reduce their risk of ransomware. We have reports from several banks around the country that their State examiners are requesting completion of the R-SAT prior to their examination. Unlike the CAT, the 16-question tool only allows “Yes” or “No” responses, it does not give users the option to answer “Yes with compensating controls”. This lack of flexibility does not work in the favor of smaller, less complex financial institutions, which may have informal practices in place that still accomplish the same objectives as the more formal practices of the larger institutions.

Nonetheless, the yes/no response format should not be an issue if institutions have already taken steps to address ransomware and, more broadly, cybersecurity. They can simply point regulators to relevant supporting details, (completed CAT assessments and incident response plans and tests for example) and that should be sufficient to demonstrate compliance. It’s also important to note that what we’ve heard from state regulators is that they are not strictly requiring institutions to employ the R-SAT, only that they intend to use the assessment as a starting point for further discussion. Increased discussion surrounding shared cyber threats facing financial institutions is never a bad thing!

Finally, the OCC released their semi-annual Risk Perspective in November and singled out cybersecurity as a key operational risk. While they point out that overall banks have adequate cybersecurity systems, they have seen some weaknesses related to IT, change management, and information security. We can expect increased scrutiny in these areas, and cybersecurity generally, for the foreseeable future.

What to Expect in 2021

One common denominator between the Pandemic and cybersecurity is the concept of resilience. Resilience, or the ability to withstand and recover from unplanned and unanticipated events, is all about proactive as opposed to reactive measures. It equates to implementing procedures ahead of time—rather than just responding to past events—to reduce the risk of operational downtime. Granted, the impromptu procedures established during the COVID-19 pandemic, or following a cyber-attack, are reactive in nature. But, once firmly in place and tested in the real world, they become the proactive resilience measures ready for when the next event occurs.

One additional factor common to both Pandemic and cybersecurity is proper management and oversight of third-parties. We expect that examiners will scrutinize how institutions manage the third-party lifecycle; from the initial decision to engage the third-party, to assessing and controlling on-going risk, to disengagement at the end of the relationship. Among the elements attracting attention are whether you are tracking the complementary user entity controls for critical vendors. These are found in the SOC 2 reports and list the controls expected of you by the vendor. Be aware of these vendor expectations, and document how you’ve addressed them.

In summary, take extra precautions in 2021 relating to cybersecurity (particularly ransomware), another potential Pandemic event, and third-party management. Document everything you’ve done or plan to do (e.g., resilience measures), and most of all stay flexible. If we’ve learned anything from 2020, it’s to expect the unexpected!

08 Jan 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

2020 in the Rearview: A Regulatory Compliance Update

The COVID-19 pandemic dominated the regulatory landscape early in 2020, with cybersecurity dominating the last couple of months. Here is a look back at important regulatory changes and trends in 2020 and a look ahead at what to anticipate for 2021.

Characterizing Causes of Weakness

When it became obvious that the pandemic would have a pervasive and wide-ranging effect, the Federal Financial Institution Examination Council’s (FFIEC) issued several statements to address the situation. The FFIEC outlined some of the adjustments and accommodations that regulators expect bankers to make concerning lending, operational risks, and other areas. For instance, if an exam results in downgrading component or composite ratings for an institution, a distinction will be made between any weakness caused by the pandemic vs. management and governance issues.

Essentially, examiners will differentiate between a weakness resulting from an external event versus an internal systemic issue—even if the event is beyond management’s control.

The statement issued in June 2020, states, “Examiners will consider whether institution management has managed risk appropriately, including taking appropriate actions in response to financial and operational stresses caused by COVID-19 impacts.”

It is uncertain exactly how this issue will be interpreted in a post-pandemic world. After all, pandemic should be a part of all financial institutions’ business continuity planning, and as such, not completely outside the realm of a reasonably anticipated threat. So ideally management should have anticipated such an event, and have been prepared to respond. The only unanticipated aspect of the current Covid 19 event is the extreme extended duration compared to a standard Pandemic. It will be interesting to see how the agencies square the concepts of a “reasonably anticipated threat” vs. “external factors beyond management’s control”. Aren’t most threats both reasonably anticipated, and also beyond management’s control? We’ll let you know if and when we get any clarification on that.

Regardless of the scenario, documentation is crucial and often overlooked. Most folks are laser-focused on just getting past this and back to “normal” business, but memories fade over time, and documenting what adjustments you’ve made (or plan to make) during the pandemic will make the post-pandemic adjustments easier to explain to management and justify to examiners. Documentation can also help establish your increased ability to anticipate and respond to the next threat, also referred to as “resilience”. Institutions should make every attempt to document all management decisions, such as the minutes from management meetings, communications with third-parties, and any strategic or procedural changes you may have made or need to make. For example, if you’ve implemented technology to enable an increased mobile workforce (a strategic change), have you updated the remote access procedures and best practices in your employee Acceptable Use Policy accordingly (a procedural change)? Have all remote employees signed the updated AUP?

In our next blog post, we will dive into the focus on ransomware mitigation, how best to address cybersecurity, and what to expect heading into 2021.

31 Dec 2020

Banks, Credit Unions, Security Jamie Davis 0 comment

The Importance of a Layered Approach to Financial Institution Security: Best Practices in Leveraging Firewalls and Encryption

What You Need to Know About Securing Azure AD

Over the last decade, we have seen major advances in the world of online security, mainly with the development of firewalls and encrypted data options.

Safe Systems hosted a live webinar earlier this month discussing how firewalls, encryption and other online security measures work; why a layered security approach is best in all situations; possible threats to each security measure; and what your financial institution can do to keep your information secure and uncompromised. In case you missed it, here are a few key points from the webinar.

What are firewalls and how did we get to where we are today?

Firewalls became a necessity when banks and credit unions started connecting all of their computers to the same network that was then connected to the internet. Firewalls functioned as the first line of defense – but were nowhere near the caliber of defense we have available today.

When attacks started to occur, it put company computers and the data stored on them in a compromised position. A need arose to come up with appliances that were either in line with the firewall or were an additive to the firewall’s system. The new appliances included IDS/IPS systems, AV Gateways and Web filters – all of which added new layers of security to the firewall.

Today, the latest generation of firewalls, known as Next Generation Firewalls, combines earlier firewall models and offers multiple layers of protection as part of the firewall service. However, some of the additional layers may be included by default and some require extra licensing to take advantage of specific features.

What is the layered security approach and how do today’s firewalls implement that strategy?

What we have learned over the last several years is that security solutions may be incredibly strong in some regards but have gaping holes in others. A layered security approach assists in closing those gaps and lessens the potential risks for an online attack.

What is encryption, how does it work and what can we do better?

Encryption is another aspect of the layered security approach. The two encryption types highlighted in the webinar are Secure Socket Layer (SSL) and Transport Layer Security (TLS), and while they use different nomenclature, the two encryption types are essentially the same – TLS is just a slightly new version.

The goals of TLS:

Encrypt Data
Authentication
Data Integrity

In the last 5 years, there has been major growth in website encryption. It has expanded from being used only when a user types in their username and password to include approximately 90% of the most visited websites today encrypting all of their webpages.

Although having encrypted sites gives users a more secure experience, encryption has some unintended consequences. When traffic is encrypted between the website and the desktop browsing the site, the firewall cannot evaluate the traversing traffic. This means, in the past, a firewall could evaluate a large majority of web traffic. Now, the firewall can only evaluate about 10% of web traffic, because the rest is encrypted.

Bad actors have focused on these security holes and have built their malware to navigate encrypted traffic to get through the firewall and to the workstation. To fight this issue, TLS inspection can be implemented on a Next Generation Firewall to inspect the encrypted traffic passing through on a daily basis.

Today, with TLS inspection, firewalls can get back to inspecting a majority of web traffic farther than just 10% that isn’t encrypted today. This closes a major security gap many institutions may not even know they have.

What steps can you take to increase your online security?

Although there are several ways you can increase your level of online security, as of now, there is no software that guarantees you will not be compromised. However, in addition to encryption, you can take several steps to keep your online presence safe and secure.

A few of the steps you can take to fight malware are:

Anti-Malware Scanning – an anti-virus engine that came about in the Universal Threat Management (UTM) devices. Anti-malware is a software program designed to prevent, detect and remove malicious software on IT systems.
Sandbox Analysis Piece – an additive that enables a firewall to analyze a file and determine its risks level. If the file is determined to possibly be malicious, the file can be sent to the sandbox where the file can be detonated. If the file appears malicious after detonation, the file is blocked from being downloaded to the end user. If the sandbox determines the file is likely safe, the file is allowed to pass through the firewall to the end user for us.

To learn more ways to protect your institution, watch our recorded webinar, “Why You Shouldn’t Ignore Encryption.”

23 Dec 2020

Banks, Credit Unions, Technology Eric Delgado 0 comment

What You Need to Know About Securing Exchange Online: Connecting to Exchange Online

What You Need to Know About Securing Azure AD

Technical Level: Beginner/Intermediate

Note: Previously, we discussed PowerShell basics. Later in this series, we’ll discuss security concerns.

TL;DR:

In order to properly secure Exchange Online, you need to know how to traverse and manipulate settings with PowerShell. In this guide we cover the installation of the EXOv2 module, using the module to connect to an Exchange Online instance, and running some basic commands.

Exchange Online Security with PowerShell

In this post we are going to pick up where we left off last time. Now that we have the basics of PowerShell under our belt, we can go ahead and install the newer ExO V2 Module and then use that module to connect to an Exchange Online instance. Finally, we will go over a few simple commands just to verify the connection has been established.

Exchange Online V2 Module Installation

If you follow the link above for the EXOv2 Module you will find the installation instructions point you to the PS Gallery page for the module.

Securing Exchange - Code Example

The PS Gallery has a few ways to install the module.

Securing Exchange - Code Example

If your package manager is already set, you can enter the following statement to begin the installation of the module:


Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3

Note: In this case, -RequiredVersion is a switch parameter (I just call them switches) to indicate the version you are looking to download. You don’t have to specify the version when you run the command.

If you run the command you should see that PowerShell prompts you to confirm the installation. I would show you that with a screen grab, but I was met with an error:

Securing Exchange - Code Example

I decided to include this error because you will inevitably run into errors when trying to run command logic. Being able to troubleshoot based on the error description is pretty much a necessity with PowerShell and thankfully the error messages are mostly useful. In this case, even though I had uninstalled the Exchange Online V2 Module previously, there are some remnants of the module still in place on my system. PowerShell won’t let me override existing commands with commands from a new module, unless I give explicit permission with a switch. In this case, I ran the following command to get the module installed:


Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3 -AllowClobber

Securing Exchange - Code Example

This time there was no error and I was just brought to the next line. I am kind of a cautious guy, so this lack of feedback is disconcerting. How can we tell if the module was really installed? A valid question to which there is a valid response: the Get-InstalledModule command. You can use the following command to verify the installation:


Get-InstalledModule ExchangeOnlineManagement

Securing Exchange - Code Example

Tips and Tricks

Once you get into using various modules it can be difficult to keep track of all the different module names. Thankfully, the Get-InstalledModule command is pretty versatile. If you know at least part of the module name you can surround it with wildcards (the * symbol) to have PowerShell find any module that contains the text between the wildcards. For example, running the command below will also show us that the Exchange Online Management module is installed:


Get-InstalledModule *Exchange*

Securing Exchange - Code Example

Exchange Online v2 Module – Connecting to Exchange Online

Now that the module has been installed, we can use it to connect to an Exchange Online instance. There are a few different types of connectivity options depending on the type of workflow you are using to connect to Exchange Online. For these examples, the assumption is that you are an administrator for a single instance of Exchange Online. Without delegated rights or service principals to worry about, connecting is straight forward. Use the following code and an account with enough access to connect to Exchange Online:


Connect-ExchangeOnline

Securing Exchange - Code Example

Since the new ExO V2 module supports modern authentication, if your account has MFA enabled, you will be asked to sign in with modern authentication:

Securing Exchange - Code Example

After you successfully authenticate, you will be brought back to a new line:

Securing Exchange - Code Example

Once again this is one of those things you are just going to have to take on good faith that the authentication was successful. If it wasn’t, you will be prompted with an error.

Get Over Here!

In general, there are three basic command archetypes within Exchange Online: Get, Set, and New. Get commands are basically read operations. They get values/properties and are really pretty harmless to run so this is where we will start.

Note: Set commands are all about modifying existing values/properties and New commands are about creating new values/properties. Both have some inherent risk so we will cover them in a future post.

Let’s use our new connection to grab the mailbox objects for all our users. Use the following code to utilize the new v2 cmdlets to gather all mailboxes:


Get-EXOMailbox

Securing Exchange - Code Example

Side bar: I am really impressed with the new cmdlets! They are just so much faster than the old ones and since there is full backward compatibility you don’t have to take my word for it, you can run the old one and the new and see the time difference yourself!

Ready For A PowerShell Picnic?

My number one recommendation for new NOC analysts and administrators unfamiliar with PowerShell is always to fool around with it and the more you work with it, the less intimidating it will be. With that in mind, it is time to reach back to our previous picnic themed post and pull the concepts from that picnic basket and start eating a PowerShell sandwich made from mailbox statistics.

The command to get mailbox statistics using v2 cmdlets is:


Get-EXOMailboxStatistics

Securing Exchange - Code Example

Yea I kind of set you up for failure on that one but I had a good reason I promise! The command failed but the reason why it failed is important and so is the resolution. Both can be found in the red text of the error but to make it a bit easier to read and understand, I have included the important bits parsed here.

The reason for the failure is “Identity is a mandatory value to provide for running Get-ExoMailboxStatistics.” What this means is we tried to run the command, but it has a mandatory switch that must be provided for the command to run properly.

Note: You can find out which switches are required by looking at the documentation for the command either online — honestly, using your favorite search engine and searching for the command to get to the Microsoft documentation page for the command is your best bet for this option — or straight from within PowerShell with the get-help command.


Get-Help Get-EXOMailboxStatistics -Full

The suggested resolution is:

You can specify identity by using either of the following

Any one of the three available parameters: Identity, ExchangeGuid, UserPrincipalName.
ExchangeGuid and DatabaseGuid.

What this means practically speaking is that the command was not intended to be run to gather statistics for all mailboxes in the organization at once. It requires a specific mailbox and then it will gather the statistics for just that one mailbox. That is the intent of the command but I really would not want to type that command a hundred times just to be able to view the statistics for all my users.

The acceptable identity parameters are Identity, ExternalDirectoryObjectId, or UserPrincipalName. All three are properties that are provided in the default set of properties for a mailbox object. In other words, when we run the command to get mailboxes, the objects that are returned have the information we need to be able to run the mailbox statistics command.
You can see this in action with the following code logic:


Get-EXOMailbox | Get-EXOMailboxStatistics

Securing Exchange - Code Example

Bring Home the Leftovers

Ok, seriously I am kind of running out of picnic metaphors so I may have to switch it up in the next post. Lets wrap up this PowerShell picnic by exporting the data for easier consumption. For me, there are two trains of thought here depending on what I plan to do with the data. If the plan is just to view the data, then pipe the results to an export-csv command and you are set.


Get-EXOMailbox | Get-EXOMailboxStatistics | Export-Csv -NoTypeInformation -Path “c:\temp\EXOMailboxStats.csv”

Securing Exchange - Code Example

If you plan to use that data for more PS commands (in the same session), then store it in an object first and then export the data. This way you won’t have to spend time gathering it again.


$exoMailboxStats = Get-EXOMailbox | Get-EXOMailboxStatistics
$exoMailboxStats | Export-Csv -NoTypeInformation -Path "c:\temp\EXOMailboxStats.csv"

Securing Exchange - Code Example

Conclusion

That about sums it up (pun totally intended). In this post we went over installing the new ExO V2 module, using the module to connect to Exchange Online, and then using our new connection with some small scripting logic to gather mailbox statistics.

Get commands really are important because they are what will show you all your current Exchange Online properties. There are so many properties though, so which ones are important to look at??? Join us next time around as we solidify our grasp of the get commands and start to look at security related properties that could help show you if your users have been compromised!

← Previous 123…6 Next →