03 Dec 2015

Can Smaller Community Banks Afford a Dedicated Resource to Manage IT Networks and Workstations?

Managing a financial institution’s IT network is a full time, demanding job! A community bank’s IT administrator needs to truly understand the increasing complexity of IT operations, continuously changing regulatory requirements and FFIEC compliance guidelines. However, many smaller community banks are often located in communities that lack the qualified personnel resources to efficiently manage their IT and regulatory responsibilities.

In addition, community banks often can’t afford to have a team dedicated to IT management. Given the remote location of some community institutions, locating, training and retaining qualified individuals is a challenge, and many community banks cannot afford to pay qualified individuals enough to keep them. Banks that do try to maintain an in-house department often spend an inordinate amount of time and effort recruiting and training staff as community banks are faced with losing employees to competitive salaries in the marketplace.

However, regardless of location and size, these community banks are under the same regulations as larger institutions. Regulatory agencies are continuously changing and increasing regulations around cybersecurity and network management. In fact, the FFIEC recently released the Cybersecurity Assessment Tool (CAT) that is designed to help institutions identify their risks and determine their cybersecurity preparedness. Even though some regulatory agencies have indicated that completion of the tool is not mandatory, all the agencies have stated they intend to use the tool to assess an institution’s cybersecurity readiness, and have already begun to issue citations to financial institutions that have lapses or are not meeting regulations.

Smaller financial institutions should be looking for ways to more efficiently manage their IT networks and compliance strategies. Oftentimes, they determine outsourcing the management of IT needs and security risks is the most cost-efficient method.

Another factor small community banks should consider is the need for an outsourced provider to manage individual PCs and workstations in addition to their IT networks. By assigning an outsourced provider to manage your bank’s individual PCs and workstations, the chance of the workstations having issues is reduced, and any issues that do arise are easily resolved with no added stress to the bank’s IT team.

Given their modest internal resources, smaller community financial institutions can benefit from outsourcing or partnering with a provider who offers network and workstation management solutions exclusively tailored for community banks. Having a service in place that offers key features such as patch management, third-party patching, antivirus, hardware and software inventory management, vulnerability remediation and compliance-focused reporting to verify that your financial institution’s network is adhering to your policies and procedures is critical in today’s environment.
 

Capabilities to look for in an outsourced solution include:

  • Network and Workstation Monitoring
    A solution should be able to provide proactive remote monitoring, alerting, preventive maintenance, ticketing, support and reporting for servers, workstations and other devices.
  • Network Management
    A team of certified network engineers who have expertise, banking knowledge and a true understanding of a financial institution’s technology and technology needs. This expertise ensures issues are resolved in a timely and efficient manner.
  • Workstation/PC Support
    This includes bank applications as well as internal systems and applications. Tasks such as keeping the individual computers up-to-date with anti-virus software are completed and managed by the provider.
  • Compliance-Focused Reports
    Reports that deliver pertinent and useful information to help management ensure the institution is adhering to FFIEC regulatory policies and procedures and to meet regulators’ and examiners’ expectations.
  • Documentation
    Dedicated account managers and experts who understand the financial industry’s regulatory requirements and overall best practices. The Account Manager should deliver compliance-focused Quarterly Control Self-Assessments and Annual Systems Reviews as recommended by the FFIEC as well as provide ongoing strategic planning, technical consulting and participation with your technology committee meetings.
  • Compliance Guidance
    IT regulatory assistance by experts who can be available for IT audit and examination support. Working together pre and post audit/exam, this team prepares banks and credit unions for audits/examinations and can assist the financial institution with any findings.
  • Educational Webinars and Education
    Continuous education and webinars on recent trends and changes in technology and compliance provide financial institutions with a forum where they can learn and interact with subject matter experts and banking peers.

Eliminating the burden of IT network and workstation management, security and regulatory compliance enables your institution to focus on strategy and customer care and have peace of mind in knowing your institution is safe from cybersecurity threats and in compliance with government regulations.






14 Oct 2014

5 Dos and Don’ts of Technology Systems Upgrades

Scott Galvin, Executive Vice President of Technical Solutions | Safe Systems

No technology lasts forever. New systems, new hardware and new techniques are constantly being developed to improve uptime, increase efficiency and control costs. Just about every four or five years (if not earlier) technology becomes unsupported and out of date, or no longer meets the needs of the institution. These changes push just about every institution to perform an upgrade to overhaul or improve its network systems. And while few technology upgrades are ever simple, a little preparation goes a long way to ensuring success.

Whether you’re considering a systems upgrade now or sometime down the road, here are five dos and don’ts that will help ensure success.

03 Oct 2014

A No-Nonsense Approach to Network Systems Upgrades

Ohio-based Kingston National Bank enhances its IT through virtualization

Matt Gunn, Managing Editor

When it came time to modernize Kingston National Bank’s network systems, Lara Hauswirth took a no-nonsense approach in finding the support her institution needed to grow.

“I wanted to talk to someone about technology right off the bat,” says Hauswirth, IT Director of the Kingston, Ohio-based community bank. And, importantly, she wanted someone who understood technology’s role in the highly regulated framework of banking. “I didn’t want to hear the fluffy stuff.  I didn’t want to hear about solutions.  I wanted to know what I needed to accomplish my goal.”

The $243 million asset size institution had outgrown its old IT systems. As Kingston National Bank added staff, branches and services, its IT infrastructure began to reach a breaking point. But as is the case at many community banks, Hauswirth was on her own and wearing many hats, including managing the bank’s IT and marketing efforts. She realized she’d need a little help implementing a large-scale systems upgrade. (more…)

02 Sep 2014

Technical Solutions to Meet the Challenges of Modern Banking

Zach Duke, Executive Vice President, Business Development

This year I celebrated my 15th anniversary at Safe Systems. While in some ways this milestone snuck up on me, it’s given me a chance to reflect on the many changes our industry has experienced over the last decade and a half.  At Safe Systems we work exclusively with financial institutions. Throughout my career, I have had the luxury of working with some great clients at banks and credit unions. Working with these great people, supporting the role community institutions fill in their local economy and seeing the level of customer service these bankers provide their neighbors has fueled my own passion for the industry.

As time has gone by, we’ve seen pressure mount on these small institutions: pressure to compete with the services offered by big banks, pressure from regulators, pressure to survive dramatic economic change. Still, community banks are expected to provide the same level of personal service to their customers. I’d like to spend some time highlighting the challenges I’ve seen institutions face and share my thoughts on how to address them.

The Changing Face of Technology and Staffing

Fifteen years ago, institutions were just starting to access the Internet. Some still used DOS software. Only a handful of banks had real-time processing, and Novell was a common server platform. Just six years ago, Apple updated the iPhone, allowing access to Microsoft Exchange and connecting a new generation to their professional email accounts. Today, virtualization,  mobile devices, electronic banking and cloud services have connected us as users and service providers in ways that were impossible just a decade ago. As we’ve added these enhancements, our expectation (more…)

28 Aug 2014

Server 2003: Lessons Learned in Microsoft Life Cycle Support

With its end of life looming, it’s time now to consider upgrading server software

Brent Moore, Director of Client Services | Safe Systems

When Microsoft announced several years ago that it was ending its support of Windows XP effective April 8, 2014, it ended up being a wake-up call for many in the banking industry. Most financial institutions held on to hardware as long as possible through the recession, but no technology lasts forever. As time and product cycles march forward, the best thing we can do for our institutions is to keep up with the latest technology. If not for compatibility’s sake, then to keep our systems protected from malware and viruses that could lead to a modern-day heist.

Now that the Windows XP end of life date has come and gone, it’s a great time to review how we handled it as an industry, and turn our attention to the next major product Microsoft plans to phase out: Windows Server 2003.

Lessons Learned

As a trusted technology partner to more than 600 banks and credit unions, Safe Systems supports more than 26,000 devices. Our NetComply managed services suite helps bankers monitor and maintain networked devices across their networks. In early 2013, Safe Systems began its initiative to prepare financial institution clients for the end of support for Windows XP. At the start of that project, we were managing around 9,000 Windows XP devices. We worked to educate clients on the date of expiration of support from Microsoft, and our professional services team helped many clients replace thousands of these devices. The regulators also pushed institutions to upgrade from Windows XP with both formal documentation in exam findings and alerts and notifications. However, by the time April 8, 2014 rolled around, over a thousand Windows XP machines in our customer base were still running XP. According to some reports, those institutions were not alone: globally, between 15% and 25% of PCs were still running XP as of April 8. While that percentage was significantly lower among Safe Systems clients, some financial institutions fell behind on upgrades.

What happened? In some cases, institutions didn’t take Microsoft’s announcement seriously. This included not scheduling enough time to get the upgrades completed, not having adequate funds allocated to the project, and not realizing that the professional services calendars of companies like Safe Systems were booked out past the April 8, 2014 date.

As the date approached, Microsoft made it clear XP would no longer receive important patches and security updates. That put a squeeze on everyone to begin upgrades in the final months leading up to XP’s end of life. Getting an upgrade of that nature done can put a big strain on internal staff, and there are only so many providers who are capable of helping within a limited timeframe.

Server 2003 is Next

Microsoft Server 2003 support ends on July 14, 2015. As with XP before it, Microsoft has been clear in reminding businesses that, once support ends, there will no longer be any security updates or patches.

Replacing your workstations is one thing. Upgrading servers adds an order of magnitude in complexity. When one or two workstations are down, business keeps going. It’s a different story when it comes to business-critical network resources. According to data collected by Safe Systems, about 34% of banks and credit unions are still running Server 2003.

Financial institutions should begin preparations to replace any remaining servers that are running Microsoft Server 2003 as soon as possible. For those who found it difficult to line up resources during the replacement of Windows XP, planning ahead can help avoid some headaches. Upgrading sooner can help reduce costs, ensure availability and give you the necessary time to line up installation services.

As a reminder, end of support means Microsoft will no longer provide security updates or technical support for these operating systems.  The discontinuation of security updates is the most notable change. It effectively means Microsoft will no longer patch vulnerabilities exploited by malware, which leaves these devices susceptible to attack.  In addition, the inability to receive paid support could leave you in a precarious situation if a device has downtime and it provides a critical function.

The FFIEC released a joint statement on October 7, 2013 regarding end of support for Windows XP, and although it is not specific to Server 2003, it can be applied to both. In this statement, the FFIEC wrote: “Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized additions, deletions, and changes of data. Additionally, financial institutions and Technology Service Providers that are subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and continue to use XP after April 8, 2014, may no longer be compliant.”

The statement goes on to reference the risk management guidance documented in the FFIEC IT Examination Handbook, which recommends that you perform a risk assessment, select appropriate mitigations, conduct appropriate planning, and carry out ongoing monitoring of the effectiveness of such controls, with reporting to Senior Management or the Board of Directors. Although the FFIEC doesn’t explicitly say to replace these devices, you can effectively read between the lines and come to the conclusion that the risk is too great not to. You can review the entire statement at the following URL: http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf.

Next Steps

Technology has come a long way since Server 2003 first rolled out. If you’re upgrading, consult with your consultants and your vendors to gauge what’s changed and how it can affect or enhance your institution’s network.

As a trusted advisor exclusively serving financial institutions, Safe Systems is available to help every step along the way. Whether you seek consultation on server hardware and software or assistance installing and configuring your network, Safe Systems’ experts are available to help. We have worked with more than 600 financial institutions and monitor more than 25,000 devices, and we understand the many considerations that go into providing secure, reliable IT.

The end of support for existing software and hardware is an opportunity to reevaluate your institution’s technology and how it supplements your mission as a bank or credit union.  Each institution is different. Safe Systems’ experts work directly with your team to better understand and tailor a solution specific to your needs.

 

 

25 Aug 2014

RIP TrueCrypt

Charles Copland, Quality Assurance Analyst

TrueCrypt is no longer secure. Just ask its makers.

As of May 2014 TrueCrypt’s official website began redirecting visitors to a SourceForge page with the ominous message “WARNING:  Using TrueCrypt is not secure as it may contain unfixed security issues.”  For anyone who is not familiar with TrueCrypt these words may barely register, but for a large population of security-minded organizations, analysts, and personal users this announcement was an unwelcome surprise. TrueCrypt was a hugely popular open source freeware application that provided encryption options to protect the data housed on a computer’s disks. Industries that are charged with protecting personal information, including the financial industry, embraced the software enthusiastically.  TrueCrypt was a major player in the encryption world, so what happened? (more…)

12 Aug 2014

Email Hoarder? Here Are Some Tips to Manage Outlook

Jamie Davis, VP, Education, Product Management and Quality Control | Safe Systems

Are you an email hoarder?  Do thousands of emails fill your inbox?  Is every message you ever received still in your inbox “just in case” you need it one day?  Or do you find a full inbox suffocating?  Do more than 20 emails make you feel stressed or overwhelmed?

Email and email management habits epitomize personality traits.  It’s similar to how someone manages their closets.  Is everything sorted, color coded and in its proper place? Or are clothes on the floor, in a hamper and only on a hanger if they came from the cleaners?  Just as different people’s closets exist in varying degrees of organization, their Outlook inboxes vary just as widely.  Some people naturally keep their Outlook tidy, while others choose to let messages stack up unchecked.  If you would like to hold employees to a standard, then you’ve got to set rules for email usage.  But if no one enforces these rules, expect a lot of unruly inboxes. Changing the way that people use email can ruffle some feathers, so you may be wondering if the effort is worth the reward.

Here are a few reasons why you and your employees should care about clean Outlook:

07 Aug 2014

Why Bankers Should Attend Vendor Conferences

Matt Gunn, Managing Editor | TechComply

It’s no secret that vendor management has been a hot topic among regulators. That trend doesn’t appear to be going away any time soon.

One way to keep informed of vendor updates and activities is to participate in user groups and attend vendor conferences, suggests Tom Hinkel, VP of Compliance at Safe Systems.

“It would be very difficult to say that you’re doing everything you should do to monitor and oversee a vendor — particularly a critical vendor — if you don’t participate in the user groups when they have them,” Hinkel says. “It’s a very important thing. Obviously you still have to do the rest of your oversight and due diligence. You still have to do your SOC reports, audit reports, financial statements, etc. But if it’s a critical vendor and they have a user group, participate.”

Watch the video above for the Compliance Guru’s thoughts on user group attendance.

Many critical vendors, such as core systems providers, have regional user groups which meet regularly and hold educational conferences for members. Safe Systems’ own user conference, NetConnect, is taking place Sept. 23-25 in Chattanooga, Tenn. While registration is limited, spots are still available. Visit the NetConnect conference website for more information.

26 Jun 2014

TrueCrypt No Longer Secure for Encryption

Matt Gunn, Managing Editor | TechComply

The group behind TrueCrypt announced in May that the popular encryption software is no longer secure and may contain unfixed security issues. The announcement came less than one month after Microsoft ceased its support for Windows XP.

Up until its demise, TrueCrypt had been considered among the best in free, open-source encryption software. It has also been fairly popular with financial institutions. A quick survey by Safe Systems indicated TrueCrypt was installed on more than 400 devices at community banks and credit unions. If yours is one of the institutions still using TrueCrypt, now might be a good time to start looking for alternative encryption software. (more…)

28 May 2014

78% of Institutions Say Procedures Count in Regulatory Exams: Survey

Matt Gunn, Managing Editor | TechComply

Written policies and procedures are important. Few financial institution officers will argue that. However, in the eyes of an IT examiner, it isn’t enough to simply have written policies in place. Examiners increasingly want to know that the institution follows its own rules.

Policies, procedures and practices form the three pillars of compliance. All three must be present and, ideally, in perfect alignment with one another. Policies clearly state what you will do: protect customer information, recover critical processes, oversee third-party relationships, etc. Procedures describe, step by step, how you will accomplish your policy goals. Your practices are what you actually do.

More than three-quarters of financial institutions (78%) indicate their examiners were more interested in (more…)