Tag: ISO

05 Aug 2022
The Importance of Succession Planning

The Importance of Succession Planning to IT and Information Security Resiliency

The Importance of Succession Planning

Change can be challenging—especially when it involves the transition of IT management and other key personnel. That’s why it’s imperative for banks and credit unions to be proactive about succession planning.

While regulators expect institutions to have a formal succession plan for key leadership roles, having a strategy for filling critical positions is a matter of practicality. If an IT administrator or information security officer (ISO) is not in place, or not available to complete the tasks, reports, and other responsibilities of these roles, then it could lead to cyberattacks and other security issues. This, in turn, can have dire consequences on a financial institution’s operations, risk-profile compliance, and reputation.

Succession Planning Strategies

Institutions can ensure IT and information security resiliency by having an effective plan for managing the absence of key security-related personnel. Depending on their size, type, and goals, they can adopt any of these approaches to succession planning:

  • Proactively assess internal talent and then orient the most suitable individual to serve as an alternate or backup for various IT admin or ISO responsibilities. The ISO alternate, for instance, should train with the existing ISO, attend ISO oversight meetings, and present appropriate information to executive management and the board. If the ISO leaves, the backup individual should be equipped to assume the role temporarily or even for the long term if necessary. Training a staff member to perform IT or information security duties is not only pragmatic, but it complies with regulatory guidance.
  • Implement an internal committee or team approach to managing IT and information security during a temporary or permanent personnel change. The committee can facilitate the IT and information security program in several ways. It can maintain processes until an outside replacement is installed or support an internal successor who is transitioning into the position. The committee can also provide coaching to keep the replacement from becoming overwhelmed by the complexity and assortment of tasks required.
  • Partner with a trusted third party to obtain the additional expertise needed to meet IT and information security benchmarks. This approach provides an accountability partnership role and a regular framework that clearly defines key responsibilities and streamlines processes. This strategy can ensure institutions have suitable resources to ease the transition of key personnel to enhance IT and information security resiliency.

Leveraging a Virtual ISO

A virtual ISO can be an ideal solution for institutions seeking to enhance IT and information security resiliency. This third-party service can not only support succession planning, but it can also serve as an extension of the internal ISO providing an external layer of oversight and an objective point of view — which allows institutions to approach risk more strategically and proactively.

ISOversight from Safe Systems, for instance, is a complete solution that makes it easier for community banks and credit unions to master information security and compliance online. This virtual ISO solution—which is especially for financial institutions—offers valuable access to applications and resources, cyber risk reporting, and compliance experts. With ISOversight, banks and credit unions can be confident that all their ISO-related requirements are completed on time, documented properly, and reported to the appropriate parties. Learn more about how to enhance your institution’s security posture during tough times. Read our white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

09 Jun 2022
Planning for Safety, Soundness, and Resiliency

Planning for Safety, Soundness, and Resiliency

Planning for Safety, Soundness, and Resiliency

With the rise in cybercrimes and increased regulatory scrutiny, having a board-approved IT Strategic Plan is often not enough to ensure cyber resiliency. It’s essential for financial institutions to develop a robust IT management and information security infrastructure. The following excerpts from our recent white paper on “Building IT and Information Security Resiliency in Chaotic Times,” show how institutions can strengthen and support these key management roles to make better technology and security decisions, improve visibility, and reduce vulnerability. In addition, institutions can use strategic partners and risk management solutions to bolster resources they already have in place and enhance their overall cyber resilience.

1. Separating ISO Duties

Examiners have a strong interest in the IT administrator and ISO roles, which are interconnected and integral to an institution’s safety and soundness. However, many community banks and credit units still struggle with meeting the FFIEC requirements for segregating these positions. The importance of separating ISO duties relates to creating additional oversight to verify activities and maintain accountability to management and the board. Separating these functions also helps to build a clear audit trail to ensure risk is being accurately assessed and reported to senior management. While the ISO functions in an oversight capacity of the IT administrator, the ISO also relies heavily on the administrator to share data that can be used to recommend steps to improve the institution’s security posture. Therefore, the IT admin-ISO relationship must also be cooperative to ensure their daily activities support the organization’s policies and procedures.

2. Being Proactive about Succession Planning

Regulators expect financial institutions to have a formal succession plan for the ISO, IT administrator, and other key leadership roles, as indicated by the uptick in exam findings related to this issue. Depending on their size, type, and goals, institutions may employ different approaches for succession planning. They can identify and train someone to serve as an alternate or “backup” for various IT or ISO responsibilities, incorporate an internal committee or team approach for managing IT and information security, or use the support of a trusted third party to maintain IT and information security standards.

3. Partnering with a Trusted Third Party

An outside expert can provide an objective perspective that can help institutions think beyond the day-to-day issues and consider risk more proactively and strategically. Bringing in a technology partner on the front end—when things are going well—can also position institutions to be stronger and more successful in the future. For instance, a virtual information security officer (VISO) can expand an internal ISO’s capabilities and increase the likelihood that all ISO-related tasks are completed in a timely and efficient manner. A VISO can also provide an external layer of oversight to enable the required separation of duties.

ISOversight®, our virtual ISO service, makes it easier for financial institutions to master information security and manage compliance online. ISOversight is a comprehensive solution with a full suite of applications and resources, cyber risk reporting, and dedicated compliance specialists. It’s uniquely designed to help banking institutions enhance their strategies to improve IT management, information security, and compliance. With ISOversight, community banks and credit unions can ensure that no information security issues fall through the cracks—especially during challenging times.

For more information about how to enhance your institution’s security posture, read the full white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

19 May 2022
The Relationship Between the ISO and IT Administrator

The Relationship Between the ISO and IT Administrator

The Relationship Between the ISO and IT Administrator

IT administrators (IT admins) and information security officers (ISOs) have independent yet interdependent roles that are critical to their financial institution’s security, regulatory compliance, and overall success. Both individuals must maintain a separation of duties yet work closely together to achieve a common goal: ensuring their organization’s day-to-day activities appropriately support its policies and procedures.

ISO Responsibilities

ISOs oversee everything from network security (including cybersecurity) to vendor management, to strategic alignment of IT initiatives, to general information security regulatory compliance, all of which require having on-demand access to relevant, timely, and actionable information.

ISOs rely heavily on IT administrators to share data about the network, so they can translate that data into the information that will allow them to perform their duties effectively. Therefore, reports are an integral aspect of the IT admin-ISO relationship. ISOs depend on the data provided by IT admins to complete the enterprise-wide thinking and strategic planning that is needed to protect the bank’s information and other assets.

For example, an IT admin might extract data about the number of devices that have been updated with the latest patches and report this information to the ISO. The ISO would certainly be interested in the status of all devices but would most keenly be interested in the exceptions—the devices that have not been patched—as even a single unpatched device could represent a significant risk to the organization. In addition, the ISO must further evaluate the root cause behind the exceptions: do they represent a predictable lag between patch rollout and installation that will be resolved during the normal course of reboots; or do they represent a procedural deviation or deficiency? If the latter, the ISO could make a recommendation to revisit patch management procedures and practices

IT Admin Responsibilities

IT administrators are responsible for a variety of tasks, including managing computer systems, IT personnel, information systems, data backups, and network security—and providing ISOs with essential information on all those activities. Since IT admins may have a small staff—or might be the only IT person in the department—and have privileged access to the network, institutions must closely oversee their position. According to the FFIEC Information Security Handbook, Section II.C.7(c) Segregation of Duties:

“System administrators, for instance, have the most powerful role in the user access process and have unlimited access to an institution’s information assets and technology. Given this extensive access, management should evaluate the process for determining which individuals should be granted system administrator privileges. Such access should be appropriately monitored for unauthorized or inappropriate activity.”

The ISO in combination with the IT Steering Committee provides an important checks-and-balances process to ensure all systems are being effectively managed and maintained, and that status reporting is reliable.

ISO and IT Admin Cooperation

It’s important to remember that although the ISO and IT admin roles must be independent, they are also complementary since both entities are responsible and accountable for making sense of the vast amount of data flowing through their institution.

Because ISOs must utilize the information supplied by IT admins to produce the reporting necessary to periodically update senior management and the Board, and to authoritatively interact with IT auditors and IT examiners, this relationship must be cooperative. By maintaining a close working relationship, ISOs and IT administrators can make sure their actions support the institution’s IT strategic plan. Done properly, a successful ISO- IT admin relationship should in no way be adversarial, it should be mutually beneficial to both parties, as well as to the institution as a whole.

Obtaining Third-Party Support

Regulators place a high priority on the continuity and consistency of leadership for effective information security. At times, financial institutions will have ISOs and IT administrators leave their position either temporarily or permanently. When this happens, it can be beneficial to employ an internal committee/team or a trusted third party to help manage IT and information security.

A third-party partner can provide additional support while the ISO position is vacant, help a new employee transition into the role, or simply provide another set of eyes and an external layer of oversight to supplement what they already have in place. Collaborating with an external information security expert cannot only help the institution think more objectively, strategically, and proactively about risk during a time of transition but also when things are running smoothly. This can prevent problems later and position the institution to be stronger and more successful in the future.

Financial institutions can take advantage of a wide range of external resources designed to support the ISO and IT administrator roles. For example, ISOversight™, our virtual ISO service, offers community banks and credit unions a complete solution to help them master information security and manage compliance online. With ISOversight, institutions can make sure nothing gets overlooked, so they stay on track—which is vital with the complexities and constant changes in the technology and security environments.

30 Dec 2021
Our Top Blog Posts of 2021

Our Top Blog Posts of 2021

Our Top Blog Posts of 2021

With a new year approaching, it’s a good time to review some of the key discussions from the past year. Read these highlights from our top blog posts of 2021, to help your financial institution refine key operational strategies for 2022 and beyond:

1. 2021 Hot Topics in Compliance: Mid-Year Update

Although the COVID-19 pandemic isn’t over, financial institutions have learned valuable lessons so far. Key impacts have been primarily operational, involving risks related to temporary measures taken to weather the crisis. In addition, there are important compliance trends and new regulatory guidance institutions should anticipate going forward. Ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely increase in the future. This will be reflected, in part, by the number of (and types of) assessments that regulators might expect institutions to perform annually. These assessments from various state and federal entities include the Cybersecurity Assessment Tool (CAT), the optional Ransomware Self-Assessment Tool (R-SAT), the Cybersecurity Evaluation Tool, and the modified Information Technology Risk Examination for Credit Unions (InTREx-CU). In addition, there have been major shifts with cyber insurance, and the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. Read more.

2. The 4 “R’s” of Disaster Recovery

Maintaining an effective approach to disaster recovery can help financial institutions satisfy regulatory requirements, better protect themselves from the effects of negative events, and improve their ability to continue operating after a disaster. There are four important “R’s” that institutions should concentrate on for disaster recovery: recovery time objective ( RTO ), recovery point objective ( RPO ), replication , and recurring testing .

RTO is the longest acceptable length of time a computer, system, network, or application can be down after a disaster happens. When establishing RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. The RPO is the amount of time between a disaster occurring and a financial institution’s most recent backup. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. DR replication entails having an exact copy of an institution’s data available and remotely accessible when an adverse event transpires. The best practice is to keep one backup copy onsite and another offsite in a different geographic location that’s not impacted by the disaster. Recurring testing allows institutions to identify key aspects of their DR strategy and adjust as needed to accomplish their objectives. Regular testing can expose potential problems in their DR plan so they can address these issues immediately. Read more.

3. Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s crucial for financial institutions to maintain distinct duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the health of their operations. There should be at least one designated ISO who is responsible for implementing and monitoring the information security program and who reports directly to the board or senior management—not to IT operations management. The significance of segregating the ISO’s duties comes down to oversight: Separating ISO and network administrator tasks helps to create a clear audit trail and ensures risk is being accurately assessed and reported to senior management . It also allows the ISO to provide another “set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders. The ISO’s independent role primarily serves to ensure the integrity of an institution’s information security program . Financial institutions can also use a virtual ISO to create an additional layer of oversight on top of what they have in place internally. Read more.

Discover these and other key topics about banking compliance, security, and technology on the Safe Systems blog.

Or, subscribe now to be the first to receive the latest updates on banking trends and regulatory guidance directly to your inbox.

Subscribe to our blog


08 Dec 2021
5 Compliance Lessons Learned in 2021 to Bring into the New Year

5 Compliance Lessons Learned in 2021 to Bring into the New Year

5 Compliance Lessons Learned in 2021 to Bring into the New Year

As the challenges presented by the COVID-19 pandemic persist, there are important compliance trends and new regulatory guidance that financial institutions should consider to ensure they are well prepared to begin the New Year.

Accounting for Operational Risk

During the pandemic, banks and credit unions have made necessary adjustments that have increased their operational risk. Two prime examples are switching to a remote workforce and accommodating a more remote customer base. Having employees work remotely extends an institution’s network out to that endpoint and, in effect, broadens security considerations to that point as well. Serving a remote customer base—including expanding e-banking and implementing electronic signatures—creates a similar risk. Security implications multiply as more employees and customers access services electronically.

Rapid changes in operational practices and increases in fraud and cyberthreats can cause a heightened operational risk environment if not properly managed. Examiners will want an account of how institutions determined what changes were necessary, how those modifications were implemented, whether those changes were temporary or permanent, and if controls (primary and compensating) have been adjusted for any resulting operational risk increases. They will review the steps management has taken to evaluate and adjust controls for new and modified operational processes. For instance, for permanent changes, did the institution factor in the operational risk of downtime relating to the new processes?

As a measure of governance effectiveness, examiners will also very likely:

  • Assess actions that management has taken to adapt fraud and cybersecurity controls to address the heightened risk associated with the altered operating environment.
  • Review management’s post-crisis efforts to assess the controls and service delivery performance capabilities of third parties.
  • Consider how imprudent cost-cutting, insufficient staffing, or delays in implementing necessary updates impacted the control environment.

Temporary vs. Permanent Changes

For the most part, because we are still dealing with the impact of the virus and its variants, institutions have chosen to maintain many of the temporary measures they implemented during the pandemic. So, because they may have rolled out the changes anticipating an eventual rollback, it may be necessary to “backfill” some documentation to address what is now permanent. Examiners will want to know if the changes were properly risk-assessed prior to implementation, including any new processes and interdependencies. Institutions should be able to provide a report to regulators if they ask—and ensure their board is appropriately updated. This could be a matter of going back and reviewing previous board reports to ensure that any gaps in their risk management reporting were addressed and properly reported to the board.

Ransomware Self-Assessment Tool (R-SAT)

With the pervasive occurrence of cyberattacks, regulators are increasingly concerned about cybersecurity, particularly reducing ransomware. Consequently, regulators in some states are more aggressive than others about having institutions fill out the Ransomware Self-Assessment Tool (R-SAT), which is based on the National Institute of Standards and Technology (NIST) cybersecurity framework. However, most state regulators we’ve spoken with are not going to make completing the R-SAT compulsory—although they may recommend it. If they do, the majority of what is asked by the 16-question tool should already be in place in the institution’s existing incident response and business continuity plans. Your decision to complete or not should be based on a self-assessment of your existing efforts in this area.

Regulatory Updates

New Architecture, Infrastructure, and Operations (AIO) Booklet

Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) revamped its Information Technology Examination Handbook series with a new Architecture, Infrastructure, and Operations booklet. The revised guidance provides examiners with fundamental examination expectations about architecture and infrastructure planning, governance and risk management, and operations of regulated entities. Credit unions, banks, and non-financial, third-party service providers are expected to comply with the new guidance, which replaces the original “Operations” booklet issued in July 2004.

The FFIEC indicates that the release of the updated booklet is warranted because of the close integration between institutions’ architecture, infrastructure, and operations. “Updates to the booklet reflect the changing technological environment and increasing need for security and resilience, including architectural design, infrastructure implementation, and operation of information technology systems,” explains a June 2021 FFIEC press release.

An important component of the new booklet is the resilience and proactive measures that must be built into an institution’s AIO components. Importantly, the handbook also recognizes special treatment for smaller or less complex entities, which is reasonable because examiners are starting to indicate that smaller entities will often implement these concepts differently from large, multinational, multi-regional financial organizations, while still achieving the same objectives. The refreshed guidance also takes a different approach to data classification; it factors in value, along with criticality and sensitivity. However, (and this is consistent with all FFIEC Handbooks released in the past 3 years) the new booklet states that it does not impose requirements on entities; instead, it describes principles and practices examiners will review to assess an entity’s AIO functions. (Of course, we have always found that anything an examiner may use to evaluate, or grade, your practices becomes in effect a de facto requirement.) A much deeper dive into the booklet is here.

New Cyber Incident Notification Rules

Another big update that will impact 2022 and beyond, the new cyber incident notification rules. Officially called “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers”, they were proposed and submitted for comment in early 2021, approved in November 2021, and become effective in April 2022. Visit our partner site, ComplianceGuru.com, to read the latest post and gain an understanding of how these rules will impact both you and your third-party providers going forward.

To learn more about these and other critical compliance topics, listen to our webinar on “2021 Hot Topics in Compliance: Mid-Year Update.”

22 Jul 2021
How Financial Institutions Can Enhance Board Reporting and Governance with Technology

How Financial Institutions Can Enhance Board Reporting and Governance with Technology

How Financial Institutions Can Enhance Board Reporting and Governance with Technology

As financial institutions face greater expectations for corporate accountability from regulators, effective board reporting and governance are becoming even more essential in the banking sector. While board members aren’t generally involved in the day-to-day operations, they are ultimately responsible for the success of their institution. Proper reporting can enable the board to make decisions without having to be involved in routine activities, and technology can help institutions enhance their board reporting and, in the process, help directors exercise the care, skill, and diligence required for good governance.

Five Essential Elements of Reporting

Board members need access to a range of financial and non-financial information relating to their organization’s products and services. In order to function effectively as a feedback tool for the board and senior management, the FFIEC Management Handbook states that information systems reporting should meet five essential elements:

  • Timeliness: To facilitate prompt decision-making, an institution’s information systems should be capable of providing and distributing current information to appropriate management or staff
  • Accuracy: A sound system of automated and manual internal controls should exist to ensure the validity of the information and should include appropriate editing, balancing, and internal control checks
  • Consistency: To be reliable, data should be processed and compiled uniformly. Variations in data collection and reporting methods can distort information and trend analysis
  • Completeness: Reports should contain the necessary information to inform decision-makers without voluminous detail
  • Relevance: Information systems should provide current, applicable, and actionable information

Reporting that contains the essential elements above can provide decision-makers with facts that support and enhance the overall decision-making process and can also “…improve job performance throughout an institution.” At the board and senior management level, information systems reporting provides the data and information to help the board and management make strategic decisions. At other levels, information systems reporting allows management to monitor the institution’s activities and distribute information to staff, customers, and members of management.

Applying Technology

Advances in technology have increased the volume of data and information available to management and directors for planning and decision-making. Converting that data into actionable knowledge is essential for the board to provide a “credible challenge” to management, which involves being actively engaged, asking thoughtful questions, and exercising independent judgment. Integrating technology into their InfoSec efforts, institutions can create a comprehensive system to generate, collect, and analyze data to support a more effective process for board reporting and a more knowledgeable board.

Heather Helms, CFO and Information Security Officer of Mount Vernon Bank, knows firsthand the importance of having an application that supports board reporting. “Before we started our partnership with Safe Systems, we were not up to par with the industry standards of reporting. Since redoing our Information Security Program and moving away from a paper-based model to automated applications, we’ve seen noticeably better results in our board reporting and regulatory updates,” said Helms. “When trying to wear numerous hats within a small community bank and stay on top of a topic so huge in a regulatory world, solutions like Safe Systems’ Information Security Program makes all of the difference.”

There are several advantages to financial institutions using technology solutions to automate and optimize board reporting and governance. The primary advantage is the ability to generate on-demand reporting on all aspects of information security management; from managing projects, to risk assessments (including risk appetite), to managing critical vendors, to mitigating operational risk through business continuity planning. Reporting should allow just enough detail to enable the board to fulfill their responsibilities, but not be so detailed that they struggle to comprehend. Ideally, technology should support high-level reporting, with the ability to “drill down” as necessary. The emphasis should be on quality, not quantity.

Another potential advantage of technology in reporting is the ability to aggregate business intelligence from multiple sources enterprise-wide. This not only gives the board a more complete picture of risk but can also stimulate internal collaboration and deeper insights, giving directors more meaningful information for analysis. The importance of timely, accurate, relevant, complete, and consistent information cannot be overstated, as the success or failure of management is often defined by the decisions they make. As the FDIC states, “The extreme importance of a bank director’s position is clearly emphasized by the fact that bank directors can, in certain instances, be held personally liable.” By having a comprehensive system in place for optimal decision-making, institutions can improve the quality of the information flowing from management to the board, and then from the board to other internal and external stakeholders—helping directors not only improve governance, but also enhance regulatory compliance and possibly even reduce lawsuits, monetary fines, and other negative consequences from inadequate board reporting.

Technology not only optimizes board reporting and decision-making but also makes it easier for directors to access the information they need to perform their due diligence and oversight obligations. It all boils down to implementing technology to exercise better accountability—ensuring sound policies are in place to promote strategic objectives and regulatory compliance.

Safe Systems offers a wide range of compliance-centric, innovative solutions that can help financial institutions take advantage of technology to improve their board reporting and governance.

01 Jul 2021
Benefits of Integrating Technology into Your InfoSec Program

Benefits of Integrating Technology into Your InfoSec Program

Benefits of Integrating Technology into Your InfoSec Program

Information security (InfoSec) is a critical aspect of keeping an organization’s computers, networks, sensitive information, and users safe from potential threats. Integrating technology into a financial institution’s InfoSec program can make it easier to manage risk and protect their information and infrastructure assets. Institutions can utilize automation to capitalize on a variety of other benefits, including:


Banking is a complex business. Banks and credit unions maintain a wide assortment of information technology devices, systems, and applications to support their operations. They also have multiple personnel, partners, and third-party providers spread across different geographic areas. The interconnectivity of their operations can make it even harder for institutions to protect the hundreds (and in some cases, thousands) of assets they must maintain. An automated system can make it easier for institutions to inventory and classify their assets—without having to create enormous, time-consuming spreadsheets. It provides a centralized solution for tracking the criticality, location, and risk exposure level of each asset. Identifying the source of risk is the essential first step to effective risk management. Technology and various Software as a Service (SaaS) applications can greatly simplify the process of inventorying assets, assessing the risk, and selecting controls. Technology can also create automatic updates to ensure that all policies and procedures are current and based on industry standards and regulatory requirements. Additionally, on-demand stakeholder reporting can be generated to provide the requisite documentation to management committees, board of directors, and regulatory authorities, respectively.

Completeness and Transparency

Integrating technology can help financial institutions get a clearer sense of their security posture, so they can develop a more complete InfoSec program. Automation makes it easier to identify and categorize each asset, along with its related risks, threats, and controls. This can enable institutions to make a more accurate assessment of where their security risks actually lie. With enhanced transparency, institutions can determine the most appropriate level of protection for each of their assets. As a result, they can more effectively use, manage, and secure these assets. Proactively identifying risks, threats and controls can also better position them to minimize the impact of security incidents in the future.

Better Intelligence and Insights

Some financial institutions rely on manual spreadsheets to manage the vast amount of information and other assets in their InfoSec program. But manual spreadsheets are not always the most effective tracking and reporting mechanism. People can inadvertently feed the wrong data into spreadsheets and produce unreliable results (“garbage in, garbage out”). Plus, since creating spreadsheets is such a repetitive and time-consuming process, information may be infrequently updated—which can make it less timely and thus less useful. However, integrating technology can help institutions enhance the accuracy of the intelligence that supports their InfoSec program. In turn, their board and management can have better insights into the important issues that impact the information security of their organization, which in turn empowers them to make better decisions.

Enhanced Reporting

To make the best decisions for their institution and perform their fiduciary oversight duties, boards and management committees need accurate, relevant, and timely information. By incorporating technology in their InfoSec program, institutions can put an efficient process in place to generate, collect, and analyze data to support board and committee reporting. This can enhance the overall quality of the information being reported to the board, shareholders, and auditors, and regulators. Optimized, on-demand reporting can improve governance, foster compliance, and potentially reduce negative consequences from inadequate board reporting.

Resource Collaboration and Augmentation

InfoSec resources are limited at many financial institutions, and most community banks and credit unions do not have a dedicated InfoSec specialist in-house. Additionally, information security officers (ISOs) tend to wear multiple hats and are often stretched thin by their broad range of responsibilities. An automated application can create a centralized solution that creates a multi-user approach to allow the ISO to leverage internal resources wherever and whenever possible. For example, a department head or process owner can be a valuable internal resource for assessing vendors impacting the department’s functionality. Similarly, the process owner (and not necessarily the ISO) would be the most logical choice to perform the process Business Impact Analysis. In this way, InfoSec becomes an “all hands on deck” operation, with all personnel sharing ownership of the process. Outsourcing additional aspects of InfoSec via a virtual ISO solution can provide an institution with additional subject matter expertise and solutions to further support their designated ISO and the overall security of their systems and information.

Read more about the benefits of integrating technology into your information security. Download our white paper on “How Financial Institutions Can Use Technology to Build an Automated, FFIEC-compliant Information Security Program.”

24 Jun 2021
Automating Your Information Security Program - How Technology Can Get Policies Off the Shelf

Automating Your Information Security Program: How Technology Can Get Policies Off the Shelf

Automating Your Information Security Program - How Technology Can Get Policies Off the Shelf

Working with paper-based information security policies can be limiting for financial institutions. Automation allows banks and credit unions to take their policies off the shelf and move them online to reap multiple benefits.

There are 2 major challenges to having a static, paper-based information security program; the first is making sure policies accurately reflect the financial industry’s current guidance and best practices, and the second is making sure they accurately reflect your institution’s specific practices. Often new paragraphs and sections get added to cover additional policies while almost nothing gets expunged. Or a revision in one section of the program might not be properly updated in all other related areas.

These twin challenges are the primary cause of disconnects between policies, procedures, and practices —and compliance-related findings from IT auditors and examiners. Today examination auditors are scrutinizing documents far more closely, and they expect to see documentation that proves institutions are doing what their policies say they are. And unfortunately, policy disconnects and lack of adequate documentation in IT often reflect poorly on management. It is not unusual for us to see weaknesses in the IT area pull down the CAMELS management component in other areas. In a study conducted by the OCC earlier this year, researchers found that:

“… both the CAMELS composite and Management component ratings have significant predictive power for features of the distribution of banks’ return on assets (ROA), non-performing loans (NPL), stock returns, stock return volatilities, and market-to-book ratios.”

Advantages of Automation

Leveraging technology for an information security (InfoSec) program offers significant benefits by addressing both challenges. A key advantage is that it places all InfoSec related documents in one place where personnel can easily access them. Having a digitally enhanced program makes it easier to minimize exam findings related to inconsistencies between policies (what you say you’re going to do) and procedures (how you say you’re going to do them). Automation streamlines the process of updating policies and documenting the corresponding procedures that are in place to support them.

As another advantage, automation promotes personnel collaboration and engagement in the information security process. Having a web portal where staff can access the policies and procedures related to their area of focus enables collaboration, encourages engagement, and generally helps generate buy-in. As a result, personnel becomes better informed and more engaged in the information security program.

Automation also supports change management by facilitating periodic, detailed reporting to update various stakeholders about the status of the information security program. Reports can focus on a specific area or be customized for different stakeholders who may need more specialized reporting. They may be high-level summaries, or highly detailed. Most importantly, as regulatory guidance and best practice evolve, automation can allow policy updates to happen with the click of a button.

Our Unique Approach

At Safe Systems, we took a unique and comprehensive approach when creating our new Information Security Program solution. The program includes a comprehensive set of policies and a process-based risk assessment. It’s also structured around the Information Security and Management handbooks by Federal Financial Institution Examination Council (FFIEC). And it features a detailed, easy-to-navigate table of contents that will look familiar to auditors and examiners. The idea is to make it as easy as possible for IT auditors and examiners to find what they’re looking for, so they can move on to other areas!

Another way our approach is unique is that our methodology starts with enterprise modeling: We find out everything about the institution’s departments, processes, functions, and required interdependencies. That data then flows directly into the risk assessment and links to other areas that may be added later, such as business continuity management or vendor management. All of these areas will “talk” to the model to support automatic updating whenever global changes are made.

Positive Feedback

Our Information Security Program—which has been years in the making and incorporates everything we’ve learned about what does and doesn’t work—is effectively simplifying an inherently complex process for institutions of all types and sizes. So far, we’ve heard great feedback from auditors, examiners, and customers. (In fact, the risk assessment was developed in close collaboration with IT auditors.) Customers are finding our information security program much easier to manage than having multiple disjointed policies in Word documents and PDFs strewn across disparate folders. They can access policies without worrying if they have the most current version. And our broad and deep understanding of financial institution risk management allows us to start with a pre-filled set of policies, which are then customized to each institution. This greatly accelerates the onboarding process. Customers also like being able to work one-on-one with our team to build a process-based risk assessment model, being able to customize policy language as needed, and not worrying about what changes to make, or where to make them.

For more details, listen to our webinar on “Automating Your Information Security Program: How Technology Can Get Policies Off The Shelf.”

01 Apr 2021
The Security Evolution Featured Blog Image

The Security Evolution: The Integration of Security and Technology in Your Bank’s Infrastructure

The Security Evolution Featured Blog Image

Financial institutions and other organizations face a head-spinning number of information security risks—and the threats are becoming more complex and difficult to detect. In 2020, the FBI’s Internet Crime Complaint Center received a record number of complaints: 791,790, with reported losses exceeding $4.1 billion. The complaints—many of which included sophisticated phishing emails, business email compromise, and ransomware—represented a 69-percent increase in total from 2019, according to the FBI 2020 Internet Crime Report. In almost every case, a financial institution was involved; either as the direct target, a payment intermediary, or the account holder (victims) source of funds.

Importance of Resilience

With IT security, one of the primary goals for financial institutions is to minimize operational risk by limiting downtime; a process also referred to as “resilience”. Formally defined as the “…ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions…”, resilience also includes the ability to withstand and recover from deliberate attacks or naturally occurring disasters.

Resilience extends beyond after-the-fact recovery capabilities to incorporate proactive measures for mitigating the risk of a reasonably anticipated disruptive event in the overall design of operations and processes, including IT infrastructure. Resilience strategies, including maintaining security standards, should extend across the entire business, including outsourced activities. Because of the constantly changing threat environment, banks and credit unions should be regularly refining their security strategies. But it can be challenging for institutions to effectively manage the resources required to create a resilient infrastructure, including the staff, hardware, software, facilities, utilities, and other resources required to support operations. This monumental task encompasses everything from technology and telecommunications infrastructure to the critical dependencies provided by third-party service providers.

With so much complexity, having integrated security controls that coordinate and communicate with each other can make it easier for institutions to detect and prevent an incident before it happens, and to respond and recover afterward. Integration involves blending separate technology and controls into a single system that simplifies the work of short-staffed, time-strapped IT departments. The integration of security technology can ensure that financial institutions have a more manageable—and sustainable—approach to addressing the increasing volume and sophistication of security threats that they encounter.

Compliance and IT Security Integration

Of course, the rationale for integrating security and technology goes beyond the practical need to safeguard an institution’s information, infrastructure, and other assets, as it’s also a matter of compliance.

Information security should be embedded within the institution’s culture, according to the Federal Financial Institution Examination Council (FFIEC), and an institution’s security culture contributes to the effectiveness of its information security program. In fact, the FFIEC IT Handbook’s Information Security booklet indicates that “an institution with a stronger security culture generally integrates information security into new initiatives from the outset and throughout the life cycles of services and applications.”

Financial institutions should have a robust and effective information security program that supports their IT risk management process, according to FFIEC guidelines. Based on the FFIEC IT Handbook’s Information Security booklet, an effective IT program should:

  • Identify threats, measure risk, define information security requirements, and implementing control
  • Integrate with lines of business and support functions in which risk decisions are made
  • Integrate third-party service provider activities with the information security program

Third-party Management

Integrating third-parties into your security program is not just accepted by the regulators, it’s expected. According to the FFIEC, “In many situations, outsourcing offers the institution a cost-effective alternative to in-house capabilities…without the various expenses involved in owning the required technology or maintaining the human capital required to deploy and operate it.” However, the FFIEC goes on to recommend that institutions who elect to outsource technology, line of business activities, and support functions, ensure the integration of these activities with their information security program through an effective third-party service provider (vendor) management program. The FFIEC IT Handbook’s Information Security booklet asserts that: “Effective integration of these programs is evident when the institution creates and enforces expectations that align with the internal information security program in such a way that the combined activities of the institution and its third-party service providers result in an acceptable level of risk.”

Security threats will always be a constant challenge, but successfully integrating security and technology within an institution’s banking infrastructure can help institutions win the fight. Safe Systems provides banks and credit unions with an array of compliance-focused IT services to help them improve their overall security posture. Our proven experience, paired with our compliance-focused technology and security solutions, enables financial institutions to significantly strengthen their resilience by seamlessly aligning compliance and security.

11 Mar 2021
Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s essential that banks and credit unions maintain segregation of duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the overall health of their operations.

From a regulatory standpoint, the separation (or segregation) of the ISO’s duties is the corrective action to a concentration of duties finding. Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Information Security booklet. The booklet states: “ISOs should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management.”

The FFIEC also provides guidance on this matter in the IT Handbook’s Management booklet. “The institution should separate information security program management and monitoring from the daily security duties of IT operations. The IT department should have personnel with daily responsibility for implementing the institution’s security policy,” the booklet explains. “Responsibility for making changes and granting exceptions to policy should be segregated from the enforcement of the controls.”

Oversight Is the Key Issue

The importance of isolating the ISO’s duties comes down to oversight as separating the functions of the ISO and network administrator helps to create a clear audit trail and ensures that risk is being accurately assessed and reported to senior management. Without proper oversight reporting, financial institutions and their Boards lack a clear picture of their information security posture and can face other negative repercussions, such as downgrades in their Management IT component.

If, for instance, the ISO shares administrative duties and an administrator account, oversight dynamics can be undermined. As an example, the admin may have day-to-day responsibility for patch deployment, but the ISO is ideally suited to monitor and validate the overall patch management program—not the network administrator. The ISO has a higher-level, enterprise perspective of the impact of day-to-day activities; whereas the admin is at the ground level and may not always be capable of accurately assessing the full impact of performing, or not performing, a particular task. In addition, the definition of “oversight” is basically having another set of eyes validate the actions of someone else.

Understanding the Role and Duties of the ISO

The ISO’s oversight role primarily serves to ensure the integrity of a financial institution’s information security program. In essence, by segregating the admin/ISO duties, ISOs are the “other set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders.

The responsibilities of the ISO are clearly outlined in the FFIEC’s Information Security and IT Management booklets. Some of the ISO’s key duties include responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.

However, in fulfilling these obligations, ISOs are expected to continually meet a high standard of information privacy and security. It’s imperative for institutions to not only assign the proper responsibilities to the ISO but to also select the right individual to assume the role.

Banks and credit unions often have difficulty designating an ISO with the appropriate technical and regulatory compliance expertise. Institutions in rural or small communities—where the talent pool is meager—might even have their chief financial officer or chief operations officer wear the hat for this “part-time” job. Regardless of these challenges, community institutions are expected to maintain the same level of segregation of duties as larger institutions. Size and complexity considerations may allow for some leeway in the timing of the separation, but not the ultimate outcome.

Leveraging a Virtual ISO

For every responsibility, there is an associated piece or set of documentation that must be provided to demonstrate adherence to and alignment with your formal written procedures. Not having an ISO with the requisite knowledge and/or time to effectively manage the assigned responsibilities of the position can result in control failures—and possibly policy or procedure non-compliance. In some cases, financial institutions may have a separation of duties “on paper”, but not so in practice. Again, the absence or presence of oversight is the key.

In fact, feedback from examiners indicates that because of the lack of oversight, there is a certain level of concentration of duties that cannot be adequately addressed internally. But institutions can remedy this problem by engaging a third-party, virtual ISO to add assurance that all responsibilities are being successfully addressed. A virtual ISO can provide another set of eyes and an independent layer of oversight on top of what the institution already has in place internally.

Virtual ISO services from Safe Systems, a national provider of fully compliant IT and security services, can be the ideal solution for community banks and credit unions. Safe Systems has proven experience in providing institutions with dependable technical expertise to ensure there is adequate separation of ISO-related duties within their organization—enhancing network security and significantly increasing regulatory compliance.

04 Mar 2021
5 ISO Duties that Can Be Automated for FIs

5 ISO Duties that Can Be Automated for FIs

5 ISO Duties that Can Be Automated for FIs

Information security officers (ISOs) at financial institutions typically have myriad responsibilities on their plates, and each of those responsibilities comes with one or more forms of documentation to verify the actions taken. While these duties relate to the main categories of network security and regulatory compliance, there are a host of functions that fall under the ISO’s oversight role.

Fortunately, many ISO responsibilities can be automated in some areas to facilitate the management of the institution’s information security program. Here are five of them:

1. Business Continuity Management (BCM)

ISOs are responsible for overseeing and coordinating BCM, providing detailed guidance on how to recover from a business interruption, and ensuring that the appropriate people, processes, and technology components that make up the network of interdependencies are also restored. Automation can make it easier for the ISO to identify the interdependencies, complete the annual updates, and conduct the training exercises and testing required. Automation can also enable alerts for tasks due by process owners, and generate reminders for annual plan board approval, and report the test results to the board. While the tests for BCP cannot be automated, the documentation and reporting of the tests can—something that can significantly streamline the ISO’s oversight responsibilities and make it much easier to locate these documents at audit and examination time.

2. Updates to the Information Security Program and Information Security Risk Assessment

Automation can provide alerts to help ISOs keep abreast of updates from regulators. Then the ISO can easily pull reports on the revised areas to present them for board approval. Essentially, it’s plan maintenance that can be automated—although some interpretation is needed to support the process. Automation can prevent an institution’s information security program from becoming out-of-date (which can happen easily when an ISO is relying on manual processes for management) as failing to make an important update can have significant, negative consequences. For instance, if management misses a major BCP update, or an annual test, or board reporting, auditors may construe this as a general weakness in management, and scrutinize other areas more closely, such as lending practices or financial reporting. Automation can help institutions avoid inadvertent missteps and resulting hassles within their information security program.

In addition, many recent examination findings relate to inconsistencies between the institution’s policies (what they say they do) and their procedures (how they say they will do them). Automation, when combined with integration between applications, can greatly reduce this probability by easily propagating policy and procedural changes throughout all elements of your information security program. For example, sometimes financial institutions will update their BCM plan but might be lax with other policies—something that can result in a disconnect between different policies. In this case, one policy may refer to a process that is no longer being used; or a policy may contain conflicting references for a process that has been updated. These and other kinds of inconsistencies are virtually impossible to catch without automation and integration.

3. Tracking Audit Exam Findings

Unresolved, or “repeat” findings are usually treated very harshly by regulators. Making sure that all audit and exam issues are resolved in a timely manner is crucial. Automation can rate the severity, assign them to a responsible party, assign a due date for resolution, and sending “ticklers” and reminders as the dates come due. At the end of the process, the ISO can quickly generate reports to provide to the institution’s board, examiners, and other stakeholders. Alerts and on-demand reporting can enhance accountability for addressing each of the findings to improve internal controls and other areas.

4. Managing Third-party Relationships

Financial institutions are required to manage the risks of their third-party vendors and the responsibility to assure this is done falls squarely on the shoulders of the ISO. Institutions can use automation in every aspect of their vendor relationship management, including alerting and tracking of periodic updates to the risk assessments, annual updates to the control reviews, contracts, and contract renewals. With automation, the ISO can instantly identify required tasks and produce the necessary documentation related to its vendor management activities.

5. Cybersecurity

Cybersecurity is an important sub-component of information security, and automation can significantly enhance the ISO’s multiple oversight efforts in this area. An automated system can remind ISOs to verify that crucial assessments are completed, including the annual Cybersecurity Assessment Tool (CAT) and the Ransomware Self-Assessment Tool (R-SAT). Alerts can be scheduled to prompt ISOs to conduct annual incident response tests, a gap analysis, and cybersecurity training for employees and the board. And on-demand reporting can keep all stakeholders informed on the progress of your cybersecurity efforts.

One final thought about automation; when the application is combined with a provider familiar with, and dedicated to, the regulatory environment of the financial institution, you do not have to worry about a non-compliant policy or procedure. All necessary regulatory and best practice updates are built-in to the automation.

As a national provider of fully compliant IT and security services, Safe Systems offers a variety of innovative solutions that can help financial institutions automate some of the important responsibilities of their ISO.

03 Sep 2020
The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The ISO is tasked with multiple simultaneous activities; supervising the financial institution’s business continuity planning, project management, vendor management, cybersecurity, exams and audits, and information security, which can be an overwhelming responsibility for one person to manage. This presents operational and compliance challenges for the institution if there is no second-in-command should the ISO become suddenly unavailable. For this reason, the Federal Financial Institution Examination Council (FFIEC) in their Management booklet outlines the importance of succession planning for key roles within the institution, including the ISO.

The Challenge

Effective succession planning involves proactively identifying alternate personnel and initiating proper cross-training for critical roles well in advance. A case in point is Billy Peele, who has worked with Iva, South Carolina-based The Peoples Bank for 45 years, and who has plans to retire by the end of 2020. Overseeing the bank’s IT and InfoSec departments, Peele has also functioned as the institution’s ISO. With a succession plan in place, the bank selected Jill Seymore and Addrian Wilson to jointly assume the title and responsibilities of the ISO in preparation of Peele’s departure.

Although highly skilled in banking operations, Seymore and Wilson initially lacked the level of ISO related experience necessary to fulfill the role. Specifically, the pair wanted a better grasp on the IT reports and to learn best practices in reviewing these reports from the ISO perspective. This learning curve could have been overwhelming for the new ISOs, but The Peoples Bank decided to implement a proven virtual ISO solution to give Seymore and Wilson the tools to become more confident in the new role.

The Solution

Too often, new ISOs do not receive a detailed hand-off document from the predecessor and may not know where to start to complete key responsibilities. Fortunately this was not the case for The Peoples Bank as Safe Systems’ ISOversight Virtual ISO Solution formalized all responsibilities into a structured framework for Seymore and Wilson, allowing for methodical review of all tasks on a monthly, quarterly, and annual basis to ensure continuity for the bank.

ISOversight serves as a risk management tool designed to support the role of the ISO by augmenting existing personnel and ensuring that all tasks and related activities are completed on time and properly reported to the various stakeholders. ISOversight helped ease Seymore and Wilson into the ISO position by grouping all of the various responsibilities into a unified platform to effortlessly manage compliance and security activities. Not only did this clearly outline key requirements of the ISO, but it also educated Peele’s successors on how to effectively perform the role.

The Results

ISOversight gave Seymore and Wilson the confidence that allowed them to trust the bank’s IT department while verifying all interrelated activities are running smoothly and securely. Reviewing reports and receiving alerts with the assistance of the VISO helps the new ISOs extract relevant, actionable information to determine if there are anomalies or exceptions that they should be aware of and act on.

The key to succession planning is to find ways to standardize and maintain the consistency and continuity of the responsibilities of the ISO. In this case, the bank can be confident that information is secure, tasks are being completed on time, and documentation is shared with auditors, examiners, and the board. At The Peoples Bank, ISOversight provided a seamless transition for Seymore and Wilson, while laying a solid foundation for future ISO activities.

For more information, download the full white paper, “5 Case Studies: Exploring Common Challenges Faced By The Information Security Officer.”

06 Aug 2020
Managing Information Security Requirements and Expectations: Accountability vs. Responsibility

Managing Information Security Requirements and Expectations: Accountability vs. Responsibility

Managing Information Security Requirements and Expectations: Accountability vs. Responsibility

Of the many roles within a financial institution, the information security officer (ISO) is the most critical for the protection of confidential and nonpublic personal information and maintaining compliance with federal regulations. In fact, the Federal Financial Institution Examination Council (FFIEC) goes so far as to mandate that all financial institutions have one or more individuals dedicated to the position of ISO.

Safe Systems held a webinar last week outlining the most common challenges for ISOs and some helpful ways that they can better identify, perform, and document their regulatory responsibilities. In this blog post, we’ll highlight two of the most important elements of the ISO role and outline 8 key regulatory responsibilities all ISOs should focus on to meet examiner expectations.

Key Elements

For ISOs, everything ultimately hinges on responsibility (specific tasks the ISO must perform) and accountability (specific documentation ISOs must provide to key internal and external stakeholders). In fact, these terms are referenced multiple times within the FFIEC guidance:

“The ISO is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of this oversight and reporting. – FFIEC Management Handbook

“Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.” – FFIEC Information Security Handbook

Individuals in the ISO role must effectively demonstrate both elements to adequately meet regulatory expectations.

Maintaining Compliance

The ISO must not only be able to perform key responsibilities of the role, but he or she must also provide proper documentation to specific stakeholders to satisfy the accountability requirements. The FFIEC’s Management Handbook outlines 8 key responsibilities of the ISO role including:

  1. Implementing the information security strategy and objectives, as approved by the board of directors, including strategies to monitor and address current and emerging risks
  2. Engaging with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks
  3. Working with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information
  4. Monitoring emerging risks and implementing mitigations
  5. Informing the board, management and cybersecurity risks and the role of staff in protecting information
  6. Championing security awareness and training programs
  7. Participating in industry collaborative efforts to monitor, share, and discuss emerging security threats
  8. Reporting significant security events to the board, steering committee, government agencies, and law enforcement, as appropriate

When performing these key responsibilities, the ISO must reference the institution’s policies (what you say you do); procedures (how you say you’ll do them); and actual practices (what you actually do and are able to document). In our experience, we’ve seen that there is often a gap between procedures and practices, which often results in the majority of audit and exam findings for financial institutions.

To address this issue, many community banks and credit unions are turning to virtual ISO solutions. A virtual ISO platform serves as a risk management solution that addresses the regulatory expectations and important tasks that the ISO must oversee. The solution helps financial institutions augment their internal ISO role, streamline responsibilities, and ensure the institution’s procedures and practices are properly aligned. Most importantly, a virtual ISO can make sure that all stakeholders; Board, committee, auditor, and regulator, have the appropriate reports to document that alignment.

To learn more about the information security officer role, the 3 virtual ISO delivery models, and the benefits of virtual ISO solutions, watch our recorded webinar, “ISO Requirements and Expectations: Accountability vs. Responsibility.”

16 Jul 2020
The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

In a previous post, we discussed the role of the ISO in a pandemic and how he or she must make sure all routine tasks are still being completed; help the institution adapt to the new circumstances; and continue providing all products and services at an acceptable risk level.

While an institution may be prepared to continue business as usual, its third-party provider partners may not be on the same page. Like the bankers they support, third-party vendors are also experiencing the impact of the pandemic and are dealing with a variety of operational issues as well. Financial institutions must be able to perform effective vendor management during a crisis and develop alternative plans in the event a critical vendor may not be able to perform the services agreed upon.

Here are a few things the ISO must consider to effectively evaluate the institution’s vendors during a crisis like a pandemic:

Identify Vendor Risks

During a pandemic, the ISO must anticipate several different risk scenarios that can adversely impact the institution’s daily operations. With vendors, there are two interrelated key risk factors to consider:

  • “Supply chain risk” is related to the interconnectivity among the entity and others. In a pandemic, critical vendors may receive an overload of requests for products and services from a variety of industries and may not be able to keep up with demand. For example, many financial institution employees have been working remotely due to Coronavirus and to keep the network secure, financial institutions have provided company laptops to staff. However, if the FI’s laptop provider runs out of inventory, the institution is then put in a difficult situation – if they allow the use of personal devices, they must still make sure all employees can work safely from home and ensure the network remains secure.
  • “Cascading impact risk” is an incident affecting one entity or third-party service provider that then impacts other service providers, institutions, or sectors. For example, if the vendor that manages the bank’s perimeter security has a large case of absenteeism and an inadequate succession plan, real-time alerting may be negatively impacted, and the institution could be exposed.

Evaluating these risks with third-party vendors in advance will help ensure that they have the proper personnel redundancies in place, so these situations don’t impact the institution.

Managing Third-Party Risks

According to the Federal Financial Institution Examination Council (FFIEC), open communication and coordination with third parties, including critical service providers, is an important aspect of pandemic planning. A current SOC 2 report that covers the “availability” trust criteria is the best way to determine if the vendor has the capability to respond and recover its systems. In the absence of a SOC report, the first thing the ISO should request is a copy of the business continuity plan. Since the SOC report may not cover the service providers’ vendors (also referred to as sub-service providers), the ISO will also want to gain some awareness of the possibility of supply-chain risk. For example, how might a provider failure two to three layers deep affect the institution?

In addition to vendor business continuity plans, the ISO should ask additional questions about how the vendor is managing the pandemic. Here are a few examples:

  • When was the last time you updated and tested your BCM plan? Have you incorporated the possibility of a failure of a critical sub-service provider?
  • Is the likelihood and impact of a pandemic evaluated as a part of your risk assessment?
  • How do you plan to continue providing services in the event of the loss of key employees?
  • Have you been in communication with your critical third-party providers?
  • Are you financially prepared to withstand a long-term pandemic event?

Critical third parties are often either overlooked or under-managed during normal circumstances, but because of the current high level of interdependency among financial institutions and their third-parties, operational events such as pandemics call for much closer scrutiny. Depending on responses received, ISOs may choose to accelerate their oversight efforts, revisit their vendor risk assessments, and make adjustments accordingly.

For more information on responding to pandemic events, view our pandemic resources.

14 Jul 2020
The ISO in a Crisis: Key Responsibilities of the Information Security Officer During a Pandemic

The ISO in a Crisis: Key Responsibilities of the Information Security Officer During a Pandemic

The ISO in a Crisis: Key Responsibilities of the Information Security Officer During a Pandemic

According to the Federal Financial Institution Examination Council’s (FFIEC) Information Technology Examination Handbook, “ISOs are responsible for responding to security events by coordinating actions to protect the institution and its customers from imminent loss of information, managing the negative effects on the confidentiality, integrity, availability, or value of information, and minimizing the disruption or degradation of critical services.”

When faced with an operational crisis such as the current Covid-19 Pandemic, potential disruption of critical services is the primary concern. Since the information security officer (ISO) acts as the “quarterback” over the many different departments and functions within the institution, they must make sure all routine tasks are still being completed, in addition to ensuring that the institution has adapted to the unique circumstances of the crisis.

The FFIEC Management Handbook lists 8 broad categories of responsibilities for ISO’s. We’ve identified a few of those areas that should be of particular focus during a crisis:

Working With The IT Steering Committee

During any crisis, the ISO must work closely with the IT Steering Committee to ensure that the institution minimizes the risks to the security and confidentiality of non-public information and financial transactions. As difficult as this is during normal operations, it may be even more of a challenge during a crisis. Key considerations include:

  • The IT Steering Committee should still perform their normal duties and maintain a normal schedule. Phone /video conferences can suffice if in-person meetings are not an option.
  • Attention to on-going and planned IT project road map/initiatives. Timelines and all supporting activities must still be tracked, project plans updated, and all stakeholders informed.
  • Review the Remote Access Policy and the Remote User / Acceptable Use Acknowledgement with IT and HR as your current situation may include unique risks that have not been previously addressed. For example, some employees may have to use their personal devices to access the FI’s network to do their job. Take particular note of the Remote Access and Use of Remote Devices sections of the FFIEC Information Security Handbook and any other related best practices and/or guidance initiatives. Trusted third parties can also be an important resource for this effort.
  • Document all actions taken and lessons learned during the crisis so far. Then, incorporate them into your next round of policy updates.
  • Continue to report the status of all IT and information security activities to the Board.

Managing Incident Response, BCP/IRP, and Cyber Responsibilities during an Adverse Event

The ISO is typically the Incident Response Team Coordinator and may determine whether or not to activate the formal Incident Response Plan (IRP). The declaration of a pandemic or other adverse operational event does not in itself require the IRP to be invoked, however, any disruption of normal business services may create vulnerabilities that a cyber attacker could take advantage of.

The ISO will also likely be involved with general business continuity planning and recovery efforts. The criteria for activating the Business Continuity Plan will vary by institution, but the ISO is typically one of the few key individuals tasked with evaluating whether the event is likely to negatively impact the institution’s ability to provide business products and services to customers beyond recovery time objectives (RTOs).

In adverse situations, cyber awareness should be heightened. For example:

  • The institution could have key personnel out, and alternate personnel may not be adequately trained or have the same level of cyber awareness as the primary staff members.
  • The institution may be implementing workarounds for new software or devices when trying to accommodate customers affected by the event. In the interest of expediency for customers, the institution may take shortcuts that it normally wouldn’t or otherwise fail to follow normal procedures.
  • The institution could run into issues with the critical vendors that perform or support its perimeter security, compromising real-time alerting for the organization. This is known as “cascading impact”, where a product or service provided by a third-party is degraded, which in turn affects you.
  • The institution could experience secondary disruptions where hackers may attempt a cyber-attack against perceived weakened defenses.

The ISO must anticipate all of these risks and should communicate with critical third parties to ensure they have a plan in place to keep the NPI and financial transactions secure and provide critical operational services at acceptable levels of risk.

Addressing Auditor and Examiner Expectations

Although a pandemic, as a crisis event, was de-emphasized in the 2019 BCM Handbook, financial institutions should expect regulators to issue additional joint statements in the post-pandemic phase due to the shear impact and duration of this event. ISOs should expect examiners to ask about the specific actions the institution has taken in response to COVID-19, including:

  • Succession plans – ISOs should be prepared to share the institution’s succession plans, how these plans were implemented during the pandemic, and any key updates to the plan post-pandemic.
  • Cross-training efforts – the ISO (if also the BCP Coordinator) should explain the institution’s plans for cross-training and how these plans were implemented during the pandemic.
  • Remote access controls – the ISO should address all of FFIEC requirements for remote access and document any updates or changes that occur.
  • Third-party/supply chain issues – the ISO should communicate with all critical vendors to ensure there are no interruptions to critical services, and he or she should have contingency plans in place if a third-party provider can no longer provide adequate service.

Information security officers ultimately must be able to show auditors and examiners exactly how the institution withstood the pandemic, maintained compliance, kept all non-public information secure, and kept all stakeholders informed, all of which is no small task during normal operations!

For more information on responding to crisis events, view our pandemic resources.

09 Apr 2020
American Pride Bank Tackles Information Security Responsibilities with Safe Systems’ ISOversight Virtual ISO Solution

American Pride Bank Tackles Information Security Responsibilities with Safe Systems’ ISOversight Virtual ISO Solution

American Pride Bank Tackles Information Security Responsibilities with Safe Systems’ ISOversight Virtual ISO Solution

With ongoing cybersecurity threats; increased use of third-party providers; and constantly evolving regulatory and reporting requirements, the role of the information security officer (ISO) is even more important in today’s complex banking environment than ever before. However, community bank and credit union ISOs often struggle to keep up with the growing number of responsibilities this role requires – often forced to manage critical tasks with limited resources and a lack of segregation of duties.

The Challenge

Nicole Rinehart, Chief Operations Officer at American Pride Bank, ran into this very issue as the sole IT admin at American Pride Bank. Managing all of the ISO responsibilities, including critical activities such as Board reporting and the production of comprehensive reports for examiners, was difficult to manage due to the many manual processes required.

During a regulatory examination, an examiner recommended the bank focus on having more independence within its ISO duties. The Federal Financial Institution Examination Council (FFIEC) states that all financial institutions must have separation of duties for the ISO role. To accomplish this, the bank began evaluating solutions to help streamline processes and ensure complete oversight of all information security activities.

The Solution

Get a CopyImplementing a Virtual ISO to Improve Compliance Posture  Complimentary White Paper

After consideration, American Pride Bank decided to partner with Safe Systems and implement its ISOversight virtual ISO solution. The service includes a suite of applications and programs to help institutions streamline management of key compliance duties including the CAT, BCP, Vendor Management and Information Security.

In this case, the bank was already leveraging individual components of ISOversight. By converting to the virtual ISO service, they gained additional tools, reports, and expert compliance support. An important part of the solution includes monthly meetings with the Safe Systems compliance team to assess the bank’s information security activities and provide guidance.

The Results

With ISOversight, American Pride Bank has improved its overall preparation and communication of the information security program. All key stakeholders in the bank have access to ISO-related items in real-time, and the information security program is more organized and streamlined, enabling the bank to save time on monitoring and reporting.

“The ISOversight solution has been a game-changer for our bank because now we have a robust process in place working with Safe Systems and a full committee of our team members to ensure all tasks are completed accurately and nothing slips through the cracks,” said Rinehart. “It’s so important to have a process like this, especially when you have limited resources. Safe Systems has truly become an extension of our internal team, helping us to stay on track with ISO responsibilities and ensuring we comply with all regulatory requirements.”

To learn more, read the full case study, “American Pride Bank Streamlines Processes and Improves Compliance Reporting with Safe Systems’ ISOversight Virtual ISO Solution.”