ISOversight Archives - Safe Systems

08 Sep 2022

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

What to Budget for in 2023

Marty McFly (the lead character in “Back to the Future”) could not have predicted the world we live in today. Though the movie’s portrayal of flying cars, floating hoverboards, and shoes that lace themselves may have been a little far-fetched, we now have IoT, the Internet of Things. This powerful networking capability connects everything in our lives to a single electronic device that can be held in the palm of our hands. I can open my garage door, adjust the temperature of my house, set my alarm system, and even check the status of the clothes in my dryer—all from my mobile phone. Predictions are always a synthesis of art, science—and uncertainty. None of us truly knows what tomorrow will bring. We just know it will look a little different than it did today. With that in mind, it’s almost budgeting season, so here are my predictions for the top areas your bank or credit union should consider budgeting for in 2023:

1. Compliance Services

Compliance continues to be a strong focus for many community financial institutions. It’s important to be able to evaluate all your policies and programs to see where you may need assistance before your next exam. If you aren’t sure if your policies and programs are keeping up with regulations, you may want to hire a third party to provide an objective perspective. Companies like Safe Systems will often conduct a review as a courtesy or for a nominal fee.

You should also consider investing in these two popular compliance services that have gained traction in recent years:

Virtual ISO: There are several service models available, so make sure you find the one that matches your institution’s needs. (Check out our recent webinar that walks you through the pros and cons of three virtual ISO models.) For instance, Safe Systems’ ISOversight service includes a dedicated compliance specialist, along with a suite of online compliance applications to help you develop and manage your vendors, business continuity plan, Cybersecurity Assessment Tool, and information security program.
Vendor Management: Your assessment of a vendor should define what controls are needed to effectively mitigate risks posed by each vendor. Some critical or high-risk vendors may require reviewing documents like contracts, financials, or SOC 2 audit reports. Evaluating these documents can feel daunting because it can be time-consuming and understanding each type of document can require a different skill set. Many institutions are offloading the document review process to third-party companies to help them identify the key information in each document and better manage risk.

2. Supply Chain Issues

The supply chain issues that started during the middle of the pandemic have continued through 2022. Servers, switches, firewalls, and other hardware devices are still in limited supply. For 2023, continue to plan and order hardware well in advance of your needs. If you wait until you need it, you may encounter delays. Six months is the current lead time for certain devices. Also, when replacing a workstation in 2023, evaluate whether a laptop or desktop computer would be the best replacement. While laptops introduce some new risks due to their mobility, they also allow flexibility for users. If a laptop will enable an employee to work remotely during a disaster or pandemic, it may be more beneficial to switch to this laptop to optimize your hardware investment.

3. Cloud Security

Cloud security should continue to be top of mind. Although the Cloud offers plenty of advantages, it comes with numerous control settings, management tools, and security options that must be effectively configured and maintained to ensure the highest level of protection. This should be a key area of concern for not only institutions with infrastructure in the Cloud, but also those with M365 licenses—which include Exchange Online, SharePoint, OneDrive—or those using Microsoft Azure Active Directory as an authentication platform through a third-party provider. Too often institutions only think about hosting servers in the Cloud when it comes to cloud security. While moving infrastructure to the Cloud is a current trend, almost all institutions store some information there. Safe Systems has worked with several institutions with assets ranging from $100 million to multi-billion dollars and found that almost all of them had gaps in their cloud security when it comes to their cloud tenants. Some institutions had their email or user accounts compromised while others had the wrong M365 security settings in place, which left the door open to future compromises. Safe Systems’ CloudInsight suite of products includes M365 Security and Utility Basics solutions to detect common risks and help institutions better manage the increasing array of M365 security settings and controls. These reasonably priced options deliver a substantial amount of value, so contact us for a quote to determine if our CloudInsight solution will fit into your budget next year.

4. Cybersecurity

Cybersecurity must stay top of mind for both your institution and its employees. If you do not have a solution to train and test your staff on information security best practices, consider investing in one next year. These are typically not expensive solutions, and they provide exceptional value—as well as critical protection. It is estimated that cyberattacks are 300 times more likely to be targeted against financial services firms than other companies. If that isn’t enough to keep you up at night, then consider that Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025—and will be more profitable than the global trade of all major illegal drugs combined. Remember, where the money is, the crooks will follow. Every year you must evaluate your current security layers and decide if they are still effective and if you have enough of them in place.

“If it were measured as a country, then cybercrime—which is thought to have inflicted damages totaling $6 trillion USD globally in 2021—would be the world’s third-largest economy after the U.S. and China.”

Preparing for next year requires you to first evaluate where you are this year. You could decide to simply “rinse and repeat” what you did this year, but that would be a missed opportunity to really understand what is working, what isn’t, and what can be improved. Also, consider your institution’s short- and long-term plans. Sometimes what makes sense today doesn’t make sense when compared to your future plans for growth, increased redundancy, and more. While you can’t predict the future, you can at least ensure your 2023 budget reflects your best guess for where your institution is headed.

05 Aug 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

The Importance of Succession Planning to IT and Information Security Resiliency

The Importance of Succession Planning

Change can be challenging—especially when it involves the transition of IT management and other key personnel. That’s why it’s imperative for banks and credit unions to be proactive about succession planning.

While regulators expect institutions to have a formal succession plan for key leadership roles, having a strategy for filling critical positions is a matter of practicality. If an IT administrator or information security officer (ISO) is not in place, or not available to complete the tasks, reports, and other responsibilities of these roles, then it could lead to cyberattacks and other security issues. This, in turn, can have dire consequences on a financial institution’s operations, risk-profile compliance, and reputation.

Succession Planning Strategies

Institutions can ensure IT and information security resiliency by having an effective plan for managing the absence of key security-related personnel. Depending on their size, type, and goals, they can adopt any of these approaches to succession planning:

Proactively assess internal talent and then orient the most suitable individual to serve as an alternate or backup for various IT admin or ISO responsibilities. The ISO alternate, for instance, should train with the existing ISO, attend ISO oversight meetings, and present appropriate information to executive management and the board. If the ISO leaves, the backup individual should be equipped to assume the role temporarily or even for the long term if necessary. Training a staff member to perform IT or information security duties is not only pragmatic, but it complies with regulatory guidance.
Implement an internal committee or team approach to managing IT and information security during a temporary or permanent personnel change. The committee can facilitate the IT and information security program in several ways. It can maintain processes until an outside replacement is installed or support an internal successor who is transitioning into the position. The committee can also provide coaching to keep the replacement from becoming overwhelmed by the complexity and assortment of tasks required.
Partner with a trusted third party to obtain the additional expertise needed to meet IT and information security benchmarks. This approach provides an accountability partnership role and a regular framework that clearly defines key responsibilities and streamlines processes. This strategy can ensure institutions have suitable resources to ease the transition of key personnel to enhance IT and information security resiliency.

Leveraging a Virtual ISO

A virtual ISO can be an ideal solution for institutions seeking to enhance IT and information security resiliency. This third-party service can not only support succession planning, but it can also serve as an extension of the internal ISO providing an external layer of oversight and an objective point of view — which allows institutions to approach risk more strategically and proactively.

ISOversight from Safe Systems, for instance, is a complete solution that makes it easier for community banks and credit unions to master information security and compliance online. This virtual ISO solution—which is especially for financial institutions—offers valuable access to applications and resources, cyber risk reporting, and compliance experts. With ISOversight, banks and credit unions can be confident that all their ISO-related requirements are completed on time, documented properly, and reported to the appropriate parties. Learn more about how to enhance your institution’s security posture during tough times. Read our white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

16 Jun 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Choosing a Virtual ISO (VISO)

The ISO’s role is becoming increasingly more complex and challenging due to growing cyber security threats, the ever-changing technology environment, and expanding regulatory expectations. It can be difficult for banks and credit unions to stay on top of information security issues. That’s why today even the smallest institutions often engage a trusted third party for help. A virtual information security officer (VISO) service can help institutions effectively manage information security so that nothing gets missed or falls through the cracks.

Common Types of VISO

The most common types of virtual ISO solutions available to institutions are the “do-it-yourself” (DIY), “hybrid,” and “offload” models. The DIY option is designed for institutions that have a solid grasp of the ISO’s job functions and just need some basic tools and limited consultation to enhance their efforts. This model is the least expensive but also requires more of a time commitment from your internal resources. The hybrid model may typically include an assortment of apps, templates, pre-configured reports, and other tools, along with a broader and deeper level of consultation. Resource requirements from the institution side are greatly reduced compared to DIY, but typically greater than offload. Accordingly, costs for a hybrid approach are somewhere between the two other models. The hybrid model also tends to be the most flexible and is designed to evolve with the changing needs of the institution. Finally, the offload approach attempts to provide a “turn-key” solution wherein the virtual ISO partner effectively assumes most or all the responsibilities of your internal ISO. This approach requires the least involvement from your institution (which could introduce other challenges…see the “Examiner Support” section below), but it is usually also the most expensive. As this model is the most inclusive, the knowledge and experience of the third-party provider are your most important consideration. The offload approach typically includes unlimited consultation, on-demand reporting, participation in committee meetings, etc.

Key Factors to Consider

When choosing a virtual ISO, there are some important aspects to consider to ensure your institution selects the best option. Keep in mind that each virtual ISO model comes with a certain level of flexibility and engagement for a specific price. The key is to carefully balance the service and costs against your specific internal resource gaps to determine the best solution for your situation. Ideally, whatever solution you choose should have the flexibility to dial up or down the level of service, depending on how your situation may change in the future.

Whatever virtual ISO solution you opt for, it should provide documentation and reporting in a form that the various stakeholders can understand. Each one of the many ISO responsibilities has one or more reports or documents that support the requirement to hold the ISO accountable for its responsibilities. The board of directors, the steering committee, the IT auditors, and examiners, all have different perspectives and comprehension levels and may require different degrees of detail for the same information. For instance, boards and examiners might require higher-level data, whereas steering committees and IT auditors might require more detailed documentation for their purposes. You should have access to on-demand reporting with relevant, actionable, up-to-date information that matches the level of engagement for the various stakeholder groups.

The regulatory guidance on ISO responsibilities includes terms such as “engaging with” and “working with” management in the individual lines of business to understand the risks of various initiatives. They also expect the ISO to “implement” the information security strategy as defined by the board, and to periodically “inform” the board and senior management on the status of the program. In the case of a virtual ISO, your hybrid or offload third-party partner needs to have an excellent understanding of enterprise-wide strategic objectives, and a good working relationship with management in all lines of business and within the different departments within your organization.

Remember, as with all outsourced activities, even though you can delegate some (or even most) of the heavy lifting to a virtual ISO, you cannot outsource responsibility. Your institution still must maintain a strong oversight effort to ensure that all ISO duties are completed, documented, and reported appropriately. Higher levels of third-party reliance require correspondingly higher levels of oversight. According to the Federal Financial Institutions Examination Council’s Outsourcing Technology Services booklet you are obligated to oversee all activities, whether you perform them, or a third-party performs them on your behalf.

Examiner Support

The examiner feedback we have seen to date strongly supports the idea of financial institutions implementing a virtual ISO solution “…as long as it’s done correctly.” That means focusing on all the responsibilities and accountabilities of the role and making sure sufficient documentation and appropriate oversight and reporting are built-in. Doing it correctly also means making sure the in-house ISO is not so detached from the processes and procedures that they cannot authoritatively explain them to a stakeholder, which can be the primary downside of the “offload” model. The decision-making process is the most important concern for regulators. Your solution should allow you to offload enough to make the ISO’s job easier and more organized, but not so much that they become disconnected and lose operational awareness of their current threat and control environment.

In conclusion, choosing the right type of virtual ISO service allows institutions to provide the appropriate level of insight and oversight for their in-house ISO. This can help them to be better equipped to manage information security activities, meet evolving industry standards, and adjust to tightening regulatory requirements, all in an increasing cyber threat environment.

At Safe Systems, we offer a virtual ISO service based on the above-described hybrid model. ISOversight™, is a VISO service that is flexible to accommodate the changing needs of community banks and credit unions. The ISOversight service includes a full suite of applications to manage everything from vendors to business continuity, along with all associated information security policies and risk assessments. This is a cost-effective, comprehensive, and flexible solution that makes information security management much more efficient. For more insight about the most common virtual ISO models and how to determine which one may be right for you, view our webinar on “Is a Virtual ISO Right for You?”

09 Jun 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Planning for Safety, Soundness, and Resiliency

With the rise in cybercrimes and increased regulatory scrutiny, having a board-approved IT Strategic Plan is often not enough to ensure cyber resiliency. It’s essential for financial institutions to develop a robust IT management and information security infrastructure. The following excerpts from our recent white paper on “Building IT and Information Security Resiliency in Chaotic Times,” show how institutions can strengthen and support these key management roles to make better technology and security decisions, improve visibility, and reduce vulnerability. In addition, institutions can use strategic partners and risk management solutions to bolster resources they already have in place and enhance their overall cyber resilience.

1. Separating ISO Duties

Examiners have a strong interest in the IT administrator and ISO roles, which are interconnected and integral to an institution’s safety and soundness. However, many community banks and credit units still struggle with meeting the FFIEC requirements for segregating these positions. The importance of separating ISO duties relates to creating additional oversight to verify activities and maintain accountability to management and the board. Separating these functions also helps to build a clear audit trail to ensure risk is being accurately assessed and reported to senior management. While the ISO functions in an oversight capacity of the IT administrator, the ISO also relies heavily on the administrator to share data that can be used to recommend steps to improve the institution’s security posture. Therefore, the IT admin-ISO relationship must also be cooperative to ensure their daily activities support the organization’s policies and procedures.

2. Being Proactive about Succession Planning

Regulators expect financial institutions to have a formal succession plan for the ISO, IT administrator, and other key leadership roles, as indicated by the uptick in exam findings related to this issue. Depending on their size, type, and goals, institutions may employ different approaches for succession planning. They can identify and train someone to serve as an alternate or “backup” for various IT or ISO responsibilities, incorporate an internal committee or team approach for managing IT and information security, or use the support of a trusted third party to maintain IT and information security standards.

3. Partnering with a Trusted Third Party

An outside expert can provide an objective perspective that can help institutions think beyond the day-to-day issues and consider risk more proactively and strategically. Bringing in a technology partner on the front end—when things are going well—can also position institutions to be stronger and more successful in the future. For instance, a virtual information security officer (VISO) can expand an internal ISO’s capabilities and increase the likelihood that all ISO-related tasks are completed in a timely and efficient manner. A VISO can also provide an external layer of oversight to enable the required separation of duties.

ISOversight^®, our virtual ISO service, makes it easier for financial institutions to master information security and manage compliance online. ISOversight is a comprehensive solution with a full suite of applications and resources, cyber risk reporting, and dedicated compliance specialists. It’s uniquely designed to help banking institutions enhance their strategies to improve IT management, information security, and compliance. With ISOversight, community banks and credit unions can ensure that no information security issues fall through the cracks—especially during challenging times.

For more information about how to enhance your institution’s security posture, read the full white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

08 Dec 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

5 Compliance Lessons Learned in 2021 to Bring into the New Year

As the challenges presented by the COVID-19 pandemic persist, there are important compliance trends and new regulatory guidance that financial institutions should consider to ensure they are well prepared to begin the New Year.

Accounting for Operational Risk

During the pandemic, banks and credit unions have made necessary adjustments that have increased their operational risk. Two prime examples are switching to a remote workforce and accommodating a more remote customer base. Having employees work remotely extends an institution’s network out to that endpoint and, in effect, broadens security considerations to that point as well. Serving a remote customer base—including expanding e-banking and implementing electronic signatures—creates a similar risk. Security implications multiply as more employees and customers access services electronically.

Rapid changes in operational practices and increases in fraud and cyberthreats can cause a heightened operational risk environment if not properly managed. Examiners will want an account of how institutions determined what changes were necessary, how those modifications were implemented, whether those changes were temporary or permanent, and if controls (primary and compensating) have been adjusted for any resulting operational risk increases. They will review the steps management has taken to evaluate and adjust controls for new and modified operational processes. For instance, for permanent changes, did the institution factor in the operational risk of downtime relating to the new processes?

As a measure of governance effectiveness, examiners will also very likely:

Assess actions that management has taken to adapt fraud and cybersecurity controls to address the heightened risk associated with the altered operating environment.
Review management’s post-crisis efforts to assess the controls and service delivery performance capabilities of third parties.
Consider how imprudent cost-cutting, insufficient staffing, or delays in implementing necessary updates impacted the control environment.

Temporary vs. Permanent Changes

For the most part, because we are still dealing with the impact of the virus and its variants, institutions have chosen to maintain many of the temporary measures they implemented during the pandemic. So, because they may have rolled out the changes anticipating an eventual rollback, it may be necessary to “backfill” some documentation to address what is now permanent. Examiners will want to know if the changes were properly risk-assessed prior to implementation, including any new processes and interdependencies. Institutions should be able to provide a report to regulators if they ask—and ensure their board is appropriately updated. This could be a matter of going back and reviewing previous board reports to ensure that any gaps in their risk management reporting were addressed and properly reported to the board.

Ransomware Self-Assessment Tool (R-SAT)

With the pervasive occurrence of cyberattacks, regulators are increasingly concerned about cybersecurity, particularly reducing ransomware. Consequently, regulators in some states are more aggressive than others about having institutions fill out the Ransomware Self-Assessment Tool (R-SAT), which is based on the National Institute of Standards and Technology (NIST) cybersecurity framework. However, most state regulators we’ve spoken with are not going to make completing the R-SAT compulsory—although they may recommend it. If they do, the majority of what is asked by the 16-question tool should already be in place in the institution’s existing incident response and business continuity plans. Your decision to complete or not should be based on a self-assessment of your existing efforts in this area.

Regulatory Updates

New Architecture, Infrastructure, and Operations (AIO) Booklet

Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) revamped its Information Technology Examination Handbook series with a new Architecture, Infrastructure, and Operations booklet. The revised guidance provides examiners with fundamental examination expectations about architecture and infrastructure planning, governance and risk management, and operations of regulated entities. Credit unions, banks, and non-financial, third-party service providers are expected to comply with the new guidance, which replaces the original “Operations” booklet issued in July 2004.

The FFIEC indicates that the release of the updated booklet is warranted because of the close integration between institutions’ architecture, infrastructure, and operations. “Updates to the booklet reflect the changing technological environment and increasing need for security and resilience, including architectural design, infrastructure implementation, and operation of information technology systems,” explains a June 2021 FFIEC press release.

An important component of the new booklet is the resilience and proactive measures that must be built into an institution’s AIO components. Importantly, the handbook also recognizes special treatment for smaller or less complex entities, which is reasonable because examiners are starting to indicate that smaller entities will often implement these concepts differently from large, multinational, multi-regional financial organizations, while still achieving the same objectives. The refreshed guidance also takes a different approach to data classification; it factors in value, along with criticality and sensitivity. However, (and this is consistent with all FFIEC Handbooks released in the past 3 years) the new booklet states that it does not impose requirements on entities; instead, it describes principles and practices examiners will review to assess an entity’s AIO functions. (Of course, we have always found that anything an examiner may use to evaluate, or grade, your practices becomes in effect a de facto requirement.) A much deeper dive into the booklet is here.

New Cyber Incident Notification Rules

Another big update that will impact 2022 and beyond, the new cyber incident notification rules. Officially called “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers”, they were proposed and submitted for comment in early 2021, approved in November 2021, and become effective in April 2022. Visit our partner site, ComplianceGuru.com, to read the latest post and gain an understanding of how these rules will impact both you and your third-party providers going forward.

To learn more about these and other critical compliance topics, listen to our webinar on “2021 Hot Topics in Compliance: Mid-Year Update.”

11 Oct 2021

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

What Financial Institutions Should Budget for in 2022

Many of us thought 2021 was going to be the downhill side of the pandemic. I recall working on a webinar presentation that we hosted last summer and including the words, “Now that the pandemic is behind us…” Obviously, I was overly optimistic. As we look ahead to 2022, we must acknowledge that the COVID-19 pandemic will continue to affect us to one degree or another. With that said, these budgeting ideas for 2022 may look somewhat similar to those for 2021, but there are slight variations based on current banking technology, compliance, and security issues.

1. Multifactor Authentication

Implement multifactor authentication (MFA) on all your email accounts wherever it is possible and appropriate. MFA can reduce the risk of having account credentials compromised by as much as 99.9%, making it one of the most effective measures you can use to protect your institution. There is typically a small cost for licensing and implementing MFA software. So, you can add MFA to your email accounts for a nominal cost and with minimal effort in most cases. If you are using Microsoft’s cloud email solution, for instance, implementing MFA can be as easy as changing a few minor settings. Another area to consider for MFA is logging into the domain account. There can be a cost associated with this as you will probably want to use a tool to help you manage the process. You can apply MFA only on accounts with administrator rights or on all users. But since many cybersecurity insurance companies are requiring MFA for accounts with administrator rights, using this stronger type of authentication might be your only option.

2. Laptops

With different variants of COVID-19 or other viruses popping up, remote work may still be an option for certain employees. Remote capabilities may even be necessary to keep the institution operating smoothly at times. Be sure you have the infrastructure in place for a partial remote workforce because the need could develop at any point. For this reason, you should consider providing laptops for all employees who could conceivably work from home. Start with those who need new devices. Then prioritize based on those doing the highest-level work necessary to keep the institution running. Laptops and encryption software, required for mobile devices, may cost slightly more but should not cause a huge increase in expenditures. In some cases, you may be able to reuse a desktop computer to replace an older workstation for an employee whose duties cannot be performed remotely.

And don’t forget… There is a chip shortage and high demand for laptops, which means it can take months to secure computers and other hardware. So, order any equipment you need well in advance to ensure you have the appropriate infrastructure in place to support staff that may need to work from home.

3. Moving to the Cloud

Having infrastructure in the cloud can be extremely beneficial, so slowly start moving your infrastructure to the cloud. Cloud infrastructure decreases the need for an employee to be onsite with the hardware, and cloud computing increases uptime. In addition, disaster recovery becomes easier and faster with cloud infrastructure. More than 90% of Fortune 500 companies are running at least some infrastructure in the cloud, primarily through Microsoft’s cloud computing platform: Azure. The cloud is the future of IT and infrastructure, and it makes sense for institutions that need reliable and resilient infrastructures. So, if you need to purchase a server next year, consider getting a quote for moving the server to the cloud instead.

4. Cloud Security

While the cloud offers plenty of advantages, it comes with settings, management tools, and security options that must be effectively configured and managed to ensure the highest level of security in the cloud. Cloud security is a concern for not only institutions with infrastructure in the cloud, but also for M365 Windows/Office licensees with OneDrive enabled, email in the cloud, or using Microsoft as an authentication mechanism with a third-party application. Earlier this year, the FDIC released a letter outlining the need to secure cloud configurations. Their cloud-security concerns are warranted. Safe Systems has worked with several institutions ranging from a hundred million in assets up to multibillion dollars in assets and found that almost every institution had gaps in their cloud security. Some institutions had indications of their email or user accounts being compromised; others had settings that could open the door to future compromises. Safe Systems worked closely with these institutions to develop an innovative M365 Security solution to address these issues with reports, alerts, and reviews. This unique product is specifically designed to help financial institutions manage their cloud setup now and in the future. In addition, it is a reasonably priced option for the substantial amount of value that it delivers. Institutions should reach out for a quote to determine if M365 Security could fit into their budget next year.

5. Virtual ISO

Another item to consider for your budget is virtual Information Security Officer or VISO services, which we also mentioned last year. These services have become increasingly popular as the landscape of information security has grown more extensive and complex. In many cases, institutions are finding it harder to keep up with the latest information security expectations, regulations, and trends. Safe Systems’ ISOversight service addresses this problem by combining applications for self-management with assistance from compliance experts to offer a VISO service at a competitive price. This type of service can be beneficial in many ways as it can provide structure, automation, accountability, assistance, and consistency throughout your information security program. It can also enable your institution to stay engaged, which is critical when an exam or audit occurs. VISO services, which vary in price depending on the work being performed by the third-party provider, are ideal for any institution with limited access to security expertise in-house.

6. Cybersecurity

You cannot have a conversation about budgets for next year without addressing the issue of cybersecurity. Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, a recent Boston Consulting Group report indicates. Cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights. And cybersecurity has become even more precarious during the COVID-19 pandemic. The pandemic has created new opportunities for security breaches as the increase in remote work makes information security more challenging to manage. Unfortunately, institutions will need to increase their security layers and annual spending to address this issue. According to Computer Services Inc. (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

In Conclusion

The threat to your institution’s data is as real today as it ever has been. Therefore, make sure you are applying these measures to strengthen your security:

Employee training to ensure adequate, effective, and safe practices
Perimeter protection to ensure the appropriate layers are enabled and all traffic is being handled correctly, including encrypted traffic
Advanced threat protection and logging to be able to identify how, if at all, malware or an intrusion created an incident
Backup and data redundancy to ensure ransomware cannot wipe out your data

Have a conversation with a security company you trust to ensure that, if you are the target of a ransomware attack, your business won’t sustain long-term damage. In other words, invest in cybersecurity now, so your institution won’t end up paying more later.

As you contemplate your budget for 2022, don’t just think about the items that others have put on your plate. Be sure to consider the changes that may have occurred at your institution—and the ones that may be coming—and have a plan to address these. All these changes can be exciting and make a major difference for your institution. But they can often be hard to get implemented if they are not budgeted for ahead of time.

25 Mar 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

The ISO in 2021: New Challenges and Expectations Require a New Approach

The ISO in 2021 Featured Image

One of the key lessons financial institutions learned from the COVID-19 pandemic is that regardless of new challenges and seemingly constant change, they were expected to ensure their customers and members continued to receive products and services uninterrupted. The past 13 months (and counting) have been a live exercise in operational resilience.

The current crisis—perhaps more than any even prior—has underscored the true scope of the Information Security Officer’s job. Technically, there are only eight broad areas of responsibility for ISOs outlined in the Federal Financial Institution Examination Council (FFIEC) IT Handbook’s Management booklet. But the actual scope of ISO accountability spans at least 36 elements. One of the key challenges and responsibilities of the ISO is stakeholder reporting, which is intricately linked to accountability. The relationship between responsibility and accountability is that while the ISO is responsible for making sure critical InfoSec tasks are completed, they are also accountable to the various stakeholder groups, which requires providing documentation that a task is being completed a certain way, with a certain group, or with a certain frequency.

To meet their accountability obligations, because information security is pervasive, ISOs must be engaged at all levels across the enterprise and in all lines of business. This requires understanding every place that data is stored, processed, or transmitted—whether it involves a customer or member, employee, or vendor. The ISO also needs to be aware of the latest emerging risks and be able to implement an effective mitigation strategy. Ultimately, ISOs need to be effective at translating information to the board, management committee, and IT auditors and examiners, in a manner in which these various stakeholders are best able to consume and comprehend it.

The expectations for ISOs also extend beyond the traditional area of ensuring the confidentiality, integrity, and availability of data. ISOs are also responsible for minimizing the disruption or degradation of critical services—which has emerged as the more urgent necessity during recent pandemic and cyber events.

Some of the early challenges ISOs faced during the pandemic ranged from the technical, such as securing virtual private network access, to the administrative, such as ensuring that employees have signed acceptable-use policies and remote-access agreements. Fortunately, we’ve found that most institutions adjusted well to the initial hiccups, resulting in minimal degradation in their services. However, cybersecurity promises to keep that pressure on for the foreseeable future, even post-pandemic.

Predictably, financial institutions are now seeing more exam scrutiny in three areas.

Business Continuity Management (BCM)

When the FFIEC implemented a BCM update in 2019, it created new terminology and new expectations that are finally beginning to emerge in exam findings.

Strategic Planning

The expectation for additional strategic planning is calling for more formal project management procedures. On the IT examination side, FIs are receiving requests for “pre-initiative” risk assessments, meaning that ISOs are expected to assess the risks of a project or initiative before they even agree to move forward and select a vendor. The FFIEC’s Development and Acquisition Handbook states that “Poor planning often contributes to projects failing to meet expectations.” This early stage is referred to as the “initiation” or “feasibility” phase of the project. Once the project clears this phase and moves forward, a vendor or vendors are selected, and vendor due diligence and on-going management can proceed. As the project proceeds to completion, management should be kept informed.

Board and Committee Reporting

Which is now focusing on not just what gets reported, but the frequency of the reporting as well. Suffice to say that the traditional annual updates won’t get it done going forward.

A New Approach to Virtual ISO Services

With ISOs being forced to wear multiple hats, some institutions are choosing to leverage a virtual ISO solution. Whether outsourced, insourced, or a hybrid virtual ISO model, each offers varying levels of service, flexibility, and support. Further still, several FIs are leveraging technology in tandem with security expertise to support their ISOs.

Safe Systems’ ISOversight is a proven risk management solution that provides complete and comprehensive accountability for the responsibilities of the ISO position. This third-party solution assigns a dedicated ISO oversight lead who understands the details of the institution’s environment and provides institutions with expert guidance and access to additional resources. ISOversight is an ideal asset for new (or frankly, overwhelmed) ISOs that may be struggling to keep up with the complex responsibilities of their position. And now with federal and state examiners tightening their level of scrutiny, ISOversight is proving even more crucial for institutions that need to enhance their information security expertise.

To learn more about how Safe Systems is supporting ISOs in the industry, listen to our webinar on “The ISO in 2021: A New Approach to New Challenges and Expectations.”

03 Sep 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The ISO is tasked with multiple simultaneous activities; supervising the financial institution’s business continuity planning, project management, vendor management, cybersecurity, exams and audits, and information security, which can be an overwhelming responsibility for one person to manage. This presents operational and compliance challenges for the institution if there is no second-in-command should the ISO become suddenly unavailable. For this reason, the Federal Financial Institution Examination Council (FFIEC) in their Management booklet outlines the importance of succession planning for key roles within the institution, including the ISO.

The Challenge

Effective succession planning involves proactively identifying alternate personnel and initiating proper cross-training for critical roles well in advance. A case in point is Billy Peele, who has worked with Iva, South Carolina-based The Peoples Bank for 45 years, and who has plans to retire by the end of 2020. Overseeing the bank’s IT and InfoSec departments, Peele has also functioned as the institution’s ISO. With a succession plan in place, the bank selected Jill Seymore and Addrian Wilson to jointly assume the title and responsibilities of the ISO in preparation of Peele’s departure.

Although highly skilled in banking operations, Seymore and Wilson initially lacked the level of ISO related experience necessary to fulfill the role. Specifically, the pair wanted a better grasp on the IT reports and to learn best practices in reviewing these reports from the ISO perspective. This learning curve could have been overwhelming for the new ISOs, but The Peoples Bank decided to implement a proven virtual ISO solution to give Seymore and Wilson the tools to become more confident in the new role.

The Solution

Too often, new ISOs do not receive a detailed hand-off document from the predecessor and may not know where to start to complete key responsibilities. Fortunately this was not the case for The Peoples Bank as Safe Systems’ ISOversight Virtual ISO Solution formalized all responsibilities into a structured framework for Seymore and Wilson, allowing for methodical review of all tasks on a monthly, quarterly, and annual basis to ensure continuity for the bank.

ISOversight serves as a risk management tool designed to support the role of the ISO by augmenting existing personnel and ensuring that all tasks and related activities are completed on time and properly reported to the various stakeholders. ISOversight helped ease Seymore and Wilson into the ISO position by grouping all of the various responsibilities into a unified platform to effortlessly manage compliance and security activities. Not only did this clearly outline key requirements of the ISO, but it also educated Peele’s successors on how to effectively perform the role.

The Results

ISOversight gave Seymore and Wilson the confidence that allowed them to trust the bank’s IT department while verifying all interrelated activities are running smoothly and securely. Reviewing reports and receiving alerts with the assistance of the VISO helps the new ISOs extract relevant, actionable information to determine if there are anomalies or exceptions that they should be aware of and act on.

The key to succession planning is to find ways to standardize and maintain the consistency and continuity of the responsibilities of the ISO. In this case, the bank can be confident that information is secure, tasks are being completed on time, and documentation is shared with auditors, examiners, and the board. At The Peoples Bank, ISOversight provided a seamless transition for Seymore and Wilson, while laying a solid foundation for future ISO activities.

For more information, download the full white paper, “5 Case Studies: Exploring Common Challenges Faced By The Information Security Officer.”

27 Aug 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Three Virtual ISO Delivery Models for Community Banks and Credit Unions

Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.
– FFIEC Information Security Handbook

Information security officers (ISO) have a wide range of responsibilities and navigating them can be quite challenging, especially with increased scrutiny from examiners on alignment of policies, procedures, and practices. Adding to that challenge is the associated element of accountability; the premise that unless your practices are properly documented and reported to the various stakeholder groups, there may be doubt in the mind of the examiner as to whether or not they actually happened.

As a result of this responsibility + accountability challenge, many financial institutions are turning to virtual information security officer (VISO) solutions to support the role of the ISO by augmenting existing personnel and ensuring all tasks and related activities are completed on time; are following approved procedures; and are properly reported to the various stakeholders.

In a recent webinar, Safe Systems outlined the three virtual ISO delivery models available to community banks and credit unions today and discussed key considerations when implementing each.

1. Outsource All Activities

In this model, the financial institution hires a third-party provider to take on all of the responsibility and accountability tasks of the ISO role. Outsourcing these activities minimizes your staff’s involvement, potentially freeing up time to focus on more revenue generating activities, but this approach is typically more expensive because the third-party provider is doing all of the heavy lifting.

Another important consideration is that outsourcing everything can also isolate key personnel from important procedures and practices. If the institution isn’t involved in the day-to-day information security activities, when IT auditors and examiners question your personnel, they may not have the necessary day-to-day procedural knowledge to answer their questions. For example, there will likely be activities the outsourced provider is doing that the ISO is unaware of or they are using procedures not familiar to your personnel. This could lead to audit and examination observations or findings, as the ISO is expected to have comprehensive knowledge and understanding of all information security activities

Outsourcing information security tasks is best for financial institutions with neither the time, expertise, nor inclination to perform the duties of the role. However, it comes at a higher cost, both in terms of capital outlay and also in the possibility of ISO disassociation from actual procedures and practices. The FFIEC Management Handbook uses terms such as “engaging with…,” and “working with…,” and “participating in…,” and “informing…,” to describe the typical responsibilities of the ISO. This level of involvement may be more difficult under the “outsource all” model.

2. Toolset only (Apps, Checklists, Templates, etc.)

Another option is to select a model where there’s a toolset provided to accomplish ISO tasks. The toolset could consist of applications, checklists, or templates that may be prefilled or partially filled. With this model, you’re given the tools to manage ISO responsibilities without the support. There’s less human interaction, which typically means the service is less expensive.

However, the toolset model requires more effort from staff and requires the financial institution to rely on internal resources for information security expertise and guidance. Without this guidance, this model may also introduce some inconsistencies between the institution’s policies and procedures. For example, if you specify something in one area of your policies and you reference something that may conflict with that in another area, auditors are likely going to notice and question you on it, and that could cause them to dig deeper into other areas. Policy/procedure consistency is one of the most important indicators of strong infosec governance.

This model may include access to compliance guidance and expertise, but it would be reactive instead of proactive. It is best for institutions that have the necessary internal expertise, but they just need the additional structure a toolset provides to ensure all activities are completed in a timely manner.

3. Hybrid (Toolset + Consultation)

Finally, a hybrid model combines the first two models to provide a toolset plus additional expertise, proactive guidance, and consultation. It typically has better integration between various ISO practices because it’s all under one umbrella. As a result, the institution gains consistency and better coordination within and among its policies for business continuity, vendor management, incident response, project management, and information security. However, because of the tight integration, financial institutions that do not adopt all of the tools that support this model may not see the maximum benefit. Also, because of the increased level of ISO engagement, it may be more resource intensive initially, especially if the institution is behind on key ISO tasks. However, once tasks are brought up to date, ongoing maintenance is simpler due to the integrated toolset. This model is also quite flexible and can easily adapt to the evolving needs of the institution.

This is the model we decided to adopt for our virtual ISO solution, ISOversight. We’ve found this model is best for institutions that desire the advantages of regular active involvement with outside expertise, plus a toolset and reporting to ensure the ISO remains fully engaged. The price point is somewhere between the other two models; less than a complete outsource, but a bit more than toolset only.

ISOversight is a risk management solution that provides accountability for all of the responsibilities of the ISO. We have monthly touch point meetings, and we tailor the service to meet each institution’s unique requirements.

To learn more about the information security officer role and the benefits of virtual ISO solutions, watch our recorded webinar, “ISO Requirements and Expectations: Accountability vs. Responsibility.”

13 Aug 2020

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with ISOversight

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with Safe Systems’ Virtual ISO Solution

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with ISOversight

Mergers and acquisitions can present significant operational challenges for information security officers (ISO) who are tasked with ensuring a smooth transition of the information security program. Often, some key responsibilities of the ISO may be overlooked as other tasks related to the merging of the two institutions take precedence, overextending the ISO as they work to manage the information security program effectively and stay on top of regulations.

The Challenge

Eric Nadeau, chief financial officer at One Florida Bank, faced this very issue when his bank acquired another bank in Florida to expand the institution’s reach across the state. Nadeau wore many hats at the bank serving as the information security officer, chief financial officer, head of accounts payable, and director of both HR and IT. Although Nadeau understood the role and responsibilities of the ISO, he simply lacked the necessary time required to develop a formal program to efficiently complete all ISO-related tasks.

After acquiring the other bank’s charter and then merging the two institutions, Nadeau knew that his bank’s existing compliance management practices would not be enough to accommodate the rapid growth and continue to satisfy the regulators. While he needed assistance in managing the information security program, the institution was not yet ready to make the investment to expand personnel by adding a dedicated ISO.

The Solution

Following the merger, the bank needed a strong operational structure in place to get the now larger institution up and running and meet regulatory expectations quickly. During the acquisition process, Nadeau was introduced to Safe Systems’ ISOversight VISO (Virtual Information Security Officer) solution. The institution One Florida Bank acquired was already a Safe Systems customer using its network management services. After learning more about the VISO and compliance program, Nadeau performed his due diligence and made the decision to implement the ISOversight solution to streamline the bank’s information security processes.

A VISO serves as an extension of the in-house ISO by augmenting existing personnel and ensuring all tasks and related activities are completed on time and are all properly documented and reported to the various stakeholders. ISOversight’s integrated approach to vendor management, business continuity planning, cybersecurity, strategic planning, and information security influenced Nadeau to implement a VISO strategy.

“We had a very aggressive growth plan and I was wearing many hats. I couldn’t cobble together a bunch of Excel-based risk assessments and manual tasks into a formal process within an acceptable time frame,” said Nadeau. “I needed a support structure that I could leverage very quickly to sustain our bank’s strong and rapid growth plan and ISOversight provided that.”

The Results

While Nadeau expected the bank to grow, he did not anticipate that the bank would become a $690M institution in just 18 months. With ISOversight, Nadeau was able to quickly implement new operational structures for the institution amidst this rapid growth.

ISOversight combines all the various risk assessments into one centralized portal with ease, eliminating the use of multiple spreadsheets and numerous documents. The VISO enabled the bank to create a new compliance infrastructure with easy-to-read summaries of all ISO activities, as well as establish a new fully compliant business continuity management plan, a robust vendor management program, and comprehensive project and audit/exam tracking. ISOversight provides an integrated approach to all these initiatives as they all work hand in hand.

“The first year after the acquisition required a massive amount of work, but ISOversight allowed our bank to prioritize and complete tasks until we reached a smooth and successful integration,” said Nadeau. “Even examiners have commented on the progress we’ve made and recognized the value that the integrated platform provided to our management.”

For more information, download the full white paper, “5 Case Studies: Exploring Common Challenges Faced By The Information Security Officer.”

06 Aug 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Managing Information Security Requirements and Expectations: Accountability vs. Responsibility

Of the many roles within a financial institution, the information security officer (ISO) is the most critical for the protection of confidential and nonpublic personal information and maintaining compliance with federal regulations. In fact, the Federal Financial Institution Examination Council (FFIEC) goes so far as to mandate that all financial institutions have one or more individuals dedicated to the position of ISO.

Safe Systems held a webinar last week outlining the most common challenges for ISOs and some helpful ways that they can better identify, perform, and document their regulatory responsibilities. In this blog post, we’ll highlight two of the most important elements of the ISO role and outline 8 key regulatory responsibilities all ISOs should focus on to meet examiner expectations.

Key Elements

For ISOs, everything ultimately hinges on responsibility (specific tasks the ISO must perform) and accountability (specific documentation ISOs must provide to key internal and external stakeholders). In fact, these terms are referenced multiple times within the FFIEC guidance:

“The ISO is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of this oversight and reporting. – FFIEC Management Handbook

“Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.” – FFIEC Information Security Handbook

Individuals in the ISO role must effectively demonstrate both elements to adequately meet regulatory expectations.

Maintaining Compliance

The ISO must not only be able to perform key responsibilities of the role, but he or she must also provide proper documentation to specific stakeholders to satisfy the accountability requirements. The FFIEC’s Management Handbook outlines 8 key responsibilities of the ISO role including:

Implementing the information security strategy and objectives, as approved by the board of directors, including strategies to monitor and address current and emerging risks
Engaging with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks
Working with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information
Monitoring emerging risks and implementing mitigations
Informing the board, management and cybersecurity risks and the role of staff in protecting information
Championing security awareness and training programs
Participating in industry collaborative efforts to monitor, share, and discuss emerging security threats
Reporting significant security events to the board, steering committee, government agencies, and law enforcement, as appropriate

When performing these key responsibilities, the ISO must reference the institution’s policies (what you say you do); procedures (how you say you’ll do them); and actual practices (what you actually do and are able to document). In our experience, we’ve seen that there is often a gap between procedures and practices, which often results in the majority of audit and exam findings for financial institutions.

To address this issue, many community banks and credit unions are turning to virtual ISO solutions. A virtual ISO platform serves as a risk management solution that addresses the regulatory expectations and important tasks that the ISO must oversee. The solution helps financial institutions augment their internal ISO role, streamline responsibilities, and ensure the institution’s procedures and practices are properly aligned. Most importantly, a virtual ISO can make sure that all stakeholders; Board, committee, auditor, and regulator, have the appropriate reports to document that alignment.

To learn more about the information security officer role, the 3 virtual ISO delivery models, and the benefits of virtual ISO solutions, watch our recorded webinar, “ISO Requirements and Expectations: Accountability vs. Responsibility.”

16 Jul 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

In a previous post, we discussed the role of the ISO in a pandemic and how he or she must make sure all routine tasks are still being completed; help the institution adapt to the new circumstances; and continue providing all products and services at an acceptable risk level.

While an institution may be prepared to continue business as usual, its third-party provider partners may not be on the same page. Like the bankers they support, third-party vendors are also experiencing the impact of the pandemic and are dealing with a variety of operational issues as well. Financial institutions must be able to perform effective vendor management during a crisis and develop alternative plans in the event a critical vendor may not be able to perform the services agreed upon.

Here are a few things the ISO must consider to effectively evaluate the institution’s vendors during a crisis like a pandemic:

Identify Vendor Risks

During a pandemic, the ISO must anticipate several different risk scenarios that can adversely impact the institution’s daily operations. With vendors, there are two interrelated key risk factors to consider:

“Supply chain risk” is related to the interconnectivity among the entity and others. In a pandemic, critical vendors may receive an overload of requests for products and services from a variety of industries and may not be able to keep up with demand. For example, many financial institution employees have been working remotely due to Coronavirus and to keep the network secure, financial institutions have provided company laptops to staff. However, if the FI’s laptop provider runs out of inventory, the institution is then put in a difficult situation – if they allow the use of personal devices, they must still make sure all employees can work safely from home and ensure the network remains secure.
“Cascading impact risk” is an incident affecting one entity or third-party service provider that then impacts other service providers, institutions, or sectors. For example, if the vendor that manages the bank’s perimeter security has a large case of absenteeism and an inadequate succession plan, real-time alerting may be negatively impacted, and the institution could be exposed.

Evaluating these risks with third-party vendors in advance will help ensure that they have the proper personnel redundancies in place, so these situations don’t impact the institution.

Managing Third-Party Risks

According to the Federal Financial Institution Examination Council (FFIEC), open communication and coordination with third parties, including critical service providers, is an important aspect of pandemic planning. A current SOC 2 report that covers the “availability” trust criteria is the best way to determine if the vendor has the capability to respond and recover its systems. In the absence of a SOC report, the first thing the ISO should request is a copy of the business continuity plan. Since the SOC report may not cover the service providers’ vendors (also referred to as sub-service providers), the ISO will also want to gain some awareness of the possibility of supply-chain risk. For example, how might a provider failure two to three layers deep affect the institution?

In addition to vendor business continuity plans, the ISO should ask additional questions about how the vendor is managing the pandemic. Here are a few examples:

When was the last time you updated and tested your BCM plan? Have you incorporated the possibility of a failure of a critical sub-service provider?
Is the likelihood and impact of a pandemic evaluated as a part of your risk assessment?
How do you plan to continue providing services in the event of the loss of key employees?
Have you been in communication with your critical third-party providers?
Are you financially prepared to withstand a long-term pandemic event?

Critical third parties are often either overlooked or under-managed during normal circumstances, but because of the current high level of interdependency among financial institutions and their third-parties, operational events such as pandemics call for much closer scrutiny. Depending on responses received, ISOs may choose to accelerate their oversight efforts, revisit their vendor risk assessments, and make adjustments accordingly.

For more information on responding to pandemic events, view our pandemic resources.

14 Jul 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The ISO in a Crisis: Key Responsibilities of the Information Security Officer During a Pandemic

According to the Federal Financial Institution Examination Council’s (FFIEC) Information Technology Examination Handbook, “ISOs are responsible for responding to security events by coordinating actions to protect the institution and its customers from imminent loss of information, managing the negative effects on the confidentiality, integrity, availability, or value of information, and minimizing the disruption or degradation of critical services.”

When faced with an operational crisis such as the current Covid-19 Pandemic, potential disruption of critical services is the primary concern. Since the information security officer (ISO) acts as the “quarterback” over the many different departments and functions within the institution, they must make sure all routine tasks are still being completed, in addition to ensuring that the institution has adapted to the unique circumstances of the crisis.

The FFIEC Management Handbook lists 8 broad categories of responsibilities for ISO’s. We’ve identified a few of those areas that should be of particular focus during a crisis:

Working With The IT Steering Committee

During any crisis, the ISO must work closely with the IT Steering Committee to ensure that the institution minimizes the risks to the security and confidentiality of non-public information and financial transactions. As difficult as this is during normal operations, it may be even more of a challenge during a crisis. Key considerations include:

The IT Steering Committee should still perform their normal duties and maintain a normal schedule. Phone /video conferences can suffice if in-person meetings are not an option.

Attention to on-going and planned IT project road map/initiatives. Timelines and all supporting activities must still be tracked, project plans updated, and all stakeholders informed.

Review the Remote Access Policy and the Remote User / Acceptable Use Acknowledgement with IT and HR as your current situation may include unique risks that have not been previously addressed. For example, some employees may have to use their personal devices to access the FI’s network to do their job. Take particular note of the Remote Access and Use of Remote Devices sections of the FFIEC Information Security Handbook and any other related best practices and/or guidance initiatives. Trusted third parties can also be an important resource for this effort.

Document all actions taken and lessons learned during the crisis so far. Then, incorporate them into your next round of policy updates.

Continue to report the status of all IT and information security activities to the Board.

Managing Incident Response, BCP/IRP, and Cyber Responsibilities during an Adverse Event

The ISO is typically the Incident Response Team Coordinator and may determine whether or not to activate the formal Incident Response Plan (IRP). The declaration of a pandemic or other adverse operational event does not in itself require the IRP to be invoked, however, any disruption of normal business services may create vulnerabilities that a cyber attacker could take advantage of.

The ISO will also likely be involved with general business continuity planning and recovery efforts. The criteria for activating the Business Continuity Plan will vary by institution, but the ISO is typically one of the few key individuals tasked with evaluating whether the event is likely to negatively impact the institution’s ability to provide business products and services to customers beyond recovery time objectives (RTOs).

In adverse situations, cyber awareness should be heightened. For example:

The institution could have key personnel out, and alternate personnel may not be adequately trained or have the same level of cyber awareness as the primary staff members.

The institution may be implementing workarounds for new software or devices when trying to accommodate customers affected by the event. In the interest of expediency for customers, the institution may take shortcuts that it normally wouldn’t or otherwise fail to follow normal procedures.

The institution could run into issues with the critical vendors that perform or support its perimeter security, compromising real-time alerting for the organization. This is known as “cascading impact”, where a product or service provided by a third-party is degraded, which in turn affects you.

The institution could experience secondary disruptions where hackers may attempt a cyber-attack against perceived weakened defenses.

The ISO must anticipate all of these risks and should communicate with critical third parties to ensure they have a plan in place to keep the NPI and financial transactions secure and provide critical operational services at acceptable levels of risk.

Addressing Auditor and Examiner Expectations

Although a pandemic, as a crisis event, was de-emphasized in the 2019 BCM Handbook, financial institutions should expect regulators to issue additional joint statements in the post-pandemic phase due to the shear impact and duration of this event. ISOs should expect examiners to ask about the specific actions the institution has taken in response to COVID-19, including:

Succession plans – ISOs should be prepared to share the institution’s succession plans, how these plans were implemented during the pandemic, and any key updates to the plan post-pandemic.

Cross-training efforts – the ISO (if also the BCP Coordinator) should explain the institution’s plans for cross-training and how these plans were implemented during the pandemic.

Remote access controls – the ISO should address all of FFIEC requirements for remote access and document any updates or changes that occur.

Third-party/supply chain issues – the ISO should communicate with all critical vendors to ensure there are no interruptions to critical services, and he or she should have contingency plans in place if a third-party provider can no longer provide adequate service.

Information security officers ultimately must be able to show auditors and examiners exactly how the institution withstood the pandemic, maintained compliance, kept all non-public information secure, and kept all stakeholders informed, all of which is no small task during normal operations!

For more information on responding to crisis events, view our pandemic resources.

09 Apr 2020

Banks, Compliance, Credit Unions Christine Ray 0 comment

American Pride Bank Tackles Information Security Responsibilities with Safe Systems’ ISOversight Virtual ISO Solution

With ongoing cybersecurity threats; increased use of third-party providers; and constantly evolving regulatory and reporting requirements, the role of the information security officer (ISO) is even more important in today’s complex banking environment than ever before. However, community bank and credit union ISOs often struggle to keep up with the growing number of responsibilities this role requires – often forced to manage critical tasks with limited resources and a lack of segregation of duties.

The Challenge

Nicole Rinehart, Chief Operations Officer at American Pride Bank, ran into this very issue as the sole IT admin at American Pride Bank. Managing all of the ISO responsibilities, including critical activities such as Board reporting and the production of comprehensive reports for examiners, was difficult to manage due to the many manual processes required.

During a regulatory examination, an examiner recommended the bank focus on having more independence within its ISO duties. The Federal Financial Institution Examination Council (FFIEC) states that all financial institutions must have separation of duties for the ISO role. To accomplish this, the bank began evaluating solutions to help streamline processes and ensure complete oversight of all information security activities.

The Solution

After consideration, American Pride Bank decided to partner with Safe Systems and implement its ISOversight virtual ISO solution. The service includes a suite of applications and programs to help institutions streamline management of key compliance duties including the CAT, BCP, Vendor Management and Information Security.

In this case, the bank was already leveraging individual components of ISOversight. By converting to the virtual ISO service, they gained additional tools, reports, and expert compliance support. An important part of the solution includes monthly meetings with the Safe Systems compliance team to assess the bank’s information security activities and provide guidance.

The Results

With ISOversight, American Pride Bank has improved its overall preparation and communication of the information security program. All key stakeholders in the bank have access to ISO-related items in real-time, and the information security program is more organized and streamlined, enabling the bank to save time on monitoring and reporting.

“The ISOversight solution has been a game-changer for our bank because now we have a robust process in place working with Safe Systems and a full committee of our team members to ensure all tasks are completed accurately and nothing slips through the cracks,” said Rinehart. “It’s so important to have a process like this, especially when you have limited resources. Safe Systems has truly become an extension of our internal team, helping us to stay on track with ISO responsibilities and ensuring we comply with all regulatory requirements.”

To learn more, read the full case study, “American Pride Bank Streamlines Processes and Improves Compliance Reporting with Safe Systems’ ISOversight Virtual ISO Solution.”

10 Oct 2019

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

5 Things Community Banks and Credit Unions Should Budget for in 2020

The final months of the year signal the beginning of many traditions. For community banks and credit unions, the Fall marks the start of budget season. Financial institutions use this time to assess the year’s performance, make necessary adjustments—or full upgrades—for 2020 and beyond.

As you know, technology and security are constantly evolving, and compliance continues to be a moving target, so it’s time to consider important areas your institution needs to budget for in the next year. To ensure that your institution heads into 2020 on an upward trajectory, here are five key items to include on your list.

Hardware

Every year hardware should be evaluated to see if it is under warranty; in good working condition; and that the operating system hasn’t reached end of life.

Two dates to be aware of:

SQL Server 2008 R2 reached end of life on 7/9/2019

Windows Server 2008 and 2008 R2 reach end of life on January 14, 2020

These items will need to be upgraded or replaced as soon as possible with supported software. If the decision is to replace a server based on these products being end of life, there are options to consider as covered in number 2 in this article.

Cloud vs. In-house Infrastructure

Moving internal infrastructure out of the office is the new trend. This move feels similar to the move to virtualization, in that everyone agrees this is the next logical step in the evolution of computing. You should be asking the same question about cloud infrastructure as you did about virtualization—when is the right time for your institution to make the move and what are the pros and cons of this move? When the time comes to replace pieces of your infrastructure, start to gather information about the benefits of moving to the cloud and the costs associated with it. Remember, each server has both direct and indirect costs.

Direct:

Server Hardware

Warranty

Software

Indirect:

Electricity

Cooling

Storage/physical space

Maintenance

Backup

Disaster Recovery

Each year as hardware becomes outdated and needs to be replaced, evaluate whether moving that server to the Cloud makes sense. Be sure that the functions of the server can be accomplished in a cloud environment. Once a presence in the cloud is established, future growth and changes become much easier and quicker.

Firewalls

Firewalls continue to evolve as network and cybersecurity threats evolve and change. Ten years ago, adding intrusion prevention systems (IPS) to firewalls became commonplace in the industry. Now there are a host of new features that can be added to your firewall to improve your institution’s security posture. Many of these fall under products using the term next-gen firewalls. A few key features to consider include:

Secure Sockets Layer, or SSL, is the industry standard for transmitting secure data over the internet. The good news is most websites on the internet now use SSL to secure the traffic between the PC and the website. The bad news is, your firewall may be protecting your institution from fewer sites than ever before. Google researchers found that 85% of the websites visited by people using the Chrome browser are sites encrypted with SSL. This means that for many firewalls, 85% of web traffic cannot be inspected by the firewall. Many firewalls can perform SSL inspection but may require a model with more capacity; a new license to activate the feature; and configuration changes to enable this feature to work.

Sandbox analysis is a security mechanism used to analyze suspect data and execute it in a sandbox environment to evaluate its behavior. This is a great feature to introduce to your infrastructure because it provides more testing and insight into the data coming into your institution.

Threat intelligence feeds (like FS ISAC), built-in network automation, and correlation alerting are also important features that can help you keep track of emerging security threats; automate key processes; and improve your institution’s cybersecurity posture.

Consider enhancing your firewall features or upgrading to a next-gen firewall to ensure the traffic traversing your firewall is truly being evaluated and inspected.

Virtual Information Security Officer (VISO)

A newer service that has grown in popularity over the last year is the Virtual ISO or VISO role. While services like this have been available for a while, this is the first year we have heard so much talk from community financial institutions. As the job of Information Security Officer (ISO) has become more involved the expertise needed has grown as well. These VISO services offer a way to supplement the internal staff with external expertise to accomplish the tasks of the ISO. Budgeting for a service like this becomes critical if one of the following is true:

No one else in the institution has the needed knowledge base and finding this knowledge set in your area is difficult or expensive;

Your current ISO does not have a background in the field or is wearing too many hats to do it well;

Your current ISO is likely to retire or leave due to predictable life change events; or

The role of ISO and Network Administrator or other IT personnel do not provide adequate separation of duties at the institution.

Disaster Recovery (DR)

Many institutions do not have a fully actionable or testable disaster recovery process. A verified DR process is a critical element of meeting business continuity planning (BCP) requirements. Therefore, this can be a significant reputational risk for the financial institution, if not done correctly. If your institution hasn’t completed a thorough and successful DR test in the last 12 months, it is time to evaluate your current DR process. Using a managed site recovery service can ensure you have the proper technology and support to thoroughly test your DR plan and recover quickly in the event of a disaster.

Budget season is a time to address needs and wants, but also a time to seek improvement or evaluate key changes for the new year and beyond. For example, moving your infrastructure to the cloud may not make sense for the coming year, but the insight gained by evaluating it this budget season improves your knowledge-base for when it is time to make that decision. As we conclude 2019, we hope these insights position your institution for a productive budget season and a successful 2020.

08 Aug 2019

Banks, Compliance, Credit Unions Jamie Davis 0 comment

Maintaining Bank Compliance: Understanding the Regulatory Expectations of the Information Security Officer

The information security officer (ISO) plays an integral role in helping organizations meet regulatory expectations, compliance requirements, and other obligations. In a broad sense, the ISO is charged with keeping the IT programs of an organization safe from internal and external threats. This entails creating enforceable policies and processes to protect the institution’s computer infrastructure, networks and data as well as satisfying regulatory compliance requirements.

More specifically, the ISO is responsible for a wide range of duties, from ensuring appropriate software is installed to thwart viruses, spyware, and other harmful threats to facilitating IT security training and communicating security strategies to senior management. These tasks are critical because an information security breach can cause substantial problems, including the loss of sensitive corporate or customer data; interruption to the business and financial loss; and damage to the company’s reputation and brand.

ISO Regulatory Requirements and Expectations

Financial institutions are highly regulated organizations; therefore, the ISO fills a unique role in maintaining compliance to these regulations. Much of the ISO’s role started with the Gramm-Leach-Bliley ACT (GLBA) of 1999. GLBA, for example, broadly dictates that institutions implement the necessary security measures to safeguard their sensitive information and that of their customers. This involves ensuring information is effectively protected whenever it is being accessed, processed, and stored. The statements in the GLBA outlining information security have been expanded over the years by the Federal Financial Institutions Examination Council (FFIEC) into a set of booklets that in turn define the ISO role.

The FFIEC covers various issues related to information security in great detail, including the expectations and requirements for the ISO. According to the FFIEC IT Examination Handbook’s Information Security booklet, financial institutions should have at least one person who is dedicated to serving as an in-house ISO. The handbook specifically explains: “Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program. Information security management responsibilities may be distributed across various lines of business depending on where the risk decisions are made and the institution’s size, complexity, culture, nature of operations, or other factors.”

Ensuring Bank Compliance

In this role, the ISO must have the appropriate authority, stature within the organization, knowledge, background, training, and independence to complete the assigned duties successfully. To ensure the proper separation of duties, that individual should be independent of the IT operations staff and should not report to IT operations management. The ISO is responsible for overseeing and coordinating security efforts such as information technology, human resources, communications, legal, finance management, and other groups. The ISO must lead risk assessment efforts that guide security initiatives and standards throughout the entire organization as well as consult on the IT budget; performance management; professional development and training; and participate in planning activities while also working with auditors, both internal and external, to test and validate controls. The ISO should be able to point to documentation that acts as evidence of the institution’s practices, including reports, logs, meeting minutes, completed checklists, etc. This is the most time-consuming element of the ISO role, but it’s the only way to prove that all compliance areas are aligned and working as intended.

Meeting all these expectations and requirements can be challenging for an ISO, especially one employed by a smaller institution with fewer resources. However, financial institutions can capitalize on the services of a third-party, virtual ISO (VISO). A VISO platform serves as a risk management solution that addresses the regulatory expectations and responsibilities of the ISO. While a virtual ISO cannot replace the need for an actual ISO at a financial institution, it can certainly help manage the responsibilities and streamline the local ISO’s duties. A VISO does not only provide additional technical knowledge, but it can give institutions the peace of mind of knowing an expert will always be available to help the internal ISO meet regulatory requirements, bank compliance, and other responsibilities.

01 Aug 2019

Banks, Credit Unions Tom Hinkel 0 comment

3 Reasons to Consider Using a Virtual ISO (VISO) Solution

Today, community banks and credit unions face a constant barrage of challenges: growing cybersecurity threats, expanding technological requirements, and ever-evolving government regulations and expectations.

Meeting these and other demands can be quite challenging for information security officers (ISOs) at many financial institutions. In fact, smaller community financial institutions often struggle with a lack of segregation of duties; time constraints; over reliance on third parties; and inadequate expertise. This can strain internal resources and potentially undermine the security of the institution’s operation. ISOs typically juggle a mounting list of duties, from network security issues to cybersecurity to business continuity and regulatory compliance. Therefore, the ISO has one of the most valuable roles in a financial institution. In fact, it is one of the few positions that are required by guidance.

All of this serves to illustrate the usefulness of a virtual ISO (VISO) to assist with understanding and addressing the multitude of ISO responsibilities. A VISO platform serves as a risk management solution that addresses the regulatory expectations and important tasks the ISO must oversee. Because of this, the concept of a virtual ISO has gained popularity lately in the banking and credit union space, as well as other industries. Here are three key reasons community banks and credit unions should consider augmenting and enhancing their Information Security team with a virtual ISO:

Separation/Segregation of Duties

Separation of duties is a common examination finding and addressing this issue should be a major consideration for banks and credit unions. The FFIEC addressed this very topic in the Management Handbook, stating: “ISOs should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management.”

The “concentration (or separation) of duties” requirement stems from a legitimate concern that the ISO must serve in an oversight role to the network administrator. This oversight dynamic is compromised if the ISO has administrative capabilities, which can often be the case with smaller financial institutions. Outsourcing the responsibility for maintaining the ISO checklist of responsibilities is a viable solution for banks and credit unions that lack the internal resources to keep up with these multiple activities. In short, a virtual ISO can help financial institutions provide the appropriate “arms-length” separation of duties between the ISO and the IT staff roles.

Succession Planning

Succession planning is vital to ensuring the longevity of a community financial institution, particularly whenever and wherever there is overreliance on key personnel. Since the ISO plays a vital role in any bank or credit union, one of the biggest benefits to staff augmentation through outsourcing is continuity, or more specifically, succession planning. Making sure the many critical functions of the ISO will continue uninterrupted in the event the in-house ISO is unable to perform their duties is key to a successful information security program.

A VISO can address this issue by effectively augmenting an existing ISO, making sure that all responsibilities are addressed and properly documented. And continuity is never an issue with VISOs because they don’t take vacations, get sick, or wear multiple hats like their in-house counterparts. Consequently, a virtual ISO can help an institution ensure that all information security related concerns are continually addressed—regardless of the availability of the in-house ISO.

Stakeholder Reporting

ISO’s have accountability to several separate and distinct stakeholders; the IT Steering Committee, the Board, and the IT auditors and examiners, and each stakeholder group has unique reporting requirements. The level of granularity required for the IT Committee is different from the detail required for the Board. The committee needs a “ground-level” summary of all information security related activities on an on-going basis, while the Board may only require a single, annual, high-level snapshot. Additionally, any ISO can tell you that pre-audit questionnaires and pre-exam questionnaires are completely different as well. Understanding what to report to each stakeholder, and how best to report it, is another way the VISO can help the in-house ISO.

In summary, the FFIEC states that “A financial institution capable of aligning its IT infrastructure to support its business strategy adds value to the institution and positions itself for sustained success.” Virtual ISO services are intended to enhance and augment your existing ISO capabilities by assuring that all responsibilities are addressed and properly documented, and that all stakeholders are kept properly informed. Ultimately, virtual ISO services can ensure greater accountability for the diverse responsibilities of the individual filling this critical role, while demonstrating a high level of information security maturity.