Tag: ISP

27 Jul 2022
Learn How to Eliminate Compliance Pain Points with COMPaaS

Learn How to Eliminate Compliance Pain Points with COMPaaS

Learn How to Eliminate Compliance Pain Points with COMPaaS

Keeping compliance processes and information security up to date is crucial, especially with the ever-increasing risks and regulatory requirements that are facing financial institutions. Our compliance-as-a-service solution, COMPaaS, solves this problem. It offers community banks and credit unions an easy way to customize information technology and compliance services to match their institution’s needs.

What is COMPaaS?

COMPaaS is a collection of connected compliance applications combined with critical monitoring and reporting tools that institutions can customize to address their specific pain points. Regardless of type or size, any financial institution can use COMPaaS to build a unique package of services that are based on their specific compliance resources, expertise, and budget.

The full suite of services meets regulatory requirements in a range of areas from vendor and network management to cloud security, information technology, and business continuity management:

  • BCP Blueprint: An application that automates the building and maintenance of a business continuity plan.
  • CloudInsight M365 Security Basics: A reporting tool that provides visibility into security settings for Azure Active Directory and M365 tenants.
  • Cybersecurity RADAR: A user-friendly application to assess cybersecurity risk and maturity.
  • Information Security Program: A proven regulatory framework with applications that allow you to build a customized, interactive, and compliant infosec program.
  • Lookout: An event log monitoring solution that efficiently combs through daily logs and sends notifications for activities that need review.
  • NetInsight: A reporting tool that runs independently of existing network tools to provide third-party “insight” into IT controls.
  • Vendor Management: An application that tracks vendor risks, automates contract renewal reminders, and generates reports.
  • V-Scan: A security solution that scans a network, identifies vulnerabilities, and generates a comprehensive report.

How Does It Work?

The COMPaaS applications and services were built with our expert’s core knowledge and industry best practices to help your institution build a strong compliance foundation. Whether you choose one of the automated applications or a service that provides a dedicated compliance resource, COMPaaS can help you better manage your policies and procedures, implement effective controls, and fill in reporting gaps to meet examiner expectations. It is the ideal solution because it lets you select the exact products and services you need now and add more later as your requirements change. For example, if you are a smaller bank, you might begin with a vendor management application and then build from there to cover your cybersecurity risk and information security concerns.

Key Benefits

COMPaaS allows financial institutions to leverage the benefits of automation to streamline time-consuming processes related to regulatory requirements. It converts labor-intensive processes that often exist on paper into apps to create living documents that are more efficient and less likely to become outdated.

COMPaaS also uses technology to enforce verifiable controls and provide consumable reports so that institutions can implement the appropriate actions to maintain information security. This can make it easier to prove to a third party that critical issues are being addressed. In addition, all COMPaaS was designed with the regulatory needs of community banking institutions in mind. For example, the technology and security products cover the standards set by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT) or the National Credit Union Administration’s Automated Cybersecurity Examination Tool (ACET).

The COMPaaS Advantage

With COMPaaS, institutions have an effective way to target and eliminate their specific compliance and information technology weaknesses. They can save time by automating compliance tasks and save money by selecting only the options where they need help. Institutions also can expand COMPaaS’ services to support internal IT staff who may not be well-versed in a particular area or wearing multiple hats and juggling too many tasks. Or they can use COMPaaS to fill a void when an IT staff member takes a vacation, goes on leave, gets promoted, or retires. Whatever the situation, institutions can maintain continuity by having access to the same tools, reporting features, and experts through COMPaaS. And our solutions will grow with the institution, so it can implement various services at separate times based on its budget and needs.

30 Mar 2022
Get Prepared for the New Computer-Security Incident Notification Rule

Get Prepared for the New Computer-Security Incident Notification Rule

Get Prepared for the New Computer-Security Incident Notification Rule

As of April 1st, financial institutions are expected to comply with new cyber incident notification requirements for banking organizations and their third-party service providers. The Computer-Incident Notification Rule, as it’s officially called, is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The final rule—approved last November by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Office of the Comptroller of the Currency (OCC)—takes effect on April 1, 2022, with full compliance extended to May 1, 2022. (To date, the NCUA has not adopted the new rule, although it’s possible they may at some point. Credit Unions should check with their regulator for notification expectation specifics.)

Understanding the Regulations

To meet the upcoming deadline, financial institutions need to be well versed in the intricacies of the new rule. The rule has two components:

  1. The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incidentthat rises to the level of a “notification incident.”
  2. The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

Focusing on the financial institution expectations under the final rule, a couple of definitions must be understood.

  • A computer-security incident” could include almost anything: a hardware or software failure, an innocent mistake by an employee, or a malicious act by a cybercriminal. However, the incident must result in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
  • A “notification incident” is defined as a significant computer-security incident that has materially disrupted or degraded a banking organization in at least one of these areas:
  • its ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base in the ordinary course of business
  • its business line(s), including associated operations, services, functions, and support that, upon failure would result in a material loss of revenue, profit, or franchise value
  • its operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

In the event an incident rises to the level of a “notification incident,” the banking organization’s primary federal regulator must receive this notification as soon as possible, and no later than 36 hours after the banking organization determines that a notification incident has happened.

Recognizing the Gray Areas

The words “material” and “materially” are key terms; so much so that they are used 97 times in the 79-page guidance about the ruling. But beyond an “enterprise-wide” impact, the regulation does not precisely define these concepts, so financial institutions will need to specify what this term means to their organization as a whole. And since a determination of materiality is a prerequisite to starting the 36-hour “clock” for notification, they should do so ahead of time. The undefined nature of “material” to each organization creates a gray area open for interpretation that not only allows institutions some flexibility in this area but also opens the door for differences in opinion between an institution and its regulator.

In another gray area, the rule does not impose any specific recordkeeping requirements, which is a reduced burden. However, we strongly recommend keeping at least basic documentation in case the examiners ever question why your institution did or did not decide to escalate an event from a computer-security incident to a notification incident, and why it started the “clock” when it did.

Preparing for the Unknowns

At this stage, there are some unknowns about the implications of the new cyber incident notification requirements. One of the unknowns discussed in our recent webinar was related to an official contact person and method for each primary federal regulator. This has since been addressed and we recommend incorporating the following verbiage into the regulator notification section of your Incident Response Plan:

FDIC institutions:

  • Notification can be made to the case manager (primary contact for all supervisory-related matters), to any member of an FDIC examination team if the event occurs during an examination, or if the primary contact is unavailable, the FDIC may be notified by email at: incident@fdic.gov.

OCC Institutions:

  • Notification may be done by emailing or calling the OCC supervisory office. Communication may also be made via the BankNet website, or by contacting the BankNet Help Desk via email (BankNet@occ.treas.gov) or phone (800) 641-5925.

Federal Reserve Institutions:

  • Notification may be made by communicating with any of the Federal Reserve supervisory contacts or the central point of contact at the Board either by email to incident@frb.gov or by telephone to (866) 364-0096.

Another unknown as of the date of this post: Will the State banking regulators also require notification if a federal regulator is notified? The unofficial initial indication we have received is ‘Yes,’ but it would be good practice for institutions to check with their state regulator. Chances are regulators will request this, but whether or not it will be a requirement is still unknown.

Steps to Take Now

There are additional steps financial institutions can take now to be better prepared to address the requirements of the computer-Security Incident Notification Rule.

  • Our primary recommendation is for institutions to expand the notification section of their incident response plan to include the criteria for determination of a notification incident, and to add the regulator contact information above.
  • Institutions should also define “materially” for their organization and predetermine the meaning of “materially disrupted or degraded,” or what constitutes a “material portion” of their customer base.
  • Third-party contracts should contain verbiage obligating them to notify your institution under certain circumstances as required by the new rule. We also strongly advise designating an official contact person within your institution — whether it’s the CEO, CIO, or ISO — who should receive incident notifications from your third parties. It’s also prudent to specify a backup contact person—and make sure vendors know who the primary and alternate contacts are to ensure a smooth notification process.

For more information about this important topic, access our webinar on “New Cyber Incident Notification rules: How to Get Prepared”, or this recent blog post from Compliance Guru.

05 Nov 2021
Minimize Examiner Scrutiny by Automating Compliance Processes

Minimize Examiner Scrutiny by Automating Compliance Processes

Minimize Examiner Scrutiny by Automating Compliance Processes

Financial institutions can expect to receive increased auditor and examiner scrutiny over their governance and oversight practices, and inconsistencies between procedures and practices will often result in findings. However, these challenges can be minimized or even eliminated by using automation to manage compliance processes.

Incorrect or Outdated References

One of the most widespread exam issues institutions encounter is due to policy inconsistencies, where incorrect or outdated references are used. Mentioning outdated guidance in policies is one of the most common offenses that institutions commit. For instance, referring to an older term like SAS 70 (Statement on Auditing Standards No. 70) or SSAE 16 (Statement on Standards for Attestation Engagements No. 16) instead of the newer SSAE 21 (Statement on Standards for Attestation Engagements No. 21) could be dismissed as a minor oversight, but it could also be considered a “red flag” causing examiners to question whether the institution has properly updated its policies, resulting in further scrutiny. A weakness in one area strongly suggests that there may be other weaknesses.

Another example of this type of issue is referencing “business continuity planning” (or BCP) versus “business continuity management planning” (or BCMP). Again, this would be a minor mistake because the term business continuity planning is not necessarily obsolete; still, it’s not consistent with the most recent guidance, and could lead to deeper dives in other areas. (In 2019, the Federal Financial Institutions Examination Council (FFIEC) issued the Business Continuity Management booklet. This guidance, part of the FFIEC Information Technology Examination Handbook, replaces the Business Continuity Planning booklet issued in February 2015.)

The problem with employing slightly outdated terminology also applies to phrases like “maximum allowable downtime” (MAD) and “maximum tolerable downtime,” (MTD) which is the newer reference. Examiners and auditors will accept either phrase so this is not a critical issue, but the use of dated terms can instill doubt in examiners and make them inclined to dig deeper into the institution’s policies.

Procedure and Practice Inconsistencies

Disconnects between policies and practices are another frequent exam challenge for institutions. Ideally written procedures should not contain statements that contradict the institution’s actual practices. In other words, your actual practices should as closely as possible reflect what you say you’ll do in your written procedures. For instance, there would be a procedure/practice inconsistency if the password policy of the information security program required eight characters, and the acceptable use policy (AUP) that employees signed allowed passwords of a different length. This type of inconsistency will almost certainly lead to further issues with examiners and auditors.

Another key area of focus for examiners and auditors is board reporting. Disconnects can occur if the information presented to the Board is not properly documented in Board minutes. This challenge is compounded by the sheer volume of information modern Boards are required to digest. The only way to make sure board minutes contain all pertinent details is to periodically review them. This will help ensure that the content of board meetings is consistent with both examiner expectations, and your written procedures.

Integrating Automation

In addition to changes in guidance terminology or updates to guidance policies, an institution’s procedures can and do change periodically as well. So contradictory statements resulting from policy updates are inevitable. Still, financial institutions must be aware of guidance changes and must also ensure their current procedures align with their practices and are consistent across all documents to make sure they comply with industry guidance and regulations. While this is easier said than done, technology can make it easier for institutions by providing regular updates to accommodate changing regulations and trends as well as make it more feasible for them to identify inconsistencies between their policies and procedures.

For example, a simple way to assess your potential exposure to procedural disconnects is to search through the documents in your institution’s information security program, for statements that include the words “will,” “must” or “shall.” Each of these statements contains an obligation of some sort; something you’ve committed to doing. For each occurrence, determine if A) it’s being completed exactly as indicated, B) by the group or individual assigned responsibility, and C) it’s being performed at the designated frequency or interval. Automation can help track these tasks and provide the necessary proof in the form of documentation. Additionally, most policies will make multiple references to the same task; business continuity may be referenced in information security, incident response in business continuity, vendor management in both information security and business continuity, etc. A change to a procedure or practice in one document should automatically trigger the associated changes elsewhere.

Integrating automation into the equation can help institutions streamline their methods for managing a variety of compliance changes and issues and greatly reduce the most common causes of findings due to disconnects and inconsistencies. Automation can make it easier to maintain more consistent and complete integration in areas throughout the organization, including information security, risk management, network management, vendor management, and business continuity management. Ultimately, automated updating, tracking, reporting, and other tasks can facilitate better preparation for exams and audits, and greatly reduce stress levels!

To learn more about how automating routine procedures can help financial institutions avert auditor and examiner criticism, listen to our webinar on “Managing Your Compliance Processes in 2021: Is There a Better Way?”

If you’re not certain where to begin when it comes to automating your compliance processes, check out our new service, COMPaaS™ (Compliance as a Service). This set of connected applications and powerful monitoring and reporting tools can be customized to target and eliminate your institution’s specific compliance pain points. One of our experts will help you create a solution that is unique to your institution, so you only pay for the services you need. And you can feel confident in choosing from products and services that are backed by nearly 30 years of experience in the banking industry.

09 Aug 2021
Third-Party Solution Makes It Easy for Community Bank to Enhance InfoSec Program

Third-Party Solution Makes It Easy for Community Bank to Enhance InfoSec Program

Third-Party Solution Makes It Easy for Community Bank to Enhance InfoSec Program

Implementing a technology-enhanced information security program doesn’t have to be a daunting task. Working with a third-party expert can make the process easier and smoother than managing all the requirements completely in house.

Effective information security (InfoSec) allows organizations to safeguard key IT assets, business processes and data from potential threats. It involves the broad measures that ensure the confidentiality, integrity and availability of the information being processed and stored by computer systems. Most financial institutions, especially those with limited IT resources, can benefit from having an outside vendor provide additional technical expertise and solutions to enhance their existing InfoSec program.

First State Bank Improves InfoSec with Safe Systems

First State Bank of Blakely, Ga. is a prime example of how a financial institution was able to tap external resources to expand its InfoSec program. The bank, which has about 100 employees and 10 branches, was handling most of its InfoSec requirements in house. But when First State Bank’s InfoSec consultant retired, the bank opted to expand its vendor management relationship with Safe Systems to include information security.

Safe Systems made the implementation quick and easy, recommending strategic tweaks that significantly streamlined the process. Consequently, First State Bank was able to avoid “reinventing the wheel” by importing some of its existing information. And since the program elements are web-based and accessible through any internet browser, it will be easy for the bank to make future edits.

First State Bank’s IT Manager, William Barnes, specifically references Safe Systems’ expertise, saying: “The knowledge and experience of the experts I worked with during implementation were very helpful. It is good to know they are there to consult with. I think overall, we are in a good place with the new information security program.”

In addition, the program provides an easy-to-follow guide for securing the First State Bank’s operations and processes. The program is reviewed at least annually, which serves as a reminder of important security requirements. “It helps us stay on top of the risks within the bank and has all the available forms that we need for most policies and procedures,” Barnes says.

Benefits of Technology-Enabled InfoSec

Having a technology-enabled InfoSec program offers a host of benefits for institutions like First State Bank. In general, an automated security program can help banks better support the hardware, software, policies, procedures, and information assets needed to accomplish their business objectives. More specifically, incorporating technology can simplify an InfoSec program; it can streamline the process of identifying and classifying the vast number of assets institutions often have scattered across multiple branches and geographic locations. And a built-in risk assessment tool can provide pre-determined default risks for different assets based on commonly known threats and vulnerabilities.

All of this can reduce the need to create huge spreadsheets to maintain the amount of data typically required for an InfoSec program. As a result, financial institutions can have more accurate security-related information, enhanced board reporting, and better decision making and governance.

Consulting with a trusted vendor like Safe Systems allows institutions to immediately expand their information security expertise and resources. Safe Systems includes three applications in their service including Risk Assessment, Policy Manager, and Enterprise Modeling, to help banks and credit unions centralize and automate their InfoSec program. These powerful applications can make it easier for institutions to enhance their processes for assessments, notifications, reporting, policy/procedure updates and regulatory compliance so they can optimize their security posture.