Tag: regulatory compliance

11 Mar 2021
Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s essential that banks and credit unions maintain segregation of duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the overall health of their operations.

From a regulatory standpoint, the separation (or segregation) of the ISO’s duties is the corrective action to a concentration of duties finding. Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Information Security booklet. The booklet states: “ISOs should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management.”

The FFIEC also provides guidance on this matter in the IT Handbook’s Management booklet. “The institution should separate information security program management and monitoring from the daily security duties of IT operations. The IT department should have personnel with daily responsibility for implementing the institution’s security policy,” the booklet explains. “Responsibility for making changes and granting exceptions to policy should be segregated from the enforcement of the controls.”

Oversight Is the Key Issue

The importance of isolating the ISO’s duties comes down to oversight: separating the functions of the ISO and the network administrator creates a clear audit trail and ensures that risk is being accurately assessed and reported to senior management. Without proper oversight reporting, financial institutions and their boards lack a clear picture of their information security posture and can face other negative repercussions, such as downgrades in their Management IT component.

If, for instance, the ISO shares administrative duties and an administrator account, the oversight dynamic is undermined. As an example, the admin may have day-to-day responsibility for patch deployment, but the ISO, not the network administrator, is ideally suited to monitor and validate the overall patch management program. The ISO has a higher-level, enterprise perspective of the impact of day-to-day activities, whereas the admin is at the ground level and may not always be capable of accurately assessing the full impact of performing, or not performing, a particular task. In short, “oversight” means having another set of eyes validate the actions of someone else, which is impossible when both sets of eyes belong to the same person or the same account.

Understanding the Role and Duties of the ISO

The ISO’s oversight role primarily serves to ensure the integrity of a financial institution’s information security program. In essence, by segregating the admin/ISO duties, ISOs are the “other set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders.

The responsibilities of the ISO are clearly outlined in the FFIEC’s Information Security and IT Management booklets. Some of the ISO’s key duties include responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.

However, in fulfilling these obligations, ISOs are expected to continually meet a high standard of information privacy and security. It’s imperative for institutions to not only assign the proper responsibilities to the ISO but to also select the right individual to assume the role.

Banks and credit unions often have difficulty designating an ISO with the appropriate technical and regulatory compliance expertise. Institutions in rural or small communities—where the talent pool is meager—might even have their chief financial officer or chief operations officer wear the hat for this “part-time” job. Regardless of these challenges, community institutions are expected to maintain the same level of segregation of duties as larger institutions. Size and complexity considerations may allow for some leeway in the timing of the separation, but not the ultimate outcome.

Leveraging a Virtual ISO

For every responsibility, there is an associated piece or set of documentation that must be provided to demonstrate adherence to and alignment with your formal written procedures. Not having an ISO with the requisite knowledge and/or time to effectively manage the assigned responsibilities of the position can result in control failures—and possibly policy or procedure non-compliance. In some cases, financial institutions may have a separation of duties “on paper”, but not so in practice. Again, the absence or presence of oversight is the key.

In fact, feedback from examiners indicates that because of the lack of oversight, there is a certain level of concentration of duties that cannot be adequately addressed internally. But institutions can remedy this problem by engaging a third-party, virtual ISO to add assurance that all responsibilities are being successfully addressed. A virtual ISO can provide another set of eyes and an independent layer of oversight on top of what the institution already has in place internally.

Virtual ISO services from Safe Systems, a national provider of fully compliant IT and security services, can be the ideal solution for community banks and credit unions. Safe Systems has proven experience in providing institutions with dependable technical expertise to ensure there is adequate separation of ISO-related duties within their organization—enhancing network security and significantly increasing regulatory compliance.

14 Jan 2021
Looking Ahead to 2021: A Regulatory Compliance Update

As we mentioned in our previous blog, the Pandemic dominated the regulatory landscape early in 2020, and cybersecurity dominated the last few months of the year. This double-whammy forced financial institutions to quickly make operational adjustments to their procedures and practices. In the previous post, we explored the Pandemic. In this post, we’ll summarize the regulatory focus on cybersecurity in 2020, and look ahead to 2021.

Focus on Ransomware

The escalation of ransomware attacks (also referred to as destructive malware) has prompted a greater focus on addressing this aspect of cybersecurity. On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to alert companies about possible sanctions for facilitating ransomware payments. Financial institutions should be aware that they (and their cybersecurity insurance provider) could be in violation of OFAC regulations should they decide to pay a ransom to anyone on the Specially Designated Nationals (SDN) list. This would place the institution on the hook for payments made by themselves, or by any third-party on their behalf. Institutions should address this issue during incident response testing by including their cyber insurance company and making sure they know that paying a ransom could trigger penalties or sanctions.

The heightened emphasis on ransomware also led to the release of a new Ransomware Self-Assessment Tool (R-SAT) in October 2020. Developed by the Bankers Electronic Crimes Taskforce (BECTF), the U.S. Secret Service, and state bank regulatory agencies, the R-SAT follows established best practices to help financial institutions reduce their risk of ransomware. We have reports from several banks around the country that their State examiners are requesting completion of the R-SAT prior to their examination. Unlike the CAT, the 16-question tool only allows “Yes” or “No” responses; it does not give users the option to answer “Yes with compensating controls”. This lack of flexibility does not work in the favor of smaller, less complex financial institutions, which may have informal practices in place that still accomplish the same objectives as the more formal practices of the larger institutions.

Nonetheless, the yes/no response format should not be an issue if institutions have already taken steps to address ransomware and, more broadly, cybersecurity. They can simply point regulators to relevant supporting details (completed CAT assessments and incident response plans and tests, for example), and that should be sufficient to demonstrate compliance. It’s also important to note that what we’ve heard from state regulators is that they are not strictly requiring institutions to employ the R-SAT, only that they intend to use the assessment as a starting point for further discussion. Increased discussion surrounding shared cyber threats facing financial institutions is never a bad thing!

Finally, the OCC released their semi-annual Risk Perspective in November and singled out cybersecurity as a key operational risk. While they point out that overall banks have adequate cybersecurity systems, they have seen some weaknesses related to IT, change management, and information security. We can expect increased scrutiny in these areas, and cybersecurity generally, for the foreseeable future.

What to Expect in 2021

One common denominator between the Pandemic and cybersecurity is the concept of resilience. Resilience, or the ability to withstand and recover from unplanned and unanticipated events, is all about proactive as opposed to reactive measures. It equates to implementing procedures ahead of time—rather than just responding to past events—to reduce the risk of operational downtime. Granted, the impromptu procedures established during the COVID-19 pandemic, or following a cyber-attack, are reactive in nature. But, once firmly in place and tested in the real world, they become the proactive resilience measures ready for when the next event occurs.

One additional factor common to both the Pandemic and cybersecurity is proper management and oversight of third parties. We expect that examiners will scrutinize how institutions manage the third-party lifecycle: from the initial decision to engage the third party, to assessing and controlling ongoing risk, to disengagement at the end of the relationship. One element attracting attention is whether you are tracking the complementary user entity controls for critical vendors. These are found in the vendor’s SOC 2 report and list the controls the vendor expects you, the customer, to operate; the vendor’s own controls only deliver their intended assurance when your side of the arrangement is in place. Be aware of these vendor expectations, and document how you’ve addressed them.

In summary, take extra precautions in 2021 relating to cybersecurity (particularly ransomware), another potential Pandemic event, and third-party management. Document everything you’ve done or plan to do (e.g., resilience measures), and most of all stay flexible. If we’ve learned anything from 2020, it’s to expect the unexpected!