Virtual ISO Archives - Safe Systems

08 Feb 2024

Banks, Compliance, Credit Unions Safe Systems 0 comment

The Importance of the ISO Role in 2024

The role of the Information Security Officer (ISO) in financial institutions continues to increase in responsibility and accountability year over year. The security challenges of community banks and credit unions are expanding as data breaches, targeted attacks, and cybersecurity threats become more pervasive. ISOs must be equipped to guide their institution through the complexities of addressing security threats in the current environment. The ISO job function—which should exist as a separate role within the institutions—should go beyond focusing on overall policy development, risk management, and working with high-level executives to also include visibility and accountability for technical activities on internal systems and with technology service providers (TSPs). This ensures that all security strategies are being implemented and managed according to organizational objectives.

Regulatory Expectations and Requirements

While the role can vary among different financial institutions, today’s ISO has leadership responsibilities that involve crucial areas like cyber risk assessment, regulatory compliance, business continuity planning, and incident response. Other key duties include the technology committee and board reporting and preparing for and responding to audits and exams.

In terms of regulatory expectations and requirements, today’s ISO is responsible for proving its institution has met all relevant regulatory requirements and is protecting all the data, records, and personal information of its customers/members. In addition, the Federal Financial Institutions Examination Council (FFIEC) requires all institutions to have a designated ISO that is responsible and accountable for implementing and monitoring the information security program. Although general information security management duties may be shared among various business lines, the ISO is responsible for providing stakeholders and decision-makers with sufficient information to support their oversight efforts.

Augmenting the ISO Role

As today’s ISOs expand their focus beyond conventional information security issues and duties, they will need more expertise and advanced tools to protect their institution against ever-changing cyber threats. The ISO will need to address more complex challenges relating to cloud security, artificial intelligence, and other technological advancements. Many ISOs with community FIs do not have the time, experience, or technology expertise to organize and manage these responsibilities. The good news is that financial institutions can augment any lack of expertise with a Virtual ISO (VISO) solution. A VISO does not remove the need for a resident ISO at the institution, but it can provide valuable expertise, perspective, and assurance that all periodic responsibilities are adequately addressed. Safe Systems’ virtual ISO solution, ISOversight™, offers access to a suite of applications, resources, reporting, and dedicated risk and compliance specialists to help community banks and credit unions manage the myriad of risk management and FFIEC Compliance responsibilities including accountability and visibility for anomalies and exceptions for technology and IT (Information Technology) security activities that could negatively affect non-public information and financial transactions.

Safe Systems is dedicated to sharing knowledge and providing training around this critical role. Our IT and Information Security Compliance experts have hosted numerous “ISO 101” classes and webinars that focus on the requirements of the role within today’s regulatory framework and the accountability factors among the various stakeholders. Our next webinar, “Protect, Detect and Respond: Prioritizing Cybersecurity Management in 2024” will discuss the regulatory trends we saw in 2023 and share real-life experiences to help you enhance cybersecurity management efforts and build resiliency. Join us on Wednesday, February 14 at 2:00 PM ET.

30 Nov 2023

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

Important Industry Insights on the Use of Anti-Malware and Advanced Features for Ransomware Protection

According to the IC3 2022 Internet Crime Report, the FBI received 2,385 complaints identified as ransomware with adjusted losses of more than $34.3 million. Moreover, 870 of these complaints indicated that organizations belonging to a critical infrastructure sector, such as financial services, were victims of a ransomware attack. This makes it imperative for banks and credit unions to employ a variety of measures to protect themselves against the growing threat of ransomware attacks. Yet many financial institutions that are leveraging anti-malware solutions are not using advanced features that can help protect against ransomware threats. According to Safe Systems’ 2023 Cybersecurity Outlook for Community Banks and Credit Unions, advanced features for anti-malware/anti-ransomware solutions such as root cause analysis, advanced machine learning algorithms, and sandbox analysis only received 12% or less of the answers among the survey participants.

With advanced features, financial institutions can more effectively monitor security threats on endpoints and ascertain the source and extent of an attack. Institutions that want to enhance their ability to detect and respond to threats might consider expanding their cybersecurity budget to increase spending on advanced anti-malware and endpoint protection features.

Recovery Strategies

As part of their recovery strategies, more than one-third of 144 survey respondents say they have implemented notification measures, including notifications to customers, regulators, and applicable insurance carriers. This is critical given the recently finalized interagency Computer-Security Incident Notification Rule. It requires banking organizations to notify their primary federal regulator about any significant “computer-security incident” as soon as possible after a cyber incident happens. (A computer-security incident, as defined by the rule, is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.) Nearly 30% also leverage other important recovery strategies such as monitoring for the early detection of potential incidents and eliminating intruder access points.

Other Key Security Issues

In addition to shedding light on how institutions use advanced features for anti-malware/anti-ransomware solutions, our comprehensive survey highlights several other security issues, including Microsoft 365 services, email infrastructure, advanced firewall features, vulnerability and patch management, and more. Banks and credit unions must effectively address all of these areas to stay ahead of the constantly evolving cybersecurity landscape.

Download a copy of our latest white paper to read the complete survey findings, which can provide a deeper understanding of current cybersecurity concerns and best practices to enhance your institution’s security posture.

16 Nov 2023

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

What You Need to Know from the 2023 Cybersecurity Outlook for Community Banks and Credit Unions

As cyber threats become more complex, aggressive, and prevalent, implementing cybersecurity mitigation strategies is becoming more critical in the financial services sector. Not surprisingly, cyber preparedness and budget restraints are the top security challenges for more than half of the financial institutions that responded to the Safe Systems survey, 2023 Cybersecurity Outlook for Community Banks and Credit Unions.

Our analysis presents input from approximately 160 participants who responded to 55 questions (including multiple-choice) based on how relevant each query was to their organization.* In addition to focusing on the top security challenges, the survey highlights respondents’ input on several other critical areas, including:

Prevention and Detection Security Layers: Modern operating environments require a more robust security strategy that goes beyond implementing a basic firewall or anti-malware solution to protect their information and infrastructure from the growing number of cyber threats. Survey respondents are implementing multiple security layers, including firewall, patch management, anti-malware, email encryption, employee training and testing, vulnerability monitoring, and security log monitoring. However, less than 50% of all respondents use every security layer listed in the survey, which indicates they can do more to protect themselves against cyberattacks.
Employee Security Awareness Training and Testing: 95% of all cybersecurity issues can be linked to mistakes made by individuals, with 43% of breaches attributed to insider threats, according to the 2022 Global Risk Report by the World Economic Forum, making employee security awareness training and testing critical for financial institutions. Accordingly, survey respondents are deploying multiple types of security training, including simulated phishing attacks, self-service online training and exercises, interactive classroom training, and more. Of the 144 participants responding to this question, 60% indicate they conduct individual training based on need, which is notable because this method of instruction normally requires more time and resources.
Advanced Firewall Features: A majority of the participants responding to this question indicate that they are using one or more advanced firewall (or next-gen firewall) features, such as intrusion prevention or detection systems (IPS/IDS), transport layer security (TLS)/secure socket layers (SSL), and Geo-IT filtering. Whether managed in-house or through an outside provider, these expanded capabilities can help institutions protect their network and institution against a broad array of threats. Sandboxing, for example, provides a safe, isolated environment to execute and observe potentially malicious code from unverified programs, files, suppliers, users, or websites. Out of 135 respondents, only 24% indicate they have sandboxing despite its ability to identify threats.
Cybersecurity Preparedness: Examiners recognize the increasing volume and sophistication of cyber threats and have an increased focus on cybersecurity preparedness in assessing the effectiveness of an institution’s overall information security program. Out of 128 respondents, 52% confirm that the focus on information security, including cybersecurity, has increased during their IT audits and exams. IT examiners and auditors are also reviewing whether institutions have completed any of the common cybersecurity assessments (e.g., CAT, ACET, or CRI/NIST), and they are using them to evaluate institutions’ security posture during an exam. According to the same respondents, 43% say they had their cybersecurity assessment reviewed and used as part of their latest IT exam, and 39% indicate that they received recommendations based on it.

To access the complete survey and gain valuable peer-to-peer insights that can help your institution enhance its cybersecurity decision-making process, read “2023 Cybersecurity Outlook for Community Banks and Credit Unions“.

* The number of respondents varies per question. For multiple-choice questions, the Percent (Respondents) is calculated by dividing each answer count by the total unique respondents, and the Percent (Answers) is calculated by dividing each answer count by the total counts collected.

06 Oct 2023

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

2024 Budgeting for Technology and Cybersecurity in Community Banks and Credit Unions

In the modern banking landscape, technology and cybersecurity are not just optional extras but fundamental necessities. For community financial institutions—which often operate with more limited resources than their larger counterparts—budgeting wisely in these areas is critical. Failure to properly invest could not only compromise efficiency and customer service but also expose institutions to potentially devastating cyber threats.

There are three categories that community banks and credit unions should consider when allocating budgets: cybersecurity, compliance along with its associated regulatory technology (RegTech), and general technology. Here are important considerations for each of these areas:

Cybersecurity

Cyber threats are ever-evolving, and no financial institutions are immune. Measures such as firewalls, encryption, and intrusion detection systems are basic requirements. Financial institutions also need to go further by investing in regular security audits and employee training. In today’s threat landscape, allocating a sufficient budget for cybersecurity measures is non-negotiable.

The best technology and cybersecurity measures are only as good as the people who use them. Community banks and credit unions should set aside funds for regular training programs to ensure staff are up to date with the latest technologies and security protocols. There are some great tools available that provide training and testing and run phishing simulations to see which employees may be your weakest links.

The odds are that at this point, your institution has an account in Microsoft’s cloud solution, Azure. OneDrive, Exchange Online, and many other Microsoft solutions are connected to Azure and may even be part of your Microsoft license. It is important to review the Azure tenant or management console to ensure you are dictating your security settings and not Microsoft. You can accomplish this through various ways including implementing conditional access policies (CAPS), which is the buzzword of 2023. If you are not using CAPs, you should immediately find out how to implement them and identify which ones are critical to your security. Also, Azure is a cloud-based management console, so if it is compromised, the ramifications can be detrimental. Monitoring key reports, accounts, and settings is critical for the long-term security of your institution.

Below are some real-life events and numbers that illustrate just how critical this type of management can be. (We discovered these events last year in our review of a small number of community financial institutions.)

Event:	Number of Times:
Successful sign-in from outside the US:	674 times
Sign in from outside the US (valid password but MFA failed):	37 times
Mailbox settings like (access to email, send on behalf of, forwarded) changed:	1,970 times
OneDrive files shared externally:	708 times
Administrative roles assigned to user:	1,607 times
Large number of failed sign-in attempts for a user:	11,116 times

While some of the numbers above represent actual intentional changes, the sheer volume indicates that a large number of these events are not approved/intended actions made by the institution. Obviously, criminals are targeting these accounts. Hence, there is no option but to be proactive in monitoring and managing the security of your account with the appropriate settings, reports, alerts, and management. Also, note the multifactor authentication (MFA) stat. It only happened 37 times, but this signifies that there were 37 times MFA was the difference between protection and compromise. This underscores the urgent need to implement and maintain MFA.

Lastly, evaluate your firewalls. At this point, a next-generation firewall (NGFW) is a must. According to Gartner, NGFW are firewalls that have moved past just port/protocol inspection and have added application-level inspection. Advanced firewalls also have integrated intrusion prevention built into the solution, along with the ability to bring in intelligence from outside the firewall. A prime example of this is the FS-ISAC intelligence feed. Other advanced features may include sandboxing, SSL inspection, and other more advanced features to improve your cybersecurity posture. If you have an older firewall not based on NGFW, you simply may not have all of the features you need to effectively protect your network.

Compliance and RegTech

Regulatory requirements are becoming increasingly complex, and failing to meet them can affect both the institution and the people in charge of managing these risks. Investing in RegTech can automate and streamline compliance processes, making it easier for community banks and credit unions to adhere to pertinent laws.

These investments may take the form of a virtual information security officer (VISO) service, which has become extremely popular lately. The workload and expectations of an ISO have intensified in recent years. Many community financial institutions are looking for a virtual solution to augment the ISO responsibilities and processes. A benefit of VISO services is they provide continuity if and/or when there is a personnel change in this critical position inside the institution.

In June of 2023, regulatory agencies released new guidance for managing third-party risk, formally or often referred to as vendor management. Expect 2024 to be a year when the agencies expect these guidelines to be implemented at financial institutions. If you manage your vendor management/third-party risk management in-house, you could have some work to do to implement these changes. It may be time to consider an application to manage these ever-changing requirements for you. If you already use an application to manage third-party risks, be sure the needed changes have been updated and you are trained on how to use them.

General Technology

A key focus for technology today concerns what to move to the Cloud and when. Moving infrastructure to the Cloud is often a trade-off between operational versus capital expenditures as well as the benefits versus the perceived risks of the Cloud. Moving servers to the Cloud in 2024 will make sense for a lot of institutions. However, it is more likely that many institutions will receive their solutions via a cloud service provider. Most services and applications vendors have found it easier to manage the server themselves and offer the solution through the Cloud rather than have it installed on different hardware across their customer base. Expect this consolidation and movement to cloud-based solutions to continue and budget accordingly. If the vendor is transferring responsibility from you and your employees to themselves by hosting the service, expect the licensing or price to increase. Even if the licensing cost goes up, you may still gain a net benefit as you no longer have to maintain, upgrade, and manage hardware.

Another technology to consider moving to the Cloud is disaster recovery. There are very few solutions that allow for redundancy, recovery time, minimization of management/ownership challenges, etc., which is why cloud-based disaster recovery is an excellent option. A fully managed cloud recovery process can decrease your recovery time objectives by significant amounts and remove a lot of duplicated hardware. If your disaster recovery solution isn’t in the Cloud or if you are not convinced that what you have in place is as robust as you need it to be, consider the Cloud as a viable alternative.

Conclusion

Budgeting for technology and cybersecurity is a complex task that requires a keen understanding of current needs, future trends, and emerging threats. By allocating resources wisely across these critical areas, community banks and credit unions can secure their operations, enhance customer experience, and stay ahead in a competitive marketplace.

02 Jun 2023

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

The Virtual ISO: Best Practices for Maximum Effectiveness

The concept of a virtual information security officer (VISO) has been gaining more traction with regulators and financial institutions. In the past, regulators have said very little about institutions using a virtual ISO. But recently, the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), National Credit Union Administration (NCUA), and Federal Reserve System have expressed at least conditional approval of the idea. They indicated that virtual ISOs can be a viable option—as long as their activities are subject to the same oversight requirements as in-house ISOs.

These regulators caution financial institutions to be careful when considering the risks and benefits of using a virtual ISO. They advise institutions to do their due diligence prior to choosing an external ISO partner, just as they would before selecting any other key vendor or critical service provider. These and other best practices can help institutions strategically leverage a third-party solution to maximize the effectiveness of the virtual ISO role for their organization.

Approaches to Implementation

There are three broad approaches to implementing a virtual ISO solution: do-it-yourself (DIY), hybrid, and off-load. These models come with specific benefits and responsibilities that institutions should carefully consider. Here is a summary of each approach:

DIY: This model typically provides some apps, tools, checklists, templates, and other pre-packaged components that allow institutions to fill in the blanks. One-on-one consultation with a human would be relatively limited and likely provided for an extra charge.
Hybrid: This approach often includes a complete set of tools: apps, templates, pre-configured reports, and sometimes pre-configured policies. Some consultation is also provided, which makes this model better suited to institutions that require a higher level of support.
Off-load: With this model, the virtual ISO vendor does most of the heavy lifting, providing extensive consultation, on-demand reporting, and other ISO requirements. However, as is the case with the hybrid model, the financial institution remains responsible for understanding and approving all actions taken by the vendor on behalf of the institution.

Our Virtual ISO Model

At Safe Systems, we offer a hybrid virtual ISO model—ISOversight™—that supports regulatory guidance on the ISO’s role as prescribed by the Federal Financial Institutions Examination Council (FFIEC). Our model is a moderately priced, middle-ground solution that is ideal for community banks and credit unions with limited internal resources. It combines a suite of integrated compliance apps with a dedicated lead consultant, allowing institutions to benefit from the expertise of our entire compliance department. What’s more, ISOversight provides institutions with a more objective, arms-length perspective on information security. The FFIEC Management Handbook states that “To ensure independence, the CISO/ISO should report directly to the board, a board committee, or senior management and not IT operations management.” Having these two critical roles formally separated makes it easier for the network administrator to be in more of a support function for any resident or virtual ISO, which can minimize audit or exam findings related to a possible “conflict of interest” or “concentration (or separation) of duties.”

Although the apps are useful tools that assist institutions with day-to-day tasks, the key to ISOversight’s effectiveness is the consultive and advisory piece provided by the ISOversight lead consultant. Our consultants are all information security subject matter experts, with decades of experience. We know what tasks need to be completed, with what frequency, and by what groups or individuals. We hold regular touchpoint meetings with the ISO, and often the network administrator and other third-party consultants, to ensure institutions stay on track. After each touchpoint, we also provide a comprehensive point-in-time summary report on the current status of their information security processes that the ISO can then present to the steering committee and the Board.

In addition, our consultants will often engage with clients as they prepare for and respond to an audit or exam, but it’s not unusual for us to consult directly with the auditor and examiner during the engagement. We encourage this, as it helps ensure the FI is providing auditors and examiners with exactly what they are requesting (no more and no less), which avoids unnecessary confusion, possible issue escalation, and over (or under) commitment by management. In addition to the advisory piece, the ISOversight apps keep things organized, making it easier for customers to manage their policies and procedures and all the associated documentation, and provide customizable email alerts when tasks come due.

To date, we have found that ISOversight has proven to be a great fit for many institutions and for many different reasons. For example, it is extremely helpful in situations where the IT administrator or ISO has recently left or has transitioned to a new role. Another good application for the virtual ISO role is when the size and complexity of the institution make the day-to-day information security responsibilities too burdensome, or when the institution just wants to free the existing admin or ISO from the uncertainty of the rapidly evolving regulatory landscape.

Whether it’s third-party risk management, business continuity management, cybersecurity, or strategic planning, guidance is clear that ISO’s have very specific responsibilities and should be held accountable for their completion. ISOversight assures all tasks the ISO is responsible for are addressed in a timely manner, that all current regulatory guidelines and best practices are met, and just as importantly that on-demand, stakeholder-specific documentation is available to confirm all related activities. Ultimately, selecting the right virtual model and the right vendor can often translate into “cleaner” audits and exams, resulting in a less stressful, more productive staff, a more compliant and more secure environment, and a better-informed management team.

To learn more about this topic, listen to our webinar on “The Virtual ISO: Best Practices for Maximum Effectiveness.”

20 Apr 2023

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Best Practices for a Successful ISO Transition

It can be challenging for financial institutions to lose an information security officer (ISO)—particularly for smaller community banks and credit unions. Since ISOs have broad responsibilities relating to data security and other vital areas¹, they play a critical role within the organization. Therefore, institutions must have a well-defined plan in place to keep an ISO’s transition or departure from adversely affecting their security posture.

There are many reasons an ISO may leave—retirement, a transfer to another role within or outside of the organization, or perhaps an unanticipated health issue. Whichever the circumstance, the reason for departure can significantly impact the transition process. For instance, if the position was vacated due to a planned retirement or staff reorganization, there can be a smooth transfer of duties between the outgoing and incoming ISOs. However, a sudden job change can result in a more complicated process.

There are two main facets of the ISO’s role that are critical to focus on during a transition: access to data and applications, and the continuity of the processes and responsibilities that the position encompasses.

1) Ensuring that access to data and applications is properly revoked, modified, and/or reallocated during an ISO transition is very similar to what happens when an IT Administrator leaves a financial institution. Although the IT and ISO roles (and their respective data access requirements) are different, the steps outlined in this article can help ensure information is protected when either role departs.

2) Some of the key areas of responsibility that must continue during an ISO transition include:

Infosec compliance, including regulatory guidance, written policies, written procedures, and documented practices
Oversight and coordination of data security efforts, including protecting the privacy and security of sensitive information belonging to the institution and its customers and members
Business continuity management and incident response programs, including exercises and tests
Third-party risk management (TPRM)
Cybersecurity assessments, gap analysis, action plans, and
Lead for steering committee meetings
Information security program status updates to the board of directors
IT audit and exam preparation, participation, and response

Planning Ahead

There are a number of strategies institutions can proactively implement to make an ISO’s job transition as successful as possible. A primary step to take is succession planning. This should be considered whether or not an ISO departure is anticipated. Regulators expect institutions to have a formal succession plan for all key leadership positions, and few roles are more critical than the ISO, as failing to maintain infosec continuity can leave an institution exposed and potentially more vulnerable to security issues.

Succession planning is often more problematic for smaller community banking institutions where employees typically wear multiple hats. Regulatory guidance requires that the ISO exist as a separate role within the institution. And while it is easy to designate an ISO successor on paper, an institution with limited staff may not have an employee with the appropriate knowledge, experience, and availability ready to step into the role. In addition, because of the potentially smaller talent pool in the geographic areas that community institutions serve, our experience is that smaller institutions often have difficulty finding good candidates.

However, if a solid succession plan is in place that includes both internal and external resources, the incoming ISO should at least have access to adequate experience and subject matter expertise to seamlessly step into the new role with minimal disruption. In a situation where there is seamless continuity, at least one of the following usually applies:

The employee replacing the ISO has been given sufficient prior notice and preparation, including cross-training and job shadowing.
Ideally, the incoming ISO has gained previous experience at a financial institution of similar size and complexity, or at minimum, managed information security in a regulated environment.
The institution has partnered (or can partner) with a third-party provider to augment the role with a virtual ISO (vISO) solution.

Getting Help to Ensure a Seamless Transition

To be clear, transitioning between ISOs can be challenging whether the institution grooms an internal successor, hires a seasoned outsider, or partners with a third party (or a combination of the three). In all cases, there will be some type of learning curve. Either a promoted employee will need time to build proficiency in the position, or a hired replacement (individual or third-party provider) will need time to get familiar with the institution. Inevitably, the probability of security gaps will increase during this transition period, and IT auditors and examiners know this too. For this reason, employing a third-party provider is often an effective way to maintain infosec continuity during a transition, and ensure that all IT and information security tasks and related activities are completed on time and properly reported to the various stakeholders.

The bottom line: ISO transitions are inherently challenging—and seamless continuation is critical as they directly impact a financial institution’s audit and exam success as well as overall security posture. Whether the job change is planned or unexpected, institutions can apply effective succession planning to minimize the disruption. They can also address any deficiencies in their own internal knowledge and expertise by partnering with a third-party provider like Safe Systems. As an example, a bank in South Carolina used Safe Systems’ Virtual ISO service, ISOversight, to support succession planning for its retiring ISO. This resulted in multiple benefits, including an interrupted security posture, improved business continuity management, third-party management, and strategic planning.

¹ISO responsibilities may consist of strategic planning, quality assurance, project management, InfoSec risk assessments, infrastructure and architecture security, end-user computing, and regulatory and legal compliance

08 Sep 2022

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

What to Budget for in 2023

Marty McFly (the lead character in “Back to the Future”) could not have predicted the world we live in today. Though the movie’s portrayal of flying cars, floating hoverboards, and shoes that lace themselves may have been a little far-fetched, we now have IoT, the Internet of Things. This powerful networking capability connects everything in our lives to a single electronic device that can be held in the palm of our hands. I can open my garage door, adjust the temperature of my house, set my alarm system, and even check the status of the clothes in my dryer—all from my mobile phone. Predictions are always a synthesis of art, science—and uncertainty. None of us truly knows what tomorrow will bring. We just know it will look a little different than it did today. With that in mind, it’s almost budgeting season, so here are my predictions for the top areas your bank or credit union should consider budgeting for in 2023:

1. Compliance Services

Compliance continues to be a strong focus for many community financial institutions. It’s important to be able to evaluate all your policies and programs to see where you may need assistance before your next exam. If you aren’t sure if your policies and programs are keeping up with regulations, you may want to hire a third party to provide an objective perspective. Companies like Safe Systems will often conduct a review as a courtesy or for a nominal fee.

You should also consider investing in these two popular compliance services that have gained traction in recent years:

Virtual ISO: There are several service models available, so make sure you find the one that matches your institution’s needs. (Check out our recent webinar that walks you through the pros and cons of three virtual ISO models.) For instance, Safe Systems’ ISOversight service includes a dedicated compliance specialist, along with a suite of online compliance applications to help you develop and manage your vendors, business continuity plan, Cybersecurity Assessment Tool, and information security program.
Vendor Management: Your assessment of a vendor should define what controls are needed to effectively mitigate risks posed by each vendor. Some critical or high-risk vendors may require reviewing documents like contracts, financials, or SOC 2 audit reports. Evaluating these documents can feel daunting because it can be time-consuming and understanding each type of document can require a different skill set. Many institutions are offloading the document review process to third-party companies to help them identify the key information in each document and better manage risk.

2. Supply Chain Issues

The supply chain issues that started during the middle of the pandemic have continued through 2022. Servers, switches, firewalls, and other hardware devices are still in limited supply. For 2023, continue to plan and order hardware well in advance of your needs. If you wait until you need it, you may encounter delays. Six months is the current lead time for certain devices. Also, when replacing a workstation in 2023, evaluate whether a laptop or desktop computer would be the best replacement. While laptops introduce some new risks due to their mobility, they also allow flexibility for users. If a laptop will enable an employee to work remotely during a disaster or pandemic, it may be more beneficial to switch to this laptop to optimize your hardware investment.

3. Cloud Security

Cloud security should continue to be top of mind. Although the Cloud offers plenty of advantages, it comes with numerous control settings, management tools, and security options that must be effectively configured and maintained to ensure the highest level of protection. This should be a key area of concern for not only institutions with infrastructure in the Cloud, but also those with M365 licenses—which include Exchange Online, SharePoint, OneDrive—or those using Microsoft Azure Active Directory as an authentication platform through a third-party provider. Too often institutions only think about hosting servers in the Cloud when it comes to cloud security. While moving infrastructure to the Cloud is a current trend, almost all institutions store some information there. Safe Systems has worked with several institutions with assets ranging from $100 million to multi-billion dollars and found that almost all of them had gaps in their cloud security when it comes to their cloud tenants. Some institutions had their email or user accounts compromised while others had the wrong M365 security settings in place, which left the door open to future compromises. Safe Systems’ CloudInsight suite of products includes M365 Security and Utility Basics solutions to detect common risks and help institutions better manage the increasing array of M365 security settings and controls. These reasonably priced options deliver a substantial amount of value, so contact us for a quote to determine if our CloudInsight solution will fit into your budget next year.

4. Cybersecurity

Cybersecurity must stay top of mind for both your institution and its employees. If you do not have a solution to train and test your staff on information security best practices, consider investing in one next year. These are typically not expensive solutions, and they provide exceptional value—as well as critical protection. It is estimated that cyberattacks are 300 times more likely to be targeted against financial services firms than other companies. If that isn’t enough to keep you up at night, then consider that Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025—and will be more profitable than the global trade of all major illegal drugs combined. Remember, where the money is, the crooks will follow. Every year you must evaluate your current security layers and decide if they are still effective and if you have enough of them in place.

“If it were measured as a country, then cybercrime—which is thought to have inflicted damages totaling $6 trillion USD globally in 2021—would be the world’s third-largest economy after the U.S. and China.”

Preparing for next year requires you to first evaluate where you are this year. You could decide to simply “rinse and repeat” what you did this year, but that would be a missed opportunity to really understand what is working, what isn’t, and what can be improved. Also, consider your institution’s short- and long-term plans. Sometimes what makes sense today doesn’t make sense when compared to your future plans for growth, increased redundancy, and more. While you can’t predict the future, you can at least ensure your 2023 budget reflects your best guess for where your institution is headed.

16 Jun 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Choosing a Virtual ISO (VISO)

The ISO’s role is becoming increasingly more complex and challenging due to growing cyber security threats, the ever-changing technology environment, and expanding regulatory expectations. It can be difficult for banks and credit unions to stay on top of information security issues. That’s why today even the smallest institutions often engage a trusted third party for help. A virtual information security officer (VISO) service can help institutions effectively manage information security so that nothing gets missed or falls through the cracks.

Common Types of VISO

The most common types of virtual ISO solutions available to institutions are the “do-it-yourself” (DIY), “hybrid,” and “offload” models. The DIY option is designed for institutions that have a solid grasp of the ISO’s job functions and just need some basic tools and limited consultation to enhance their efforts. This model is the least expensive but also requires more of a time commitment from your internal resources. The hybrid model may typically include an assortment of apps, templates, pre-configured reports, and other tools, along with a broader and deeper level of consultation. Resource requirements from the institution side are greatly reduced compared to DIY, but typically greater than offload. Accordingly, costs for a hybrid approach are somewhere between the two other models. The hybrid model also tends to be the most flexible and is designed to evolve with the changing needs of the institution. Finally, the offload approach attempts to provide a “turn-key” solution wherein the virtual ISO partner effectively assumes most or all the responsibilities of your internal ISO. This approach requires the least involvement from your institution (which could introduce other challenges…see the “Examiner Support” section below), but it is usually also the most expensive. As this model is the most inclusive, the knowledge and experience of the third-party provider are your most important consideration. The offload approach typically includes unlimited consultation, on-demand reporting, participation in committee meetings, etc.

Key Factors to Consider

When choosing a virtual ISO, there are some important aspects to consider to ensure your institution selects the best option. Keep in mind that each virtual ISO model comes with a certain level of flexibility and engagement for a specific price. The key is to carefully balance the service and costs against your specific internal resource gaps to determine the best solution for your situation. Ideally, whatever solution you choose should have the flexibility to dial up or down the level of service, depending on how your situation may change in the future.

Whatever virtual ISO solution you opt for, it should provide documentation and reporting in a form that the various stakeholders can understand. Each one of the many ISO responsibilities has one or more reports or documents that support the requirement to hold the ISO accountable for its responsibilities. The board of directors, the steering committee, the IT auditors, and examiners, all have different perspectives and comprehension levels and may require different degrees of detail for the same information. For instance, boards and examiners might require higher-level data, whereas steering committees and IT auditors might require more detailed documentation for their purposes. You should have access to on-demand reporting with relevant, actionable, up-to-date information that matches the level of engagement for the various stakeholder groups.

The regulatory guidance on ISO responsibilities includes terms such as “engaging with” and “working with” management in the individual lines of business to understand the risks of various initiatives. They also expect the ISO to “implement” the information security strategy as defined by the board, and to periodically “inform” the board and senior management on the status of the program. In the case of a virtual ISO, your hybrid or offload third-party partner needs to have an excellent understanding of enterprise-wide strategic objectives, and a good working relationship with management in all lines of business and within the different departments within your organization.

Remember, as with all outsourced activities, even though you can delegate some (or even most) of the heavy lifting to a virtual ISO, you cannot outsource responsibility. Your institution still must maintain a strong oversight effort to ensure that all ISO duties are completed, documented, and reported appropriately. Higher levels of third-party reliance require correspondingly higher levels of oversight. According to the Federal Financial Institutions Examination Council’s Outsourcing Technology Services booklet you are obligated to oversee all activities, whether you perform them, or a third-party performs them on your behalf.

Examiner Support

The examiner feedback we have seen to date strongly supports the idea of financial institutions implementing a virtual ISO solution “…as long as it’s done correctly.” That means focusing on all the responsibilities and accountabilities of the role and making sure sufficient documentation and appropriate oversight and reporting are built-in. Doing it correctly also means making sure the in-house ISO is not so detached from the processes and procedures that they cannot authoritatively explain them to a stakeholder, which can be the primary downside of the “offload” model. The decision-making process is the most important concern for regulators. Your solution should allow you to offload enough to make the ISO’s job easier and more organized, but not so much that they become disconnected and lose operational awareness of their current threat and control environment.

In conclusion, choosing the right type of virtual ISO service allows institutions to provide the appropriate level of insight and oversight for their in-house ISO. This can help them to be better equipped to manage information security activities, meet evolving industry standards, and adjust to tightening regulatory requirements, all in an increasing cyber threat environment.

At Safe Systems, we offer a virtual ISO service based on the above-described hybrid model. ISOversight™, is a VISO service that is flexible to accommodate the changing needs of community banks and credit unions. The ISOversight service includes a full suite of applications to manage everything from vendors to business continuity, along with all associated information security policies and risk assessments. This is a cost-effective, comprehensive, and flexible solution that makes information security management much more efficient. For more insight about the most common virtual ISO models and how to determine which one may be right for you, view our webinar on “Is a Virtual ISO Right for You?”

19 May 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

The Relationship Between the ISO and IT Administrator

IT administrators (IT admins) and information security officers (ISOs) have independent yet interdependent roles that are critical to their financial institution’s security, regulatory compliance, and overall success. Both individuals must maintain a separation of duties yet work closely together to achieve a common goal: ensuring their organization’s day-to-day activities appropriately support its policies and procedures.

ISO Responsibilities

ISOs oversee everything from network security (including cybersecurity) to vendor management, to strategic alignment of IT initiatives, to general information security regulatory compliance, all of which require having on-demand access to relevant, timely, and actionable information.

ISOs rely heavily on IT administrators to share data about the network, so they can translate that data into the information that will allow them to perform their duties effectively. Therefore, reports are an integral aspect of the IT admin-ISO relationship. ISOs depend on the data provided by IT admins to complete the enterprise-wide thinking and strategic planning that is needed to protect the bank’s information and other assets.

For example, an IT admin might extract data about the number of devices that have been updated with the latest patches and report this information to the ISO. The ISO would certainly be interested in the status of all devices but would most keenly be interested in the exceptions—the devices that have not been patched—as even a single unpatched device could represent a significant risk to the organization. In addition, the ISO must further evaluate the root cause behind the exceptions: do they represent a predictable lag between patch rollout and installation that will be resolved during the normal course of reboots; or do they represent a procedural deviation or deficiency? If the latter, the ISO could make a recommendation to revisit patch management procedures and practices

IT Admin Responsibilities

IT administrators are responsible for a variety of tasks, including managing computer systems, IT personnel, information systems, data backups, and network security—and providing ISOs with essential information on all those activities. Since IT admins may have a small staff—or might be the only IT person in the department—and have privileged access to the network, institutions must closely oversee their position. According to the FFIEC Information Security Handbook, Section II.C.7(c) Segregation of Duties:

“System administrators, for instance, have the most powerful role in the user access process and have unlimited access to an institution’s information assets and technology. Given this extensive access, management should evaluate the process for determining which individuals should be granted system administrator privileges. Such access should be appropriately monitored for unauthorized or inappropriate activity.”

The ISO in combination with the IT Steering Committee provides an important checks-and-balances process to ensure all systems are being effectively managed and maintained, and that status reporting is reliable.

ISO and IT Admin Cooperation

It’s important to remember that although the ISO and IT admin roles must be independent, they are also complementary since both entities are responsible and accountable for making sense of the vast amount of data flowing through their institution.

Because ISOs must utilize the information supplied by IT admins to produce the reporting necessary to periodically update senior management and the Board, and to authoritatively interact with IT auditors and IT examiners, this relationship must be cooperative. By maintaining a close working relationship, ISOs and IT administrators can make sure their actions support the institution’s IT strategic plan. Done properly, a successful ISO- IT admin relationship should in no way be adversarial, it should be mutually beneficial to both parties, as well as to the institution as a whole.

Obtaining Third-Party Support

Regulators place a high priority on the continuity and consistency of leadership for effective information security. At times, financial institutions will have ISOs and IT administrators leave their position either temporarily or permanently. When this happens, it can be beneficial to employ an internal committee/team or a trusted third party to help manage IT and information security.

A third-party partner can provide additional support while the ISO position is vacant, help a new employee transition into the role, or simply provide another set of eyes and an external layer of oversight to supplement what they already have in place. Collaborating with an external information security expert cannot only help the institution think more objectively, strategically, and proactively about risk during a time of transition but also when things are running smoothly. This can prevent problems later and position the institution to be stronger and more successful in the future.

Financial institutions can take advantage of a wide range of external resources designed to support the ISO and IT administrator roles. For example, ISOversight™, our virtual ISO service, offers community banks and credit unions a complete solution to help them master information security and manage compliance online. With ISOversight, institutions can make sure nothing gets overlooked, so they stay on track—which is vital with the complexities and constant changes in the technology and security environments.

25 Mar 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

The ISO in 2021: New Challenges and Expectations Require a New Approach

The ISO in 2021 Featured Image

One of the key lessons financial institutions learned from the COVID-19 pandemic is that regardless of new challenges and seemingly constant change, they were expected to ensure their customers and members continued to receive products and services uninterrupted. The past 13 months (and counting) have been a live exercise in operational resilience.

The current crisis—perhaps more than any even prior—has underscored the true scope of the Information Security Officer’s job. Technically, there are only eight broad areas of responsibility for ISOs outlined in the Federal Financial Institution Examination Council (FFIEC) IT Handbook’s Management booklet. But the actual scope of ISO accountability spans at least 36 elements. One of the key challenges and responsibilities of the ISO is stakeholder reporting, which is intricately linked to accountability. The relationship between responsibility and accountability is that while the ISO is responsible for making sure critical InfoSec tasks are completed, they are also accountable to the various stakeholder groups, which requires providing documentation that a task is being completed a certain way, with a certain group, or with a certain frequency.

To meet their accountability obligations, because information security is pervasive, ISOs must be engaged at all levels across the enterprise and in all lines of business. This requires understanding every place that data is stored, processed, or transmitted—whether it involves a customer or member, employee, or vendor. The ISO also needs to be aware of the latest emerging risks and be able to implement an effective mitigation strategy. Ultimately, ISOs need to be effective at translating information to the board, management committee, and IT auditors and examiners, in a manner in which these various stakeholders are best able to consume and comprehend it.

The expectations for ISOs also extend beyond the traditional area of ensuring the confidentiality, integrity, and availability of data. ISOs are also responsible for minimizing the disruption or degradation of critical services—which has emerged as the more urgent necessity during recent pandemic and cyber events.

Some of the early challenges ISOs faced during the pandemic ranged from the technical, such as securing virtual private network access, to the administrative, such as ensuring that employees have signed acceptable-use policies and remote-access agreements. Fortunately, we’ve found that most institutions adjusted well to the initial hiccups, resulting in minimal degradation in their services. However, cybersecurity promises to keep that pressure on for the foreseeable future, even post-pandemic.

Predictably, financial institutions are now seeing more exam scrutiny in three areas.

Business Continuity Management (BCM)

When the FFIEC implemented a BCM update in 2019, it created new terminology and new expectations that are finally beginning to emerge in exam findings.

Strategic Planning

The expectation for additional strategic planning is calling for more formal project management procedures. On the IT examination side, FIs are receiving requests for “pre-initiative” risk assessments, meaning that ISOs are expected to assess the risks of a project or initiative before they even agree to move forward and select a vendor. The FFIEC’s Development and Acquisition Handbook states that “Poor planning often contributes to projects failing to meet expectations.” This early stage is referred to as the “initiation” or “feasibility” phase of the project. Once the project clears this phase and moves forward, a vendor or vendors are selected, and vendor due diligence and on-going management can proceed. As the project proceeds to completion, management should be kept informed.

Board and Committee Reporting

Which is now focusing on not just what gets reported, but the frequency of the reporting as well. Suffice to say that the traditional annual updates won’t get it done going forward.

A New Approach to Virtual ISO Services

With ISOs being forced to wear multiple hats, some institutions are choosing to leverage a virtual ISO solution. Whether outsourced, insourced, or a hybrid virtual ISO model, each offers varying levels of service, flexibility, and support. Further still, several FIs are leveraging technology in tandem with security expertise to support their ISOs.

Safe Systems’ ISOversight is a proven risk management solution that provides complete and comprehensive accountability for the responsibilities of the ISO position. This third-party solution assigns a dedicated ISO oversight lead who understands the details of the institution’s environment and provides institutions with expert guidance and access to additional resources. ISOversight is an ideal asset for new (or frankly, overwhelmed) ISOs that may be struggling to keep up with the complex responsibilities of their position. And now with federal and state examiners tightening their level of scrutiny, ISOversight is proving even more crucial for institutions that need to enhance their information security expertise.

To learn more about how Safe Systems is supporting ISOs in the industry, listen to our webinar on “The ISO in 2021: A New Approach to New Challenges and Expectations.”

03 Sep 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The ISO is tasked with multiple simultaneous activities; supervising the financial institution’s business continuity planning, project management, vendor management, cybersecurity, exams and audits, and information security, which can be an overwhelming responsibility for one person to manage. This presents operational and compliance challenges for the institution if there is no second-in-command should the ISO become suddenly unavailable. For this reason, the Federal Financial Institution Examination Council (FFIEC) in their Management booklet outlines the importance of succession planning for key roles within the institution, including the ISO.

The Challenge

Effective succession planning involves proactively identifying alternate personnel and initiating proper cross-training for critical roles well in advance. A case in point is Billy Peele, who has worked with Iva, South Carolina-based The Peoples Bank for 45 years, and who has plans to retire by the end of 2020. Overseeing the bank’s IT and InfoSec departments, Peele has also functioned as the institution’s ISO. With a succession plan in place, the bank selected Jill Seymore and Addrian Wilson to jointly assume the title and responsibilities of the ISO in preparation of Peele’s departure.

Although highly skilled in banking operations, Seymore and Wilson initially lacked the level of ISO related experience necessary to fulfill the role. Specifically, the pair wanted a better grasp on the IT reports and to learn best practices in reviewing these reports from the ISO perspective. This learning curve could have been overwhelming for the new ISOs, but The Peoples Bank decided to implement a proven virtual ISO solution to give Seymore and Wilson the tools to become more confident in the new role.

The Solution

Too often, new ISOs do not receive a detailed hand-off document from the predecessor and may not know where to start to complete key responsibilities. Fortunately this was not the case for The Peoples Bank as Safe Systems’ ISOversight Virtual ISO Solution formalized all responsibilities into a structured framework for Seymore and Wilson, allowing for methodical review of all tasks on a monthly, quarterly, and annual basis to ensure continuity for the bank.

ISOversight serves as a risk management tool designed to support the role of the ISO by augmenting existing personnel and ensuring that all tasks and related activities are completed on time and properly reported to the various stakeholders. ISOversight helped ease Seymore and Wilson into the ISO position by grouping all of the various responsibilities into a unified platform to effortlessly manage compliance and security activities. Not only did this clearly outline key requirements of the ISO, but it also educated Peele’s successors on how to effectively perform the role.

The Results

ISOversight gave Seymore and Wilson the confidence that allowed them to trust the bank’s IT department while verifying all interrelated activities are running smoothly and securely. Reviewing reports and receiving alerts with the assistance of the VISO helps the new ISOs extract relevant, actionable information to determine if there are anomalies or exceptions that they should be aware of and act on.

The key to succession planning is to find ways to standardize and maintain the consistency and continuity of the responsibilities of the ISO. In this case, the bank can be confident that information is secure, tasks are being completed on time, and documentation is shared with auditors, examiners, and the board. At The Peoples Bank, ISOversight provided a seamless transition for Seymore and Wilson, while laying a solid foundation for future ISO activities.

For more information, download the full white paper, “5 Case Studies: Exploring Common Challenges Faced By The Information Security Officer.”

27 Aug 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Three Virtual ISO Delivery Models for Community Banks and Credit Unions

Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.
– FFIEC Information Security Handbook

Information security officers (ISO) have a wide range of responsibilities and navigating them can be quite challenging, especially with increased scrutiny from examiners on alignment of policies, procedures, and practices. Adding to that challenge is the associated element of accountability; the premise that unless your practices are properly documented and reported to the various stakeholder groups, there may be doubt in the mind of the examiner as to whether or not they actually happened.

As a result of this responsibility + accountability challenge, many financial institutions are turning to virtual information security officer (VISO) solutions to support the role of the ISO by augmenting existing personnel and ensuring all tasks and related activities are completed on time; are following approved procedures; and are properly reported to the various stakeholders.

In a recent webinar, Safe Systems outlined the three virtual ISO delivery models available to community banks and credit unions today and discussed key considerations when implementing each.

1. Outsource All Activities

In this model, the financial institution hires a third-party provider to take on all of the responsibility and accountability tasks of the ISO role. Outsourcing these activities minimizes your staff’s involvement, potentially freeing up time to focus on more revenue generating activities, but this approach is typically more expensive because the third-party provider is doing all of the heavy lifting.

Another important consideration is that outsourcing everything can also isolate key personnel from important procedures and practices. If the institution isn’t involved in the day-to-day information security activities, when IT auditors and examiners question your personnel, they may not have the necessary day-to-day procedural knowledge to answer their questions. For example, there will likely be activities the outsourced provider is doing that the ISO is unaware of or they are using procedures not familiar to your personnel. This could lead to audit and examination observations or findings, as the ISO is expected to have comprehensive knowledge and understanding of all information security activities

Outsourcing information security tasks is best for financial institutions with neither the time, expertise, nor inclination to perform the duties of the role. However, it comes at a higher cost, both in terms of capital outlay and also in the possibility of ISO disassociation from actual procedures and practices. The FFIEC Management Handbook uses terms such as “engaging with…,” and “working with…,” and “participating in…,” and “informing…,” to describe the typical responsibilities of the ISO. This level of involvement may be more difficult under the “outsource all” model.

2. Toolset only (Apps, Checklists, Templates, etc.)

Another option is to select a model where there’s a toolset provided to accomplish ISO tasks. The toolset could consist of applications, checklists, or templates that may be prefilled or partially filled. With this model, you’re given the tools to manage ISO responsibilities without the support. There’s less human interaction, which typically means the service is less expensive.

However, the toolset model requires more effort from staff and requires the financial institution to rely on internal resources for information security expertise and guidance. Without this guidance, this model may also introduce some inconsistencies between the institution’s policies and procedures. For example, if you specify something in one area of your policies and you reference something that may conflict with that in another area, auditors are likely going to notice and question you on it, and that could cause them to dig deeper into other areas. Policy/procedure consistency is one of the most important indicators of strong infosec governance.

This model may include access to compliance guidance and expertise, but it would be reactive instead of proactive. It is best for institutions that have the necessary internal expertise, but they just need the additional structure a toolset provides to ensure all activities are completed in a timely manner.

3. Hybrid (Toolset + Consultation)

Finally, a hybrid model combines the first two models to provide a toolset plus additional expertise, proactive guidance, and consultation. It typically has better integration between various ISO practices because it’s all under one umbrella. As a result, the institution gains consistency and better coordination within and among its policies for business continuity, vendor management, incident response, project management, and information security. However, because of the tight integration, financial institutions that do not adopt all of the tools that support this model may not see the maximum benefit. Also, because of the increased level of ISO engagement, it may be more resource intensive initially, especially if the institution is behind on key ISO tasks. However, once tasks are brought up to date, ongoing maintenance is simpler due to the integrated toolset. This model is also quite flexible and can easily adapt to the evolving needs of the institution.

This is the model we decided to adopt for our virtual ISO solution, ISOversight. We’ve found this model is best for institutions that desire the advantages of regular active involvement with outside expertise, plus a toolset and reporting to ensure the ISO remains fully engaged. The price point is somewhere between the other two models; less than a complete outsource, but a bit more than toolset only.

ISOversight is a risk management solution that provides accountability for all of the responsibilities of the ISO. We have monthly touch point meetings, and we tailor the service to meet each institution’s unique requirements.

To learn more about the information security officer role and the benefits of virtual ISO solutions, watch our recorded webinar, “ISO Requirements and Expectations: Accountability vs. Responsibility.”

13 Aug 2020

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with ISOversight

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with Safe Systems’ Virtual ISO Solution

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with ISOversight

Mergers and acquisitions can present significant operational challenges for information security officers (ISO) who are tasked with ensuring a smooth transition of the information security program. Often, some key responsibilities of the ISO may be overlooked as other tasks related to the merging of the two institutions take precedence, overextending the ISO as they work to manage the information security program effectively and stay on top of regulations.