06/03/2011

Are We Covered? 12 Critical Areas Directors Should Question


A breach in any of the following IT areas could cause catastrophic risk to the institution, but asking a few key questions ahead of time may save enormous headaches later on.

An estimated 500 million records containing nonpublic personal information of U.S. residents were either lost or stolen within the last five years. In addition to data loss, IT threats include monetary loss, regulatory sanctions, and significant reputational damage. While few directors can be expected to be IT security experts, most can enhance their institution’s risk profile by asking a few insightful questions about the multiple security layers designed to ensure the integrity, confidentiality, reliability, and availability of bank information systems.

1. Data loss

The Gramm Leach Bliley Act (GLBA) requires financial institutions to safeguard customer information from unauthorized access or use. According to the Office of Thrift Supervision (OTS), common causes of data loss include:

• internal compromises

• ineffective security awareness training

• unencrypted data

• unsecured website programming

• point of sale security weaknesses

• unpatched systems.

Many IT security experts believe that knowledgeable insiders, both willful and negligent, pose the greatest risk from data loss. Has your bank identified the employees who can query and download large quantities of data? Consider the realistic possibility that bulk customer data could be misappropriated without detection via e-mail, CD, USB thumb drive, or paper. Has software been installed to detect/prevent suspicious data movement by volume, keyword, or account number? Are USB ports on laptops and desktops disabled either physically or logically? Is software in place to detect and block simple e-mailing of data outside the bank, and if so, who monitors the reporting? Question any use of common e-mail for external distribution of proprietary data, such as quarterly financial results. External e-mails should never be considered secure. Does the IT Department provide a secure website for directors, auditors, and regulators to receive data and reports?
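As an added illustration of the volume, keyword and account-number checks the paragraph describes (example code written for this page, not from the article or any vendor product), assuming a constructed outbound-transfer log format, a made-up keyword watch list and an assumed 100 MB per-user daily threshold:

```python
import re
from collections import defaultdict
# Constructed outbound-transfer events for this example only (not real bank data):
# timestamp user channel bytes "text"
SAMPLE_LOG = """\
2011-06-03T09:14:22 jdoe email 4200 "Q2 board deck attached, see p.3"
2011-06-03T09:20:05 jdoe email 900 "lunch?"
2011-06-03T10:02:41 asmith usb 780000000 "customer_export.csv"
2011-06-03T10:45:13 bwhite email 15000 "acct 4111111111111111 balance inquiry"
2011-06-03T11:10:59 bwhite email 2200 "CONFIDENTIAL quarterly financial results draft"
2011-06-03T11:12:03 cjones print 30000 "4111 1111 1111 1111 and 5500 0000 0000 0004, call 555-0100"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "(.*)"$')
ACCT_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digit runs, space/dash separated
KEYWORDS = ("confidential", "quarterly financial results", "customer_export")  # assumed watch list
VOLUME_LIMIT = 100_000_000  # assumed policy: 100 MB per user per day across all channels

def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card and many account numbering schemes; cuts false hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def account_numbers(text: str) -> list[str]:
    """Digit runs in free text that pass the Luhn check, with separators removed."""
    cands = (re.sub(r"[ -]", "", m.group()) for m in ACCT_RE.finditer(text))
    return [c for c in cands if luhn_ok(c)]

def scan_log(log: str) -> list[dict]:
    """One finding per rule hit: keyword match, account number, or daily volume over the limit."""
    findings, daily_bytes = [], defaultdict(int)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than stop the monitor
        ts, user, channel, size, text = m.groups()
        daily_bytes[(user, ts[:10])] += int(size)  # volume is summed per user per day, all channels
        for kw in KEYWORDS:
            if kw in text.lower():
                findings.append({"user": user, "channel": channel, "rule": "keyword", "detail": kw})
        for acct in account_numbers(text):
            findings.append({"user": user, "channel": channel, "rule": "account", "detail": acct})
    for (user, day), total in daily_bytes.items():
        if total > VOLUME_LIMIT:
            findings.append({"user": user, "channel": "any", "rule": "volume", "detail": f"{day}: {total} bytes"})
    return findings
```

The findings list is what a reviewer of the DLP reports would work from; the Luhn filter is why the phone number on the last line is not reported while the two card-style numbers are.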

2. Credentials and staffing

What are the relevant credentials of bank IT, security, and audit personnel? Expect recognized certifications such as CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), as well as security expertise at the executive level. Determine whether budgets allow for continuing education to maintain credentials and enhance skills. Are comprehensive criminal background checks performed on all IT personnel? Are they refreshed periodically? Ask whether background checks include more states than the one of current residence, as many do not. Do all employees receive information security training at least annually? Ensure budgets are sufficient to engage subject matter experts as warranted.

Confirm that internal audit tracks the timely remediation of issues identified by auditors, examiners, and consultants. A lack of communication and cooperation between IT and internal audit is a concern. Consider asking the CIO and the chief audit executive individually about the relationship. Ask the CIO if security protocols are universally applied and enforced across all levels of employees and departments. Inquire whether end-to-end encryption has been implemented across critical transactional systems to protect both data in motion and data at rest.

3. Penetration/intrusion testing

Also known as ethical or “white hat” hacking, penetration testing should be performed at least annually by a qualified provider to test firewall and network security. Does the scan include all routers and switches within the network or only Internet-facing devices? Inquire whether the scope of the work includes internal testing, as though the hacker were a trusted insider on the network. Does the consultant scan for unauthorized wireless connections, which could create an unauthorized point of access to the network? Engage consultants to perform “social engineering” to test employee willingness to provide compromising information. Inquire whether internal “white-box” scans are run in-house by staff. Some experts believe these results are highly reliable, as false positives can be readily eliminated and vulnerabilities can be correlated and validated against network documentation. Ask to see a remediation report from the most recent scan. Periodic rotation of providers will bring fresh eyes and different skills to the task.

Some bank CIOs assert that network intrusion detection is an unnecessary control due to other security layers. If this is the case, question the underlying assumptions. Intrusion detection can be useful at both the network level and on individual critical (host) devices. How is the network monitored and who is responsible for acting on alerts? Typically, a vendor will monitor the network activity and alert IT personnel, via a pager or text message, to any unusual activity. A combination of external and internal monitoring is best. Ask the CIO if a data warehouse has been implemented to manage data from system logs and to capture a complete picture of all enterprise IT activity.

4. Wire transfer and ACH fraud

Wire and ACH fraud are on the increase. As customer systems are breached, victims seek indemnification from their banks and increasingly resort to litigation. Financial institutions can be responsible for ACH frauds if reported by commercial customers within two days, and for consumer ACH frauds, up to 60 days. During 2009, at least one financial institution, Dwelling House Savings and Loan, failed as a direct result of ACH fraud. Directors might consider cyber crime and business interruption insurance in addition to confirming the adequacy of D&O coverage.

Does the bank assist e-banking customers with IT security, and do contracts include sufficient language to insulate the bank from insecure customer e-banking systems? Due diligence should be performed annually on all ACH customers to include the setting of limits, enforcement of limits, and appropriate controls on high-dollar and high-volume overrides. Consider that if a bank overrides a preestablished limit, and the transaction turns out to be fraudulent, the bank may be liable. Both the wire transfer and ACH functions should be audited at least annually and be a designated “high risk” in the internal audit’s risk assessment. Be aware that NACHA can assess substantial penalties for not performing annual ACH audits. Ensure also that the audit plan includes the emerging risks of remote deposit capture and mobile banking.

5. Business continuity planning

Directors should require assurance about preparedness from both business process owners and IT. Systems availability, while fundamental, does not guarantee recovery of customer service or the performance of critical functions. An overly optimistic and complacent CIO is an indication that business process owners should be queried about participation in business continuity testing and validation. Confirm that a comprehensive business impact analysis, validated by senior management, is the foundation of the plan.

Ascertain whether the recovery site is an adequate distance from the primary site, preferably in another city. Does the recovery site have sufficient capacity for the minimum critical staff, and have the critical functions been appropriately identified? Has the plan been tested from the recovery site?

Once systems are restored, how will employees gain access? How many employees have remote (VPN) access? Is multifactor authentication required to connect remotely, such as a password-generating token device in addition to a user ID and password? Does the continuity plan include pandemic preparedness planning?

Contingency planning should also address an appropriate and timely response to a breach and loss of sensitive customer information. Various state and federal laws, including GLBA, require, at a minimum, prompt customer notification. The OTS reports that following the Heartland Payment Systems breach, one institution decided not to reissue compromised cards at a cost of $100,000. Ultimately, fraud associated with the cards cost more than $1 million. Following the breach, Heartland suffered a 50% drop in market capitalization and $32 million in fraud-related expenses, according to the Federal Reserve Bank of Philadelphia.

6. Vendor management

Do all critical vendors provide an annual Service Auditor’s Report (SAS 70 Type 2)? The SAS 70 is an audit report for use by the bank’s audit and security personnel. Who within the bank reviews and documents responses to the report’s client/user considerations? If your bank does not receive a SAS 70 for a critical vendor, does your contract provide audit rights at the vendor site? If the vendor is sufficiently critical, consider performing audits at the vendor location. Outsourcing does not absolve the bank of responsibility for information security.

7. System development

Have you asked if the business model truly requires the development of custom software? If adequate software is not commercially available, determine if IT auditors are part of the project team from the beginning. Does the development team follow any recognized security standards, like ISO 17799? Ask who validates compliance prior to release of code into production. If consultants are used, has your consulting vendor provided documentation of adequate background checks? Consider that many smaller organizations lack the scale to perform development work effectively, on-budget, and with adequate controls.

8. Patching

Software vendors continuously discover and attempt to remediate potential security flaws with small software releases known as patches. Unpatched systems are a significant point of exposure and often result in breaches many years after patches are released by vendors for known vulnerabilities. Some IT departments are reluctant to install patches immediately due to potential unintended consequences. Determine whether your bank has a policy on patching, whether it is reasonable (i.e., testing is performed and patches are installed within 60 days of issuance), and whether it is followed. If critical or emergency patches are issued, is there a fast-track process to protect Internet-facing devices? How quickly are critical systems patched after testing?

9. Antivirus

Are all bank servers, laptops, and desktops covered by continuously updated antivirus (AV) software? AV software can be another line of defense in preventing data loss from malware. How are employees’ home systems, which connect to bank systems, monitored and validated to ensure adequate AV software and firewalls prior to every connection? Because this is difficult to do, the bank should consider disallowing the use of employee-owned systems to connect with bank systems, as they can introduce malware or unauthorized access into the bank network via an unprotected connection.

10. Laptops and PDAs

Without exception, all bank-owned laptops should be encrypted. If laptops are not encrypted, under no circumstances should employees be permitted to store customer data on laptop hard drives. What processes are in place to assure compliance? If laptops permit employees to install software, then question why. Among other concerns, the bank is at risk for propagating pirated software. As mobile device applications proliferate, request an assessment of the risk to bank systems from potential malware downloaded to the devices.

11. Physical security

Physical safeguards and vigilant employees are also IT security controls. Ask what would prevent or detect an unauthorized person from occupying an office or conference room and plugging into the network? Could someone posing as a vendor walk out with a server? What additional controls are in place in high-risk areas, such as wire transfer? With ATM skimming devices proliferating, ask who routinely inspects ATM machines.

12. IT examination

IT examiners focus on identifying the risks that threaten the safe and sound operation of insured financial institutions, such as catastrophic disaster, IT hardware/software failures, security breaches, and flawed contracts with critical technology service providers. To identify and remediate vulnerabilities, require regular IT audits well in advance of scheduled IT exams. Speak directly with the auditors to confirm that the scope of the IT audits has not been unduly restricted. Ask if vendor management audits are performed regularly. Examiners consider these to be essential IT-related audits.

Conclusion

IT risk oversight begins with inquiries based on common principles of internal control, such as tone at the top, risk assessment, and monitoring. Directors will meet their due diligence requirements by asking informed questions, ensuring IT controls are in place, and reviewing reports of assessment and remediation. Regular presentations from the CIO, IT security personnel, and external consultants are essential. Also consider inviting the audit and IT professionals to attend executive sessions, as much can be learned by simply asking: “How do we know we are covered?” Finally, document the above actions in appropriate meeting minutes and remain vigilant to the continuously evolving IT risks.

Kenneth L. Glascock is senior vice president of Internal Audit at United Western Bancorp and James F. Gaulke is an IT consultant & former bank chief information officer.
