Post on 06-May-2015
transcript
Garland Group University
Brad Garland
CEO
The Garland Group
A regulatory perspective
The Garland Group
What are we doing here?
Where FIs & IT meet
Regulators & What they do
Technology Controls Review Process
Goal: Provide better service to your clients
Introductions
Name
Position
Tenure at CalTech
Previous Experience
The Garland Group
Compliance, Security & Web Services firm
Founded in 1981
Based out of Dallas, Texas
Over 75 clients
Our Services
FFIEC Technology Audits
Risk Assessments
Penetration Testing / Vulnerability Assessments
Social Engineering
Bank Core System Selections
Sizing up a Financial Institution
< $25 Million - Small Community Bank
Start-up or De Novo Status
Couple of branches
No IT staff
$25 - $250 Million - Midsize Community Bank
Normally still local footprint
1-10 branches
Maybe 1 IT person
Sizing up a Financial Institution (cont.)
$250 - $1 Billion - Medium Bank
More Regional
5-15 branches
Maybe 1-2 IT staff
> $1 Billion - Large Bank
May cross state lines
Lots of branches
Normally dedicated IT staff
FI Infrastructures
What’s out there?
What kind of support do these systems get? Internal/External?
Where do we fit in?
Infrastructures
Windows, Novell, Unix, Mac and hybrid environments
Fat clients or Thin clients?
Communications
T1 Hub/Spoke
MPLS
VoIP
Security
Development Shops
Infrastructures
How do you help to support:
Check/Item Processing
E-Banking / Websites
Document Imaging
Merchant Capture
Mobile Payments
Core Processors
Run on variety of mainframe-like systems
AS/400
Unix
Linux
Core Processors
What does a core processor do?
In-house or Outsourced install?
Who supports it?
User Mgmt.
Updates/Patches
Backups
Regulatory Hurdles
Core from an Audit perspective
User Lists
Not just from an application level
Who controls ‘root’? QSECOFR?
Who monitors...
System-level changes? ALLOBJ authority?
Access Logs?
What’s the best setup for a bank?
Which ‘Core’?
Inhouse/Outsourced?
Fat/Thin Clients?
T1’s / MPLS?
Dedicated IT staff?
Development?
The Regulatory Agencies
Federal Reserve
‘The State’
FDIC
OCC
OTS
NCUA
Who Regulates Who?
FDIC - State chartered banks
OCC - Nationally chartered banks
OTS - Savings Bank
NCUA - Credit Unions
Our Technology Controls Review Process
Review of all booklets of the FFIEC
Generate ‘Recommendations’ based off of gaps
Bank Mgmt. responds
Final Report
Executive Summary
FFIEC Report
IT Risk Assessment
FFIEC (Federal Financial Institutions Examination Council)
Formal Interagency Council
Consists of all regulatory bodies
Creates guidance for topics such as:
Mortgages
Bank Secrecy Act/AML
Info. Technology
FFIEC IT Exam Handbooks
12 Booklets
Does not just cover IT
2001 edition replaced the previous 1996 version
All have been updated since 2003 or later
Ongoing Development
FFIEC Handbooks
Audit
Business Continuity Planning
Development & Acquisition
E-Banking
FedLine
Information Security
Management
Operations
Outsourcing Technology Services
Retail Payment Systems
Supervision of Technology Service Providers
Wholesale Payment Systems
Audit
Major items in this section are:
Audit Schedule
Audit Committee Minutes
Risk Assessments Conducted
Proper Audit Follow-up
Interim IT Audit work
Management
Major items in this section are:
Reviewing BoD/ IT Steering Minutes
Policy/Procedure Approvals by BoD
Succession Planning
Strategic Planning
IT Budgeting
Contract/Insurance Review
Board Reporting
Most FIs have an IT Steering Committee and an Audit Committee
These committees should drive functions and make decisions
They are also the vehicle for reporting to the Board on the status of the bank
You may be asked to participate in these committees
The board has ultimate responsibility for everything within the bank
IT Steering Committee
Approve major vendors (Core providers, IT support, etc.)
Approve major purchases, usually over a set dollar limit
Review logs and reports from the network
Approve IT audits, Penetration tests, Vulnerability Scans
Sometimes serve as a project management committee
Audit Committee
Review all audit reports from IT, BSA, Teller, Regulators, etc.
Approve audit frequencies, scopes and methodologies
Usually all Board members on the committee
Approves audit vendors
Business Continuity Plan
Major items in this section include:
Review of BCP/DR Plan
Backup Procedures
Shutdown Procedures
Offsite Storage
DR Agreements & Testing
Operations
Major items in this section include:
Item Processing workflow process
Inhouse/Outsourced?
Branch/Teller Capture?
Daily Run Sheets
Physical Security
Training
Courier Agreements
Development & Acquisition
Major items in this section include:
D&A Policy/Procedures
Project Management Methodology
Change Management
Source Code Escrow Agreements
Programming Methodology
Development Meeting Minutes
Outsourcing IT Services
Vendor Management
Updated Contracts with each vendor
GLBA Wording in Contracts
Proper ‘Due Diligence’ performed on critical vendors
E-Banking
Major items in this section include:
Policy/Procedures
Security Reports / What’s reviewed? Who sees it?
Website Change Management
Proper Privacy Statements & Logos on website
Retail Payment Systems
Major items in this section include:
ATM Balancing / Reconciliation processes
Agreements for 3rd party ATM vendors
ACH Policy/Procedures
Review ACH Originators & Agreements
Submitting ACH payments (via Web or FedAdvantage)
FedLine/FedAdvantage
Major items in this section include:
Proper control of users who access the Fed System
Segregated Duties / Enter & Verify
How they receive Wire requests
Approval / Callback Procedures
Information Security
Major items in this section include:
Information Security Program
User Administration Rules
Password Policy
System Policy
Screensaver Policy
Information Security (Cont.)
Network Diagram - Up to date?
Recent Security Testing / Breaches
Security Monitoring
Hardware/Software Inventory & Licenses
Use of Laptops? Secured? How?
Remote Access
What logs are kept?
Wireless
Technology Service Provider
Major items in this section include:
Review of vendor agreements
Any major planned projects/development?
Financial Stability of Vendor
SAS 70s
Wholesale Payment System
Major items in this section include:
Large bank-to-bank transactions
Proper agreements in place between FIs
CHIPS procedures (CHIPS is a large payment system owned by many FIs to transfer large payment orders)
Other Regulatory Guidance
Gramm-Leach-Bliley Act (GLBA)
Sarbanes - Oxley (SOX)
Control Objectives for Information and related Technology (CobiT)
ISO17799
Preparing for Exam/IT Audit
What they are going to need from you:
Help with producing documentation for their examiners/auditors
Network Diagrams
Password Policy (Active Directory)
User Lists
Firewall/Router Configs
Security Services
Penetration Testing
Vulnerability Assessments
Social Engineering
Penetration Testing
Required by ‘some’ examiners
Testing normally done annually
Scan ports and check for any major exploitable vulnerabilities
Vulnerability Assessments
Testing done internal to the network
Scanning for unauthorized access points, mesh networks, exposed/exploited systems
Done at least annually
Social Engineering
Our scope includes:
Internet Recon.
Dumpster Diving
Phone Testing
Email Testing
In-Person Testing
Social Engineering (Cont.)
Done at least annually
Ensure an adequate sample size for testing
Ensure scope is up to today’s standards
Common Mistakes in IT Mgmt.
Lack of good documentation
No BoD/Upper Mgmt. involvement
Succession Issues
Reactionary Environment
Proper Backup Procedures
Examiner ‘Requests’
Closed-loop documentation process
Board sign-off/approval
Annual IT Audits
Updated BCPs/BSA risk assessments
Penetration tests?
Reminders
We’re here to help!
Don’t jump into new technology head first
Ensure adequate cross-training
Document Everything!
If you have any questions feel free to contact me:
Our Blog: http://blog.thegarlandgroup.net
Banktastic: http://banktastic.com
Brad Garland, CEO, 972.429.8200
Thanks for the time.