Last week, I hosted a complimentary webinar for members of the Community Bankers Association of Kansas, and feedback showed that top industry concerns were monitoring and compliance demands. Training and resources regarding due diligence, cybersecurity, IT management and risk management can help banks with oversight and accountability regarding confidentiality and the integrity of their data.
Consider the following policies and strategies to better protect what’s yours.
Your financial institution must perform proper due diligence on all its vendors. This includes a vendor management strategy that evaluates all vendors and assesses the risk they pose. Review our recent blog post on de-risking your IT services supply chain, and take it a step further by collecting the following information for your vendors:
- SSAE16/18 or SOC Audit
- Exam Results
- Business Continuity Testing
- Privacy Agreements
- Incident Response
- Follow-up to any regulatory letters issued about the vendor
- Follow-up to any open vendor-related audit or exam findings
Do your due diligence to know who you are working with.
Cybersecurity matters now more than ever. Protect the confidentiality and integrity of your information by defending your networks, devices, and data from unauthorized access and criminal use. Questions to ask to gauge the effectiveness of your network and security controls include:
- Network Security – Are the devices protecting the bank’s network properly configured to protect bank assets?
- Information Security – Are proper controls in place to protect information whether in-house or third-party?
- Access Management – Is access to applications and infrastructure limited to only those needing access? (Least privilege)
- Planning and Testing – Have adequate plans been put into place for areas such as business continuity and incident response? Have those plans been tested through tabletop or other types of testing?
- Audit – Does the bank engage a third party to evaluate the security posture of the bank? Are penetration tests, vulnerability scans and operations considered in the scope?
- Training – Does the bank conduct awareness training for employees and board members?
Proper management of policies and applications also helps keep your institution secure. Consider the following areas when discussing IT management:
- Antivirus Software
- Asset Inventory
- Audit & Exam Tracking
- Backup Management
- Business Continuity Planning
- Capacity Management
- Cyber Attack Monitoring
- Data Loss Prevention
- IDS/IPS Monitoring
- Log Management
- Network Changes
- Patch Management
- Policies & Risk Assessments
- Remote Access
- SPAM Filtering
- Security Information and Event Management (SIEM) Solution
Basic risk management includes identifying potential threats, estimating their likelihood and impact, and identifying the controls that mitigate them. Your risk assessment should include both inherent risk ratings (before controls are applied) and residual risk ratings (after). Consider the following:
- Information Security
- Disaster Recovery
- Multifactor Authentication
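As an added example (not BankOnIT's risk assessment tool or code from the original post), the following Python scores a small constructed risk register for the three areas listed above, producing an inherent rating before controls and a residual rating after verified controls are credited. The 1-5 scales, the control model and the rating thresholds are assumptions chosen for illustration.

```python
# Added example (not BankOnIT's tool): inherent vs. residual risk ratings for a
# small register. Scales, control model and thresholds are assumptions.
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    reduces: str           # "likelihood" or "impact"
    effectiveness: float   # fraction removed, 0.0-1.0
    verified: bool = True  # untested controls earn no credit

@dataclass
class Risk:
    area: str
    threat: str
    likelihood: int        # 1 (rare) .. 5 (almost certain), before controls
    impact: int            # 1 (negligible) .. 5 (severe), before controls
    controls: list = field(default_factory=list)

BANDS = [(15, "High"), (6, "Moderate"), (0, "Low")]  # assumed cut-offs on a 1-25 score
def rating(score):
    return next(label for floor, label in BANDS if score >= floor)

def inherent_score(risk):
    return risk.likelihood * risk.impact

def residual_score(risk):
    # Each verified control removes a fraction of likelihood or impact; neither
    # factor drops below 1, so a risk is never rated away entirely.
    factors = {"likelihood": float(risk.likelihood), "impact": float(risk.impact)}
    for c in risk.controls:
        if c.verified:
            factors[c.reduces] *= 1.0 - c.effectiveness
    return round(max(factors["likelihood"], 1.0) * max(factors["impact"], 1.0), 1)

def over_appetite(register, appetite="Moderate"):
    """Threats whose residual rating is worse than the board's stated appetite."""
    order = ["Low", "Moderate", "High"]
    return [r.threat for r in register
            if order.index(rating(residual_score(r))) > order.index(appetite)]

# Constructed sample register covering the three areas listed above.
REGISTER = [
    Risk("Information Security", "Ransomware on file servers", 4, 5, [
        Control("MFA on remote access", "likelihood", 0.5),
        Control("Endpoint detection and response", "likelihood", 0.25),
        Control("Offline backups", "impact", 0.6, verified=False)]),
    Risk("Disaster Recovery", "Primary data center outage", 3, 4, [
        Control("Tested failover to DR site", "impact", 0.5)]),
    Risk("Multifactor Authentication", "Credential phishing of admin accounts", 5, 4, [
        Control("MFA enforced on all logins", "likelihood", 0.8),
        Control("Phishing awareness training", "likelihood", 0.2)]),
]
```

Note that the untested offline backups earn no credit, so the ransomware entry stays Moderate rather than Low; re-run the scoring once the restore test has actually been performed.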
We’ve created a complimentary risk assessment tool to help financial leaders understand their organization’s current level of risk and the biggest areas of opportunity. Email BankOnIT to inquire.
Sharon Bracken, CISA, is the Senior Audit and Regulatory Manager at BankOnIT. BankOnIT provides comprehensive information technology services for financial institutions across the USA. www.BankOnITUSA.com.