Pub. 2 2012-2013 Issue 4

16 OVER A CENTURY: BUILDING BETTER BANKS - HELPING COLORADANS REALIZE DREAMS

Common IT Audit Findings

A common axiom in the world of information security is that convenience and security are inversely related, or in other words, as security increases, convenience decreases. You have, no doubt, experienced this in your bank as well as in your personal life. From a banking standpoint, annual IT audits and exams are probably not the most convenient use of your time, but they should be testing current controls and showing you controls to add, thereby increasing your physical and logical security. Below are some of the most common security issues I see in banks.

Local Administrators: It is highly common for me to see users granted administrator privileges for their local workstations. It's convenient for installing programs or updates, but also less secure, as most malicious software requires local admin privileges in order to install on a workstation. Limiting user privilege on workstations will remedy a high percentage of the malicious software introduced on your network. One obstacle to limiting local admin privileges might be some of the bank software you use, but this is a security issue worth discussing with your vendors.

Passwords: You have probably enforced password complexity requirements on your network. In spite of that, it's not uncommon for me to see complex passwords that are not necessarily strong passwords. One classic example is Password1. This satisfies Windows complexity requirements, but is a very simple password and can only be avoided by training your users. Encourage the use of passphrases instead of passwords, and you'll take care of these simple passwords in the process. Passphrases can be song lyrics or favorite quotes.
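The gap between "complex" and "strong" described above can be made concrete with a screening check. The following is an added example, not code from the article or its author: it approximates the Windows complexity rule (three of four character classes, minimum length, no account name), then adds the checks a complexity policy lacks, using a constructed short list of common base words where a real filter would use a full breached-password list.

```python
import re

# Constructed sample of common base words; a production filter would screen
# against a full breached-password list instead of this short set.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "winter"}

UPPER, LOWER, DIGIT, SYMBOL = (
    re.compile(p) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
)


def meets_windows_complexity(password: str, username: str = "") -> bool:
    """Approximates the Windows 'Password must meet complexity requirements'
    policy: at least 6 characters, does not contain the account name, and uses
    characters from at least three of the four classes (upper, lower, digit,
    non-alphanumeric)."""
    if len(password) < 6:
        return False
    if username and username.lower() in password.lower():
        return False
    classes_used = sum(1 for rx in (UPPER, LOWER, DIGIT, SYMBOL) if rx.search(password))
    return classes_used >= 3


def is_decorated_dictionary_word(password: str) -> bool:
    """True for the 'Password1' pattern: a common word, optionally capitalised,
    with digits and/or symbols tacked on at the end. Such passwords satisfy the
    complexity rule but are among the first candidates any guessing tool tries."""
    core = re.sub(r"[^A-Za-z]+$", "", password).lower()
    return core in COMMON_BASE_WORDS


def is_strong(password: str, username: str = "", min_passphrase_len: int = 15) -> bool:
    """Screening rule that separates 'complex' from 'strong': the password must
    meet the complexity policy, must not be a decorated dictionary word, and must
    be long enough to be a passphrase rather than a single word (the length
    threshold is an assumption chosen for this example)."""
    return (
        meets_windows_complexity(password, username)
        and not is_decorated_dictionary_word(password)
        and len(password) >= min_passphrase_len
    )


if __name__ == "__main__":
    # Constructed samples: two "complex" single words and one lyric-style passphrase.
    for pw in ("Password1", "Welcome2013!", "Hey Jude, don't make it bad"):
        print(f"{pw!r}: complex={meets_windows_complexity(pw)} strong={is_strong(pw)}")
```

Run stand-alone it shows that Password1 passes the complexity check yet fails the strength check, while the passphrase passes both.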
FEATURE ARTICLE by Stephanie Chaumont, CISA, CISSP, Security+
