Pub. 3 2013-2014 Issue 2

14 O V E R A C E N T U R Y : B U I L D I N G B E T T E R B A N K S - H E L P I N G C O L O R A D A N S R E A L I Z E D R E A M S Service Provider Oversight We cannot just abdicate responsibility for information secu - rity to our vendors; instead we must be proactive and manage the relationship. Questions to ask about your vendor relation- ships include: 5. Do we have a formal due diligence process for service providers? 6. Do we have confidentiality agreements with all third- parties that have access to our customer information? 7. Do we have a vendor oversight program to review/monitor applicable information such as contracts, SLAs, financials, SSAE 16 reports, audit or security testing reports, business continuity plans and/or tests, etc.? Business Continuity The ability to recover from even a minor disaster situation is paramount in maintaining long term business viability. An organized and prioritized recovery plan ensures we are ready to implement recovery measures to maintain business opera- tions at the primary location (if operable) or secondary location with only minimum business and operational interruptions. In regards to your IT business continuity planning (BCP), ask: 8. Have we conducted a Business Impact Analysis (BIA) within the past year? 9. Are backup and recovery procedures documented and approved? 10. Do we have a BCP test plan? If so, does it adequately cover technology, processes and people? 11.Has BCP training taken place within the past year? 12. Does the BCP include Pandemic Planning? 13. Does the plan provide effective guidance to assist management under a disaster situation? Security Awareness In a hearing with the US Senate Committee in 2000, Kevin Mitnick, a notorious hacker, stated “Companies spend millions of dollars on firewalls, encryption, and secure access devices and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.” In regards to your employees, ask yourself: 14. Has Security Awareness Training (SAT) been conducted within the past year? 15. Did training include acceptable use policies and social engineering tactics? 16. Are employees required to sign an Acceptable Use Policy (AUP) on an annual basis? 17. Do we conduct social engineering tests? Oversight The FFIEC IT ExaminationHandbook, Information Security Booklet states, “The board of directors, or an appropriate com - mittee of the board, is responsible for overseeing the develop- ment, implementation, and maintenance of the institution’s information security program, andmaking senior management accountable for its actions.” Evaluate oversight by answering these questions: 18. Is the status of the information security program reported to the Board at least annually? Does the report address issues such as: risk assessments; risk management and control decisions; service provider arrangements; results from testing; security breaches or violations, and management’s responses; and recommendations for changes to the program? 19. Do we have an Information Security Officer? 20.Do we have an IT Strategic Plan? 21. Is there a committee (Security, IT Steering, etc.) that oversees IT? If so, does it meet on a regular basis and include appropriate management? Closing It is necessary to evaluate your bank’s information security. The above list of questions should not be considered exhaustive. Instead, use these questions as a starting point to help you gauge your bank’s information security posture. Each bank should use the appropriate personnel to conduct audits, assessments, penetration tests, and/or security assessments periodically. A good resource to assist in management, audit and oversight of information security is the FFIEC IT Examination Handbook InfoBase (http://ithandbook.ffiec.gov/ ). n Russ Horn is the president for CoNetrix. CoNetrix is a provider of information secu- rity consulting, IT/GLBA audits and security testing, Aspire cloud hosting, and the developer of tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit CoNetrix at www.conetrix.com .  Information Security – continued Each bank should use the appropriate personnel to conduct audits, assessments, penetration tests, and/or security assessments periodically.