FFIEC Regulatory Training

From bradgarland, 2 months ago
Slideshow Transcript

  1. Slide 1: Garland Group University
     - A regulatory perspective
     - Brad Garland, CEO, The Garland Group
  2. Slide 2: What are we doing here?
     - Where FIs & IT meet
     - Regulators & what they do
     - Technology Controls Review Process
     - Goal: Provide better service to your clients
  3. Slide 3: Introductions
     - Name
     - Position
     - Tenure at CalTech
     - Previous Experience
  4. Slide 4: The Garland Group
     - Compliance, Security & Web Services firm
     - Founded in 1981
     - Based out of Dallas, Texas
     - Over 75 clients
  5. Slide 5: Our Services
     - FFIEC Technology Audits
     - Risk Assessments
     - Penetration Testing / Vulnerability Assessments
     - Social Engineering
     - Bank Core System Selections
  6. Slide 6: Sizing up a Financial Institution
     - < $25 Million - Small Community Bank
       - Start-up or de novo status
       - Couple of branches
       - No IT staff
     - $25 - $250 Million - Midsize Community Bank
       - Normally still a local footprint
       - 1-10 branches
       - Maybe 1 IT person
  7. Slide 7: Sizing up a Financial Institution
     - $250 Million - $1 Billion - Medium Bank
       - More regional
       - 5-15 branches
       - Maybe 1-2 IT staff
     - > $1 Billion - Large Bank
       - May cross state lines
       - Lots of branches
       - Normally dedicated IT staff
  8. Slide 8: FI Infrastructures
     - What's out there?
     - What kind of support do these systems get? Internal/External?
     - Where do we fit in?
  9. Slide 9: Infrastructures
     - Windows, Novell, Unix, Mac and hybrid environments
     - Fat clients or thin clients?
     - Communications: T1, Hub/Spoke, MPLS, VoIP
     - Security
     - Development shops
  10. Slide 10: Infrastructures
     - How do you help to support:
       - Check/Item Processing
       - E-Banking / Websites
       - Document Imaging
       - Merchant Capture
       - Mobile Payments
  11. Slide 11: Core Processors
  12. Slide 12: Core Processors
     - Run on a variety of mainframe-like systems: AS/400, Unix, Linux
  13. Slide 13: Core Processors
     - What does a core processor do?
     - In-house or outsourced install?
     - Who supports it?
       - User Mgmt.
       - Updates/Patches
       - Backups
     - Regulatory hurdles
  14. Slide 14: Core from an Audit Perspective
     - User lists: not just from an application level
     - Who controls 'root'? QSECOFR?
     - Who monitors system-level changes? ALLOBJ authority? Access logs?
  15. Slide 15: What's the best setup for a bank?
     - Which 'core'?
     - In-house/Outsourced?
     - Fat/Thin clients?
     - T1s / MPLS?
     - Dedicated IT staff?
     - Development?
  16. Slide 16: The Regulatory Agencies
     - Federal Reserve
     - 'The State'
     - FDIC
     - OCC
     - OTS
     - NCUA
  17. Slide 17: Who Regulates Whom?
     - FDIC - State chartered banks
     - OCC - Nationally chartered banks
     - OTS - Savings banks
     - NCUA - Credit unions
  18. Slide 18: Our Technology Controls Review Process
     - Review of all booklets of the FFIEC
     - Generate 'Recommendations' based on gaps
     - Bank Mgmt. responds
     - Final Report: Executive Summary, FFIEC Report, IT Risk Assessment
  19. Slide 19: FFIEC
     - Federal Financial Institutions Examination Council
     - Formal interagency council
     - Consists of all regulatory bodies
     - Creates guidance for topics such as: Mortgages; Bank Secrecy Act/AML; Info. Technology
  20. Slide 20: FFIEC IT Exam Handbooks
     - 12 booklets
     - Does not just cover IT
     - 2001 edition replaced the previous 1996 version
     - All have been updated since 2003 or later
     - Ongoing development
  21. Slide 21: FFIEC Handbooks
     - Audit
     - Management
     - Business Continuity Planning
     - Operations
     - Outsourcing Technology Services
     - Development & Acquisition
     - E-Banking
     - Retail Payment Systems
     - FedLine
     - Supervision of Technology Service Providers
     - Information Security
     - Wholesale Payment Systems
  22. Slide 22: Audit
     Major items in this section are:
     - Audit schedule
     - Audit Committee minutes
     - Risk assessments conducted
     - Proper audit follow-up
     - Interim IT audit work
  23. Slide 23: Management
     Major items in this section are:
     - Reviewing BoD / IT Steering minutes
     - Policy/procedure approvals by BoD
     - Succession planning
     - Strategic planning
     - IT budgeting
     - Contract/insurance review
  24. Slide 24: Board Reporting
     - Most FIs have an IT Steering Committee and an Audit Committee
     - These committees should drive functions and make decisions
     - They are also the vessel to report to the Board on the status of the bank
     - You may be asked to participate in these committees
     - The Board has ultimate responsibility for everything within the bank
  25. Slide 25: IT Steering Committee
     - Approve major vendors (core providers, IT support, etc.)
     - Approve major purchases, usually over a set dollar limit
     - Review logs and reports from the network
     - Approve IT audits, penetration tests, vulnerability scans
     - Sometimes serve as a project management committee
  26. Slide 26: Audit Committee
     - Review all audit reports from IT, BSA, Teller, Regulators, etc.
     - Approve audit frequencies, scopes and methodologies
     - Usually all Board members are on the committee
     - Approves audit vendors
  27. Slide 27: Business Continuity Plan
     Major items in this section include:
     - Review of BCP/DR plan
     - Backup procedures
     - Shutdown procedures
     - Offsite storage
     - DR agreements & testing
  28. Slide 28: Operations
     Major items in this section include:
     - Item processing workflow: in-house/outsourced? Branch/teller capture?
     - Daily run sheets
     - Physical security
     - Training
     - Courier agreements
  29. Slide 29: Development & Acquisition
     Major items in this section include:
     - D&A policy/procedures
     - Project management methodology
     - Change management
     - Source code escrow agreements
     - Programming methodology
     - Development meeting minutes
  30. Slide 30: Outsourcing IT Services
     - Vendor management
     - Updated contracts with each vendor
     - GLBA wording in contracts
     - Proper 'due diligence' performed on critical vendors
  31. Slide 31: E-Banking
     Major items in this section include:
     - Policy/procedures
     - Security reports: what's reviewed? Who sees it?
     - Website change management
     - Proper privacy statements & logos on website
  32. Slide 32: Retail Payment Systems
     Major items in this section include:
     - ATM balancing / reconciliation processes
     - Agreements for 3rd-party ATM vendors
     - ACH policy/procedures
     - Review ACH originators & agreements
     - Submitting ACH payments (via Web or FedAdvantage)
  33. Slide 33: FedLine/FedAdvantage
     Major items in this section include:
     - Proper control of users who access the Fed system
     - Segregated duties / enter & verify
     - How they receive wire requests
     - Approval / callback procedures
  34. Slide 34: Information Security
     Major items in this section include:
     - Information Security Program
     - User administration rules
     - Password policy
     - System policy
     - Screensaver policy
  35. Slide 35: Information Security - Cont.
     - Network diagram - up to date?
     - Recent security testing / breaches
     - Security monitoring
     - Hardware/software inventory & licenses
     - Use of laptops? Secured? How?
     - Remote access: what logs are kept?
     - Wireless
  36. Slide 36: Technology Service Provider
     Major items in this section include:
     - Review of vendor agreements
     - Any major planned projects/development?
     - Financial stability of vendor
     - SAS 70s
  37. Slide 37: Wholesale Payment System
     Major items in this section include:
     - Large bank-to-bank transactions
     - Proper agreements in place between FIs
     - CHIPS procedures: a large payment system owned by many FIs, used to transfer large payment orders
  38. Slide 38: Other Regulatory Guidance
     - Gramm-Leach-Bliley Act (GLBA)
     - Sarbanes-Oxley (SOX)
     - Control Objectives for Information and related Technology (CobiT)
     - ISO 17799
  39. Slide 39: Preparing for Exam/IT Audit
     What they are going to need from you:
     - Help with producing documentation for their examiners/auditors
     - Network diagrams
     - Password policy (Active Directory)
     - User lists
     - Firewall/router configs
  40. Slide 40: Security Services
     - Penetration Testing
     - Vulnerability Assessments
     - Social Engineering
  41. Slide 41: Penetration Testing
     - Required by 'some' examiners
     - Testing normally done annually
     - Scan ports and check for any major exploits
  42. Slide 42: Vulnerability Assessments
     - Testing done internal to the network
     - Scanning for unauthorized access points, mesh networks, exposed/exploited systems
     - Done at least annually
  43. Slide 43: Social Engineering
     Our scope includes:
     - Internet recon.
     - Dumpster diving
     - Phone testing
     - Email testing
     - In-person testing
  44. Slide 44: Social Engineering (Cont.)
     - Done at least annually
     - Ensure an adequate sample size for testing
     - Ensure scope is up to today's standards
  45. Slide 45: Common Mistakes in IT Mgmt.
     - Lack of good documentation
     - No BoD/upper mgmt. involvement
     - Succession issues
     - Reactionary environment
     - Proper backup procedures
  46. Slide 46: Examiner 'Requests'
     - Closed-loop documentation process
     - Board sign-off/approval
     - Annual IT audits
     - Updated BCPs/BSA risk assessments
     - Penetration tests?
  47. Slide 47: Reminders
     - We're here to help!
     - Don't jump into new tech. head first
     - Ensure adequate cross-training
     - Document everything!
  48. Slide 48: Thanks for the time.
     If you have any questions feel free to contact me:
     - Our Blog: http://blog.thegarlandgroup.net
     - Banktastic: http://banktastic.com
     - Brad Garland, CEO, 972.429.8200, The Garland Group
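Slides 34 and 39 list the Active Directory password policy and a user list among the artifacts an examiner or IT auditor will ask the bank's IT support to produce, and slide 14 asks who holds privileged access and whether stale accounts are monitored. The following PowerShell script is an added example of collecting that evidence; it is not part of the Garland Group deck. It assumes a Windows domain where the RSAT ActiveDirectory module is installed and the account running it has ordinary read access to the domain; the output folder, the 90-day staleness cutoff and the "Domain Admins" group name are assumptions to adjust for the institution.

```powershell
# Added example (not from the Garland Group deck): export the AD password policy
# and a user list with the attributes that usually drive audit findings.
# Assumes the RSAT ActiveDirectory module; only read access to the domain is needed.
Import-Module ActiveDirectory

$OutDir = 'C:\AuditEvidence'      # placeholder path; point at your evidence folder
$StaleDays = 90                   # assumed threshold; align with your user admin rules
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Stamp = (Get-Date).ToString('yyyyMMdd')

# 1. Domain-wide password policy ("Password Policy (Active Directory)" on slide 39)
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold,
                  LockoutDuration, LockoutObservationWindow, ReversibleEncryptionEnabled |
    Export-Csv -Path "$OutDir\DefaultPasswordPolicy-$Stamp.csv" -NoTypeInformation

# Fine-grained password policies override the default for the groups they apply to,
# so an examiner will want to see whether any exist and whom they cover.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                  MaxPasswordAge, LockoutThreshold,
                  @{Name = 'AppliesTo'; Expression = { @($_.AppliesTo) -join ';' }} |
    Export-Csv -Path "$OutDir\FineGrainedPasswordPolicies-$Stamp.csv" -NoTypeInformation

# 2. User list ("User Lists" on slides 14 and 39) with the fields auditors look at:
#    disabled accounts still present, passwords that never expire, accounts that
#    have not logged on within the threshold, and direct Domain Admins membership.
$Cutoff = (Get-Date).AddDays(-$StaleDays)
$Users = Get-ADUser -Filter * -Properties PasswordNeverExpires, PasswordLastSet,
                                          LastLogonDate, MemberOf, Description |
    Select-Object SamAccountName, Name, Enabled, PasswordNeverExpires,
                  PasswordLastSet, LastLogonDate, Description,
                  @{Name = 'Stale'; Expression = {
                      $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) }},
                  # Direct membership only; nested group membership is not resolved here.
                  @{Name = 'IsDomainAdmin'; Expression = {
                      [bool](@($_.MemberOf) -like 'CN=Domain Admins,*') }}

$Users | Export-Csv -Path "$OutDir\UserList-$Stamp.csv" -NoTypeInformation

# 3. One-screen summary for the IT Steering Committee minutes or the auditor cover sheet.
[PSCustomObject]@{
    TotalUsers           = @($Users).Count
    EnabledUsers         = @($Users | Where-Object { $_.Enabled }).Count
    PasswordNeverExpires = @($Users | Where-Object { $_.Enabled -and $_.PasswordNeverExpires }).Count
    StaleEnabledAccounts = @($Users | Where-Object { $_.Stale }).Count
    DirectDomainAdmins   = @($Users | Where-Object { $_.IsDomainAdmin }).Count
} | Format-List
```

Run it from a workstation with RSAT under a normal domain account; nothing in it changes the directory. The CSV files are the evidence the deck says examiners ask for, and the summary object gives the steering committee the numbers (never-expiring passwords, stale enabled accounts, direct Domain Admins) that typically turn into recommendations in the Information Security section of the review.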