Articles

It can be tricky to separate the concepts of risk and significance when it comes to vendor management. Are they just two paths to say the same thing? Does one depend on the other? How does due diligence play into those ratings? If you've asked those questions before, or if this is your first time to see them, you've come to the right place. Let's explore this idea.

First, let's define vendor significance. Significance is about how much you rely on the vendor. How significant are they to your operations? A vendor could be insignificant, significant, or even critical. For example, a vendor would be critical if you absolutely needed their services for your business to survive, like your core provider. A vendor would be insignificant if their failure would have minimal effect on your business, such as your office supplies vendor. You could get by with a little bit of help from Amazon or Walmart until you got a new vendor in place.

Well, maybe it used to be the question, but it is no longer a question to be asked. Scanning your network is an essential part of your security protocol to ensure that customer information is secured. So, since I need to scan my systems for vulnerabilities, where do I start?

There are many good products on the market to test for system vulnerabilities. The best method is to review different products and decide which product will take care of your needs. Not only does the product need to give you information on what vulnerabilities exist on your network, but it also needs to provide you with reporting that is easy for you to read and understand. A report is only good if you can take the information and make decisions on how to remediate the findings that it observes.

You may be thinking, I do not have the expertise to conduct these scans and read the reports, so what do I do now? This is where you will have to rely on a network vendor or third party to conduct your scanning. You also need to ensure you have a contract and have conducted your due diligence with this vendor because they will need an administrative account on your network to perform an administrative vulnerability scan. User accounts can be used to scan the systems but will not give you a full representation of all your vulnerabilities. The goal is to mitigate as many vulnerabilities as possible, and a good administrative scan will help you reach this goal.

Now that I have all this information, what do I do? REMEDIATE and DOCUMENT. Yes, those two words you always love to hear that strike fear in the hearts of man. Most, if not all, scanning software will rate the criticality of each vulnerability that is found on the network. Always start with the most critical and work your way down the list. Findings will require a knowledge of the systems you are running and an understanding of how to remediate the vulnerability. If you do not have the expertise to take care of these issues, a network vendor will need to be used at this point. Some findings require changes in Active Directory, registry settings, or Group Policy. When changing these settings, making the wrong move can cause tremendous damage to your network. If one of these settings needs to be changed, it is always a good practice to change the setting for one computer and test the change to ensure it does not cause issues with existing applications.

Sometimes settings cannot be changed due to the harm it causes in the system. If this is the case, document, document, document. Documentation needs to be completed that reveals the issue when you will resolve the issue, how the issue was resolved, and then verify that the issue was resolved.

Verification of the resolution is a critical part of the process. If a change is made in Active Directory, how do I know that the change has happened? If there is a change in Group Policy, how do I know if it has propagated to all the systems with the vulnerability? There are multiple ways to verify different vulnerabilities have been remediated, but the best way is to rerun a scan against the system.

So how often do I need to run this scan? The frequency of the scan will be determined by your risk assessment and the size and complexity of your system. Sound familiar? Sounds like a statement that may come from your regulator or through guidance, doesn't it? If my system is not that complex, I would not have to scan frequently, but if it is complex, open to the outside world, and includes multiple users, I would need to scan more frequently.

New vulnerabilities are being developed all the time, and a system that is scanned and is secure one day may be the target of a new vulnerability the next day. When you are between scans, be sure and keep yourself aware of any new vulnerabilities that may arise, especially those vulnerabilities that target your systems. Keep up to date by receiving emails from publications, vendors, and regulators, and attending webinars and seminars that deal with information technology. Sound like a full-time job? It is!

So, to scan or not to scan can never be the question again.

To have an effective Business Continuity Plan (BCP), recovery plans must be based on a Business Impact Analysis (BIA). According to the FFIEC's Business Continuity Management booklet, BIA is "the process of identifying the potential impact of disruptive events to an entity's functions and processes." There are a lot of elements to capital BIA, but for the purpose of this article, we are going to focus on the conceptual lower-case business impact analysis. This analysis will help you make informed decisions about when certain processes can be restored and help you determine appropriate Recovery Time Objectives (RTO).

Prepare the Definitions

We all love our mobile devices. If you look around in any restaurant, walking down the street, even while driving (not a safe idea), you will see people glued to their mobile phones.  In the past few years, the line has blurred between our personal mobile devices and business devices.  Especially now, as a large part of the workforce is working from home due to the COVID-19 pandemic, personal mobile device use is the norm for millions of people. We must be prepared that many employees may want to continue using their personal mobile devices as they transition back to the workplace.

There you are, working diligently at your computer when you receive the dreaded email.  You are invited (required) to attend the upcoming annual Employee Security Awareness Training session.  Oh no, has it already been a year?  Please, please don't make me sit through that long, boring training and waste an hour or more of my day, AGAIN.  Sound familiar?

We all know that Employee Security Awareness Training is a key aspect of your Information Security Program.  In fact, the FFIEC IT Examination Booklet Information Security 2016 states, "Training should support security awareness and strengthen compliance with security and acceptable use policies. Management should educate users about their security roles and responsibilities and communicate them through acceptable use policies."  We even know that training should focus on important issues such as end-point security, log-in requirements, and password administration guidelines.  But still, the question remains, "Do we really have to do Employee Security Awareness Training, again?" The answer is Yes, and here's why.

As technology has advanced, it has grown to a place where employees are able to stay connected to their work, even after clocking out for the day. Employees can use their laptops, phones, and tablets to continue working or to respond to emails. This is a great aspect for better communication and increasing productivity; however, the security of these devices can get overlooked.

A small percentage of companies supply mobile devices for their employees, but a vast majority of employees bring their own devices. The challenge many companies face is how to secure those devices to protect the sensitive information that is stored on the device or is accessible on it.

Do you have outsourced technology services? If so, are you getting a copy of their business continuity plans?  More importantly, do you know what you're looking for when you review them? Due diligence document gathering and reviewing is a critical part of outsourcing. While the service is provided by another company, your institution still maintains responsibility, and ultimate accountability, to your customers. That's where due diligence documents come into play.

First, what is an outsourced technology service? This is a service that provides technology solutions for your bank. This doesn't necessarily include all vendors who use technology to deliver their service to you, but instead those providing solutions to your technology needs. Ask this question to help determine if something is a technology service, "Would the bank be significantly affected if the vendor's services were temporarily unavailable?" I take "significantly affected" to mean: irreparable damage to the bottom line or customer confidence due to service disruption from any cause. Only if the answer to this question is yes are you likely looking at an outsourced technology service.

In the course of reviewing a financial institution's information security program, we will invariably come to the point of assessing the organization's business continuity plan. In doing so, it's not uncommon to need to provide clarification as to the difference between business continuity planning, disaster recovery preparations, and incident management and response.

There is certainly a degree of overlap or redundancy among each of these three strategies, but each has its place in an organization's planning and preparing regimen, and each addresses its own collection of unique considerations. Those responsible for maintaining their financial institution's information security program must have a clear understanding of each of these aspects of continuity planning, recognize their similarities and differences, and be able to integrate each into a comprehensive strategy for addressing interruptions in their organization's processes.

Account passwords are required for security and accountability but are often despised by users that must remember them and network administrators that must reset them when users ultimately forget after a long weekend or a donut-infused sugar coma. While recommendations have changed slightly over the years, the base settings remain the same: sufficient length to prevent easy guessing or cracking (currently around 14 characters), complexity levels to discourage the use of names and dictionary words (3 of 4 types of characters – uppercase, lowercase, numbers, or special characters), and password change cycles to force new passwords that are fully up-to-date with policy settings and not used anywhere else (30 – 90 days, typically).