The Colorado Banker Feb. 2016

If you have ever been in a field that involves customer service, you learn to expect certain questions. You may
even be able to predict some. For example, if you are demonstrating a product, one question you can typically count on is: "How long does it take to do this?" And, as you probably suspect, the tried-and-true answer is, "It depends."

The same question and answer routine is understandable. We all want to know what everyone else is doing. I am a software support specialist and I am frequently asked, "How do you see other banks handling issue XYZ?" We depend on each other to understand the world around us. We want to know, what are other people doing to get it right?

In the spirit of that question, I'd like to give you some insight into what other institutions are struggling with most in light of the recent Cybersecurity Assessment Tool released by the FFIEC. Some of the key issues highlighted by the assessment are areas of non-compliance. In the tool, if a Baseline statement is answered "No," then the bank is considered non-compliant, since each Baseline statement is already required by guidance and regulation.

In response to the FFIEC's PDF document, CoNetrix developed a free, online automated tool that can help banks perform and report on their cybersecurity assessments. The free tool features an optional peer analysis to allow financial institutions to anonymously share and view information about how other banks are doing in the field of cybersecurity. An aggregation of anonymous peer responses from more than 250 financial institutions across the United States identified a common theme. Here are the top three items currently causing banks to receive non-compliant results from the assessment:

Data flow diagrams are in place and document information flow to external parties. (FFIEC Information Security Booklet, page 10)
This declarative statement is the third item in the Connections component of the External Dependency Management domain. According to the FFIEC Information Security Booklet (as referenced on the statement):

"A financial institution's outsourcing strategy also should be considered in identifying relevant data flows and information processing activities. The institution's system architecture diagram and related documentation should identify service provider relationships, where and how data is passed between systems, and the relevant controls that are in place."

More simply stated, your data flow diagram (or system architecture diagram) should identify at what point(s) data is passed to service providers. What are the ways service providers obtain access to your data?

Customer transactions generating anomalous activity alerts are monitored and reviewed. (FFIEC Wholesale Payments Booklet, page 12)
This declarative statement is the second item in the Anomalous Activity Detection component of the Cybersecurity Controls domain. According to the FFIEC Wholesale Payments Booklet, banks should:

"Monitor and log access to funds transfer systems, maintaining an audit trail of all sequential transactions; and incorporate the funds transfer controls into the organization's information security program to ensure the integrity and confidentiality of customer information."

In layman's terms, you should have a product or method in place to recognize abnormal transactions, and a plan to review the abnormal transactions. This will reduce potential damage of foul play.

Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. (FFIEC Information Security Work Program, Objective II: M-9)
This declarative statement is the third item in the Event Detection component of the Cybersecurity Controls domain. According to the FFIEC Information Security Work Program, banks should have:

"Appropriate detection capabilities [for] Network related anomalies [and] Host-related anomalies."

For this statement, you need to identify or initiate a process to monitor any unauthorized users, devices, connections, or software that may arise on the network. Documentation of this process can be part of many of your information security policies, including Removable Media and Data Transfer, User Access Control, and Hardware/Software Inventory.

So, if you have already conducted the Cybersecurity Assessment, you may want to go back and see how you answered these three statements. If you answered them as "No," you are not alone. If you answered them as "Yes," then congratulations! If you haven't conducted the assessment yet, then be sure to keep these things in mind and good luck.


Leticia Saiid is a Security+ certified Tandem Software Support specialist for CoNetrix. Tandem is a security and compliance software suite designed to help financial institutions develop and maintain their Cybersecurity Assessments and overall Information Security Program. To learn more about how CoNetrix can help you with these areas, visit our website at or email