Articles

By:
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Summer 2013

Much attention has been focused on the major areas of emphasis in the FFIEC Supplement to Authentication in an Internet Banking Environment (the Supplement) released June 28, 2011. Any analysis of the threats associated with Internet banking must necessarily begin with a risk assessment. Your risk assessments frequently reveal that your controls need to be strengthened. The Supplement addresses in detail weaknesses that have developed in many Internet banking technical controls due to the persistence and creativity of fraudsters. A third area of emphasis, customer awareness and education, has led (or is leading) to a strengthening of customer education initiatives. However, an area with serious information security implications may have slipped under your radar for years.

Broader Ramifications?


By: (Security+)
Publication: The Colorado Banker, May/June 2013

The Federal Financial Institutions Examination Council (FFIEC) recently released proposed guidance on social media. The proposed guidance, titled Social Media: Consumer Compliance Risk Management Guidance, identifies risk management expectations that could surprise bank personnel who are not very familiar with the scope of social media. Generally, you perform a risk assessment for services you offer. But social media is a completely different monster of its own. I would categorize it more with tornados and floods. In other words, risk from social media is inevitable even if your bank specifically chooses not to use it. With inevitability in mind, it’s important to perform a risk assessment and establish controls for social media, regardless of your level of involvement.


By:
Publication: The Kansas Banker, April/May 2013

Vendor management is a crucial element of a bank's information security program. Proper due diligence includes, but is not limited to, an evaluation of the vendor's financial statements, business continuity planning and testing, legal and regulatory obligations, history and reputation, and independent audit reports. Typically, this evaluation is performed when selecting a new vendor and then periodically throughout the vendor relationship. A complete vendor management program should also include ongoing oversight of the vendor.

Vendor oversight is a commonly neglected element. In fact, it is not unusual to see a company place too much trust in a vendor's security practices, and the nature of the relationship itself is often a contributing factor. Typically, vendors are contracted to do work that bank personnel either lack the time or expertise to complete. As a result, ongoing oversight and follow-up verification are often ignored.


By: (Security+)
Publication: Nebraska Banker, March/April 2013

The Federal Financial Institutions Examination Council (FFIEC) recently released proposed guidance on social media. The proposed guidance, titled Social Media: Consumer Compliance Risk Management Guidance, doesn't express any new obligations for banks, but instead is intended to help financial institutions understand the risks associated with social media and the risk management expectations.

The key stages of managing the overall risk of social media presented in the proposed guidance are suspiciously similar to the risk management of other information systems. Basically, it suggests integrating knowledge from multiple departments by consulting with on-staff technology, legal, and marketing experts to:


By:
Publication: Colorado Banker, Mar/Apr 2013

Once upon a time there was a man who liked to help people. He was good at helping people reach their dreams in business and in their personal lives. He decided to open a bank so he could make good honest loans to good honest people.

He bought all the necessities to make a bank work. But his biggest investment was the people he hired to help him.

Soon, however, he had to start buying computers. Then he had to buy servers. Then he had to find a room to put the servers in.


By: (CISA, CISSP, CRISC)
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Spring 2013

In January, the Federal Financial Institutions Examination Council (FFIEC) released proposed guidance titled, Social Media: Consumer Compliance Risk Management Guidance. According to the FFIEC, the proposed guidance "is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks, such as reputation and operational risks associated with the use of social media, along with expectations for managing those risks."

Definition:

The term "social media" can mean many different things to different people. For the purposes of the guidance, the FFIEC defined social media as "a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video." They also included the following examples of social media:


By:
Publication: The Kansas Banker, February/March 2013

Does your bank have a social media risk management program? If you answered "no" to the previous question, then you might have some work to do. Your financial institution faces risks associated with social media whether or not it is officially using social media as a communication channel. A risk management program should be implemented to identify, measure, monitor, and control the risks related to social media. There is now some information from the FFIEC that can assist you with controlling social media risks.


By:
Publication: The Colorado Banker, January/February 2013

A common axiom in the world of information security is that convenience and security are inversely related, or in other words, as security increases, convenience decreases. You have, no doubt, experienced this in your bank as well as in your personal life. From a banking standpoint, annual IT audits and exams are probably not the most convenient use of your time, but they should be testing current controls and showing you controls to add, thereby increasing your physical and logical security. Below are some of the most common security issues I see in banks.


By:
Publication: The Kansas Banker, January 2013

Holistic medicine has always made more sense to me than the more popular modern approach of treating your symptoms so you can be comfortable while whatever caused your disease still exists. Holism is related to or concerned with wholes or complete systems rather than with the analysis of, treatment of, or dissection into parts. As more and more of our favorite security controls have proven themselves less effective than we thought and hoped, I believe a successful security program has to be more holistic in nature.


By:
Publication: Nebraska Banker, January/February 2013

Sometime in the last twelve months, has someone at your bank said...

"We have to cut IT costs!"

The problem is multi-faceted. Whether you need to add another IT professional, remodel and expand the server room, upgrade your servers or buy new software technology – IT has grown like a monster in the closet.

That's when someone brings up "the cloud."

The FFIEC defines cloud computing as "a migration from owned resources to shared resources". For the first time since you bought your first server, the cloud has presented a real solution to stop the ever-expanding nature of bank IT and bank IT costs.

So how do you go about leveraging the power and savings of the cloud?
