Blog: Financial Institutions

Many organizations are adopting Microsoft 365 (formerly Office 365) and businesses nationwide are seeing the benefits of improved productivity through its email and collaboration solution. Organizations of all sizes can benefit from a seamless user experience between mobile and on-premise environments.

While Microsoft 365 offers great flexibility, it mostly focuses on infrastructure management rather than data management. Meaning: You are responsible for your data.

Some businesses who have migrated their workloads to Microsoft 365 do not realize that the same reasons they had for backing up and protecting that data on-premises applies even in the cloud.

If you are still considering Microsoft 365 for office productivity and collaboration, this article may be for you: Microsoft 365: Is it the right choice for your business?

Without proper backup and recovery, your data is at risk, because Microsoft isn't providing complete protection. It's important to create a backup and recovery strategy to ensure you avoid permanently losing your critical data.

It's important to understand the difference in responsibilities of Microsoft and Microsoft 365 user organizations. Microsoft hosts the infrastructure, but you are responsible for your data.

What is Microsoft's Responsibility?

Cloud Infrastructure Uptime — Microsoft focuses on the infrastructure management rather than data management. By focusing on infrastructure, Microsoft ensures its cloud service is online and operational. Guaranteed uptime is based on your agreement level and outlined in the availability SLA (Service Level Agreement).

Basic Data Replication — Microsoft provides basic data replication with datacenter-to-datacenter geo redundancy, and limited retention for short-time data recovery.

Data Processing Compliance — Compliance and controls for data processing are limited to the processor, not the data itself. Microsoft ensures data privacy, regulatory controls, and industry certifications for compliance are in place and maintained for the infrastructure of its cloud service.

Physical Infrastructure Security — Security functions for Microsoft 365 are limited to physical infrastructure, not data. It includes app-level security, logical security, and access controls for users and administrators.

What is the Customer's Responsibility?

Business Data in Microsoft 365 — The customer is the owner of the data that resides in the Microsoft 365 data centers. As the owner, the customer controls the data and who can access the data. All responsibility of the data is on the user to ensure data security, privacy, and retention.

Enterprise-grade Backup and Long-Term Data Retention — Implementing an enterprise-grade backup solution for Microsoft 365 can give businesses confidence to recover from security breaches, compliance exposure, and data loss. With enterprise-grade backup, a copy of the data is stored outside the environment. In the event of an incident, it provides granular and point-in-time recovery options.

Data Owner Compliance — As the data owner, the customer has the ultimate responsibility of data for internal legal and compliance teams. The customer answers to the demands from corporate and industry regulations.

Security Functions to Protect Data — Protection of data is the responsibility of the user, not Microsoft. Security controls must be implemented to protect the data from internal threats, such as accidental deletion, insider threat, and disgruntled employees, and external threats, such as malware, ransomware, and rogue applications.

What happens when Microsoft 365 is used without backup?

Microsoft only provides basic and limited retention. If you don't implement a backup strategy outside of Microsoft's native capabilities, you are opening up your business for unnecessary risk. Lack of a Microsoft 365 backup plan is a risky data strategy.

Without proper backup and recovery, your organization can expose itself to the following risks:

  • Data loss from accidental deletions
  • Ransomware attacks and security breaches
  • Insufficient retention time for regulatory compliance policies
  • Lack of data control due to potential SaaS lock-in

Organizations investing in productivity and collaboration tools should also consider their backup and retention needs as a factor in efficiency and productivity. Considering a third-party backup solution is critical for data loss avoidance.

What is the best strategy for Microsoft 365 backup?

Your data is your business. By taking a data-driven approach to your backup strategy, you recognize the critical importance of your data for your business stability.

Make Microsoft 365 Backup a Key Priority

Backup for cloud services (SaaS), such as Microsoft 365, is imperative for security and data control. Full oversight and control of data is a boardroom priority. Without backup, organizations do not have an exit strategy or freedom from SaaS lock-in because they are not in complete control of their data. Backup should be part of the conversation when buying SaaS and not an afterthought.

Consider Enterprise-grade Data Protection

When investing in backup solutions, consider integration between the Microsoft 365 environment and your existing data protection environment. Evaluate automation, security, and integration between systems when comparing enterprise-grade data protection and recovery features. Integrating SaaS into enterprise data protection can help unify data management.

What to look for in a Microsoft 365 backup solution

1) Freedom to use existing on-premise capacity for Microsoft 365 backup, or the ability to leverage another cloud for cloud backup.
2) Basic features provided, such as incremental backups, granular recovery, automation, and policy-based retention capabilities.
3) A solution capable of managing and protecting hybrid deployments and the ability to ease the full adoption of SaaS.
4) Integration between Microsoft 365 and the customer's existing data protection environment.
5) Advanced security features such as access control, SaaS usage metrics, and multifactor authentication for additional security.
6) Ability to scale up or down as business and data demand changes and as SaaS is rolled out more widely within the company.

Investing in productivity tools and the corresponding backup is an exciting adventure. When you are ready for a guide, we are here to help. We can advise on and implement a solution that fits your business needs. Contact us today to schedule a consultation.


Microsoft has been emphasizing Office 365 (now Microsoft 365) subscription services since the public introduction in 2011. As a result, the popularity of these services has grown to over 155 million active users as of October 2018, and is gaining new users at over 3 million seats per month. With this growth, on-going marketing, and the increasing acceptance of public cloud services, many businesses and financial institutions are starting to look at Microsoft 365.

In this article, we will highlight several pros and cons of Office 365 you should consider to determine if it's right for your business.

Microsoft 365 (formerly Office 365) encompasses several different products and services, but in this article, we will address these services in two primary areas: user applications and back-end services.

Microsoft 365 User Applications

Most Microsoft 365 subscription plans include Office applications like Word and Excel running on Windows, macOS, and portable devices running iOS and Android. Applications are also available through a web browser but most customers are interested in Microsoft 365 applications as a possible replacement for traditional Office licensing.

What are the primary differences between Microsoft 365 and traditional on-premise Office applications?
  • Microsoft 365 is an annual subscription per user or seat. Each user is entitled to run the Microsoft 365 applications on up to 5 devices for the term of the subscription. As long as you continue to pay the annual subscription, you are covered for the Office applications included in your plan.
  • Office applications through Microsoft 365 are designed to be downloaded from the O365 portal. There is no license key to determine if you have a valid license. After installation the applications routinely "check in" to the M365 (formerly O365) portal to ensure there is an active account. Because of this check-in process IT administrations must use a specific procedure for mass deployment of M365 applications. Additionally, installation on multi-user servers like Remote Desktop Services and Citrix requires a new approach.
  • Microsoft 365 applications are designed to install features and security updates directly from Microsoft when they are released. Legacy patch management solutions like Windows Server Update Services (WSUS) and 3rd party solutions will not work with M365. This can create a challenge for regulated customers who are required to report on patch status. Scanning tools used by auditors to determine patch levels will need the ability to recognize the differences between M365 and traditional Office applications. The M365 update process could also create an issue for Office-integrated applications if a hotfix is released that affects the compatibility of those applications, as there will be no option to block that update from being installed.
  • Microsoft 365 applications utilize a feature called Click to Run. This feature, which was originally introduced with Office 2016, provides a streaming method for installing features and patches for Microsoft 365 and Office 2019 applications. Our experience is that Click to Run can use a significant amount of bandwidth if you are installing Office applications or large updates on multiple systems simultaneously.
Is licensing through Microsoft 365 less expensive than traditional licensing?

For most customers the biggest question is: "Is licensing through Microsoft 365 less expensive than traditional licensing?" The answer is "It depends!" Microsoft 365 licensing could be financially attractive if:

  • Your business always updates to the latest release of Office.
  • You want the flexibility of per user licensing.
  • You want to take advantage of the licensing of up to 5 devices for multiple systems, mobile devices, home use, etc.
  • You need a simplified update process that works anywhere the PC has Internet connectivity.
  • You need to use the browser-based applications for a specific function or employee role.
  • You plan to implement one of the Office 365 back-end services.

Microsoft 365 Back-End Services

Microsoft provides several cloud server applications through Microsoft 365 including Exchange Online (email), Skype for Business (voice and messaging collaboration), SharePoint (file collaboration), and OneDrive (file storage and sharing). These back-end services can be implemented individually, or as part of a bundle with or without the Office applications depending on the plan. However, Exchange Online vs. Exchange on-premise is receiving the most attention from our customers.

What should I look for when performing due diligence?

The security and compliance of back-end Microsoft 365 services is not significantly different than any other cloud-based application or service. The areas to research include:

  • External audit attestation – SSAE 18 or similar
  • Data location residency – production and failover scenarios
  • Data privacy policies - including encryption in transit and at rest
  • Contracts and licensing agreements
  • Intellectual property rights
  • Service Level Agreements – service availability, capacity monitoring, response time, and monetary remediation
  • Disaster recovery and data backup
  • Termination of service
  • Technical support – support hours, support ticket process, response time, location of support personnel
A few more things to consider...

As a public cloud service, Microsoft 365 has several challenges that need specific attention:

  • The business plans listed on the primary pricing pages may include applications or services that you don't need. All of the various features can be confusing and it's easy to pick the plan that is close enough without realizing exactly what's included and paying for services you will never use.
  • Most of the back-end M365 services can integrate with an on-premise Active Directory environment to simplify the management of user accounts and passwords. This provides a "single sign-on" experience for the user with one username and password for both local and M365 logins. Microsoft has several options for this integration but there are significant security implications for each option that should be reviewed very carefully.
  • Microsoft has published several technical architecture documents on how to have the best experience with Microsoft 365. The recommendations are especially important for larger deployments of 100+ employees, or customers with multiple physical locations. One of the notable recommendations is to have an Internet connection at each location with a next-generation firewall (NGFW) that can optimize Internet traffic for M365 applications. Redundant Internet connections are also strongly recommended to ensure consistent connectivity.
  • The default capabilities for email filtering, encryption, and compliance journaling in Exchange Online may not provide the same level of functionality as other add-on products you may be currently using. Many vendors now provide M365-integrated versions of these solutions, but there will be additional costs that should be included in the total.
  • Microsoft OneDrive is enabled by default on most Microsoft 365 plans. Similar to other public file sharing solutions like Dropbox, Box, and Google Drive, the use of OneDrive should be evaluated very carefully to ensure that customer confidential data is not at risk.
  • Several other vendors provide Microsoft 365 add-on products that provide additional functionality which may be useful for some businesses. Netwrix Auditor for Microsoft 365 can provide logging and reporting for security events in your M365 environment. Veeam Backup for Microsoft 365 can create an independent backup of your data to ensure it will always be available. Cloud Access Security Brokers (CASB) such as Fortinet FortiCASB and Cisco Cloudlock can provide an additional layer of security between your users and cloud services such as M365.

Discover why the default retention policies of Microsoft 365 can leave your business at risk.

It is certainly a challenge to research and evaluate cloud solutions like Microsoft 365. Financial institutions and other regulated businesses with high-security requirements have to take a thorough look at the pros and cons of any cloud solution to determine if it's the best fit for them.

CoNetrix Aspire has been providing private cloud solutions for businesses and financial institutions since 2007. Many of the potential security and compliance issues with the public cloud are more easily addressed in a private cloud environment when the solution can be customized for each business.

The combination of Office application licensing with back-end services like Exchange Online can be a good solution for some businesses. The key is to understand all of the issues related to Microsoft 365 so you can make an informed decision.

Contact CoNetrix Technology at if you want more information about the differences between Aspire private cloud hosting and Microsoft 365.


"You need a pen test. This is a vulnerability assessment. Have you considered Red Team testing?"

You might have been told this by a regulatory examiner, your IT vendor, a senior partner, a Board member, or read it in an article. It's a common statement in the penetration testing space these days and with good reason. The scope and methodology of penetration tests is not standardized or regulated, so each provider can create their pen test service as they see fit. This puts more responsibility on you, the customer, to determine if they are meeting your needs.

In this article:

We covered these topics in our webinar Choosing Pen Tests & Real-Life Horror Stories. In this webinar we discussed:

  • The different types of penetration tests available
  • The pros and cons of different penetration tests
  • How to choose the best penetration test for your organization
  • Stories of real-world exploits
  • How to make the most of your penetration testing budget

What is Penetration Testing?

Many terms are used to describe penetration testing…

Red Team, Physical Intrusion, Gray Box Testing, Phishing, Reconnaissance, Privilege Escalation, Precision Strike, War Dialing, Black Box Testing, Social Engineering, Capture the Flag, Web Application Testing, Purple Team, White Box Testing, Blue Team, Pivoting, Internal Testing, External Testing

They overlap, they conflict, they can be misleading.

What is Penetration Testing?

So, what is pen testing?

Whether it's physical, logical, or human, pen testing shows you how an attacker would look at your organization. They look for holes and possibilities to disrupt the way you work.

Penetration testers look for holes and vulnerabilities that could disrupt the way you work.

According to the FFIEC IT Exam Handbook for financial institutions, there are many types of penetration tests . . . and management should determine the level and types of tests employed to ensure effective and comprehensive coverage.* The regulators are giving you the responsibility for figuring out what level and type of pen test you need.

So, what terms mean something, and what is terminology fluff? What should you look for when determining the pen test you need and what vendor to use?

Choosing and understanding penetration test vendors and knowing the terminology is important. Our aim in this article is to help remove some of the mystery around pen testing and help you feel confident in determine the best solution for your company.

What type of Pen Test do you need?

What is the type or level of penetration testing that you need?
Let's go back to the regulation:
"A penetration test subjects a system to real-world attacks selected and conducted by the testers." - FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016 (emphasis added)

Essentially you are choosing what you want tested, you are not telling them how you want them to test it. That should be up to the penetration tester. The reason is, the penetration tester should have the expertise to know what the attackers are doing, and they are going to choose the real-world attacks that the attackers would choose. They have done the research, gone through the certifications and the training to know what types of methods to use. So it's important to know you're not telling them how to do the test, you're telling them what you want tested.

You figure out WHAT you need tested and the penetration tester will figure out HOW to test it.

Here is a simple definition of penetration testing that doesn't use any of the fancy marketing terms. Let's start here.

At its core, penetration testing should show you how an attacker would see you and describe specific attacks they would choose to use against you. That means you don't need to tell the pen testers HOW to do the testing. You just need to tell them WHAT to test and ensure their METHODOLOGY meets your needs and keeps you safe.

So, how do you determine WHAT you need?

Start with a Risk Assessment

When done correctly, a risk assessment will inform you of what you need to do for security testing.

Let's use an example to illustrate. Here is a simple risk assessment.

Simple Risk Assessment

  • What attacks do we hear about from IT, in the news, etc.?
    • Phishing!
    • Ransomware
    • Website attacks
  • What assets do those attacks target for us?
    • Employees
    • Corporate email and perimeter defenses
    • Web servers
  • What testing do we need?
    • Email social engineering for ALL employees
    • Internet perimeter testing for ALL of our public IP addresses

In this sample risk assessment, we are showing that as a company that offers services via the Internet our top concern is cybersecurity; but more specifically, we are concerned with phishing, ransomware, and website attacks.

So how do those threats apply to us? Phishing relies on our employees to click a link or open an attachment, so testing our people is important. Ransomware is typically introduced from the outside, so our corporate email defenses and perimeter defenses, such as firewalls, are important. Website attacks target our webservers directly, so those are also important targets.

Translate your Risk Assessment

After you perform a risk assessment, you will need to translate the results to answer the questions "What" to test and "Why" test it. The penetration test company will figure out "How" to test it.

For our sample risk assessment illustrated above, here is what we would choose:

  1. What to test? — Internet exposed systems
    Why test it? — These are our most exposed systems. They are what our attackers are going to hit first.
  2. What to test? — Employee responses to social engineering, because our employees are the ones who will protect us from phishing attacks.
    Why test it? — Phishing attacks are frequent and successful. They are hurting other people and happen all the time.

TIP: Test against common attacks. Attackers stick with what works. We're tempted to say "It's so common, let's look for the next big thing instead." Attackers will stick with what works as long as it works. So if you're hearing about things in the news, like ransomware and you're worried about it, then that is a valid threat to test against. It will continue to happen until it's no longer profitable for the attacker.

Test against common attacks. Attackers stick with what works as long as it works.

Whether your risk assessment is a formal or informal process is not as important as the results. You need to identify the areas where you are exposed, where your most critical assets are, and where attacks are most likely to occur. These decisions come from knowing your organization and knowing what types of attacks are common. We see these attacks in the news and other places all the time.

Determine the testing you need

Going back to our simple risk assessment example, we can take the assets we identified in the first step and translate them into the type of testing we need. In this case, we decided on email social engineering for all employees and Internet perimeter testing for all of our public IP addresses.

Be specific!

It is important to be very specific when communicating to your penetration testing company what type of testing you want performed. In a minute, we will look at what could happen if we don't communicate clearly.

Choosing a Pen Test Provider

Now that we know what we want to test, we need to define the scope of the testing. Do we want to test just our web servers or our entire Internet exposure? Do we want to test a specific group of employees or are we specifically concerned about a certain department that performs risky tasks – maybe they initiate wire transfers for our company.

In this example, we will define the scope as:

  • All public IP addresses
  • All employees

TIP: Include ALL external IP addresses, active and inactive. You never know when an inactive IP address might become active. Mistakes and misconfigurations happen and attackers are looking for them.

This scope can be modified over time. Maybe we want to test all employees the first time and then focus on a risky department the next time.

What can happen if you don't communicate clearly?

Check out what happened when pen testing services were requested by Iowa State Court Officials. As reported in this news article, the scope of testing was defined as "test the security of the court's electronic records . . . through various means." Not specific enough! It only defined an asset, not what the organization was worried about or what they wanted tested. The result: two pen testers were arrested in Adel, Iowa for attempting to physically break into the court house. The State's response: "[we] did not intend, or anticipate, those efforts to include the forced entry into a building."

In other words, if we want our employees tested against phishing and our Internet perimeter tested against a remote attacker, we don't want the pen testers to do this to our front door:

Unrelated to the Iowa incident, this gentlemen is well-known for his pen testing of physical controls, but would you want this sort of testing when you are concerned about ransomware coming in through phishing emails?

Set the Rules of Engagement

The final step in our pen test selection process is to set the boundaries for our pen testers to follow. Remember that we get to choose WHAT they target, but they get to choose the attacks that would be most effective – what the real attacker might choose. By settings boundaries on those attacks or rules of engagement, we can ensure the pen test won't go too far and cause harm.

In this step you will agree on:

  • What the pen testers WILL attempt
  • What the pen testers WON'T attempt

"The test mimics a threat source's search for and exploitation of vulnerabilities to demonstrate a potential for loss." - FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016 (emphasis added)

Going back to our regulatory reference, these boundaries are stated as "demonstrating the potential for loss." Notice it doesn't say "demonstrating the loss," but rather the potential for loss. This is an important word to highlight because it identifies the need for pen test boundaries. We want our pen test firm to show us how an attack could happen and how it could negatively impact our organization, but we don't want them to go so far as to actually cause loss or have a significant negative impact.

Here's an example set of the rules of engagement that CoNetrix will use. Because we typically test live, operational systems, we put certain rules into place to make sure the testing stays within bounds.

Rules of Engagement
  • Do no harm. It's not a good penetration test if the penetration test company leaves you more vulnerable than you were when you started. What would that look like? If they went into a system and they installed malware and left that malware sitting there and didn't tell you they installed it. That malware may be opening a door to the internet that you didn't have before. If the pen testers create new exposure, then it would leave you worse off than when you started.
  • No significant customer impact. You don't want customers calling in saying: "I can't get into my internet banking account," "I can't log in to this website," "the website is down." The penetration test company needs to be very aware of who your customers are and how they use your systems. They need to make sure that everything they do does not impact the customer. Some tests can't be performed unless there is some customer impact. How would a penetration company handle that? The way it should go is: 1) Identify the vulnerability and the potential exploit for that vulnerability. 2) Contact the customer and let them know about it. If they would like us to perform the exploit, inform them it may cause some downtime and it might affect their customers. 3) Coordinate with the customer on when to perform the exploit testing. Maybe we do it after hours. Or it may be they are great with just knowing the vulnerability exists and don't need the exploit performed due to the possible negative impact.
  • No unplanned operational impact. A penetration test company may discover that your system or website is extremely vulnerable to a certain kind of denial of service attack. If exploited, it could be taken down for hours on end. That's great to know, but the penetration test company should not exploit that vulnerability without coordinating with you first. That would cause unplanned operational impact and now your IT department is scrambling and your customers or your internal staff are upset because they can't do their job or access your services.
  • Limited system recovery time/money. This is an important one and not always obvious. If you're not careful, a penetration tester that is not very good at what they're doing could say "well, we could do this and they would just have to restore from backup". That's easy for the penetration tester to say, but they aren't the ones who have to do the work to restore from backup. A lot of times restoring from backup can be a complicated process and can take a while. It might cost a lot of time and money, and that may not be obvious to a penetration tester. Just having a dedicated person to go recover a system can be a big impact to other projects and tasks you have going on. If an exploit is going to take significant effort or money to recover from, then that needs to be out of bounds, unless you have coordinated about it ahead of time.
  • Attempted exploits need to provide value. Penetration testing can be flashy and glamorous. It shows up in movies, TV shows, YouTube, etc. Make sure that the exploits that are being performed are providing value. Flashy and glamorous is fine for the movie screen, but real world pen testing must provide value to your company by helping improve your security posture.
  • If an exploit might break the rules, report the vulnerability. A penetration test company may say they found this vulnerability, but if exploiting it is going to break the rules, then it would be better to just report the vulnerability and say what needs to be fixed. It's better to do that than to cause your customers and staff a lot of grief. The vulnerability can be talked about and remediated without causing problems.

These are the rules of engagement we practice here at CoNetrix when performing penetration tests.

Evaluate a Pen Test Provider

So let's wrap up how to choose a pen test provider with some ways you can evaluate pen testers and then we'll move on to the fun stuff – the exploits!

  1. Know what you need tested and clearly communicate that in the project scoping and quoting process. We talked about identifying what you need tested. Make sure the pen test company's expertise matches with what you need tested. As we saw earlier, some pen testers excel in physical security testing. Others excel at Internet-based testing. Some are industry-specific such as SCADA pen testers. Make sure you find out what their strengths are.
  2. Make sure their report is understandable and well-organized. Many pen testers are great at successfully demonstrating attacks. After all, that's the fun part – the part that gets put into the movies. Buy many don't put as much effort in communicating what they did and how you can improve your defenses. Make sure the format of the report and the way information is communicated in the report is going to help you improve your security. Is it actionable for you and your IT/security staff?
  3. Check out their certifications on top of experience. Certifications are a great way of making sure a pen test company has the knowledge and skills necessary. Some examples include Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), and any certification that shows they have knowledge of the area you need tested.
  4. Make sure the penetration test company will help you understand the report. We believe security testing is most useful when it is a partnership, not a stand-alone service. Ask how the pen test company will help you understand what the issue is and what you can do about it. Do they review their results with you? Do they provide remediation recommendations? Or do they drop a bunch of results on you and wish you good luck.

Phases of Pen Testing

So now let's talk about the fun side of pen testing—exploitation. It's good to know that exploitation is part of the process. Many times it is because of this process that a penetration test report may look like a vulnerability assessment. Every pen test process follows a similar process—identify how the target is exposed—identify vulnerabilities that could be attacked—exploit those vulnerabilities—report both the vulnerabilities and any successful exploits.
But what if no exploits were possible—at least not within the rules of engagement? In that case, the report would only identify vulnerabilities and could look a lot like a vulnerability assessment. But through your pen test selection process, you made sure the firm would exploit vulnerabilities when safe and possible and their documented methodology should reflect that approach.
Phases of Pen TestingOne of the best things you can do when evaluating a pen test company is ask them for examples of what they have done. See how they did it and whether you're comfortable with the things they are capable of doing.

One of the best ways to evaluate a pen test company is to ask for some examples of their successful exploits.

*FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016
**This blog post is for information purposes only. Evaluate your risks before acting on any ideas presented in this article.


On Wednesday, November 14th, the Federal Financial Examination Council (FFIEC) released an updated version of the Business Continuity Management Booklet. One of the changes is related to business continuity and disaster recover exercises and tests. In the new booklet, the FFIEC redefines the testing methods and introduces more delineation between a BCP exercise and a BCP test.

What is a BCP Exercise?

According to the new booklet, "an exercise is a task or activity involving people and processes that is designed to validate one or more aspects of the BCP or related procedures" (p. 37). Each exercise can look different depending on the scope, goals, and objectives of the test. Some exercises can be discussion only (i.e. tabletop discussion) while others could be comprehensive (i.e. full-scale exercise).

What is a BCP Test?

The new booklet defines a test as a "type of exercise intended to verify the quality, performance, or reliability of system resilience in an operational environment" (p. 37). Tests typically focus on a system or set of systems. An example of a test might be verifying back on a server is functions or verifying recovery time objectives (RTOs) are acceptable for a system. The big difference according to the booklet is, "exercises address people, processes, and systems whereas tests address specific aspects of a system" (p. 38).

How are the testing methods different in the new booklet?

Examples of testing methods from the older 2015 Business Continuity Planning Booklet included (p. 18):

  • Tabletop Exercise Structured Walk-Through Test. "[The tabletop exercise structured walk-through tests] primary objective is to ensure that critical personnel from all areas are familiar with the BCP and that the plan accurately reflects the financial institution's ability to recover from a disaster."
  • Walk-Through Drill/Simulation Test. "A walk-through drill/simulation test is somewhat more involved than a tabletop exercise/structured walk-through test because the participants choose a specific event scenario and apply the BCP to it."
  • Functional Drill/Parallel Test. "Functional drill/parallel testing is the first type of test that involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform actual recovery processing as set forth in the BCP."
  • Full-Interruption/Full-Scale Test. "In a full-scale test, a real-life emergency is simulated as closely as possible."

The new testing methods introduced in the 2019 Business Continuity Management Booklet map closely to its predecessor; however, they are renamed and have slight differentiators (pp. 42-44).

  • Full-Scale Exercise. "A full-scale exercise simulates full use of available resources (personnel and systems) prompting a full recovery of business processes."
  • Limited-Scale Exercise. "A limited-scale exercise is a simulation involving applicable resources (personnel and systems) to recover targeted business processes."
  • Tabletop Exercise. "A tabletop exercise (sometimes referred to as a walk-through) is a discussion during which personnel review their BCP-defined roles and discuss their responses during an adverse event simulation."
  • Tests. "Management uses tests to verify the quantifiable performance and reliability of system resilience."

What does this mean for me?

The new FFIEC guidance highlights the "people and processes" aspects of your organization's BCP. This is a shift in focus from the 2015 BCP booklet in which testing guidance more heavily emphasized testing IT systems and system components. This change can be seen in the definitions of the testing methods. Personnel are specifically included in all four of the "exercise" definitions whereas the definition of "tests" is only concerned with validating system resilience.

What hasn't changed is BCP exercises and tests are used to validate one or more aspects of an enterprise-wide BCP. Financial institutions should incorporate a variety of exercises and tests into their overall BCP test program in order to ensure the institution can restore operations and recover from business interruptions. While the test program will be different based on each institution's size and complexity, strong test plans include strategies to evaluate all aspects of the institution's BCP, including people and processes as well as IT systems.


For more information about the updated booklet, visit:



This article was updated on August 28, 2019. See below for the updates.

What is the FSSCC Cybersecurity Profile?

The FSSCC Cybersecurity Profile was published on October 25, 2018 by the Financial Services Sector Coordinating Council (FSSCC). The FSSCC is a private entity comprised of 70 members from financial services organizations. Their cybersecurity profile has multiple tiers, which allow users to answer a scalable set of questions. This scaling is designed to provide an expedited assessment of the user's organization's cybersecurity preparedness.

In addition to the tool's claims of efficiency, the tool's development is largely credited to organizations familiar to the financial services industry. The Press Release includes names such as the American Bankers Association, Bank Policy Institute, the Institute of International Bankers, and more.

Beyond this, the FSSCC has made multiple appeals to the Cybersecurity Profile's usefulness in regulatory examinations, going so far as to claim, "The numerous and substantial benefits [of using the FSSCC Cybersecurity Profile] to the financial services sector are: […] Supports tailored supervision, examinations, and collaboration among state, federal, and international supervisors," per the FSSCC Overview and Users Guide.

What is the FFIEC Cybersecurity Assessment Tool?

The FFIEC Cybersecurity Assessment Tool (CAT) was initially published on June 30, 2015, and updated May 31, 2017. The CAT was designed by the Federal Financial Institutions Examination Council (FFIEC), a formal interagency body, comprised of members from the FRB, FDIC, NCUA, OCC, CFPB, and SLC. The CAT is standardized, which allows users to answer a specific set of questions, designed to provide a thorough assessment of their organization's cybersecurity preparedness.

The FFIEC CAT includes 494 cybersecurity maturity statements, which has resulted in some complaints. However, it is not only designed to provide a detailed assessment of a financial institution's current state of cybersecurity preparedness, it also enables targeted and long-term planning for growth and improvement.

With regard to examinations:

• The FDIC continues to heavily rely on the InTREx Work Program. While InTREx does state financial institutions are not required to use the FFIEC CAT to assess cybersecurity preparedness, the program also states FDIC examiners will reference the CAT's Appendix A when performing examinations.

• The NCUA is currently implementing the Automated Cybersecurity Examination Tool (ACET). The ACET is based on the FFIEC CAT, with a document request list to help credit unions understand, gather, and organize the documents needed for the examination. Read our blog on FAQs about the ACET

• In their Spring 2018 Semiannual Risk Perspective, the OCC announced they had "implemented the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) into its examination process." In addition, an OCC representative at the 2019 CoNetrix KEYS Conference Examiner Panel indicated the OCC is piloting their own segmented version of the FFIEC CAT, to be fully completed on a three-year cycle.

August 2019 Update: In July 2019, the OCC replied to a comment from the FSSCC in the Federal Register. The FSSCC asked the agencies to "make a clear statement that other methodologies, such as NIST Cybersecurity Framework and the FSSCC Cybersecurity Profile, are acceptable inputs into the examination process." The OCC replied that financial institutions "may choose to use the [FFIEC CAT], the NIST Cybersecurity Framework, or any other risk assessment process or tool to assess cybersecurity risk."

• The FRB's supervisory letter about the tool, SR 15-9, indicated the CAT's planned use in examinations, and the FRB was a contributor in the May 2017 update of the tool, per their 2017 Annual Report. Additionally, a list of Information Technology Guidance was published, including the FFIEC CAT as a "Policy Letter."

Will the FSSCC Cybersecurity Profile Replace the FFIEC Cybersecurity Assessment Tool?

While the FSSCC Cybersecurity profile has fewer questions, and the FSSCC has expressed interest in seeing the tool used during regulatory examinations, the federal banking agencies have not yet expressed the same interest.

In addition, while completing the FFIEC CAT is not required, four years into the CAT's implementation, examiners are now familiar with the tool and the agencies continue to supplement and reference the CAT in their own examination programs. In light of this, using the CAT to assess cybersecurity preparedness could help expedite the examination process, as the tool may be used during an exam.

At this point in time, it is not clear what the future holds for the FSSCC Cybersecurity Profile. Due to the thorough nature and widespread adoption of the FFIEC CAT, it is difficult to imagine the CAT will be replaced by any tool in the foreseeable future.

August 2019 Update: In August 2019, the FFIEC published a press release encouraging a standardized approach to assessing cybersecurity preparedness. While the press release lists the FFIEC CAT, NIST Cybersecurity Profile, Center for Internet Security Controls, and FSSCC Cybersecurity Profile as references to "support institutions in their self-assessment activities," the press release reiterates that "the FFIEC does not endorse any particular tool" and the "tools are not examination programs."

Does CoNetrix have anything that can help with assessing cybersecurity preparedness?

Yes. The Tandem Cybersecurity module took the FFIEC CAT PDF content and streamlined it into an easy-to-use web-based application. With email reminders, charts and graphs, presentation documents, optional peer comparison, and tools for the NCUA's ACET, you can put the FFIEC CAT to work for you. Get started for free with Tandem Cybersecurity.



Early this year the tech world was rocked with the announcement of two unprecedented vulnerabilities named Meltdown and Spectre.

These two vulnerabilities are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Understandably there was a rush from three main industries, processor companies, operating system companies, and cloud providers to provide solutions. However, as a result of the urgent response, there were unanticipated update incompatibilities which crashed systems. This created a dilemma for IT professionals. "Do we install updates which may cause our systems to crash?" or "Do we sit-tight and remain vulnerable?"

Even in the weeks of uncertainty, there were calm voices of seasoned reasoning. Their message reminded us that basic security standards remain our first line of defense. No matter how bad an exploit may be, its impact can be limited if:

  • The vulnerability doesn't have access to your systems
  • Operating system or application weaknesses are patched
  • Security software is installed (advanced end-point protection software with artificial intelligence is a game changer)

So how do you do achieve these standards? Here are some fundamental best practices:

  1. Monitor availability of operating system and application updates. Be sure you find and establish good sources to inform you about the patches and updates for your systems and applications. Then, monitor the sources or subscribe to notifications.

  2. Test updates to ensure compatibility. It is best if your update and patching process includes a test environment where non-production systems are updated first in order to test functionality and compatibility. This allows you to postpone or avoid updates which might crash systems or applications.

  3. Apply updates and patches on a regular schedule. As a best practice, you should implement a schedule (at least monthly) to evaluate, test and install updates for systems and critical applications. In this way, your schedule can coincide with schedules of operating system and application vendors (e.g., Microsoft has "Patch Tuesday, the second Tuesday of each month).

  4. Install and maintain security software (e.g., antivirus software, endpoint security software, etc.). If possible, explore and utilize behavior based end-point protection software. This genre of software "watches" system behavior to notice and stop suspicious action.

  5. Prevent malicious code execution. The goal is to keep malicious code out of your network and systems. This is best accomplished with layers of security including Internet filtering, phishing detection, and security awareness training for system users. Security awareness is essential to help prevent users from falling prey to malicious emails.


On September 9th, 2016, the Federal Financial Institutions Examination Council (FFIEC) released a revised Information Security booklet.  This booklet is one of eleven booklets that make up the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook). The IT Handbook is designed to provide information and reference to financial institutions and examiners.  The Information Security booklet specifically “provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution’s information systems.”

To learn more about the new FFIEC Information Security Booklet, join us for a webinar on October 11th at 2:00pm CDT. Register now

To see other webinars offered by CoNetrix, visit our webinars page.

About the FFIEC: The FFIEC was established in 1979 per Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978.  The FFIEC is comprised of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administrator (NCUA), the Office of the Comptroller of the Currency (OCC), the State Liaison Committee (SLC), and the Consumer Financial Protection Bureau (CFPB).



Today the FFIEC released a Cybersecurity Assessment Tool to help financial institutions identify their risks and assess their cybersecurity preparedness.  The assessment tool is designed to provide a repeatable and measurable process for banks and credit unions to measure their cybersecurity preparedness over time.

The FFIEC tool consists of pdf documents including an Overview for Chief Executive Officers and Boards of Directors, a User's Guide, an Inherent Risk Profile, a Cybersecurity Maturity, and some Additional Resources.

CoNetrix is working on a FREE online, interactive tool to assist banks and credit unions in completing the new FFIEC cybersecurity assessment.  This easy to use SaaS will allow financial institutions to answer questions provided in the FFIEC documents, view and analyze inherent risk and cybersecurity maturity, and run various reports.  To learn more about the new Tandem Cybersecurity tool, visit



The ".bank" domain registration will open into general availability on June 24, 2015 at 00:00:00 UTC or June 23 at 8:00pm Eastern, 7:00pm Central, 6:00pm Mountain, & 5:00pm Pacific.  According to fTLD, during the initial sunrise regstration period, there were more than 700 applications made for ".bank" domains.  Domains will be awarded on a first-come, first-served basis in all registration periods.  To learn more, read the article Dot Bank by Leticia Saiid of CoNetrix published in the Spring 2015 issue of The Community Banker or visit


Registration for the new “.bank” domains is coming up soon. These domains could be prime Internet names in the future. A few quick notes: [more] 

  • Early “sunrise” registration will be May 18, 2015 with general availability on June 24th.
  • Registration will be limited to domain names with corresponding trademark, trade name, service mark, or bank name. 
  • There will be a verification procedure to ensure these domain names are only issued to valid financial institutions.
  • Banks should consider registering a trademark now to be able to register the associated domain during the sunrise registration period. 
  • Registration will be on a “first come, first serve” basis, so if a bank with similar names want the good domains, they need to register early.
  • More information is available at