Blog: Financial Institution

By: (CISA, CISSP)

Early this year the tech world was rocked with the announcement of two unprecedented vulnerabilities named Meltdown and Spectre.

These two vulnerabilities are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Understandably, there was a rush from three main industries (processor manufacturers, operating system vendors, and cloud providers) to provide solutions. However, as a result of the urgent response, there were unanticipated update incompatibilities which crashed systems. This created a dilemma for IT professionals: "Do we install updates which may cause our systems to crash?" or "Do we sit tight and remain vulnerable?"

Even in the weeks of uncertainty, there were calm voices of seasoned reasoning. Their message reminded us that basic security standards remain our first line of defense. No matter how bad an exploit may be, its impact can be limited if:

  • The vulnerability doesn't have access to your systems
  • Operating system or application weaknesses are patched
  • Security software is installed (advanced endpoint protection software with artificial intelligence is a game changer)

So how do you achieve these standards? Here are some fundamental best practices:

  1. Monitor availability of operating system and application updates. Be sure you find and establish good sources to inform you about the patches and updates for your systems and applications. Then, monitor the sources or subscribe to notifications.

  2. Test updates to ensure compatibility. It is best if your update and patching process includes a test environment where non-production systems are updated first in order to test functionality and compatibility. This allows you to postpone or avoid updates which might crash systems or applications.

  3. Apply updates and patches on a regular schedule. As a best practice, you should implement a schedule (at least monthly) to evaluate, test and install updates for systems and critical applications. In this way, your schedule can coincide with the schedules of operating system and application vendors (e.g., Microsoft has "Patch Tuesday," the second Tuesday of each month).

  4. Install and maintain security software (e.g., antivirus software, endpoint security software, etc.). If possible, explore and utilize behavior-based endpoint protection software. This genre of software "watches" system behavior to notice and stop suspicious actions.

  5. Prevent malicious code execution. The goal is to keep malicious code out of your network and systems. This is best accomplished with layers of security including Internet filtering, phishing detection, and security awareness training for system users. Security awareness is essential to help prevent users from falling prey to malicious emails.


By: (Security+)

Ideally, reviewing a SOC Report will take you 15 minutes or less (once you get the hang of it). If you are a financial institution and you have vendors, then you have plenty of SOC Reports to review every year.

This blog will tell you what to review in SOC Reports, and nothing more.

You Don't Have to Know It All

I could tell you all sorts of information about SSAE 18 and SOC Reports! Here's one: SSAE 18 is the rule book and SOC is the engagement and report name, so you don't get an SSAE 18 from your vendor, you get a SOC Report. But what you actually want/need is a quick way to get your job done, not a dissertation on the inner workings of SOC audits.

Other people may try to make the SOC Report review process seem big and complex so that you will rely on them to do the reviews for you… Don't let them scare you. You are capable of reviewing a SOC Report just as well as any expert. Really! I believe in you.

Admittedly, SOC Reports are complex and they are full of important information, but finding the information you need from it is really quite simple.

You Just Need the Important Parts

Think about this: If your vendor has a SOC Report, then that means an outside party has reviewed the vendor on your behalf. The outside party has verified the vendor is operating effectively. Thanks to this outside party, you don't have to comb over every detail of a SOC report. This means you can primarily read the CliffsNotes version in the "Auditor's Report" section and trust the outside party's judgment.

SOC reports are completely standardized. They share a basic structure and even include some of the exact same sentences. This means you can grab what you need from a few specific places, then be on your way.

Let's Get To It

Here is a quick list of the information you need to find in a vendor's SOC report and note in your review. Section names won't be exact, but they're pretty close.

  1. Look at the Cover Page to compile a profile for this SOC report. Find the company being reviewed, the auditing firm, SOC #, and Type #.

  2. Look at the Scope subsection of the Auditor's Report section to find when the audit was done.

  3. Now, this is one of the two most important parts of your review, so focus with me here. Look at the Scope subsection of the Auditor's Report section to see if complementary user entity controls are employed. If so, go to the Description of Systems section to find all of the details about the complementary user entity controls. And obviously, make sure you are doing those things.

  4. Look at the Scope subsection of the Auditor's Report section to see if subservice provider controls are employed. If so, go to the Description of Systems section to find out what the vendor is doing to monitor the subservice provider controls.

  5. Look at the Limitations subsection of the Auditor's Report section to see if anything happened during the audit that limited the auditor's ability to check everything.

  6. This is the other of the two most important parts of your review. Look at the Opinion subsection of the Auditor's Report section to see if the auditor found anything problematic. Also note their official "opinion." If the auditor noted significant issues, find the Other section. Management should provide some kind of response to the significant issues found.

  7. If this was a Type 2 engagement, look at the Test Results section to find any and all exceptions encountered during testing. This may include some that were not considered significant enough for the auditor to mention in the Opinion subsection.

And that's it. While it's pretty simple, why not make it easier? We created a downloadable PDF with the above checklist so that you can easily and efficiently review your SOC reports.



In September 2016, the Federal Financial Institutions Examination Council (FFIEC) released an updated Information Security Booklet as part of the IT Examination Handbook. Among other contemporary concepts, the FFIEC placed an increased emphasis on the role of Information Security Officers (ISOs) in financial institutions. In section I.B Responsibility and Accountability (Page 5), the FFIEC provides a list of six key qualities of the ISO role. Here are the six qualities and a brief interpretation of how this can be applied in your organization.

1. Sufficient Authority

Each ISO should have sufficient authority to perform their assigned tasks. While the ISO ultimately reports to the board or senior management, they must also be a trusted employee (or group of employees) who is authorized to make organization-altering decisions on their own. In short, your ISO should be someone you can, and will, trust.

2. Stature within the Organization

Each ISO should have stature within the organization to perform their assigned tasks. In addition to being a trustworthy part of the organization, the ISO should also be a respected part of the organization. The role of the ISO is a position that should be held with esteem. This is a tone that is set from the top. If the board and senior management respect the role of the ISO, the organization's employees will respect it, as well.

3. Knowledge

Each ISO should have knowledge to perform their assigned tasks. The ISO is tasked with oversight of the information security program. This is a broad-scoped topic which requires knowledge of the physical, technical, and administrative functions of the organization. If no one employee has sufficient knowledge to make decisions for each of these areas, it may be wise to consider appointing multiple individuals to fill the organization's ISO role as a committee.


4. Background

Each ISO should have background to perform their assigned tasks. Similar to knowledge, the ISO should have a history that involves information security. An employee can be trustworthy, respectable, and have knowledge of information security, but be lacking a foundation of experience. Information security is an ever-changing field. Appointing an ISO who does not have experience in the field is a risk to the organization's information security.

5. Training

Each ISO should have continued training to perform their assigned tasks. Since the field is ever-changing, it should not be assumed that the ISO has all the training required to perform their duty. As the threat environment changes, as new controls are implemented, as the industry advances, the board and senior management should expect the ISO or members of the ISO team to further their education through training.

6. Independence

Each ISO should have independence to perform their assigned tasks. It would be best to avoid conflicts of interest when selecting an ISO. For example, while knowledge of information technology (IT) is important, the ISO should not be the person responsible for implementing the organization's IT function. For community financial institutions, this is not always practical. So, if your organization finds independence difficult, it may be beneficial to appoint individuals from various departments to fill the organization's ISO role as a committee.

In Summary…

While the FFIEC may not be very prescriptive when it comes to appointing an ISO, by ensuring your organization's ISO is trustworthy, respectable, knowledgeable, experienced, interested in learning, and independent of other functions in the organization, your organization can lay the foundation for an effective information security program.



The FBI, the U.S. Postal Inspection Service, and state and local authorities are investigating more than 60 threatening letters that have been received by financial institutions in Arizona, California, Colorado, Georgia, Illinois, New Jersey, New York, Ohio, Oklahoma, Texas, Virginia, and Washington, D.C. The letters began to be received on Monday, Oct. 20, 2008, and all appear to originate from Texas; all have been postmarked in Amarillo, TX. Most of these letters contain a powder substance with a threatening communication. At this point, field and laboratory tests on the powder have been negative; however, additional testing is taking place.

To see a copy of one of the letters, visit http://www.fbi.gov/page2/oct08/threatletters_102308.html


We came across www.bankwide.com several weeks ago. It appeared to be a growing site designed to provide a platform to share knowledge and resources with the banking community. I began corresponding with Aiden Michaels (the founder and lead developer for bankwide.com) to find out a little more about Bankwide. Below is a response I received from Aiden:

"Bankwide.com is designed to help facilitate discussion between bankers, vendors, consultants and regulators. Its primary goal is to provide an unbiased solution base for common banking problems through "community intelligence". It allows for organic growth and collaboration for anyone involved in the 'ever-changing' financial services industry. Companies such as CoNetrix can benefit by reaching out and helping bankers and credit union personnel, and conversely bankers are exposed to services and solutions that they might not find otherwise. We see it as a win-win situation.

With the explosion of social networking on today's internet, Bankwide felt that this type of collaboration was not only possible; it was needed in today's market. I have always considered the fact that banks share strategic information as an anomaly. HP doesn't share information with IBM! Non-competing banks, however, will gladly open their door to another bank, talk about problems, strategies and more.

Bankwide aims to create this same atmosphere virtually. Imagine thousands of bankers sharing thousands of ideas, documents, solutions and more. With our soon-to-be-released "Bankwide Solutions" we will be able to focus efforts onto specific needs such as penetration testing, remote capture, equity building...the list is virtually unlimited.

We have also decided to keep our membership free. Our advertisers make all of this possible; they agree to burden the cost rather than pass it to bankers who are just looking for help. We are also currently offering a "grandfathering" period for people that sign up for the site before June 1st. Anyone who signs up will be a permanent member of our community. Membership after June 1st may require that you annually have to update your information.

Finally, we are extremely proud of our new "Bankwide Experts". Bankwide has invited several people, including your own Russ Horn, to become community experts. These people have not only demonstrated advanced knowledge in their areas of expertise such as bank technology or compliance, but an outgoing nature and a willingness to share their knowledge. The days of soloing expertise have been replaced with the ability to share knowledge for the greater good."

We wish Aiden and Bankwide.com the best of luck! If you would like to find out more about what Bankwide.com has to offer you, visit their website at www.bankwide.com.