IT Examiner School, Seaside, CA

This is the student handbook for the October 29-November 2, 2018 IT Examiner School held in Seaside, CA.

IT Examiner School Seaside, California October 29 ‐ November 2, 2018

ATTENDEES

California Department of Business Oversight
Delfino Aguilar, delfino.aguilar@dbo.ca.gov
Aileen Barlan-Gaspar, aileen.barlan-gaspar@dbo.ca.gov
Marilyn Davis, marilyn.davis@dbo.ca.gov
Wilton Edwards, wilton.edwards@dbo.ca.gov
John Fernandez, john.fernandez@dbo.ca.gov
Linda Karim, linda.karim@dbo.ca.gov
Kyle Kim, kyle.kim@dbo.ca.gov
Decarlton Kincy, decarlton.kincy@dbo.ca.gov
Kevin Kwak, kevin.kwak@dbo.ca.gov
Curtis Leviton, curtis.leviton@dbo.ca.gov
Kerou Li, kerou.li@dbo.ca.gov
Kevin Lin, kevin.lin@dbo.ca.gov
Mehran Malekaghakhan, mehran.malekaghakhan@dbo.ca.gov
Stephanie McClements, stephanie.mcclements@dbo.ca.gov
Matt Newman, matthew.newman@dbo.ca.gov
Aman Pahwa, aman.pahwa@dbo.ca.gov
Fernando Rico, fernando.rico@dbo.ca.gov
Sean Sisser, sean.sisser@dbo.ca.gov
Stacy Tang, stacy.tang@dbo.ca.gov
Daniel Yi, daniel.yi@dbo.ca.gov

Telephone numbers for the California attendees (extracted as one block; the pairing with individual names did not survive extraction): 415-589-0522, 213-576-7510, 916-322-4191, 916-903-9122, 916-212-6756, 916-767-7883, 213-435-4619, 213-435-0467, 213-817-2755, 213-435-3829, 415-542-6270, 213-247-2647, 213-576-7684, 213-760-4252, 916-327-8348, 916-324-0279, 619-540-6820, 415-263-8518, 213-219-7369, 213-797-2635

Ohio Division of Financial Institutions
JB Brooks, jb.brooks@com.state.oh.us, 614-728-8400

Wyoming Division of Banking
Jackie Kinstler, jackie.kinstler@wyo.gov, 307-777-6481

INSTRUCTORS

North Carolina Office of the Commissioner of Banks
Henry Hallman, ghallman@nccob.gov, 919-733-3016

Pennsylvania Department of Banking and Securities
Chuck Martier, cmartier@pa.gov, 717-783-2251

Utah Department of Financial Institutions
Bill Andrus, wandrus@utah.gov, 801-538-8830

CSBS EDUCATION FOUNDATION STAFF
Kim Chancy, kchancy@csbs.org, 202-802-9554

IT Examiner School Monterey, California October 29 – November 2, 2018

Monday, October 29
1:00 PM   Introduction and Welcome (Bill Andrus, Henry Hallman, Chuck Martier)
2:00 PM   Technology/Network Overview (Chuck Martier)
          During this session there will be a review of core IT infrastructure, key terms and IT systems risks. The session provides an overview of networks and how information is protected, and introduces key concepts for reviewing an entity's network topology.
3:15 PM   Break
3:30 PM   Technology/Network Overview continued
4:30 PM   Adjourn

Tuesday, October 30
8:30 AM   Technology/Network Overview continued
9:30 AM   Break
9:40 AM   Disaster Recovery and Business Continuity (Henry Hallman)
          Key concepts will be introduced regarding disaster recovery and business continuity planning and how to evaluate the adequacy of the program.
10:40 AM  Break
10:50 AM  Audit (Bill Andrus)
          This module covers key topics related to audits, including risk assessment, schedule, scope, engagement, findings, and resolution tracking.
11:45 AM  Lunch
1:00 PM   Audit continued
2:00 PM   Break
2:15 PM   Support and Delivery (Chuck Martier)
          A review of the controls used to mitigate threats and vulnerabilities to a company's operations security.
4:30 PM   Adjourn

Wednesday, October 31
8:30 AM   Payment Systems and E-Banking (Wires) (Henry Hallman)
          This module provides an overview of electronic funds transfers, ACH transactions and wires, the potential risks, and the controls used to mitigate those risks.
9:30 AM   Break
9:40 AM   Payment Systems and E-Banking continued (ACH) (Henry Hallman)
10:50 AM  Break
11:00 AM  Cybersecurity Incident Exercise (Bill Andrus, Henry Hallman, Chuck Martier)
12:00 PM  Lunch
1:00 PM   Management (Chuck Martier)
          This session covers key concepts with respect to laws and regulations, including the Cybersecurity Assessment Tool, corporate account takeover, and identifying red flags. It also focuses on business decisions and their impact on IT.
2:30 PM   Break
2:45 PM   IT Regulations and Guidance (Bill Andrus, Henry Hallman, Chuck Martier)
4:30 PM   Adjourn

Thursday, November 1
8:30 AM   Development and Acquisition (Chuck Martier)
9:50 AM   Break
10:00 AM  Outsourcing Technology Services (Vendor Management) (Bill Andrus)
          This session reviews vendor management for outsourced IT activity and the expected risk governance and due diligence.
11:00 AM  Break
11:10 AM  Developing Comments and Conclusions / Case Study (Bill Andrus, Henry Hallman, Chuck Martier)
          During this session, examiners learn to develop comments and conclusions for use in the Report of Examination.
12:00 PM  Lunch
1:15 PM   Developing Comments and Conclusions / Case Study continued
3:00 PM   Break
3:15 PM   Depository/Non-Depository Breakout
4:30 PM   Adjourn

Friday, November 2
8:00 AM   Emerging Issues (Bill Andrus, Henry Hallman, Chuck Martier)
          This module reviews emerging technologies that have been introduced and their potential risks.
10:00 AM  Course Summary and Key Takeaways (Bill Andrus, Henry Hallman, Chuck Martier)
10:30 AM  Adjourn

CSBS Information Technology Examiner Course

Agenda

• Introduction • Course Objectives • Course Overview

• Importance of IT Examinations • Pre-Course Materials/Activities • Course Expectations • Course Materials • Course Ground Rules

Course Objectives

• Understand basic IT concepts and terminology

• Analyze an entity’s information security program

• Determine what risks may impact the entity

• Provide recommendations for improvement

• Develop conclusion

Course Overview

• Technology/Network Overview

• Develop Comments & Conclusions

• Conducting IT Examinations

• Emerging Technologies

IT Examination Importance

Pre-Course Activity

Course Expectations

Course “Rules”

• Some “ground rules”: – Please be prompt each morning – Please be prompt returning to class after breaks and lunch – Please silence your mobile devices – If you need to take a call, please step outside – If you need to text, please do so silently – Please be considerate of others while they are talking or asking a question

QUESTIONS?

Technology/Network Review

Objectives-Technology Review

• Discuss basic IT Infrastructure • Explore core systems

• Identify the risks associated with technology • Understand how data flows through a network • Review network topologies • Discuss network devices - what they do/how they function

Basic IT Infrastructure

• Core banking • Electronic funds transfer systems (EFTs) • E-banking • Imaging Systems • Wireless Systems/Devices

Core Systems

• Core (banking) systems - the critical systems that provide the basic account management features and information about customers and account holdings • Core systems are either in-house, serviced, or a combination of the two. • For depository institutions and trust companies: The term core processing generally refers to the general ledger, deposits, loans, and trust accounting systems.

Risks Associated with Core Systems

• Loss of support • Improper implementation of updates/releases • Password compromise • Successful social engineering to obtain access • Unauthorized physical access

Electronic Funds Transfer Systems (EFT)

• Automated Teller Machines (ATMs) • Automated Clearinghouse (ACH) Activities • Wire Transfer Systems • Person to Person; Business to Business • Messaging Systems

E-banking

Mobile Banking

Telephone Banking

Internet Banking

What is This????

Tech Bank Network Topology - MPLS (diagram; only the component labels survived extraction)

Components shown: remote dial-up connections from laptops to a RAS server; connection to the ATM switch; connection to the Federal Reserve through a Fedline router and Fedline Advantage; Main Office LAN with the core system, phone banking system, imaging/image capture server, LAN server, audit and administration workstations, hub, IDS sensors, tape backup and UPS; an Internet-facing segment with firewalls, switch, hub, IPS/IDS, and web, e-mail and e-banking servers; routers joining the main office and the Branch Office LAN over a leased phone line; Branch Office LAN with LAN server, hubs, loan application server, backup, laser printers, branch workstations, loan department workstations and back office department workstations; wireless hotspots.

Common Network Terminology
• Packet - the unit into which all network traffic is divided for transmission (at the data-link layer the equivalent unit is a "frame")
• Hub - repeats every packet to all attached ports/segments (unintelligent; every attached device can see all traffic)
• Switch - forwards packets only to the port of the intended destination (intelligent)
• Router - routes packets between networks
• Servers - computers providing network services: applications, data, communications, etc.

Common Terminology (continued)
• Firewall - filters and restricts packets according to a defined rule set
• Intrusion Detection/Prevention System (IDS/IPS) - identifies unauthorized or malicious packets; an IDS only alerts, while an IPS sits in line and can also drop the packet
• Multi-Protocol Label Switching (MPLS) - carrier WAN service that forwards traffic by short labels rather than IP routing lookups; it carries any protocol, so FI sites can be linked as if on one network (note that MPLS itself does not encrypt the traffic)
• Virtual Private Networks (VPNs) - create an encrypted tunnel across an untrusted network (e.g., the Internet) for remote users or site-to-site links

Access Methods
• PCs, laptops, mobile devices, etc.
• Remote log-in (e.g., IT staff, vendors, MSSP, etc.)
• WAN connection - frame relay, leased/dedicated line, MPLS, etc. (across multiple FI sites)
• Internet - from almost anywhere by almost anyone
• World Wide Web - system of interlinked hypertext documents accessed via the Internet
• Wireless - radio, infrared, WiFi, NFC, mobile, etc.
• VPN - creates an encrypted tunnel over an untrusted network

Time for a Video!!!

https://youtu.be/aeGN2WldqY4

Virtual Environment(s) aka VMs
• A virtual machine, aka a "guest", functions like a real computer
• Guests run on a "host" machine that manages the virtual environment(s)
• The hypervisor (Virtual Machine Manager) is the software that creates and operates the virtual machine(s)
• One to several virtual operating systems can run simultaneously on the host machine
• Each guest operating system runs its own applications without interfering with the others

Types of Virtual Environment(s)
• Full Virtualization - almost complete simulation of the actual hardware, so guest software runs unmodified
• Partial Virtualization - some but not all of the target environment's attributes are simulated; some guest programs may require modification to run in such environments

Related infrastructure
• Storage Area Networks (SANs) - a dedicated network of servers and storage devices used to store and protect data across local and wide area networks (not itself a form of virtualization, but commonly the storage behind virtualized servers)

How do businesses use VMs?
• Network Virtualization - combining available resources in a network by splitting the available bandwidth and channels
• Storage Virtualization - pooling physical storage from multiple network storage devices into what appears to be a single storage device, e.g., a SAN
• Server Virtualization - using software (a hypervisor) to divide a physical server into multiple isolated virtual environments
• Desktop Virtualization - the same technique applied to end-user workstations: user desktops run as virtual machines on central servers and are accessed from thin clients or remote devices


The OSI Model Animation

https://www.youtube.com/watch?v=-6Uoku-M6oY

Common Types of Protocols
• Transmission Control Protocol (TCP)
• Internet Protocol (IP)
• Combination - TCP/IP
• Hypertext Transfer Protocol (HTTP)
• File Transfer Protocol (FTP) - transmits credentials and data unencrypted
• Hypertext Transfer Protocol Secure (HTTPS) - HTTP carried over TLS

Types of Firewalls

• What does a firewall do?
  – Restricts packets based on user-defined rules
  – First line of defense, located at the perimeter (and increasingly between internal segments as well)

• Types of Firewalls
  – Packet Filter - stateless; each packet is judged on its own header fields
  – Stateful Inspection - tracks sessions, so only packets belonging to a permitted session are admitted in the return direction
  – Application (Web application) - understands the application protocol, e.g., a web application firewall inspecting HTTP requests
  – Next Generation (Next Gen) - stateful inspection plus application awareness, user identity and integrated intrusion prevention

What is a DMZ?
• A DMZ is a computer network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.
• Also known as a
  – Data Management Zone
  – Demarcation Zone
  – Perimeter Network

What is a DMZ? https://www.youtube.com/watch?v=MEs4RRUrX_0

DMZ Considerations
• DMZ – "De-Militarized Zone"
  – Necessary for any Internet services provided
  – Firewalls (at each end)
  – Hardened servers
  – Backups
  – Monitoring
  – Incident response
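The difference between a packet filter and stateful inspection, and why the DMZ must not be allowed to open sessions inward, is easier to see on packets than on a slide. The following is an added example written for this handbook section; it is not code from the course. The zones (10.0.0.0/8 internal, 192.0.2.0/24 DMZ, everything else Internet), the addresses, the ports and the rule set are constructed assumptions that mirror the slide's layout.

```python
"""Stateless packet filter vs. stateful inspection in front of a DMZ.

Added example for this handbook section; it is not code from the course.
The zones, addresses, ports and rules below are constructed assumptions
that mirror the slide's Internet / DMZ / internal layout.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): RFC 1918 space for the internal
# LAN, a documentation prefix for the DMZ, everything else is "internet".
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag set
    ack: bool = False  # TCP ACK flag set


# Which zone may *initiate* a TCP session to which zone and port.
# Nothing in the DMZ may open a session toward the internal LAN.
ALLOW_NEW = {
    ("internet", "dmz", 443),       # public e-banking over HTTPS
    ("internal", "dmz", 443),       # staff to the DMZ web servers
    ("internal", "internet", 443),  # staff browsing
}


def permitted_new(pkt):
    return (zone_of(pkt.src), zone_of(pkt.dst), pkt.dport) in ALLOW_NEW


def stateless_decision(pkt):
    """Packet filter: no memory of past packets.  Replies to sessions the
    inside opened must be admitted somehow, and the classic rule is
    "allow anything with ACK set".  That is the weakness: an outsider can
    set ACK on a packet that belongs to no session."""
    if permitted_new(pkt):
        return True
    return pkt.ack


class StatefulFirewall:
    """Stateful inspection: remember each permitted session at SYN time
    and admit later packets only if they belong to a remembered session."""

    def __init__(self):
        self.sessions = set()  # (src, sport, dst, dport) of sessions opened

    def decision(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.sessions or reverse in self.sessions:
            return True
        if pkt.syn and not pkt.ack and permitted_new(pkt):
            self.sessions.add(forward)
            return True
        return False


def run_demo():
    """Same five packets through both filters; (stateless, stateful) per case."""
    fw = StatefulFirewall()
    cases = [
        # legitimate outbound HTTPS from a staff workstation, then the reply
        ("client_syn", Packet("10.1.1.20", 40000, "203.0.113.7", 443, syn=True)),
        ("server_reply", Packet("203.0.113.7", 443, "10.1.1.20", 40000, syn=True, ack=True)),
        # outsider probes the core database with ACK set and no session
        ("ack_scan", Packet("198.51.100.9", 55555, "10.0.0.5", 3306, ack=True)),
        # a compromised DMZ web server tries to pivot into the core
        ("dmz_pivot", Packet("192.0.2.10", 51000, "10.0.0.5", 3306, syn=True)),
        # a customer reaching the e-banking server: allowed by both
        ("public_web", Packet("198.51.100.9", 50000, "192.0.2.10", 443, syn=True)),
    ]
    return {name: (stateless_decision(p), fw.decision(p)) for name, p in cases}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:13s} stateless={stateless!s:5s} stateful={stateful}")
```

The "ack_scan" case is the point of the exercise: the stateless filter admits an unsolicited packet to the core database because it trusts the ACK flag, while the stateful firewall rejects it because no session was ever opened. Both correctly refuse the DMZ host's attempt to open a session inward, which is why the slide insists on a firewall at each end of the DMZ.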

Intrusion Detection/Prevention Systems (IDS/IPS)
• Functions include:
  – Monitoring/analyzing user and system activity
  – Analyzing system configurations/vulnerabilities
  – Assessing system and file integrity
  – Ability to recognize patterns of attack
  – Analysis of abnormal activity patterns
  – Tracking user policy violations

IDS/IPS (Cont.) • Host-based - Resides on “host” computers and only detects activity on that host • Network-based - Monitors network traffic on segments of the LAN • Must be maintained, monitored, and updated to be effective • IT Survey has this information

Network Security Assessments • Crucial to determining if networks are safe or have potential for compromise • Two key methods (discussed in Audit): – Network Vulnerability Assessment – Penetration Test • Network scanning (active): – Identify active “hosts” on a network (authorized) – Alerts when unauthorized device is detected
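The active-scanning bullet above (identify the hosts on a network and alert when an unauthorized device appears) is essentially a reconciliation of scan results against an inventory. The following is an added example for this section, not code from the course: the authorized inventory and the scan export are constructed, and the export imitates the "IP, MAC, name" columns that a scanner or an ARP-table dump produces, with inconsistent MAC notation and a header line to be tolerated.

```python
"""Reconcile a network scan against the authorized device inventory.

Added example for this section; not code from the course.  The inventory
and the scan output are constructed; the scan lines imitate the
"IP  MAC  name" columns a scanner or ARP-table export produces.
"""
import re

# Constructed authorized inventory (assumption): MAC -> (expected IP, description).
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": ("192.168.10.23", "branch-ws-07"),
    "00:1a:2b:3c:4d:60": ("192.168.10.5", "loan-app-server"),
    "00:1a:2b:3c:4d:61": ("192.168.10.1", "branch-router"),
    "00:1a:2b:3c:4d:62": ("192.168.10.9", "backup-server"),
}

# Constructed scan export; note the mixed MAC notation and a header line.
SCAN_OUTPUT = """\
IP address      MAC address        Name
192.168.10.1    00-1A-2B-3C-4D-61  branch-router
192.168.10.23   00:1a:2b:3c:4d:5e  branch-ws-07
192.168.10.77   a4:5e:60:11:22:33  (unknown)
192.168.10.6    00:1a:2b:3c:4d:60  loan-app-server
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(raw):
    """Lower-case, colon-separated form so '00-1A-..' and '00:1a:..' compare equal."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def parse_scan(text):
    """Return {mac: ip} for every line carrying an IP and a MAC; other lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            mac = normalize_mac(parts[1])
        except ValueError:
            continue  # header or malformed line
        hosts[mac] = parts[0]
    return hosts


def reconcile(inventory, discovered):
    """Three findings an examiner would ask about: devices not in the inventory,
    inventoried devices answering on a different address, and inventoried
    devices that did not answer at all."""
    unauthorized = sorted((ip, mac) for mac, ip in discovered.items() if mac not in inventory)
    moved = sorted((mac, inventory[mac][0], ip) for mac, ip in discovered.items()
                   if mac in inventory and inventory[mac][0] != ip)
    missing = sorted(mac for mac in inventory if mac not in discovered)
    return {"unauthorized": unauthorized, "moved": moved, "missing": missing}


if __name__ == "__main__":
    findings = reconcile(AUTHORIZED, parse_scan(SCAN_OUTPUT))
    for kind, items in findings.items():
        print(kind, items)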

Malware/Virus
• Malware:
  – Program or file considered harmful
  – Gathers information or takes action without permission
  – Includes viruses, worms, Trojan horses, etc.
• Virus:
  – Code that replicates by attaching itself to other programs or files and being copied along with them
  – May be active immediately or lie dormant
  – May be harmless or destructive
  – Code that spreads on its own across a network without needing a host file (for example, by mailing itself to every address it finds) is referred to as a worm

Malware/Virus (cont.)
• Trojan Horse:
  – Program in which malicious code is hidden inside apparently harmless or legitimate software or data
  – Gives the attacker control of a device or system
  – Can cause a chosen form of damage
  – Does not replicate on its own; it is spread by tricking users into running it, or is redistributed as part of a virus or worm
• Bot:
  – Short for "robot"
  – Program that operates as an agent for someone else
  – Turns infected computers into "zombies"
  – Allows a remote user to use the "zombies" to attack other computers

Malware/Virus (cont.)
• Financial entities can use:
  – Single or multiple vendor solutions
  – All FI devices should have anti-malware software, which should be run on a "regular" basis
  – Workstation and server files should be backed up for restoration if current files get infected
  – Written policies and procedures for malware protection, scanning, and updating activities
  – Incident response in case of "infection"

VPN (example)

Technology State Bank Network Topology (diagram; only the component labels survived extraction)

Components shown: remote dial-up connections from laptops with modems to a RAS server; 3rd party network support connection; an ATM connected via modem; connection to the ATM switch; connection to the Federal Reserve through FedLine; VPN endpoints at the main office and the branch; Main Office LAN with the mainframe, phone banking system, proof/capture imaging server, LAN server, audit and administration workstations, hubs, IDS sensors, tape backup and UPS; an Internet-facing segment with firewalls, switch, hub, and web, e-mail and e-banking servers; routers joining the main office and the Branch Office LAN over a leased phone line; Branch Office LAN with LAN server, hubs, loan application server, modems, laser printers, branch workstations, deposit department workstations and loan department workstations.

VPN
• Provides security by carrying traffic inside a "tunnel" protocol (e.g., IPsec or SSL/TLS) that encrypts it
• Confidentiality, so that an attacker who "sniffs" network traffic at the packet level cannot read it
• Authentication, to prevent unauthorized users or devices from connecting to the VPN
• Message integrity, to detect any instance of tampering

Encryption
• Process for scrambling a message or data
  – In transit
  – At rest
• Prevents anyone other than authorized users (the holders of the key) from viewing the messages or data
• Uses a defined set of "keys" to encrypt and decrypt information; protecting those keys matters as much as the algorithm
• Some states require confidential information to be encrypted
• The FFIEC IT Security Handbook has a section on encryption
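The three VPN properties above (confidentiality, authentication, integrity) come from two different keyed operations, and the order in which a receiver applies them matters. The following is an added example for the VPN and Encryption slides, written for this handbook; it is not code from the course and is not a real VPN protocol. It uses only the Python standard library: a keystream derived with HMAC-SHA256 stands in for the cipher, and a second HMAC-SHA256 over the nonce and ciphertext is the integrity/authentication tag (encrypt-then-MAC). The shared secret and the message are constructed. Real tunnels (IPsec, TLS) use an authenticated cipher such as AES-GCM for the same purpose.

```python
"""Confidentiality + integrity + authentication of a tunneled message.

Added example for the VPN and Encryption slides; not code from the course
and not a real VPN protocol.  Standard library only: an HMAC-SHA256
counter-mode keystream stands in for the cipher, and a second HMAC-SHA256
over nonce || ciphertext is the tag (encrypt-then-MAC).  The shared secret
and the message are constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def derive_keys(shared_secret):
    """Separate keys for encryption and for the MAC, derived from one secret."""
    enc_key = hmac.new(shared_secret, b"vpn-enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"vpn-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """Counter-mode keystream; a (key, nonce) pair must never be reused."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(shared_secret, plaintext, nonce=None):
    """Return nonce || ciphertext || tag.  The tag covers nonce and ciphertext."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_packet(shared_secret, packet):
    """Verify the tag first, then decrypt.  A flipped bit, a truncated packet,
    or a packet sealed under a different secret all fail here."""
    enc_key, mac_key = derive_keys(shared_secret)
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    nonce = packet[:NONCE_LEN]
    ciphertext = packet[NONCE_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: tampered packet or wrong key")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo():
    secret = b"constructed-shared-secret"  # in practice negotiated by IKE or TLS
    message = b"WIRE 000123 USD 250000.00 to 0987654321"
    packet = seal(secret, message)

    tampered = bytearray(packet)
    tampered[NONCE_LEN + 5] ^= 0x01  # flip one bit inside the ciphertext

    results = {
        "roundtrip": open_packet(secret, packet) == message,
        "hides_plaintext": message not in packet,
    }
    for name, key, pkt in (("tamper_detected", secret, bytes(tampered)),
                           ("wrong_key_detected", b"some-other-secret", packet)):
        try:
            open_packet(key, pkt)
            results[name] = False
        except ValueError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real tunnel: the tag is checked with a constant-time comparison before a single byte is decrypted, and the nonce is part of what the tag covers, so an attacker cannot splice a valid tag onto a different packet. The same secret also provides authentication: a peer that does not hold it cannot produce a tag the receiver accepts.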

Wireless
• Current Wi-Fi security protocols (least to most secure)
  – Wired Equivalent Privacy (WEP) - broken; keys can be recovered from captured traffic
  – Wireless Application Protocol (WAP) - appears in some lists but is a mobile content-delivery protocol, not a wireless LAN security protocol, and does not belong in this ranking
  – Wi-Fi Protected Access (WPA) - interim replacement for WEP that still relies on RC4 (TKIP)
  – Wi-Fi Protected Access 2 (WPA2) - AES-based (CCMP); the minimum an examiner should expect to see
• If a financial entity is using wireless, it should be using the most secure protocol available (WPA2 at the time of this course; WPA3 was published in 2018 and should be adopted as equipment supports it), with strong passphrases or 802.1X authentication

Benefits/Risks of Wireless Technology • Benefits: – Low cost – Ease of use – Widespread use • Risks:

– Unauthorized access to the network – Improper wireless configurations

System Monitoring • System monitoring should include:

– System usage, capacity, and performance – Data traffic - peak usage and type of traffic – Auditing tools, e.g. employee access and from where, and access denials
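The "auditing tools" bullet above (who logged in, from where, and which accesses were denied) is where most SIEM detection content comes from. The following is an added example for this slide, not code from the course: it runs two detections over constructed authentication log lines. The key=value log format, the assumption that timestamps are UTC, that 10.0.0.0/8 is the institution's internal LAN and that 08:00-18:00 is the business day are all constructed for the example; real logs need a per-product parser.

```python
"""Two detections a SIEM would run over authentication logs.

Added example for the System Monitoring slide; not code from the course.
The log lines are constructed in a simple 'key=value' form (assumption):
timestamps are UTC, 10.0.0.0/8 is the institution's internal LAN, and
08:00-18:00 is the business day.  Real logs need a per-product parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2018-10-30T09:02:11Z user=jsmith src=10.1.1.20 result=OK
2018-10-30T02:10:05Z user=tjones src=203.0.113.44 result=FAIL
2018-10-30T02:10:41Z user=tjones src=203.0.113.44 result=FAIL
2018-10-30T02:11:19Z user=tjones src=203.0.113.44 result=FAIL
2018-10-30T02:12:02Z user=tjones src=203.0.113.44 result=FAIL
2018-10-30T02:13:30Z user=tjones src=203.0.113.44 result=FAIL
2018-10-30T02:15:07Z user=tjones src=203.0.113.44 result=OK
2018-10-30T10:30:00Z user=mdavis src=198.51.100.7 result=FAIL
2018-10-30T10:30:20Z user=mdavis src=198.51.100.7 result=OK
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(text):
    """(timestamp, user, src, result) tuples in time order; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)


def is_internal(src):
    return src.startswith("10.")


def detect(events, threshold=5, window=timedelta(minutes=10), business_hours=(8, 18)):
    """Rule 1: at least `threshold` failures from one source inside `window`,
    followed by a success from that source (password guessing that worked).
    Rule 2: a successful login from outside the LAN outside business hours."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failures
    for ts, user, src, result in events:
        if result == "FAIL":
            failures[src].append(ts)
            continue
        recent = [t for t in failures[src] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append(("BRUTE_FORCE_SUCCESS", user, src, ts))
        failures[src] = []  # a success resets the counter for that source
        if not is_internal(src) and not (business_hours[0] <= ts.hour < business_hours[1]):
            alerts.append(("OFF_HOURS_EXTERNAL_LOGIN", user, src, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG)):
        print(*alert)
```

The per-source counter is deliberately simple; a distributed attack that spreads guesses across many source addresses evades it, so a production rule also counts failures per target account. The two rules illustrate why the slide lists both "where from" and "access denials": neither the denials alone nor the successful login alone is an alert, the sequence is.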

System Monitoring (cont.)
• System monitoring should include:
  – Security Information and Event Management (SIEM) - centralizes logs from many systems and correlates events into alerts
  – File Integrity Monitoring - detects changes to critical system and configuration files against a known-good baseline
  – Vulnerability Management
  – Security Configuration Management - automates hardening of devices, etc.
  – IDS/IPS
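File Integrity Monitoring, listed above and also among the host-based IDS functions earlier ("assessing system and file integrity"), is a baseline-and-compare operation. The following is an added example for this slide, written for this handbook and not code from the course. The monitored tree and its files are constructed in a temporary directory so it runs anywhere; the baseline is kept in memory here, whereas a real deployment stores it off the monitored host so that whoever alters the files cannot also alter the baseline.

```python
"""File integrity monitoring: baseline, re-scan, report what changed.

Added example for the System Monitoring slide; it also illustrates the
host-based IDS function "assessing system and file integrity".  Not code
from the course.  The monitored tree is constructed in a temporary
directory; the baseline is held in memory here, whereas a real deployment
stores it off-host.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """{relative posix path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline, current):
    """Modified, added and removed paths between two snapshots."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF stand-in for a binary")
        baseline = snapshot(root)  # taken on a known-good system

        # Constructed changes an examiner would expect FIM to surface:
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # config weakened
        (root / "bin" / "ls").unlink()                                       # binary removed
        (root / "etc" / "cron.d" / "unexpected").write_text("* * * * * root /tmp/x\n")  # new job

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The unchanged file (etc/passwd) produces no finding, which is what keeps the report reviewable; the value of the control depends on scoping the baseline to files that should not change between authorized maintenance windows and on reconciling every finding against the change-management record.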

Risks Associated with Technology

Unauthorized access is the #1 Risk

Key Examination Points • Determine the following: – Adequacy of network assessments – Administration of network security devices – Remote user access - employees and vendors – Where sensitive data is stored and how transported within the network – Protection of data when it moves or is stored in the network

Module Key Points • Institutions use IT to:

– Perform core processing – Conduct payment systems activities – Offer E-banking services – Provide support for internal users • IT examinations – consist of reviews of both technology & bank operations. • Networks require appropriate security – Virus/Malware/Spyware protection – Segregation of key segments, e.g. DMZ; Remote access, e.g. VPN, etc. – Data encryption as per risk assessment & data classification(s)

Module Key Points (cont.)
• Vulnerability assessments and penetration tests should be performed at least annually
• Networks handle key functions within an FI
  – Used for daily IT activities, e.g., email, etc.
  – Store customer/FI data, e.g., databases, etc.
  – Link the FI with its core processor
  – Provide access to various applications, e.g., Word, Excel, etc.
• Topologies take many forms and some are more complex than others
• If you need assistance, contact an IT Specialist

Business Continuity Planning, Disaster Recovery, and Pandemic Planning

Objectives

• Evaluate the adequacy of an institution’s Disaster Recovery and Business Continuity Planning (DR/BCP) processes.

• Discuss typical steps taken by management to develop an institution’s DR/BCP program

• Identify and discuss various testing methodologies.

• Discuss interconnectivity and interdependencies between involved parties.

• Discuss Pandemic and Incident Response Planning

Key Terms • Disaster Recovery Planning – (DRP)

• Business Continuity Planning – (BCP)

• Emergency Preparedness Planning

• Business Impact Analysis – (BIA)

• Recovery Time Objectives – (RTO)

• Recovery Point Objectives – (RPO)

DR and BC Program Functions Lifecycle

Executive Management Support

Compliance and Audit Oversight

Risk Assessment and BIA

Testing and Maintenance of the plan

Alignment of Objectives with RTOs and RPOs

Plan Customization and Implementations

Employee Training and Awareness

Business Continuity and Disaster Recovery Planning Steps

Create a framework for the plan

Conduct a Business Impact Analysis (BIA) and Risk Assessment

Identify risk management strategies

Conduct risk monitoring and testing

Administer the plan

Create a Framework

General Information
• Goals and objectives
• Plan scope and assumptions
• Disaster recovery team organization chart

Detailed/Specific Information
• Details for declaring a disaster, including delegating authority
• Business impact analysis and risk assessment
• Risk management strategies and plan administration

Conduct a Business Impact Analysis (BIA) and Risk Assessment

• A BIA identifies the potential impact of business disruptions. It should:

o Prioritize all business functions and operations, not just IT.

o Determine the maximum tolerable downtime for each function (recovery time objectives), minimum levels of service, and maximum tolerable financial losses.

o Establish the maximum tolerable data loss for each function (recovery point objectives), which in turn sets the minimum frequency at which backups must be taken.

• A BIA should be developed based on goals for recovery based on customer expectations and operational needs, not on how rapidly or slowly recovery would actually take place.

Risk Assessment Considerations

• Location in a flood plain, hurricane/tornado/earthquake- prone area.

• Proximity to critical infrastructure, including power and telecommunication sources, transportation hubs.

• Services provided by the institution.

Identify Risk Management Strategies

• Develop processes to minimize disruptions of service to the institution’s customers and operations.

• Provide employee training.

• Ensure plans and agreements are in place with vendors.

Risk Management Strategies to Minimize Service Disruptions

• Identify an alternative or back-up site and/or subscribe to a disaster recovery service

• Detail backup and off-site storage procedures

• List applications to be brought up in given timeframes

• Ensure that sufficient resources are available to meet the timeframes

• Identify procedures for how the institution will exchange information with service providers and third parties from the backup location


Provide Employee Training

• Conduct employee training at enterprise-wide level and business unit level

• Teach all employees about responsibilities and procedures to follow during and after recovery

• Include periodic simulation exercises for key employees

• Ensure that training is regularly scheduled and updated to address operational changes

Vendor Agreements

• Review the vendor’s plan to ensure that critical services can be restored within acceptable timeframes

• Establish provisions that address the vendor’s responsibility for maintaining and testing plans

• Ensure that the institution has identified how to adjust internal procedures if the vendor invokes its plan

Conduct Risk Monitoring

Test the plans to ensure they are viable. Tests should:

• Be commensurate with system complexity and criticality

• Involve audit/independent review personnel

• Include appropriate institution personnel to ensure they are familiar with the disaster recovery procedures

• Be conducted at least annually or more often if significant changes occur

• Be reported to the Board and Senior Management

• Be sufficiently documented

Testing Strategies

• Staffing – Demonstrate staff’s ability to support business processes, communication, and reconciliation of transactions.

• Technology – Data, systems, applications, network, and telecommunications necessary for supporting business activities.

• Facilities – Environmental controls, workspace recovery, and physical security.

Testing Methods

• Tabletop Exercise/Structured Walk-Through Test

• Walk-Through Drill/Simulation Test

• Functional Drill/Parallel Test

• Full-Interruption/Full-Scale Test

Administer the Plan

As a result of risk monitoring, management should update their BIA, BCP, and DRP.

What other triggers would require the plan to be updated?

Pandemic Planning

• Two significant repercussions of a pandemic are:

– Greatly reduces the number of available personnel to perform tasks, and the potential that the personnel may not be sufficiently trained to maintain operations.

– Limitation of direct access to facilities due to quarantine or minimization of contact to prevent spread of illness.

• Guidance for bankers can be found in FIL-6-2008, Interagency Statement on Pandemic Planning: Guidance for Minimizing a Pandemic's Potential Adverse Effects.

Incident Response Plan - Procedures

At a minimum an incident response program should contain procedures for the following:

• Assess the nature and scope of an incident, identify what customer information systems and types of customer information have been accessed or misused.

• Notify primary Federal regulator.

• File Suspicious Activity Report ("SAR") as required.

• Take appropriate steps to contain and control the incident to prevent further unauthorized access.

• Notify customers when warranted.

Incident Response Plan - Components

Communication Paths – Employees and Customers

Senior Leadership Involvement

Responsibilities and Duties

Recovery Strategies: Critical Systems, Apps, and Data

Process to Classify, Log, and Track Incidents

Escalation Procedures

Response and Recovery

Address Incidents at Third-Parties

Periodic Testing

Tabletop Exercise!

1. What activities must be executed to resolve this incident?
2. Identify the roles/teams that will be involved during this incident.
3. Identify the plans and procedures that should be used during this incident.
4. What pieces of information are key to resolving this event?
5. Other concerns?

InTREx DR/BCP Procedures


Key Points

• The primary goals of disaster recovery and business continuity plans are to:

– Protect personnel and customers

– Minimize damage to resources

– Resume operations as quickly as possible in an orderly, preplanned manner

• Items identified as critical on the disaster recovery plan should be consistent with the BIA and risk assessment

Key Points (continued)

• To assess the adequacy and effectiveness of an institution's plan, assess:

Management Support

Risk Management Strategies

Business Impact Analysis

Risk Monitoring/Testing

Backup Location

Training

Update the Plan

Objectives

• Provide tools to assess the effectiveness of the IT Audit Program

• Types of IT Audits/Reviews

• IT Auditor Expertise

• IT Audit Component Rating

Audit/Independent Review

• Performed by independent personnel • Conducted by knowledgeable individuals • Based on risk assessment/complexity • Findings/recommendations are documented • Results are reported to the Board/Committee • Conducted separately or all at once • IT scope & frequency based on inherent or residual risk

FFIEC specifies that high risk areas should be audited/reviewed at least annually.

Assessment Areas for IT Audits

The following areas should be assessed for the IT Audit Program: • Audit risk assessment, plan and scope • Appropriate coverage of the entity’s IT environment and IT activities • Quality of written IT reports • Audit independence • IT auditor qualifications • IT findings and recommendations reporting and follow-up

Guidance for IT Audit

• FFIEC IT Examination Audit Handbook

• Federal Agency Rules and Regulations

– Interagency Policy Statement on the Internal Audit Function and its Outsourcing – Interagency Policy Statement on External Auditing Program of Banks and Savings Associations – Interagency Guidelines Establishing Standards for Safety and Soundness – Interagency Guidelines Establishing Information Security Standards (GLBA)

• Information Systems Audit and Control Association (ISACA)

IT Audit Engagement

• Should be engaged by and signed by an individual or committee that is not responsible for IT operations. – Preferably be signed by a member of the Board or Audit Committee.

• Expectations and responsibilities for both parties

• The scope, timeframes, and cost of work to be performed by the outside auditor

• Institution access to audit workpapers

Review the engagement letters for any current outsourced IT audits. Refer to the Interagency Policy Statement on the Internal Audit Function and its Outsourcing for provisions typically included in engagement letters.

IT Audit Risk Assessment and Scope

• Identifies the items/areas to be reviewed - consistent with risk assessment including risk level • Describes how the audit/review will be performed and tools to be used • Provides the timeframe for completing the audit/review

Firms may also provide an engagement letter specifying this information (including costs)

IT Audit Coverage

• IT General Controls • Information Security Program • Wire Transfers • ACH (controls and NACHA Compliance Audit) • Remote Deposit Capture

• Compliance with safeguarding customer information guidelines • Regulation GG/Unlawful Internet Gambling Enforcement Act * • Identity Theft Red Flags Program* • Penetration Testing and Vulnerability Assessment

*If applicable to the financial institution.

IT Audit Coverage

• Information Security, including compliance with the Interagency Guidelines Establishing Information Security Standards • Incident Response • Cybersecurity • Network Architecture, including firewalls and intrusion detection/prevention systems (IDS/IPS) • Security Monitoring, including logging practices

• Change Management • Patch Management • Third-party Outsourcing • Social Engineering

• Funds Transfer • Online Banking • Business Continuity Planning

Written IT Audit Reports

• Describe the scope and objectives • Identifies the deficiencies/weaknesses – Should be by significant issues • Suggests corrective action(s) • Include management’s response/timing for corrective action(s) • Provides information on prior audit findings – Identifies any repeat findings • Complies with the audit plan and schedule – Was this audit performed as scheduled?

Types of IT Audits

• Internal Audits/Certifications
• IT General Controls
• Penetration Tests
• Vulnerability Assessments
• Statement on Standards for Attestation Engagements (SSAE 18) reports

IT General Controls (ITGC)

The most common ITGCs: • Logical access controls over infrastructure, applications, and data • System development life cycle controls • Program change management controls • Data center physical controls • System and data back-up and recovery controls • Computer operation controls

ITGC audits should be performed annually

Wire Transfer/ACH Audits

• These services are critical to many financial entities

• Usually included in the ITGC audit – particularly in small to medium community banks, CUs, and MTs

• Can be a separate audit – typically in financial entities with significant wire/ACH activity (of any size), and usually in large community financial entities

Vulnerability Assessment vs Penetration Tests

High-level comparison:

• Vulnerability Assessments- identify where facilities or networks are at risk

• Penetration Tests- subject a network(s) to “real life” cyber events internally and externally

Both should be performed, at least, annually.

Note: Some audit firms refer to the above as internal and external network. *Refer to the scope of the test.

Vulnerability Assessments Testing:

• Requires specific skills/knowledge
• The assessment team tries to find weak points
• The tools used simulate a variety of attacks
• Results are used in penetration testing for potential exploitation

Basic vulnerability assessment analogy:
• Checking building windows and doors to see if they are secured
• Checking whether the building is susceptible to other events, e.g. natural catastrophes

Vulnerability Assessment vs. Risk Assessment

• Cataloging assets and capabilities (resources) in a system • Assigning quantifiable value and importance to a resource • Identifying the vulnerability or potential threat(s) to each resource • Assist in mitigating or eliminating vulnerabilities for key resources

Entity will sometimes use vulnerability assessment to aid in completing the risk assessment process

Penetration Test (Pen Test)

Pen Test “tests” a system to find and exploit known vulnerabilities that an attacker could exploit

• Determine if there are weaknesses and if able to access system functionality and data • Are intrusive as actual “attack” tools are used • Require a high degree of skill to perform • Require management’s knowledge & consent • Pen Test report will describe any weaknesses as “high”, “medium” or “low”

Pen Test Strategies

• Targeted Testing - performed jointly by the entity's IT team and the external testing team, with both aware of the test (a "lights-on" approach)

• External Testing - targets externally visible servers or devices (seen by anybody on Internet) to see if they can get into internal systems and how far

• Internal Testing - mimics an insider attack by an authorized user with standard access privileges (what can happen with a disgruntled employee)

Pen Test Value

• Ascertain the likelihood of gaining system access • Likelihood of exploiting a low risk vulnerability to gain higher level access • Detecting vulnerabilities not easily found using standard system protective means • Measure of risk for a cyber attack • List of vulnerabilities needing patching • Ability of current security methods to detect or repel an attack • Additional efforts needed to protect the network(s)/system(s)

Service Organization Control (SOC) Reports

There are two types of Service Organization Control (SOC) reports:
• Type I
– The servicer’s description of its controls as of a specific point in time
– The auditor evaluates the description and the design of the controls but does not test whether the controls operated; the opinion covers presentation and design only, based on the servicer’s account of its controls
• Type II (preferred)
– Includes everything in a Type I report
– Detailed testing of the servicer’s controls over a review period (a minimum of six consecutive months)
– The auditor expresses an opinion on operating effectiveness based on that testing

Service Organization Control (SOC) Reports - Report Contents

(Information from SSAE16.com)

Report Contents                                                           Type I     Type II
Independent service auditor’s report (e.g. opinion)                       Included   Included
Service organization’s description of system (including controls)        Included   Included
Information provided by the independent service auditor; includes a
  description of the service auditor’s tests of operating effectiveness
  and the results of those tests                                          Optional   Included
Other information provided by the service organization
  (e.g. glossary of terms)                                                Optional   Included

Statement on Standards for Attestation Engagements SSAE 18

• Statement on Standards for Attestation Engagements Number 18 (SSAE 18)
– Replaced SSAE 16, which had itself replaced the earlier SAS 70

• Authoritative guidance for service organization reports for periods ending on or after May 1, 2017

• The US (AICPA) standard for reporting on a service organization’s controls; ISAE 3402 is the international counterpart

• Financial entities should request the SSAE 18 (SOC) report from their IT servicers as part of vendor management (covered in the Management Module)

Audit Reporting/Follow-up

Similar to Safety & Soundness:

• IT Audit reporting channels- what is being reported and to whom

• Senior Management Responses - are they reasonable, and is the corrective timeframe appropriate?

• Exception Tracking - shows all IT audit findings (internal, external and regulatory) along with the corrective action(s) taken

Auditor Independence & Qualifications

Independence:
• Whether or not there are conflicting duties, e.g. the auditor audits areas for which they have responsibilities or oversight
• The auditor should report to the Board or Audit Committee, not to the management being audited
• Whether or not the auditor has a debt with the entity (a loan from the institution may influence the auditor)

Qualifications:
• Type of IT experience and training
– Some IT audits require specific skill sets
• Current IT certifications the auditor maintains
– Various known organizations, e.g. ISACA, Microsoft, Cisco, etc. provide specialized certificates and/or training
• List of references from entities with similar IT activities

These qualifications provide some assurance, but do not guarantee a quality audit.

IT Audit Review

Audit Reports should have:

• Audit scope and objectives

• Pertinent areas for improvement based on results of testing

• Reasonable and appropriate recommendations

• Findings and observations consistent with your examination results

Audit Report Review

Signs of a questionable audit:

• Be wary of auditors who rely solely on checklists

• Using only regulatory workprograms is not an audit

• Absence or lack of workpapers could indicate a poorly performed audit
– Especially if there are no workpapers showing how IT general controls (ITGCs) were reviewed/tested

Audit Findings Tracking and Resolution

• A formal tracking system that assigns responsibility and a target date for resolution
• Timely and formal status reporting
• Tracking and reporting of changes in target dates or proposed corrective actions to the Board or Audit Committee
• A process to ensure findings are resolved
• Independent validation to assess the effectiveness of corrective measures

Issues and corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner.

Auditor Interview

Areas to focus on with auditor interview (if still not satisfied with workpapers):

• Knowledge of the IT environment and its risks
• Understanding of the systems they are reviewing
• Understanding of the basic controls of those systems
• Verify training and/or certifications (as necessary) - certifications require specific training and a number of continuing-education hours per year (usually 40)
• Why the auditor used a checklist or FFIEC IT work-program when the audit work did not fit the entity’s activity

InTREx PROCEDURES

InTREx - Audit

Compliance

What alternatives are available to management if compliance with the audit schedule is not achieved?

• Hire additional resources

• Contract for additional audit support

• Provide internal resources for the audit team
– Knowledgeable individuals
– Familiar with the area
– Not involved in the day-to-day activities being audited

Infrequent, poorly prepared or incomplete audit reports diminish management’s ability to properly oversee IT activities.

Audit Component Rating

Areas to focus on when rating IT Audit component adequacy:
• Independence and quality of oversight
• Audit risk analysis methodology and resources applied to IT Audit
• Scope, frequency, accuracy, and timeliness of audit reports
• Extent of audit participation in the SDLC to ensure effective internal controls and audit trails
• Audit plan’s coverage of IT risks

Audit Component Rating

Areas to focus on when rating IT Audit component adequacy (cont.):
• IT auditor’s adherence to a code of ethics and professional standards
• Qualifications of the IT auditor and the staff performing the work, including their certifications
• Timely and formal follow-up and reporting on management’s resolution of identified issues or weaknesses
• Quality and effectiveness of internal and external audit activity related to IT controls

Conclusion

• Learned the basics for IT Audit and reviews
• Minimum scope in the risk focused examination process - must review the entity’s audit program
• If the audit program is deficient or lacking
– No need to dig deeper
– Describe the deficiencies and record them in your workpapers
– Notify the Safety & Soundness EIC
• If the audit program is satisfactory
– Can risk focus areas recently audited

Support and Delivery

Information Security/Operations - Objective

Assess the effectiveness of an institution’s operations security and risk management practices

• Quality of processes and programs monitoring capacity and performance
• Adequacy of data controls
• Adequacy of controls, and the ability to monitor controls, at service providers
• Quality of physical and logical security
• Adequacy of firewalls and security of external connections

Information Security/IT Operations

IT Operations

Oversight and Support

• Adequacy of resources
• Technology support
• Employee training
• Problem resolution

Information Security/IT Operations

IT Operations

Operational Risks and Controls
• Monitoring tools
o System problems/capacity
o Error handling
• Disposal of equipment/media
• Master file maintenance/changes
• Supervisory reviews
o Dual controls
o Separation of duties

Information Security - Security Monitoring

• Networks • Systems • Applications

Access

• Authorized and Unauthorized

Information Security

Detection/prevention
• Removal of data/loss prevention
• Unauthorized software/devices

Adequacy/frequency

• Vulnerability assessment • Penetration tests

Information Security - Adequacy of managing

• Network security devices
o Firewalls
o IDS
o VPN
o Wireless – configuration/monitoring
• Log monitoring programs
o Automated tools
– Security monitoring tools
– Policy enforcement
– Reporting of exceptions (mgmt./committee/board)

Information Security Program Management

An effective information security program includes: • Risk identification • Risk measurement • Risk mitigation • Risk monitoring and reporting

Information Security - Risk Identification

• Threat - any person, event or failure that could exploit a weakness: a natural occurrence, a technology or physical failure, or a human actor (malicious or careless)
– Threat identification is conducted in the risk assessment process
• Vulnerability - a weakness in an information system, system security procedure, internal control, or implementation that could be exploited by a threat source
• Supervision of Cybersecurity Risk and Resources for Cybersecurity Preparedness

Information Security - Risk Measurement

• Develop risk measurement processes that evaluate the inherent risks.

• Determine the risk associated with different threats.

• Measure the risks to guide recommendations for and use of mitigating controls.

Information Security - Risk Mitigation

• Policies and Procedures • Control Types/implementation • Inventory and Classification of Assets • User Security Controls • Physical Security • Change Management Within IT Environment • End-of-Life Management

• Application Security • Database Security • Encryption • Log Management • Malware Mitigation

Information Security – Policies and Procedures

Board approved written policies (required by GLBA)
• Address key areas such as personnel, physical and logical security, change management, strategic planning, and business continuity.
• Depth and coverage of IT operations policies will vary based on institution size and complexity.

Procedures describe the processes used to meet the requirements of the institution’s IT policies.
• Do not need to be formally Board approved.
• Written for consistency and continuity.
• Regularly updated as processes, systems, and threats change.

Layered Security

• Layered security, also known as layered defense or defense in depth, describes the practice of combining multiple mitigating security controls (preventive, detective, and corrective) to protect resources and data.

• Each additional independent layer reduces the chance that the failure or bypass of a single control exposes the resource; layers that share the same weakness (e.g. two controls that both trust the same credential) add little protection.

Controls

What are three common types of controls?

Technical (or Logical) Controls

Physical Controls

Administrative Controls

Technical Controls

Technical (or logical) controls involve hardware and application or OS software.

• Access controls/logical access controls
• System configuration/hardening standards (minimize the probability of exploitation of known or unknown vulnerabilities)
• Firewalls
• Anti-spyware/malware
• Encryption

Physical Controls

Protect against environmental, human, and systemic threats.
• Inventory logs
• Restricting access to areas or data

Additional physical controls include:
• Implementing dual controls
• Adequate redundancy for systems
• Adequate distance between the primary processing facility and the backup data and alternate processing facility
• Physical controls over removable media

Physical Controls

• Computer room
o Access
o Alarms
o HVAC
o Sufficient UPS/generators
o Fire suppression
o Security cameras
o Environmental sensors
• Telecommunication closet
• Facilities

Administrative Controls

Support the classic management responsibilities of planning, directing, and organizing.

Organizational structure controls include: • Having separation/segregation of duties. • Implementing independent monitoring. • Having qualified personnel.

Control Applications

Different stages of control include:

• Preventative

• Detective

• Corrective

User Access Rights

• Process – add, delete, change access rights
• Remove/restrict access (AD – Active Directory)
• Periodic reviews/re-approval based on changes (promotion, demotion, job function)
• Assignment of user rights (based on job function)
• Time of day/day of week restrictions
• Prohibit shared privileged access by multiple users
• Authentication based on user profile
• Logging/review of privileged access (administrator access)

Authentication Controls

Passwords
• Complexity
• Expiration period
• Re-use/history
• Failed login settings
• Automatic timeout
• Screen saver passwords
• Reset procedures
• Use of tokens/biometric solutions
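The password controls listed above (complexity, expiration, re-use/history and failed-login lockout) are easier to examine when you can see how an application enforces them. The following is an added illustration, not code from the handbook or from any institution's system; the thresholds (12 characters, 90-day expiry, last 5 passwords, 5 failures, 15-minute lockout) and the account record layout are assumptions chosen for the example. Note that the history check has to verify the candidate against each stored hash, because salted hashes cannot simply be compared to each other.

```python
"""Password policy enforcement: complexity, expiry, reuse history and lockout.

Added example, not code from the handbook. All thresholds and the account
record layout are assumptions chosen for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 12                      # assumed policy values
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5                    # current password plus the previous four
MAX_FAILURES = 5
LOCKOUT = timedelta(minutes=15)


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 from the standard library; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def complexity_errors(password: str) -> list[str]:
    """Return every complexity rule the candidate violates (empty list = acceptable)."""
    rules = {
        f"at least {MIN_LENGTH} characters": len(password) >= MIN_LENGTH,
        "an upper-case letter": re.search(r"[A-Z]", password) is not None,
        "a lower-case letter": re.search(r"[a-z]", password) is not None,
        "a digit": re.search(r"\d", password) is not None,
        "a symbol": re.search(r"[^A-Za-z0-9]", password) is not None,
    }
    return [f"needs {name}" for name, ok in rules.items() if not ok]


class Account:
    """Minimal user record: current hash, hash history, expiry and lockout state."""

    def __init__(self, username: str, password: str, now: datetime):
        self.username = username
        self.history: list[tuple[bytes, bytes]] = []   # previous (salt, digest) pairs
        self.failures = 0
        self.locked_until: datetime | None = None
        self.changed_at = now
        self.salt, self.digest = hash_password(password)

    def password_expired(self, now: datetime) -> bool:
        return now - self.changed_at > MAX_AGE

    def change_password(self, new: str, now: datetime) -> list[str]:
        """Apply complexity and history rules; return the list of violations."""
        errors = complexity_errors(new)
        if self.username.lower() in new.lower():
            errors.append("must not contain the username")
        # Reuse check: verify the candidate against the current hash and every
        # retained previous hash (each entry carries its own salt).
        for salt, digest in [(self.salt, self.digest)] + self.history:
            if verify(new, salt, digest):
                errors.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
                break
        if errors:
            return errors
        self.history = ([(self.salt, self.digest)] + self.history)[:HISTORY_DEPTH - 1]
        self.salt, self.digest = hash_password(new)
        self.changed_at = now
        return []

    def login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'locked', 'expired' or 'bad_password'."""
        if self.locked_until and now < self.locked_until:
            return "locked"
        if not verify(password, self.salt, self.digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT   # temporary lockout, expires on its own
                self.failures = 0
            return "bad_password"
        self.failures = 0
        return "expired" if self.password_expired(now) else "ok"
```

When reviewing an institution's settings, the examiner's questions map directly onto the constants at the top: how long the lockout lasts, how many prior passwords are retained, and whether an expired password still permits a login (here it is reported so the application can force a change).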

Corruption of Data

Virus/Malware detection practices • Frequency/scope of scans • Updates to detection applications

Automated tools to filter • Email • Web traffic

Separation of Duties

Principal concept of separation of duties: no single individual should be able to initiate, approve and record a sensitive transaction, or hold a combination of rights that lets them both commit and conceal an error or fraud.

Potential control mechanisms include:
• Principle of least privilege

• Rotation of duties

• Independent review

• Dual review
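The separation of duties concept above and the User Access Rights slide (assignment of rights by job function, dual control, periodic re-approval) can be expressed as a small access model. This is an added example, not code from the handbook or from any core system vendor; the job functions, their entitlements and the mutually exclusive right pairs are assumptions for illustration. It shows the three checks an examiner looks for: a grant is refused when the job function is not entitled to the right, a grant is refused when it would create a conflicting combination, and a periodic review catches rights left over after a transfer.

```python
"""Rights by job function, separation of duties and periodic access review.

Added example, not from the handbook. Job functions, entitlements and the
mutually exclusive right pairs are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Rights each job function is entitled to (assumed).
JOB_FUNCTION_RIGHTS = {
    "teller": {"deposit.view", "deposit.post"},
    "loan_officer": {"loan.view", "loan.originate"},
    "wire_clerk": {"wire.view", "wire.initiate"},
    "wire_supervisor": {"wire.view", "wire.approve"},
    "sysadmin": {"system.admin"},
}

# Pairs of rights no single user may hold at the same time (assumed SoD matrix).
MUTUALLY_EXCLUSIVE = [
    ("wire.initiate", "wire.approve"),
    ("loan.originate", "loan.approve"),
    ("system.admin", "audit.log.delete"),   # an admin must not be able to erase their own trail
]


@dataclass
class User:
    name: str
    job_function: str
    rights: set[str] = field(default_factory=set)


def sod_violations(user: User) -> list[tuple[str, str]]:
    """Every mutually exclusive pair that the user currently holds in full."""
    return [pair for pair in MUTUALLY_EXCLUSIVE if set(pair) <= user.rights]


def grant(user: User, right: str) -> None:
    """Grant a right only if the job function is entitled to it and no
    separation-of-duties conflict results."""
    if right not in JOB_FUNCTION_RIGHTS.get(user.job_function, set()):
        raise PermissionError(f"{user.job_function} is not entitled to {right}")
    candidate = User(user.name, user.job_function, user.rights | {right})
    if sod_violations(candidate):
        raise PermissionError(f"{right} conflicts with existing rights of {user.name}")
    user.rights.add(right)


def approve_wire(initiator: User, approver: User) -> bool:
    """Dual control: the approver must hold wire.approve and must not be the initiator."""
    return (
        approver.name != initiator.name
        and "wire.initiate" in initiator.rights
        and "wire.approve" in approver.rights
    )


def access_review(users: list[User]) -> dict[str, list[str]]:
    """Periodic re-approval: flag rights beyond the current job function (e.g. kept
    after a transfer) and any separation-of-duties conflicts."""
    findings: dict[str, list[str]] = {}
    for u in users:
        issues = []
        excess = u.rights - JOB_FUNCTION_RIGHTS.get(u.job_function, set())
        if excess:
            issues.append(f"rights beyond job function: {sorted(excess)}")
        for a, b in sod_violations(u):
            issues.append(f"separation of duties conflict: {a} + {b}")
        if issues:
            findings[u.name] = issues
    return findings
```

The review function is the automated equivalent of the "periodic reviews/re-approval" bullet: run it against the current user list after each promotion, demotion or transfer, and treat every entry in its output as an exception for management to re-approve or remove.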

Training

• Must include ALL employees of the institution. • Must be conducted annually. • The institution should collect signed acknowledgments of the employee acceptable use policy.

Operational Controls and Processes
• Monitoring tools - detect and preempt system problems or capacity issues
• Daily processing issue resolution and appropriate escalation procedures
• Secure handling, distribution, and disposal of equipment, media, and output (electronic and physical)
• Independent review of master file input and file maintenance changes (e.g., new loan and deposit accounts, address changes, due dates)
• Independent review of global parameter changes (e.g., interest rate for loans and deposits, fee structure, service charges)

Patch Management
• Policies/procedures – current and updated
• Responsible party – management/committee
• Tests patches prior to implementation
• Review of vendor-supplied patches
• Validation of system security configuration after patching

Encryption Standards

Evaluate the institution’s use of encryption for sensitive institution and customer data

• At rest and/or in transit • Current industry standards • Updates and reviews by IT management

Item Processing

Check processing
• Controls over teller/branch imaging
• Security over the capture, storage, and transmission of images
• Controls over the destruction of source documents after being scanned
• Dual control or independent review over the processing of reject, re-entry, and unposted items
• Physical controls over negotiable items
• Controls over cash letters (e.g., reconcilements, segregation of duties)

Remote Access

Authenticate, Monitor, & Control

• Disable remote communications that are not needed (allow remote access only by documented exception)
• Control who is permitted remote access
• Implement control over configurations at both ends of the connection
• Log and monitor all remote access communications
• Secure the remote access devices themselves
• Restrict remote access to specific times
• Limit the applications available through remote access
• Use robust authentication methods for access and encryption to secure communications
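"Logging and monitoring all remote access communications" and the earlier log monitoring bullet ("automated tools ... reporting of exceptions") only have value if something reads the logs against the policy. The block below is an added example, not code from the handbook or from any VPN vendor: it runs a few policy checks over remote-access log lines and returns the exceptions that would go into the management/committee report. The log line format, the permitted window (06:00 to 19:59, Monday to Friday), the privileged-account list and the failure threshold are assumptions, and the sample log lines are constructed (the dates use the handbook's own week, in which 29 October 2018 is a Monday and 3 November a Saturday).

```python
"""Exception reporting over remote-access (VPN) logs.

Added example, not code from the handbook. The log format, permitted window,
privileged-account list and thresholds are assumptions; the sample log lines
at the bottom are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(\S+) \S+ user=(\S+) src=(\S+) event=login result=(\S+) auth=(\S+)$"
)
PERMITTED_HOURS = range(6, 20)          # 06:00 through 19:59 local time (assumed)
PERMITTED_WEEKDAYS = range(0, 5)        # Monday (0) through Friday (4)
PRIVILEGED = {"root", "admin", "backupadm"}   # assumed privileged accounts
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=10)


def parse(line: str) -> dict | None:
    """Parse one log line; lines in an unknown format are skipped, not guessed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, user, src, result, auth = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "result": result, "auth": auth}


def exceptions(lines: list[str]) -> list[tuple[datetime, str, str, str]]:
    """Return (timestamp, user, source, reason) for every policy exception found."""
    findings = []
    recent_failures: dict[str, list[datetime]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        # Keep only this source's failures that fall inside the sliding window.
        recent_failures[src] = [t for t in recent_failures[src] if ts - t <= FAILURE_WINDOW]
        if ev["result"] != "success":
            recent_failures[src].append(ts)
            continue
        # The login succeeded: apply the policy checks.
        if ts.weekday() not in PERMITTED_WEEKDAYS or ts.hour not in PERMITTED_HOURS:
            findings.append((ts, user, src, "remote login outside permitted hours"))
        if user in PRIVILEGED:
            findings.append((ts, user, src, "privileged account used over remote access"))
        if ev["auth"] == "password":
            findings.append((ts, user, src, "single-factor (password-only) remote login"))
        n = len(recent_failures[src])
        if n >= FAILURE_THRESHOLD:
            # A success right after a burst of failures is what a lockout should have prevented.
            findings.append((ts, user, src, f"success after {n} failures within {FAILURE_WINDOW}"))
        recent_failures[src] = []
    return findings


# Constructed sample log: 29 Oct 2018 is a Monday, 3 Nov 2018 a Saturday.
SAMPLE_LOG = [
    "2018-10-29T09:05:11 vpn1 user=jdoe src=198.51.100.7 event=login result=success auth=token",
    "2018-10-29T02:14:07 vpn1 user=msmith src=203.0.113.5 event=login result=success auth=token",
    "2018-10-29T10:00:01 vpn1 user=admin src=198.51.100.9 event=login result=success auth=token",
    "2018-10-29T11:00:00 vpn1 user=rlee src=192.0.2.10 event=login result=success auth=password",
] + [
    f"2018-10-29T13:00:{s:02d} vpn1 user=jdoe src=203.0.113.77 event=login result=failure auth=password"
    for s in (0, 10, 20, 30, 40)
] + [
    "2018-10-29T13:01:00 vpn1 user=jdoe src=203.0.113.77 event=login result=success auth=password",
    "2018-11-03T12:00:00 vpn1 user=jdoe src=198.51.100.7 event=login result=success auth=token",
]

if __name__ == "__main__":
    for ts, user, src, reason in exceptions(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {user:<8} {src:<15} {reason}")
```

Each reason string is a line in the exception report; an examiner should expect to see evidence that these reports reach the people named on the slide (management, committee or board) and that each exception was followed up.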

System Configuration/ Access

• Configuration based on standards
o Industry/vendor
• Configuration standards approvals
o Senior mgmt., committee, board
• Disable unnecessary ports/services
• Change/disable default passwords/accounts
• Automated tools used to enforce secure configuration
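The last three bullets (unnecessary ports/services, default accounts, automated enforcement) are usually checked by comparing a host against an approved baseline. The following is an added example, not code from the handbook or from any configuration management product: it parses `ss -Hlntp`-style listener lines and a list of local accounts and reports every deviation from an assumed baseline. The baseline, the default-account list and both sample inputs are constructed; loopback-only listeners are deliberately ignored because they are not reachable from the network.

```python
"""Configuration baseline check: network-exposed listeners and default accounts.

Added example, not part of the handbook. The approved-port baseline, the
default-account list and the sample inputs are constructed; on a Linux host
the listener lines would come from `ss -Hlntp`.
"""
from __future__ import annotations

import re

# Approved network-exposed TCP listeners per host role (assumed baseline).
BASELINE_PORTS = {
    "web": {22, 443},
    "db": {22, 5432},
}
# Vendor/default account names that must be disabled or removed (assumed list).
DEFAULT_ACCOUNTS = {"admin", "guest", "test", "sa", "oracle"}
LOOPBACK = {"127.0.0.1", "[::1]"}

# LISTEN <recv-q> <send-q> <local addr>:<port> <peer> users:(("<process>",pid=...,fd=...))
SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output: str) -> list[tuple[str, int, str]]:
    """Return (local_address, port, process) for each LISTEN line in the listing."""
    out = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            addr, port, proc = m.groups()
            out.append((addr, int(port), proc))
    return out


def check_listeners(role: str, ss_output: str) -> list[str]:
    """Flag every network-exposed listener that the role's baseline does not approve."""
    approved = BASELINE_PORTS[role]
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if addr in LOOPBACK:
            continue                   # bound to loopback only: not exposed to the network
        if port not in approved:
            findings.append(f"unapproved listener {addr}:{port} ({proc}) on {role} host")
    return findings


def check_accounts(accounts: list[tuple[str, bool, bool]]) -> list[str]:
    """accounts: (name, enabled, still_has_vendor_default_password) per local account."""
    findings = []
    for name, enabled, default_pw in accounts:
        if not enabled:
            continue                   # a disabled default account is the desired state
        if name in DEFAULT_ACCOUNTS:
            findings.append(f"default account '{name}' is still enabled")
        if default_pw:
            findings.append(f"account '{name}' still uses the vendor-supplied password")
    return findings


# Constructed sample listing for a web-role host and a constructed account list.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:443 *:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1450,fd=3))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=990,fd=6))
LISTEN 0 128 [::]:5900 [::]:* users:(("x11vnc",pid=2210,fd=4))
"""
SAMPLE_ACCOUNTS = [("admin", True, True), ("guest", False, False),
                   ("svc_backup", True, True), ("jdoe", True, False)]

if __name__ == "__main__":
    for finding in check_listeners("web", SAMPLE_SS) + check_accounts(SAMPLE_ACCOUNTS):
        print(finding)
```

Run against the constructed sample, the FTP and VNC daemons are reported as unapproved services and the still-enabled vendor account and unchanged default passwords are reported as account findings; the loopback-only Redis listener is not. In practice the same comparison is scheduled and its output reviewed, which is what the "automated tools used to enforce secure configuration" bullet refers to.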

Privileged/Admin Access

Privileged (administrator) access is a “skeleton key” - an all-access key that grants:
• Access to key functions such as add, delete, and change
• Control over employee rights and permissible activities
• Access to key controls such as auditing and logging that would record a cyber event (so it can also be used to erase the evidence of one)
• “root” access, which allows changing operating system controls

VOIP

• Physical / Logical controls • Patch management/ operating system updates • Network segmentation • Security testing
