IT Examiner School, Palm Springs, CA

This is the student handbook for the June 17-21, 2019 IT Examiner School held in Palm Springs, CA.

IT Examiner School Palm Springs, California June 17 - 21, 2019

ATTENDEES

California Department of Business Oversight
Bobby Benavidez        bobby.benavidez@dbo.ca.gov        213-393-0609
Juliet Chang           julia.chang@dbo.ca.gov            213-435-4562
Michael De La Riva     michael.delariva@dbo.ca.gov       213-415-4501
Richelle Doyle         richelle.doyle@dbo.ca.gov         916-531-5289
Sean Duniven           sean.duniven@dbo.ca.gov           213-435-3863
Cecilia Fuentes        cecilia.fuentes@dbo.ca.gov        213-897-3459
Jason Hunt             jason.hunt@dbo.ca.gov             916-531-5269
Timothy Levernier      timothy.levernier@dbo.ca.gov      916-708-3353
Yilung Lu              yilung.lu@dbo.ca.gov              213-760-2374
Yolanda Mirizian       yolanda.mirzaian@dbo.ca.gov       213-435-4559
Scott Novak            scott.novak@dbo.ca.gov            916-531-5109
Dana Racu              dana.racu@dbo.ca.gov              213-435-3884
Jack Romans            jack.romans@dbo.ca.gov            415-542-6303
Radostina Stoica       radostina.stoica@dbo.ca.gov       213-435-3925

Federal Deposit Insurance Corporation
Daniel Kuhnert         dkuhnert@fdic.gov                 972-761-2479

Hawaii Division of Financial Institutions
Xiaohong Kozel         xkozel@dcca.hawaii.gov            808-586-2820

Illinois Division of Banking
Renee Skibinski        renee.skibinski@illinois.gov      312-793-4363

Indiana Department of Financial Institutions
Gage Russell           grussell@dfi.in.gov               317-232-3955

Texas Department of Banking
Makenna Carson         makenna.carson@dob.texas.gov      512-475-1300
Humberto Gonzalez      humberto.gonzalez@dob.texas.gov   512-475-1300
Zane Gray              zane.gray@dob.texas.gov           512-475-1300
Christopher Rains      christopher.rains@dob.texas.gov   512-475-1300
Robert Smith           robert.smith@dob.texas.gov        512-475-1300

Texas Department of Savings and Mortgage Lending
Susanna Blevins        sblevins@sml.texas.gov            512-475-0614
Aaron Brock            abrock@sml.texas.gov              512-475-0614
Debra DuPont           ddupont@sml.texas.gov             512-475-0614
Andrea Henderson       ahenderson@sml.texas.gov          512-475-0614
Landon Odle            lodle@sml.texas.gov               713-854-7573
Keith Zimmerman        kzimmerman@sml.texas.gov          512-475-0614

Washington Department of Financial Institutions
Anya Tabb              anya.tabb@dfi.wa.gov              360-725-7847

INSTRUCTORS

Pennsylvania Department of Banking and Securities
Chuck Martier          cmartier@pa.gov                   717-783-2251

Utah Department of Financial Institutions
Bill Andrus            wandrus@utah.gov                  801-538-8830

CSBS EDUCATION FOUNDATION STAFF
Kim Chancy             kchancy@csbs.org                  202-802-9554

Monday, June 17, 2019

1:00 PM   Introduction and Welcome (Bill Andrus, Matthew Fujikawa, Chuck Martier)
2:00 PM   Technology/Network Overview (Chuck Martier)
          During this session there will be a review of core IT infrastructure, key terms and IT systems risks. The session provides an overview of networks and how information is protected. Key concepts for reviewing an entity's network topology will also be covered.
3:15 PM   Break
3:30 PM   Technology/Network Overview (continued)
4:30 PM   Adjourn

Tuesday, June 18, 2019

8:30 AM   Technology/Network Overview (continued)
9:30 AM   Break
9:45 AM   Disaster Recovery and Business Continuity Planning (Matthew Fujikawa)
          During this session, key concepts will be introduced regarding disaster recovery and business continuity planning and how to evaluate the adequacy of the program.
10:45 AM  Break
11:00 AM  Audit (Chuck Martier)
          This module covers key topics related to audits, including risk assessment, schedule, scope, engagement, and findings and resolution tracking.
11:45 AM  Lunch
1:00 PM   Audit (continued)
2:00 PM   Break
2:15 PM   Support and Delivery (Bill Andrus)
          A review of the controls used to mitigate threats and vulnerabilities to a company's operations security.
3:15 PM   Break
4:30 PM   Adjourn

Wednesday, June 19, 2019

8:30 AM   Electronic Funds Transfers (Wires and ACH) (Bill Andrus)
          This module provides an overview of electronic funds transfers, ACH transactions and wires, the potential risks, and the controls used to mitigate those risks.
9:30 AM   Break
9:45 AM   Electronic Funds Transfers (continued)
10:45 AM  Break
11:00 AM  Cybersecurity Incident Response Exercise (Chuck Martier)
12:00 PM  Lunch
1:00 PM   Management (Bill Andrus)
          This session covers key concepts with respect to laws and regulations, including the Cybersecurity Assessment Tool, corporate account takeover, and identifying red flags. It also focuses on business decisions and their impact on IT.
2:15 PM   Break
2:30 PM   Management (continued)
3:00 PM   Break
3:10 PM   Cybersecurity (Matthew Fujikawa)
3:50 PM   Break
4:00 PM   IT Regulations and Guidance (Chuck Martier)
4:30 PM   Adjourn

Thursday, June 20, 2019

8:30 AM   Development and Acquisition (Bill Andrus)
9:50 AM   Break
10:00 AM  Outsourcing Technology Services (Vendor Management) (Matthew Fujikawa)
          This session reviews vendor management for outsourced IT activity and the expected risk governance and due diligence.
11:00 AM  Break
11:10 AM  Developing Comments and Conclusions/Case Study (Chuck Martier)
          During this session, examiners learn to develop the comments and conclusions used in the Report of Examination.
12:00 PM  Lunch
1:15 PM   Developing Comments and Conclusions/Case Study (continued)
3:00 PM   Break
3:15 PM   Depository/Non-Depository Breakout (Bill Andrus, Matthew Fujikawa, Chuck Martier)
4:30 PM   Adjourn

Friday, June 21, 2019

8:00 AM   Emerging Issues (Chuck Martier)
          This module reviews emerging technologies that have been introduced and their potential risks.
10:00 AM  Course Summary and Key Takeaways (Bill Andrus, Matthew Fujikawa, Chuck Martier)
10:30 AM  Adjourn

CSBS Information Technology Examiner Course

Agenda

Introduction Course Objectives

Course Overview Importance of IT Examinations

Pre‐Course Materials/Activities

Course Expectations

Course Materials

Course Ground Rules

Introductions

Course Objectives

• Analyze an entity's information security program
• Understand basic IT concepts and terminology
• Determine what risks may impact the entity
• Provide recommendations for improvement
• Develop conclusions

Course Overview

• Technology/Network Review
• Conducting IT Examinations
• Develop Comments & Conclusions
• Emerging Technologies

Course Expectations

Course “Rules”

QUESTIONS?

Technology/Network Review

Objectives - Technology Review

• Basic IT infrastructure
• Explore core systems
• Identify the risks associated with technology
• Understand how data flows through a network
• Review network topologies
• Discuss network devices: what they do and how they function

Basic IT Infrastructure

• Core banking
• Electronic funds transfer systems (EFTs)
• E-banking
• Imaging systems
• Wireless systems/devices

Core Systems

Core (banking) systems are the critical systems that provide the basic account management features and information about customers and account holdings. They are either in-house, serviced, or a combination of the two.

For depository institutions and trust companies, the term core processing generally refers to the general ledger, deposits, loans, and trust accounting systems.

Risks Associated with Core Systems

• Unauthorized physical access
• Loss of support
• Password compromise
• Improper implementation of updates/releases
• Successful social engineering to obtain access

Electronic Funds Transfer Systems (EFT)

• Automated Teller Machines (ATMs)
• Automated Clearinghouse (ACH) activities
• Wire transfer systems
• Person to person; business to business

Messaging Systems

E-banking

Mobile Banking

Telephone Banking

Internet Banking

What is this?

[Figure: Tech Bank Network Topology (MPLS). Elements shown in the diagram: remote dial-up connections (laptops, hotspots, RAS server); connections to the ATM switch and to the Federal Reserve (FedLine router, FedLine Advantage); the Main Office LAN with the core system, LAN server, phone banking system, imaging/image capture server, audit and administration workstations, IDS, hub, tape backup and UPS; the Internet connection through a router, firewall, IPS/IDS and switch, with the web, e-mail and e-banking servers behind the firewall; and the Branch Office LAN, reached over a leased phone line through routers and a firewall, with a LAN server, loan application server, backup, laser printers, and branch, loan department and back office workstations.]

Common Network Terminology

Packet: the unit into which all network traffic is broken for transmission; each packet carries source and destination addresses plus a piece of the data (at the link layer it is wrapped in a "frame").

Hub: echoes every packet to all ports (unintelligent), so every device on the hub sees all traffic.

Switch: forwards packets only to the port of the intended destination (intelligent).

Router: routes packets between networks.

Servers: computers providing network services: applications, data, communications, etc.

Common Terminology (continued)

Intrusion Detection/Prevention System (IDS/IPS): identifies unauthorized or malicious packets; an IDS alerts, while an IPS can also stop the packet.

Firewall: filters and restricts packets according to defined rules.

Multi-Protocol Label Switching (MPLS): a carrier WAN technique that forwards traffic by short labels instead of per-hop IP lookups and can carry any protocol; commonly used to link an FI's sites.

Virtual Private Networks (VPNs): create an encrypted tunnel across an untrusted network (usually the Internet) for remote user log-ins or site-to-site links.

Access Methods

• PCs, laptops, mobile devices, etc.
• Remote log-in (e.g., IT staff, vendors, MSSP, etc.)
• WAN connection: frame relay, leased/dedicated line, MPLS, etc. (across multiple FI sites)
• Internet: from most anywhere by most anyone
• World Wide Web: system of interlinked hypertext documents accessed via the Internet
• Wireless: radio, infrared, Wi-Fi, NFC, mobile, etc.
• VPN: creates an encrypted tunnel into the network

Video: https://youtu.be/aeGN2WldqY4

Virtual Environments (VMs)

• Creating virtual machines ("guests") that function like real computers.
• They run on a "host" machine that manages the virtual environments.
• The hypervisor (virtual machine manager) is the software that creates and operates the virtual machines.
• One to several virtual operating systems can run simultaneously on the host machine.
• Each operating system can run different applications without interfering with the others.

Types of Virtual Environments

• Full virtualization: almost complete simulation of the actual hardware, so guest software runs unmodified.
• Partial virtualization: some but not all attributes of the target environment are simulated; some guest programs may require modification to run in such environments.
• Storage area networks (SANs): a collection of computers and storage devices dedicated to storing and protecting data from across local and wide area networks.

How do businesses use VMs?

• Network virtualization: combining available resources in a network by splitting the available bandwidth and channels.
• Storage virtualization: pooling physical storage from multiple network storage devices into what appears to be a single storage device, e.g. SANs.
• Server virtualization: using software to divide a physical server into multiple isolated virtual environments.
• Desktop virtualization: the same technique applied to user desktops, which run as guests on a central host and are accessed remotely.

The OSI Model Animation

https://www.youtube.com/watch?v=-6Uoku-M6oY

Common Types of Protocols

• Internet Protocol (IP)
• Transmission Control Protocol (TCP)
• Combination: TCP/IP
• Hypertext Transfer Protocol (HTTP)
• Hypertext Transfer Protocol Secure (HTTPS)
• File Transfer Protocol (FTP)

What does a firewall do?

• Restricts packets based on user-defined rules
• First line of defense, located at the perimeter

Types of Firewalls

• Packet filter
• Stateful inspection
• Application (web application)
• Next generation (next gen)
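The difference between the first two firewall types is easiest to see in code. The following is an added example, not material from the handbook: a minimal stateless packet filter and a stateful inspection firewall evaluating the same constructed packets. The rule syntax, the address ranges and the packets are assumptions made for the example; rules are evaluated first-match with a default policy of deny.

```python
"""Added example (not from the CSBS handbook): packet filter vs stateful
inspection. All addresses, rules and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    direction: str    # "in" (arriving from the Internet) or "out" (leaving the LAN)
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


@dataclass
class Rule:
    action: str       # "allow" or "deny"
    direction: str
    src: str          # CIDR
    dst: str          # CIDR
    proto: str
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


class PacketFilter:
    """Stateless: every packet is judged only on its own header fields."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:          # first match wins
            if r.matches(p):
                return r.action
        return "deny"                 # default deny


class StatefulFirewall(PacketFilter):
    """Stateful: remembers connections opened from inside and admits only
    their replies; everything else still has to pass the rule set."""
    def __init__(self, rules):
        super().__init__(rules)
        self.table = set()            # (lan_ip, lan_port, remote_ip, remote_port, proto)

    def decide(self, p: Packet) -> str:
        if p.direction == "in":
            if (p.dst, p.dport, p.src, p.sport, p.proto) in self.table:
                return "allow"        # reply to a flow the LAN opened
            if p.proto == "tcp" and not p.syn:
                return "deny"         # unsolicited mid-stream packet: no flow to attach to
        verdict = super().decide(p)
        if verdict == "allow" and p.direction == "out":
            self.table.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return verdict


LAN, ANY = "10.1.0.0/16", "0.0.0.0/0"


def build_firewalls():
    outbound_https = Rule("allow", "out", LAN, ANY, "tcp", dport=443)
    # A stateless filter cannot tell which inbound packets are replies, so the
    # administrator has to open a hole wide enough for them: anything from port 443.
    stateless = PacketFilter([outbound_https,
                              Rule("allow", "in", ANY, LAN, "tcp", sport=443)])
    stateful = StatefulFirewall([outbound_https])   # replies handled by the state table
    return stateless, stateful


def run_scenario():
    """Returns {packet name: (stateless verdict, stateful verdict)}."""
    stateless, stateful = build_firewalls()
    packets = {
        "lan_opens_https": Packet("10.1.2.3", "203.0.113.10", "tcp", 51000, 443, "out", syn=True),
        "https_reply":     Packet("203.0.113.10", "10.1.2.3", "tcp", 443, 51000, "in"),
        # Attacker sources a packet from port 443 at an RDP port on a LAN host.
        "spoofed_rdp":     Packet("198.51.100.7", "10.1.2.3", "tcp", 443, 3389, "in", syn=True),
    }
    return {name: (stateless.decide(p), stateful.decide(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:16s} stateless={verdicts[0]:5s} stateful={verdicts[1]}")
```

The third packet is the point: the stateless filter's "allow from port 443" hole lets an attacker reach any LAN port simply by choosing source port 443, while the stateful firewall denies it because no LAN host opened a flow to that address. When reviewing a packet-filter-only perimeter, look for exactly this kind of broad reply rule.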

What is a DMZ?

A DMZ is a computer network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.

DMZ stands for "demilitarized zone"; it is also known as a perimeter network or screened subnet. The expansions "demarcation zone" and "data management zone" are sometimes seen but are not what the abbreviation means.

https://www.youtube.com/watch?v=MEs4RRUrX_0

DMZ Considerations

• DMZ ("De-Militarized Zone"): necessary for any Internet services provided
• Firewalls (at each end)
• Hardened servers
• Backups
• Monitoring
• Incident response

Intrusion Detection/Prevention Systems (IDS/IPS)

Functions include:
• Monitoring/analyzing user and system activity
• Analyzing system configurations/vulnerabilities
• Assessing system and file integrity
• Ability to recognize patterns of attack
• Analysis of abnormal activity patterns
• Tracking user policy violations

IDS/IPS (cont.)

• Host-based: resides on "host" computers and only detects activity on that host
• Network-based: monitors network traffic on segments of the LAN
• Either kind must be maintained, monitored, and updated to be effective

Network Security Assessments

Crucial to determining if networks are safe or have potential for compromise.

Two key methods (discussed in Audit):
• Network vulnerability assessment
• Penetration test

Network scanning (active):
• Identifies active "hosts" on a network (authorized scanning)
• Alerts when an unauthorized device is detected
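The "alerts when an unauthorized device is detected" point only works if the scan is reconciled against an inventory the institution actually maintains. As an added example (not part of the handbook), the code below compares a constructed scan result with a constructed authorized-device inventory and raises the three alerts an examiner would want to see: a device not in the inventory, a known device answering at an unexpected address, and an inventoried device the scan never found. The CSV layout is an assumption; a real run would take the scan rows from a tool such as nmap or arp-scan.

```python
"""Added example (not from the CSBS handbook): reconcile an active scan
against the authorized-device inventory. Both data sets are constructed."""
import csv
import io

# Constructed inventory: what the FI says is on the 10.1.2.0/24 segment.
INVENTORY_CSV = """mac,ip,hostname,owner
00:11:22:33:44:01,10.1.2.10,core-app-01,IT Operations
00:11:22:33:44:02,10.1.2.11,lan-server,IT Operations
00:11:22:33:44:03,10.1.2.50,loan-ws-07,Loan Department
00:11:22:33:44:04,10.1.2.60,imaging-srv,Operations
"""

# Constructed output of an authorized active scan of the same segment.
SCAN_CSV = """mac,ip,hostname
00:11:22:33:44:01,10.1.2.10,core-app-01
00:11:22:33:44:02,10.1.2.11,lan-server
00:11:22:33:44:03,10.1.2.77,loan-ws-07
aa:bb:cc:dd:ee:ff,10.1.2.99,
"""


def load(csv_text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(inventory_rows, scan_rows):
    """Return (kind, mac, ip, detail) tuples, one per discrepancy."""
    inventory = {r["mac"].lower(): r for r in inventory_rows}
    seen = set()
    alerts = []
    for r in scan_rows:
        mac = r["mac"].lower()
        seen.add(mac)
        if mac not in inventory:
            alerts.append(("UNAUTHORIZED_DEVICE", mac, r["ip"],
                           "MAC not in inventory"))
        elif inventory[mac]["ip"] != r["ip"]:
            # A known MAC at a different address: moved workstation or spoofing.
            alerts.append(("ADDRESS_MISMATCH", mac, r["ip"],
                           f"inventory lists {inventory[mac]['ip']}"))
    for mac, r in inventory.items():
        if mac not in seen:
            # Not necessarily an intrusion, but the inventory is stale or the
            # asset is off the network; either way it needs follow-up.
            alerts.append(("NOT_SEEN", mac, r["ip"],
                           f"{r['hostname']} ({r['owner']}) absent from scan"))
    return alerts


def run():
    return reconcile(load(INVENTORY_CSV), load(SCAN_CSV))


if __name__ == "__main__":
    for kind, mac, ip, detail in run():
        print(f"{kind:20s} {mac} {ip:12s} {detail}")
```

An inventory keyed by MAC rather than IP is deliberate: DHCP moves addresses around, so an IP-keyed comparison would alert constantly on legitimate hosts and hide the one unknown device.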

Malware/Virus

Malware:
• Program or file considered harmful
• Gathers information without permission
• Includes viruses, worms, Trojan horses, etc.

Virus:
• Code that replicates by being copied, attaching itself to a host program or file
• Active immediately or lies dormant
• Could be harmless and/or destructive
• A worm differs in that it is self-contained and spreads across a network on its own (for example by mailing itself as an attachment) instead of infecting a host file

Malware/Virus (cont.)

Trojan horse:
• Program in which malicious code is contained within apparently harmless data
• Gains control of a device or system
• Can cause a chosen form of damage
• Redistributed as part of a computer virus

Bot:
• Short for "robot"
• Program that operates as an agent for someone else
• Turns infected computers into "zombies"
• Allows a remote user to use the "zombies" to attack other computers

Malware/Virus (cont.)

Financial entities can use:
• Single or multiple vendor solutions
• All FI devices should have anti-malware software, which should be run on a "regular" basis
• Workstation and server files should be backed up for restoration if current files get infected
• Written policies and procedures for malware protection, scanning, and updating activities
• Incident response in case of "infection"

VPN (example)

[Figure: Technology State Bank Network Topology. The same layout as the Tech Bank diagram, with VPN endpoints added at the main office, the branch office, the remote dial-up and 3rd-party network support connections and the Internet link. Other elements shown: modems, ATM and ATM switch connection, FedLine connection to the Federal Reserve, RAS server, laptops, mainframe, proof/capture imaging server, phone banking, IDS on each segment, UPS, tape backup, hubs, switch, firewalls, web/e-mail/e-banking servers, LAN servers, loan application server, leased phone line, laser printers, and branch, deposit department and loan department workstations.]

VPN

Provides security through "tunnel protocols" and encryption:
• Confidentiality if an attacker "sniffs" network traffic at the packet level
• Authentication to prevent unauthorized users from accessing the VPN
• Message integrity to detect any instances of tampering

Encryption

Process for scrambling a message or data, in transit and at rest, so that it cannot be viewed except by authorized users holding the key.

• Uses a defined set of "keys" to encrypt and decrypt information
• Some states require confidential information to be encrypted
• The FFIEC IT Examination Handbook (Information Security booklet) has a section on encryption
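The three VPN properties and the role of keys are easier to reason about with a concrete construction in hand. What follows is an added example, not from the handbook and not any real VPN protocol: a toy tunnel built only from the Python standard library, using the encrypt-then-MAC pattern. The keystream is derived from HMAC-SHA256 in counter mode purely so the example runs without third-party libraries; production tunnels (IPsec, TLS, WireGuard) use vetted ciphers such as AES-GCM or ChaCha20-Poly1305. The shared secret and the wire message are constructed.

```python
"""Added example (not from the CSBS handbook): encrypt-then-MAC toy tunnel
showing confidentiality, integrity and key-based authentication. Toy
cipher for illustration only; keys and message are constructed."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(shared_secret: bytes):
    # One secret, two purposes: never reuse the encryption key for the MAC.
    enc_key = hmac.new(shared_secret, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (toy construction).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(shared_secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = os.urandom(NONCE_LEN)                     # fresh per message
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(shared_secret: bytes, packet: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(shared_secret)
    nonce, ciphertext, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None                                 # tampered, or wrong key
    return xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def decrypt_without_integrity(shared_secret: bytes, packet: bytes) -> bytes:
    """What a tunnel with confidentiality but no integrity check would do."""
    enc_key, _ = derive_keys(shared_secret)
    nonce, ciphertext = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN]
    return xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def demo():
    secret = b"pre-shared secret agreed out of band (constructed)"
    message = b"WIRE 00012 AMOUNT 000250000.00 TO 998877"
    packet = seal(secret, message)

    # An attacker on the path flips one ciphertext bit. With a stream cipher
    # that flips the same bit of the plaintext: message offset 21 is the '2'
    # of the amount, and 0x32 ^ 0x01 = 0x33, i.e. '3'.
    tampered = bytearray(packet)
    tampered[NONCE_LEN + 21] ^= 0x01
    tampered = bytes(tampered)

    return {
        "roundtrip_ok": unseal(secret, packet) == message,
        "sniffer_sees_plaintext": message in packet,
        "tampered_rejected": unseal(secret, tampered) is None,
        "plaintext_after_silent_tamper": decrypt_without_integrity(secret, tampered),
        "wrong_key_rejected": unseal(b"not the secret", packet) is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The `plaintext_after_silent_tamper` entry is the reason "message integrity" is listed separately from confidentiality: encryption alone turns a $250,000 wire into a $350,000 wire with no error at the receiving end, while the MAC check rejects the altered packet outright. The wrong-key case is the authentication property: a peer without the shared secret cannot produce a packet the receiver accepts.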

Wireless

Wi-Fi security protocols (least to most secure):
• Wired Equivalent Privacy (WEP): broken; should not be in use
• Wi-Fi Protected Access (WPA)
• Wi-Fi Protected Access 2 (WPA2)
• Wi-Fi Protected Access 3 (WPA3)

Wireless Application Protocol (WAP) is sometimes listed alongside these, but it is a mobile content-delivery protocol, not a Wi-Fi security standard.

If a financial entity is using wireless, it should be using the most secure protocol its equipment supports.

Benefits/Risks of Wireless Technology

Benefits:
• Low cost
• Ease of use
• Widespread use

Risks:
• Unauthorized access to the network
• Improper wireless configurations

System Monitoring

System monitoring should include:
• System usage, capacity, and performance
• Data traffic: peak usage and type of traffic
• Auditing tools, e.g. employee access and from where, and access denials

System Monitoring (cont.)

System monitoring should include:
• Security Information and Event Management (SIEM): logging and event correlation tool
• File integrity monitoring
• Vulnerability management
• Security configuration management: automates hardening of devices, etc.
• IDS/IPS
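"Employee access and from where, and access denials" is the kind of review a SIEM rule does continuously; an examiner can ask to see the rule and the alerts it produced. As an added example (not from the handbook), the code below runs that review over a few constructed authentication log lines and flags repeated denials, a success immediately after a run of denials, logons from outside the institution's address ranges, and after-hours access. The log format, the allowed ranges, the business hours and the threshold are all assumptions for the example.

```python
"""Added example (not from the CSBS handbook): access-log review of the
kind a SIEM rule would do. Log lines, ranges and hours are constructed."""
import re
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample log: one line per logon attempt.
SAMPLE_LOG = """\
2019-06-17 08:02:11 host=core-app-01 user=jdoe src=10.1.2.50 result=success
2019-06-17 09:12:55 host=lan-server user=vendor1 src=203.0.113.9 result=denied
2019-06-17 09:13:02 host=lan-server user=vendor1 src=203.0.113.9 result=denied
2019-06-17 09:13:10 host=lan-server user=vendor1 src=203.0.113.9 result=denied
2019-06-17 09:13:19 host=lan-server user=vendor1 src=203.0.113.9 result=success
2019-06-17 12:40:00 host=core-app-01 user=asmith src=10.1.3.21 result=success
2019-06-17 22:14:03 host=core-app-01 user=jdoe src=10.1.2.50 result=success
2019-06-17 23:05:44 host=wire-app user=teller04 src=198.51.100.24 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

# Assumed internal sources: the office LAN plus the VPN address pool.
ALLOWED_SOURCES = [ip_network("10.1.0.0/16"), ip_network("10.200.0.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed
DENIAL_THRESHOLD = 3                          # assumed


def parse(log_text):
    """Turn log lines into dicts; keep unparseable lines so they surface."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            events.append({"unparsed": line})
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events


def review(events):
    """Return (kind, user, src, host) alerts in the order they fire."""
    alerts = []
    denials = defaultdict(int)        # (user, src) -> consecutive denials
    for e in events:
        if "unparsed" in e:
            alerts.append(("UNPARSED_LINE", e["unparsed"], "", ""))
            continue
        key = (e["user"], e["src"])
        if e["result"] == "denied":
            denials[key] += 1
            if denials[key] == DENIAL_THRESHOLD:
                alerts.append(("REPEATED_DENIALS", e["user"], e["src"], e["host"]))
            continue
        # A success right after a run of denials looks like guessing that worked.
        if denials[key] >= DENIAL_THRESHOLD:
            alerts.append(("SUCCESS_AFTER_DENIALS", e["user"], e["src"], e["host"]))
        denials[key] = 0
        src = ip_address(e["src"])
        if not any(src in net for net in ALLOWED_SOURCES):
            alerts.append(("EXTERNAL_SOURCE", e["user"], e["src"], e["host"]))
        t = e["ts"].time()
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            alerts.append(("AFTER_HOURS", e["user"], e["src"], e["host"]))
    return alerts


def review_sample():
    return review(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, user, src, host in review_sample():
        print(f"{kind:22s} user={user} src={src} host={host}")
```

Two design points worth carrying into a real rule set: denials are counted per (user, source) pair rather than per user, so one vendor's failures do not mask another source guessing the same account, and a successful logon that follows the denial run is reported separately because that is the event that actually needs investigation.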

Risks Associated with Technology

Unauthorized access is the #1 risk.

Key Examination Points. Determine the following:
• Adequacy of network assessments
• Administration of network security devices
• Remote user access: employees and vendors
• Where sensitive data is stored and how it is transported within the network
• Protection of data when it moves or is stored in the network

Module Key Points

Institutions use IT to:
• Perform core processing
• Conduct payment systems activities
• Offer e-banking services
• Provide support for internal users

IT examinations consist of reviews of both technology and bank operations.

Networks require appropriate security:
• Virus/malware/spyware protection
• Segregation of key segments (e.g. DMZ) and controlled remote access (e.g. VPN)
• Data encryption as per the risk assessment and data classification(s)

Module Key Points (cont.)

Networks handle key functions within an FI:
• Used for daily IT activities, e.g. email
• Store customer/FI data, e.g. databases
• Link the FI with its core processor
• Provide access to various applications, e.g. Word, Excel

Vulnerability assessments and penetration tests should be performed annually.

Topologies take many forms and some are more complex than others.

If you need assistance, contact an IT specialist.

Summary

• Network topologies should be updated regularly or when changes to the network occur.
• Risk assessments for networks should be performed annually.
• Vulnerability assessments and pen tests should be performed annually.
• Appropriate monitoring should be deployed.

Business Continuity Planning, Disaster Recovery, and Pandemic Planning

Objectives

Evaluate the adequacy of an institution’s  Disaster Recovery and Business Continuity  Planning (DR/BCP) processes.

Discuss typical steps taken by management to  develop an institution’s DR/BCP program

Identify and discuss various testing  methodologies.

Discuss interconnectivity and  interdependencies between involved parties.

Discuss Pandemic and Incident Response  Planning

Key Terms

Disaster Recovery Planning – (DRP) 

Business Continuity Planning – (BCP)

Emergency Preparedness Planning 

Business Impact Analysis – (BIA) 

Recovery Time Objectives – (RTO)

Recovery Point Objectives – (RPO)

DR and BC Program Functions Lifecycle

Executive Management Support

Compliance and  Audit Oversight

Risk Assessment  and BIA

Testing and  Maintenance of  the plan

Alignment of  Objectives with  RTOs and RPOs

Plan Customization  and  Implementations

Employee Training  and Awareness

Business Continuity and Disaster Recovery Planning Steps

Create a framework for the plan

Conduct a Business Impact Analysis (BIA)  and Risk Assessment

Identify risk management strategies

Conduct risk monitoring and testing

Administer the plan

Create a Framework

General information:
• Goals and objectives
• Plan scope and assumptions
• Disaster recovery team organization chart

Detailed/specific information:
• Details for declaring a disaster, including delegating authority
• Business impact analysis and risk assessment
• Risk management strategies and plan administration

Conduct a Business Impact Analysis (BIA) and Risk Assessment

A BIA identifies the potential impact of business disruptions. It should:
• Prioritize all business functions and operations, not just IT.
• Determine the maximum downtime for each function (recovery time objectives), minimum levels of service, and maximum tolerable financial losses.
• Establish the minimum frequency with which backups must be made (recovery point objectives).

A BIA should be developed from goals for recovery based on customer expectations and operational needs, not on how rapidly or slowly recovery would actually take place.
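The BIA sets the objectives; the examiner's question is whether the backup schedule and the last DR test actually meet them, and whether everything the BIA calls critical made it onto the DR plan. As an added example (not from the handbook), the check below takes constructed BIA entries with RTO and RPO values, the backup interval and the restore time measured in the most recent test, and returns one finding per gap. The business functions, their objectives and the test results are all constructed; the priority cut-off for "critical" is an assumption.

```python
"""Added example (not from the CSBS handbook): compare achieved backup
interval and tested restore time with the RPO/RTO set in the BIA.
All functions, objectives and test results are constructed."""
from dataclasses import dataclass
from typing import Optional

CRITICAL_PRIORITY = 2   # assumed: priority 1-2 functions must be on the DR plan


@dataclass
class Function:
    name: str
    priority: int                          # 1 = most critical
    rto_hours: float                       # maximum tolerable downtime (BIA)
    rpo_hours: float                       # maximum tolerable data loss (BIA)
    backup_interval_hours: float           # how often backups actually run
    tested_restore_hours: Optional[float]  # restore time in the last DR test; None = never tested
    on_dr_plan: bool                       # listed as critical in the DR plan?


def assess(functions):
    """Return (function, kind, detail) findings; an empty list means aligned."""
    findings = []
    for f in functions:
        if f.priority <= CRITICAL_PRIORITY and not f.on_dr_plan:
            findings.append((f.name, "NOT_ON_DR_PLAN",
                             "critical in the BIA but missing from the DR plan"))
        # Worst-case data loss is the whole gap between two backups, so the
        # backup interval must not exceed the RPO.
        if f.backup_interval_hours > f.rpo_hours:
            findings.append((f.name, "RPO_GAP",
                             f"backups every {f.backup_interval_hours}h, RPO {f.rpo_hours}h"))
        if f.tested_restore_hours is None:
            findings.append((f.name, "UNTESTED",
                             "no test result to compare against the RTO"))
        elif f.tested_restore_hours > f.rto_hours:
            findings.append((f.name, "RTO_GAP",
                             f"last test restored in {f.tested_restore_hours}h, RTO {f.rto_hours}h"))
    return findings


# Constructed BIA extract for a small institution.
SAMPLE = [
    Function("Core processing", 1, rto_hours=4, rpo_hours=1,
             backup_interval_hours=1, tested_restore_hours=3.5, on_dr_plan=True),
    Function("Wire transfer", 1, rto_hours=2, rpo_hours=0.25,
             backup_interval_hours=1, tested_restore_hours=1.5, on_dr_plan=True),
    Function("Internet banking", 2, rto_hours=8, rpo_hours=4,
             backup_interval_hours=4, tested_restore_hours=None, on_dr_plan=False),
    Function("Loan origination", 3, rto_hours=48, rpo_hours=24,
             backup_interval_hours=24, tested_restore_hours=60, on_dr_plan=True),
]


def assess_sample():
    return assess(SAMPLE)


if __name__ == "__main__":
    for name, kind, detail in assess_sample():
        print(f"{name:18s} {kind:15s} {detail}")
```

Note the wire transfer case: a one-hour backup cycle is fine for core processing but blows through a fifteen-minute RPO, which is the sort of mismatch that only shows up when objectives and actual schedules are put side by side.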

Risk Assessment Considerations

• Proximity to critical infrastructure, including power and telecommunication sources and transportation hubs
• Services provided by the institution
• Location in a flood plain or hurricane/tornado/earthquake-prone area

Identify Risk Management Strategies

Develop processes to minimize disruptions of  service to the institution’s customers and  operations.

Ensure plans and agreements are  in place with vendors.

Provide employee training.

Risk Management Strategies to Minimize Service Disruptions

Identify an alternative or back‐up site and/or subscribe to a disaster  recovery service

Detail backup and off‐site storage procedures 

List applications to be brought up in given timeframes

Ensure that sufficient resources are available to meet the timeframes

Create procedures for how the institution will exchange information  with service providers and third parties from the backup location

Vendor Agreements

• Review the vendor's plan to ensure that critical services can be restored within acceptable timeframes
• Establish provisions that address the vendor's responsibility for maintaining and testing plans
• Ensure that the institution has identified how to adjust internal procedures if the vendor invokes its plan

Provide Employee Training

Conduct employee training at  enterprise‐wide level and  business unit level

Teach all employees about  responsibilities and procedures to follow  during and after recovery

Include periodic simulation exercises for  key employees 

Ensure that training is regularly scheduled and  updated to address operational changes

Conduct Risk Monitoring

Test the plans to ensure they are viable. Tests should:
• Be commensurate with system complexity and criticality.
• Involve audit/independent review personnel.
• Include appropriate institution personnel to ensure they are familiar with the disaster recovery procedures.
• Be conducted at least annually, or more often if significant changes occur.
• Be reported to the Board and senior management.
• Be sufficiently documented.

Testing Strategies

• Staffing: demonstrate staff's ability to support business processes, communication, and reconciliation of transactions.
• Technology: data, systems, applications, network, and telecommunications necessary for supporting business activities.
• Facilities: environmental controls, workspace recovery, and physical security.

Testing Methods

• Tabletop exercise/structured walk-through test
• Walk-through drill/simulation test
• Functional drill/parallel test
• Full-interruption/full-scale test

Administer the Plan

As a result of risk monitoring,  management should update their BIA,  BCP, and DRP.

What other triggers would require  the plan to be updated?

Pandemic Planning

Two significant repercussions of a pandemic are:
• A greatly reduced number of available personnel to perform tasks, and the potential that the remaining personnel may not be sufficiently trained to maintain operations.
• Limitation of direct access to facilities due to quarantine or minimization of contact to prevent the spread of illness.

NOTE: Guidance for bankers can be found in FIL-6-2008, Interagency Statement on Pandemic Planning: Guidance for Minimizing a Pandemic's Potential Adverse Effects.

Incident Response Plan - Procedures

At a minimum an incident response program should contain procedures for the following:
• Assess the nature and scope of an incident, identifying what customer information systems and types of customer information have been accessed or misused.
• Take appropriate steps to contain and control the incident to prevent further unauthorized access.
• File a Suspicious Activity Report ("SAR") as required.
• Notify customers when warranted.
• Notify the primary Federal regulator.

Incident Response Plan - Components

Communication  Paths – Employees  and Customers

Senior Leadership  Involvement

Responsibilities  and Duties

Recovery  Strategies: Critical  Systems, Apps, and  Data 

Process to Classify,  Log, and Track  Incidents

Escalation  Procedures

Response and  Recovery

Address Incidents  at Third‐Parties

Periodic Testing

Tabletop Exercise!

1. What activities must be executed to resolve this incident?
2. Which roles/teams will be involved during this incident?
3. Which plans and procedures should be used during this incident?
4. What pieces of information are key to resolving this event?
5. Other concerns?

InTREx DR/BCP Procedures


Key Points

The primary goals of disaster recovery and business continuity plans are to:
• Protect personnel and customers.
• Minimize damage to resources.
• Resume operations as quickly as possible in an orderly, preplanned manner.

Items identified as critical on the disaster recovery plan should be consistent with the BIA and risk assessment.

Key Points (continued)

To assess the adequacy and effectiveness of an institution's plan, assess:

Management  Support

Risk Management  Strategies

Business Impact  Analysis

Risk  Monitoring/Testing

Backup Location

Training

Update the Plan

Audit

Objectives

Provide tools to assess  the effectiveness of the  IT Audit Program

Types of IT  Audits/Reviews

IT Auditor Expertise

IT Audit Component  Rating

Audit/Independent Review

• Performed by independent personnel
• Conducted by knowledgeable individuals; risk assessment/complexity based
• Documented findings/recommendations
• Results reported to the Board/Committee
• Conducted separately or all at once
• IT scope and frequency based on inherent or residual risk

FFIEC guidance specifies that high-risk areas should be audited/reviewed at least annually.

Assessment Areas for IT Audits

The IT audit program should be assessed for the following:
• Audit risk assessment, plan and scope
• Appropriate coverage of the entity's IT environment and activities
• Quality of written IT reports
• Audit independence
• Auditor qualifications
• Findings and recommendations reporting and follow-up

Guidance for IT Audit

• FFIEC IT Examination Handbook, Audit booklet
• Federal agency rules and regulations
• Interagency Policy Statement on the Internal Audit Function and its Outsourcing
• Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations
• Interagency Guidelines Establishing Information Security Standards (GLBA)
• Information Systems Audit and Control Association (ISACA)

IT Audit Engagement

• Engaged and signed by an individual or committee not responsible for IT operations, preferably a member of the Board or Audit Committee
• Expectations and responsibilities
• The scope, timeframes, and cost of work to be performed
• Institution access to audit workpapers

IT Audit Risk Assessment and Scope

• Identifies areas to be reviewed, consistent with the risk assessment/risk level
• Describes how the audit will be performed and the tools to be used
• Provides the timeframe for completing the audit

Firms may provide an engagement letter specifying this information, including costs.

IT Audit Coverage

IT General Controls

Information Security Program (GLBA)

EFT (ACH/Wires/RDC)

NACHA Compliance

Penetration Testing/Vulnerability Assessment

Identity Theft Red Flags Program

Regulation GG/Unlawful Internet Gambling  Enforcement Act

IT Audit Coverage

Business  Continuity  Planning

Change/Patch  management

Vendor  Management 

Cybersecurity

Internet/Online  Banking

Third‐party  outsourcing

Disaster Recovery

Network  Architecture  (Firewalls and  IDS/IPS)

BIA

Incident  Response

Social Engineering

Security  Monitoring

Written IT Audit Reports

Describe scope  and objectives

Identifies the deficiencies/weaknesses

Suggests  corrective  action(s)

Management’s  response/timing  for corrective  action(s)

Provides  information on  prior audit  findings

•Identifies repeat findings

Complies with  audit plan and  schedule

Types of IT Audits

Internal Audits/ Certifications

IT General Controls

Penetration Tests

Vulnerability Assessments

Statement on Standards for Attestation  Engagements (SSAE‐16/18)

IT General Controls (ITGC)

ITGC cover:
• Logical access controls over infrastructure, applications, and data
• System development life cycle controls
• Program change management controls
• Data center physical controls
• System and data backup and recovery controls
• Computer operation controls

ITGC audits should be performed annually.

Wire Transfer/ACH Audits

These services are critical to many financial entities.

• Usually included with the ITGC audit, particularly in small to medium community banks, CUs, and MTs
• Can be a separate audit; this usually occurs in larger community financial entities with significant wire/ACH activity

Vulnerability Assessment vs Penetration Tests

High-level comparison:
• Vulnerability assessments identify where facilities or networks are at risk
• Penetration tests subject a network to "real life" cyber events, internally and externally

Both should be performed at least annually.

Vulnerability Assessments

Basic vulnerability assessment description (by analogy):
• Checking building windows and doors to see if they are secured
• Checking if the building is susceptible to other events, e.g. natural catastrophes

Testing:
• Requires specific skills/knowledge
• The audit team tries to find weak points
• The tools used simulate a variety of attacks
• Results are used in penetration testing for potential exploitation

Vulnerability Assessment vs. Risk Assessment

A risk assessment involves:
• Cataloging assets and capabilities (resources) in a system
• Assigning quantifiable value and importance to each resource
• Identifying the vulnerabilities or potential threats to each resource
• Mitigating or eliminating vulnerabilities for key resources

FIs will sometimes use a vulnerability assessment to aid in completing the risk assessment process.

Penetration Test (Pen Test)

• A pen test "tests" systems to find and exploit known vulnerabilities that an attacker could exploit
• Determines if there are weaknesses and whether the tester is able to access system functionality and data
• Pen tests are intrusive, as actual "attack" tools are used
• Require management's knowledge and consent
• Require a high degree of skill to perform
• The pen test report will describe any weaknesses as "high", "medium" or "low"

Pen Test Strategies

• Targeted testing: performed by the entity's IT team and the external testing team working together
• External testing: targets externally visible servers or devices (seen by anybody on the Internet) to see if the testers can get into internal systems, and how far
• Internal testing: mimics an insider attack by an authorized user with standard access privileges (what can happen with a disgruntled employee)

Pen Test Value

Ascertain the likelihood of gaining system access

Likelihood of exploiting a low risk vulnerability to gain higher level access

Detecting vulnerabilities not easily found using standard system protective means

Measure of risk for a cyber attack

List of vulnerabilities needing patching

Ability of current security methods to detect or repel an attack

Additional efforts needed to protect the network(s)/system(s)

Service Organization Control (SOC) Reports

There are two types of SOC reports:

• Type I
  • Describes the servicer's controls as of a specific point in time
  • The auditor does not test whether the controls operated; the opinion covers only whether the servicer's description is fair and the controls are suitably designed as of that date
• Type II (preferred)
  • Includes the information in a Type I report
  • Detailed testing of the servicer's controls over a minimum consecutive six-month period
  • The auditor expresses an opinion on operating effectiveness based on that testing

Audit Reporting/Follow-up

Similar to Safety & Soundness:

o IT Audit reporting channels: what is being reported and to whom
o Senior Management Responses: are they reasonable and is the corrective timeframe appropriate
o Exception Tracking: show all IT audit findings, both internal and external, and regulatory, along with corrective action(s)

Auditor Independence & Qualifications

Independence:

• Whether or not there are conflicting duties, e.g. involved in auditing areas they have responsibilities for or oversight of
• Whether or not the Auditor has a debt with the entity (may have some influence)
• Auditor should be reporting to Board or Audit Committee

Qualifications:

• Type of IT experience and training
  o Some IT audits require specific skill sets
• Current IT certifications the auditor maintains
• List of references from entities with similar IT activities

These qualifications provide some assurances, but don’t guarantee a quality audit

IT Audit Review

Audit Reports include:

• Audit scope and objectives
• Pertinent areas for improvement based on results of testing
• Reasonable and appropriate recommendations
• Findings and observations consistent with your examination results

Audit Report Review

Signs of a questionable audit:

• Be wary of auditors who rely solely on checklists
• Using only regulatory workprograms is not an audit
• Absence or lack of workpapers could indicate a poorly performed audit
  o Especially if there are no workpapers showing how ITGCs were reviewed/tested

Audit Findings Tracking and Resolution

• Issues and corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner.

• A formal tracking system that assigns responsibility and target date for resolution
• Timely and formal status reporting
• Tracking and reporting of changes in target dates or proposed corrective actions to the Board or Audit Committee
• Process to ensure findings are resolved
• Independent validation to assess the effectiveness of corrective measures

Auditor Interview

Areas to focus on with auditor interview:

• Knowledge of the IT environment and risks
• Understanding of systems they are reviewing
• Understanding of the basic controls (of these systems)
• Verify training and/or certifications (as necessary); certifications require specific training and a set number of hours per year (usually 40)
• Why the auditor used a checklist or FFIEC IT work-program when the audit work didn’t fit the entity’s activity

InTREx - Audit

Audit Component Rating

Areas to focus on when rating IT Audit component adequacy:

• Independence and quality of oversight
• Audit risk analysis methodology/resources applied
• Scope, frequency, accuracy, and timeliness of audit reports
• Extent of audit participation in SDLC to ensure effectiveness of internal controls and audit trails
• Audit plan in providing appropriate coverage of IT risks
• IT auditor’s adherence to code of ethics/professional standards
• Qualifications of IT auditors
• Timely and formal follow-up and reporting on management’s resolution of identified issues/weaknesses
• Quality and effectiveness of internal and external audit activity related to IT controls

Conclusion

• Learned basics for IT Audits
• Minimum scope in risk focused examination process: must review the entity’s audit program
• If audit program is deficient or lacking
  o Don’t need to dig deeper
  o Describe the deficiencies and record them in your WP
  o Notify the Safety & Soundness EIC
• If audit program is satisfactory
  o Can risk focus areas recently audited

Audit Case Study

Support and Delivery

Information Security/Operations - Objective

Assess the effectiveness of an institution’s operations security and risk management practices

• Quality of processes and programs monitoring capacity and performance
• Adequacy of data controls
• Adequacy of controls and ability to monitor controls at service providers
• Quality of physical and logical security
• Adequacy of firewall and security connections

Information Security/IT Operations

IT Operations

Oversight and Support

• Adequacy of resources
• Technology support
• Employee Training
• Problem Resolution

Operational Risks and Controls

• Monitoring tools
  o System problems/capacity
  o Error handling
• Disposal of equipment/Media
• Master file maintenance/changes
• Supervisory reviews
  o Dual Controls
  o Separation of Duties

Information Security: Security Monitoring

• Networks
• Systems
• Applications

Access

• Authorized and Unauthorized

Information Security

Detection/prevention

• Removal of data/loss prevention
• Unauthorized software/devices

Adequacy/frequency

• Vulnerability assessment
• Penetration tests

Information Security: Adequacy of managing

• Network security devices
  o Firewalls
  o IDS
  o VPN
  o Wireless – configuration/monitoring
• Log monitoring programs
  o Automated tools
    – Security monitoring tools
    – Policy enforcement
    – Reporting of exceptions (mgmt./committee/board)
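The log monitoring bullets above describe automated tools that enforce policy and report exceptions to management. The following is an added example, not material from the handbook or from any examined institution, showing what such an exception report looks like in practice: it parses a handful of constructed authentication log lines (the line format, host names, account names and addresses are all invented for the example) and applies two review rules, successful logins by a privileged account outside business hours, and one source address failing against many distinct accounts within a short window. The thresholds and the privileged-account list are assumed values that an institution would set in its own policy.

```python
"""Exception report over authentication logs (added example; constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified syslog-like format (not real institution logs).
SAMPLE_LOG = """\
2019-06-17T08:02:11 auth host=core01 user=jdoe result=success src=10.1.4.22
2019-06-17T08:05:40 auth host=core01 user=admin result=success src=10.1.4.9
2019-06-17T22:41:03 auth host=core01 user=admin result=success src=10.1.9.77
2019-06-17T23:10:15 auth host=vpn01 user=asmith result=failure src=203.0.113.5
2019-06-17T23:10:17 auth host=vpn01 user=bjones result=failure src=203.0.113.5
2019-06-17T23:10:19 auth host=vpn01 user=cwong result=failure src=203.0.113.5
2019-06-17T23:10:21 auth host=vpn01 user=dlee result=failure src=203.0.113.5
2019-06-17T23:10:23 auth host=vpn01 user=efox result=failure src=203.0.113.5
2019-06-18T09:15:00 auth host=core01 user=jdoe result=failure src=10.1.4.22
2019-06-18T09:15:30 auth host=core01 user=jdoe result=success src=10.1.4.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$"
)

# Review parameters: assumed values, an institution sets its own in policy.
PRIVILEGED_ACCOUNTS = {"admin", "root"}
BUSINESS_HOURS = (7, 19)            # 07:00 to 19:00 local time
SPRAY_WINDOW = timedelta(minutes=5)  # window for the "many accounts, one source" rule
SPRAY_MIN_ACCOUNTS = 5


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def after_hours_privileged(events):
    """Rule 1: successful privileged logins outside business hours, one exception per event."""
    start, end = BUSINESS_HOURS
    return [
        f"after-hours privileged login: user={e['user']} host={e['host']} "
        f"src={e['src']} at {e['ts'].isoformat()}"
        for e in events
        if e["user"] in PRIVILEGED_ACCOUNTS and e["result"] == "success"
        and not (start <= e["ts"].hour < end)
    ]


def failed_logins_many_accounts(events):
    """Rule 2: one source failing against SPRAY_MIN_ACCOUNTS or more distinct accounts within SPRAY_WINDOW."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e)
    findings = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        lo = 0  # sliding window over this source's failures, ordered by time
        for hi in range(len(fails)):
            while fails[hi]["ts"] - fails[lo]["ts"] > SPRAY_WINDOW:
                lo += 1
            users = {e["user"] for e in fails[lo:hi + 1]}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                findings.append(
                    f"failed logins against {len(users)} accounts from src={src} within {SPRAY_WINDOW}"
                )
                break  # one exception per source is enough for the report
    return findings


def exception_report(text):
    """Combined exception list for management/committee reporting."""
    events = parse_log(text)
    return after_hours_privileged(events) + failed_logins_many_accounts(events)


if __name__ == "__main__":
    for finding in exception_report(SAMPLE_LOG):
        print(finding)
```

On the constructed lines the report contains two exceptions: the 22:41 login by admin, and the five failures from 203.0.113.5 inside eight seconds. The 08:05 admin login and the single jdoe failure are within policy and are not reported, which is the point of the rules: the report should surface exceptions, not every event.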

Information Security Program Management

An effective information security program includes:

• Risk identification
• Risk measurement
• Risk mitigation
• Risk monitoring and reporting

Information Security - Risk Identification

• Threat: natural occurrence, technology or physical failure
  – Threat identification conducted in the risk assessment process
• Vulnerabilities: a weakness in an information system, system security procedure, internal control, or implementation that could be exploited by a threat source.
• Supervision of Cybersecurity Risk and Resources for Cybersecurity Preparedness

Information Security - Risk Measurement

• Develop risk measurement processes that evaluate the inherent risks.

• Determine the risk associated with different threats.

• Measure the risks to guide recommendations for and use of mitigating controls.

Information Security - Risk Mitigation

• Policies and Procedures
• Control Types/implementation
• Inventory and Classification of Assets
• User Security Controls
• Physical Security
• Change Management Within IT Environment
• End-of-Life Management
• Application Security
• Database Security
• Encryption
• Log Management
• Malware Mitigation

Information Security – Policies and Procedures

Board approved Written Policies (Required by GLBA)

• Address key areas such as personnel, physical and logical security, change management, strategic planning, and business continuity.
• Depth and coverage of IT operations policies will vary based on institution size and complexity.

Procedures describe the processes used to meet the requirements of the institution's IT policies.

• Do not need to be formally Board approved.
• Written for consistency and continuity.
• Regularly updated as processes, systems, and threats change.

Layered Security

• Layered security, also known as layered defense, describes the practice of combining multiple mitigating security controls (preventive, detective, and corrective) to protect resources and data.

• The more layers of controls that exist, the better the protection against threats.

Controls

What are three common types of controls?

Physical Controls

Technical Controls

Technical (or logical) controls involve hardware and application or OS software.

• Access controls/logical access controls
• System configuration/hardening standards (minimize the probability of exploitation of known or unknown vulnerabilities)
• Firewalls
• Anti-spyware/malware
• Encryption

Physical Controls

Protect against environmental, human, and systemic threats.

• Inventory logs
• Restricting access to areas or data

Additional physical controls include:

• Implementing dual controls
• Adequate redundancy for systems
• Adequate distance between primary processing facility and the backup data and alternate processing facility.
• Physical controls for controlling removable media.
• Computer room
  o Access
  o Alarms
  o HVAC
  o Sufficient UPS/Generators
  o Fire Suppression
  o Security cameras
  o Environmental Sensors
• Telecommunication closet
• Facilities

Administrative Controls

Support the classic management responsibilities of planning, directing, and organizing.

Organizational structure controls include:

• Having separation/segregation of duties.
• Implementing independent monitoring.
• Having qualified personnel.

Control Applications

Different stages of control include:

• Preventative

• Detective

• Corrective

User Access Rights

• Process – add, delete, change access rights
• Remove/restrict access (AD – Active Directory)
• Periodic reviews/re-approval based on changes (promotion, demotion, job function)
• Assignment of user rights (based on job function)
• Time of day/day of week restrictions
• Prohibit shared privileged access by multiple users
• Authentication based on user profile
• Logging/review of privileged access (administrator access)

Authentication Controls

Passwords

• Complexity
• Expiration period
• Re-use/history
• Failed login settings
• Automatic timeout
• Screen saver passwords
• Reset procedures
• Use of tokens/Biometric solutions
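The password controls listed above name the areas an examiner reviews but no values. The following is an added example, not from the handbook, of how a credential system enforces those controls: complexity, expiration, re-use/history, failed-login lockout and automatic timeout. All policy values in POLICY are assumed for illustration. Stored passwords are kept as salted PBKDF2-HMAC-SHA256 digests (a stand-in for whatever slow salted hash the institution's systems use) so that the history check can test a proposed password against the last N passwords without ever storing them in clear.

```python
"""Password control enforcement (added example; policy values are assumptions)."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Assumed policy values for illustration; an institution sets its own.
POLICY = {
    "min_length": 12,
    "classes_required": 3,      # of: lower, upper, digit, symbol
    "max_age_days": 90,         # expiration period
    "history_depth": 10,        # re-use/history
    "lockout_threshold": 5,     # failed login settings
    "lockout_minutes": 30,
    "idle_timeout_minutes": 15, # automatic timeout
}

PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random per-password salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, entry):
    """Constant-time comparison of a candidate password against a stored (salt, digest)."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def complexity_findings(password, policy=POLICY):
    """Complexity: minimum length and number of character classes."""
    findings = []
    if len(password) < policy["min_length"]:
        findings.append(f"shorter than {policy['min_length']} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < policy["classes_required"]:
        findings.append(f"uses {classes} of {policy['classes_required']} required character classes")
    return findings


def is_reused(password, history, policy=POLICY):
    """Re-use/history: true if the password matches any of the last N stored digests."""
    return any(verify(password, entry) for entry in history[-policy["history_depth"]:])


def is_expired(last_changed, now, policy=POLICY):
    """Expiration period."""
    return now - last_changed > timedelta(days=policy["max_age_days"])


def is_locked_out(failed_attempt_times, now, policy=POLICY):
    """Failed login settings: threshold failures inside the lockout window locks the account."""
    window_start = now - timedelta(minutes=policy["lockout_minutes"])
    recent = [t for t in failed_attempt_times if t >= window_start]
    return len(recent) >= policy["lockout_threshold"]


def session_timed_out(last_activity, now, policy=POLICY):
    """Automatic timeout of an idle session."""
    return now - last_activity > timedelta(minutes=policy["idle_timeout_minutes"])


def review_password_change(new_password, history, policy=POLICY):
    """Every reason a proposed password is rejected; an empty list means it is accepted."""
    findings = complexity_findings(new_password, policy)
    if is_reused(new_password, history, policy):
        findings.append(f"matches one of the last {policy['history_depth']} passwords")
    return findings


if __name__ == "__main__":
    now = datetime(2019, 6, 17, 9, 0)
    # Constructed account history: two previous passwords, stored only as salted digests.
    history = [hash_password("Spring2019!!abc"), hash_password("Summer2019!!abc")]
    print(review_password_change("Summer2019!!abc", history))          # rejected: reuse
    print(review_password_change("short1!", history))                  # rejected: length
    print(review_password_change("Correct-Horse-Battery-7", history))  # accepted: []
    print(is_expired(datetime(2019, 1, 1), now))                       # True
    print(is_locked_out([now - timedelta(minutes=m) for m in range(1, 6)], now))  # True
```

The checks are deliberately separate functions so a reviewer can map each policy bullet to the code that enforces it; the lockout check counts only failures inside the window, so old failures do not accumulate into a lock.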

Corruption of Data

Virus/Malware detection practices

• Frequency/scope of scans
• Updates to detection applications

Automated tools to filter

• Email
• Web traffic

Separation of Duties

Principal concept of separation of duties?

Potential control mechanisms include:

• Principle of least privilege
• Rotation of duties
• Independent review
• Dual review
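The User Access Rights slide (assignment of rights by job function, periodic re-approval, prohibition of shared privileged access) and the separation of duties slide above describe a review that is usually done over an export from the directory or core system. The following is an added example, not from the handbook, of that review as code: a job-function baseline, a separation-of-duties matrix of conflicting entitlement pairs, and a set of constructed account records (all account names, job functions, entitlement names and dates are invented) are checked for rights beyond the job function, conflicting duties held by one person, accounts left for terminated users, privileged accounts shared by several people, and dormant accounts. The dormancy threshold is an assumed value.

```python
"""Periodic user access review with separation-of-duties check (added example; constructed data)."""
from datetime import datetime, timedelta

# Constructed job-function baseline: entitlements each job function may hold (least privilege).
JOB_FUNCTION_BASELINE = {
    "teller": {"teller_txn", "customer_lookup"},
    "loan_officer": {"customer_lookup", "loan_create", "loan_modify"},
    "wire_clerk": {"customer_lookup", "wire_initiate"},
    "wire_supervisor": {"customer_lookup", "wire_approve"},
    "sysadmin": {"user_admin", "server_admin"},
}

# Constructed separation-of-duties matrix: entitlement pairs no single person may hold.
SOD_CONFLICTS = [
    ("wire_initiate", "wire_approve"),
    ("loan_create", "loan_approve"),
    ("user_admin", "audit_log_admin"),
]

PRIVILEGED = {"user_admin", "server_admin", "audit_log_admin"}
DORMANT_DAYS = 90                    # assumed threshold for "no recent login"
AS_OF = datetime(2019, 6, 17)        # review date

# Constructed account records, shaped like a directory/core-system export.
ACCOUNTS = [
    {"account": "asmith", "owners": ["A. Smith"], "job": "teller", "status": "active",
     "entitlements": {"teller_txn", "customer_lookup"}, "last_login": "2019-06-14"},
    {"account": "bjones", "owners": ["B. Jones"], "job": "wire_clerk", "status": "active",
     "entitlements": {"customer_lookup", "wire_initiate", "wire_approve"}, "last_login": "2019-06-16"},
    {"account": "cwong", "owners": ["C. Wong"], "job": "loan_officer", "status": "terminated",
     "entitlements": {"customer_lookup", "loan_create"}, "last_login": "2019-02-01"},
    {"account": "svc_admin", "owners": ["D. Lee", "E. Fox"], "job": "sysadmin", "status": "active",
     "entitlements": {"user_admin", "server_admin"}, "last_login": "2019-06-17"},
    {"account": "dlee", "owners": ["D. Lee"], "job": "sysadmin", "status": "active",
     "entitlements": {"user_admin", "server_admin", "audit_log_admin"}, "last_login": "2019-01-10"},
]


def review_account(acct, as_of=AS_OF):
    """Return the list of findings for one account (empty list = nothing to re-approve)."""
    findings = []
    ents = acct["entitlements"]

    # Assignment of user rights based on job function (least privilege).
    excess = ents - JOB_FUNCTION_BASELINE.get(acct["job"], set())
    if excess:
        findings.append(f"rights beyond job function '{acct['job']}': {sorted(excess)}")

    # Separation of duties: both halves of a conflicting pair held by one account.
    for a, b in SOD_CONFLICTS:
        if a in ents and b in ents:
            findings.append(f"separation-of-duties conflict: {a} + {b}")

    # Process for deleting access: account should not survive the user's departure.
    if acct["status"] != "active":
        findings.append(f"account still exists for {acct['status']} user")

    # Prohibit shared privileged access by multiple users.
    if len(acct["owners"]) > 1 and ents & PRIVILEGED:
        findings.append(f"privileged account shared by {len(acct['owners'])} users")

    # Periodic review: dormant accounts are candidates for removal.
    last = datetime.strptime(acct["last_login"], "%Y-%m-%d")
    idle = (as_of - last).days
    if idle > DORMANT_DAYS:
        findings.append(f"dormant: no login for {idle} days")
    return findings


def access_review(accounts=ACCOUNTS, as_of=AS_OF):
    """Map each account with at least one finding to its findings, for re-approval by management."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, as_of)
        if findings:
            report[acct["account"]] = findings
    return report


if __name__ == "__main__":
    for account, findings in access_review().items():
        print(account)
        for f in findings:
            print("  -", f)
```

On the constructed data only asmith is clean; bjones holds both halves of the wire pair, cwong is a terminated user whose account still exists, svc_admin is a privileged account shared by two people, and dlee holds an entitlement outside the sysadmin baseline that also conflicts with user_admin. A real review would feed the report into the re-approval process the slide describes rather than just print it.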

Training

• Must include ALL employees of the institution.
• Must be conducted annually.
• The institution should collect signed acknowledgments of the employee acceptable use policy.

Operational Controls and Processes

• Monitoring tools – detect and preempt system problems or capacity issues
• Daily processing issue resolution and appropriate escalation procedures
• Secure handling, distribution, and disposal of equipment, media, and output (electronic and physical)
• Independent review of master file input and file maintenance changes (e.g., new loan and deposit accounts, address changes, due dates)
• Independent review of global parameter changes (e.g., interest rate for loans and deposits, fee structure, service charges)

Patch Management

• Policies/procedures – current and updated
• Responsible party – management/committee
• Tests patches prior to implementation
• Review vendor-supplied patches
• Validation of system security configuration

Encryption Standards

Evaluate the institution’s use of encryption for sensitive institution and customer data

• At rest and/or in transit
• Current industry standards
• Updates and reviews by IT management

Item Processing

Check processing

• Controls over teller/branch imaging
• Security over the capture, storage, and transmission of images
• Controls over the destruction of source documents after being scanned
• Dual control or independent review over the processing of reject, re-entry, and unposted items
• Physical controls over negotiable items
• Controls over cash letters (e.g., reconcilements, segregation of duties)

Remote Access

Authenticate, Monitor, & Control

• Disable remote communications
• Controlling access
• Implement control over configurations at both ends
• Logging and monitoring all remote access communications.
• Secure remote access devices.
• Restrict remote access during specific times.
• Limit the applications available for remote access.
• Use robust authentication methods for access and encryption to secure communications.

System Configuration/ Access

• Configuration based on standards
  o Industry/vendor
• Configuration standards approvals
  o Senior mgmt., committee, board
• Disable unnecessary ports/services
• Change/disable default passwords/accounts
• Automated tools used to enforce secure configuration
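The slide above ends with automated tools that enforce the approved configuration standard, and the Encryption Standards slide earlier asks whether encryption in transit meets current industry standards. The following is an added example, not from the handbook or any vendor tool, of such a baseline check: it parses a constructed hardening export for one host (the export format, host, service and account names are invented) and compares it against an assumed baseline of permitted services, default accounts that must be disabled, a minimum TLS protocol version and a list of cipher-suite name fragments treated as weak. The baseline values are assumptions an institution would replace with its own approved standard.

```python
"""Secure-configuration baseline check (added example; constructed export and assumed baseline)."""

# Constructed hardening export for one host, one item per line (not a real system).
SAMPLE_EXPORT = """\
# host core01 (constructed)
service sshd port=22 enabled=yes
service https port=443 enabled=yes
service telnet port=23 enabled=yes
service ftpd port=21 enabled=no
account admin default_password=yes enabled=yes
account guest default_password=no enabled=yes
account jdoe default_password=no enabled=yes
tls min_version=1.0 ciphers=ECDHE-RSA-AES128-GCM-SHA256,RC4-SHA
"""

# Assumed baseline (the institution's approved configuration standard would supply these).
BASELINE = {
    "allowed_services": {"sshd", "https"},          # everything else is "unnecessary"
    "disable_default_accounts": {"guest"},          # vendor default accounts to disable
    "min_tls_version": (1, 2),                      # encryption in transit: TLS 1.2 or later
    "weak_cipher_fragments": ("RC4", "DES-CBC", "NULL", "EXP-", "MD5"),
}


def parse_export(text):
    """Parse 'kind name key=value ...' lines into dicts; comments and blank lines are ignored."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, *rest = line.split()
        item = {"kind": kind, "name": None}
        for tok in rest:
            if "=" in tok:
                key, value = tok.split("=", 1)
                item[key] = value
            else:
                item["name"] = tok
        items.append(item)
    return items


def parse_version(text):
    """'1.2' -> (1, 2) so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def check_host(export_text, baseline=BASELINE):
    """Return the list of baseline deviations found in one host's export."""
    findings = []
    for item in parse_export(export_text):
        if item["kind"] == "service":
            # Disable unnecessary ports/services.
            if item.get("enabled") == "yes" and item["name"] not in baseline["allowed_services"]:
                findings.append(
                    f"unnecessary service enabled: {item['name']} (port {item.get('port', '?')})"
                )
        elif item["kind"] == "account":
            # Change/disable default passwords/accounts.
            if item.get("default_password") == "yes":
                findings.append(f"default password still set on account: {item['name']}")
            if item["name"] in baseline["disable_default_accounts"] and item.get("enabled") == "yes":
                findings.append(f"default account enabled: {item['name']}")
        elif item["kind"] == "tls":
            # Encryption in transit against the current standard.
            version = parse_version(item.get("min_version", "0"))
            if version < baseline["min_tls_version"]:
                wanted = ".".join(str(p) for p in baseline["min_tls_version"])
                findings.append(f"TLS minimum version {item.get('min_version')} below baseline {wanted}")
            for cipher in item.get("ciphers", "").split(","):
                if any(frag in cipher.upper() for frag in baseline["weak_cipher_fragments"]):
                    findings.append(f"weak cipher suite enabled: {cipher}")
    return findings


if __name__ == "__main__":
    for finding in check_host(SAMPLE_EXPORT):
        print(finding)
```

Against the constructed export the check reports five deviations: telnet enabled, the admin account still on its default password, the guest account enabled, a TLS floor of 1.0, and the RC4 suite. The disabled ftpd entry and the approved sshd/https services produce nothing, so a clean host yields an empty list, which is what an enforcement tool would act on.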

Privileged/Admin Access

• “Skeleton Key” – all access key
• Access to key functions such as add, delete, and change.
• Control over employee rights and permissible activities.
• Access to key controls such as auditing, logging, etc. that would record a cyber event
• Permit “root” access which allows them to change operating system controls.

VOIP

• Physical/Logical controls
• Patch management/operating system updates
• Network segmentation
• Security testing

ATMs

• Physical controls
• Logical security
• Patch management/operating system updates
• Dual controls over cash
• Card and PIN issuance procedures

Identity Theft

• Board approved program
• Committee reviews/oversight
• Periodic updates (policies/procedures)
• Risk/controls mitigation
• Training for staff (implement/administer program)
• Periodic reports to committee/board

Ebanking Oversight

• Authentication/Authorization
  o Process for customers
• Transaction Risk
  o Detect, prevent & respond
  o Fraudulent activity detection
• Customer Awareness Training
  o Social engineering
  o Phishing scams
  o Anti-virus/malware
  o Public internet access (free WiFi)
• Compliance Risk
• Reputation Risk
  o Cyber attacks
  o Lack of availability
• On-device data security (Mobile)
  o Customer education
• PIN/Passwords/Authentication
• Encryption
• Secure wiping/ability to deregister device if lost or stolen
• Mobile device malware/viruses
• SMS based products – not secured & encrypted
• Data transmission security – risk of public WiFi
