IT Examiner School - November 2022
IT Examiner School
November 1-10 , 2022
@ www.csbs.org � @csbsnews
CONFERENCE OF STATE BANK SUPERVISORS 1129 20th Street NW / 9th Floor / Washington, DC 20036 / (202) 296-2840
IT Examiner School Live Virtual November 1 ‐ 10, 2022
Week 1 Tuesday, November 1, 2022 12:30 pm – 1:30 pm
Introduction & Pre ‐ Course Review/Terminology
Regulations/Guidance
1:30 pm – 2:15 pm
Break
2:15 pm –2:30 pm
Rating System/Exam Process
2:30 pm – 3:00 pm
Risk Assessment
3:00 pm – 4:00 pm
Wednesday, November 2, 2022 12:30 pm – 12:45 pm
Prior Day Review
Development & Acquisition
12:45 pm – 2:15 pm
Break
2:15 pm – 2:30 pm
Audit
2:30 pm – 4:00 pm
Thursday, November 3, 2022 12:30 pm – 12:45 pm
Prior Day Review
Third ‐ Party Risk
12:45 pm – 1:30 pm
Support & Delivery
1:30 pm – 2:30 pm
Break
2:30 pm – 2:45 pm
Support & Delivery
2:45 pm – 4:00 pm
Internal Use Only
Week 2 Tuesday, November 8, 2022 12:30 pm – 1:00 pm
Prior Day Review
Information Security Program Framework
1:00 pm – 2:00 pm
Break
2:00 pm – 2:15 pm
Business Continuity Planning/Disaster Recovery (BCP/DR)
2:15 pm – 3:15 pm
Cybersecurity
3:15 pm – 4:00 pm
Wednes day, November 9, 2022 12:30 pm – 12:45 pm
Prior Day Review
Management
12:45 pm – 2:00 pm
Break
2:00 pm – 2:15 pm
Management
2:15 pm – 2:45 pm
Composite Rating Discussion & Exercise
2:45 pm – 3:15 pm
Breakout Rooms
3:15 pm – 4:00 pm
Thursday , November 10, 2022 12:30 pm – 1:30 pm
Composite Rating Exercise Discussion
Non ‐ Depository/Depository Discussion
1:30 pm – 2:00 pm
Break
2:00 pm – 2:15 pm
Emerging Issues
2:15 pm – 3:30 pm
Final Assessment & Course Wrap Up
3:30 pm – 4:00 pm
Internal Use Only
Regulations & Guidance
1
Internal Use Only
Regulations & Guidance 16 CFR Part 314 of the FTC Rules and Regulations – Standards for Safeguarding Customer Information
2
Internal Use Only
Regulations & Guidance Appendix B, including Supplement, to Part 364 of the FDIC Rules and Regulations – Interagency Guidelines Establishing Information Security Standards
3
Internal Use Only
Regulations & Guidance Appendix A (“Guidelines for safeguarding member information”) & Appendix B (“Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice”) of 12 CFR 748 (“Security Program”)
4
Internal Use Only
Regulations & Guidance Appendix D-2, including Supplement, to Part 208 of the FR Rules and Regulations – Interagency Guidelines Establishing Standards for Safeguarding Customer Information
5
Internal Use Only
Take a Moment to Match the Regulation to the Institution
1. Appendix B, including Supplement, to Part 364 2. Appendices A & B to 12 CFR 748 3. 16 CFR Part 314 4. Appendix D-2, including Supplement, to Part 208
A. Non ‐ Depository
B. Credit Unions
C. State Banks (FRB)
D. Banks (FDIC)
6
Internal Use Only
Regulations & Guidance FFIEC IT Booklet Handbooks: Good reference, but remember the booklet does not specifically apply to FIs not regulated by the FFIEC
7
Internal Use Only
Regulatory Authority Examples: Depository Institutions
Regulators / Licensure
Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.
Type of Entity
Banks (state-member, national, state non-member, credit union)
FDIC, FRB, OCC, States, CFPB 12 CFR 364, Appendix B; Section 501(b) of GLBA; FFIEC; State Laws/Regulations (e.g., Part 500, CCPA)
Bank Holding Companies, Trust Companies, US Branches of FBOs
FRB, States
Generally, the same as banks (above)
Credit Unions (Federal or State)
NCUA, States
12 CFR 748 (Appendix A & B)
8
Internal Use Only
Regulatory Authority Examples: Non-Depository Institutions
Regulators / Licensure
Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.
Type of Entity
Mortgage Originators and Servicers CFPB, FTC, States
16 CFR 314; 501 and 505(b)(2) of GLBA; State Laws and Regulations (e.g., Part 500 and CCPA).
Money Service Businesses / Money Transmitters
FTC, States
Consumer Finance
CFPB, FTC, States
9
Internal Use Only
Examination Approach Examples: Depository Institutions
Type of Entity
IT Exam Approaches/Rating Systems
Banks
Information Technology Risk Examination (InTREx); UFIRS/CAMELS, FFIEC Uniform Rating System for IT (URSIT); CAMEL, where “M” includes a review of information systems
Credit Unions
Trust Companies
FFIEC Uniform Interagency Trust Rating System (UITRS)
Foreign Banking Organizations & Bank Holding Companies
FRB, States; ROCA Rating System – where “O” is operational controls
10
Internal Use Only
Examination Approach Examples: Non-Depository Institutions
Type of Entity
IT Exam Approaches/Rating Systems
Mortgage Originators and Servicers
FFIEC Uniform Interagency Consumer Compliance Rating System (CC Rating System)
Money Service Businesses / Money Transmitters
CSBS Non-Bank Cybersecurity Exam Program; MTRA Workprogram (multi-state exams); FILMS rating system
11
Internal Use Only
Share Your Exam Approach Experience!
• Tell us about the exam approaches and/or rating systems you use regularly
• Do you like using one approach more than the other? If so, please explain briefly?
12
Internal Use Only
Rating Systems & Exam Process
1
Internal Use Only
Components of CSBS Nonbank Cyber Exam Programs
Work Programs
Pre-Examination Resources
Baseline Nonbank Workprogram
Exam Notification Letter
Enhanced Nonbank Workprogram
Pre-Exam Document Request List (DRL)
2
Internal Use Only
Pre-Exam Document Request List Used for the Baseline Nonbank Cybersecurity Exam Program (V1.0) and the Enhanced Nonbank Cybersecurity Exam Program (V1.0 ) Covers 15 Different Program Areas and defines specific documents to be provided
Includes space for State specific requests
3
Internal Use Only
Nonbank Cybersecurity Exam Programs Baseline • Based on the pilot program released in December 2020 Enhanced • More comprehensive, for larger and more complex institutions
• Covers same content as pilot in a streamlined version (based on 2021 examiner feedback) • Easier to use and half the questions with no loss of coverage • Covers four URSIT component areas
• Includes all baseline questions (light blue shading) plus additional questions in areas requiring a deeper dive • Targeted for use by examiners with more specialized knowledge of IT & Cyber
Note: The Baseline and Enhanced Nonbank Cybersecurity Exam Programs were added to SES and are available for mortgage origination, mortgage servicing, and consumer finance exams.
4
Internal Use Only
Baseline Nonbank Cybersecurity Exam Program
Source: https://www.csbs.org/sites/default/files/2022 ‐ 08/Baseline%20Nonbank%20Exam%20Program%20V1.0.pdf
5
Internal Use Only
Enhanced Nonbank Cybersecurity Exam Program
Source: https://www.csbs.org/sites/default/files/2022 ‐ 08/Enhanced%20Nonbank%20Exam%20Program%20V1.0.pdf
6
Internal Use Only
Components of InTREx ITP
Work Program
Information Technology Profile
Core Modules Expanded Modules
Risk Profile
Qualitative Adjustment
Supplemental Workprograms
7
Internal Use Only
InTREx Workprogram Core Modules
Audit
Management
Development & Acquisition • Vendor Management (Acquisition)
Support & Delivery
• Risk Assessment • Vendor Management (Ongoing) • Information Security Standards (GLBA) • ID Theft Red Flags
• BCP • Information Security • Operations • Incident Response • Network Security (IDS, Firewall) • EFT/E-Banking
8
Internal Use Only
InTREx Framework
Based on URSIT components
ED Module concept used for each component
ED Module core decision factors were derived from URSIT assessment factors
9
Internal Use Only
InTREx Features Incorporates baseline cybersecurity into procedures Requires conclusion on cybersecurity preparedness Requires conclusion on GLBA Information Security Standards (Part 364 Appendix B) Enhances focus on transaction/control testing
Allows for tracking of deficiencies noted in any decision factor
10
Internal Use Only
InTREx Procedures
Core Modules Audit, Management, D&A, S&D • All procedures must be completed, but not all bullets need to be addressed • Do have flexibility to scope down, just not scope out
11
Internal Use Only
InTREx Procedures
Cybersecurity Workpaper • No stand-alone workprogram • Applicable procedures are marked with • Requires summary comment
12
Internal Use Only
InTREx Procedures
Information Security Standards (GLBA) Workpaper • No stand-alone workprogram • Applicable procedures are marked with • Requires summary comment
13
Internal Use Only
InTREx Additional Procedures
Expanded Modules • Available for Management and S&D
• Provide additional procedures for IT products/ services not covered in Core or that may need additional analysis
14
Internal Use Only
InTREx Additional Procedures Supplemental Workprograms (ED Modules/FFIEC IT Handbook) • ED Modules available for a variety of areas (EFT, Mobile Banking, Merchant Acquiring, etc.) • FFIEC IT Handbook provides in-depth procedures • FDIC Risk Advisories and Technical Examination Aids provide guidance • Should be completed to assess specific products not covered in the Core or Expanded Modules, or areas of higher complexity that require more in-depth review
15
Internal Use Only
InTREx Control Testing
Control Tests • Core Modules identify potential control tests • Control tests are marked with • Use discretion in determining which tests to perform • Not all control tests need to be performed, and conversely, examiners can do own control tests
16
Internal Use Only
InTREx Control Testing
Control Tests • If a control test was performed, the results should be noted in the comments to that procedure • May leverage control testing performed by internal and external auditors • Sufficient testing should be performed to validate the effectiveness of controls
17
Internal Use Only
Risk Assessment
1
Internal Use Only
Risk Assessment Overview • Purpose
• Risk Appetite • Risk Identification • Risk Assessment • Risk Response • Risk Monitoring
2
Internal Use Only
Why have a Risk Assessment? Helps organizations identify inherent business risks and provide measures, processes and controls to reduce the impact of these risks to business operations • Without a Risk Assessment: • Not in compliance with GLBA (Appendix B of Part 364 of the FDIC Rules and Regulations) • Protection of information assets are not aligned with business objectives or regulatory requirements • Loss (or compromise) of critical information can be catastrophic • Loss of trust between a financial institution and its customers • Harms the safety and soundness of institution
3
Internal Use Only
Information Security “CIA TRIAD”
• Confidentiality. Only authorized entities, have access to the data. • Integrity. There are no unauthorized modifications of the data. • Availability. Authorized entities can access the data when and how they are permitted to do so.
4
Internal Use Only
IT & Cyber Risk are Business Risks • IT can provide significant benefits to an enterprise, but it also involves risk • IT provides value to enterprise • IT-related events could potentially impact the business • IT creates challenges in meeting strategic goals and objectives and uncertainty in the pursuit of opportunities • IT goals must align with business goals and objectives (Grow, Run, Change) • IT/Cyber risk is operational risk and should be treated like other key business risks • Other Operational Risks are people, process, external events, legal & compliance • Many executives tend to relegate IT risk to technical specialists outside the boardroom • Transfer responsibility
5
Internal Use Only
Risk Governance
Board of Directors
Risk Appetite
Senior Management
Risk Reporting
Risk Reporting
Risk Management
Business Units
Risk Guidance
Risk Monitoring
Business Operations & Processes
6
6
Internal Use Only
Risk Appetite
Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of its mission.
How much risk is an organization willing to accept to achieve its objectives?
Risk appetite is not just a part of risk and risk management discussions, it is a key component in strategic planning and day-to-day decision making.
7
7
Internal Use Only
Cycle of IT Governance
Test and Update: • Policies • Procedures • Controls
Identify and prioritize gaps: • Policies • Procedures • Controls
Risk Assessment: • Assets • Threats • Vulnerabilities • Mitigating controls
8
8
Internal Use Only
Question Who sets the Risk Appetite for the organization?
A. CEO B. The Board
C. CISO D. CRO
9
Internal Use Only
Risk Assessment Types & Methodologies
10
Internal Use Only
Risk Assessments Process used to identify and understand risks to the confidentiality, integrity, and availability of information and systems. Consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. Results are used to develop strategies to mitigate those risks.
11
Internal Use Only
Types of Risk Assessments
Gramm ‐ Leach ‐ Bliley Act (GLBA) / Information Security
Business Continuity Planning
Audit
Authentication
Encryption, Awareness Training, etc.
Automated Clearing House (ACH)
Cybersecurity
Third Parties
12
Internal Use Only
Risk Assessment Methodologies
Quantitative
Qualitative
• Based on Judgment • Simple to implement • Flexible, cover all business risks • Quick to identify risks • Subjective/Bias • Delphi technique/expert opinions • Decision trees • Probability/Consequence • Relies on organizational expertise
•Data Driven! •Objective and accurate •Realistic and measurable •Requires data for analysis •More complex = more time •Data can be difficult to collect
13
Internal Use Only
Question What are the drawbacks of conducting a Qualitative Risk Assessment ?
(Type in the chat)
14
Internal Use Only
Risk Assessment Process & Walkthrough
15
Internal Use Only
Risk Assessment Process
Identify and value information assets
Identify potential internal/external threats and/or vulnerabilities
Assess likelihood & impact of threats/vulnerabilities
Risk Response (Accept, Transfer, Reduce, Ignore)
Assess sufficiency of risk control policies, procedures, information systems, etc.
16
Internal Use Only
Risk Assessment Process
Identify and value information assets
Identify potential internal/external threats and/or vulnerabilities
Assess likelihood & impact of threats/vulnerabilities
Risk Response (Accept, Transfer, Reduce, Ignore)
Assess sufficiency of risk control policies, procedures, information systems, etc.
17
Internal Use Only
Identifying Assets Electronic (Network maps, hardware/software, systems, databases, computers, media) Paper ‐ Based (Policies, reports, contracts, financial records)
Outsourcing arrangements Cloud computing
18
Internal Use Only
Examples of Assets to be Protected
People • Expertise, corporate memory
Hardware • CPU, routers, drives
Software • OS, applications, source code
Data • Database, files, email, backups
Documentation • Loan & deposit documents • Disclosures • Signature cards
Third Parties • Processors • Aggregators
Cloud • AWS • Salesforce • Jira
19
19
Internal Use Only
Identifying Asset Sensitivity
Once the assets are identified, their criticality & sensitivity must be valued
It is critical to differentiate the importance of assets so that institutions can assign priorities & appropriate controls
It is the firm’s responsibility to provide definitions for the classifications they use in their risk assessment
Management should be able to define all terms used in the risk assessment
20
Internal Use Only
Example Bank Topology
21
21
Internal Use Only
Risk Assessment: Identification & Valuation
22
22
Internal Use Only
Risk Assessment: Identification & Valuation
• Institutions may value assets in a variety of ways. • Asset’s replacement value • Revenue loss • Reputation • Sensitivity of the data, etc. • No right or wrong way, but it makes sense and retain an internal consistency.
23
23
Internal Use Only
Risk Assessment Process
Identify and value Information assets
Identify potential internal/external threats and/or vulnerabilities
Assess likelihood & impact of threats/vulnerabilities
Risk Response (Accept, Transfer, Reduce, Ignore)
Assess sufficiency of risk control policies, procedures, information systems, etc.
24
Internal Use Only
Threats, Vulnerabilities, and Risks
Vulnerability
Risk
Threat
• Any circumstance or event with the potential to adversely impact organizational operations
• Hardware, firmware, or software flaw that leaves an information system open to potential exploitation • Weakness in automated procedures, controls, layout, etc., that could be exploited to gain unauthorized access or disrupt processing
• Level of impact on operations, assets, or individuals given the potential impact of a threat and the likelihood of that threat occurring
25
Internal Use Only
Types of Threats
26
Internal Use Only
What are you afraid of?
• Ransomware • Configuration errors • Spear Phishing
• Website Defacement • Social Engineering • Remote access risks • Bring Your Own Device • Third Parties • Employees “insider threats” • Regulators
27
27
Internal Use Only
Risk Assessment: Threats & Vulnerability & Risk
28
28
Internal Use Only
Question What is the first step in developing a risk assessment? A. Identify threats B. Identify assets C. Identify vulnerabilities D. Identify risk
29
Internal Use Only
Risk Assessment Process
Identify and value information assets
Identify potential internal/external threats and/or vulnerabilities
Assess likelihood & impact of threats/vulnerabilities
Risk Response (Accept, Transfer, Reduce, Ignore)
Assess sufficiency of risk control policies, procedures, information systems, etc.
30
Internal Use Only
Weighing Threats
• Institutions may choose between • Qualitative Assessment • Quantitative Assessment • Combination of both, but Qualitative
• Management may place more weight on one type of threat than another.
• When reviewing the institution's risk values, interact with management if something does not make sense.
31
31
Internal Use Only
Risk Assessment: Weighing Threats
32
32
Internal Use Only
Question Which of the following would be considered a vulnerability? A. Obsolete network servers B. Untrained personnel C. Export of customer data
33
Internal Use Only
Risk Assessment Process
Identify and value information assets
Identify potential internal/external threats and/or vulnerabilities
Assess likelihood & impact of threats/vulnerabilities
Risk Response (Accept, Transfer, Reduce, Ignore)
Assess sufficiency of risk control policies, procedures, information systems, etc.
34
Internal Use Only
Risk Assessment: Risk Response
35
35
Internal Use Only
Risk Mitigation is Not Risk Elimination!
• Impossible to eliminate threats 100%
• Risk response is to reduce the impact or consequence of the vulnerability
• Exposure is in line with Risk Appetite
• Board aware and agree to the outcomes
One needs a process to ensure you are implementing countermeasures that actually limit risk.
36
36
Internal Use Only
Risk Assessment Process
Identify and value information assets
Identify potential internal/external threats and/or vulnerabilities
Assess likelihood & impact of threats/vulnerabilities
Risk Response (Accept, Transfer, Reduce, Ignore)
Assess sufficiency of risk control policies, procedures, information systems, etc.
37
Internal Use Only
Risk Assessment: Control Testing
38
38
Internal Use Only
Risk Assessment: Control Testing
• Assurance testing or self assessments on controls if documented, demonstrates risk monitoring. • Metrics reporting provides evidence of conformance with policies and procedures. • Independent review to test controls reduce bias, increase capabilities, and increase knowledge about threats and technologies. • Independence gives credibility to the test results. • The reports generated from the tests should be prepared by individuals who similarly are independent.
39
Internal Use Only
Risk Assessment Review & Key Points
• Purpose • Risks • Risk Appetite
• Risk management • Risk Assessment
40
Internal Use Only
Risk Assessment Review
The risk assessment must identify: • Information and technology assets of the organization • Assess likelihood and impact of threats & vulnerabilities (inherent risk) • Risk Response (Accept, Transfer, Reduce, Ignore) • Audit controls/provide assurance
41
41
Internal Use Only
Plan to expand the depth when: A risk assessment has not been reviewed at least annually. There have been changes in management and/or environment. Risks identified do not incorporate Technical, Human, Environmental risks. The risk assessment has been completed with limited input from other departments. There are discrepancies between the services/ topology and assets identified in the risk assessment. Significant audit and independent review findings are evident. You are not confident in management's responses. Expanding the Depth of Review
42
42
Internal Use Only
Reducing the Depth of Review
May be able to significantly reduce the depth of the risk assessment review when: The risk assessment was recently reviewed by a qualified auditor and found to be adequate. There have been no changes in management or the environment since the last examination. The quality of the risk assessment process has been validated
43
43
Internal Use Only
Risk Assessment: Management Responsibilities Effective risk assessments are done by qualified personnel, have executive-level ownership & are enterprise-wide.
Risk assessments should be done annually or when significant changes occur.
An effective risk assessment process includes identification of assets, threats & vulnerabilities.
Management should be able to explain rationale for security devices they use and for not including devices that would further mitigate risk.
44
Internal Use Only
Risk Assessment: Board Responsibilities The Board is responsible for communicating their risk tolerance to management.
Board should review and approve the risk assessment annually.
Risk decisions (acceptance/exceptions) should be made at the Board and/or executive management level and be documented.
Board minutes should support for answers provided by management during discussions (approval/discussion of risk assessment findings, risk acceptance decisions, etc.).
45
Internal Use Only
46
Internal Use Only
Development and Acquisition
1
Internal Use Only
Module Objectives • Analyze an institution's project management process. • Understand the aspects of the development, acquisition, and maintenance activities. • Assess management’s ability to effectively deploy appropriate technology solutions from initial contract to end of life (EOL). • Identify weaknesses and draw meaningful conclusions about an institution's process and practices.
2
Internal Use Only
System Development Life Cycle • A project management technique that divides complex projects into smaller, more easily managed segments or phases. • Segmenting projects allows managers to verify the successful completion of
project phases before allocating resources to subsequent phases. • SDLC can be conveyed in 5-6-7 phases. • Phases may be divided differently depending on the organization involved.
3
Internal Use Only
SDLC: The glue that holds Development & Acquisition together
SDLC
Framework
Project Management
Process
Development
Acquisition
In ‐ house
Third Party
4
Internal Use Only
SDLC: The glue that holds Development & Acquisition together
• Initiation
• Planning & Analysis
• Initiation
1
1
1
• Planning
• Design
2
• Planning
2
2
• Design
3
• Development
3
• Development
• Execution
4
3
• Testing
4
• Testing
5
• Monitoring
4
• Deployment
• Implementation
5
6
• Closing
• Maintenance
• Maintenance
5
6
7
5
Internal Use Only
SDLC: The glue that holds Development & Acquisition together
Initiation
Planning
Design
Develop
Test
Implement
Maintenance
• Key tasks in initiation & planning include: – Begins when an opportunity to add, improve or correct a system is requested. A business need is identified (requires stakeholder involvement) – Feasibility study outlines scope, cost/benefit, functional requirements, Project factors. – Creation of Project Plan that refines initiation phases further identifying specific activities for the project. – Creation of Business Requirements Document – Key areas include Project Overview, Requirements, Roles and Responsibilities, Communication, Management, Budget, Testing, Deliverables.
6
Internal Use Only
SDLC: The glue that holds Development & Acquisition together
Initiation
Planning
Design
Develop
Test
Implement
Maintenance
• Key tasks in design & develop include: – Begins converting informational, functional, and network requirements into design that programmers can use to script an application. – Design document focuses on how to deliver the required functionality based on business requirements document (BRD). – Development starts when stakeholders agree on design, converting design specifications into an executable program. – Development includes, acquiring and installing system environment, databases, test case procedures, and coding.
7
Internal Use Only
SDLC: The glue that holds Development & Acquisition together
Initiation
Planning
Design
Develop
Test
Implement
Maintenance
• Key tasks in test & implement include: – Testing phase should test to ensure accuracy of programmed code, inclusion of expected functionality, and interoperability with other applications and network components. – Good Project management practices will have test plans & test environment prior to development – Various testing methodologies include acceptance testing, functional, integration, stress testing. – Implementation involves approving, installing or moving test code into production. (Separation of duties is key) .
8
Internal Use Only
SDLC: The glue that holds Development & Acquisition together
Initiation
Planning
Design
Develop
Test
Implement
Maintenance
• Key tasks in maintenance include: – Configuration Management with baselines versions or “gold image” of approved application or system. – Change Management documented procedures for ensuring all changes are approved and documented. – Procedures for Upgrades, patches, security fixes and emergency updates. – Decommissioning and End-of-Life.
9
Internal Use Only
Question 1 There are only five (5) phases in SDLC?
A. True
B. False
10
Internal Use Only
Question 2 What document is the most critical in order to design a system? A. Network Requirements B. Functional Requirements C. Business Requirements D. Informational Document
11
Internal Use Only
Project Management
12
Internal Use Only
Project Management • Project management is simply planning and completing a task which includes one-time or ongoing operational activities. • Project Management practices are formalized. • Characteristics of a project management include: • Roles and Responsibilities • Project Plans • Standards & Procedures
13
Internal Use Only
Roles and Responsibilities Key Roles Responsibilities Board of Directors (BoD)
Approve funding (major projects) and should understand project plans and monitor progress against plan. Set risk tolerance levels within which the project manager must operate. Establish and approve major project deliverables and coordinate activities. The committees often include the project manager, a board member, and executives from all organizational departments. Approve & promote projects within their authority and ensuring adequate resources are available to complete projects. Ensuring projects support business objectives, project goals and expectations are clearly defined, and project tasks are identified, scheduled, and completed. Project managers are also responsible for monitoring and reporting a project's status to senior management. Maintaining the technology resources used by project teams and assisting in the testing and implementation phases. User departments assist in defining and testing functional requirements (system features). End ‐ user involvement throughout a project is critical to ensuring accurate definitions and adequate tests. Identify and design security requirements and testing the features during development and after implementation. Validate project assumptions and ensure the quality of deliverables. Assurance personnel should be independent of the development process and use predefined standards and procedures. Identify system control requirements and testing the controls during development and after implementation.
Technology Steering Committee Senior Management Project Manager (PMO)
Technology Department
User Departments
Information Security Quality Assurance
Auditors
14
Internal Use Only
Project Plans
• Project plans are detailed with clearly defined expectations, realistic budgets, and communication structure ensures the organization's ability to manage projects successfully. • Boards, or board-designated committees, should formally approve project methodologies, and management should approve and document significant deviations from approved procedures. • Project Plans must be carefully managed to ensure they meet organizational needs on time and within budget. • Ineffectively managed projects often result in late deliveries, cost overruns, or poor- quality applications. • Regardless of the SDLC method used, it should be tailored to match a project's characteristics and risks.
15
Internal Use Only
Project Standards
Organizations should establish appropriate methodologies that govern project management activities:
• Configuration Management • Quality assurance • Risk management • Testing • Documentation
16
Internal Use Only
Project Management Tools
Management (PMs) should have appropriate tools to schedule and monitor project tasks and estimate project costs and completion dates.
• Project Trackers • Gannt Charts • Kanban (Agile tool) • Collaborative Software
Examiners should verify accuracy of trackers, charts and diagrams to assess the effectiveness of project management tools.
17
Internal Use Only
Project Management Process
Initiation
Planning
Execution
Monitoring
Closing
• Scope & Budget • Business Requirements Document • Work Breakdown Schedule • Gantt Chart
• Deployment • Upgrades • Infrastructure
• Tracking & Status • KPIs • Technology Steering Committee • BoD Reporting • Scope Creep
• Conclude activities • Policy & Procedures • Independent Review • BCP & DR Testing
• Business Need • Feasibility Study • Project Plan • Risk assessment
• Test Environment • Quality Assurance • Change requests • Updates to plan
Information Security & Audit
18
Internal Use Only
Project Management Communications Adequate level of oversight and support provided by management & the board relating to development, acquisition, and maintenance activities.
• Policies establish committee and Board reporting requirements. • Risk reporting and monitoring procedures. • Examiners need to determine the frequency and quality of technology-related reporting to committees and board are satisfactory.
19
Internal Use Only
Question 3 What is the role of the IT Steering Committee? A. Oversee & approve major project deliverables, coordinate within departments and prioritize resources.
B. Managing individual projects goals and expectations.
20
Internal Use Only
Development
21
Internal Use Only
What is Development? • Development projects involve the creation of software applications or integrated application systems. • May include “internally developed” scripts or spreadsheets and database reports for cases where organization rely on the spreadsheets and reports to make important budgeting and accounting decisions. • Software development projects can be completed in-house, through outsourcing, or by a combined approach. • Organizations typically manage development projects using systematic methodologies that divide large, complex tasks into smaller, more easily managed segments or phases (SDLC).
22
Internal Use Only
Development Standards
• Project management standards should address issues such as project management methodologies, risk management procedures, and project approval authorities. • Roles & responsibilities that establish SoD Separation of duties within the development team controls for “test” and “production” environments. • System control standards should address items such as an application's functional, security, and automated control features. Organizations should have written development standards that, at a minimum, address project management, roles and responsibilities, system control, change control, testing and documentation.
23
Internal Use Only
Development Standards • Change control standards to ensure modifications do not disrupt operations or degrade a system's performance or security, organizations should establish appropriate change management standards and procedures. • Testing standards that requires organizations to complete various tests to ensure the accuracy of programmed code, the inclusion of expected functionality, and the interoperability of applications and other network components. • Coding standards are that set coding rules, guidelines, and best practices. • Documentation standards that require programmers to document completed programs and test results thoroughly.
24
Internal Use Only
Acquisition
25
Internal Use Only
What is Acquisition?
Acquisitions are similar to development projects in that management approves project requests, defines functional, security, and system requirements, and appropriately tests and implements products.
Quality assurance, risk management, and testing
Project standards and procedures
Project plans
Definitions of product requirements
Involvement by all affected parties
26
Internal Use Only
Acquisition key areas
Acquisition requires a management to review potential vendors' financial strength, support levels, security controls, etc., prior to obtaining products or services.
Vendor selection and review
Contract negotiation and license reviews
Monitoring (SLAs)
Software escrow arrangements
Disposal End ‐ of ‐ Life (EOL)
Change Control
27
Internal Use Only
Vendor Due Diligence A proper due diligence process should focus on the prospective third party’s: • Ability to provide the services needed • Financial condition • Industry expertise • Knowledge & experience of applicable laws and regulations • Reputation (check references, public information) • Scope of operations and deliverables (can they provide adequate service and support?) • Effectiveness of controls (will they make audit reports available?)
28
Internal Use Only
Software Contract Agreements • Management should establish clear expectations in the contract. • Insist on right to audit. • Agree on notification requirements for security incidents or changes in any subcontracting relationships. • Exit provisions, data ownership, data conversion all need to be considered in the contract. • Regulatory requirements clause. • For mission-critical software, clauses that limit vendor liability are a dangerous practice. • Before management signs the contracts, it should submit them for legal counsel review.
29
Internal Use Only
Software Escrow Agreements • Proprietary programs including those written in publicly available code are copyrighted and distributed through various licensing agreements. • Typically, an independent third party retains the source code as an escrow agent. • Organizations with escrow agreements should ensure correct version and that documentation is included. This should be specified in the contract and verified periodically. • Organizations that have escrow agreements should consider protecting their escrow rights by contractually. • Access to source code is allowed under very limited specific conditions , which must be specified in the agreement; for example,
• Discontinued product support • Financial insolvency of vendor
30
Internal Use Only
Change Management • Procedures should ensure that modifications do not disrupt operations or degrade a system's performance or security. • Involves ensuring that all changes to products, services, and procedures are approved, documented, and implemented. • Management should establish change controls that address major, routine, and emergency software modifications and software patches. • Procedures that include detailed steps and techniques for backing out.
31
Internal Use Only
Types of Changes
Emergency Changes
Routine Changes
Updates that are so important that they need to be implemented as soon as possible. Should be tested prior to implementation when possible. If not possible, backup files back-out procedures are critical. • Descriptions of a change • Reasons for implementing or rejecting a proposed change • Name of the individual who made the change • Copy of the changed code • Date and time a change was made • Post-change evaluations
Can usually be implemented in the normal course of business. Should be formal and include procedures for:
• Requesting • Evaluating • Approving • Testing • Installing • Documenting software modifications
32
Internal Use Only
Disposal
End-of-Life Support
Decommissioned
The point when a vendor ceases support for a product or service. When support ends, the vendor no longer makes code improvements or provides patches to address newly discovered security weaknesses. (Vulnerabilities) Vendors typically work to prepare customers for end of support. Management should have a formalized policy on End-Of-Life assets.
Involves the orderly removal of surplus or obsolete hardware, software, or data. Part of management’s processes should be to have a defined, expected life span for hardware and software. Primary tasks include the transfer, archiving, or destruction of data records. Management should transfer data from production systems in a planned and controlled manner that includes appropriate backup and testing procedures.
33
Internal Use Only
Question 4 If company is having no issues, then why would there a problem with using unsupported programs?
34
Internal Use Only
Questions?
35
Internal Use Only
Appendix Waterfall & Agile
36
Internal Use Only
Waterfall & Agile
Waterfall
Agile
• Agile is a methodology is iterative approach allowing project phases to be worked simultaneously based on the feedback from the client/stakeholder instead of delivering it all at once near the end. • Created to address the issue of deadlines which were missed, going over the budget or sometimes both these issues. Many organizations have succumbed to these issues. • Agile is a lot more flexible and accounts for experimenting with different directions. Rather than a fixed timeline and budget, the schedule adapts as the project progresses .
• Waterfall is a methodology that is a linear system of working that requires the team to complete each project phase before moving on to the next one. • Ideal for projects where the end result is clearly established from the beginning of the project. • Waterfall has a fixed timeline and budget. The idea is that the start and finish of the project are already mapped out from the beginning.
37
Internal Use Only
Waterfall & Agile
Waterfall
Agile
• Initiation
• Initiation
1
1
• Planning
• Planning
2
2
• Design
• Design
3
3
• Development
• Development
4
4
• Testing
• Testing
5
5
• Implementation
• Implementation
6
6
• Maintenance
• Maintenance
7
7
38
Audit
1
Objectives
Provide tools to assess the effectiveness of the IT Audit Program
IT Audit Component Rating
Types of IT Audits/Reviews
IT Auditor Expertise
IT Audit Scope
2
Audit/Independent Review
Performed by independent personnel
Knowledgeable individuals conduct
Risk assessment/complexity based
Documented Findings/recommendations
Board/Committee reported results
Conducted separately or all at once
IT scope & frequency based on inherent or residual risk
3
Assessment Areas for IT Audits
The IT Audit program should be assessed for the following:
• Audit risk assessment, plan and scope • Appropriate coverage of the entity’s IT environment and activities • Quality of written IT reports • Audit independence • Auditor qualifications • Findings and recommendations reporting and follow ‐ up
4
Guidance for IT Audit
FFIEC IT Examination Audit Handbook
Federal Agency Rules and Regulations
Interagency Policy Statement on the Internal Audit Function and its Outsourcing Interagency Policy Statement on External Auditing Program of Banks and Savings Associations Interagency Guidelines Establishing Information Security Standards (GLBA) Information Systems Audits and Control Association (ISACA)
5
IT Audit Engagement
Engaged and signed by an individual or committee not responsible for IT operations. •Preferably signed by a member of the Board or Audit Committee.
Expectations and responsibilities
The scope, timeframes, and cost of work to be performed
Institution access to audit workpapers
6
IT Audit Risk Assessment
Universe of auditable entities
Risk assessment = audits
Reasonable scale
Effectiveness of Controls
Inherent risk Relevance of controls
7
The only scale where cyber risk should be rated second lowest
8
IT Audit Scope
Identifies areas to be reviewed ‐ consistent with risk assessment/risk level
Describes how the audit will be performed and tools to be used
Provides the timeframe for completing the audit
Firms may provide engagement letter specifying this information including costs
9
Example – Risk Assessment ≠ Audit Scope
Risk Assessment / Audit Schedule
• Network Penetration and Vulnerability Assessment • Wire Transfer Audit • Internet Banking/Social Media Audit • IT Audit • Vendor Management Audit
List of IT Audits
Scope from IT Audit
10
IT Audit Coverage
IT General Controls
Information Security Program (GLBA)
EFT (ACH/Wires/RDC)
NACHA Compliance
Penetration Testing/Vulnerability Assessment
Identity Theft Red Flags Program
Regulation GG/Unlawful Internet Gambling Enforcement Act
11
IT Audit Coverage
Business Continuity Planning
Change/Patch management
Vendor Management
Cybersecurity
Management
Internet/Online Banking
Third ‐ party outsourcing
Strategic Planning
Disaster Recovery
Network Architecture (Firewalls and IDS/IPS)
Project Management
BIA
Social Engineering
Incident Response
GLBA Compliance
Security Monitoring
Red Flags/ID Theft Prevention
12
Written IT Audit Reports Describe scope and objectives
Identifies the deficiencies/wea knesses
Suggests corrective action(s)
Management’s response/timing for corrective action(s)
Provides information on prior audit findings
•Identifies repeat findings
Complies with audit plan and schedule
13
Types of IT Audits
Internal Audits/ Certifications
IT General Controls
Penetration Tests
Vulnerability Assessments
Statement on Standards for Attestation Engagements (SSAE ‐ 16/18)
14
IT General Controls (ITGC)
• Logical access controls over infrastructure, applications, and data • System development life cycle controls • Program change management controls • Data center physical controls • System and data back ‐ up and recovery controls • Computer operation controls
ITGC:
ITGCs should be performed annually
15
Wire Transfer/ACH Audits
These services are critical to many financial entities
• Particularly in small to medium community banks, CUs, and MTs Usually included in with ITGC audit • Could occur in financial entities with significant wire/ACH activity • Usually in large community financial entities Can be a separate audit
16
Knowledge Check Which of the following would you not expect to find as part of the scope of the IT Audit Program?
A. Model Risk Management B. Funds Transfers Controls C. GLBA Compliance D. Business Continuity Planning
17
Knowledge Check Which of the following would you not expect to find as part of the scope of the IT Audit Program?
A. Model Risk Management B. Funds Transfers Controls C. GLBA Compliance D. Business Continuity Planning
Model risk management is not considered to be an IT function, and therefore is not included in the IT audit program.
18
Made with FlippingBook flipbook maker