IT Examiner School - Oct 2023

IT Examiner School

October 24 - November 2 Live Virtual

@ www.csbs.org | @csbsnews

CONFERENCE OF STATE BANK SUPERVISORS 1 , Street NW / Suite / Washington, DC 20 / (202) 296-2840

IT Examiner School Live Virtual October 24 – November 2, 2023

Week 1

Tuesday, October 24, 2023
12:30 pm – 1:30 pm   Introduction & Pre-Course Review/Terminology
1:30 pm – 2:15 pm    Regulations/Guidance
2:15 pm – 2:30 pm    Break
2:30 pm – 3:00 pm    IT Examination Work Programs
3:00 pm – 3:30 pm    FFIEC CAT Tool
3:30 pm – 4:00 pm    Audit

Wednesday, October 25, 2023
12:30 pm – 2:00 pm   Audit
2:00 pm – 2:15 pm    Break
2:15 pm – 4:00 pm    Management

Thursday, October 26, 2023
12:30 pm – 1:30 pm   Development & Acquisition
1:30 pm – 2:30 pm    Information Security/Risk Assessment
2:30 pm – 2:45 pm    Break
2:45 pm – 4:00 pm    Risk Assessment Activity

Week 2

Tuesday, October 30, 2023
12:30 pm – 12:45 pm  Prior Week Review
12:45 pm – 2:00 pm   Support & Delivery
2:00 pm – 2:15 pm    Break
2:15 pm – 3:15 pm    Support & Delivery
3:15 pm – 4:00 pm    Business Continuity

Wednesday, November 1, 2023
12:30 pm – 1:30 pm   Business Continuity
1:30 pm – 2:15 pm    Third Party Risk
2:15 pm – 2:30 pm    Break
2:30 pm – 3:00 pm    Composite Rating Discussion & Exercise
3:00 pm – 4:00 pm    Breakout Rooms

Thursday, November 2, 2023
12:30 pm – 1:30 pm   Composite Rating Exercise Discussion
1:30 pm – 2:00 pm    Emerging Issues
2:00 pm – 2:15 pm    Break
2:15 pm – 3:30 pm    Emerging Issues
3:30 pm – 4:00 pm    Final Assessment & Course Wrap Up

Virtual IT Examiner School October 24-26 & October 31-November 2


Zoom


Schedule

This week:
• Tuesday, October 24: 12:30 PM – 4:00 PM ET
• Wednesday, October 25: 12:30 PM – 4:00 PM ET
• Thursday, October 26: 12:30 PM – 4:00 PM ET

Next week:
• Tuesday, October 31: 12:30 PM – 4:00 PM ET
• Wednesday, November 1: 12:30 PM – 4:00 PM ET
• Thursday, November 2: 12:30 PM – 4:00 PM ET


Instructors

Kenneth Biser – North Carolina Office of the Commissioner of Banks

Craig Farrar – New York Department of Financial Services

Matthew Fujikawa – California Department of Financial Protection & Innovation

Will Peterson – New York Department of Financial Services


NYS DFS Disclaimer

The views expressed are those of the speaker and do not represent the official views of New York State or the NYS Department of Financial Services, aka DFS. Anything said during this training shall not bar, estop, or otherwise prevent DFS, or any federal or other state agency from taking any action different from anything said during this training. Participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.


Introductions

Name

State

IT Exam Experience

Fun fact

Something you hope to learn


Go to www.menti.com and enter Game PIN provided


Internal Use Only

Regulations & Guidance


Module Agenda

• Provide an Overview of Common Data Privacy Laws and Standards
• Discuss Information Security Related Laws Impacting Financial Institutions (FIs)
• Describe the Gramm-Leach-Bliley Act (GLBA) and Federal Implementation of Standards Required Under 501(b)
• Compare Examination Approaches, Work Programs, and Rating Systems for Depository and Non-Depository FIs


Examples of Data Privacy Related Laws/Standards

Law: FERPA (Family Educational Rights and Privacy Act)
Year: 1974
Overview: Protection of student records
Who it impacts: Any post-secondary educational institution

Law: HIPAA (Health Insurance Portability and Accountability Act)
Year: 1996
Overview: Protects the privacy of patient records
Who it impacts: Any company or agency that deals with health care

Law: GLBA (Gramm-Leach-Bliley Act)
Year: 1999
Overview: Mandates that companies secure private information of clients and customers
Who it impacts: Financial institutions (FIs) that offer financial products (insurance, loans, investments)

Law: SOX (Sarbanes-Oxley Act)
Year: 2002
Overview: Maintain and protect financial records for seven (7) years
Who it impacts: US public companies, accounting and management firms

Law: FISMA (Federal Information Security Management Act)
Year: 2002
Overview: Recognizes information security as a national security matter
Who it impacts: Federal agencies dealing with information related to national security

Law: PCI-DSS (Payment Card Industry Data Security Standard)
Year: 2004
Overview: Consumer credit card data security
Who it impacts: Companies involved in handling of credit card information


Information Security Related Laws Impacting FIs

Bank Service Company Act, 12 USC 1867(c)
Subjects bank service companies to examination and regulation by Federal Regulators and requires notice to be provided within 30 days of entering into a service contract

Bank Protection Act, 12 USC 1882 "Security Measures for Banks and Savings Associations"
Requires installation, maintenance, and operation of security devices and procedures, to discourage robberies, burglaries, and larcenies and assist in the identification and apprehension of persons who commit such acts

Fair and Accurate Credit Reporting Act (FCRA), 15 USC 1681w
Requires each FI to develop, implement, and maintain, as part of its existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports to address risks associated with identity theft

Gramm-Leach-Bliley Act (GLBA), 15 USC 6801
Requires each agency or authority to establish appropriate standards for the FIs subject to their jurisdiction relating to administrative, technical, and physical safeguards

Source: https://ithandbook.ffiec.gov/laws-regulations-guidance/information-security/#Laws
Complete List of FFIEC Maintained Laws, Regulations, and Guidance: https://ithandbook.ffiec.gov/laws-regulations-guidance/


The Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.


The Gramm-Leach-Bliley Act (GLBA) - cont.

Title V, Subtitle A of the Gramm-Leach-Bliley Act ("GLBA") governs the treatment of nonpublic personal information (NPPI or NPI) about consumers by financial institutions.

"It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information" (Section 501(a))

• Section 501 – protection of nonpublic personal information
• Section 502 – prohibits financial institutions from disclosing nonpublic personal information about a consumer to non-affiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements; and (ii) the consumer has not elected to opt out of the disclosure
• Section 503 – requires institutions to provide notice of their privacy policies and practices to their customers


The Gramm-Leach-Bliley Act (GLBA) - 501(b)

501(b) requires each agency or authority to establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards:
• To ensure the security and confidentiality of customer records and information;
• To protect against any anticipated threats or hazards to the security or integrity of such records; and
• To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

In 2000, the Board of Governors of the FRS (“Board”), the FDIC, the NCUA, the OCC, and the former OTS, published regulations implementing provisions of GLBA governing the treatment of nonpublic personal information about consumers by financial institutions.


Regulatory Authority Examples: Depository Institutions

Type of Entity: Banks (state-member, national, state non-member, credit union)
Regulators / Licensure: FDIC, FRB, OCC, States, CFPB
Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.: 12 CFR 364, Appendix B; Section 501(b) of GLBA; FFIEC; State Laws/Regulations (e.g., Part 500, CCPA)

Type of Entity: Bank Holding Companies, Trust Companies, US Branches of FBOs
Regulators / Licensure: FRB, States
Laws, Regulations, or Guidance: Generally, the same as banks (above)

Type of Entity: Credit Unions (Federal or State)
Regulators / Licensure: NCUA, States
Laws, Regulations, or Guidance: 12 CFR 748 (Appendix A & B)


Regulations & Guidance - FDIC

Appendix B, including Supplement, to Part 364 of the FDIC Rules and Regulations – Interagency Guidelines Establishing Information Security Standards


Regulations & Guidance - FRB

Appendix D-2, including Supplement, to Part 208 of the FR Rules and Regulations – Interagency Guidelines Establishing Standards for Safeguarding Customer Information


Regulations & Guidance - NCUA

Appendix A ("Guidelines for safeguarding member information") & Appendix B ("Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice") of 12 CFR 748 ("Security Program")


Regulatory Authority Examples: Non-Depository Institutions

Type of Entity / Regulators / Licensure:
• Mortgage Originators and Servicers – CFPB, FTC, States
• Money Service Businesses / Money Transmitters – FTC, States
• Consumer Finance – CFPB, FTC, States

Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.: 16 CFR 314; 501 and 505(b)(2) of GLBA; State Laws and Regulations (e.g., Part 500 and CCPA).


Regulations & Guidance – Non-Depository

16 CFR Part 314 of the FTC Rules and Regulations – "Standards for Safeguarding Customer Information"

• The "Safeguards Rule", which took effect in 2003, is designed to ensure that covered entities maintain safeguards to protect the security of customer information
• It applies to financial institutions subject to FTC jurisdiction that aren't subject to the enforcement authority of another regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805
• In December 2021, the FTC amended the Safeguards Rule to keep pace with current technology

Source: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know


Regulations & Guidance – Non-Depository

Section 314.4 of the Safeguards Rule identifies 9 elements that a company's ISP must include:
• Designate a qualified individual to implement & supervise the InfoSec program
• Conduct a risk assessment
• Design & implement safeguards to control risk identified by the risk assessment
• Regularly monitor & test the effectiveness of those controls
• Train staff
• Monitor service providers
• Keep the program current
• Create a written Incident Response Plan
• Require the qualified individual to report to the Board


Zoom Annotation Tool

Click View Options at the top then click Annotate

Click the Draw Tool then the double arrow


MATCH THE REGULATION TO THE INSTITUTION

Institutions:
A. Non-Depository
B. Credit Unions
C. State Banks (FRB)
D. Banks (FDIC)

Regulations:
1. Appendix B, including Supplement, to Part 364
2. Appendices A & B to 12 CFR 748
3. 16 CFR Part 314
4. Appendix D-2, including Supplement, to Part 208


Examination Approach Examples: Depository Institutions

Type of Entity / IT Exam Approaches/Rating Systems:
• Banks – Information Technology Risk Examination (InTREx); UFIRS/CAMELS; FFIEC Uniform Rating System for IT (URSIT)
• Credit Unions – CAMEL, where "M" includes a review of information systems
• Trust Companies – FFIEC Uniform Interagency Trust Rating System (UITRS)
• Foreign Banking Organizations & Bank Holding Companies – FRB, States; ROCA Rating System, where "O" is operational controls


Examination Approach Examples: Non-Depository Institutions

Type of Entity / IT Exam Approaches/Rating Systems:
• Mortgage Originators and Servicers – FFIEC Uniform Interagency Consumer Compliance Rating System (CC Rating System)
• Money Service Businesses / Money Transmitters – CSBS Non-Bank Cybersecurity Exam Program; MTRA Workprogram (multi-state exams); FILMS rating system


Regulations & Guidance

FFIEC IT Booklet Handbooks: a good reference, but remember the booklets do not specifically apply to FIs not regulated by the FFIEC


Your Turn!

Tell us about the exam approaches and/or the rating systems you use regularly.

Do you like using one approach more than the other? If so, please explain briefly.


IT Examination Work Programs


Components of CSBS Nonbank Cyber Exam Programs

Pre-Examination Resources:
• Exam Notification Letter
• Pre-Exam Document Request List (DRL)

Work Programs:
• Baseline Nonbank Workprogram
• Enhanced Nonbank Workprogram


Pre-Exam Document Request List

Used for the Baseline Nonbank Cybersecurity Exam Program (V1.0) and the Enhanced Nonbank Cybersecurity Exam Program (V1.0)

Covers 15 Different Program Areas and defines specific documents to be provided

Includes space for State specific requests


Nonbank Cybersecurity Exam Programs

Baseline
• Based on the pilot program released in December 2020
• Covers same content as pilot in a streamlined version (based on 2021 examiner feedback)
• Easier to use and half the questions with no loss of coverage
• Covers 4 URSIT component areas

Enhanced
• More comprehensive, for larger and more complex institutions
• Includes all baseline questions (light blue shading) plus additional questions in areas requiring a deeper dive
• Targeted for use by examiners with more specialized knowledge of IT & Cyber

Note: The Baseline and Enhanced Nonbank Cybersecurity Exam Programs were added to SES and are available for mortgage origination, mortgage servicing, and consumer finance exams.


Baseline Nonbank Cybersecurity Exam Program

Source: https://www.csbs.org/sites/default/files/2022-08/Baseline%20Nonbank%20Exam%20Program%20V1.0.pdf


Enhanced Nonbank Cybersecurity Exam Program

Source: https://www.csbs.org/sites/default/files/2022-08/Enhanced%20Nonbank%20Exam%20Program%20V1.0.pdf


Components of InTREx

Information Technology Profile (ITP):
• Risk Profile
• Qualitative Adjustment

Work Program:
• Core Modules
• Expanded Modules
• Supplemental Workprograms


InTREx Workprogram Core Modules

Audit

Management
• Risk Assessment
• Vendor Management (Ongoing)
• Information Security Standards (GLBA)
• ID Theft Red Flags

Development & Acquisition
• Vendor Management (Acquisition)

Support & Delivery
• BCP
• Information Security
• Operations
• Incident Response
• Network Security (IDS, Firewall)
• EFT/E-Banking


InTREx Framework

Based on URSIT components

ED Module concept used for each component

ED Module core decision factors were derived from URSIT assessment factors


InTREx Features

• Incorporates baseline cybersecurity into procedures
• Requires conclusion on cybersecurity preparedness
• Requires conclusion on GLBA Information Security Standards (Part 364 Appendix B)
• Enhances focus on transaction/control testing
• Allows for tracking of deficiencies noted in any decision factor


InTREx Procedures

Core Modules: Audit, Management, D&A, S&D
• All procedures must be completed, but not all bullets need to be addressed
• Examiners have flexibility to scope down, just not scope out


InTREx Procedures

Cybersecurity Workpaper
• No stand-alone workprogram
• Applicable procedures are marked with
• Requires summary comment


InTREx Procedures

Information Security Standards (GLBA) Workpaper
• No stand-alone workprogram
• Applicable procedures are marked with
• Requires summary comment


InTREx Additional Procedures

Expanded Modules
• Available for Management and S&D
• Provide additional procedures for IT products/services not covered in Core or that may need additional analysis


InTREx Additional Procedures

Supplemental Workprograms (ED Modules/FFIEC IT Handbook)
• ED Modules available for a variety of areas (EFT, Mobile Banking, Merchant Acquiring, etc.)
• FFIEC IT Handbook provides in-depth procedures
• FDIC Risk Advisories and Technical Examination Aids provide guidance
• Should be completed to assess specific products not covered in the Core or Expanded Modules, or areas of higher complexity that require more in-depth review


InTREx Control Testing

Control Tests
• Core Modules identify potential control tests
• Control tests are marked with
• Use discretion in determining which tests to perform
• Not all control tests need to be performed, and conversely, examiners can do their own control tests


InTREx Control Testing

Control Tests
• If a control test was performed, the results should be noted in the comments to that procedure
• May leverage control testing performed by internal and external auditors
• Sufficient testing should be performed to validate the effectiveness of controls


FFIEC CAT Tool


Cybersecurity Challenges

• The security of the financial industry's systems and information is essential to its safety and soundness
• More sophisticated landscape
• Ransomware extortion
• Phishing continues to be a problem...
• Exploitation of remote work...
• Cloud adoption and misconfigurations...
• IoT attacks...
• Mobile devices...
• Heightened attacks and loss of critical information is catastrophic


A New Reality

There is no perimeter
• The endpoint is the perimeter
• The user is the perimeter
• The business process is the perimeter
• The information is the perimeter

Compliance may threaten security
• Compliance ≠ security, like a firewall ≠ security
• It's a resource and budget conflict, and it splits focus

Technology without a strategy is chaos
• Security has grown well past the "do-it-yourself" days
• The rate of change and diversity of products makes it difficult, if not impossible, to keep up


Cybersecurity Preparedness Challenges

• How does the board know that the organization is prepared?
• How can the institution measure key risk through an iterative process and report it to examiners & the board?
• How can the institution measure its inherent risk and controls to determine the maturity of its cybersecurity posture?
• The FFIEC CAT Tool is one process to identify inherent risks and determine the level of maturity of an institution's cyber preparedness.


Overview of FFIEC Cybersecurity Assessment Tool

• Provided by FFIEC as a methodology for financial institutions to use in determining their cybersecurity preparedness
• Based on NIST 800-53 (National Institute of Standards & Technology)
• In 2015, examiners began reviews to ensure Licensees are at the Assessment "Baseline"; voluntary but strongly encouraged
• IT Exam process was updated to include regular Cybersecurity reviews
• Divided into two main parts:
  1. Inherent risk assessment
  2. Maturity assessment


Benefits to Financial Institutions

• Identifies risk factors that contribute to and determine the institution's overall cyber risk
• Assesses the institution's cyber preparedness
• Evaluates whether the institution's cybersecurity preparedness is aligned with its inherent risks
• Through declarative statements, provides risk management practices and controls that could be taken to achieve the institution's desired state of cybersecurity preparedness
• Informs on repeatable risk management strategies


Inherent Risk Profile

• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organization Characteristics
• External Threats


Inherent Risk Profile: Technology & Connection Types

• Internet Service Providers
• Third Party Connections
• Internal vs Outsourced hosted systems
• Wireless Access Points
• Network Devices
• EOL Systems
• Cloud Services
• Personal Devices


Inherent Risk Profile: Delivery Channels

• Online & Mobile Products and Services Delivery Channels
• ATM Operations


Inherent Risk Profile: Online/Mobile Products & Services

• Credit & Debit cards
• P2P Payments
• ACH
• Wire transfers
• Wholesale payments
• Remote deposit
• Global remittances
• Correspondent banking
• Merchant acquiring activities


Inherent Risk Profile: Organizational Characteristics

• Mergers and acquisitions
• Direct employees and contractors
• IT Environment
• Business presence & locations
• Operations & Data centers


Inherent Risk Profile: External Threats

Threat Actors:
• Nation-States
• Professional Cyber Criminals
• Hacktivists
• Terrorist Groups
• Thrill-Seekers
• *Insider Threats

Motivation:
• Geopolitical
• Profit
• Ideological
• Criminal
• Satisfaction
• *Discontent, Profit


Cybersecurity Maturity Assessment: Overview

• Domain 1 – Cybersecurity Risk Management and Oversight
• Domain 2 – Threat Intelligence and Collaboration
• Domain 3 – Cybersecurity Controls
• Domain 4 – External Dependency Management
• Domain 5 – Cyber Incident Management and Resilience

Each domain has 5 levels of maturity: Baseline, Evolving, Intermediate, Advanced, Innovative


FFIEC- CAT Domains


Risk/Maturity Relationship


FFIEC CAT Conclusions

• Management can review the institution's Inherent Risk Profile in relation to its Cybersecurity Maturity results for each domain to understand whether or not they are aligned.
• Generally, as inherent risk rises, an institution's maturity levels should increase.
• An institution's inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change.
• Thus, management should consider reevaluating its inherent risk profile and Cybersecurity maturity periodically and when planned changes can affect its inherent risk profile.


Cybersecurity Summary

1. Threat actors are more sophisticated and motivated
2. Institutions must demonstrate an understanding of the risks and threats they face
3. Tools such as the FFIEC CAT are a starting point for organizations to determine their risk profile and cyber maturity
4. As examiners, expect banks to know where their cyber risks are and to devote resources to those areas that present the greatest risk to the institution
5. The end game is to effectively evaluate the institution's risk
   • Do the results seem reasonable (size & complexity)?
   • Are risks adequately mitigated through well-designed and executed controls?


Audit


Objectives

Provide tools to assess the effectiveness of the IT Audit Program

IT Audit Risk, Planning, and Scope

IT Audit Component Rating

Types of IT Audits/Reviews

IT Auditor Expertise


Audit/Independent Review

IT scope & frequency based on inherent or residual risks

Performed by independent personnel

Knowledgeable individuals conduct the engagements

Risk assessment/ complexity based

Conducted separately or all at once

Board/Committees receive results

Formal report includes Findings/recommendations


Assessment Areas for IT Audits

The IT Audit program should be assessed for the following:
• Audit risk assessment, plan and scope
• Appropriate coverage of the entity's IT environment and activities
• Quality of written IT reports
• Audit independence
• Auditor qualifications
• Findings and recommendations reporting and follow-up


Guidance for IT Audit

• FFIEC IT Examination Audit Handbook
• Federal Agency Rules and Regulations
  • Interagency Policy Statement on the Internal Audit Function and its Outsourcing
  • Interagency Policy Statement on External Auditing Program of Banks and Savings Associations
  • Interagency Guidelines Establishing Information Security Standards (GLBA)
• Information Systems Audit and Control Association (ISACA)


IT Audit Engagement

• Engaged & signed by an individual or committee not responsible for IT operations (preferably signed by a member of the Board or Audit Committee)
• The scope, timeframes, and cost of work to be performed
• Expectations and responsibilities
• Institution access to audit workpapers


IT Audit Risk Assessment

Universe of auditable entities

Risk assessment = audits

Reasonable scale

Relevance of controls

Effectiveness of Controls

Inherent risk


The only scale where cyber risk should be rated second lowest


IT Audit Scope

Identifies areas to be reviewed consistent with risk assessment/ risk level

Describes how the audit will be performed and tools to be used

Provides the timeframe for completing the audit

Firms may provide engagement letter specifying this information including costs


Example – Risk Assessment ≠ Audit Scope

Risk Assessment / Audit Schedule – List of IT Audits:
• Network Penetration and Vulnerability Assessment
• Wire Transfer Audit
• Internet Banking/Social Media Audit
• IT Audit
• Vendor Management Audit

Scope from IT Audit


IT Audit Coverage

IT General Controls

Information Security Program (GLBA)

EFT (ACH/Wires/RDC)

NACHA Compliance

Penetration Testing/Vulnerability Assessment/Phishing Test

Identity Theft Red Flags Program

Regulation GG/Unlawful Internet Gambling Enforcement Act


IT Audit Coverage

Business Continuity Planning

Change/Patch Management

Vendor Management

Cybersecurity

Management

Internet/ Online Banking Network

Third ‐ Party Outsourcing

Disaster Recovery

Strategic Planning

Project Management

Architecture (Firewalls & IDS/IPS)

BIA

Incident Response

GLBA Compliance

Social Engineering

Red Flags/ ID Theft Prevention

Security Monitoring


Written IT Audit Reports

Describe scope, objectives, and results

Identifies deficiencies/ weaknesses

Suggests corrective action(s)

Management’s response/timing for corrective action(s)

Provides information on prior audit findings

• Identifies repeat findings

Complies with audit plan & schedule


Types of IT Audits

Internal Audits/ Certifications

IT General Controls

Penetration Tests

Vulnerability Assessments

Statement on Standards for Attestation Engagements (SSAE ‐ 16/18)


IT General Controls (ITGC)

ITGC:
• Logical access controls over infrastructure, applications, and data
• System development life cycle controls
• Program change management controls
• Data center physical controls
• System and data back-up & recovery controls
• Computer operation controls

ITGCs should be performed annually


Wire Transfer/ACH Audits

These services are critical to many financial entities

Usually included with the ITGC audit
• Particularly in small to medium community banks, CUs, and MTs

Can be a separate audit
• Could occur in financial entities with significant wire/ACH activity
• Usually in large community financial entities



Question 1

Which of the following would you not expect to find as part of the scope of the IT Audit Program?

A. Model Risk Management
B. Funds Transfers Controls
C. GLBA Compliance
D. Business Continuity Planning

Model risk management is not considered to be an IT function, and therefore is not included in the IT audit program.


Vulnerability Assessment & Penetration Testing


Vulnerability Assessment & Penetration Testing

Vulnerability assessment is a process that defines, identifies & classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure
• Vulnerability Scans
• Tabletop Assessments

A penetration test subjects a system to real-world attacks selected & conducted by the testing personnel


Vulnerability Assessments

Basic Vulnerability Assessment description:
• Requires specific skills/knowledge
• Audit team tries to find weak points
• Tools used simulate a variety of attacks
• Results are used in Penetration Testing for potential exploitation

Testing:
• Checking building windows and doors to see if they are secured
• Checking if the building is susceptible to other events, e.g. natural catastrophes


Performing Vulnerability Assessments

The goal of vulnerability assessments is to identify devices, applications, or systems that have known vulnerabilities or configuration issues without compromising your systems.

A risk-based security vulnerability methodology is designed to comprehensively identify, classify and analyze known vulnerabilities to recommend the right mitigation actions.


Vulnerability Assessment vs. Risk Assessment

Risk Assessment:
• Cataloging assets and capabilities (resources) in a system
• Assigning quantifiable value and importance to a resource
• Identifying the vulnerability or potential threat(s) to each resource
• Assist in mitigating or eliminating vulnerabilities for key resources

FIs will sometimes use a vulnerability assessment to aid in completing the risk assessment process


Penetration Test Considerations

• External Penetration Testing
• Internal Penetration Testing
• "Black Box, White Box"
• Application Penetration Tests
• Independent Party
• Qualifications of Penetration Testers


Why They Are Important:

• Penetration tests can give security personnel real experience in dealing with an intrusion
• Ideally, should be performed without informing staff, to test whether policies are truly effective. However, this may not be practical
• The test can uncover aspects of network security, application & operational policies that are lacking


Pen Test Strategies

Targeted Testing: performed by the entity's IT team and external testing team

External Testing: targets externally visible servers or devices (seen by anybody on the Internet) to see if they can get into internal systems and how far

Internal Testing: mimics an insider attack by an authorized user with standard access privileges (what can happen with a disgruntled employee)


Pen Test Value

Ascertain the likelihood of gaining system access

Detecting vulnerabilities not easily found using standard system protective means

Ability of current security methods to detect or repel an attack

Likelihood of exploiting a low ‐ risk vulnerability to gain higher level access

List of vulnerabilities that require remediation

Measure of risk for a cyber attack

Additional efforts needed to protect the network(s)/ system(s)


Penetration Test (Pen Test)

• Pen Test "tests" systems to find & exploit known vulnerabilities that an attacker could exploit
• Determine if there are weaknesses and if able to access system functionality and data
• Pen Test report will describe any weaknesses as "high", "medium" or "low"
• Require management's knowledge & consent
• Require a high degree of skill to perform
• Are intrusive as actual "attack" tools are used


Question 2

Fill in the blanks: A "vulnerability assessment" ______ vulnerabilities, while a "penetration test" _______ vulnerabilities.

A. Assesses; Corrects
B. Downloads new; Deletes old
C. Scans for; Exploits discovered
D. Exploits known; Discovers zero-day

29


Question 2 (answer)

Fill in the blanks: A "vulnerability assessment" ______ vulnerabilities, while a "penetration test" _______ vulnerabilities.

A. Assesses; Corrects
B. Downloads new; Deletes old
C. Scans for; Exploits discovered
D. Exploits known; Discovers zero-day

Answer: C. A vulnerability assessment scans the network for vulnerabilities, while a penetration test attempts to exploit the discovered vulnerabilities to gain access to the network.

30


External Technology Service Provider (TSP) Reports

• FFIEC TSP Reports
  • Public/open section that is available to FI clients
  • Confidential section that is available only to regulatory agencies
• Service Organization Control (SOC) Reports
  • AICPA standard for reviews of service providers
  • A type of control assessment provided to a service provider's clients
  • Attestation standard lineage: SAS 70 (pre-2011), then SSAE 16 (2011-2016), then SSAE 18 (current)

31


Service Organization Control (SOC) Reports

Three levels of Service Organization Control (SOC) reports:

• SOC 1
  • Focus on internal controls over financial reporting (ICFR)
  • Covers the controls relevant to the client's (user entity's) financial reporting
• SOC 2
  • Auditor review of internal controls related to the trust services criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
  • The service provider chooses which of these categories are in scope for the review
• SOC 3
  • Includes a description of the system and the auditor's opinion
  • Most abstract; a general-use summary that does not include the tests performed or their results

32


Service Organization Control (SOC) Reports

Two types of Service Organization Control (SOC) reports:

• Type I
  • Describes the servicer's controls as of a specific point in time
  • Auditor evaluates whether the description is fair and the controls are suitably designed, based on the servicer's account of them, but does not test whether the controls operated effectively
• Type II (preferred)
  • Includes the information from a Type I report
  • Adds detailed testing of the operating effectiveness of the servicer's controls over a review period, generally at least six consecutive months
  • Auditor expresses an opinion based on that testing

33


Audit Reporting/Follow-up

Similar to Safety & Soundness:

• IT audit reporting channels
  • What is being reported, and to whom
• Senior management responses
  • Are they reasonable, and is the corrective timeframe appropriate?
• Exception tracking
  • Should show all IT audit findings (internal, external, and regulatory) along with the corrective action(s)

34


Auditor Independence & Qualifications

Independence:

• Whether there are conflicting duties, e.g., the auditor is auditing areas for which they have responsibilities or oversight
• The auditor should report to the Board or the Audit Committee
• Whether the auditor has a loan or other debt with the entity (which may influence the audit)

Qualifications:

• Type of IT experience and training; some IT audits require specific skill sets
• Current IT certifications the auditor maintains
• List of references from entities with similar IT activities

These qualifications provide some assurance, but don't guarantee a quality audit.

35


IT Audit Review

Audit reports include:

• Audit scope and objectives
• Pertinent areas for improvement based on the results of testing
• Reasonable and appropriate recommendations
• Findings and observations consistent with your examination results

36


Audit Report Review

Signs of a questionable audit:

• Be wary of auditors who rely solely on checklists
• Using only regulatory work programs is not an audit
• Absence or lack of workpapers could indicate a poorly performed audit, especially if there are no workpapers showing how ITGCs (IT general controls) were reviewed/tested

37


Audit Findings Tracking & Resolution

Issues and corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner. Look for:

• A formal tracking system that assigns responsibility and a target date for resolution
• Timely and formal status reporting
• Tracking and reporting of changes in target dates or proposed corrective actions to the Board or Audit Committee
• A process to ensure findings are resolved
• Independent validation to assess the effectiveness of corrective measures
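An examiner reviewing an exception tracker is looking for four specific conditions: open findings past their target date, findings whose target date has been moved (each move should have gone to the Board or Audit Committee), findings closed without independent validation, and findings with no assigned owner. The following is an added example for this section, not part of the CSBS course material, that runs those checks over a constructed set of findings. The record layout (one entry per finding, with a history of target dates) is an assumption for illustration, not an InTREx or FFIEC format.

```python
"""Exception-tracking check for audit findings.

Added example for this section, not part of the CSBS course material.
The findings below are constructed; the record layout is an assumption.
"""
from datetime import date

# Constructed findings from internal audit, external audit, and a regulatory exam.
FINDINGS = [
    {"id": "IA-23-01", "source": "internal", "owner": "IT Manager", "severity": "high",
     "target_dates": ["2023-06-30", "2023-09-30"], "status": "open", "validated_by": None},
    {"id": "EA-23-07", "source": "external", "owner": "CISO", "severity": "medium",
     "target_dates": ["2023-08-31"], "status": "closed", "validated_by": "Internal Audit"},
    {"id": "REG-23-02", "source": "regulatory", "owner": "", "severity": "high",
     "target_dates": ["2023-12-31"], "status": "open", "validated_by": None},
    {"id": "IA-23-04", "source": "internal", "owner": "Network Admin", "severity": "low",
     "target_dates": ["2023-05-31"], "status": "closed", "validated_by": None},
]


def exceptions_report(findings, as_of: str) -> dict:
    """Flag the conditions an examiner looks for in a findings tracker, as of a given date."""
    today = date.fromisoformat(as_of)
    report = {"overdue": [], "slipped": {}, "closed_unvalidated": [], "no_owner": []}
    for f in findings:
        dates = [date.fromisoformat(d) for d in f["target_dates"]]  # oldest first
        if not f["owner"]:
            report["no_owner"].append(f["id"])
        if len(dates) > 1:
            # Every target date after the first is a slip that should have been reported upward.
            report["slipped"][f["id"]] = len(dates) - 1
        if f["status"] == "open" and dates[-1] < today:
            # Judged against the latest approved date, not the original one.
            report["overdue"].append(f["id"])
        if f["status"] == "closed" and not f["validated_by"]:
            # Management says it is fixed, but nobody independent has confirmed it.
            report["closed_unvalidated"].append(f["id"])
    return report


if __name__ == "__main__":
    for key, items in exceptions_report(FINDINGS, "2023-10-24").items():
        print(f"{key}: {items}")
```

A tracker that cannot produce these four lists on demand is itself a finding: without the date history, slipped targets are invisible, and without the validator field, "closed" means only that management said so.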

38


Auditor Interview

Areas to focus on in the auditor interview:

• Knowledge of the IT environment and its risks
• Understanding of the systems covered in the audit universe
• Understanding of the basic controls of those systems
• Verify training and/or certifications (as necessary); certifications require specific training and a minimum number of continuing-education hours per year (usually 40)
• Why the auditor used a checklist or the FFIEC IT work program when that audit work did not fit the entity's activities

39


Question 3

An effective IT audit will not include which of the following?

A. Experienced and knowledgeable auditor
B. Complete workpapers
C. Written audit report that details audit procedures and findings
D. Documented scope based on an established standard
E. All of the above are part of an effective IT audit

40


Question 3 (answer)

Answer: E. All of the listed items are part of an effective IT audit: an experienced and knowledgeable auditor, complete workpapers, a written report that details the audit procedures and findings, and a documented scope based on an established standard.

41


42


InTREx - Audit

43


InTREx – Audit

44


Audit Component Rating

Areas to focus on when rating IT audit component adequacy:

• Independence and quality of oversight
• Audit risk analysis methodology and resources applied
• Scope, frequency, accuracy, and timeliness of audit reports
• Extent of audit participation in the SDLC to ensure effective internal controls and audit trails
• Adequacy of the audit plan in providing appropriate coverage of IT risks
• IT auditors' adherence to a code of ethics and professional standards
• Qualifications of IT auditors
• Timely and formal follow-up and reporting on management's resolution of identified issues/weaknesses
• Quality and effectiveness of internal and external audit activity related to IT controls

45


Conclusion

• Learned the basics of IT audits
• Minimum scope in the risk-focused examination process: must review the entity's audit program
• If the audit program is deficient or lacking:
  • Don't need to dig deeper into it
  • Describe the deficiencies and record them in your workpapers (WP)
  • Notify the Safety & Soundness EIC
• If the audit program is satisfactory:
  • Can risk-focus (reduce examination work in) areas recently audited

46


Summary

• Audits are a necessity, whether performed by in-house and/or external resources
• Must be performed by independent and qualified individuals/companies
• Based on a current risk assessment
• Must provide written, detailed, stand-alone reports
• Results must be reported to the Board's Audit Committee or a related Board committee in a timely manner
• Audits can aid in exam scope reduction

47


Management

1


Module Agenda

Governance, Goals, & Objectives

Policies & Procedures

Board & Senior Management Responsibilities

Compliance

Strategic Planning

Succession Planning

Management Information Systems

InTREx Management Module

Risk Assessments

Exam Evaluation of Management

2


IT Management

3


How Governance Is Achieved

• Through the management structure and the Board of Directors
• Assignment of responsibilities and authority covering:
  • Central oversight and coordination
  • Risk assessment and measurement
  • Monitoring and testing
  • Reporting
  • Acceptable residual risk
• Establishment of policies, procedures, and standards, with at least annual review/approval
• Allocation of resources
• Monitoring
• Accountability

4


Governance Structure

Can take many forms depending on size and complexity: the Board of Directors at the top, appropriate reporting lines in between, and Management below.

5


Board & Management Responsibilities

Planning, Directing, Organizing, Controlling

6


Board Responsibilities Set the tone, strategic direction, and risk tolerance

Review and approve management’s decisions regarding the handling of residual risk

Approve applicable policies

Budget for appropriate resources to meet IT goals and objectives

7


Management Responsibilities

Control risk activities

Oversee day-to-day IT operations and manage vendor relationships

Develop, implement and enforce applicable policies, procedures, and other mitigating controls

Provide regular reporting to Board and executive management

8


Board & senior management shared responsibilities:

• Evaluate and agree upon IT goals and objectives
• Determine whether IT goals and objectives are being met
• Assess the effectiveness and efficiency of current IT programs and activities
• Develop budgets to maintain ongoing operations and meet IT strategic priorities

9


Address & Manage Business IT Needs

• Generate value from new products supported by technology
• Achieve operational excellence via technology
• Maintain IT-related risk at an acceptable level
• Contain the cost of technology and IT services
• Ensure departments and IT collaborate so that users (internal and external) are satisfied with technology
• Comply with laws, regulations, and policy

10


Question 1 Which of the following is management’s responsibility?

A. Strategic Planning
B. Setting risk tolerances
C. Budgeting appropriate resources
D. Controlling risk activities

11



Question 1 Which of the following is management’s responsibility?

A. Strategic Planning
B. Setting risk tolerances
C. Budgeting appropriate resources
D. Controlling risk activities

Answer: D. Controlling risk activities is the only management function in this list. While management has input into the budget through expense estimates and requests for funds, ultimate responsibility for setting the budget and allocating resources falls to the Board.

12



Question 2 Who is ultimately responsible for IT Governance?

A. Board of Directors
B. Chief Executive Officer
C. Chief Risk Officer
D. Chief Information Officer
E. All of the above

13



Question 2 Who is ultimately responsible for IT Governance?

A. Board of Directors
B. Chief Executive Officer
C. Chief Risk Officer
D. Chief Information Officer
E. All of the above

Answer: A. While all of these people have a role, the Board is ultimately responsible for overseeing the IT program.

14



Strategic Plans

Board & management responsibilities for strategic planning: provide direction for the organization by

• Defining the organization's goals and objectives
• Establishing and setting enterprise priorities
• Providing an enterprise-wide budget
• Setting timeframes for accomplishing goals and objectives
• Defining the technology needs in general terms
• Consulting with senior/IT management on the best IT solutions to accomplish them
• Monitoring the status of goals and objectives

15


IT Goals/Objectives

IT goals and objectives should be:

• Clear/apparent: what should be done
• Realistic: will it achieve the desired results?
• Applicable: supports the enterprise mission and meets customers' needs
• Quantifiable: are metrics available to determine success or failure?
• Timely: is the initiation of an IT solution timely, or pushed out early to meet competition?

16


Monitoring/Reviewing Management Information Systems (MIS) Reports

Elements of an effective MIS report:

• Accuracy
• Consistency
• Timeliness
• Completeness
• Relevance

17


MIS Reports

MIS reports must be:

• Regularly reviewed
• Understood/explained
• Utilized

18


Risk Mitigation "Tools"

• Properly identified risks, prioritized by importance/criticality
• Independent audits
• Appropriate IT policies, procedures, and standards
• Appropriate IT system and application security controls, with timely monitoring
• Vulnerability assessments and pen tests
• Dual controls/separation of duties
• Cybersecurity reviews/audits
• Strong vendor management controls

19



Risk Assessment from a Management Component Perspective

• The Board is responsible for communicating its risk tolerance to management
• Management is responsible for performing the risk assessment, ensuring that the RA is complete, accurate, and reasonable, and reporting the results to the Board
• Risk acceptance decisions should be made at the Board level
• Review Board minutes for support for the answers provided by management during discussions (approval/discussion of risk assessment findings, risk acceptance decisions, etc.)

20


Effective Governance Practices

There are a variety of ways our financial institutions can achieve effective governance practices, but policies, procedures, and standards are often the foundation. Policies, procedures, and standards should:

• Be designed, approved, and implemented enterprise-wide
• Provide appropriate guidance and standards for ALL current IT activities
• Be tailored to the organization's unique characteristics
• Conform to regulatory guidance and/or legal standards
• Provide for appropriate employee awareness training
• Be reviewed and approved annually by the Board and documented in the Board minutes (policies; not always procedures/standards)

21


Implement Policies, Procedures, Standards

• Provide guidance
• Define appropriate behaviors
• Can take various shapes/formats
• Updated and supplemented as required
• Key policies should be reviewed and approved annually
• Employee acknowledgement to abide by them, when hired
• Annual awareness training and testing for knowledge

22
