IT Examiner School eBook

IT Examiner School

May 21-30, 2024 Virtual

@ www.csbs.org ♦ @csbsnews

CONFERENCE OF STATE BANK SUPERVISORS

1300 I Street NW / Suite 700 / Washington, DC 20005 / (202) 296-2840

May 21-30, 2024 IT Examiner School Virtual

ATTENDEES California Department of Financial Protection and Innovation Pineschi, Robert

robert.pineschi@dfpi.ca.gov sophia.vue@dfpi.ca.gov

Vue, Sophia

Colorado Division of Banking Roberts, Courtney

courtney.roberts@state.co.us

Kansas Office of the State Bank Commissioner Norsworthy, Ifiabor

ifiabor.norsworthy@osbckansas.org

Maryland Office of Financial Regulation Brown, Sabrina

sabrina.brown@maryland.gov corvette.grier@maryland.gov rashad.kitchen@maryland.gov matthew.mainolfi@maryland.gov

Grier, Corvette Kitchen, Rashad Mainolfi, Matthew

Michigan Department of Insurance and Financial Services Brown, Anne

browna8@michigan.gov tibbittsa@michigan.gov

Tibbitts, Amy

Minnesota Department of Commerce Jenson, Nicholas

nicholas.jenson@state.mn.us travis.neuman@state.mn.us

Neuman, Travis

Missouri Division of Finance Baker, Adam

adam.baker@dof.mo.gov ryan.mantle@dof.mo.gov

Mantle, Ryan

Nevada Division of Mortgage Lending Carey, Day

dcarey@mld.nv.gov

Mercurius, Neil Yanez, Christian

nmercurius@mld.nv.gov ceyanez@mld.nv.gov

New Hampshire State Banking Department Cloutier, Lorry

lorry.d.cloutier@banking.nh.gov

New York State Department of Financial Services Anderson, Melvin

melvin.anderson@dfs.ny.gov otuoze.baiye@dfs.ny.gov

Baiye, Otuoze

Duffy, John

john.duffy@dfs.ny.gov

Powlina, Alexander

alexander.powlina@dfs.ny.gov

Riegert, Alicia Sabaah, Noorul

alicia.riegert@dfs.ny.gov noorul.sabaah@dfs.ny.gov

North Carolina Office of Commissioner of Banks Prusik, Anthony

tprusik@nccob.gov

Oregon Division of Financial Regulation Adelman, Nicholas

nicholas.w.adelman@dcbs.oregon.gov

Wells, Sandi

sandi.wells@dcbs.oregon.gov

Pennsylvania Department of Banking and Securities Britton, Mason

masbritton@pa.gov

Utah Department of Financial Institutions Kaufman, Clay

ckaufman@utah.gov

Washington Department of Financial Institutions Tormanen, Jacob

jacob.tormanen@dfi.wa.gov

INSTRUCTORS California Department of Financial Protection and Innovation Fujikawa, Matthew

matthew.fujikawa@dbo.ca.gov

New York Department of Financial Services Farrar, Craig

craig.farrar@dfs.ny.gov

Peterson, Will

william.peterson@dfs.ny.gov

North Carolina Office of the Commissioner of Banks Biser, Kenneth

kbiser@nccob.gov

CSBS STAFF Hoyle, Katie

khoyle@csbs.org

IT Examiner School Live Virtual May 21-30, 2024

Week 1 Tuesday, May 21, 2024 12:30 pm – 1:30 pm

Introduction & Pre-Course Review/Terminology

Regulations/Guidance

1:30 pm – 2:15 pm

2:15 pm –2:30 pm

Break

IT Examination Work Programs

2:30 pm – 3:00 pm

3:00 pm – 4:30 pm Audit Wednesday, May 22, 2024 12:30 pm – 1:30 pm Audit

FFIEC CAT Tool

1:30 pm – 2:00 pm

2:00 pm – 2:15 pm

Break

Management

2:15 pm – 4:00 pm

Thursday, May 23, 2024 12:30 pm – 1:30 pm

Development & Acquisition

Information Security/Risk Assessment

1:30 pm – 2:30 pm

2:30 pm – 2:45 pm

Break

Risk Assessment Activity

2:45 pm – 4:00 pm

Week 2 Tuesday, May 28, 2024 12:30 pm – 12:45 pm

Prior Week Review

Support & Delivery

12:45 pm – 2:00 pm

2:00 pm – 2:15 pm

Break

Support & Delivery

2:15 pm – 3:15 pm

Business Continuity Planning & Disaster Recovery

3:15 pm – 4:00 pm

Wednesday, May 29, 2024 12:30 pm – 1:30 pm

Business Continuity Planning & Disaster Recovery

Third-Party Risk Management

1:30 pm – 2:15 pm

2:15 pm – 2:30 pm

Break

Composite Rating Discussion & Exercise

2:30 pm – 3:00 pm

Breakout Rooms

3:00 pm – 4:00 pm

Thursday, May 30, 2024 12:30 pm – 1:30 pm

Composite Rating Exercise Discussion

Emerging Issues

1:30 pm – 2:00 pm

2:00 pm – 2:15 pm

Break

Emerging Issues

2:15 pm – 3:30 pm

Final Assessment & Course Wrap Up

3:30 pm – 4:00 pm

Virtual IT Examiner School May 21-30, 2024

Zoom

Schedule This week:

• Tuesday, May 21: 12:30 PM – 4:00 PM ET • Wednesday, May 22: 12:30 PM – 4:00 PM ET • Thursday, May 23: 12:30 PM – 4:00 PM ET Next Week • Tuesday, May 28: 12:30 PM – 4:00 PM ET • Wednesday, May 29: 12:30 PM – 4:00 PM ET • Thursday, May 30: 12:30 PM – 4:00 PM ET

Instructors

Kenneth Biser - North Carolina Office of the Commissioner of Banks

Craig Farrar – New York Department of Financial Services

Matthew Fujikawa – California Department of Financial Protection & Innovation

Will Peterson - New York Department of Financial Services

NYS DFS Disclaimer The views expressed are those of the speaker and do not represent the official views of New York State or the NYS Department of Financial Services, aka DFS. Anything said during this training shall not bar, estop, or otherwise prevent DFS, or any federal or other state agency from taking any action different from anything said during this training. Participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.

Introductions

Name

State

IT Exam Experience

Fun fact

Something you hope to learn

Go to www.menti.com and enter Game PIN provided

Internal Use Only

Regulations & Guidance

Internal Use Only

Module Agenda Provide an Overview of Common Data Privacy Laws and Standards Discuss Information Security Related Laws Impacting Financial Institutions (FIs) Describe the Gramm-Leach Bliley Act (GLBA) and Federal Implementation of Standards Required Under 501(b) Compare Examination Approaches, Work programs, and Rating Systems for Depository and Non-Depository FIs

Internal Use Only

Examples of Data Privacy Related Laws/Standards

LAW

YEAR

OVERVIEW

WHO IT IMPACTS

FERPA (Family Educational Rights and Privacy Act) HIPPAA (Health Insurance Portability and Accountability Act)

1974

Protection of student records

Any post-secondary educational institution

1996

Protects the privacy of patient records

Any company or agency that deals with Health Care Financial institutions (FIs) that offer financial products (insurance, loans, investments) US Public Companies, accounting and management firms Federal Agencies dealing with information related to National Security Companies involved in handling of credit card information

GLBA (Gramm-Leach-Bliley Act)

1999

Mandates that companies secure private information of clients and customers Maintain and protect financial records for seven (7) years Recognizes information security as a national security matter

SOX (Sarbanes-Oxley Act)

2002

FISMA (Federal Information Security Management Act) PCI-DSS (Payment Card Industry/Data Security Standard)

2002

2004

Consumer Credit Card

Internal Use Only

Information Security Related Laws Impacting FI's OVERVIEW LAW

Bank Service Company Act 12 USC 1867(c)

Subjects bank service companies to examination and regulation by Federal Regulators and requires notice to be provided within 30 days of entering into a service contract Requires installation, maintenance, and operation of security devices and procedures, to discourage robberies, burglaries, and larcenies and assist in the identification and apprehension of persons who commit such acts Requires each FI to develop, implement, and maintain, as part of its existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports to address risks associated with identity theft Requires each agency or authority to establish appropriate standards for the FI's subject to their jurisdiction relating to administrative, technical, and physical safeguards

Bank Protection Act 12 USC 1882 "Security Measures for Banks and Savings Associations" Fair and Accurate Credit Reporting Act (FCRA) 15 USC 1681W

Gramm-Leach-Bliley Act (GLBA) 15 USC 6801

Source: https://ithandbook.ffiec.gov/laws-regulations-guidance/information-security/#Laws Complete List of FFIEC Maintained Laws, Regulations, and Guidance: https://ithandbook.ffiec.gov/laws-regulations-guidance/

Internal Use Only

The Gramm Leach Bliley Act (GLBA)

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

Internal Use Only

The Gramm-Leach-Bliley Act (GLBA) - cont. Title V, Subtitle A of the Gramm-Leach-Bliley Act (“GLBA”) governs the treatment of

"It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information" (Section 501(a))

nonpublic personal information (NPPI or NPI ) about consumers by financial institutions. • Section 501 – protection of nonpublic personal information • Section 502 – prohibits financial institutions from disclosing nonpublic personal information about a consumer to non-affiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements; and (ii) the consumer has not elected to opt out of the disclosure • Section 503 - institutions to provide notice of its privacy policies and practices to its customers

Internal Use Only

The Gramm Leach Bliley Act (GLBA) - 501(b)

501(b) requires each agency or authority to establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards: • To ensure the security and confidentiality of customer records and information; • To protect against any anticipated threats or hazards to the security or integrity of such records; and • To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

In 2000, the Board of Governors of the FRS (“Board”), the FDIC, the NCUA, the OCC, and the former OTS, published regulations implementing provisions of GLBA governing the treatment of nonpublic personal information about consumers by financial institutions.

Internal Use Only

Regulatory Authority Examples: Depository Institutions

Regulators / Licensure

Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.

Type of Entity

Banks (state-member, national, state non-member, credit union)

FDIC, FRB, OCC, States, CFPB

12 CFR 364, Appendix B; Section 501(b) of GLBA; FFIEC; State Laws/Regulations (e.g., Part 500, CCPA)

Bank Holding Companies, Trust Companies, US Branches of FBOs

FRB, States

Generally, the same as banks (above)

Credit Unions (Federal or State)

NCUA, States

12 CFR 748 (Appendix A & B)

Internal Use Only

Regulations & Guidance - FDIC Appendix B, including Supplement, to Part 364 of the FDIC Rules and Regulations – Interagency Guidelines Establishing Information Security Standards

Internal Use Only

Regulations & Guidance - FRB Appendix D-2, including Supplement, to Part 208 of the FR Rules and Regulations – Interagency Guidelines Establishing Standards for Safeguarding Customer Information

Internal Use Only

Regulations & Guidance - NCUA Appendix A (“Guidelines for safeguarding member information”) & Appendix B (“Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice”) of 12 CFR 748 (“Security Program”)

Internal Use Only

Regulatory Authority Examples: Non-Depository Institutions

Regulators / Licensure CFPB, FTC, States

Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.

Type of Entity

Mortgage Originators and Servicers

16 CFR 314; 501 and 505(b)(2) of GLBA; State Laws and Regulations (e.g., Part 500 and CCPA).

Money Service Businesses / Money Transmitters

FTC, States

Consumer Finance

CFPB, FTC, States

Internal Use Only

Regulations & Guidance – Non-Depository

16 CFR Part 314 of the FTC Rules and Regulations – “Standards for Safeguarding Customer Information”

• The “Safeguards Rule”, which took effect in 2003, is designed to ensure that covered entities maintain safeguards to protect the security of customer information • It applies to financial institutions subject to FTC jurisdiction and that aren’t subject to enforcement authority of another regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. • In December 2021, the FTC amended the Safeguards Rule to keep pace with current technology.

Source: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Internal Use Only

Regulations & Guidance – Non-Depository Section 314.4 of the Safeguards Rule identifies 9 elements that a company’s ISP must include: • Designate a qualified individual to implement & supervise the InfoSec program • Conduct a risk assessment • Design & implement safeguards to control risk identified by the risk assessment • Regularly monitor & test the effectiveness of those controls • Train staff

• Monitor Service Providers • Keep the program current • Create a written Incident Response Plan • Require the qualified individual to report to the Board

Internal Use Only

Computer Security Incident Notification Rule

The FDIC, FRB, OCC issued a joint final rule in 2021 to establish computer-security incident notification requirements for banking organizations (BO) and bank service providers Required notification to regulators as soon as possible and no later than 36 hours after the BO determines that a computer-security incident that rises to the level of a notification incident has occurred

Compliance with the final rule was required by May 1, 2022

The FTC Amended its Safe Guards Rules in October 2023 to require notification to FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers.

Sources: www.fdic.gov/news/financial-institution-letters/2021/fil21074.html www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches

Internal Use Only

Zoom Annotation Tool

Click View Options at the top then click Annotate

Click the Draw Tool then the double arrow

Internal Use Only

MATCH THE REGULATION TO THE INSTITUTION

A. Non-Depository

1. Appendix B, including Supplement, to Part 364

B. Credit Unions

2. Appendices A & B to 12 CFR 748

C. State Banks (FRB)

3. 16 CFR Part 314

D. Banks (FDIC)

4. Appendix D-2, including Supplement, to Part 208

Internal Use Only

Examination Approach Examples: Depository Institutions

Type of Entity

IT Exam Approaches/Rating Systems

Information Technology Risk Examination (InTREx) ; UFIRS/CAMELS, FFIEC Uniform Rating System for IT (URSIT); CAMEL, where “M” includes a review of information systems

Banks

Credit Unions

Trust Companies

FFIEC Uniform Interagency Trust Rating System (UITRS)

Foreign Banking Organizations & Bank Holding Companies

FRB, States; ROCA Rating System – where “O” is operational controls

Internal Use Only

Examination Approach Examples: Non-Depository Institutions

Type of Entity

IT Exam Approaches/Rating Systems

Mortgage Originators and Servicers

FFIEC Uniform Interagency Consumer Compliance Rating System (CC Rating System)

CSBS Non-Bank Cybersecurity Exam Program ; MTRA Workprogram (multi-state exams); FILMS rating system

Money Service Businesses / Money Transmitters

Internal Use Only

Regulations & Guidance

Good reference, but remember the booklet does not specifically apply to FIs not regulated by the FFIEC FFIEC IT Booklet Handbooks:

Internal Use Only

Your Turn!

Tell us about the exam approaches and/or the rating systems you use regularly.

Do you like using one approach more than the other? If so, please explain briefly?

Internal Use Only

IT Examination Work Programs

Internal Use Only

CSBS Non-Bank Cybersecurity Workprogram

CSBS Non-Bank Workprogram (WP) Overview

Used by state examiners to assess the cyber preparedness of non-depository entities

Provides in-depth risk evaluation of the four critical components of the URSIT (Audit, Management, Development and Acquisition, & Support and Delivery). Questions contain applicable Gramm-Leach-Bliley Act (GLBA) Safeguards Rule citation and document request list reference.

The Baseline (v1.0) WP & Enhanced WP were both released in May 2022

An update Baseline WP (V1.1) was released in March 2023

Internal Use Only

Components of CSBS Nonbank Cyber Exam Programs Pre-Examination Resources Work Programs

Baseline Nonbank Workprogram

Exam Notification Letter

Enhanced Nonbank Workprogram

Pre-Exam Document Request List (DRL)

Internal Use Only

Pre-Exam Document Request List

Used for both Baseline & Enhanced Cybersecurity Exam Program

Covers 15 Program Areas and defines documents to be provided

Includes space for State specific requests

Internal Use Only

Nonbank Cybersecurity Exam Programs Baseline

Enhanced • More comprehensive, for larger and more complex institutions • Includes all baseline questions (light blue shading) plus additional questions in areas requiring a deeper dive • Targeted for use by examiners with more specialized knowledge of IT & Cyber

• Based on the pilot program released in December 2020 • Covers same content as pilot in a streamlined version (based on 2021 examiner feedback) • Easier to use and half the questions with no loss of coverage • Covers 4 URSIT component areas

Note: The Baseline and Enhanced Nonbank Cybersecurity Exam Programs were added to SES and are available for mortgage origination, mortgage servicing, and consumer finance exams.

Internal Use Only

Baseline Nonbank Cybersecurity Exam Program

Source: https://www.csbs.org/sites/default/files/2022-08/Baseline%20Nonbank%20Exam%20Program%20V1.0.pdf

Internal Use Only

Enhanced Nonbank Cybersecurity Exam Program

Source: https://www.csbs.org/sites/default/files/2022-08/Enhanced%20Nonbank%20Exam%20Program%20V1.0.pdf

Internal Use Only

Information Technology Risk Examination (InTREx) Procedures

Internal Use Only

InTREx Program Overview

An enhanced, risk-based, approach for conducting IT examinations of depository institutions

Based on the (URSIT) and includes Core Modules for Audit, Management, Development and Acquisition, and Support and Delivery component ratings

Incorporates procedures for assessing cybersecurity preparedness and compliance with Interagency Guidelines Establishing Information Security Standards

Examiners complete the InTREx Core Modules, the Cybersecurity Workpaper, and the Information Security Standards Workpaper to assess risk and document examination procedures, findings, and recommendations. Updated in September 2023 (by FDIC) to improve Audit module‘s usability, add steps related to Computer Security Incident Notification Rule (Part 304 Subpart C), provide specificity regarding examiner review of service provider ROEs, and to update links to references.

Internal Use Only

Components of InTREx ITP

Work Program

Information Technology Profile

Core Modules

Risk Profile

Expanded Modules

Qualitative Adjustment

Supplemental Workprograms

Internal Use Only

InTREx Workprogram Core Modules

Support & Delivery

Audit

Management • Risk Assessment • Vendor Management (Ongoing) • Information Security Standards (GLBA) • ID Theft Red Flags

Development & Acquisition • Vendor Management (Acquisition)

• BCP • Information Security • Operations • Incident Response • Network Security (IDS, Firewall) • EFT/E-Banking

Internal Use Only

InTREx Framework

Based on URSIT components

ED Module concept used for each component

ED Module core decision factors were derived from URSIT assessment factors

Internal Use Only

InTREx Features Incorporates baseline cybersecurity into procedures Requires conclusion on cybersecurity preparedness Requires conclusion on GLBA Information Security Standards (Part 364 Appendix B) Enhances focus on transaction/control testing

Allows for tracking of deficiencies noted in any decision factor

Internal Use Only

InTREx Procedures Core Modules Audit, Management, D&A, S&D • All procedures must be completed, but not all bullets need to be addressed • Do have flexibility to scope down, just not scope out

Internal Use Only

InTREx Procedures

Cybersecurity Workpaper • No stand-alone workprogram • Applicable procedures are marked with • Requires summary comment

Internal Use Only

InTREx Procedures

Information Security Standards (GLBA) Workpaper • No stand-alone workprogram • Applicable procedures are marked with • Requires summary comment

Internal Use Only

InTREx Additional Procedures Expanded Modules • Available for Management and S&D • Provide additional procedures for IT products/ services not covered in Core or that may need additional analysis

Internal Use Only

InTREx Additional Procedures Supplemental Workprograms (ED Modules/FFIEC IT Handbook) • ED Modules available for a variety of areas (EFT, Mobile Banking, Merchant Acquiring, etc.) • FFIEC IT Handbook provides in-depth procedures • FDIC Risk Advisories and Technical Examination Aids provide guidance • Should be completed to assess specific products not covered in the Core or Expanded Modules, or areas of higher complexity that require more in-depth review

Internal Use Only

InTREx Control Testing

Control Tests • Core Modules identify potential control tests • Control tests are marked with • Use discretion in determining which tests to perform • Not all control tests need to be performed, and conversely, examiners can do own control tests

Internal Use Only

InTREx Control Testing

Control Tests • If a control test was performed, the results should be noted in the comments to that procedure • May leverage control testing performed by internal and external auditors • Sufficient testing should be performed to validate the effectiveness of controls

Internal Use Only

Audit

Internal Use Only

Objectives

Provide tools to assess the effectiveness of the IT Audit Program

IT Audit Risk, Planning, and Scope

IT Audit Component Rating

Types of IT Audits/Reviews

IT Auditor Expertise

Internal Use Only

Audit/Independent Review

IT scope & frequency based on inherent or residual risks

Performed by independent personnel

Knowledgeable individuals conduct the engagements

Risk assessment/ complexity based

Conducted separately or all at once

Board/Committees receive results

Formal report includes Findings/Recommendations

Internal Use Only

Assessment Areas for IT Audits

• Audit risk assessment, plan and scope • Appropriate coverage of the entity’s IT environment and activities • Quality of written IT reports • Audit independence • Auditor qualifications • Findings and recommendations reporting and follow-up

The IT Audit program should be assessed for the following:

Internal Use Only

Guidance for IT Audit FFIEC IT Examination Audit Handbook

Federal Agency Rules and Regulations  Interagency Policy Statement on the Internal Audit Function and its Outsourcing  Interagency Policy Statement on External Auditing Program of Banks and Savings Associations  Interagency Guidelines Establishing Information Security Standards (GLBA) Information Systems Audits and Control Association (ISACA)

Internal Use Only

IT Audit Engagements

Engaged & signed by an individual or committee not responsible for IT operations (This is an indicator of independence.)

Expectations and responsibilities

The scope, timeframes, and cost of work to be performed

Institution access to audit workpapers

Internal Use Only

IT Audit Risk Assessment

Universe of auditable entities (Population)

Risk assessment = audits

Reasonable scale (Scope)

Relevance of controls

Effectiveness of Controls

Inherent risk

Internal Use Only

The only scale where cyber risk should be rated second lowest

Internal Use Only

IT Audit Scope

Identifies areas to be reviewed consistent with risk assessment/ risk level

Describes how the audit will be performed and tools to be used

Provides the timeframe for completing the audit

Firms may provide engagement letter specifying this information including costs, otherwise the scope will be defined in the report.

Internal Use Only

Example – Risk Assessment ≠ Audit Scope

Risk Assessment / Audit Schedule

• Network Penetration and Vulnerability Assessment • Wire Transfer Audit • Internet Banking/Social Media Audit • IT Audit • Vendor Management Audit

List of IT Audits

Scope from IT Audit

Internal Use Only

IT Audit Coverage

IT General Controls

Information Security Program (GLBA)

EFT (ACH/Wires/RDC)

NACHA Compliance

Penetration Testing/ Vulnerability Assessment/ Phishing Test Identity Theft Red Flags Program

Regulation GG/Unlawful Internet Gambling Enforcement Act

Internal Use Only

IT Audit Coverage

Business Continuity Planning

Change/Patch Management

Vendor Management

Cybersecurity

Management

Internet/ Online Banking Network

Third-Party Outsourcing

Disaster Recovery

Strategic Planning

Project Management

Architecture (Firewalls & IDS/IPS)

BIA

Incident Response

GLBA Compliance

Social Engineering

Red Flags/ ID Theft Prevention

Security Monitoring

Internal Use Only

Written IT Audit Reports Describe scope, objectives, and result

Identifies deficiencies/ weaknesses

Suggests corrective action(s)

Management’s response/timing for corrective action(s)

Provides information on prior audit findings

• Identifies repeat findings

Complies with audit plan & schedule

Internal Use Only

Types of IT Audits

Internal Audits/ Certifications

IT General Controls

Penetration Tests

Vulnerability Assessments

Statement on Standards for Attestation Engagements (SSAE-16/18)

Internal Use Only

IT General Controls (ITGC)

• Logical access controls over infrastructure, applications, and data • System development life cycle controls • Program change management controls • Data center physical controls • System and data back-up & recovery controls • Computer operation controls

ITGC:

ITGCs should be performed annually

Internal Use Only

Wire Transfer/ACH Audits These services are critical to many financial entities

• Particularly in small to medium community banks, CUs, and MTs Usually included in with ITGC audit • Could occur in financial entities with significant wire/ACH activity • Usually in large community financial entities Can be a separate audit

Internal Use Only

Question 1 Which of the following would you not expect to find as part of the scope of the IT Audit Program?

A. Model Risk Management B. Funds Transfers Controls C. GLBA Compliance D. Business Continuity Planning

Internal Use Only

Vulnerability Assessment & Penetration Testing

Internal Use Only

Vulnerability Assessment & Penetration Testing

Vulnerability assessment is a process that defines, identifies & classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure  Vulnerability Scans  Tabletop Assessments A penetration test subjects a system to the real-world attacks selected & conducted by the testing personnel

Internal Use Only

Vulnerability Assessments

• Requires specific skills/knowledge • Audit team tries to find weak points • Tools used simulate a variety of attacks • Results are used in Penetration Testing for potential exploitation Testing: • Checking building windows and doors to see if they are secured • Checking if building is susceptible to other events, e.g. natural catastrophes Basic Vulnerability Assessment description:

Internal Use Only

Performing Vulnerability Assessments The goal of vulnerability assessments is to identify devices, applications, or systems that have known vulnerabilities or configuration issues without compromising your systems.

A risk-based security vulnerability methodology is designed to comprehensively identify, classify and analyze known vulnerabilities to recommend the right mitigation actions.

Internal Use Only

Vulnerability Assessment vs. Risk Assessment

Assist in mitigating or eliminating vulnerabilities for key resources

Assigning quantifiable value and importance to a resource

Identifying the vulnerability or potential threat(s) to each resource

Cataloging assets and capabilities (resources) in a system

FI will sometimes use vulnerability assessment to aid in completing the risk assessment process

Internal Use Only

Penetration Test Considerations External Penetration Testing Internal Penetration Testing “Black Box, White Box” Application Penetration Tests Independent Party Qualifications of Penetration Testers

Internal Use Only

Why They Are Important: Penetration tests can give security personnel real experience in dealing with an intrusion

Ideally, should be performed without informing staff, to test whether policies are truly effective. However, may not be practical The test can uncover aspects of network security, application & operational policies that are lacking

Internal Use Only

Pen Test Strategies

Targeted Testing

External Testing

Internal Testing

mimics an insider attack by an authorized user with standard access privileges (what can happen with a disgruntled employee)

targets externally visible servers or devices (seen by anybody on Internet) to see if they can get into internal systems and how far

performed by the entity’s IT team and external testing team

Internal Use Only

Pen Test Value Ascertain the likelihood of gaining system access

Detecting vulnerabilities not easily found using standard system protective means Ability of current security methods to detect or repel an attack

Likelihood of exploiting a low-risk vulnerability to gain higher level access

List of vulnerabilities that require remediation

Measure of risk for a cyber attack

Additional efforts needed to protect the network(s)/ system(s)

Internal Use Only

Penetration Test (Pen Test)

Pen Test “tests” systems to find & exploit known vulnerabilities that an attacker could exploit

Determine if there are

Pen Test report will describe any weaknesses as “high”, “medium” or “low”

Require management’s knowledge & consent

Require a high degree of skill to perform

weaknesses and if able to access system functionality and data

Are intrusive as actual “attack” tools are used

Internal Use Only

Question 2 Fill in the blanks: A “vulnerability assessment” ______ vulnerabilities, while a “penetration test” _______

vulnerabilities. A. Assess; Corrects

B. Downloads new; Deletes old C. Scans for; Exploits discovered D. Exploits known; Discovers zero-day

Internal Use Only

External Technology Service Provider (TSP) Reports

• FFIEC TSP Reports • Public/open section that is available to FI clients • Confidential section is available to regulatory agencies • Service Organization Control (SOC) Reports • AICPA standard for reviews of service providers • A type of control assessment provided to a service providers clients

FFIEC TSP Reports

SOC Reports SSAE 18 SSAE 16 (2011-2016) SAS 70 (pre-2011)

Internal Use Only

Service Organization Control (SOC) Reports

• SOC I • Focus on internal controls over financial reporting (ICFR) • This is the client’s financial reporting • SOC II • Auditor review of internal controls related to: • Security, Availability, Processing, Integrity, Confidentiality, Privacy • Service provider gets to choose the scope of the review • SOC III • Includes a description of the system and the auditor’s opinion • Most abstract, does not include the results of testing

Three Levels of Service Organization Control (SOC) Reports:

Internal Use Only

Service Organization Control (SOC) Reports

• Type I • Describes the servicer’s descriptions of controls at a specific point in time • Auditor performs no testing of servicer’s controls attesting to controls based on servicer’s account of controls- no opinion • Type II (preferred) • Includes information from a Type I Report • Detailed testing of the servicer’s controls over a minimum consecutive six-month period • Auditor expresses an opinion based on their testing

Two types of Service Organization Control (SOC) Reports:

Internal Use Only

Audit Reporting/Follow-up

Like Safety & Soundness:

o IT Audit reporting channels  What is being reported and to whom o Senior Management Responses  Are they reasonable and corrective timeframe is appropriate o Exception Tracking  Show all IT audit findings, both Internal and External, and regulatory along with corrective action(s)

Internal Use Only

Auditor Independence & Qualifications Independence : Whether or not there are conflicting duties, e.g., involved in auditing areas they have responsibilities or oversight Auditor should be reporting to Board or Audit Committee Whether or not the Auditor has a debt with the entity (may have some influence)

Type of IT experience and training • Some IT audits require specific skill sets

Current IT certifications the auditor maintains

List of references from entities with similar IT activities

Qualifications :

These qualifications provide some assurances, but don’t guarantee a quality audit

Internal Use Only

IT Audit Review

• Audit scope and objectives • Pertinent areas for improvement based on results of testing • Reasonable and appropriate recommendations, often with managements' responses • Findings and observations consistent with your examination results

Audit Reports include:

Internal Use Only

Audit Report Review

• Be wary of auditors who rely solely on checklists • Using only regulatory work programs could indicate a lower standard of engagement • Absence or lack of workpapers could indicate a poorly performed audit  Especially if there are no workpapers showing how ITGCs were reviewed/tested

Signs of a questionable audit:

Internal Use Only

Audit Findings Tracking & Resolution

A formal tracking system that assigns responsibility and target date for resolution

Timely and formal status reporting

Tracking and reporting of changes in target dates or proposed corrective actions to the Board or Audit Committee

Process to ensure findings are resolved

Independent validation to assess the effectiveness of corrective measures

Issues & corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner.

Internal Use Only

Auditor Interview Areas to focus on with auditor interview: • Knowledge of the IT environment and risks • Understanding of systems covered in the audit universe • Understanding of the basic controls (of these systems) • Verify training and/or certifications (as necessary)- certifications require specific training and number of hours/year (usually 40) • Type of work program used to document issues and conclusions. The work program used should be engagement type specific and not necessarily the FFIEC Work Programs

Internal Use Only

Question 3 An effective IT Audit will not include which of the following? A. Experienced and knowledgeable auditor B. Complete workpapers C. Written audit report that details audit procedures and findings D. Documented scope based on an established standard E. All of the above is part of an effective IT audit

Internal Use Only

Internal Use Only

InTREx - Audit

Internal Use Only

InTREx – Audit

Internal Use Only

Audit Component Rating Areas to focus on when rating IT Audit component adequacy:

• Independence and quality of oversight • Audit risk analysis methodology/resources applied • Scope, frequency, accuracy, and timeliness of audit reports • Extent of audit participation in SDLC to ensure effectiveness internal controls and audit trails • Audit plan in providing appropriate coverage of IT risks • IT auditor’s adherence to code of ethics/professional standards • Qualifications of IT auditors • Timely and formal follow-up and reporting on management’s resolution of identified issues/weaknesses • Quality and effectiveness of internal and external audit activity related to IT controls

Internal Use Only

Conclusion

Learned basics for IT Audits

Minimum scope in risk focused examination process must review the entity’s audit program

If audit program is deficient or lacking • Don’t need to dig deeper • Describe the deficiencies & record in your WP • Notify the Safety & Soundness EIC If audit program is satisfactory • Can risk focus areas recently audited

Internal Use Only

Summary • Audits are a necessity whether performed by in-house and/or external resources • Must be performed by independent and qualified individuals/companies/firms • Based on a current risk assessment • Must provide written, detailed, stand-alone reports • Results must be reported to the Board’s Audit Committee or a related Board Committee in a timely manner • Audits can aid in exam scope reduction

Internal Use Only

FFIEC CAT Tool

Internal Use Only

Cybersecurity Challenges • The security of the financial industry’s systems and information is essential to its safety and soundness • More sophisticated landscape • Ransomware extortion • Phishing continues to be a problem... • Exploitation of remote work ... • Cloud adoption and misconfigurations... • IoT attacks… • Artificial Intelligence… • Mobile devices.... • Heightened attacks and loss of critical information is catastrophic

Internal Use Only

A New Reality

• The endpoint is the perimeter • The user is the perimeter • The business process is the perimeter • The information is the perimeter There is no perimeter

• Compliance ≠ security, like a firewall ≠ security • It’s a resource and budget conflict, and it splits focus Compliance may threaten security

• Security has grown well past the “do-it-yourself” days • Install and use is no longer an acceptable approach to technology • The rate of change and diversity of products makes it difficult, if not impossible, to keep up Technology without a strategy is chaos

Internal Use Only

Cybersecurity Preparedness Challenges • How does the board know that the organization is prepared?

• How can the institution measure key risk through an iterative process to examiners & board?

• How can the institution measure their inherent risk and controls to determine the maturity of their cybersecurity posture?

• FFIEC CAT Tool is on process to identify inherent risks and determine level of maturity of an institution's cyber preparedness.

4

Internal Use Only

Overview of FFIEC Cybersecurity Assessment Tool • Provided by FFIEC as a methodology for financial institutions to use in determining their cybersecurity preparedness. • Based on NIST 800-53 (National Institute of Standards & Technology) • In 2015, examiners began reviews to ensure Licensees are at the Assessment “Baseline”, voluntary but strongly encouraged. • IT Exam process was updated to include regular Cybersecurity reviews • Divided into two main parts: 1. Inherent risk assessment 2. Maturity assessment

Internal Use Only

Benefits Financial Institutions

Identify risks factors that contribute to and determine the institutions' overall cyber risk

Assessing the institutions cyber preparedness

Evaluating whether the institution cybersecurity preparedness is aligned with it’s inherit risks.

Through directive statements, provides risk management practices and controls that could be taken to achieve the institutions desired state of cybersecurity preparedness

Informs on repeatable risk management strategies

Internal Use Only

Inherent Risk Profile • Technologies and Connection Types

• Delivery Channels

• Online/Mobile Products and Technology Services

• Organization Characteristics

• External Threats

Internal Use Only

Inherent Risk Profile: Technology & Connection Types

• Internet Service Providers • Third Party Connections • Internal vs Outsourced hosted systems • Wireless Access Points • Network Devices

• EOL Systems • Cloud Services • Personal Devices

Internal Use Only

Inherent Risk Profile: Delivery Channels

ONLINE & MOBILE PRODUCTS AND SERVICES DELIVERY CHANNELS

ATM OPERATIONS

Internal Use Only

Inherent Risk Profile: Online/Mobile Products Services • Credit & Debit cards • P2P Payments • ACH • Wire transfers • Wholesale payments • Remote deposit • Global remittances

• Corresponding banking • Mobile device banking • Merchant acquiring activities

Internal Use Only

Inherent Risk Profile: Organizational Characteristics

• Mergers and acquisitions • Direct employees and contractors • IT Environment • Business presence & locations • Operations & Data centers

Internal Use Only

Inherent Risk Profile: External Threats

Threat Actors

Motivation

• Nation-States • Professional Cyber Criminals • Hacktivist • Terrorist Groups • Thrill-Seekers • *Insider Threats

• Geopolitical • Profit • Ideological Criminals • Satisfaction • *Discontent, Profit

Internal Use Only

Cybersecurity Maturity Assessment: Overview Domain 1 – Cybersecurity Risk Management and Oversight Domain 2 – Threat Intelligence and Collaboration Domain 3 – Cybersecurity Controls Domain 4 – External Dependency Management Domain 5 – Cyber Incident Management and Resilience.

Each domain has 5 levels of maturity: Baseline, Evolving, Intermediate, Advanced, Innovative

Internal Use Only

FFIEC- CAT Domains

Internal Use Only

Risk/Maturity Relationship

Internal Use Only

FFIEC CAT Conclusions • Management can review the institution’s Inherent Risk Profile in relation to its Cybersecurity Maturity results for each domain to understand whether or not they are aligned. • Generally, as an inherent risk rises, an institution’s maturity levels should increase. • An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change. • Thus, management should consider reevaluating its inherent risk profile and Cybersecurity maturity periodically and when planned changes can affect its inherent risk profile.

Internal Use Only

Cybersecurity Summary 1. Threat actors are more sophisticated and motivated

2. Institutions must demonstrate an understanding of risks and threats they face. 3. Tools such as FFIEC CAT are a starting point for organizations determine their risk profile and cyber maturity 4. As Examiners, expect banks to know where their cyber risks are and devote resources to those areas that present the greatest risk to the institution 5. The end game is to effectively evaluate the institution’s risk • Do the results seem reasonable (size & complexity)? • And are risk adequately mitigated through well-designed and executed controls

Internal Use Only

Management

Internal Use Only

Module Agenda

Governance, Goals, & Objectives

Policies & Procedures

Board & Senior Management Responsibilities

Compliance

Strategic Planning

Succession Planning

Management Information Systems

InTREx Management Module

Risk Assessments

Exam Evaluation of Management

Internal Use Only

IT Management

Internal Use Only

How Governance Is Achieved • Through management structure & the Board of Directors • Assignment of responsibilities & authority covering • Central oversight & coordination • Risk assessment & measurement • Monitoring & testing • Reporting • Acceptable residual risk • Establishment of policies, procedures & standards • With at least annual review/approval • Allocation of resources • Monitoring • Accountability

Internal Use Only

Governance Structure Can take many forms depending on size & complexity

Board of Directors

Appropriate Reporting Lines

Management

Internal Use Only

Board & Management Responsibilities

Planning Directing Organizing Controlling

Internal Use Only

Board Responsibilities Set the tone, strategic direction, and risk tolerance

Review and approve management’s decisions regarding the handling of residual risk

Approve applicable policies

Budget for appropriate resources to meet IT goals and objectives

Internal Use Only

Management Responsibilities

Control risk activities

Oversee day-to-day IT operations and manage vendor relationships

Develop, implement and enforce applicable policies, procedures, and other mitigating controls

Provide regular reporting to Board and executive management

Internal Use Only

Board & senior management shared responsibilities:

• Evaluate & agree upon IT goals and objectives • Determine if IT goals & objectives are being met • Assess the effectiveness and efficiency of current IT programs and activities • Develop budgets to maintain ongoing operations and meet IT strategic priorities

Internal Use Only

Address & Manage Business IT Needs  Generate value from new products supported by technology  Achieving operational excellence via technology  Maintain IT related risk at an acceptable level  Containing cost of technology & IT services  Ensure departments & IT collaboration to ensure users (internal & external) are satisfied with technology  Complying with laws, regulations, and policy

Internal Use Only

Knowledge Check Which of the following is management’s responsibility?

A. Strategic Planning B. Setting risk tolerances C. Budgeting appropriate resources D. Controlling risk activities

11

Internal Use Only

Knowledge Check Who is ultimately responsible for IT Governance?

A. Board of Directors B. Chief Executive Officer C. Chief Risk Officer D. Chief Information Officer E. All of the above

13

Internal Use Only

Strategic Plans Board & management responsibilities: Strategic Planning Provide direction for the organization • Defining the Organization’s goals and objectives • Establishing and setting enterprise priorities • Providing an enterprise-wide budget Setting timeframes for accomplishing goals and objectives Define the technology needs- general terms Consult with senior/IT management for best IT solutions to accomplish Monitoring status of goals and objectives

Internal Use Only

IT Goals/Objectives

IT Goals and Objectives should be:  Clear/apparent - what should be done  Realistic - will it achieve the desired results  Applicable - support enterprise mission & meet customers’ needs  Quantifiable - are there available metrics to determine success/failure  Timely - is the initiation of an IT solution timely or pushed out early to meet competition