Garland Group University
A regulatory perspective

Brad Garland
CEO
The Garland Group

What are we doing here?
  Where FIs & IT meet
  Regulators & what they do
  Technology Controls Review Process
  Goal: Provide better service to your clients

Introductions
  Name
  Position
  Tenure at CalTech
  Previous Experience

The Garland Group
  Compliance, Security & Web Services firm
  Founded in 1981
  Based out of Dallas, Texas
  Over 75 clients

Our Services
  FFIEC Technology Audits
  Risk Assessments
  Penetration Testing / Vulnerability Assessments
  Social Engineering
  Bank Core System Selections
Sizing up a Financial Institution
  < $25 Million - Small Community Bank
     Start-up or de novo status
     Couple of branches
     No IT staff
  $25 - $250 Million - Midsize Community Bank
     Normally still a local footprint
     1-10 branches
     Maybe 1 IT person

Sizing up a Financial Institution (Cont.)
  $250 Million - $1 Billion - Medium Bank
     More regional
     5-15 branches
     Maybe 1-2 IT staff
  > $1 Billion - Large Bank
     May cross state lines
     Lots of branches
     Normally dedicated IT staff

FI Infrastructures
  What’s out there?
  What kind of support do these systems get? Internal/External?
  Where do we fit in?

Infrastructures
  Windows, Novell, Unix, Mac and hybrid environments
  Fat clients or thin clients?
  Communications
     T1 Hub/Spoke
     MPLS
  VoIP
  Security
  Development shops
Infrastructures (Cont.)
  How do you help to support:
     Check/Item Processing
     E-Banking / Websites
     Document Imaging
     Merchant Capture
     Mobile Payments

Core Processors
  Run on a variety of mainframe-like systems
     AS/400
     Unix
     Linux

Core Processors (Cont.)
  What does a core processor do?
  In-house or outsourced install?
  Who supports it?
     User Mgmt.
     Updates/Patches
     Backups
  Regulatory hurdles
The Garland Group
Core from an Audit perspective
  User Lists
     Not just from an application level
     Who controls ‘root’? QSECOFR?
     Who monitors...
       System-level changes? ALLOBJ authority?
       Access Logs?



The Garland Group
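As an added example (not part of the presentation), this Python script runs the checks from the slide above over a constructed IBM i (AS/400) user-profile export: it lists every *ALLOBJ holder, flags holders outside a documented approved list, flags dormant and disabled privileged profiles, and asks about custody of QSECOFR when that shared profile is in routine use. The CSV column names, the approved-holder list and the 90-day dormancy threshold are assumptions, not the layout of any real DSPUSRPRF output.

```python
"""Audit checks for a core-system user list at the OS level (IBM i / AS/400):
who holds *ALLOBJ (root-equivalent), whether the QSECOFR security-officer
profile is in routine use, and which privileged profiles are dormant.
Assumptions (not from the presentation): the CSV columns below, the
approved-holder list and the 90-day dormancy threshold."""
import csv
import io
from datetime import date, datetime

# Constructed sample export; column names are an assumption, not a real
# DSPUSRPRF outfile layout.
SAMPLE_EXPORT = """\
profile,status,special_authorities,last_signon,description
QSECOFR,*ENABLED,*ALLOBJ *SECADM *AUDIT,2024-03-01,Security officer
COREADMIN,*ENABLED,*ALLOBJ *SECADM,2024-04-10,Core vendor admin account
JSMITH,*ENABLED,*JOBCTL,2024-04-12,Teller supervisor
OPSBATCH,*ENABLED,*ALLOBJ,2022-11-30,Nightly batch job profile
TELLER1,*ENABLED,*NONE,2024-04-12,Branch teller
OLDIT,*DISABLED,*ALLOBJ,2021-06-15,Former IT contractor
"""

# Review date for the sample; a real run would use date.today().
AS_OF = date(2024, 4, 15)
# Profiles management has documented as approved *ALLOBJ holders (assumed).
APPROVED_ALLOBJ = frozenset({"QSECOFR", "COREADMIN"})
DORMANT_DAYS = 90


def parse_export(text):
    """Turn the CSV export into dicts with parsed authority sets and dates."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["special_authorities"] = set(row["special_authorities"].split())
        row["last_signon"] = datetime.strptime(row["last_signon"], "%Y-%m-%d").date()
        rows.append(row)
    return rows


def audit_user_list(text, as_of=AS_OF, approved=APPROVED_ALLOBJ):
    """Return findings as (profile, severity, message) tuples, in export order."""
    findings = []
    for r in parse_export(text):
        name = r["profile"]
        enabled = r["status"] == "*ENABLED"
        idle_days = (as_of - r["last_signon"]).days
        has_allobj = "*ALLOBJ" in r["special_authorities"]

        # 1. *ALLOBJ bypasses object authority: every holder must be approved.
        if has_allobj and enabled and name not in approved:
            findings.append((name, "HIGH",
                             "*ALLOBJ held by a profile not on the approved list"))

        # 2. A privileged profile nobody has used for months is unmonitored access.
        if has_allobj and enabled and idle_days > DORMANT_DAYS:
            findings.append((name, "HIGH",
                             f"*ALLOBJ profile idle for {idle_days} days"))

        # 3. Disabled profiles keep their authorities; strip or delete them.
        if has_allobj and not enabled:
            findings.append((name, "MEDIUM", "disabled profile still holds *ALLOBJ"))

        # 4. QSECOFR is the shared 'root'. Routine use means work is not
        #    attributable to a named admin: ask who holds the password and
        #    who reviews the audit journal for its sign-ons.
        if name == "QSECOFR" and enabled and idle_days <= DORMANT_DAYS:
            findings.append((name, "MEDIUM", "QSECOFR signed on within the last "
                             f"{DORMANT_DAYS} days; confirm custody and logging"))
    return findings


def allobj_holders(text):
    """Names of every profile holding *ALLOBJ, enabled or not (the 'user list')."""
    return sorted(r["profile"] for r in parse_export(text)
                  if "*ALLOBJ" in r["special_authorities"])


if __name__ == "__main__":
    print("ALLOBJ holders:", ", ".join(allobj_holders(SAMPLE_EXPORT)))
    for profile, sev, msg in audit_user_list(SAMPLE_EXPORT):
        print(f"[{sev}] {profile}: {msg}")
```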
What’s the best setup for a bank?
  Which ‘Core’?
  In-house/Outsourced?
  Fat/Thin clients?
  T1s / MPLS?
  Dedicated IT staff?
  Development?

The Regulatory Agencies
  Federal Reserve
  ‘The State’
  FDIC
  OCC
  OTS
  NCUA

Who Regulates Whom?
  FDIC - State-chartered banks
  OCC - Nationally chartered banks
  OTS - Savings banks
  NCUA - Credit unions

Our Technology Controls Review Process
  Review of all booklets of the FFIEC
  Generate ‘Recommendations’ based off of gaps
  Bank Mgmt. responds
  Final Report
     Executive Summary
     FFIEC Report
     IT Risk Assessment

FFIEC: Federal Financial Institutions Examination Council
  Formal interagency council
  Consists of all regulatory bodies
  Creates guidance for topics such as:
     Mortgages
     Bank Secrecy Act/AML
     Info. Technology

FFIEC IT Exam Handbooks
  12 booklets
  Does not just cover IT
  2001 edition replaced the previous 1996 version
     All have been updated since 2003 or later
  Ongoing development

FFIEC Handbooks
  Audit
  Business Continuity Planning
  Development & Acquisition
  E-Banking
  FedLine
  Information Security
  Management
  Operations
  Outsourcing Technology Services
  Retail Payment Systems
  Supervision of Technology Service Providers
  Wholesale Payment Systems
Audit
  Major items in this section are:
     Audit Schedule
     Audit Committee Minutes
     Risk Assessments Conducted
     Proper Audit Follow-up
     Interim IT Audit Work

Management
  Major items in this section are:
     Reviewing BoD / IT Steering Minutes
     Policy/Procedure Approvals by BoD
     Succession Planning
     Strategic Planning
     IT Budgeting
     Contract/Insurance Review

Board Reporting
  Most FIs have an IT Steering and an Audit Committee
     These committees should drive functions and make decisions
     They are also the vessel to report to the Board on the status of the bank
     You may be asked to participate in these committees
     The Board has ultimate responsibility for everything within the bank

IT Steering Committee
  Approve major vendors (core providers, IT support, etc.)
  Approve major purchases, usually over a set dollar limit
  Review logs and reports from the network
  Approve IT audits, penetration tests, vulnerability scans
  Sometimes serve as a project management committee

Audit Committee
  Review all audit reports from IT, BSA, Teller, Regulators, etc.
  Approve audit frequencies, scopes and methodologies
  Usually all Board members are on the committee
  Approves audit vendors

Business Continuity Plan
  Major items in this section include:
     Review of BCP/DR Plan
     Backup Procedures
     Shutdown Procedures
     Offsite Storage
     DR Agreements & Testing

Operations
  Major items in this section include:
     Item Processing workflow
        In-house/Outsourced?
        Branch/Teller Capture?
     Daily Run Sheets
     Physical Security
     Training
     Courier Agreements
Development & Acquisition
  Major items in this section include:
     D&A Policy/Procedures
     Project Management Methodology
     Change Management
     Source Code Escrow Agreements
     Programming Methodology
     Development Meeting Minutes

Outsourcing IT Services
  Vendor Management
  Updated contracts with each vendor
  GLBA wording in contracts
  Proper ‘due diligence’ performed on critical vendors

E-Banking
  Major items in this section include:
     Policy/Procedures
     Security Reports / What’s reviewed? Who sees it?
     Website Change Management
     Proper Privacy Statements & Logos on website

Retail Payment Systems
  Major items in this section include:
     ATM Balancing / Reconciliation processes
     Agreements for 3rd-party ATM vendors
     ACH Policy/Procedures
     Review ACH Originators & Agreements
     Submitting ACH payments (via Web or FedAdvantage)

FedLine/FedAdvantage
  Major items in this section include:
     Proper control of users who access the Fed system
     Segregated Duties / Enter & Verify
     How they receive wire requests
     Approval / Callback Procedures

Information Security
  Major items in this section include:
     Information Security Program
        User Administration Rules
        Password Policy
        System Policy
        Screensaver Policy

Information Security (Cont.)
     Network Diagram - Up to date?
     Recent Security Testing / Breaches
     Security Monitoring
     Hardware/Software Inventory & Licenses
     Use of Laptops? Secured? How?
     Remote Access
     What logs are kept?
     Wireless

Technology Service Provider
  Major items in this section include:
     Review of vendor agreements
     Any major planned projects/development?
     Financial Stability of Vendor
     SAS 70s

Wholesale Payment Systems
  Major items in this section include:
     Large bank-to-bank transactions
     Proper agreements in place between FIs
     CHIPS procedures
        Large payment system owned by many FIs to transfer large payment orders
Other Regulatory Guidance
  Gramm-Leach-Bliley Act (GLBA)
  Sarbanes-Oxley (SOX)
  Control Objectives for Information and related Technology (CobiT)
  ISO 17799

Preparing for Exam/IT Audit
  What they are going to need from you:
     Help with producing documentation for their examiners/auditors
        Network Diagrams
        Password Policy (Active Directory)
        User Lists
        Firewall/Router Configs

Security Services
  Penetration Testing
  Vulnerability Assessments
  Social Engineering

Penetration Testing
  Required by ‘some’ examiners
  Testing normally done annually
  Scan ports and check for any major exploits

Vulnerability Assessments
  Testing done internal to the network
  Scanning for unauthorized access points, mesh networks, exposed/exploited systems
  Done at least annually

Social Engineering
  Our scope includes:
     Internet Recon.
     Dumpster Diving
     Phone Testing
     Email Testing
     In-Person Testing

Social Engineering (Cont.)
  Done at least annually
  Ensure an adequate sample size for testing
  Ensure scope is up to today’s standards

Common Mistakes in IT Mgmt.
  Lack of good documentation
  No BoD/Upper Mgmt. involvement
  Succession issues
  Reactionary environment
  Lack of proper backup procedures

Examiner ‘Requests’
  Closed-loop documentation process
  Board sign-off/approval
  Annual IT audits
  Updated BCPs/BSA risk assessments
  Penetration tests?

Reminders
  We’re here to help!
  Don’t jump into new tech. head first
  Ensure adequate cross-training
  Document everything!

Thanks for the time.
  If you have any questions feel free to contact me:
  Our Blog: http://blog.thegarlandgroup.net
  Banktastic: http://banktastic.com

  Brad Garland
  CEO
  972.429.8200

INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Dust Of Snow By Robert Frost Class-X English CBSE
Dust Of Snow By Robert Frost Class-X English CBSEDust Of Snow By Robert Frost Class-X English CBSE
Dust Of Snow By Robert Frost Class-X English CBSE
 
EMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxEMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped data
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and Film
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Project
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Presentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxPresentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptx
 

FFIEC Regulatory Training

  • 1. Garland Group University
      A regulatory perspective
      Brad Garland, CEO, The Garland Group
  • 2. What are we doing here?
      Where FIs & IT meet
      Regulators & what they do
      Technology Controls Review Process
      Goal: Provide better service to your clients
  • 3. Introductions
      Name
      Position
      Tenure at CalTech
      Previous Experience
  • 4. The Garland Group
      Compliance, Security & Web Services firm
      Founded in 1981
      Based out of Dallas, Texas
      Over 75 clients
  • 5. Our Services
      FFIEC Technology Audits
      Risk Assessments
      Penetration Testing / Vulnerability Assessments
      Social Engineering
      Bank Core System Selections
  • 6. Sizing up a Financial Institution
      < $25 Million - Small Community Bank
         Start-up or de novo status
         A couple of branches
         No IT staff
      $25 - $250 Million - Midsize Community Bank
         Normally still a local footprint
         1-10 branches
         Maybe 1 IT person
  • 7. Sizing up a Financial Institution
      $250 Million - $1 Billion - Medium Bank
         More regional
         5-15 branches
         Maybe 1-2 IT staff
      > $1 Billion - Large Bank
         May cross state lines
         Lots of branches
         Normally dedicated IT staff
  • 8. FI Infrastructures
      What's out there?
      What kind of support do these systems get? Internal/External?
      Where do we fit in?
  • 9. Infrastructures
      Windows, Novell, Unix, Mac and hybrid environments
      Fat clients or thin clients?
      Communications
         T1 hub/spoke
         MPLS
      VoIP
      Security
      Development shops
  • 10. Infrastructures
      How do you help to support:
         Check/Item Processing
         E-Banking / Websites
         Document Imaging
         Merchant Capture
         Mobile Payments
  • 12. Core Processors
      Run on a variety of mainframe-like systems
         AS/400
         Unix
         Linux
  • 13. Core Processors
      What does a core processor do?
      In-house or outsourced install?
      Who supports it?
         User mgmt.
         Updates/patches
         Backups
      Regulatory hurdles
  • 14. Core from an Audit perspective
      User lists - not just from an application level
      Who controls 'root'? QSECOFR?
      Who monitors...
         System-level changes?
         ALLOBJ authority?
         Access logs?
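An added example, not from the Garland Group deck: one way an auditor can answer the QSECOFR / ALLOBJ questions on an AS/400 (IBM i) core, assuming a release that exposes the QSYS2.USER_INFO catalog view. The second query shows why the slide says "not just from an application level": authority inherited through a group profile never appears in an application user list.

```sql
-- Added example (not from the Garland Group deck). Assumes an IBM i / AS/400
-- release that provides the QSYS2.USER_INFO catalog view.

-- 1. Profiles that hold *ALLOBJ directly, plus anything in the *SECOFR user
--    class (normally created with *ALLOBJ, so worth reviewing regardless).
--    Compare this list with the user list bank management supplies: every
--    row should be a named, justified administrator; disabled leftovers
--    and shared profiles are findings.
SELECT AUTHORIZATION_NAME,
       USER_CLASS_NAME,
       STATUS,
       SPECIAL_AUTHORITIES,
       PASSWORD_CHANGE_DATE,
       PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR USER_CLASS_NAME = '*SECOFR'
 ORDER BY STATUS, PREVIOUS_SIGNON;

-- 2. Profiles that inherit *ALLOBJ through their primary group profile
--    without holding it themselves. A profile with no group has
--    GROUP_PROFILE_NAME = '*NONE', which matches nothing and drops out.
--    Supplemental groups (SUPPLEMENTAL_GROUP_LIST) are not covered here
--    and need a separate pass.
SELECT u.AUTHORIZATION_NAME,
       u.STATUS,
       u.GROUP_PROFILE_NAME,
       g.SPECIAL_AUTHORITIES AS INHERITED_SPECIAL_AUTHORITIES,
       u.PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO u
  JOIN QSYS2.USER_INFO g
    ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME
 WHERE g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND u.SPECIAL_AUTHORITIES NOT LIKE '%*ALLOBJ%'
 ORDER BY u.GROUP_PROFILE_NAME, u.AUTHORIZATION_NAME;
```

Run both from an auditor profile with read access to the catalog and keep the output with the exam workpapers; a stale PREVIOUS_SIGNON on an enabled *ALLOBJ profile is the usual first finding.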
  • 15. What's the best setup for a bank?
      Which 'core'?
      In-house/outsourced?
      Fat/thin clients?
      T1s / MPLS?
      Dedicated IT staff?
      Development?
  • 16. The Regulatory Agencies
      Federal Reserve
      'The State'
      FDIC
      OCC
      OTS
      NCUA
  • 17. Who Regulates Whom?
      FDIC - State chartered banks
      OCC - Nationally chartered banks
      OTS - Savings banks
      NCUA - Credit unions
  • 18. Our Technology Controls Review Process
      Review of all booklets of the FFIEC
      Generate 'Recommendations' based on gaps
      Bank mgmt. responds
      Final report
         Executive Summary
         FFIEC Report
         IT Risk Assessment
  • 19. FFIEC
      Federal Financial Institutions Examination Council
      Formal interagency council
      Consists of all regulatory bodies
      Creates guidance for topics such as:
         Mortgages
         Bank Secrecy Act/AML
         Info. Technology
  • 20. FFIEC IT Exam Handbooks
      12 booklets
      Does not just cover IT
      2001 edition replaced the previous 1996 version
      All have been updated since 2003 or later
      Ongoing development
  • 21. FFIEC Handbooks
      Audit
      Management
      Business Continuity Planning
      Operations
      Outsourcing Technology Services
      Development & Acquisition
      E-Banking
      Retail Payment Systems
      FedLine
      Supervision of Technology Service Providers
      Information Security
      Wholesale Payment Systems
  • 22. Audit
      Major items in this section are:
         Audit schedule
         Audit committee minutes
         Risk assessments conducted
         Proper audit follow-up
         Interim IT audit work
  • 23. Management
      Major items in this section are:
         Reviewing BoD / IT Steering minutes
         Policy/procedure approvals by BoD
         Succession planning
         Strategic planning
         IT budgeting
         Contract/insurance review
  • 24. Board Reporting
      Most FIs have an IT Steering Committee and an Audit Committee
      These committees should drive functions and make decisions
      They are also the vessel for reporting to the Board on the status of the bank
      You may be asked to participate in these committees
      The Board has ultimate responsibility for everything within the bank
  • 25. IT Steering Committee
      Approve major vendors (core providers, IT support, etc.)
      Approve major purchases, usually over a set dollar limit
      Review logs and reports from the network
      Approve IT audits, penetration tests, vulnerability scans
      Sometimes serves as a project management committee
  • 26. Audit Committee
      Review all audit reports from IT, BSA, Teller, Regulators, etc.
      Approve audit frequencies, scopes and methodologies
      Usually all Board members are on the committee
      Approves audit vendors
  • 27. Business Continuity Plan
      Major items in this section include:
         Review of BCP/DR plan
         Backup procedures
         Shutdown procedures
         Offsite storage
         DR agreements & testing
  • 28. Operations
      Major items in this section include:
         Item processing workflow process
            In-house/outsourced?
            Branch/teller capture?
         Daily run sheets
         Physical security
         Training
         Courier agreements
  • 29. Development & Acquisition
      Major items in this section include:
         D&A policy/procedures
         Project management methodology
         Change management
         Source code escrow agreements
         Programming methodology
         Development meeting minutes
  • 30. Outsourcing IT Services
      Vendor management
      Updated contracts with each vendor
      GLBA wording in contracts
      Proper 'due diligence' performed on critical vendors
  • 31. E-Banking
      Major items in this section include:
         Policy/procedures
         Security reports / What's reviewed? Who sees it?
         Website change management
         Proper privacy statements & logos on website
  • 32. Retail Payment Systems
      Major items in this section include:
         ATM balancing / reconciliation processes
         Agreements for 3rd party ATM vendors
         ACH policy/procedures
         Review ACH originators & agreements
         Submitting ACH payments (via Web or FedAdvantage)
  • 33. FedLine/FedAdvantage
      Major items in this section include:
         Proper control of users who access the Fed system
         Segregated duties / enter & verify
         How they receive wire requests
         Approval / callback procedures
  • 34. Information Security
      Major items in this section include:
         Information Security Program
         User administration rules
         Password policy
         System policy
         Screensaver policy
  • 35. Information Security - Cont.
      Network diagram - up to date?
      Recent security testing / breaches
      Security monitoring
      Hardware/software inventory & licenses
      Use of laptops? Secured? How?
      Remote access - what logs are kept?
      Wireless
  • 36. Technology Service Provider
      Major items in this section include:
         Review of vendor agreements
         Any major planned projects/development?
         Financial stability of vendor
         SAS 70s
  • 37. Wholesale Payment System
      Major items in this section include:
         Large bank-to-bank transactions
         Proper agreements in place between FIs
         CHIPS procedures (a large payment system owned by many FIs to transfer large payment orders)
  • 38. Other Regulatory Guidance
      Gramm-Leach-Bliley Act (GLBA)
      Sarbanes-Oxley (SOX)
      Control Objectives for Information and related Technology (CobiT)
      ISO 17799
  • 39. Preparing for Exam/IT Audit
      What they are going to need from you: help with producing documentation for their examiners/auditors
         Network diagrams
         Password policy (Active Directory)
         User lists
         Firewall/router configs
  • 40. Security Services
      Penetration Testing
      Vulnerability Assessments
      Social Engineering
  • 41. Penetration Testing
      Required by 'some' examiners
      Testing normally done annually
      Scan ports and check for any major exploits
  • 42. Vulnerability Assessments
      Testing done internal to the network
      Scanning for unauthorized access points, mesh networks, exposed/exploited systems
      Done at least annually
  • 43. Social Engineering
      Our scope includes:
         Internet recon.
         Dumpster diving
         Phone testing
         Email testing
         In-person testing
  • 44. Social Engineering (Cont.)
      Done at least annually
      Ensure an adequate sample size for testing
      Ensure scope is up to today's standards
  • 45. Common Mistakes in IT Mgmt.
      Lack of good documentation
      No BoD / upper mgmt. involvement
      Succession issues
      Reactionary environment
      Proper backup procedures
  • 46. Examiner 'Requests'
      Closed-loop documentation process
      Board sign-off/approval
      Annual IT audits
      Updated BCPs / BSA risk assessments
      Penetration tests?
  • 47. Reminders
      We're here to help!
      Don't jump into new tech. head first
      Ensure adequate cross-training
      Document everything!
  • 48. Thanks for the time.
      If you have any questions feel free to contact me:
         Our Blog: http://blog.thegarlandgroup.net
         Banktastic: http://banktastic.com
      Brad Garland, CEO, The Garland Group, 972.429.8200