2. What are we doing here?
Where FIs & IT meet
Regulators & What they do
Technology Controls Review
Process
Goal: Provide better service to your clients
The Garland Group
3. Introductions
Name
Position
Tenure at CalTech
Previous Experience
4. The Garland Group
Compliance, Security & Web Services firm
Founded in 1981
Based out of Dallas, Texas
Over 75 clients
5. Our Services
FFIEC Technology Audits
Risk Assessments
Penetration Testing / Vulnerability Assessments
Social Engineering
Bank Core System Selections
6. Sizing up a Financial Institution
< $25 Million - Small Community Bank
Start-up or de novo status
Couple of branches
No IT staff
$25 - $250 Million - Midsize Community Bank
Normally still local footprint
1-10 branches
Maybe 1 IT person
7. Sizing up a Financial Institution
$250 Million - $1 Billion - Medium Bank
More Regional
5-15 branches
Maybe 1-2 IT staff
> $1 Billion - Large Bank
May cross state lines
Lots of branches
Normally dedicated IT staff
8. FI Infrastructures
What’s out there?
What kind of support do these systems get?
Internal/External?
Where do we fit in?
9. Infrastructures
Windows, Novell, Unix, Mac and hybrid environments
Fat clients or Thin clients?
Communications
T1 Hub/Spoke
MPLS
VoIP
Security
Development Shops
10. Infrastructures
How do you help to support:
Check/Item Processing
E-Banking / Websites
Document Imaging
Merchant Capture
Mobile Payments
12. Core Processors
Run on a variety of mainframe-like systems
AS/400
Unix
Linux
13. Core Processors
What does a core processor do?
In-house or Outsourced install?
Who supports it?
User Mgmt.
Updates/Patches
Backups
Regulatory Hurdles
14. Core from an Audit perspective
User Lists
Not just from an application level
Who controls ‘root’? QSECOFR?
Who monitors...
System-level changes? ALLOBJ authority?
Access Logs?
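An added audit helper (example code, not the Garland Group's or any core vendor's tool) that works the user-list questions on this slide over a constructed AS/400-style profile export: it lists enabled profiles holding system-level special authority such as ALLOBJ and flags those that also look dormant. The CSV layout, column names and sample profiles are assumptions made for the example.

```python
import csv
import io
from datetime import date

# Constructed sample user-list export (not real bank data). The column names
# are assumptions for this example, not the system's own field names.
SAMPLE_USER_LIST = """\
profile,status,special_authority,group,last_signon
QSECOFR,*ENABLED,*ALLOBJ *SECADM *JOBCTL,*NONE,2009-03-01
JSMITH,*ENABLED,*NONE,TELLERS,2009-03-02
VENDORSUP,*ENABLED,*ALLOBJ *SERVICE,*NONE,2008-06-15
OLDADMIN,*ENABLED,*ALLOBJ,*NONE,2007-11-30
MJONES,*DISABLED,*SECADM,OPERATORS,2008-12-01
"""

# Special authorities that amount to system-level ("root") control on IBM i;
# *ALLOBJ is the one the slide names, the rest are standard IBM i authorities.
SYSTEM_LEVEL = {"*ALLOBJ", "*SECADM", "*SERVICE", "*AUDIT"}
AS_OF = date(2009, 3, 15)  # constructed "today" for the sample export


def parse_user_list(text):
    """Parse the CSV export into one dict per profile."""
    return list(csv.DictReader(io.StringIO(text)))


def is_enabled(user):
    return user["status"].upper() == "*ENABLED"


def find_privileged(users):
    """Enabled profiles holding any system-level special authority."""
    return [u["profile"] for u in users
            if is_enabled(u)
            and SYSTEM_LEVEL & set(u["special_authority"].split())]


def find_stale(users, as_of, max_days=90):
    """Enabled profiles with no sign-on in the last max_days (dormant accounts)."""
    return [u["profile"] for u in users
            if is_enabled(u)
            and (as_of - date.fromisoformat(u["last_signon"])).days > max_days]


def audit_findings(text, as_of):
    """Who holds system-level authority, and which of those look abandoned."""
    users = parse_user_list(text)
    privileged = find_privileged(users)
    stale = set(find_stale(users, as_of))
    return {"privileged": privileged,
            "stale_privileged": [p for p in privileged if p in stale]}
```

Disabled profiles are skipped on purpose: the finding an examiner cares about is an enabled, system-level profile nobody has used, such as a vendor support account left over from an install.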
15. What’s the best setup for a bank?
Which ‘Core’?
In-house/Outsourced?
Fat/Thin Clients?
T1s / MPLS?
Dedicated IT staff?
Development?
17. Who Regulates Whom?
FDIC - State chartered banks
OCC - Nationally chartered banks
OTS - Savings banks
NCUA - Credit unions
18. Our Technology Controls Review Process
Review of all booklets of the FFIEC
Generate ‘Recommendations’ based on gaps
Bank Mgmt. responds
Final Report
Executive Summary
FFIEC Report
IT Risk Assessment
19. FFIEC - Federal Financial Institutions Examination Council
Formal interagency council
Consists of all regulatory bodies
Creates guidance for topics such as:
Mortgages
Bank Secrecy Act/AML
Info. Technology
20. FFIEC IT Exam Handbooks
12 Booklets
Does not just cover IT
2001 edition replaced the previous 1996 version
All have been updated in 2003 or later
Ongoing Development
21. FFIEC Handbooks
Audit
Business Continuity Planning
Development & Acquisition
E-Banking
FedLine
Information Security
Management
Operations
Outsourcing Technology Services
Retail Payment Systems
Supervision of Technology Service Providers
Wholesale Payment Systems
22. Audit
Major items in this section are:
Audit Schedule
Audit Committee Minutes
Risk Assessments Conducted
Proper Audit Follow-up
Interim IT Audit work
23. Management
Major items in this section are:
Reviewing BoD / IT Steering Minutes
Policy/Procedure Approvals by BoD
Succession Planning
Strategic Planning
IT Budgeting
Contract/Insurance Review
24. Board Reporting
Most FIs have an IT Steering Committee and an Audit Committee
These committees should drive functions and make decisions
They are also the vessel for reporting to the Board on the status of the bank
You may be asked to participate in these committees
The Board has ultimate responsibility for everything within the bank
25. IT Steering Committee
Approve major vendors (Core providers, IT support, etc.)
Approve major purchases, usually over a set dollar limit
Review logs and reports from the network
Approve IT audits, Penetration tests, Vulnerability Scans
Sometimes serve as a project management committee
26. Audit Committee
Review all audit reports from IT, BSA, Teller, Regulators, etc.
Approve audit frequencies, scopes and methodologies
Usually all Board members on the committee
Approves audit vendors
27. Business Continuity Plan
Major items in this section include:
Review of BCP/DR Plan
Backup Procedures
Shutdown Procedures
Offsite Storage
DR Agreements & Testing
28. Operations
Major items in this section include:
Item Processing workflow process
In-house/Outsourced?
Branch/Teller Capture?
Daily Run Sheets
Physical Security
Training
Courier Agreements
29. Development & Acquisition
Major items in this section include:
D&A Policy/Procedures
Project Management Methodology
Change Management
Source Code Escrow Agreements
Programming Methodology
Development Meeting Minutes
30. Outsourcing IT Services
Vendor Management
Updated Contracts with each vendor
GLBA Wording in Contracts
Proper ‘Due Diligence’ performed on critical vendors
31. E-Banking
Major items in this section include:
Policy/Procedures
Security Reports / What’s reviewed? Who sees it?
Website Change Management
Proper Privacy Statements & Logos on website
32. Retail Payment Systems
Major items in this section include:
ATM Balancing / Reconciliation processes
Agreements for 3rd party ATM vendors
ACH Policy/Procedures
Review ACH Originators & Agreements
Submitting ACH payments (via Web or FedAdvantage)
33. FedLine/FedAdvantage
Major items in this section include:
Proper control of users who access the Fed System
Segregated Duties / Enter & Verify
How they receive Wire requests
Approval / Callback Procedures
34. Information Security
Major items in this section include:
Information Security Program
User Administration Rules
Password Policy
System Policy
Screensaver Policy
35. Information Security - Cont.
Network Diagram - Up to date?
Recent Security Testing / Breaches
Security Monitoring
Hardware/Software Inventory & Licenses
Use of Laptops? Secured? How?
Remote Access
What logs are kept?
Wireless
36. Technology Service Provider
Major items in this section include:
Review of vendor agreements
Any major planned projects/development?
Financial Stability of Vendor
SAS 70s
37. Wholesale Payment System
Major items in this section include:
Large bank-to-bank transactions
Proper agreements in place between FIs
CHIPS procedures
Large payment system owned by many FIs to transfer large payment orders
38. Other Regulatory Guidance
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley (SOX)
Control Objectives for Information and related Technology (CobiT)
ISO 17799
39. Preparing for Exam/IT Audit
What they are going to need from you:
Help with producing documentation for their examiners/auditors
Network Diagrams
Password Policy (Active Directory)
User Lists
Firewall/Router Configs
40. Security Services
Penetration Testing
Vulnerability Assessments
Social Engineering
41. Penetration Testing
Required by ‘some’ examiners
Testing normally done annually
Scan ports and check for any major exploits
42. Vulnerability Assessments
Testing done internal to the network
Scanning for unauthorized access points, mesh networks, exposed/exploited systems
Done at least annually
43. Social Engineering
Our scope includes:
Internet Recon.
Dumpster Diving
Phone Testing
Email Testing
In-Person Testing
44. Social Engineering (Cont.)
Done at least annually
Ensure an adequate sample size for testing
Ensure scope is up to today’s standards
45. Common Mistakes in IT Mgmt.
Lack of good documentation
No BoD/Upper Mgmt. involvement
Succession issues
Reactionary environment
Proper backup procedures
46. Examiner ‘Requests’
Closed-loop documentation process
Board sign-off/approval
Annual IT Audits
Updated BCPs/BSA risk assessments
Penetration tests?
47. Reminders
We’re here to help!
Don’t jump into new tech. head first
Ensure adequate cross-training
Document Everything!
48. Thanks for the time.
If you have any questions feel free to contact me:
Our Blog: http://blog.thegarlandgroup.net
Banktastic: http://banktastic.com
Brad Garland
CEO
972.429.8200
The Garland Group