#202587 - 06/22/04 02:17 PM
Re: Pending FDIC IT Exam
10K Club
Joined: Aug 2002
Posts: 34,318
under the Lone Star
And there are so few "subject matter experts" that run these exams. I believe the FDIC has only one "big bank" examiner in charge for Texas. The rating system for big banks can also be very mysterious. It is a cottage industry at the FDIC. Most of the IT examiners came out of the safety and soundness side of the business. We like our examiner in charge; he has been very helpful in applying the IT booklets to our operation. Charles, are you listening? We really love IT exams.
_________________________
Societies that do not find work in and of itself "pleasing to God and requisite to Man," tend to be highly corrupt.
#202589 - 06/22/04 03:38 PM
Re: Pending FDIC IT Exam
100 Club
Joined: Oct 2001
Posts: 120
If you are an "in-house" bank, where you do all your own processing and develop most or any of your software in-house and this is going to be your first full-blown IT exam - hold on tight, it is going to be a bumpy ride. FDIC IT exams however are much smoother than State Dept. of Banking exams. The guys with our Texas Dept. of Banking really know what they are doing and looking for - in other words, you can't "BS" them with a lot of techno-jargon.
#202591 - 06/22/04 06:17 PM
Re: Pending FDIC IT Exam
100 Club
Joined: Oct 2001
Posts: 120
Believe me, it can get a lot worse. We had just spent several thousand dollars setting up a state-of-the-art training room with multiple wireless computers. We also had tight access controls over the room, the computers and the programs that run on each computer. In the end, we had to go "backwards" and wire everything per the examiners.
#202592 - 06/22/04 06:51 PM
Re: Pending FDIC IT Exam
Anonymous
Unregistered
You both seem surprised by the enhanced focus on technological controls. Seemingly, as managers of the technology, you should have a fair grasp on the realities of the vulnerabilities of your systems and processes. It should not have to take an examiner to point out to you where you are lacking. That's why it is important to have a thorough IT audit by a qualified and independent 3rd party before the examiners get there.
In the world of industry best practices for IT and Information security, the Federal regulatory agencies rate about a 6 on a scale of 10 relating to the rigorousness of their examinations and knowledge of and requisite for controls.
I (probably for one) am happy to see that the examiners are doing their jobs – a telephone wiring closet is a perfect place to intercept and disrupt Bank communications, especially if you are running Voice over IP. Wireless? Were you encrypting your radio signal? Hopefully using WPA. Physical access controls don’t really apply to wireless communications systems anymore, as I could intercept all of your network traffic - capturing non-public customer info from blocks away – not to mention using your wireless access point for a launch point for malicious deeds.
It’s a good thing that examiners are probing deeper.
-g
#202594 - 06/23/04 12:36 AM
Re: Pending FDIC IT Exam
Anonymous
Unregistered
nice clarification. i agree.
-g
#202595 - 06/23/04 04:43 PM
Re: Pending FDIC IT Exam
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:
If you are an "in-house" bank ...
Paragon and Don have alluded to points that affect all of us in our organizations' ongoing day-to-day administration, oversight, and testing of technology controls. The problem comes down to the changing dynamics of controls, as well as just how these control practices are assessed by the bank supervisors.
Not to pick on Susy, but even the quote cited above could almost be said to be obsolete. When you think of it, there really is no total "in-house" institution anymore. My organization has IBM enterprise servers that replaced IBM 30XX. However, we actually have the controlling routers (that act as the "gateway") outsourced to a small Massachusetts network routing company. Our firewall, IDS and virus eradication system was outsourced to a third-party vendor, and some of our bank employees actually went to work for that firm. Our call center's 10-server telephony integration platform is hosted by a third party vendor.
With these rapidly changing and interwoven architectures, I am hoping that the examiners will see that we are managing the controls, access points, and emergency response steps to our overall enterprise, instead of trying to fit us into a box that resembles the old "in-house" processor model or "servicer" model.
To make it easy, I have a complete architectural schematic of all the platforms, where they're hosted, what the access control routine is for each, and what the recovery and restoration process is for each.
It's not easy anymore.
#202596 - 06/23/04 05:26 PM
Re: Pending FDIC IT Exam
Diamond Poster
Joined: Dec 2003
Posts: 2,164
Well said. Managing and controlling IT can be compared to the worst-case scenarios within Disaster Recovery, in that you can plan to manage all the ‘normal’ disasters, e.g. fire, theft, flooding, etc. but you cannot plan to manage all disaster scenarios, e.g. Atom Bomb, Comet, etc. Within IT, it appears that each bank is being required to plan to manage all possible IT ‘events’ with possible events being added on a regular basis. It’s almost like IT is an unstructured environment, but it’s actually highly structured, but subject to ‘input’ from unstructured sources, such as hackers.
In-house or outsourced, we are connected to the world and the world is a very scary place, IT wise.
#202597 - 06/25/04 03:47 PM
Re: Pending FDIC IT Exam
New Poster
Joined: Jun 2004
Posts: 14
Parts Unknown
Having just completed an OCC IT Audit and an external IT Audit I'm glad it's over for now.
::Removed Link::
Please feel free to ask me anything.
Last edited by Jim Pankey; 06/26/04 05:44 AM.
#202599 - 06/26/04 02:11 AM
Re: Pending FDIC IT Exam
Anonymous
Unregistered
Quote:
Now that is one of the most useful and insightful documents that I've ever seen posted on BOL.
I don’t agree.
Whether or not the document technically meets the minimum FFIEC standards for a Risk Assessment (I believe it does not), the poster has revealed a substantial amount of intelligence about his Bank’s IT, his own personal profile, the name of the person and firm that assisted in completing the document, and the Bank name as well as a few other tasty items in an open, global and public forum. It is this type of intelligence that can be used to spawn malicious events towards the Bank.
Heck, the fact that this sensitive Risk Assessment document was posted on the Internet should be a line item in the Risk Assessment itself.
At the minimum, the poster has probably violated his Bank’s Information Security Program, Confidentiality Agreement, and Acceptable Use Agreement by posting a “Bank Confidential” document on the Internet without sanitizing it.
I don’t think this sets a good example or precedent.
-g
#202600 - 06/26/04 05:37 AM
Re: Pending FDIC IT Exam
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:
Now that is one of the most useful and insightful documents that I've ever seen posted on BOL.
Thanks, Jim.
I wholeheartedly agree with you, Paragon. The information was a very helpful grid for a self-assessment.
The anonymous comment stating that there is risk in presenting this risk matrix is incorrect. The information presented in the Risk Matrix did not reveal any information that would expose either the poster or his institution to risk by virtue of the information shown. The information shown was not the type of data that would permit a high-risk exposure -- such as if he had shown port telephone numbers, PBX central-dial numbers, or other call management numbers that a hacker could use to employ an auto-dialer device. The risk matrix did not reveal any public-network connection numbers, protocols, login sequences, or naming conventions -- the type of drill-down information that would be needed to forge an attack.
If one goes to www.gao.gov and clicks Today's Reports, there are literally hundreds of IT audits and IT security reviews of the highest-risk nature worldwide. These reports do reveal in great detail much more than should be revealed on a public-access network. If one goes to AuditNet, there are hundreds of reports of bank IT audits that can be downloaded. Ditto for IIA and ISACA.
The information discussed in the above-shown risk matrix was meant to be helpful, it was helpful, and, as Paragon correctly observed, this dialogue sharing is what the BOL threads are intended for.
If someone doesn't agree, then they should tell us, specifically, what the exact exposure is, including what information shown on the risk matrix contributed to the exact exposure.
#202601 - 06/26/04 05:43 AM
Re: Pending FDIC IT Exam
New Poster
Joined: Jun 2004
Posts: 14
Parts Unknown
"..meets the minimum FFIEC standards for a Risk Assessment (I believe it does not)..."
You're most likely right. It was merely a tool to assist in creating our Risk Assessment.
"...revealed a substantial amount of intelligence..."
Yes, there are some things revealed here. Just how substantial? I feel that the items here are pretty generic for most banks seeing as it was a generic matrix to begin with.
I'll be glad to share my experiences, but have since pulled the document and replaced it with a "blank" matrix. Maybe someone may be able to benefit from it.
Risk Matrix Worksheet
"g", Thanks for your insight. It is truly appreciated.
Last edited by Jim Pankey; 06/26/04 06:00 AM.
#202603 - 06/29/04 04:29 PM
Re: Pending FDIC IT Exam
Anonymous
Unregistered
Quote:
The anonymous comment stating that there is risk by presenting this risk matrix is incorrect.
It does not matter whether or not this person or that person “thinks” that there was any sensitive information in the original document, (I applaud Jim for sanitizing it). The document contained enough information to add to a composite profile of information about that Bank’s IT that isn’t available anywhere else. This information can be used against the Bank or its employees in a variety of ways. The information is sensitive and should be classified as such.
The logic for this is:
* Organizations should have Information Security Programs (GLB requires it).
* The Information Security Program should classify information based on its contents and sensitivity and risks of exposure.
* This classification system then determines what handling procedures, if any, are applied to the different classifications based on the risk.
* Low risk documents (e.g. public info) require no handling procedures.
* High risk documents (e.g. internal/external audits, risk assessments, systems/vendor information, customer information, HR information) require the most stringent. This includes labeling the document as to its classification and sensitivity, and restricting its distribution.
* Management should enforce this through periodic assessments, audits, and acceptable use agreements.
-g
#202605 - 06/29/04 05:35 PM
Re: Pending FDIC IT Exam
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:
The document contained enough information to add to a composite profile of information about that Bank’s IT that isn’t available anywhere else.
We can all simply agree to amicably disagree. We'll leave at that.
The matrix that Jim displayed was just that -- a matrix; a mold that he uses as a guide for gathering information from 11 areas in which he has identified various items, a plausible risk for each item, a risk level, and a suggested control method for each identified item.
Nowhere is any "profile" information shown that would give the reader any indication as to the scope of processing, the size of the institution, the types of computing platforms, the nature of the network, the number of users, the number of affected employees, the workstation equipment, where the bank is headquartered, whether the platforms are bank platforms or third parties, or any other data that, if deciphered, could pose risk.
Banking is about taking risks and accurately assessing and identifying where risk is and is not. We accurately evaluate credit risk and replenish our loan-loss reserve accordingly; we accurately detect financial and investment risk, and we hedge where interest rate risk has accurately been identified. We also accurately identify technology risk, and we establish measures to mitigate these risks so as to complement the business process and enhance earnings.
Elevating risk where there is none is no better than not identifying risk in the first place. The key criterion is accuracy.
Nothing shown by Jim posed any level of risk. If anyone thinks otherwise, then I challenge them to identify for me from the matrix the port telephone numbers of any controllers located at Jim's bank; identify the equipment -- any equipment -- at Jim's bank; identify the location(s) of the principal data processing sites of Jim's bank; identify the number of users; identify the security systems used (i.e., RACF, CA-ACF2, CA-TopSecret), the IDS, firewalls, etc. If anyone can do this, then PM me. I will buy you a car once you provide me with the port numbers and we've verified them.
Frankly, I don't even see Jim's bank named anywhere. So you'll have to call him or PM him first.
So far, nobody has identified the specific risk, but only discussed generalized procedural and regulatory-driven issuances purporting to say that Jim can't post the matrix. As I said above, we will agree to disagree as to Jim's matrix posing any risk to his institution.
#202606 - 06/30/04 04:32 PM
Re: Pending FDIC IT Exam
Anonymous
Unregistered
Quote:
So far, nobody has identified the specific risk, but only discussed generalized procedural and regulatory-driven issuances purporting to say that Jim can't post the matrix. As I said above, we will agree to disagree as to Jim's matrix posing any risk to his institution.
It would be ethically inappropriate to post system or Infosec vulnerabilities in an open Internet forum such as this or to PM them to an unauthorized party.
I have privately forwarded to Jim my analysis of his original document, the sensitive information contained therein, and the vulnerabilities it creates to his Bank and the employees. Jim can decide if he wants to share with this group.
-g
#202607 - 06/30/04 06:20 PM
Re: Pending FDIC IT Exam
Gold Star
Joined: May 2004
Posts: 274
New England
We understand. This is a graceful way of saying you have nothing of substance, there are no cogent risk issues, and you can't admit that. Otherwise, you would PM me or Paragon -- both registered posters -- with your so-called "analysis".
The biggest risk at all is not with Jim or his matrix; the real risk is that we have an anonymous poster identifying him/herself with a small g preceded by a hyphen who wants to opine about unknown risks.
If there is substance to your analysis, then send it to me. I'm registered, and I raised the challenge to you, not Jim.
#202608 - 07/01/04 03:42 AM
Re: Pending FDIC IT Exam
New Poster
Joined: Jun 2004
Posts: 14
Parts Unknown
I won't go point by point with the items that were suggested to be a risk, but I feel much of what's there could be ascertained without having the document I posted. I do feel that one having some banking experience should be able to relate to and be aware of how banks work. Knowing the location of my branches isn't that difficult, nor is knowing we've recently built an operations facility.
The thing I saw that was probably the most problematic was identifying the company that does our processing. Of course it wouldn't take many guesses to figure that one out - especially if I blabbed that we don't process our own data.
Another concern that "-g" had was the amount of information about me available on the web. There's a lot, most of it out there by my own design. I'm not good at being anonymous. Having that information available from these posts here on BOL could pose a risk. Of course the fact that I work at a bank poses a risk...
"-g" had some good points, especially from his very conservative approach to IT Security. I took notes.
Thanks.
#202609 - 07/01/04 02:15 PM
Re: Pending FDIC IT Exam
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:
... but I feel much of what's there could be ascertained without having the document I posted. I'm not good at being anonymous.
This is precisely the point raised in Paragon's posts and in my previous posts, which is that the matrix, standing alone, was not a document elevating any level of risk to you or your institution.
That the third-party processor used by your institution might be named is irrelevant. No third-party processor, mortgage loan servicer, technology application service provider, or any other third party technology vendor -- all of whom are required to undergo rigorous FFIEC/MDPS IT examinations (as long as they want to continue to have banks as customers) -- is going to be penetrated simply because it might be named on a matrix. In fact, if it is a third party transaction servicer to banks, it won't be penetrated because it will have detail penetration testing, documented, and reviewed during FFIEC interagency or MDPS examinations. Therefore, it is wasteful to even discuss such irrelevancies.
That this anonymous individual "-g" indicates that other information about each of us, as revealed on these threads and throughout this web site, can pose risk by promoting hints to our identities is the only issue that I will concede as being correct. However, as Paragon alluded to above, it is the level of trust, the friendships, and the longer-term recognition of each registered poster that gives us a comfort level with recognized posters and permits us to contribute, to share, and to get helpful hints.
Using -g's argument, if I were to conduct a Google search on many of the BOL posters throughout these threads -- many of whom you will note have their names, titles, banks, and some with e-mails, cited as part of each of their postings -- I would be able, through social-engineered research, to locate a great deal about the processing of their employer. But what would be the point?
As I noted previously, and I'll continue to maintain, that the real risk on this specific thread is that we have for so long allowed an anonymous poster using the moniker "-g" to tell registered posters why these registered posters should not post too much about themselves, etc. Failing to register is not only counterproductive, but it is a sign that you do not want to leave even a scintilla of an audit trail as to who you are, and where you could be reached. There are examiners who register; there are IT executives who register; there are Big 4 audit partners who register.
-g should register, or he should be ignored for what he is -- an anonymous poster who would agree with me that anonymous posters discussing purported solutions to technology risk are the greatest risk to us all.