BOL Conferences
#202586 - 06/22/04 12:06 AM Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
Yes, they are on the way - end of next month.

This year they want every PC listed, including manufacturer, Model, O/S system and version.

IT has become a really big deal, exam wise. The FDIC has obviously placed it in the very high risk category.

This should be another interesting exam.

#202587 - 06/22/04 02:17 PM Re: Pending FDIC IT Exam
Pale Rider Offline
10K Club
Pale Rider
Joined: Aug 2002
Posts: 34,318
under the Lone Star
And there are so few "subject matter experts" that run these exams. I believe the FDIC has only one "big bank" examiner in charge for Texas. The rating system for big banks can also be very mysterious. It is a cottage industry at the FDIC. Most of the IT examiners came out of the safety and soundness side of the business. We like our examiner in charge; he has been very helpful in applying the IT booklets to our operation. Charles, are you listening? We really love IT exams.
_________________________
Societies that do not find work in and of itself "pleasing to God and requisite to Man," tend to be highly corrupt.


#202588 - 06/22/04 03:28 PM Re: Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
Right on the money. It seems that IT is a cottage industry on both sides - the FDIC and those that offer IT audit services to financial institutions.

This time around, one of the questions is: "What percentage of customer has e-banking access?" Also: "What percentage of customers use e-banking access." The first question is easy with the answer to the second question something to ponder. I don't think that "Why do you want to know?" will work. Does 'use' cover a day, a week, a month, a year? Since some customers don't use it that often, how should they be factored in? Unfortunately, the use percentage is not tracked, but it looks like it needs to be. But, based on what parameters?

#202589 - 06/22/04 03:38 PM Re: Pending FDIC IT Exam
SusyG Offline
100 Club
Joined: Oct 2001
Posts: 120
If you are an "in-house" bank, where you do all your own processing and develop most or any of your software in-house and this is going to be your first full-blown IT exam - hold on tight, it is going to be a bumpy ride. FDIC IT exams however are much smoother than State Dept. of Banking exams. The guys with our Texas Dept. of Banking really know what they are doing and looking for - in other words, you can't "BS" them with a lot of techno-jargon.

#202590 - 06/22/04 05:59 PM Re: Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
Thank God - we are not in-house. It's an FDIC/State joint exam.

IT has really become a strange area to manage in that it seems like someone is making up stuff to audit every other day. One must now consider every possibility. For example, in our situation, the telephone 'wiring' is in an area that is not secure. There is now a question being asked covering the securing of telephone wiring. One demerit for sure.

#202591 - 06/22/04 06:17 PM Re: Pending FDIC IT Exam
SusyG Offline
100 Club
Joined: Oct 2001
Posts: 120
Believe me, it can get a lot worse. We had just spent several thousand dollars setting up a state-of-the-art training room with multiple wireless computers. We also had tight access controls over the room, the computers and the programs that run on each computer. In the end, we had to go "backwards" and wire everything per examiners.

#202592 - 06/22/04 06:51 PM Re: Pending FDIC IT Exam
Anonymous
Unregistered

You both seem surprised by the enhanced focus on technological controls. Seemingly, as managers of the technology, you should have a fair grasp on the realities of vulnerabilities of your systems and processes. It should not have to take an examiner to point out to you where you are lacking. That's why it is important to have a thorough IT audit by a qualified and independent 3rd party before the examiners get there.

In the world of industry best practices for IT and Information security, the Federal regulatory agencies rate about a 6 on a scale of 10 relating to the rigorousness of their examinations and knowledge of and requisite for controls.

I (probably for one) am happy to see that the examiners are doing their jobs – a telephone wiring closet is a perfect place to intercept and disrupt Bank communications, especially if you are running Voice over IP. Wireless? Were you encrypting your radio signal? Hopefully using WPA. Physical access controls don’t really apply to wireless communications systems anymore, as I could intercept all of your network traffic - capturing non-public customer info from blocks away – not to mention using your wireless access point for a launch point for malicious deeds.

It’s a good thing that examiners are probing deeper.

-g

#202593 - 06/22/04 09:30 PM Re: Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
I don't think that anyone is doubting that the examiners are on the right track, but more than a few of us have IT as just one hat to wear. A bank needs to be almost mid-size to have real IT expertise on staff and keeping that person from jumping ship becomes the issue at that point.

Regulators may rate a 6, but in a reasonably small bank environment, the IT area is also about a six as the required level of expertise is outpacing the level of expertise and funds that are required to keep up. Not only must everything be secure, one needs to meet with management and the board about every fourth minute of the day to discuss that fact.

Of course, the worst part of IT management is dealing with staffers that don't have a clue about PCs and software. When something happens, the IT person must deliver instant results.

#202594 - 06/23/04 12:36 AM Re: Pending FDIC IT Exam
Anonymous
Unregistered

Nice clarification. I agree.

-g

#202595 - 06/23/04 04:43 PM Re: Pending FDIC IT Exam
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:

If you are an "in-house" bank ...

Paragon and Don have alluded to points that affect all of us in our organizations' ongoing day-to-day administration, oversight, and testing of technology controls. The problem comes down to the changing dynamics of controls, as well as just how these control practices are assessed by the bank supervisors.

Not to pick on Susy, but even the quote cited above could almost be said to be obsolete. When you think of it, there really is no total "in-house" institution anymore. My organization has IBM enterprise servers that replaced IBM 30XX. However, we actually have the controlling routers (that act as the "gateway") outsourced to a small Massachusetts network routing company. Our firewall, IDS and virus eradication system was outsourced to a third-party vendor, and some of our bank employees actually went to work for that firm. Our call center's 10-server telephony integration platform is hosted by a third party vendor.

With these rapidly changing and interwoven architectures, I am hoping that the examiners will see that we are managing the controls, access points, and emergency response steps to our overall enterprise, instead of trying to fit us into a box that resembles the old "in-house" processor model or "servicer" model.

To make it easy, I have a complete architectural schematic of all the platforms, where they're hosted, what the access control routine is for each, and what the recovery and restoration process is for each.

It's not easy anymore.

#202596 - 06/23/04 05:26 PM Re: Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
Well said. Managing and controlling IT can be compared to the worst-case scenarios within Disaster Recovery, in that you can plan to manage all the ‘normal’ disasters, e.g. fire, theft, flooding, etc. but you cannot plan to manage all disaster scenarios, e.g. Atom Bomb, Comet, etc. Within IT, it appears that each bank is being required to plan to manage all possible IT ‘events’ with possible events being added on a regular basis. It’s almost like IT is an unstructured environment, but it’s actually highly structured, but subject to ‘input’ from unstructured sources, such as hackers.

In-house or outsourced, we are connected to the world and the world is a very scary place, IT wise.

#202597 - 06/25/04 03:47 PM Re: Pending FDIC IT Exam
Wild Jimbo Offline
New Poster
Joined: Jun 2004
Posts: 14
Parts Unknown
Having just completed an OCC IT Audit and an external IT Audit I'm glad it's over for now.

::Removed Link::

Please feel free to ask me anything.
Last edited by Jim Pankey; 06/26/04 05:44 AM.
#202598 - 06/25/04 10:22 PM Re: Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
Now that is one of the most useful and insightful documents that I've ever seen posted on BOL.

Thanks, Jim.

#202599 - 06/26/04 02:11 AM Re: Pending FDIC IT Exam
Anonymous
Unregistered

Quote:

Now that is one of the most useful and insightful documents that I've ever seen posted on BOL.

I don't agree.

Whether or not the document technically meets the minimum FFIEC standards for a Risk Assessment (I believe it does not), the poster has revealed a substantial amount of intelligence about his Bank’s IT, his own personal profile, the name of the person and firm that assisted in completing the document, and the Bank name as well as a few other tasty items in an open, global and public forum. It is this type of intelligence that can be used to spawn malicious events towards the Bank.

Heck, the fact that this sensitive Risk Assessment document was posted on the Internet should be a line item in the Risk Assessment itself.

At the minimum, the poster has probably violated his Bank’s Information Security Program, Confidentiality Agreement, and Acceptable Use Agreement by posting a “Bank Confidential” document on the Internet without sanitizing it.

I don’t think this sets a good example or precedent.

-g

#202600 - 06/26/04 05:37 AM Re: Pending FDIC IT Exam
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:

Now that is one of the most useful and insightful documents that I've ever seen posted on BOL.

Thanks, Jim.

I wholeheartedly agree with you, Paragon. The information was a very helpful grid for a self-assessment.

The anonymous comment stating that there is risk by presenting this risk matrix is incorrect.

The information presented in the Risk Matrix did not reveal any information that would expose either the poster or his institution to risk by virtue of the information shown. The information shown was not the type of data that would permit a high-risk exposure -- such as if he had shown port telephone numbers, PBX central-dial numbers, or other call management numbers that a hacker could use to employ an auto-dialer device. The risk matrix did not reveal any public-network connection numbers, protocols, login sequences, or naming conventions -- the type of drill-down information that would be needed to forge an attack.

If one goes to www.gao.gov and clicks Today's Reports, there are literally hundreds of IT audits and IT security reviews of the highest-risk nature worldwide. These reports do reveal in great detail much more than should be revealed on a public-access network. If one goes to AuditNet, there are hundreds of reports of bank IT audits that can be downloaded. Ditto for IIA and ISACA.

The information discussed in the above-shown risk matrix was meant to be helpful, it was helpful, and, as Paragon correctly observed, this dialogue sharing is what the BOL threads are intended for.

If someone doesn't agree, then they should tell us, specifically, what the exact exposure is, including what information shown on the risk matrix contributed to the exact exposure.

#202601 - 06/26/04 05:43 AM Re: Pending FDIC IT Exam
Wild Jimbo Offline
New Poster
Joined: Jun 2004
Posts: 14
Parts Unknown
"..meets the minimum FFIEC standards for a Risk Assessment (I believe it does not)..."

You're most likely right. It was merely a tool to assist in creating our Risk Assessment.

"...revealed a substantial amount of intelligence..."

Yes, there are some things revealed here. Just how substantial? I feel that the items here are pretty generic for most banks seeing as it was a generic matrix to begin with.

I'll be glad to share my experiences, but have since pulled the document and replaced it with a "blank" matrix. Maybe someone may be able to benefit from it.
Risk Matrix Worksheet

"g", Thanks for your insight. It is truly appreciated.
Last edited by Jim Pankey; 06/26/04 06:00 AM.
#202602 - 06/28/04 03:35 PM Re: Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
Quote:

Now that is one of the most useful and insightful documents that I've ever seen posted on BOL.

Quote:

I don't agree.

Actually, my statement is not open to agreement or disagreement. It's all about me and what I've seen and not about you and what you've seen.

Now the remaining part of your post is interesting, but I must disagree. There is nothing revealing, from a security point of view, just steps that have been taken to address various issues. The same information can be gleaned from BOL threads and on the web – both the issues and the steps to consider taking to resolve the issues. Therefore, there is nothing included that would be helpful to the outside world that cannot be secured by other means. On the other hand, it’s an excellent list of issues and relevant responses to those issues. It’s seldom that anyone posts their work on BOL – this document is helpful and insightful with the insight being the method used to put the information on paper as part of an overall presentation of the issues.

#202603 - 06/29/04 04:29 PM Re: Pending FDIC IT Exam
Anonymous
Unregistered

Quote:

The anonymous comment stating that there is risk by presenting this risk matrix is incorrect.

It does not matter whether or not this person or that person "thinks" that there was any sensitive information in the original document (I applaud Jim for sanitizing it). The document contained enough information to add to a composite profile of information about that Bank's IT that isn't available anywhere else. This information can be used against the Bank or its employees in a variety of ways. The information is sensitive and should be classified as such.

The logic for this is:
* Organizations should have Information Security Programs – (GLB requires it).
* The Information Security Program should classify information based on its contents and sensitivity and risks of exposure.
* This classification system then determines what handling procedures, if any, are applied to the different classifications based on the risk.
* Low risk documents (e.g. Public info) require no handling procedures.
* High risk documents (e.g. internal/external audits, risk assessments, systems/vendor information, customer information, HR information) require the most stringent. This includes labeling the document as to its classification and sensitivity, and restricting its distribution.
* Management should enforce this through periodic assessments, audits, and acceptable use agreements.

-g

#202604 - 06/29/04 05:21 PM Re: Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
Quote:

This information can be used against the Bank or its employees in a variety of ways. The information is sensitive and should be classified as such.

The logic for this is:

Logic - what logic? If you have the original posting with the steps taken noted, what specifically was posted that was sensitive? And, if you come up with an example - how can it be used against the bank or its employees?

#202605 - 06/29/04 05:35 PM Re: Pending FDIC IT Exam
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:

The document contained enough information to add to a composite profile of information about that Bank's IT that isn't available anywhere else.

We can all simply agree to amicably disagree. We'll leave it at that.

The matrix that Jim displayed was just that -- a matrix; a mold that he uses as a guide for gathering information from 11 areas in which he has identified various items, a plausible risk for each item, a risk level, and a suggested control method for each identified item.

Nowhere is any "profile" information shown that would give the reader any indication as to the scope of processing, the size of the institution, the types of computing platforms, the nature of the network, the number of users, the number of affected employees, the workstation equipment, where the bank is headquartered, whether the platforms are bank platforms or third parties, or any other data that, if deciphered, could pose risk.

Banking is about taking risks and accurately assessing and identifying where risk is and is not. We accurately evaluate credit risk and replenish our loan-loss reserve accordingly; we accurately detect financial and investment risk, and we hedge where interest rate risk has accurately been identified. We also accurately identify technology risk, and we establish measures to mitigate these risks so as to complement the business process and enhance earnings.

Elevating risk where there is none is no better than not identifying risk in the first place. The key criterion is accuracy.

Nothing shown by Jim posed any level of risk. If anyone thinks otherwise, then I challenge them to identify for me from the matrix the port telephone numbers of any controllers located at Jim's bank; identify the equipment -- any equipment -- at Jim's bank; identify the location(s) of the principal data processing sites of Jim's bank; identify the number of users; identify the security systems used (i.e., RACF, CA-ACF2, CA-TopSecret), the IDS, firewalls, etc. If anyone can do this, then PM me. I will buy you a car once you provide me with the port numbers and we've verified them.

Frankly, I don't even see Jim's bank named anywhere. So you'll have to call him or PM him first.

So far, nobody has identified the specific risk, but only discussed generalized procedural and regulatory-driven issuances purporting to say that Jim can't post the matrix. As I said above, we will agree to disagree as to Jim's matrix posing any risk to his institution.

#202606 - 06/30/04 04:32 PM Re: Pending FDIC IT Exam
Anonymous
Unregistered

Quote:

So far, nobody has identified the specific risk, but only discussed generalized procedural and regulatory-driven issuances purporting to say that Jim can't post the matrix. As I said above, we will agree to disagree as to Jim's matrix posing any risk to his institution.

It would be ethically inappropriate to post system or Infosec vulnerabilities in an open Internet forum such as this or to PM them to an unauthorized party.

I have privately forwarded to Jim my analysis of his original document, the sensitive information contained therein, and the vulnerabilities it creates to his Bank and the employees. Jim can decide if he wants to share with this group.

-g

#202607 - 06/30/04 06:20 PM Re: Pending FDIC IT Exam
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
We understand. This is a graceful way of saying you have nothing of substance, there are no cogent risk issues, and you can't admit that. Otherwise, you would PM me or Paragon -- both registered posters -- with your so-called "analysis".

The biggest risk at all is not with Jim or his matrix; the real risk is that we have an anonymous poster identifying him/herself with a small g preceded by a hyphen who wants to opine about unknown risks.

If there is substance to your analysis, then send it to me. I'm registered, and I raised the challenge to you, not Jim.

#202608 - 07/01/04 03:42 AM Re: Pending FDIC IT Exam
Wild Jimbo Offline
New Poster
Joined: Jun 2004
Posts: 14
Parts Unknown
I won't go point by point with the items that were suggested to be a risk, but I feel much of what's there could be ascertained without having the document I posted. I do feel that one having some banking experience should be able to relate to and be aware of how banks work. Knowing the location of my branches isn't that difficult, nor is knowing we've recently built an operations facility.

The thing I saw that was probably the most problematic was identifying the company that does our processing. Of course it wouldn't take many guesses to figure that one out - especially if I blabbed that we don't process our own data.

Another concern that "-g" had was the amount of information about me available on the web. There's a lot, most of it out there by my own design. I'm not good at being anonymous. Having that information available from these posts here on BOL could pose a risk. Of course the fact that I work at a bank poses a risk...

"-g" had some good points, especially from his very conservative approach to IT Security. I took notes.

Thanks.

#202609 - 07/01/04 02:15 PM Re: Pending FDIC IT Exam
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:

... but I feel much of what's there could be ascertained without having the document I posted.
I'm not good at being anonymous.

These are precisely the points raised in Paragon's posts and in my previous posts... which is that the matrix, standing alone, was not a document elevating any level of risk to you or your institution.

That the third-party processor used by your institution might be named is irrelevant. No third-party processor, mortgage loan servicer, technology application service provider, or any other third party technology vendor -- all of whom are required to undergo rigorous FFIEC/MDPS IT examinations (as long as they want to continue to have banks as customers) -- is going to be penetrated simply because it might be named on a matrix. In fact, if it is a third party transaction servicer to banks, it won't be penetrated because it will have detailed penetration testing, documented, and reviewed during FFIEC interagency or MDPS examinations. Therefore, it is wasteful to even discuss such irrelevancies.

That this anonymous individual "-g" indicates that other information about each of us, as revealed on these threads and throughout this web site, can pose risk by promoting hints to our identities is the only issue that I will concede as being correct. However, as Paragon alluded to above, it is the level of trust, the friendships, and the longer-term recognition of each registered poster that gives us a comfort level with recognized posters and permits us to contribute, to share, and to get helpful hints.

Using -g's argument, if I were to conduct a Google search on many of the BOL posters throughout these threads -- many of whom you will note have their names, titles, banks, and some with e-mails, cited as part of each of their postings -- I would be able through social-engineered research to locate a great deal about the processing of their employer. But what would be the point?

As I noted previously, and will continue to maintain, the real risk on this specific thread is that we have for so long allowed an anonymous poster using the moniker "-g" to tell registered posters why these registered posters should not post too much about themselves, etc. Failing to register is not only counterproductive, but it is a sign that you do not want to leave even a scintilla of an audit trail as to who you are, and where you could be reached. There are examiners who register; there are IT executives who register; there are Big 4 audit partners who register.

-g should register, or he should be ignored for what he is -- an anonymous poster who would agree with me that anonymous posters discussing purported solutions to technology risk are the greatest risk to us all.

#202610 - 07/01/04 04:57 PM Re: Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
Quote:

It would be ethically inappropriate to post system or Infosec vulnerabilities in an open Internet forum such as this or to PM them to an unauthorized party.

Please - you've gone over the edge on this issue. It's like telling someone that they are not in compliance, but not furnishing support. It's like trying to disprove a negative.

I have the document – there is nothing there that is not on the web somewhere. Vulnerabilities, that we know of, are posted all over the place. A BOL citizen that is willing to post possible actions to address those issues should not be discouraged without pointing out specifics as to the statements that gave up the store.
