BOL Conferences
#365193 - 05/27/05 09:51 PM Penetration Test Requirement - OCC
Christina C Offline
Junior Member
Joined: Dec 2004
Posts: 48
NE Minnesota
Can someone tell me if and where the OCC defines how often an external penetration test of your network needs to be done? I have every 2 years in my head, but want to confirm.
_________________________
No question is a dumb question... right?

#365194 - 05/31/05 02:32 PM Re: Penetration Test Requirement - OCC
osoalone Offline
100 Club
Joined: Dec 2003
Posts: 146
Texas
OCC has not told us how often. We have an IT audit annually and have had a penetration test done at that time. But we will be starting to do testing quarterly just because of the nature of the beast.

#365195 - 06/08/05 07:17 PM Re: Penetration Test Requirement - OCC
Anonymous
Unregistered

Ideally, once a year. But no less frequently than once every 24 months. I don't believe a specific timeframe is mandated by the regulators. Frequency is a function of several factors, including firewall integrity, quality of firewall equipment, assets at risk, history of firewall breaches, IT competency within your organization, emerging threats in the outside world.

#365196 - 06/09/05 04:39 AM Re: Penetration Test Requirement - OCC
Ken Baer Offline
New Poster
Ken Baer
Joined: May 2005
Posts: 10
Arizona, United States
A specific timeframe has not been required. The overall quality of your information security program is going to drive how often your examiner wants to see an external pen test. The better your risk assessment, defense in depth strategy, internal testing procedures, etc., the less often they are likely to want some external verification.
_________________________
We help banks solve compliance challenges inexpensively. www.appliedintent.com

#365197 - 06/21/05 05:23 PM Re: Penetration Test Requirement - OCC
litmachog Offline
Member
litmachog
Joined: Apr 2004
Posts: 83
Arkansas
The information security audit program from the FFIEC web page is a format that you would want to perform. The examiners, FDIC, have stated that you should perform this audit annually and as a part of this, they would like to see penetration testing done annually as well.
_________________________
Praise God from whom all blessings flow!

#365198 - 06/21/05 06:23 PM Re: Penetration Test Requirement - OCC
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:

The information security audit program from the FFIEC web page is a format that you would want to perform.

I would agree with this statement. The FFIEC documents are the way to go.

Since the anatomy of a compliant information security program is centered on the protection of customer information, the primary goal is to eliminate the probability of vulnerabilities that might be directed at the customer data -- i.e., either where the data is stored (likely on bank servers or storage devices), or whenever it might be transmitted (sent encrypted with minimum SSL-level protection).

For many institutions, the components of the network nearest the public network (i.e., routers, hubs, switches; security appliances such as IDS and firewall) are managed by a third party anyway, so the third party -- and not the bank -- should be proving to the bank that they are periodically testing network penetration defenses, running external-to-internal network scans, and conducting periodic dial-up testing to bank entry ports using random war dialers.

OCC, OTS, FRB, NCUA, the FDIC, etc., are concerned with mitigating vulnerability; they aren't dictating the specific steps or favoring one step over the other.

At this point, we all know that the primary vulnerability involved in all of the recent customer breaches has been the involvement of insiders -- either current employees making mistakes or intentionally causing harm, former employees, disgruntled employees, etc., etc. -- so the focus has to be on the administrative safeguards behind the IDS and firewall. This means conducting a full vulnerability assessment using the FFIEC documents as a guide, rather than just conducting a network-specific test which may or may not have value.

What good would a $300,000 network assessment and penetration test have done Citifinancial or MasterCard? For Citifinancial, a low-level operations staff member copied unencrypted customer data to CDs for physical transport by UPS, and MasterCard allowed a third-party servicer to mishandle customer information with no oversight. These incidents did not involve complex network breaches, but involved poor administrative controls coupled with weak management oversight.

#365199 - 07/03/05 09:27 PM Re: Penetration Test Requirement - OCC
BankLogic Offline
New Poster
BankLogic
Joined: Jun 2005
Posts: 15
Pittsburgh, PA
Quote:

At this point, we all know that the primary vulnerability involved in all of the recent customer breaches has been the involvement of insiders -- either current employees making mistakes or intentionally causing harm, former employees, disgruntled employees, etc., etc. -- so the focus has to be on the administrative safeguards behind the IDS and firewall. This means conducting a full vulnerability assessment using the FFIEC documents as a guide, rather than just conducting a network-specific test which may or may not have value.

Well said... I agree. I run into so many small banks where the penetration test that was performed misses the mark completely. It's so important that the testing be performed in conjunction with the overall IT audit IMHO.
_________________________
Remember, no matter where you go, there you are.
