IT department won't give open access to BSA dept

Posted By: Cher

IT department won't give open access to BSA dept - 03/30/15 02:46 PM

Our IT department has recently installed a new firewall and our BSA department no longer has open access to perform BSA due diligence searches. They have assigned us more open access than the rest of the institution, but we are constantly getting blocked and the IT manager won't open it up as he says it puts the rest of the network at risk. We do appreciate that, so I was wondering what other banks are doing to protect their network while still giving their BSA folks unlimited internet search access.
Posted By: Elwood P. Dowd

Re: IT department won't give open access to BSA dept - 03/30/15 02:58 PM

If you need a tool, FinCEN 2014 - A007 has a section dealing with the availability of information. As this new restriction appears to be a step backward, it may draw some regulatory attention based on how critical it is to your research.
Posted By: AMLMGR

Re: IT department won't give open access to BSA dept - 03/30/15 03:30 PM

Can the IT department put role-based access into place for the database? We have non-edit or business partner rights into any database we use for research that is not owned by our department.
Posted By: Cher

Re: IT department won't give open access to BSA dept - 03/30/15 03:42 PM

"We have non-edit or business partner rights into any database we use for research that is not owned by our department"

What does that mean?
Posted By: rlcarey

Re: IT department won't give open access to BSA dept - 03/30/15 03:47 PM

They are limiting your access to what sites that you use for due diligence??

Last I checked, IT was a service department.

1. You are responsible for determining what you need to do your job.

2. They are responsible for determining how to safely provide you with that access.

3. Them saying "no" is not part of their job description.
Posted By: Cher

Re: IT department won't give open access to BSA dept - 03/30/15 04:09 PM

I think they're willing but unable to adequately accomplish point #2 on RLCAREY's response. Many times our searches will take us to sites with objectionable material etc. and that is just the nature of what we do. However, they don't know how to give us open access while at the same time insulate the rest of the network from something from one of those sites. I can't imagine this is something new as every bank I've spoken to has their BSA people with unlimited access.
Posted By: jaenelle

Re: IT department won't give open access to BSA dept - 03/30/15 04:31 PM

I'm really confused as to what kind of sites a BSA search would even require you to look at. Are these customers' websites?
Posted By: bonette

Re: IT department won't give open access to BSA dept - 03/30/15 04:38 PM

Could they give you a laptop with internet access that is not tied to your network?
Posted By: rlcarey

Re: IT department won't give open access to BSA dept - 03/30/15 04:42 PM

There are many ways to skin a cat, as "bonette" just pointed out. The fact that they are just saying no shows a lack of imagination.
Posted By: Princess Romeo

Re: IT department won't give open access to BSA dept - 03/30/15 05:04 PM

Originally Posted By bonette
Could they give you a laptop with internet access that is not tied to your network?


A Chromebook connected to wi-fi is an inexpensive way to do that. You can open a Gmail account to email yourself PDF screenshots of what you find.
Posted By: Cher

Re: IT department won't give open access to BSA dept - 03/30/15 05:38 PM

I suggested that but it gets a little cumbersome to have a different machine and also we would have to give everyone in the department 2 machines. I'm really reaching out in this forum to see what others are doing in their bank. Are your BSA people given full access? If so, how does the IT department ensure the safety of the network?

In answer to Jaenelle's comment - We review clients' websites during our due diligence and some of our clients are in certain industries that might be considered objectionable. That website would be blocked and we would have to stop and request access, wait for the site to be whitelisted and then we can proceed. It's very time-consuming.
Posted By: thisisme08

Re: IT department won't give open access to BSA dept - 03/30/15 07:28 PM

TBH this doesn't sound that different than what is considered normal when IT puts a web filtering software on.

Normally you end up with a breakdown like this:

*Exec--full access (even though they shouldn't because they are the most likely for phishing and other attacks)

*Officer/Compliance/BSA--essentially open access but sites such as shopping, YouTube and other questionable sites are blocked

*CSR--Only sites that they need to do their job (Sec. of State searches, check ordering etc.)

*Tellers--Nothing.

I'm assuming you are reviewing a customer's website in order to determine if they are offering any *extra* services they didn't tell you about but personally I find that step to be slightly above and beyond in performing it for all customers.

The one method no one else has mentioned is to simply use your own personal cell phone/tablet.
Posted By: LiveFromNYC

Re: IT department won't give open access to BSA dept - 03/30/15 07:43 PM

Had a similar issue at my bank. When they would not open entirely, I was forced to send a ticket to the IT Help Desk explaining why I needed access to a specific site and typically the site's URL would then be added to a Domain Safe List. After having done that many times, they decided to give me an off-network laptop to perform our searches.

Posted By: rlcarey

Re: IT department won't give open access to BSA dept - 03/30/15 07:50 PM

Originally Posted By Cher
I suggested that but it gets a little cumbersome to have a different machine and also we would have to give everyone in the department 2 machines.



Really - everyone? I think someone else might not be using their imagination. Maybe you need to reassess who uses the internet for BSA research and why.
Posted By: JacF

Re: IT department won't give open access to BSA dept - 03/31/15 02:39 AM

Originally Posted By Cher
However, they don't know how to give us open access while at the same time insulate the rest of the network from something from one of those sites.


Perhaps you could suggest inviting the vendor in to show IT how to configure the web filter and give BSA their own access profile?
Posted By: ItNeverEnds CRCM

Re: IT department won't give open access to BSA dept - 03/31/15 04:07 PM

Originally Posted By thisisme08
TBH this doesn't sound that different than what is considered normal when IT puts a web filtering software on.

Normally you end up with a breakdown like this:

*Exec--full access (even though they shouldn't because they are the most likely for phishing and other attacks)

*Officer/Compliance/BSA--essentially open access but sites such as shopping, YouTube and other questionable sites are blocked

*CSR--Only sites that they need to do their job (Sec. of State searches, check ordering etc.)

*Tellers--Nothing.

I'm assuming you are reviewing a customer's website in order to determine if they are offering any *extra* services they didn't tell you about but personally I find that step to be slightly above and beyond in performing it for all customers.

The one method no one else has mentioned is to simply use your own personal cell phone/tablet.


Groups like thisisme08 describes above are pretty common and what I've experienced. Hopefully your BSA Officer should be at the highest level, with virtually no restrictions; your BSA staff could be staggered with access (depending on how many you have and the different levels of staff).

I'm not a big fan of blocking sites "just because", or blocking Facebook or YouTube so staff won't waste time looking at it. Sites should be blocked based upon risk to the bank, and I can make an argument that all staff should/need to have at least some access to the internet, tellers included, they're not robots, they're people. You do need a strong Information Security training program for everyone. Like Randy said, there is more than one way to skin a cat and not just with Internet access restrictions, as you can get around many of these restrictions with emails, personal devices and such, so IT needs to think hard about the types of restrictions they put in place and the protections the bank has. A teller can just as easily email themselves from their personal email a virus/malware embedded document as they can click on a link.

The key is training, including heavy social engineering training. Cher - I think your IT department needs a little training themselves.

My 2 cents.