Never in the history of financial institution IT examinations has there been more IT to examine or greater regulatory scrutiny of the IT area. Your next IT examination will be like no other that you have ever experienced before. Y2K focused more attention on IT, but that attention had a shelf life. On January 1, 2000, financial institution management could breathe a sigh of relief. Not anymore. IT examinations are here to stay and they are not getting any easier.
It is almost ironic that IT is treated separately in examinations. The whole financial institution is basically a communications network. IT is pervasive and extends to every area of the financial institution. Accordingly, the scope of IT examinations is being extended, and examiners are learning more about IT.
Every person is influenced by his or her background and recent experiences. Regulators are no different. Certain hot topics become top of mind with IT examiners due to recent training they received, new regulations, new technologies and what is being discussed in the media. This is not to say that regulators have blinders on when it comes to IT examinations, but it might behoove you to pay attention to the latest regulator “hot buttons.” You will be better prepared for your next IT examination.
While not an all-inclusive list, here are six hot buttons of recent note:
- Business continuity planning
The effects of the 9/11 terrorist attack are far-reaching and will be felt for generations to come. The immediate effect as it relates to IT examinations is an increased emphasis on business continuity planning. Many tragic, yet valuable lessons were learned by financial institutions located near Ground Zero. While your next disaster is not likely to be one of such magnitude, 9/11 has thrust the topic of business continuity back to the forefront.
- The Gramm-Leach-Bliley Act and Information Security
In 2001, financial institution management dealt with the privacy issues surrounding the Gramm-Leach-Bliley Act (GLBA), and many thought their job was done. Not so fast. Section 501(b) of the GLBA has management hopping again to comply with the Guidelines Establishing Standards for Safeguarding Customer Information. The old saying, “There is no privacy without security,” rings true once again.
IT examiners are also using the GLBA to enforce everything from old recommendations, such as review and control over user access, to new recommendations, such as reviewing firewall logs. The GLBA has given examiners more ammunition to make financial institution management take notice of IT exam recommendations.
- IT Risk Management
A big part of GLBA is the risk assessment process. Examiners want to see how the institution assesses IT risk as it relates to customer information systems and non-public customer information. Institutions should be taking steps to identify foreseeable threats and assess the likelihood and potential impact of such threats.
- User Access Controls
Controls over user access are nothing new to IT examinations, but greater scrutiny is now placed on how users are granted access, how often that access is reviewed for appropriateness, and how change management is employed. For example, if users are added to the core processing system with virtually unlimited access to all applications and all functions, you have a problem. User access should be based on need, while observing age-old controls such as segregation of duties and dual control.
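The three checks an examiner will ask about in this area (unlimited access, segregation of duties, and periodic review) can be scripted against an entitlement export from the core system. The following is an added example and not code from the article or its author; the entitlement rows, application names, review dates and the conflicting function pair are all constructed, and the 90-day review cycle is an assumed policy value.

```python
"""Added example: least-privilege, segregation-of-duties and review-age
checks over a constructed core-system entitlement export."""
from datetime import date

# Constructed entitlement export: one row per (user, application, function).
# A function of "*" means every function in that application.
ENTITLEMENTS = [
    {"user": "jdoe",   "app": "deposits", "function": "inquiry"},
    {"user": "jdoe",   "app": "deposits", "function": "post_transaction"},
    {"user": "asmith", "app": "wires",    "function": "originate"},
    {"user": "asmith", "app": "wires",    "function": "approve"},   # same person originates and approves
    {"user": "admin1", "app": "deposits", "function": "*"},
    {"user": "admin1", "app": "loans",    "function": "*"},
    {"user": "admin1", "app": "wires",    "function": "*"},         # every function in every application
    {"user": "bjones", "app": "loans",    "function": "inquiry"},
]

# Constructed: the applications on the core system, and the date each
# user's access was last recertified by a supervisor.
ALL_APPS = {"deposits", "loans", "wires"}
LAST_REVIEWED = {
    "jdoe": date(2003, 6, 1), "asmith": date(2003, 7, 15),
    "admin1": date(2002, 11, 1), "bjones": date(2003, 7, 30),
}

# Constructed dual-control rule: one person must never hold both halves.
SOD_CONFLICTS = {("wires", "originate", "wires", "approve")}
REVIEW_DAYS = 90                 # assumed recertification cycle
AS_OF = date(2003, 8, 4)         # constructed review date


def review_access(entitlements, all_apps, last_reviewed, as_of):
    """Return one finding dict per control failure, ordered by user."""
    grants_by_user = {}
    for e in entitlements:
        grants_by_user.setdefault(e["user"], set()).add((e["app"], e["function"]))

    findings = []
    for user, grants in sorted(grants_by_user.items()):
        wildcard_apps = {app for app, fn in grants if fn == "*"}
        # Unlimited access: all functions in all applications.
        if wildcard_apps == all_apps:
            findings.append({"user": user, "issue": "unrestricted_access"})
        # Segregation of duties: both halves of a conflicting pair held by one user.
        for a1, f1, a2, f2 in SOD_CONFLICTS:
            if (a1, f1) in grants and (a2, f2) in grants:
                findings.append({"user": user, "issue": "sod_conflict",
                                 "detail": f"{a1}:{f1} + {a2}:{f2}"})
        # Periodic review: access never recertified, or recertified too long ago.
        reviewed = last_reviewed.get(user)
        if reviewed is None or (as_of - reviewed).days > REVIEW_DAYS:
            findings.append({"user": user, "issue": "stale_review"})
    return findings


def run_review():
    """Run the review over the constructed data above."""
    return review_access(ENTITLEMENTS, ALL_APPS, LAST_REVIEWED, AS_OF)


if __name__ == "__main__":
    for f in run_review():
        print(f)
```

Against the constructed data this reports `admin1` for unrestricted access and an overdue review, and `asmith` for the originate/approve conflict; `jdoe` and `bjones` pass. The output is the kind of evidence an examiner asks for: who has what, why, and when it was last confirmed as still needed.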
- Network Security
Firewalls, intrusion detection systems, network operating system security, virus protection, remote access and network infrastructure issues, none of which showed up on an examiner’s radar just a few short years ago, are now hot topics. Be prepared for ambiguous questions about specific systems. Do you review firewall logs? If so, how do you respond to known attacks? How is remote access granted to users, including vendors? Do you have a complete, detailed schematic of your network? When was your last vulnerability scan? Have you engaged an outside firm to perform a vulnerability assessment or penetration test? All serious questions. Be prepared to articulate your position and efforts.
Know the difference between a vulnerability scan and a penetration test. Network security technology is still fairly new, so much of the terminology has a double meaning depending on the context of the question or answer. Perhaps you have a monthly vulnerability scan of your firewall, complete with a detailed report showing detected vulnerabilities, their related risk and the ease of fix. Perhaps you have engaged consultants to perform a penetration test that includes physical attempts to enter restricted areas of your financial institution.
Get to know your network, document it thoroughly and be prepared to verbally describe your network infrastructure during interviews with the examiner.
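“Do you review firewall logs?” is easier to answer with evidence than with assurances. The block below is an added example, not code from the article or its author: it parses a constructed, simplified firewall log (the line format, the documentation-range addresses and the policy of which inbound ports must stay closed are all assumptions) and produces two kinds of findings a reviewer would record and act on, a source denied on many distinct ports in a short span, and a permitted connection to a service the policy says should never be reachable from outside.

```python
"""Added example: a firewall log review over constructed, simplified log
lines. The format and policy values here are assumptions, not any vendor's."""
import re
from collections import defaultdict

# Constructed log excerpt (addresses are from the documentation ranges).
LOG_LINES = """\
2003-08-04T09:15:01 DENY TCP 203.0.113.5:4021 -> 192.0.2.10:21
2003-08-04T09:15:01 DENY TCP 203.0.113.5:4022 -> 192.0.2.10:22
2003-08-04T09:15:02 DENY TCP 203.0.113.5:4023 -> 192.0.2.10:23
2003-08-04T09:15:02 DENY TCP 203.0.113.5:4024 -> 192.0.2.10:25
2003-08-04T09:15:03 DENY TCP 203.0.113.5:4025 -> 192.0.2.10:80
2003-08-04T09:15:03 DENY TCP 203.0.113.5:4026 -> 192.0.2.10:110
2003-08-04T09:16:10 ALLOW TCP 198.51.100.7:51002 -> 192.0.2.10:443
2003-08-04T09:17:45 ALLOW TCP 198.51.100.9:51100 -> 192.0.2.20:3389
2003-08-04T09:18:00 DENY UDP 198.51.100.7:5000 -> 192.0.2.10:161
this line is noise the parser must tolerate
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed policy: inbound services that must never be permitted through the
# perimeter (remote desktop, telnet, SNMP), and the number of distinct
# denied ports from one source that should be looked at as a probable scan.
FORBIDDEN_INBOUND = {3389, 23, 161}
SCAN_PORT_THRESHOLD = 5


def parse(lines):
    """Turn raw lines into event dicts, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events


def review(events):
    """Return findings: permitted traffic to forbidden ports, and probable scans."""
    denied_ports = defaultdict(set)
    findings = []
    for e in events:
        if e["action"] == "DENY":
            denied_ports[e["src"]].add(e["dport"])
        elif e["dport"] in FORBIDDEN_INBOUND:
            # The firewall let through something the policy says it must block:
            # a rule-base error to correct, not just an event to note.
            findings.append({"type": "forbidden_allowed", "src": e["src"],
                             "dst": e["dst"], "dport": e["dport"], "ts": e["ts"]})
    for src, ports in denied_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append({"type": "probable_scan", "src": src,
                             "ports": sorted(ports)})
    return findings


def run_review():
    """Run the review over the constructed log above."""
    return review(parse(LOG_LINES))


if __name__ == "__main__":
    for f in run_review():
        print(f)
```

On the constructed excerpt the review flags `203.0.113.5`, which was denied on six different ports within two seconds, and the permitted connection from `198.51.100.9` to port 3389, which contradicts the stated policy. Keeping the findings (and what was done about each) is what turns “we review the logs” into something an examiner can verify.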
- Directorate Awareness of IT Activities
Most Board of Directors meetings are dominated by discussion of financial issues, typically lending, capital expenditures and investments. While vitally important to the safety and soundness of the institution, IT is not always discussed. Some boards are very attuned to technology and devote a significant amount of time and effort to understanding the financial institution’s IT environment. More often, any discussion of IT at board meetings is met with glazed looks and glances at watches.
With the current regulatory environment and the push for more corporate responsibility, board members are learning that some aspects of technology can be outsourced, but their responsibility for oversight cannot. At a minimum, the Directorate should understand the impact of IT controls on the integrity of the financial statements. One of the best methods to maintain directorate awareness of IT activities is to reference the Information Systems Steering Committee, or similar committee, minutes in the Board of Directors’ meeting minutes.
Good luck on your next examination.
Note: This information appeared originally in Jimmy's book, IT Auditing for Financial Institutions, available in the BOL Banker Store.
First published on BankersOnline.com 8/4/03