Page 1: FFIEC Regulatory Training

Garland Group University

Brad Garland

CEO

The Garland Group

A regulatory perspective

Page 2: FFIEC Regulatory Training

What are we doing here?

Where FIs & IT meet

Regulators & What they do

Technology Controls Review Process

Goal: Provide better service to your clients

Page 3: FFIEC Regulatory Training

Introductions

Name

Position

Tenure at CalTech

Previous Experience

Page 4: FFIEC Regulatory Training

The Garland Group

Compliance, Security & Web Services firm

Founded in 1981

Based out of Dallas, Texas

Over 75 clients

Page 5: FFIEC Regulatory Training

Our Services

FFIEC Technology Audits

Risk Assessments

Penetration Testing / Vulnerability Assessments

Social Engineering

Bank Core System Selections

Page 6: FFIEC Regulatory Training

Sizing up a Financial Institution

< $25 Million - Small Community Bank

Start-up or de novo status

Couple of branches

No IT staff

$25 - $250 Million - Midsize Community Bank

Normally still local footprint

1-10 branches

Maybe 1 IT person

Page 7: FFIEC Regulatory Training

Sizing up a Financial Institution (Cont.)

$250 - $1 Billion - Medium Bank

More Regional

5-15 branches

Maybe 1-2 IT staff

> $1 Billion - Large Bank

May cross state lines

Lots of branches

Normally dedicated IT staff

Page 8: FFIEC Regulatory Training

FI Infrastructures

What’s out there?

What kind of support do these systems get? Internal/External?

Where do we fit in?

Page 9: FFIEC Regulatory Training

Infrastructures

Windows, Novell, Unix, Mac and hybrid environments

Fat clients or Thin clients?

Communications

T1 Hub/Spoke

MPLS

VoIP

Security

Development Shops

Page 10: FFIEC Regulatory Training

Infrastructures

How do you help to support:

Check/Item Processing

E-Banking / Websites

Document Imaging

Merchant Capture

Mobile Payments

Page 11: FFIEC Regulatory Training

Core Processors

Page 12: FFIEC Regulatory Training

Core Processors

Run on variety of mainframe-like systems

AS/400

Unix

Linux

Page 13: FFIEC Regulatory Training

Core Processors

What does a core processor do?

In-house or Outsourced install?

Who supports it?

User Mgmt.

Updates/Patches

Backups

Regulatory Hurdles

Page 14: FFIEC Regulatory Training

Core from an Audit perspective

User Lists

Not just from an application level

Who controls ‘root’ (Unix) or QSECOFR (the AS/400 security officer profile)?

Who monitors...

System-level changes? Who holds *ALLOBJ (AS/400 all-object special) authority?

Access Logs?

Page 15: FFIEC Regulatory Training

What’s the best setup for a bank?

Which ‘Core’?

In-house/Outsourced?

Fat/Thin Clients?

T1s / MPLS?

Dedicated IT staff?

Development?

Page 16: FFIEC Regulatory Training

The Regulatory Agencies

Federal Reserve

‘The State’

FDIC

OCC

OTS

NCUA

Page 17: FFIEC Regulatory Training

Who Regulates Whom?

FDIC - State chartered banks

OCC - Nationally chartered banks

OTS - Savings banks

NCUA - Credit Unions

Page 18: FFIEC Regulatory Training

Our Technology Controls Review Process

Review of all booklets of the FFIEC

Generate ‘Recommendations’ based off of gaps

Bank Mgmt. responds

Final Report:

Executive Summary

FFIEC Report

IT Risk Assessment

Page 19: FFIEC Regulatory Training

FFIEC

Federal Financial Institutions Examination Council

Formal interagency council

Consists of all regulatory bodies

Creates guidance for topics such as:

Mortgages

Bank Secrecy Act/AML

Info. Technology

Page 20: FFIEC Regulatory Training

FFIEC IT Exam Handbooks

12 Booklets

Does not just cover IT

2001 edition replaced the previous 1996 version

All have been updated since 2003 or later

Ongoing Development

Page 21: FFIEC Regulatory Training

FFIEC Handbooks

Audit

Business Continuity Planning

Development & Acquisition

E-Banking

FedLine

Information Security

Management

Operations

Outsourcing Technology Services

Retail Payment Systems

Supervision of Technology Service Providers

Wholesale Payment Systems

Page 22: FFIEC Regulatory Training

Audit

Major items in this section are:

Audit Schedule

Audit Committee Minutes

Risk Assessments Conducted

Proper Audit Follow-up

Interim IT Audit work

Page 23: FFIEC Regulatory Training

Management

Major items in this section are:

Reviewing BoD/ IT Steering Minutes

Policy/Procedure Approvals by BoD

Succession Planning

Strategic Planning

IT Budgeting

Contract/Insurance Review

Page 24: FFIEC Regulatory Training

Board Reporting

Most FIs have an IT Steering and an Audit Committee

These committees should drive functions and make decisions

They also are the vessel to report to the Board on the status of the bank

You may be asked to participate in these committees

The board has ultimate responsibility for everything within the bank

Page 25: FFIEC Regulatory Training

IT Steering Committee

Approve major vendors (Core providers, IT support, etc.)

Approve major purchases, usually over a set dollar limit

Review logs and reports from the network

Approve IT audits, Penetration tests, Vulnerability Scans

Sometimes serve as a project management committee

Page 26: FFIEC Regulatory Training

Audit Committee

Review all audit reports from IT, BSA, Teller, Regulators, etc.

Approve audit frequencies, scopes and methodologies

Usually all Board members on the committee

Approves audit vendors

Page 27: FFIEC Regulatory Training

Business Continuity Plan

Major items in this section include:

Review of BCP/DR Plan

Backup Procedures

Shutdown Procedures

Offsite Storage

DR Agreements & Testing

Page 28: FFIEC Regulatory Training

Operations

Major items in this section include:

Item Processing workflow process

In-house/Outsourced?

Branch/Teller Capture?

Daily Run Sheets

Physical Security

Training

Courier Agreements

Page 29: FFIEC Regulatory Training

Development & Acquisition

Major items in this section include:

D&A Policy/Procedures

Project Management Methodology

Change Management

Source Code Escrow Agreements

Programming Methodology

Development Meeting Minutes

Page 30: FFIEC Regulatory Training

Outsourcing IT Services

Vendor Management

Updated Contracts with each vendor

GLBA Wording in Contracts

Proper ‘Due Diligence’ performed on critical vendors

Page 31: FFIEC Regulatory Training

E-Banking

Major items in this section include:

Policy/Procedures

Security Reports / What’s reviewed? Who sees it?

Website Change Management

Proper Privacy Statements & Logos on website

Page 32: FFIEC Regulatory Training

Retail Payment Systems

Major items in this section include:

ATM Balancing / Reconciliation processes

Agreements for 3rd party ATM vendors

ACH Policy/Procedures

Review ACH Originators & Agreements

Submitting ACH payments (via Web or FedAdvantage)

Page 33: FFIEC Regulatory Training

FedLine/FedAdvantage

Major items in this section include:

Proper control of users who access the Fed System

Segregated Duties / Enter & Verify

How they receive Wire requests

Approval / Callback Procedures

Page 34: FFIEC Regulatory Training

Information Security

Major items in this section include:

Information Security Program

User Administration Rules

Password Policy

System Policy

Screensaver Policy

Page 35: FFIEC Regulatory Training

Information Security (Cont.)

Network Diagram - Up to date?

Recent Security Testing / Breaches

Security Monitoring

Hardware/Software Inventory & Licenses

Use of Laptops? Secured? How?

Remote Access

What logs are kept?

Wireless

Page 36: FFIEC Regulatory Training

Technology Service Provider

Major items in this section include:

Review of vendor agreements

Any major planned projects/development?

Financial Stability of Vendor

SAS 70s

Page 37: FFIEC Regulatory Training

Wholesale Payment System

Major items in this section include:

Large bank-to-bank transactions

Proper agreements in place between FIs

CHIPS procedures

Large Payment System owned by many FIs to transfer large payment orders

Page 38: FFIEC Regulatory Training

Other Regulatory Guidance

Gramm-Leach-Bliley Act (GLBA)

Sarbanes-Oxley (SOX)

Control Objectives for Information and related Technology (CobiT)

ISO 17799

Page 39: FFIEC Regulatory Training

Preparing for Exam/IT Audit

What they are going to need from you:

Help with producing documentation for their examiners/auditors

Network Diagrams

Password Policy (Active Directory)

User Lists

Firewall/Router Configs

Page 40: FFIEC Regulatory Training

Security Services

Penetration Testing

Vulnerability Assessments

Social Engineering

Page 41: FFIEC Regulatory Training

Penetration Testing

Required by ‘some’ examiners

Testing normally done annually

Port scanning and checking for any major exploits

Page 42: FFIEC Regulatory Training

Vulnerability Assessments

Testing done internal to the network

Scanning for unauthorized access points, mesh networks, exposed/exploited systems

Done at least annually

Page 43: FFIEC Regulatory Training

Social Engineering

Our scope includes:

Internet Recon.

Dumpster Diving

Phone Testing

Email Testing

In-Person Testing

Page 44: FFIEC Regulatory Training

Social Engineering (Cont.)

Done at least annually

Ensure an adequate sample size for testing

Ensure scope is up to today’s standards

Page 45: FFIEC Regulatory Training

Common Mistakes in IT Mgmt.

Lack of good documentation

No BoD/Upper Mgmt. involvement

Succession Issues

Reactionary Environment

Inadequate backup procedures

Page 46: FFIEC Regulatory Training

Examiner ‘Requests’

Closed-loop documentation process

Board sign-off/approval

Annual IT Audits

Updated BCPs/BSA risk assessments

Penetration tests?

Page 47: FFIEC Regulatory Training

Reminders

We’re here to help!

Don’t jump into new tech head first

Ensure adequate cross-training

Document Everything!

Page 48: FFIEC Regulatory Training

If you have any questions feel free to contact me:

Our Blog: http://blog.thegarlandgroup.net

Banktastic: http://banktastic.com

Brad Garland, CEO, 972.429.8200

Thanks for the time.