Compliance Insight with David Schneier

Four Tips for a Successful (and Secure) 2009

I'm experiencing the New Year's phenomenon. That's what I call the very early part of each year when I struggle writing the correct date on things like checks, forms and the many other documents that require it. It's maddening, really, how much of a challenge this has been for me going all the way back to grade school. It's why I tend to use pencil instead of pen during January and make certain to have an eraser handy. This week I've already made the mistake of writing 2008 at least twice.

I've been finding over the past few years that the New Year's phenomenon has been expanding into my professional space a bit as well. As noted in my last post of 2008, it's typically very difficult to gain access to clients between Thanksgiving and New Years. People are just too busy between personal and business demands. But once the page of the calendar flips, everything changes. Emails are returned promptly, phones are answered, and our clients are suddenly eager to get their compliance work scheduled for the year. Whereas there's a reluctance to focus on what wasn't done or still needs to be done as the year moves to its end, there's a much more open, much more positive attitude at the onset of the year. I liken it to the first days of the school year, when the record was wiped clean, and the potential for only the highest grades was at its fullest.

This year begins unlike any other that I've known in my lifetime, though. We appear to be surviving our way through a near collapse of our banking system, but one that has brought much greater scrutiny to the industry. We have a new administration coming into control that gives off the impression that accountability and compliance will become much more than buzzwords. And for those of you operating under the supervision of the FDIC, there's also a renewed, reenergized and greatly expanded army of examiners about to be set loose upon you. If there was ever a better time to be proactive and on top of things, I certainly can't recall it.

So, I'll offer to you some solid advice as we begin 2009. This is culled right from what we discuss all of the time within our practice, and which is based directly from what we see in the field -- from examiners, their reports, and which is clearly supported by the regulations.

First, you need to have a recently-completed information security risk assessment. If you didn't have one completed during 2008, you need to schedule one for 2009 (and ideally well before your next exam). Any auditor with a clue will tell you that all audit plans and compliance programs are risk-based. If you don't have a current and thorough understanding of your risk universe, you can't properly manage it. Any examiner will tell you that if you haven't done one recently, you'll need to. And you can vary the approach and areas that are assessed to provide more depth in certain key areas from year-to-year, but have one you must.

Second, you need to have conducted certain vulnerability assessment activities during the most recent year. You need to know what, if any exposures you have with regards to your external-facing connections, and you need to extend that where applicable to those vendors who provide hosted services for both your and your account holders. You also need to gain a full understanding of your internal vulnerabilities, including network access and design issues, as well as key activities such as patch management, anti-virus protection and data backup and recovery. The insider threat is equal in many ways to those on the external front, and the wrong time to find out you've allowed vulnerabilities to be exploited is after the fact. Security assessment activities come in various shapes and sizes, and you'll need to determine what's appropriate for your institution. If you have a recently-completed risk assessment, that would be an excellent place to begin scoping out what you'll want or need to have done. But above all else, if you didn't have any security work done during 2008, you should stop reading right now and start making plans to get this done during 1Q 09.

Third, you need to make certain that your core compliance activities are as they should be. Needing to have a functioning and effective business continuity plan is key to compliance; did you complete a business impact analysis during 2008? Have you conducted and documented a thorough test of the plan within the past year? If the answers to either one of these is "no," make sure you add it to your calendar for 2009. I'm not sure I can make any new and insightful points about vendor management that haven't already been made within my previous posts, but I can tell you that if your program isn't where it needed to be based on 2008 standards, that's likely to be another key first quarter activity for 2009. How long do you think it's going to take for the expanded resources of the FDIC to resume their keen interest in this very area?

Fourth (and I think final for now), you need to not only have your Identity Theft - Red Flags program up and running, but by now there should be some evidence of how well its functioning. After two months of activity, you should have at least a few recorded incidents that required activation of your program. On a personal front, I encounter roughly one situation per week that would qualify as suspicious activity be it either through mail, email or phone calls. What are the odds that your institution hasn't had at least as many incidents as well? If you haven't been monitoring its effectiveness, now would be an excellent time to plan to do so. Plus if you arrange everything properly, you can couple some of the work together so that your risk assessment activity examines the effectiveness of your Red Flags program.

That's my final point as well. If you spend time now at the beginning of the year to determine what work needs to be conducted, it allows you the chance to look for intersects and efficiencies. If you're going to have an information security risk assessment done, make sure that the resources conducting the work include key components such as Red Flags and Vendor Management. Plan to have the risk assessment conducted earlier in the year so that you can leverage the information to plan the remainder of your audit and assessment work. Much like my earlier point regarding the newness of a school year, use the potential of this New Year to build out a plan that will help maintain a safe, secure and compliant infrastructure straight through to its end. As well it will make 2008, or rather 2009 an easier year to manage through with fewer surprises.

About the Author

David Schneier

David Schneier

Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.