Common Pitfalls and Mistakes in Preparing for an IT Regulatory Exam

If your financial institution is facing an IT regulatory exam soon, you’ll want to be ready for it. Despite the best efforts of your team, will your institution be ready? BankInfoSecurity.com’s webinar will prepare your team for this arduous task. In the meantime, we interviewed Susan Orr, an ex-FDIC examiner, who will lead the webinar, to illuminate your path to prepare for an IT regulatory exam.

BIS: If you were to narrow down to the top items that institutions should focus on in preparing for an IT regulatory exam, what should the number one concern be?

Susan Orr: I think the number one thing I’ve seen for the last several years is that institutions need to perform an enterprise-wide risk assessment before an IT regulatory exam. I am still finding, especially with serviced institutions (those being serviced by a third-party vendor), that they don’t have appropriate risk assessments in place. They need to do an overall risk assessment before the examiners come in. This should include a review of everything. Whether it is on paper or in electronic form, all the documents, all the systems, all the threats should be assessed. I find that many institutions look at just the most common threats. You need to look at everything - assess the risk at every level and for every possible scenario. Many institutions do not look at environmental threats. Flooding is a great example. It could be caused by something as small as a broken pipe, or as big as a hurricane. You need to assess what could possibly happen to your facility. I see all institutions not paying attention to this; it’s not just the serviced ones who aren’t looking at this closely. Another common omission for all institutions is evaluating the likelihood of occurrence of an event and then assessing the potential impact. Using a matrix, which allows an easy-to-follow roadmap, to record the results of the assessment is a good approach.

BIS: What are some of the other concerns institutions should have when preparing for an IT regulatory exam?

Susan Orr: The second concern should be insufficient IT audit coverage. Most internal auditors cover the financials and general internal controls, but aren’t doing good IT audit reviews; most are just hitting the surface. They’re not looking at security within as well as around the information systems, not reviewing policies and procedures, or reviewing the risk assessments. You need to make sure you have someone, whether in-house or outsourced, who has the background and knowledge level to do a good, thorough IT review.

Number three on my list is to make sure all the institution’s policies are up to date, and that they reflect the institution’s operating environment. I see many institutions using templates or fill-in-the-form documents they get off the Internet. These templates and form documents don’t always correspond with what’s in their institution’s operations, or the document refers to internal audit when they don’t even have an internal audit department. Also, institutions must make sure they have a comprehensive, enterprise-wide business continuity plan. Many still just have the basic disaster recovery plan. I would say that 90 percent of the institutions I have reviewed most recently have incomplete plans. Almost all do not have a business impact analysis, and are not preparing test plans for their BCPs.

My fourth concern is vendor management. Many institutions are not able to produce a written vendor management program. This also would include performing due diligence prior to a vendor or service provider’s selection, and preparing a vendor risk assessment, in addition to spelling out what should be included in contracts. Institutions need to be monitoring their vendor relationships on an ongoing basis. They should be receiving and looking closely at documentation. Typically an executive summary will suffice to support the vendor’s security and controls. Most small institutions think that a SAS70 will cover them. I hate to tell them, but that’s not enough. You need to get some kind of assurance from the vendor in writing because a SAS70 isn’t a complete security audit. A third-party audit like a SAS70 is definitely a document you want to review, but it shouldn’t be the only documentation you have from a vendor.

BIS: As a former bank examiner, you’ve seen your share of bad preparations for these exams. What are some points of advice you would offer institutions on sharpening their knowledge through the IT examination handbook?

Susan Orr: My first advice is this: out of all 11 handbooks, if institutions only download one of them, it should be the Information Security handbook. Why should that be the thing to focus on? Most exams are now risk focused and the laws mandate the protection of information assets. Security is a priority. I also suggest institutions check their primary regulatory agency’s website, look at the latest announcements, and also look at the exam procedures on the website. This gives you a roadmap to follow. And lastly, do not forget the regulations that have been around for a while. Even though GLBA has been around since 1999, it does not mean it is not being overlooked by the regulators. Institutions should look at the requirements, and then review their infosec policies and procedures. Please, don’t just wait for your examiners to come in and tell you what you need to do – be proactive.

BIS: How will upgrading to the new Microsoft operating system affect an institution’s preparation for an IT exam? Will examiners look any closer at institutions upgrading to Vista?

Susan Orr: I don’t think that examiners will look at institutions that are upgrading to Vista any differently than they would with the implementation of any new product. With any new program or operating system, it is wise to consider the security issues surrounding it. Any software program introduced into the institution should be reviewed and tested carefully. Look at the security risks associated with it, and make sure the institution’s internal security requirements are met. Your policies and procedures should be carried over to the new program or operating system.

To get complete in-depth information on preparing for an IT regulatory exam, register to attend the webinar.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
