Bank examiners and auditors constantly change their expectations. As a result, your information security practices can feel as if they are aimed at a moving target while the boundaries keep shifting.
Even in this fluid situation, your Information Security Program (ISP) can be simplified, process based, and repeatable. We created a checklist of the core components of a strong ISP. While it isn’t a comprehensive list, it showcases the primary pillars you’ll return to each year.
Then read on to better understand what each section covers.
Information Security Program
This section looks at the building blocks of your ISP: your policies, employee training plans, risk assessments, and good ways to present these elements to the Board of Directors. The written and approved programs and policies in this section will help develop the other sections we’ll cover.
Program Tracking Reports and Reviews
This section looks at your program tracking. Do you apply change management principles? Do you track your incidents properly? Do you have a plan in place to remediate findings and recommendations from exams and audits? Have you reviewed your cybersecurity insurance? It’s important to keep this documentation as clean and organized as possible all year long, not only for regulatory audits.
Cybersecurity Awareness
Humans are the weakest components of any ISP. The Cybersecurity Awareness section tracks how you sharpen the knowledge and skills of your team. It also looks at the steps you take to optimize the information you share with your board. Whether it’s cybersecurity awareness training modules or social engineering tests, it’s vital to keep your team apprised of the latest industry trends in order to maintain a strong ISP.
Assessments & Audits
Yes, it’s true that your annual assessments and audits are required. But they’re more than just a regulatory box to check off. This is a great time to assess the overall health of your ISP standards and make adjustments accordingly. You can confirm your compliance with GLBA through the App B to Part 364 assessment, conduct penetration and vulnerability tests, or be certain your Cybersecurity Assessment Toolkit is up to date. This section helps you follow an organized path to assess and adjust your ISP and keep it in top form.
It’s crucial for you to have intimate knowledge of the ins and outs of your network. This section helps you track your firewall configuration and the rules applied to keep it secure. It also suggests that you always have updated and current network and data diagrams. These help you keep a close eye on how information enters, moves through, and leaves your network. Make sure you keep these current throughout the year. It will protect your institution in multiple ways.
Business Continuity and Disaster Recovery
As CEO and Finosec Co-Founder Zach Duke says, your best approach is to act like it’s a matter of “when,” not “if,” your institution will be compromised. While the other sections are primarily concerned with the strength and resilience of your information security practices, the BCP and DR items help you determine and track how best to recover when you’ve suffered an information security breach.
You must be sure your BCP has been board approved and tested in a tabletop exercise. Your disaster recovery tests confirm that you can fail over systems, that your network can be re-established, and that you can recover deleted or compromised data. Finally, you’ll want to conduct an Incident Response Plan exercise to stress test these elements and make sure there are no gaps in your operations. You need to do these things throughout the year. They help keep you, your institution, and your information as safe as possible.
User Access Management
The User Access Management items help you ensure your user access reports are generated on a regular basis. We suggest you follow this approach for AD, Core, and your individual login systems. This helps you manage access according to the principle of least privilege, and gives you the documentation to prove it when the information is requested in audits and exams.
The final section is Vendor Management. You will want to be confident you have an up-to-date Board-approved vendor management policy, and that you follow it correctly. Your policy will guide how you perform vendor due diligence, address the user entity controls, and complete the appropriate oversight reports and risk assessments.
Vendor management helps you assess and manage the security risks that exist outside of your institution. The vendors and systems you partner with will have their own network environments, BCPs, and even ISPs. Vendor management helps you monitor the vendors you rely on as well as maintain the integrity of your own ISP when you engage with other providers.
We know how difficult it can be to create and maintain a robust ISP. You’re not alone. Finosec wants to come alongside you and your institution to simplify cybersecurity like never before. Register and join us for our webinar session on October 18th: “Exam Readiness – Key things to have in place to make your next exam a success.”
The webinar will share details and insights about the topics we discussed here. We hope you can join us!