What to Expect in 2015 Audits

data-encryption
If you handle Cybersecurity at a credit union, bank, or other financial institution there are several key takeaways from NCUA Letter No. 15-CU-01, released earlier this year. The letter discusses where examiners will focus audit activities this year, and the first major topic is Cybersecurity which includes six critical items:

  1. Encrypting sensitive data
  2. Developing a comprehensive information security policy
  3. Performing due diligence over third parties that handle credit union data
  4. Monitoring cybersecurity risk exposure
  5. Monitoring transactions
  6. Testing security measures

In this two-part blog series I will be looking closer at each of these items and outlining FFIEC guidance, describing what we see in the field, and making recommendations based on future expectations. This article covers the first three. Part 2 will cover the last three.

1. Encrypting sensitive data

FFIEC guidance

Encrypting the transmission and storage of authenticators (e.g., passwords, personal identification numbers (PINs), digital certificates, and biometric templates).

Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include

  • Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk,
  • Effective key management practices,
  • Robust reliability, and
  • Appropriate protection of the encrypted communication’s endpoints.

Decisions regarding what data to encrypt and at what points to encrypt the data are typically based on the risk of disclosure and the costs and risks of encryption. The costs include potentially significant overhead costs on hosts and networks. Generally speaking, authenticators are encrypted whether on public networks or on the financial institution’s network. Sensitive information is also encrypted when passing over a public network and also may be encrypted within the institution.

Encryption has been part of the guidance for a long time but not really enforced due in part to the protection provided by hardened network perimeters. As malware and advanced threats infiltrate networks, however, we expect the use of stored data encryption on internal systems to become a requirement.

What we see in the field

Most, possibly all, software makers and vendors encrypt transmission and storage of authenticators (e.g., passwords, PINs, digital certificates, etc) and most of our clients aren’t developing their own authentication mechanisms.

Most organizations, vendors, and non-IT individuals understand the need to encrypt data in transit over non-private connections such as wireless and the internet. While some weaker implementations such as SSLv2 and TLS POODLE still show up in our testing, this area is mostly squared away.

Data at rest is a somewhat different story. Many of our partners encrypt things that physically move around, such as laptops and backup tapes. Beyond these obvious items most data are not encrypted when stored within the confines of the local area network.

Vendors that provide IT Services are asked by many of their clients (as in: you) if they encrypt data at rest. Those vendors who don’t already encrypt stored data generally have plans to do so. Those who don’t will soon be out of business. Either way, there are still enough reluctant vendors to create an unknown, which we as consumers need to investigate in our Vendor Due Diligence processes.

Recommendation

Create a data flow diagram to pinpoint where all types of sensitive information are stored and transmitted across the network and applications. Use the data flow diagram to provide context in the IT Risk Assessment.

If there is anything that remotely looks like sensitive data traveling over a public connection, I would stop reading this article now and spend 99% of my time and energy encrypting the connection.

Nobody has to rush out and encrypt all data storage locations, but there are some gimmie’s that need to be in place. Encrypt laptop hard-drives with Windows bitlocker (Windows 7 Ultimate and Enterprise, Windows 8.1 Pro and Enterprise), Macbooks with FileVault 2, or third party software like Symantec Endpoint Protection. Also keep an eye out for new solutions such as “Dell Data Protection | Encryption” where you can encrypt and protect specific data based on policy.

Everybody can benefit from developing a mindset toward encrypting data. It is not likely you’ll be able to scrape up the budget to encrypt everything. But you can start with large concentrations of records such as database servers and the core system. You probably won’t get much traction trying to replace your core processing system for the sake of encrypting data but you should be aware of what is available so you can contribute to the discussion. If your institution is looking at new core processors, for example, Fiserv’s DNA for Banks and Credit Unions offers encryption.

2. Developing a comprehensive information security policy

FFIEC Guidance

Institutions are required to establish an information security program that meets the requirements of the GLBA 501(b) guidelines. Information security policies and procedures are some of the institution’s measures and means by which the objectives of the information security program are achieved.

In other words, having the right security policies in place are a key security control.

What we see in the field

I can’t think of a single client over the past 5 years that did not have a security policy in place. So the long-standing premise that everything starts at the top with a security policy has been well adopted.

The form of said policies, however, varies widely from one organization to the next. Some organizations maintain a high-level 2-3 page policy that defines the Information Security Program in a generic sense. Other organizations have a 20-30 page document that outlines specific guidance around different areas of security. For example, the policy might contain a section dedicated to antivirus practices.

In either of these cases, and everything in between, audit findings in this area are typically non-existent. Examiners want to see a document and have been very flexible with the policy format. They understanding the goals of an Information Security Policy can be met in many different ways.

However, the fact that this is called out in the NCUA letter implies that examiners will be looking for more than a lightweight 2-3 pager. The FDIC and other agencies will more than likely follow suite.

Recommendations

First, find a stick to bite down on so you can endure the pain… then dig up all of your security policy documents by whatever name they go by: information security program, policy, incident response policy, network security policy, etc. etc. Once you have everything collected and old versions weeded out, perform an in-depth Policy Review to organize and cross-reference the documents worth keeping.

The comprehensive information security policy doesn’t have to be confined to a single document but the right contents have to be present and the documents need to coordinate with each other.

3. Performing due diligence over third parties that handle credit union (and bank) data

FFIEC Guidance

Effective and compliance due diligence by all financial institutions includes the following steps:

  • Evaluate the overall effectiveness of the third-party relationship and the consistency of the relationship with the financial institution’s strategic goals.
  • Review any licensing or registrations to ensure the third party can legally perform its services.
  • Evaluate the third party’s financial condition at least annually. Financial review should be as comprehensive as the credit risk analysis performed on the institution’s borrowing relationships. Audited financial statements should be required for significant third-party relationships.
  • Review the adequacy of the third party’s insurance coverage.
  • Ensure that the third party’s financial obligations to others are being met.
  • Review audit reports or other reports of the third party, and follow up on any needed corrective actions.
  • Review the adequacy and adherence to the third party’s policies relating to internal controls and security issues.
  • Monitor for compliance with applicable laws, rules, and regulations.
  • Review the third party’s business resumption contingency planning and testing.
  • Assess the effect of any changes in key third party personnel involved in the relationship with the financial institution.
  • Review reports relating to the third party’s performance in the context of contractual requirements and performance standards, with appropriate follow-up as needed.
  • Determine the adequacy of any training provided to employees of the financial institution and the third party.
  • Administer any testing programs for third parties with direct interaction with customers.
  • Review customer complaints about the products and services provided by the third party and the resolution of the complaints.
  • Meet as needed with representatives of the third party to discuss performance and operational issues.

Another recent development to consider is the 2015 Business Continuity Handbook, Appendix J-1 – regarding Cyber Resilience.

What we see in the field

Honestly, this area is a current struggle on several fronts. Examiners are penalizing financial institutions of all sizes and types that don’t have a robust Vendor Management Program in place. In particular smaller institutions without adequate staff are finding the due diligence requirements to be overwhelming.

Third party service providers that are deemed critical are also struggling with the increasing demands of compliance. Software and other companies that have not had extensive audits of their internal Information Security Programs.

Thankfully there are vendors like Rivial Security entering the market who can help with the overwhelming due diligence process.

Recommendations

This is an area that should be dealt with sooner rather than later. The first step is reading through the guidance to understand what is required. Once the requirements are internalized based on the financial institution’s size and culture a strategy can be crafted to put a program in place.

For a small number of critical vendors that need to be investigated and monitored, a spreadsheet may suffice. For larger institutions with more critical vendors the best approach is a SaaS-based Vendor Management solution. Both of these solutions require research on the critical vendors.

Rivial Vendor Intelligence provides due diligence and monitoring of critical vendors. Get a free sample report.