The FFIEC issued a joint statement recently regarding Microsoft’s discontinuation of support for Windows XP. The statement requires financial institutions to identify, assess, and manage the risks of these devices in their institutions after April 8, 2014. After this date Microsoft will no longer provide regular security patches or support for this product, potentially leaving those devices vulnerable to cyber-attack and/or incompatibility with other applications.
Identifying, assessing and managing these devices within your own organization is fairly straightforward. Have your admin or support provider run an OS report and present it to the IT Committee for review and discussion of possible mitigation options. But somewhat lost in the FFIEC guidance is the fact that you are also responsible for identifying and assessing these devices at your third-party service providers. While the statement was written as if it were directed at FIs and TSPs separately, the FFIEC makes it clear that:
A financial institution’s use of a TSP to provide needed products and services does not diminish the responsibility of the institution’s board of directors and management to ensure that the activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, just as if the institution were to perform the activities in-house.
So my interpretation of the expectations resulting from this guidance is that you must reach out to your critical service providers and ask about any XP devices currently in use at their organization. If they aren’t using any, an affidavit from the CIO or similar person should suffice. If they are, a statement about how they plan to mitigate the risk should be made a part of your risk assessment. The fact that the FFIEC mentioned “TSPs” five times in less than two pages indicates to me that they expect you to be proactive about this.
One other thing that might have been overlooked in the guidance is the concept of operational risk. Many IT risk assessments focus exclusively on information security elements, i.e. access to NPI/PII; they assess only the GLBA elements of privacy and security. Operational risk addresses the risk of failure, or of not performing to management’s expectations. If your risk assessment is limited to GLBA elements, expand it. Make sure the criticality of the asset, product, or service is assessed as well. And, when indicated by high residual risk, refer to your business continuity plan for further mitigation.