Author: Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
21 Mar 2017
Late Night Exam Questions

Ask the Guru: How Can I Best Determine My Cyber Risk Profile?

Hey Guru!

We just completed the Cybersecurity Assessment, so now we have our current risk and control maturity levels identified.  Can we draw any conclusions about our average risk and control levels?  For example, most of our risks are in the Least and Minimal areas, but we do have a few Moderate as well.  Can we just average them and conclude that our overall cyber risk levels are minimal?


Towards the end of last year the FFIEC released a Frequently Asked Questions document about the Cybersecurity Assessment Tool, and item #6 directly addressed your question.  The Council stated that “…when a majority of activities, products, or services fall within the Moderate Risk Level, management may determine that the institution has a Moderate Inherent Risk Profile.”

This would seem to validate the approach of using the average[1] of all risk levels to identify your overall risk level.  However, they go on to state that each risk category may pose a different level of risk. “Therefore, in addition to evaluating the number of times an institution selects a specific risk level, management may also consider evaluating whether the specific category poses additional risk that should be factored into the overall assessment of inherent risk.”  This would appear to directly contradict the averaging approach, indicating (correctly, in my opinion) that since all risks are NOT equal, you should NOT determine overall risk based on an average.

For example, let’s say that all of your risks in the Technologies and Connection Types category are in the Least and Minimal level except for Unsecured External Connections, which is at the Moderate level.  So you have 13 items no higher than minimal, and 1 item moderate.  Sounds like an overall minimal level of risk, right?  Except a Moderate level of risk for Unsecured External Connections indicates that you have several (6-10) unsecured connections.  As any IT auditor will tell you, even 1 unsecured connection can be a serious vulnerability!

So although the FFIEC says that “…you may determine…” you’re at one level if the majority of your responses fall within that level, they go on to say you really shouldn’t draw that conclusion without additional evaluation.

This is just one of many examples of confusing, conflicting, and occasionally misleading elements in the CAT, and a very good reason to have assistance filling it out (shameless plug).


[1] There are 3 primary ways of defining “average”: mean, mode and median.  If you’ve assigned 1-5 numeric values to the risk levels, we can define average as “mean”.  If we’re assuming average is “mode”, it’s simply the value that occurs most often.  This appears to be the way the FFIEC is approaching it.  Regardless of how you define “average”, it leads to the same (inaccurate) conclusion.
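As an added illustration (my own code, not part of the FFIEC tool or of the original post), here is the Technologies and Connection Types example scored under all three definitions of “average”, next to a rule that lets one high-consequence item set a floor on the category profile. The 1-5 scale, the Significant and Most level names, and every item name other than Unsecured External Connections are assumptions.

```python
from collections import Counter
from statistics import mean, median

# Assumed 1-5 ordinal scale for the CAT inherent risk levels. The post names
# Least, Minimal and Moderate; Significant and Most are assumed to complete it.
LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}
NAME = {v: k for k, v in SCORE.items()}


def majority_level(levels):
    """FAQ #6 reading of 'average': the level selected most often (the mode)."""
    return Counter(levels).most_common(1)[0][0]


def mean_level(levels):
    """Arithmetic mean of the 1-5 scores, rounded back to a named level."""
    return NAME[round(mean(SCORE[lvl] for lvl in levels))]


def median_level(levels):
    """Median of the 1-5 scores, rounded back to a named level."""
    return NAME[round(median(SCORE[lvl] for lvl in levels))]


def floored_level(category, critical_items):
    """My reading of the FAQ's second clause: start from the majority level,
    but if any item management treats as high-consequence scores above it,
    the category profile rises to that item's level instead of being diluted."""
    base = SCORE[majority_level(list(category.values()))]
    worst_critical = max(
        (SCORE[category[item]] for item in critical_items if item in category),
        default=0,
    )
    return NAME[max(base, worst_critical)]


# Constructed sample category: 13 items at Least/Minimal plus one Moderate item,
# matching the 13-to-1 split in the post. Placeholder item names are invented.
TECH_CATEGORY = {f"item_{i:02d}": ("Least" if i <= 5 else "Minimal") for i in range(1, 14)}
TECH_CATEGORY["Unsecured External Connections"] = "Moderate"


def summarize(category, critical_items):
    """Return every aggregation side by side so the dilution effect is visible."""
    levels = list(category.values())
    return {
        "mode": majority_level(levels),
        "mean": mean_level(levels),
        "median": median_level(levels),
        "floored": floored_level(category, critical_items),
    }


if __name__ == "__main__":
    for rule, level in summarize(TECH_CATEGORY, ["Unsecured External Connections"]).items():
        print(f"{rule:>8}: {level}")
```

Mode, mean and median all land on Minimal for this category; only the floor rule surfaces the Moderate unsecured-connections exposure.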

27 Sep 2016

FFIEC Rewrites the Information Security IT Examination Handbook

In the first update in over 10 years, the FFIEC just completely rewrote the definitive guidance on their expectations for managing information systems in financial institutions.  This was widely expected, as the IT world has changed considerably since 2006.

There is much to unpack in this new handbook, starting with what appears to be a new approach to managing information security risk. The original 2006 handbook put the risk assessment process up front, essentially conflating risk assessment with risk management.  But as I first mentioned almost 6 years ago, the risk assessment is only one step in risk management, and it’s not the first step.  Before risk can be assessed you must identify the assets to be protected and the threats and vulnerabilities to those assets.  Only then can you conduct a risk assessment.  The new guidance uses a more traditional approach to risk management, correctly placing risk assessment in the second slot:

  1. Risk Identification
  2. Risk Measurement (aka risk assessment)
  3. Risk Mitigation, and
  4. Risk Monitoring and Reporting

This is a good change, and it is also identical to the risk management structure in the 2015 Management Handbook.  It’s also very consistent with the 4-phase process specified in the 2015 Business Continuity Handbook:

  1. Business Impact Analysis
  2. Risk Assessment
  3. Risk Management, and
  4. Risk Monitoring and Testing

Beyond that, here are a few additional observations (in no particular order):

More from Less:

  • The new handbook is about 40% shorter, consisting of 98 pages as contrasted with 138 in the 2006 handbook.

…HOWEVER…

  • The new guidance contains 412 references to the word “should”, as opposed to 341 references previously.  This is significant, because compliance folks know that every occurrence of the word “should” in the guidance generally translates to the word “will” in your policies and procedures.  So the handbook is 40% shorter, but increases regulator expectations by 20%!

Cyber Focus:

  • “…because of the frequency and severity of cyber attacks, the institution should place an increasing focus on cybersecurity controls, a key component of information security.”  Cybersecurity is scattered throughout the new handbook, including an entire section.

Assess Yourself:

  • There are 17 separate references to “self-assessments”, increasing the importance of utilizing internal assessments to gauge the effectiveness of your risk management and control processes.

Take Your Own Medicine:

  • Technology Service Providers to financial institutions will be held to the same set of standards:
    • “Examiners should also use this booklet to evaluate the performance by third-party service providers, including technology service providers, of services on behalf of financial institutions.”

The Ripple Effect:

  • The impact of this guidance will likely be quite significant, and will be felt across all IT areas.  For example, the Control Maturity section of the Cybersecurity Assessment Tool contains 98 references and hyperlinks to specific pages in the 2006 Handbook.  All of these are now invalid.  I’m sure we can expect an updated assessment tool from the FFIEC at some point in the not-too-distant future.  (Which will also necessitate changes to certain online tools!)
  • The new FDIC IT Risk Examination procedures (InTREx) also contain several references to the IT Handbook, although they are not specific to any particular page.

Regarding InTREx, I was actually hoping that the new IT Handbook and the new FDIC exam procedures would be more closely coordinated, but perhaps that’s too much to ask at this point.  In any case, the similarity between the 3 recently released Handbooks indicates increased standardization, and I think that is a good thing.  We will continue to dissect this document and report observations as we find them.  In the meantime, don’t hesitate to reach out with your own observations.

12 Jul 2016

FDIC Updates IT Examination Procedures

Starting immediately, all FDIC-examined institutions will be subjected to new IT examination procedures, the first major overhaul since December 2007.  The new format is dubbed the InTREx program (Information Technology Risk Examination), and is designed to be a bit simpler in the pre-examination phase.  In fact, the InTREx has only 26 questions vs. 59 for the 12/07 version.  But what the new version gives up in the pre-exam phase, it more than makes up for in the actual on-site examination portion.  I believe most institutions should prepare for a much more thorough (i.e. time-consuming) examination experience going forward.

The InTREx is based on the URSIT methodology (Uniform Rating System for Information Technology), which dates back to 1999.  URSIT consists of four main components used to assess the overall performance of IT management within an organization: Audit, Management, Development and Acquisition, and Support and Delivery (AMDS).  Additionally, InTREx adds an Expanded Analysis section for both Management and Support and Delivery.

First, the similarities:  Both the old and new model share a pre-exam and an on-site phase.  The pre-exam phase consists of the questionnaire, which is designed to help the examiner “scope” the examination (see #2 below), and determine exactly what documentation they will require from you (some of which they will request ahead of time, some will be requested on-site).

Once on-site the differences between the old and new are more apparent.  The new exam procedures require examiners to “review” (47 instances) and “evaluate” (54 instances) your documentation, and “determine” (30 instances) whether it is sufficient to prove that you’re doing what you say you will do.  The examiner uses the “Core Analysis Procedures” to assess each “Decision Factor” as either Strong, Satisfactory, Less than satisfactory, Deficient, or Critically deficient.  Examiners will then assign a 1 – 5 rating score to each AMDS component, and then assign an overall composite score.  All component ratings and scores, along with examination findings and recommendations, will appear in the final report.

Here is how the pre-exam and on-site phases break down in terms of type and volume of information requested:

  • The pre-exam phase is divided into 6 sections, with a total of 26 questions (most of which have an “If Yes…” portion, very similar to the 12/07 version):

      Section                        # Questions
      Core Processing                4
      Network                        6
      Online Banking                 4
      Development and Programming    1
      Software and Services          2
      Other                          9

  • The on-site exam phase is where the new examiner procedures are defined, and is divided into the AMDS sections, plus the 2 Expanded Analysis sections.  Each of the AMDS sections has a Core Analysis Decision Factors sub-section and a Core Analysis Procedures sub-section:

      Exam Procedures Components                  Core Analysis Decision Factors    Core Analysis Procedures
      Audit                                       10                                8
      Management                                  8                                 16
      Development and Acquisition                 6                                 9
      Support and Delivery                        8                                 26
      Management: Expanded Analysis               6                                 7
      Support and Delivery: Expanded Analysis     7                                 8
      GLBA Information Security Standards*        1*                                0
      Cybersecurity*                              1*                                0

* These components are not assessed separately, but are scattered throughout the program.

OBSERVATIONS:
  1. This is a much more granular process, requiring a deeper analysis by the examiner, which in turn puts a greater burden on the bank.  Proper documentation will often make the difference between a “satisfactory” and a “less than satisfactory” assessment.  If you prepared for previous exams by not just answering “Yes” or “No” to the pre-exam questions, but identifying all supporting documentation whether or not it was asked for, you should be fine with the InTREx.  If you were used to answering “Yes” or “No” with little or no examiner follow-up, download the InTREx now and focus on all the items in the Core Analysis Procedures sections.  Pay particular attention to the 34 “Control Test” items marked with the FDIC Control Test icon, and make sure you can get your hands on those items.  Again, being able to provide the documentation may make all the difference in your final exam score.
  2. The pre-exam portion of the questionnaire should (in theory) allow the exam to scale to the size and complexity of the institution.  We’ll have to wait and see if that actually occurs, but let’s hope so.  We’ve heard from far too many smaller institutions that said they felt their examiner treated them as if they were much larger.
  3. There is quite a bit of overlap between the elements in the InTREx and the Declarative Statements in the Cybersecurity Assessment Tool.  That should mean that actions taken to strengthen your cybersecurity control maturity will also strengthen your overall IT controls.  Also, cybersecurity elements are now permanently baked in to the IT examination process, not a separate assessment.  This is consistent with what I’ve been saying all along, that cybersecurity is simply a subset of information security.  However, as with the Control Tests, you should make sure you have documentation available for all items marked with the FDIC Cybersecurity icon.
  4. Hopefully, one potentially positive outcome from all this will be a more consistent examination experience.  Inconsistent examination results have been a source of concern for many institutions recently.  This new process should address that by removing some of the subjectivity that results when different examiners interpret the same guidance differently, and also by clarifying precisely what resources they need to “review”, and “evaluate” in order to “determine” the level of compliance achieved. 
  5. It is uncertain how quickly the new format will be adopted by regulators, but I’m guessing it will be pretty quickly.  Since they will send the questionnaire 90 days prior to your scheduled exam, we should expect the new methodology to be implemented for exams conducted in Q4 2016 at the soonest.
  6. It’s also unclear whether the other (non-FDIC) regulators will adopt this format. However, the FDIC insures the deposits in all insured institutions and has supervisory authority at all of them (including those for which it is not the primary federal supervisor), so a single standard would make sense.  In any case, even non-FDIC institutions would be wise to familiarize themselves with this guidance.

Shoot me an email if and when you get the new InTREx, and let me know your experiences with it.  I’ll update the post periodically.

20 Apr 2016

FDIC Targets Board Responsibilities

“A topic is at times of such significant interest to bankers and examiners that it warrants a special issue…”  Whenever something from a regulatory body begins this way all bankers should take notice, and the latest Special Corporate Governance Edition from the FDIC is no exception.  In fact the Guru did a little research and the last time the FDIC released a Special Edition of its Supervisory Insights was the Foreclosure Edition in 2011, which was a post-mortem on the banking crisis.

So all bankers would be well advised to review this latest publication, but particularly community bankers.  In fact the full title is:  A Community Bank Director’s Guide to Corporate Governance: 21st Century Reflections on the FDIC Pocket Guide for Directors.  The emphasis on community banks and bankers is intentional, and the release states right up front that:

“Community banks play a vital role in the nation’s economy and local communities, and a bank’s management – including its directors and senior management – is perhaps the single most important element in the successful operation of a bank.”


Although the FDIC states that this does not constitute new guidance (the original Pocket Guide was issued almost 30 years ago, but the basics haven’t really changed), the fact that they chose this topic and this time to release a special issue indicates that this is almost certainly going to be an area of increased focus for examiners going forward.

If there is one common theme that resonates from this issue it is that directors are expected to play a more active role in the day-to-day affairs of their institutions, and NOT be simply a “rubber stamp” for management.  This sums it up pretty well:

“…a director’s responsibility to oversee the conduct of the bank’s business necessitates using independent judgment and providing a credible challenge.  This entails engaging in robust discussions with senior management and perhaps challenging recommendations at times, rather than simply deferring to their decisions.”

I’ve talked about this concept of “credible challenge” before, which also appears several times in the recent FFIEC Management Handbook, and is defined as “being actively engaged, asking thoughtful questions, and exercising independent judgment.”  In order to do that, directors need access to accurate, timely and relevant information.  Board reports, once very high-level, should now include sufficient detail to allow members to comprehend (and if necessary, challenge) management decisions.

Make sure your IT management systems and processes are capable of producing these Board-level summary reports, then get them in front of the Board and into the Board minutes.  And be prepared for 2 things going forward: first, examiners WILL ask for these Board minutes and expect to see evidence of more engagement.  And secondly, expect Board meetings to become a lot more spirited!