Author: Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
08 Apr 2011

“Concentration of duties”

It is not unusual for a community financial institution with limited personnel to have the Information Security Officer (ISO) act as a backup network administrator.  In fact, this is a relatively common practice in an environment where key personnel will typically wear several hats.  And there are practical reasons for this; the ISO is typically tech-savvy, and can act as an expedient resource when needed.  Often when admin (or privileged) access is required, it is for a business-critical purpose.

However, we have received several post-exam reports recently that examiners are taking a closer look at this practice.  The finding is called “concentration of duties” (or sometimes “separation of duties”), and it addresses the very legitimate concern that the ISO must act in an oversight capacity to the network administrator, and that oversight dynamic is lost if the ISO has administrative capabilities.  In fact, in their Information Technology Officer’s Questionnaire, the FDIC requires you to “…briefly describe any known conflicts or concentrations of duties”.  This oversight dynamic is exactly what they are referring to.*

If your institution engages in this multiple-hat practice, there are several things you can do to address this with the regulators.  The first is to transfer the administrative oversight responsibilities from the ISO to a committee, typically the audit or tech steering committee.  This requires more frequent meetings (preferably monthly, but no less than quarterly), and a strict adherence to an agenda that always includes discussion (and documentation) of rights and permission changes whether or not there were any.  You may also want to consider event log monitoring software that can collect and aggregate all administrative user activity, and preferably store it on a logically separate system.

It’s also a good idea to have the committee review and re-approve all privileged accounts at each meeting.  Another best practice is to make sure the ISO has a user account for administrative activities separate from their everyday user account.  This ensures that all activity is properly captured and reported.  Finally, never share login credentials…particularly admin accounts.

Also, review the section on privileged user access from the FFIEC IT Examination Handbook, Information Security Booklet, Page 23:

Authorization for privileged access should be tightly controlled. Privileged access refers to the ability to override system or application controls. Good practices for controlling privileged access include

  • Identifying each privilege associated with each system component,
  • Implementing a process to allocate privileges and allocating those privileges either on a need-to-use or an event-by-event basis,
  • Documenting the granting and administrative limits on privileges,
  • Finding alternate ways of achieving the business objectives,
  • Assigning privileges to a unique user ID apart from the one used for normal business use,
  • Logging and auditing the use of privileged access,
  • Reviewing privileged access rights at appropriate intervals and regularly reviewing privilege access allocations, and
  • Prohibiting shared privileged access by multiple users.
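The following is an added example (not code from the original post, the FFIEC, or Safe Systems) showing how a committee could mechanically check the controls listed above, in particular a separate admin user ID, logged privileged use, re-approval of privileged accounts, and no shared privileged credentials, against a constructed sample of aggregated admin activity records. The account names, hosts, log format and approved-account list are all constructed for the example.

```python
"""Privileged-account review helper (added example; all data constructed).

Checks a constructed admin-activity log against four of the controls
quoted above: privileged work only from a separate admin ID, only by
accounts the committee approved, no sign of a shared admin credential,
and approved accounts that are never used (candidates for removal).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: privileged accounts re-approved at the last committee meeting.
APPROVED_ADMIN_ACCOUNTS = {"jdoe-adm", "svc-backup", "old-adm"}
# Constructed: everyday user ID -> the separate admin ID that person should use.
EVERYDAY_ACCOUNTS = {"jdoe": "jdoe-adm", "tsmith": "tsmith-adm"}
# Events the example treats as privileged use (constructed names, not a product's).
PRIVILEGED_EVENTS = {"privileged_logon", "group_membership_change",
                     "user_rights_assignment"}

# Constructed sample log: "<ISO timestamp> <account> <host> <event>" per line.
SAMPLE_LOG = """\
2011-04-01T09:00:00 jdoe-adm FS01 privileged_logon
2011-04-01T09:05:00 jdoe-adm FS01 group_membership_change
2011-04-01T09:07:00 jdoe DC01 user_rights_assignment
2011-04-01T10:00:00 svc-backup FS02 privileged_logon
2011-04-01T10:02:00 svc-backup WS17 privileged_logon
2011-04-01T11:30:00 tsmith-adm DC01 privileged_logon
"""


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, host, event = parts
        records.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "host": host, "event": event})
    return records


def review_privileged_access(records, approved, everyday,
                             window=timedelta(minutes=15)):
    """Return (finding_type, account, detail) tuples for the committee agenda."""
    findings = []
    logons = defaultdict(list)   # account -> [(timestamp, host)]
    active = set()               # accounts that actually did privileged work
    for r in records:
        if r["event"] not in PRIVILEGED_EVENTS:
            continue
        acct = r["account"]
        active.add(acct)
        if acct in everyday:
            # Privileged action from an everyday ID: the separate admin ID was bypassed.
            findings.append(("everyday_id_used_for_admin", acct,
                             f"use {everyday[acct]} instead"))
        elif acct not in approved:
            # Privileged account the committee never approved.
            findings.append(("unapproved_privileged_account", acct, r["host"]))
        if r["event"] == "privileged_logon":
            logons[acct].append((r["ts"], r["host"]))
    # Same admin account logged on from two hosts within a short window
    # is a common indicator that the credential is being shared.
    for acct, sessions in logons.items():
        sessions.sort()
        for (t1, h1), (t2, h2) in zip(sessions, sessions[1:]):
            if h1 != h2 and t2 - t1 <= window:
                mins = int((t2 - t1).total_seconds() // 60)
                findings.append(("possible_shared_credential", acct,
                                 f"{h1} and {h2} within {mins} min"))
    # Approved but unused: need-to-use says these should be questioned.
    for acct in sorted(approved - active):
        findings.append(("approved_but_unused", acct, "candidate for removal"))
    return findings


if __name__ == "__main__":
    for kind, acct, detail in review_privileged_access(
            parse_log(SAMPLE_LOG), APPROVED_ADMIN_ACCOUNTS, EVERYDAY_ACCOUNTS):
        print(f"{kind:32} {acct:12} {detail}")
```

The output is meant to be the standing agenda item the post recommends: each finding is either re-approved with a documented reason or assigned to someone for remediation.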

Incorporate these best practices into your access rights administration process.  In the end, what’s expected is that you understand the risk of “concentration of duties”, and balance that against your business needs, given your size and complexity and the nature and scope of your operations.  If you understand the residual risk, and believe your business needs are best met by sharing admin duties with your ISO, make sure your examiner knows how you got to that decision, and how you plan to manage it going forward.


*Note – Although you may be tempted to answer “No” to this question in order to avoid drawing attention to it, you are much better off responding “Yes”, and then describing your risk assessment process and resulting controls.  It may not prevent the finding, but you will have a proactive response to it, which almost always implies more effective risk management.

04 Apr 2011

The Control Self-Assessment (CSA)

If there was a process that was mentioned 43 times in 7 of the 12 FFIEC IT Examination Handbooks, (including 12 times in the Information Security Handbook alone!), would you consider implementing it?  How about if it virtually assured better audits and examinations?  OK, you’re interested, but the last thing you need is to implement another complicated process, right?  What if the framework is probably already in place at your institution, and all you need to do is fine-tune it a bit?

I’m referring to the Control Self-Assessment (CSA), and let’s first make the regulatory case for it.  The FFIEC Operations Handbook says:

Periodic control self-assessments allow management to gauge performance, as well as the criticality of systems and emerging risks.
And…
Senior management should require periodic self-assessments to provide an ongoing assessment of policy adequacy and compliance and ensure prompt corrective action of significant deficiencies.

If you’re familiar with “FFIEC-speak”, then you know that “should” really translates to “must”.  But the Information Security Handbook makes the most compelling argument for utilizing the CSA in your risk management program:

Control self-assessments validate the adequacy and effectiveness of the control environment. They also facilitate early identification of emerging or changing risks.

So there is plenty of regulatory support for the CSA process; what about the audit and exam benefits?  All of the major auditing standards bodies (IIA, AICPA, ISACA) address the importance of internal control reviews.  Indeed, most auditors say that institutions with an internal CSA process in place generally demonstrate a much more evolved risk management process, resulting in fewer, and less severe, audit findings.  This stands to reason, as they tend to identify, and correct, control weaknesses prior to audit, as opposed to waiting for the auditor to identify them.  And since one of the first things the examiner wants to see when they come in is your most recent audit, this often results in fewer examination findings as well.

One more reason to implement a CSA process from the examination perspective is something I touched on here…for those institutions trying to maximize their CAMELS IT composite ratings, one of the biggest differentiators between a “1” and a “2” is that in institutions rated a “1” “…management identifies weaknesses promptly (i.e. internally) and takes appropriate corrective action to resolve audit and regulatory concerns”.   Conversely, in those institutions rated a “2” “…greater reliance is placed on audit and regulatory intervention to identify and resolve concerns”. A CAMELS “3” rating speaks directly to the CSA, stating that “…self-assessment practices are weak…“.

OK, so there are certainly lots of very good reasons to implement a CSA process in your institution.  How can this be done with minimal disruption and the least amount of resource overhead?  Chances are you already have a Tech Steering Committee, right?  If the committee consists of members representative of all functional units within the organization, it has the support of senior management, and is empowered to report on all risk management controls, all that’s needed is a standardized agenda to follow.  The agenda should address the following concerns:

  • Identification of risks and exposures
  • Assessment of the controls in place to reduce risks to acceptable levels
  • Analysis of the gap between how well the controls are working, and how well management expects them to work

As you can see, this is not substantially different from what you are probably already doing in your current Tech Steering Committee meetings.  In fact, this list is really only a sub-set of your larger agenda…the only possible difference is that any and all findings in the gap analysis must be assigned to a responsible party for remediation.

In summary: the FFIEC strongly encourages it, the auditors and examiners love it, and for most institutions it’s not too difficult to implement and administer.  But if you only need one good reason to consider the CSA process, it should be this:

Improved audit and examination ratings!

27 Mar 2011

The RSA breach, and 5 things you should do

For those of us already waiting for the latest update on guidance from the FFIEC on Internet Authentication, the news of the recent RSA SecurID breach complicates things a bit.  One-time password (OTP) hardware devices (tokens and smartcards) are considered one of the most secure forms of the “something you have” element in complying with the multifactor authentication requirement.  So let’s take a look at the RSA breach in the context of authentication guidance, and what you should do to respond.

When the FFIEC released its original guidance on Internet Authentication in 2005, they said this about tokens:

Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication. The randomness, unpredictability, and uniqueness of the OTPs substantially increase the difficulty of a cyber thief capturing and using OTPs gained from keyboard logging.

And 6 years later, in the draft release of the FFIEC updated guidance, they said:

“OTP tokens have been used for several years and have been considered to be one of the stronger authentication technologies in use.”

And they are correct; in the last few years OTP tokens for authentication have proven to be very secure and have become very popular, and arguably the biggest player in that market is RSA.  There are millions of RSA SecurID tokens in use today, many of them in financial institutions, and many of those authenticating Internet based financial transactions…perhaps for your customers.

So what exactly happened?  Well, their Website is (strangely) completely silent on the event, and RSA customers I’ve spoken to say that information is slow coming to them, and extremely vague when it does, but according to what has been disclosed by RSA, here is what we do know:

“…the attack resulted in certain information being extracted from RSA’s systems. Some of that information is related to RSA SecurID authentication products.”

So…according to the FFIEC, the security of the OTP is based on “randomness, unpredictability, and uniqueness”, but we don’t know if the “certain information” mentioned by RSA included the main algorithm or some other critical information necessary to generate the OTP.

As a financial institution responsible (and liable) for the security of your customers’ Internet-based transactions, you must err on the side of caution here if you utilize RSA tokens.  I’ve got to believe that RSA will do the right thing here, and place their customers’ security ahead of their own business interests, but in the meantime it may be prudent to consider some additional measures, such as:

  • Since multi-factor authentication relies on “something you know” in addition to “something you have”, encourage (require?) your customers to change their user names and passwords.
  • Review (and possibly temporarily adjust) your built-in transaction monitoring metrics, such as dollar volumes, transaction frequency, ACH / Wire recipient lists, etc.
  • Implement “Out-of-Band” confirmation for all high-risk transactions.  In other words, temporarily require all transactions to be confirmed via a return phone call, fax, SMS, or similar method.
  • Make sure your customers know exactly who they can contact if they suspect unauthorized activity, and most importantly, let them know under what circumstances (and what methods) you will contact them.
  • Finally, consider an alternate token vendor.  You may be at the mercy of your on-line banking software vendor on this, but there are 2 trust issues in jeopardy here…the one between you (or your vendor) and RSA, and the much more important one between you and your customer.  RSA may be able to fix whatever problems allowed the breach, and thereby repair the trust (or not) with their customers (your vendor), but the trust issue with your customers may not be repairable.  Rightly or not, they may be reluctant to use anything with “RSA” printed on it.

All of these items (except the last) are best practices anyway, but the key is that you must be pro-active on this.  Do not wait for RSA to release all the details (we may never know them anyway), because what we do know now is enough to justify additional security measures.

In conclusion, tokens and OTPs are still very effective as one element in one layer of a multi-layer, multi-factor, authentication process, but clearly the lesson here is that there is no fool-proof method.  Indeed as we await the FFIEC update, this line from the draft release is almost prophetic:

“Since virtually every authentication technique can be compromised, financial institutions should not rely on any one authentication method or security technique in authorizing high risk transactions, but rather institute a system of layered security.”

Perhaps the only change necessary to that statement in the final release is to remove the word “virtually”.

23 Mar 2011

IT Composite Ratings: 1 vs. 2

In a recent survey conducted with our customers, we asked them to tell us (anonymously) what their FDIC IT composite scores were after their last IT examination, and whether those scores increased (got worse), or decreased (got better).  The average score was 1.8 on the 5 point scale.  Of course the results could be attributed to the fact that by virtue of their relationship with us, they demonstrate a higher level of awareness of IT and IT risks, resulting in a kind of reverse “adverse selection”, but regardless anything better than 2 is considered much better than average.  And slightly more institutions saw their score increase (or get worse) than stay the same…almost none saw their scores decrease.

So is the FDIC issuing any 1’s in IT anymore?  Not many, as far as I can see.  But for those institutions looking to maintain, or even enhance, their IT scores, it’s critical to review the components in each category…particularly the differences…between 1 and 2.  And since there are significant similarities between the two, the difference is all in the details.

The full list with all details is here, but this is a condensed version of how the FDIC IT Examination Composite Ratings break out by component:

Risk Management:

One (1) – “Risk Management processes provide a comprehensive program to identify and monitor risk relative to the size, complexity and risk profile of the entity.”
Two (2) – “Risk Management processes adequately identify and monitor risk relative to the size, complexity and risk profile of the entity.”

The difference between a 1 and a 2 in risk management is a “comprehensive program”…very subtle, but using the IT Steering Committee to manage IT could be the difference.

Strategic Planning:

One (1) – “Strategic plans are well defined and fully integrated throughout the organization.  This allows management to quickly adapt to changing market, business and technology needs of the entity”.
Two (2) – “Strategic plans are defined but may require clarification, better coordination or improved communication throughout the organization.  As a result, management anticipates, but responds less quickly to changes in market, business, and technological needs of the entity”.

This distinction is the most significant between the 2 categories, and in my opinion, seems to be the critical factor.  I addressed the IT Strategic Plan in detail here.  Often the difference between a 1 and a 2 in IT is in how well you manage, and communicate, your strategic plan.

Self Assessment:

One (1) – “Management identifies weaknesses promptly and takes appropriate corrective action to resolve audit and regulatory concerns”.
Two (2) – “Management normally identifies weaknesses and takes appropriate corrective action.  However, greater reliance is placed on audit and regulatory intervention to identify and resolve concerns”.

Both have the ability to identify and correct weaknesses, but the key difference here is that the stronger organization handles it internally.  The key to this is the control self-assessment process.  The FFIEC mentions “control self-assessment” 43 times, and in 7 of the 12 IT Examination Handbooks.  This is not a new concept, nor is it particularly difficult to implement, but for some reason it is under-utilized by most financial institutions.

I intend to address the self-assessment process more completely in a future post, but until then here are some of the benefits:

  • Early detection of risks
  • Improved internal controls
  • Assurance to top management that you are doing what you say you’re doing,  and of course
  • Improved audit and examination ratings!

16 Mar 2011

Risk Managing Social Media – 4 Challenges

Twitter, LinkedIn, Facebook, Google+…the decision to establish an on-line presence is a very popular topic these days, and it is extremely easy to do, but effectively managing social media risk can be frustratingly complicated.  In many ways, it just doesn’t lend itself to traditional risk management techniques, so the standard pre-entry justification process is much more difficult.  And because you are expected to assess the risks before you jump in, many of you may already be accepting unknown risks.

I see 4 big challenges to managing social media risk:

  1. Strategic Risk – If you determine that engaging in social media would be beneficial to achieving the goals and objectives of your business plan, you’ve made a strategic decision.  But even if you decide NOT to engage, you’ve still made a strategic decision because strategic risk exists if you fail to respond to industry changes.  (“If you choose not to decide, you still have made a choice”*.)  And you are expected to justify your strategy by periodically assessing whether or not you have achieved the goals you anticipated when you made the decision to engage in social media, which leads to challenge #2:
  2. Cost / Benefit – This is closely related to strategic, but relates to the difficulty of quantifying both the costs (strategic and otherwise) and the tangible benefits.  Most institutions decide to engage in social media as a “me too” reaction, but 1 or 2 years later they can’t go back and validate their decision on business grounds because they didn’t have well-defined, quantifiable expectations going in.  Anchor your decision on a set of specific goals, which could include increased brand or product exposure, but which should ultimately be defined in terms of an increase in capital and earnings.  And although there is a very small financial barrier to entry, there are other costs, which leads to my next challenge:
  3. Reputation Risk – This is where the decision to not engage in social media really manifests itself, because reputation risk exists regardless…it cannot be avoided.  All it takes is one disgruntled employee or customer (or a competitor) to post a negative comment about you or your products or services on-line, and your reputation could suffer.  If you do have an on-line presence, you may be able to quickly respond to counter the comments, but if you decided to stay out you have no recourse.  Also, are your employees blurring the line between their professional lives as official (and controllable) representatives of your institution, and their (un-controlled) personal, on-line lives?  In a traditional risk management model, each risk identified would be accompanied by an off-setting control or set of controls.  In the case of reputation risk, there really is no way to off-set, or control, the risk.  This brings me to the final, and perhaps biggest, challenge:
  4. Residual Risk – This is the end result of the risk management process; the amount of risk remaining after the application of controls.  Essentially, this is what you deem “acceptable” risk.  Since social media risk can never be completely avoided (see #3 above), you are already accepting some measure of risk.  The challenge is to quantify it.  Auditors and examiners expect you to have a firm grasp on residual risk, because that is really the only way to validate the effectiveness of your risk management program.  An uncertain or inaccurate level of residual risk implies to examiners an ineffective (or even non-existent) risk assessment.

So managing social media risk boils down to this:  You must be able to justify your decision (both to engage and to not engage) strategically, but to do so requires an accurate cost/benefit analysis.  Both costs (reputation, and other residual risks) and benefits (strategic) are extremely difficult to quantify, which means that in the end you are accepting an unknown level of risk, to achieve an uncertain amount of benefit. Ordinarily that would be a regulatory red-flag, but clearly many institutions currently have an on-line social media presence.  So at this point the question becomes not so much how did they arrive at that decision, but how will they justify their decision (and manage the risk) going forward?


*Lee, Geddy; Lifeson, Alex; Peart, Neil

08 Mar 2011

Auditor rotation – pro and con

The practice of periodically changing, or rotating, your external auditor has been a topic of interest with our customers lately, and there are two schools of thought on this.  The pro-rotation side takes the position that a different set of eyes looking at the same system might see something the other missed.  This is certainly a valid position, and probably originated in the post-Enron/Arthur Andersen days.  In fact, Section 203 of Sarbanes-Oxley (SOX) does require audit partner rotation every 5 years for publicly held companies, but this provision only applies to the lead auditor and the auditor responsible for reviewing the audit, not the auditing firm.

Indeed in interviews conducted in 2003 by the Government Accounting Office among Fortune 1000 companies, the majority surveyed indicated that audit partner rotation (using different individuals within an audit firm) would achieve the same benefits as audit firm rotation (using different audit firms).

Changing auditor firms can also be somewhat disruptive, as the new firm must get up to speed on the particularities of the institution’s control environment.  There is evidence that maintaining the same auditor may actually improve the quality of subsequent audits, as the auditor’s store of institutional knowledge increases.  Additionally, changing auditors too frequently may cause the appearance of “auditor shopping”, or shopping around for better results.

For their part, the FFIEC is silent on the practice of auditor rotation, stating only that:

“…management should ensure that there are no conflicts of interest and that the use of these (external auditor) services does not compromise independence”

Bank examiners are instructed to assess “whether the structure, scope, and management of an internal audit outsourcing (or external audit) arrangement adequately evaluate the institution’s system of internal controls”.  In other words, are they doing what they are supposed to do?

In the end analysis, in the absence of a regulatory mandate there is really only one overriding concern for financial institutions…are your examination results satisfactory? If so, and if there are no conflicts of interest or other independence concerns, there is really no compelling reason to change auditing firms…but periodically using a different set of eyes is definitely a good idea.