Tag: DR

22 Aug 2011

Risk Assessing Internet Banking – Two Different Approaches

One of the big “must do” take-aways from the updated FFIEC Authentication Guidance was the requirement for all institutions to conduct risk assessments.  Not just prior to implementing electronic banking services, but periodically throughout the relationship if certain factors change, such as:

  • changes in the internal and external threat environment, including those discussed in the Appendix to this Supplement;
  • changes in the customer base adopting electronic banking;
  • changes in the customer functionality offered through electronic banking;
  • and actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry.

The guidance also mandated annual re-assessments if none of these previous factors change, but given the increasingly hostile on-line environment it’s really a question of ‘when’ actual incidents occur, not ‘if’.  That being the case, if you only update your risk assessment annually the regulators could reasonably take the position that you’re not doing it often enough.

So risk assessments must occur “routinely”, but what is the best way to approach them?  Although the guidance does not specify a particular approach, it might be instructive to take a look at what the FFIEC has to say about Information Security and Disaster Recovery, both of which require (separate) risk assessments.  In both cases the FFIEC encourages you to approach the task by analyzing the probability and impact of the threat, not the nature of the threat.  This makes perfect sense.  By shifting the focus of your risk assessment off the moving target of the constantly changing threat environment, and on to strengthening the overall security of your Internet-based services[1], you can build a secure transaction environment that will scale and evolve as you grow.  Here is the critical difference between the two approaches: if you take a “nature-of-the-threat” approach, you must list every possible specific threat, both existing and reasonably anticipated[2].  That doesn’t work very well for disaster recovery or information security risk assessments, and in my opinion it is not the best approach for Internet banking either.

Although certainly not the only way to do the risk assessment, I would recommend a 2-step approach that addresses most if not all of the updated FFIEC guidelines.  Step 1 of this approach is to assess the overall risk of your products by listing the capabilities and controls for each one.  As a part of that step you would determine how many customers use the product, and then also how many of those you consider to be “high-risk” as defined by high transaction frequency and high dollar amount.  In Step 2 you should list those high-risk customers you identified in step 1 separately, along with the associated controls you plan to implement for each one.
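The following is an added worked example of the 2-step approach described above; it is not part of the original post. It models Step 1 (per-product capabilities, controls, customer count and high-risk count) and Step 2 (each high-risk customer listed separately with the controls planned for them), and also the footnote’s point that a re-assessment after an incident asks whether existing controls address the incident’s impact rather than adding a new threat. The product names, controls, thresholds, customers and the control-to-impact mapping are all constructed assumptions for illustration, not values from the FFIEC guidance.

```python
from dataclasses import dataclass

# Thresholds that define a "high-risk" customer. The post defines high risk only
# as high transaction frequency and high dollar amount; these numbers are
# constructed assumptions, not values from the guidance.
HIGH_FREQUENCY_PER_MONTH = 20
HIGH_DOLLAR_PER_MONTH = 50_000.00


@dataclass
class Product:
    name: str
    capabilities: list   # what a customer can do with the product
    controls: list       # controls every user of the product already gets


@dataclass
class Customer:
    customer_id: str
    product: str
    txns_per_month: int
    dollars_per_month: float


def is_high_risk(c: Customer) -> bool:
    """High-risk = high transaction frequency AND high dollar volume."""
    return (c.txns_per_month >= HIGH_FREQUENCY_PER_MONTH
            and c.dollars_per_month >= HIGH_DOLLAR_PER_MONTH)


def step1_product_assessment(products, customers):
    """Step 1: per product, list capabilities and controls, count users and high-risk users."""
    summary = {}
    for p in products:
        users = [c for c in customers if c.product == p.name]
        summary[p.name] = {
            "capabilities": list(p.capabilities),
            "controls": list(p.controls),
            "customers": len(users),
            "high_risk_customers": sum(1 for c in users if is_high_risk(c)),
        }
    return summary


def step2_high_risk_customers(products, customers, additional_controls):
    """Step 2: list every high-risk customer separately with the controls planned for
    that customer (baseline product controls plus the extra ones layered on)."""
    baseline = {p.name: p.controls for p in products}
    rows = []
    for c in customers:
        if is_high_risk(c):
            rows.append({
                "customer_id": c.customer_id,
                "product": c.product,
                "txns_per_month": c.txns_per_month,
                "dollars_per_month": c.dollars_per_month,
                "planned_controls": list(baseline[c.product])
                                    + list(additional_controls.get(c.product, [])),
            })
    return rows


def reassess_for_impact(product, incident_impact, control_coverage):
    """Re-assessment after an incident (footnote 2 of the post): do not add the new
    threat; check whether existing controls already address its impact."""
    covering = [ctl for ctl in product.controls
                if incident_impact in control_coverage.get(ctl, set())]
    return {"impact": incident_impact, "covered": bool(covering),
            "covering_controls": covering}


# --- Constructed sample data (assumptions for illustration only) ---
CONSUMER = Product("Consumer Internet Banking",
                   ["balance inquiry", "internal transfers", "bill pay"],
                   ["password plus challenge questions", "session timeout"])
BUSINESS = Product("Business Cash Management",
                   ["ACH origination", "wire transfers"],
                   ["multifactor authentication", "dual control on transfers"])
PRODUCTS = [CONSUMER, BUSINESS]

CUSTOMERS = [
    Customer("C-1001", CONSUMER.name, 6, 2_500.00),
    Customer("C-1002", CONSUMER.name, 25, 80_000.00),    # frequent and large
    Customer("B-2001", BUSINESS.name, 40, 400_000.00),   # frequent and large
    Customer("B-2002", BUSINESS.name, 30, 12_000.00),    # frequent, but low dollars
    Customer("B-2003", BUSINESS.name, 5, 900_000.00),    # large, but infrequent
]

# Extra controls planned for high-risk users of each product (constructed).
ADDITIONAL_CONTROLS = {
    CONSUMER.name: ["transaction alerts"],
    BUSINESS.name: ["out-of-band transaction verification", "per-customer dollar limits"],
}

# Which impact each control is judged to address (constructed mapping).
CONTROL_COVERAGE = {
    "password plus challenge questions": {"credential compromise"},
    "session timeout": {"session hijacking"},
    "multifactor authentication": {"credential compromise"},
    "dual control on transfers": {"unauthorized funds transfer"},
    "out-of-band transaction verification": {"unauthorized funds transfer", "credential compromise"},
    "per-customer dollar limits": {"unauthorized funds transfer"},
}

SUMMARY = step1_product_assessment(PRODUCTS, CUSTOMERS)
HIGH_RISK = step2_high_risk_customers(PRODUCTS, CUSTOMERS, ADDITIONAL_CONTROLS)

if __name__ == "__main__":
    for name, row in SUMMARY.items():
        print(name, row)
    for row in HIGH_RISK:
        print(row)
    # An industry incident whose impact is an unauthorized transfer: is each product covered?
    for p in PRODUCTS:
        print(p.name, reassess_for_impact(p, "unauthorized funds transfer", CONTROL_COVERAGE))
```

Run as a script, the Step 1 summary shows that a consumer product can still carry a high-risk customer, and the impact re-assessment shows the consumer product has no control covering an unauthorized funds transfer, which is the kind of gap the re-assessment is meant to surface without re-enumerating every threat.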

Again, there is no one single way to do this correctly.  Whatever you do should be consistent with the size and complexity of your institution, and the nature and scope of your Internet banking operations.  Good luck!


[1] Although other regulations and guidelines address financial institutions’ responsibilities to protect customer information and prevent identity theft, this guidance specifically addresses Internet authentication, and should be the primary focus of this risk assessment.

[2] You must still re-assess if either you or the industry experience any actual incidents, but instead of adding a new threat to your risk assessment, you simply determine if your existing control environment is sufficient to address the impact of the threat. In other words, you re-assess for the impact, not the nature of the threat.

21 Jul 2011

BCP plans continue to draw criticism

In a recent FDIC IT Examination, the examiner made the following criticism of the institution’s DR/BCP:

“Business continuity planning should focus on all critical business functions that need to be recovered to resume operations. Continuity planning for technology alone should no longer be the primary focus of a BCP, but rather viewed as one critical aspect of the enterprise-wide process. The review of each critical business function should include the technology that supports it.” (bold is mine)

This is not the first time we’ve seen this finding, nor is it a new direction for regulators, but rather follows directly from the 2008 FFIEC Handbook on Business Continuity Planning when they state:

“The business continuity planning process involves the recovery, resumption, and maintenance of the entire business, not just the technology component. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be enough to restore business operations.”

I still see way too many DR plans that focus on the recovery of technology, instead of recovery of the critical process supported by the technology.  Sure, technology is an interdependency of nearly every function you provide, but it must not be the primary focus of your recovery effort.  Focus instead on recovery of the entire process (teller, CSR, lending, funds management, etc.), by recognizing that each process is nothing more than the sum of its interdependencies.   For example, what does it take to deliver typical teller functionality?

  • A physical facility for customers to visit
  • A trained teller
  • A functional application, consisting of:
    • A workstation
    • A printer
    • A database, requiring:
      • LAN connectivity
      • WAN (core) connectivity, requiring:
        • Core functionality
      • A server, requiring:
        • Access rights
      • etc.
    • etc.
  • etc.

As you can see, technology certainly plays a very important role, but it is not the only critical aspect of the process.  All sub-components must work, and work together, for the overall process to work.  Mapping out the processes through a work-flow analysis is an excellent way to get your arms around all of the interdependencies.
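The interdependency tree above is the kind of structure a work-flow analysis produces, and once it is written down it can be queried. The following is an added example, not code from the original post: it encodes a constructed dependency map (the teller tree above plus an assumed lending process), computes the full set of components each critical process ultimately relies on, reports which processes are down when given components fail, and identifies the components shared by more than one process. The "lending" branch and its components are assumptions for illustration.

```python
# Constructed dependency map (assumption): each node lists what it directly requires.
# The "teller" branch follows the post's tree; "lending" is an assumed second process.
DEPENDENCIES = {
    "teller": ["branch facility", "trained teller", "teller application"],
    "teller application": ["workstation", "printer", "teller database"],
    "teller database": ["LAN connectivity", "WAN connectivity", "database server"],
    "WAN connectivity": ["core functionality"],
    "database server": ["access rights"],
    "lending": ["loan officer", "loan origination application"],
    "loan origination application": ["workstation", "LAN connectivity", "WAN connectivity"],
}

CRITICAL_PROCESSES = ["teller", "lending"]


def all_interdependencies(process, deps=DEPENDENCIES):
    """Transitive closure: every component the process ultimately depends on,
    however many levels down. A 'seen' set keeps this safe if the map has cycles."""
    seen, stack = set(), [process]
    while stack:
        node = stack.pop()
        for child in deps.get(node, []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def impacted_processes(failed, processes=CRITICAL_PROCESSES, deps=DEPENDENCIES):
    """Given a set of failed components, return each critical process that cannot
    operate, mapped to the failed components (sorted) that are the reason."""
    failed = set(failed)
    result = {}
    for p in processes:
        causes = sorted(failed & (all_interdependencies(p, deps) | {p}))
        if causes:
            result[p] = causes
    return result


def shared_components(processes=CRITICAL_PROCESSES, deps=DEPENDENCIES):
    """Components relied on by more than one critical process: natural recovery
    priorities, because restoring one of them brings back several processes."""
    counts = {}
    for p in processes:
        for component in all_interdependencies(p, deps):
            counts[component] = counts.get(component, 0) + 1
    return {c for c, n in counts.items() if n > 1}


if __name__ == "__main__":
    for p in CRITICAL_PROCESSES:
        print(p, "depends on", sorted(all_interdependencies(p)))
    # A core outage takes down both processes; a dead printer only affects the teller line.
    print(impacted_processes(["core functionality"]))
    print(impacted_processes(["printer"]))
    print("shared:", sorted(shared_components()))
```

The point the output makes is the one in the text: a single non-technology failure (a missing loan officer, an unusable branch facility) is just as much a process outage as a core outage, and the shared-component list tells the recovery team which technology items to restore first because several business processes sit on top of them.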

So next time you perform the annual review of your BCP (and you do review your plan annually, right?), make sure your IT department isn’t the only one in the room!

28 Dec 2010

Looking back – 2010 compliance hits & misses

Every year about this time, I’m asked to look ahead to the upcoming year and prognosticate on regulatory compliance trends.  I intend to do just that in a future post, but today I wanted to do something very few other prognosticators do…look back at last year’s predictions and see which ones hit and which missed (and why).

Here was the list of 2010 trends as I saw them early last year:

  • Risk Assessments – New standards and expectations
  • Documentation – Who, What, How and Why
  • Disaster Recovery – Compliant and Recoverable
  • Vendor Management – Trust but Verify

Overall I scored 2 hits and 2 misses, although to be fair the misses are more along the line of “not yet hits”.  Here is how 2010 actually shaped up:

  • Risk Assessments – miss.  This prediction was taken from the Winter 2009 FDIC Supervisory Insights Newsletter article entitled “Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk”.  It described how examiners should start to evaluate risk on an enterprise-wide basis instead of simply focusing on information security risks.  I predicted that examiners would start to adjust their examination procedures for the new criteria in 2010, but it hasn’t manifested itself in examination work papers yet.  However, some of the enterprise-wide risk criteria have made their way into various risk assessment best practices.  Criteria such as strategic risk, operational/transactional risk, reputation risk and legal/regulatory risk are now part of the vernacular for disaster recovery, retail payment systems and new technology risk assessments.  We’ll call this a miss…for now.
  • Documentation – hit.  The vast majority of audit and examination findings I’ve seen this year were not related to missing or insufficient policies or procedures; they were due to the institution’s inability to document (prove) that it was following its own procedures.  Expect this trend to continue in 2011.
  • Disaster Recovery – hit.  Both auditors and examiners are finding fault with DR plans that do not strictly conform to the FFIEC guidance.  Specifically, they must contain a business impact analysis, risk assessment, risk management and testing sections, and in that order.  A non-compliant plan that may even be able to demonstrate (through testing) recoverability will still be written up.  (More here.)
  • Vendor Management – miss.  With the increasing reliance of financial institutions on third-party vendors, I predicted that 2010 would be the year that the examiners started scrutinizing vendor management programs more closely.  It hasn’t happened…yet.  It may be because of the continued overwhelming emphasis on asset quality during the safety and soundness examination, but I’m leaving this on the list for 2011.  Asset quality will undoubtedly still dominate in 2011, but there are indications that the pendulum is starting to swing back around.  (More on that later.)

My next post will be my predictions for 2011.  I’m also collecting survey responses from auditors and examiners on where they think the areas of focus will be, and I’ll report that in early 2011 as well.

All the best for a Happy and Compliant New Year!!

13 Oct 2010

DR Plans – Compliant or Recoverable?

When addressing the issue of your disaster recovery plan, the ultimate goal is both.  But if you’re faced with limited resources (time, personnel, and money), and need to decide whether you’ll conduct a test or re-write your existing plan, what should you do?  A successful test demonstrates that you can recover if you have to.  Isn’t that the point of a DR plan?  Why waste limited resources tweaking your plan when the tests validate your recovery capability?

Because if your plan doesn’t follow the FFIEC guidance, you may fail an audit or examination regardless of how many successful tests you’ve conducted.  It may seem like a case of misplaced priorities, but it does make sense.  The March 2006 IT Examination Handbook is (unlike most of the other handbooks) pretty prescriptive in its guidance.  It “encourages” financial institutions to adopt a 4-phase process consisting of:

  • Business Impact Analysis
  • Risk Assessment
  • Risk Management
  • Risk Monitoring & Testing

I put “encourages” in quotes, because whenever the FFIEC uses that word what they really mean is that you better have a very very good reason NOT to adopt this process.  In fact, since 12/07 the FDIC has made the Business Impact Analysis mandatory, and recent audits have faulted plans for not having a Risk Assessment.  So the first reason you should focus on bringing your plan into alignment with current regulatory guidance is to avoid audit and examination deficiencies.  You may never experience an actual emergency severe enough to activate your plan, but you are virtually guaranteed to have it audited and examined, and repeatedly so.

But the most important reason to focus on having a compliant plan is that the prescribed process actually makes sense.  Each phase specified in the Handbook flows logically to the next phase, with the end result being a comprehensive program that:

  1. Identifies and prioritizes all critical business processes and their inter-dependencies (Phase 1)
  2. Identifies threats to those processes (Phase 2)
  3. Develops recovery procedures in the event the threats affect the processes (Phase 3), and
  4. Tests all assumptions to validate all previous phases (Phase 4)

Unless you’ve completed Phases 1 & 2, how do you know your test results are valid, i.e. that you are recovering the processes that are most important to you?  If you haven’t done the analysis and assessment steps, you really don’t know.

So, compliant AND recoverable is the goal, but if the question is compliant OR recoverable, you should always opt for compliant.  Because if compliant is done correctly, recoverable will be the result.

11 Aug 2010

WHO declares H1N1 pandemic over

The head of the World Health Organization (WHO) today declared the H1N1 influenza pandemic over, saying worldwide flu activity has returned to typical seasonal patterns and many people have immunity to the virus.   WHO Director-General Margaret Chan said “The H1N1 virus has largely run its course.”

This means you are unlikely to encounter any additional scrutiny in this area from your examiner; however, the FFIEC still requires that all financial institutions have plans in place detailing how they will manage through a pandemic event.   This includes incorporating pandemic planning into all 4 phases of the planning process.  (See Appendix D of the Business Continuity Planning IT Examination Handbook for additional guidance.)

09 Jul 2010

DR/BCP Scrutiny – UPDATED

Auditors (and some FDIC examiners) are scrutinizing disaster recovery plans more closely, specifically looking to verify that the plan structure adheres to FFIEC guidance. We’ve definitely seen this regarding the Business Impact Analysis and the Risk Assessment; the first 2 phases specified by the guidance.

FFIEC DR Cycle

UPDATE: At least one regulator (OTS) is demanding that all Recovery Time Objectives (RTOs) be based on a methodical analysis of the tolerance for downtime for each process, and NOT simply a subjective value.