08 Apr 2011

From the Field Tom Hinkel 0 comment

“Concentration of duties”

It is not unusual for a community financial institution with limited personnel to have the Information Security Officer (ISO) act as a backup network administrator. In fact, this is a relatively common practice in an environment where key personnel will typically wear several hats. And there are practical reasons for this; the ISO is typically tech-savvy, and can act as an expedient resource when needed. Often when admin (or privileged) access is required, it is for a business critical purpose.

However, we have received several post-exam reports recently that examiners are taking a closer look at this practice. The finding is called “concentration of duties” (or sometimes “separation of duties”), and it addresses the very legitimate concern that the ISO must act in an oversight capacity to the network administrator, and that oversight dynamic is lost if the ISO has administrative capabilities. In fact in their Information Technology Officer’s Questionnaire, the FDIC requires you to “…briefly describe any known conflicts or concentrations of duties” . This oversight dynamic is exactly what they are referring to.*

If your institution engages in this multiple-hat practice, there are several things you can do to address this with the regulators. The first is to transfer the administrative oversight responsibilities from the ISO to a committee, typically the audit or tech steering committee. This requires more frequent meetings (preferably monthly, but no less than quarterly), and a strict adherence to an agenda that always includes discussion (and documentation) of rights and permission changes whether or not there were any. You may also want to consider event log monitoring software that can collect and aggregate all administrative user activity, and preferably store it on a logically separate system.

It’s also a good idea to have the committee review and re-approve all privileged accounts at each meeting. Another best practice is to make sure the ISO has a user account for administrative activities separate from their everyday user account. This assures that all activity is properly captured and reported. Finally, never share log in credentials…particularly admin accounts.

Also, review the section on privileged user access from the FFIEC IT Examination Handbook, Information Security Booklet, Page 23:

Authorization for privileged access should be tightly controlled. Privileged access refers to the ability to override system or application controls. Good practices for controlling privileged access include

Identifying each privilege associated with each system component,
Implementing a process to allocate privileges and allocating those privileges either on a need-to-use or an event-by-event basis,
Documenting the granting and administrative limits on privileges,
Finding alternate ways of achieving the business objectives,
Assigning privileges to a unique user ID apart from the one used for normal business use,
Logging and auditing the use of privileged access,
Reviewing privileged access rights at appropriate intervals and regularly reviewing privilege access allocations, and
Prohibiting shared privileged access by multiple users.

Incorporate these best practices into your access rights administration process. In the end, what’s expected is that you understand the risk of “concentration of duties”, and balance that against your business needs, given your size and complexity and the nature and scope of your operations. If you understand the residual risk, and believe your business needs are best met by sharing admin duties with your ISO, make sure your examiner knows how you got to that decision, and how you plan to manage it going forward.

*Note – Although you may be tempted to answer “No” to this question in order to avoid drawing attention to it, you are much better off responding “Yes”, and then describing your risk assessment process and resulting controls. It may not prevent the finding, but you will have a proactive response to it, which almost always implies more effective risk management.

04 Apr 2011

From the Field Tom Hinkel 8 Comments

The Control Self-Assessment (CSA)

If there was a process that was mentioned 43 times in 7 of the 12 FFIEC IT Examination Handbooks, (including 12 times in the Information Security Handbook alone!), would you consider implementing it? How about if it virtually assured better audits and examinations? OK, you’re interested, but the last thing you need is to implement another complicated process, right? What if the framework is probably already in place at your institution, and all you need to do is fine-tune it a bit?

I’m referring to the Control Self-Assessment (CSA), and let’s first make the regulatory case for it. The FFIEC Operations Handbook says:

Periodic control self-assessments allow management to gauge performance, as well as the criticality of systems and emerging risks.

And…

Senior management should require periodic self-assessments to provide an ongoing assessment of policy adequacy and compliance and ensure prompt corrective action of significant deficiencies.

If you’re familiar with “FFIEC-speak”, then you know that “should” really translates to “must”. But the Information Security Handbook makes the most compelling argument for utilizing the CSA in your risk management program:

Control self-assessments validate the adequacy and effectiveness of the control environment. They also facilitate early identification of emerging or changing risks.

So there is plenty of regulatory support for the CSA process, what about the audit and exam benefits? All of the major auditing standards bodies (IIA, AICPA, ISACA) address the importance of internal control reviews. Indeed most auditors say that institutions with an internal CSA process in place generally demonstrate a much more evolved risk management process, resulting in fewer, and less severe, audit findings. This stands to reason, as they tend to identify, and correct, control weaknesses prior to audit, as opposed to waiting for the auditor to identify them. And since one of the first things the examiner wants to see when they come in is your most recent audit, this often results in fewer examination findings as well.

One more reason to implement a CSA process from the examination perspective is something I touched on here…for those institutions trying to maximize their CAMELS IT composite ratings, one of the biggest differentiators between a “1” and a “2” is that in institutions rated a “1” “…management identifies weaknesses promptly (i.e. internally) and takes appropriate corrective action to resolve audit and regulatory concerns”. Conversely, in those institutions rated a “2” “…greater reliance is placed on audit and regulatory intervention to identify and resolve concerns”. A CAMELS “3” rating speaks directly to the CSA, stating that “…self-assessment practices are weak…“.

OK, so there are certainly lots of very good reasons to implement a CSA process in your institution. How can this be done with minimal disruption and the least amount of resource overhead? Chances are you already have a Tech Steering Committee, right? If the committee consists of members representative of all functional units within the organization, it has the support of senior management, and is empowered to report on all risk management controls, all that’s needed is a standardized agenda to follow. The agenda should address the following concerns:

Identification of risks and exposures
Assessment of the controls in place to reduce risks to acceptable levels
Analysis of the gap between how well the controls are working, and how well management expects them to work

As you can see, this is not substantially different from what you are probably already doing in your current Tech Steering Committee meetings. In fact, this list is really only a sub-set of your larger agenda…the only possible difference is that any and all findings in the gap analysis must be assigned to a responsible party for remediation.

In summary; the FFIEC strongly encourages it, the auditors and examiners love it, and for most institutions it’s not too difficult to implement and administer. But if you only need one good reason to consider the CSA process, it should be this:

Improved audit and examination ratings!

23 Mar 2011

From the Field Tom Hinkel 1 Comment

IT Composite Ratings: 1 vs. 2

In a recent survey conducted with our customers, we asked them to tell us (anonymously) what their FDIC IT composite scores were after their last IT examination, and whether those scores increased (got worse), or decreased (got better). The average score was 1.8 on the 5 point scale. Of course the results could be attributed to the fact that by virtue of their relationship with us, they demonstrate a higher level of awareness of IT and IT risks, resulting in a kind of reverse “adverse selection”, but regardless anything better than 2 is considered much better than average. And slightly more institutions saw their score increase (or get worse) than stay the same…almost none saw their scores decrease.
So is the FDIC issuing any 1’s in IT anymore? Not many, as far as I can see. But for those institutions looking to maintain, or even enhance, their IT scores, it’s critical to review the components in each category…particularly the differences…between 1 and 2. And since there are significant similarities between the two, the difference is all in the details.

The full list with all details is here, but this is a condensed version of how the FDIC IT Examination Composite Ratings break out by component:

Risk Management:

One (1) – “Risk Management processes provide a comprehensive program to identify and monitor risk relative to the size, complexity and risk profile of the entity.”
Two (2) – “Risk Management processes adequately identify and monitor risk relative to the size, complexity and risk profile of the entity.”

The difference between a 1 and a 2 in risk management is a “comprehensive program”…very subtle, but using the IT Steering Committee to manage IT could be the difference.

Strategic Planning:

One (1) – “Strategic plans are well defined and fully integrated throughout the organization. This allows management to quickly adapt to changing market, business and technology needs of the entity”.
Two (2) – “Strategic plans are defined but may require clarification, better coordination or improved communication throughout the organization. As a result, management anticipates, but responds less quickly to changes in market, business, and technological needs of the entity”.

This distinction is the most significant between the 2 categories, and in my opinion, seems to be the critical factor. I addressed the IT Strategic Plan in detail here. Often the difference between a 1 and a 2 in IT is in how well you manage, and communicate, your strategic plan.

Self Assessment:

One (1) – “Management identifies weaknesses promptly and takes appropriate corrective action to resolve audit and regulatory concerns”.
Two (2) – “Management normally identifies weaknesses and takes appropriate corrective action. However, greater reliance is placed on audit and regulatory intervention to identify and resolve concerns“.

Both have the ability to identify and correct weaknesses, but the key difference here is that the stronger organization handles it internally. The key to this is the control self-assessment process. The FFIEC mentions “control self-assessment” 43 times, and in 7 of the 12 IT Examination Handbooks. This is not a new concept, nor is it particularly difficult to implement, but for some reason it is under-utilized by most financial institutions.

I intend to address the self-assessment process more completely in a future post, but until then here are some of the benefits:

Early detection of risks
Improved internal controls
Assurance to top management that you are doing what you say you’re doing, and of course
Improved audit and examination ratings!

03 Mar 2011

Hot Topics Tom Hinkel 2 Comments

FDIC issues new FIL…

…and pretty much confirms what most of us already knew; regulatory scrutiny has increased across the board. FIL-13-2011 entitled “Reminder on FDIC Examination Findings” was just released March 1st, and in spite of the title, is not so much a reminder but a response. Here is the one-line summary:

“Recently, the FDIC has received some criticism that its examination findings have been overly harsh.”

Make no mistake, this is NOT a reminder, this is a response to a flurry of criticism from financial institutions who feel that:

Their examiners are finding fault with policies, procedures and practices that they have not had problems with in past examinations, and
The examiners are less willing to “work with them” to resolve the findings during the examination…before they appear in the exit letter.

I have heard the same criticism from our customers, and I think it is highly significant that the FDIC has seen fit to issue an FIL to address this. This confirms that the problem is not sporadic, it is endemic, and it is the new normal.

The FIL goes on to describe the procedures by which an institution might formally express their concerns, but in the end there is little the institution can do to change the findings. My attitude is that there are really only 3 ways to respond to an examiner finding:

Admit that the finding is valid, and commit to making the recommended change(s). The vast majority are handled this way.
Contest the finding. This is a viable option only if you can demonstrate that you’ve made a different interpretation of the underlying guidance, and as a result of your risk analysis, you’ve come to a different conclusion. If properly documented, this can be a very effective response.
Refuse the finding. This is an adversarial position and NOT really recommended, but I see this more often than you would think.

Given the new normal, the second option makes the most sense IF you’ve implemented an effective risk management process, because in the final analysis all examiner findings are about one thing…they believe you’ve accepted too much risk. I’ve addressed effective risk management in detail here.

One other thing caught my eye in the FIL, because the fact that the FDIC felt necessary to address it indicates that it has become an issue: “Prohibition Against Retaliation”. Apparently some institutions feel that not only are the examiners more critical, but that they have experienced “…retaliation, abuse, or retribution by an agency examiner…”. This may be because institutions are choosing the adversarial option. Even more reason to make sure that if and when you do decide to push back on an examiner finding, you do so in a logical, dispassionate way. Make a risk-based case that focuses on the residual, or remaining, risk. The vast majority of findings revolve around the examiner’s belief that you haven’t properly recognized that residual risk, and that as a result, it’s unacceptably high. If you can demonstrate that you do in fact understand the risks, and have decided to accept them as a business decision, you will eliminate the vast majority of examination findings.

22 Feb 2011

From the Field Tom Hinkel 1 Comment

Management of IT reflects overall management

(This is an extract from an article written for Bank Technology News. The full article is here.)

One of the reasons compelling the shift towards increased focus on IT is found in the only non-financial element in the CAMELS ratings: management. Post-mortem reports on the failures of both Washington Mutual and Indy Mac placed the blame equally on management for pursuing overly aggressive growth strategies, as well as on the regulator (OTS) and their inability to effectively identify and assess the risks. The OTS was a regulatory casualty of Dodd-Frank, and I think we can expect (and rightly so) increased focus on all governance issues going forward. But how does that translate into increased IT focus?

There are twelve factors that go into the CAMELS management rating component, and one of them is a measure of how well the institution manages its information systems. In addition to that, the FFIEC makes it clear in their IT Examination Handbook on Management that

“…effective IT management practices play an integral role in achieving many goals related to corporate governance. The ability to manage technology effectively in isolation no longer exists. Institutions should integrate IT management into the strategic planning function of each line of business within the institution.”

And regarding the relationship between IT and strategic planning;

“…an institution capable of aligning its IT infrastructure to support its business strategy adds value to its organization and positions itself for sustained success.”

Clearly IT is so pervasive throughout financial institutions that no enterprise-wide assessment of management and governance is complete without a thorough review of IT. It also stands to reason that an institution that can not demonstrate that they can adequately manage technology (and do so at all levels of management, from the Board of Directors down) may have fundamental management issues enterprise-wide.

Bottom line…more scrutiny of management equals more scrutiny of IT, and deficiencies in IT can lead to lower CAMELS scores. Solution? Implement a formal IT management process consisting of a dedicated committee. Use a standardized agenda, assigning follow-up items to responsible parties with specific time-frames for resolution. Involve ALL functional units in the committee, and regularly report status updates to the Board.

Then take this same model and apply it to the rest of the organization!

01 Feb 2011

Hot Topics Tom Hinkel 1 Comment

Top 5 Compliance Trends for 2011 – Part 4

According to the FFIEC IT Examination Management Handbook, many institutions choose to delegate responsibility for monitoring IT activities to an IT Steering Committee. I also addressed this here. One of the most important roles of the IT Steering Committee is to ensure that the IT strategy is aligned with the overall business strategy. And the best way to do that brings me to my next trend:

The IT Strategic Plan

Although the FFIEC Management Handbook came out in June 2004, we first saw this appear in FDIC examinations in 2009. Since then it sort of faded away, but now it’s back, and at least one other primary federal regulator is asking for it…the OTS. (Whether or not this makes the transition to the OCC remains to be seen.)

According to the FFIEC:

Strategic IT planning focuses on a three to five year horizon and helps ensure the institution’s technology plans are consistent or aligned with its business plans. If effective, strategic IT planning can ensure delivery of IT services that balance cost and efficiency while enabling the business units to meet the competitive demands of the marketplace.

Since IT is often the largest single investment (not to mention the largest concentration of risks) a financial institution has, regulators recognize that managing this process is vitally important. The IT Strategic Plan can demonstrate that you are managing effectively.

There is no one single template for this, but in general the plan should contain the following elements:

A mission statement. This should establish the basis for the plan, and the broad goals and objectives.
Coordination with the overall Strategic Plan
Organizational structure
Agenda
A list of IT initiatives

Many institutions choose to manage the plan in their IT Steering Committee…it simply become another agenda item. As the FFIEC states:

The information technology steering committee’s cross-functional membership makes it well suited for balancing or aligning the organization’s IT investment with its strategic and operational objectives.

However you choose to do it, since the IT Strategic Plan is so critical operationally, you may not want to wait until the examiners ask for it (and they will). And if you need to get senior management buy-in, mention this:

Well implemented technology plans provide the capability to deliver business value in terms of market share, earnings, and capital growth to the organization.

← Previous 1…345…8 Next →