Pub. 13 2018-2019 Issue 6

NEBRASKA BANKERS ASSOCIATION

IT Risk Exams: Good Habits Enable Success

Adam Ward, Scantron Technology Solutions

The IT risk examination process takes an increasing degree of time and effort, especially for community bankers who operate with fewer resources. But unlike many kinds of exams or audits, you can actually “study” for these.

In the endless quest to stay current on technology while complying with cybersecurity regulations, some banks run the risk of adopting new tech that’s not truly exhaustively tested. Others put all their faith in one or two service providers who themselves may not have reliable IT. Even large governing bodies like the FDIC face cybersecurity challenges in their own deployment of new tech solutions, partly because they’re bigger targets for bad actors, and partly because it’s difficult to keep up with constant innovation. [1]

You can keep current on tech and have high confidence in your compliance. Don’t wait for an exam or audit exceptions to force you to initiate sound IT management routines; prepare and adopt good habits now. The following guidelines will help you streamline the exam process, proactively expose gaps, and reduce the duration of your exams. You should collect this information year-round. These are just the basics and this list is not exhaustive. A very detailed exam/audit checklist is available on the FDIC website. [2]

1. Vendor Management

Gather and store vendor management documents for all of your critical third-party vendors. These would include:

• SSAE16/SOC Audit Reports
• Financials / Cyber Insurance information and management procedures
• Copies of current vendor contracts

Vulnerability Remediation Process

Collect any procedural documentation. What is your process for tracking and reporting on vulnerability remediation? Are any automated scripting processes for remediation in use? Do you have a process for repeat vulnerability prevention? Catalog the results of your last internal/external penetration testing and the remediation results to provide to any examiner.

2. IT Process & Procedure Documentation

Document all network management procedures, as well as any network topology information. Keep this updated and ready to present electronically. This documentation should include:

• Detailed LAN / WAN diagram showing all network gateways and remote points of access
• Data flow diagrams
• Detailed backup process and data retention policy
• Defined patching & update procedures
• Virus/malware detection and response processes

Fill out your exam questionnaire. This may require vendor support if you outsource IT functions.

3. Backup/DR Proof & Testing Effectiveness

Run a disaster recovery test on your core system and Windows server network at least once a year. You should have a detailed report prepared and signed off on for each test. Have a copy of your current Business Continuity Plan included with any DR procedures.

4. System Reports and Review

Keep all copies of any system health and patching reports to show examiners. These include:

• Current software and hardware asset inventories
• Microsoft & third-party patching reports
• Firewall reports
• Remote administration reports
• System backup and replication status reports
• Any custom SIEM tool reports

The smaller your institution, the less tolerance your business has for unsatisfactory exam findings. Hold your vendors accountable for reporting on the health and security of their systems. When you establish good routines for testing, monitoring, and documentation, you’re proactively reducing risk and allowing your team to focus on adding value to the customer.

For more information, contact Adam Ward at 402-235-8925 or adam.ward@scantron.com. Adam is a business development manager for Scantron Technology Solutions, Nebraska’s largest and longest continuously operating IT service provider. Based in Omaha, Scantron serves more than 450 community banks nationwide.

1 “FDIC’s Top 3 Challenges Are All Tech Related,” www.nextgov.com, February 19, 2019.
2 https://www.fdic.gov/news/news/financial/2016/fil16043a.pdf.
