Randy Hughes, CISA, IT Consultant
By now, we are all well aware of the wide assortment of technical controls that are commonplace in protecting an institution’s data:
- Network firewalls
- Intrusion prevention systems
- Content filtering
- Host level firewalls
However, through my experience, I have found that many institutions lack one key control – employee awareness training.
An institution can spend tens of thousands of dollars on technical controls to protect its sensitive data and still suffer a data breach due to the human element of its IT control environment. The human element is the weakest link in the security chain, and by not training your employees on their roles and responsibilities concerning information security, you run the risk of an intruder bypassing all those fancy technical controls through the ignorance of your staff.
The Value of Customized Training
Most institutions try to address this issue by having their employees complete a generic online training course, which is “ok” if you are trying to pass an audit. Is this once-a-year training course really providing enough value to protect your institution’s sensitive information and information systems?
To provide maximum value, it is important to customize your employee awareness training to your institution’s unique control environment. Create an information security presentation to inform all employees of the latest trends in social engineering (e.g., phishing, vishing) to ensure they are aware of the various attack vectors used by social engineers, as well as the controls your institution has in place to prevent and detect such attacks.
Define Acceptable Use
Another key component of employee awareness training is to inform your employees about acceptable use of your institution’s IT resources (e.g., e-mail, Internet). OK, your institution has an Acceptable Use Policy that covers this information. Yes, the employees sign a form (yearly) acknowledging they understand the policy, but do they really understand why such a policy exists?
It is not just because senior management is mean; it is to help ensure viruses don’t find their way into the institution, to ensure employees will have the proper bandwidth to do their jobs, etc. Again, include this information in a presentation, as it provides all employees the opportunity to ask questions.
So all of your employees have completed a proper training program... you are still not done! It is essential to remind your employees of their roles and responsibilities concerning information security on a regular basis to help ensure the training sticks. Maybe everyone is focused on the free donuts instead of how to handle a visitor to the institution. Use things such as posters in the lunchroom, screen savers, etc., to serve as constant reminders.
Randy Hughes, CISA, IT Consultant
Auditors and examiners are not around just to give bank management headaches; they are there to provide value to the institution under review. In my consulting work, I always review past reports to gauge the value provided, and have found common issues in the following components of a review:
- Evaluation of the control structure.
- Audit recommendations.
- Repeat findings.
Evaluation of Controls – Design, Implementation, and Effectiveness
How do you know your institution’s information and information systems are secure? Well, you have auditors and examiners test your internal control structure, right? However, the scope of “testing” may focus only on the design (policies, standards, guidelines, procedures) of the control structure, failing to test the implementation and effectiveness of the controls in place. Is it possible to say an institution is secure by reviewing only its policies and procedures? In my eyes, the answer is no; the most important part of a review is to examine what the institution actually has in place, and more often than not, I see audits or examinations focus solely on the design of the controls.
It is also important to mention that senior management and the board of directors are ultimately accountable for these controls, so it is in their best interest to develop a process to monitor key controls, as an audit or examination only provides a level of assurance for that point in time.
I have more than a few pet peeves when it comes to the recommendations provided for audit findings. Auditors, please stop stating the obvious, as I am confident most “auditees” understand that they need to “follow the policy” or “apply patches to a system.” Instead, provide value by helping the institution determine the root cause of the finding. Was it that the institution failed to train all employees on the policy? Is a process in place to install patches in a timely manner? Please provide value by determining the root cause of the finding.
Another common problem is the communication of the audit finding and recommendation. Again, it comes down to providing value to the institution, so it is essential that the auditee understands the finding and the objective of the recommendation. I cringe when I hear “because the auditor told me I had to” when discussing controls with an institution.
Enough picking on the auditors; auditees are to blame for at least a part of my frustration. How is there ever a repeat finding? You paid someone to point out flaws in your control structure, and you responded to their recommendations, stating you would fill the gaps. One year later, I find the same issue. More often than not, the root cause of a repeat finding is lack of accountability and failure to track the finding through remediation (re-testing).
Young and Associates, Inc. offers IT audits, risk assessments, and network penetration and vulnerability assessments. In these audits/assessments, we focus on more than the design of your control structure, and strive to provide easy-to-understand recommendations that address the true cause of the finding. In addition, we offer an Audit Tracking System that will help you track a finding from management’s response to implementation to remediation. Within this database, the institution may assign responsibility for remediating the finding.
For more information on this article or on how Young & Associates, Inc. can assist your bank with its audit function, please contact me at 1.800.525.9775 or by e-mail.
Mike Detrow, CISSP, IT Consultant
No matter what the current crisis or emergency may be, someone will try to exploit it for profit. Whether it’s a hurricane, flood, terrorist attack, or financial crisis, some people will attempt to take advantage of the situation.
The recent bank failures and concerns of additional bank failures provide an opportunity for social engineers and phishers. Bank employees are concerned about their jobs and customers are concerned about their money. Employees may be fooled by someone posing as a consultant or a regulator who either comes to the bank or calls on the phone attempting to gather information. A phisher may send e-mails to bank employees with financial status reports or other bank news in an attempt to install malware on an employee’s computer. Banks should ensure that employees are receiving appropriate information security awareness training to protect against these threats.
In addition, a phisher may use this opportunity to try to lure customers into thinking that their bank has been sold and attempt to obtain non-public information such as social security numbers or online banking login details. Banks may want to develop additional customer education efforts during this time of uncertainty to help customers avoid identity theft.
For more information on potential threats to bank security and the measures that your bank may take to protect itself and its customers, give me a call at 1.800.525.9775 or send me an e-mail.
Mike Detrow, CISSP, Consultant
How easy is it for an employee to take information out of your bank? It is very easy if you do not have the proper controls in place. If an employee carried a stack of papers home, you would notice it, but what about electronic media that can fit in a pocket or a file that is e-mailed? Almost all of the computers in your bank have USB ports. Some probably have CD writers and some have a floppy drive. A USB thumb drive is the size of a car key and can hold gigabytes of information, more than enough room to save the names, addresses, and social security numbers of all of your customers. An employee can simply plug the thumb drive into a PC and save any data to which he/she has access. If the computer is equipped with a CD writer, the employee can save the data to a CD. Although they hold far less data, floppy disks can also be used to take data out if the PC has a floppy drive. Of course, there will be some employees who need access to a USB port, CD writer, or floppy drive, but do all of your tellers need to burn CDs and plug in thumb drives?
What Can You Do?
Now for the good news! You can put controls in place to prevent the misuse of these devices. First, you need to evaluate which employees need to have access to these devices. If the employee does not need to create CDs, don’t order the PC with a CD writer, or disable it if it is already installed. To block the use of thumb drives, there are several options. If the computer does not use a USB mouse, keyboard, or printer, you can simply disable USB in the BIOS (if the option is available) and set a BIOS password so the setting cannot be changed back. If the computer does use a USB mouse, keyboard, or printer, you will need to edit the Registry, use Group Policy, or install software to limit what types of USB devices can be used. If a floppy drive is installed and not needed, disable it through the BIOS or by unplugging the cable. These methods control data being physically carried out of the bank, but what about e-mailing data?
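The following PowerShell script is an added example for the Registry/Group Policy option above; it is not code from the article or a Young & Associates tool. It audits (and, with -Apply, sets) the machine-level values that the “Removable Storage Access” Group Policy settings write, plus the USBSTOR service start value, so that USB thumb drives, floppies and CD writing are blocked while USB mice, keyboards and printers keep working. It assumes Windows Vista or later (Windows XP only honors the USBSTOR value) and a standalone PC; in a domain the same settings are better pushed through Group Policy, and the script then serves as an audit of what the policy actually produced.

```powershell
#Requires -RunAsAdministrator
param(
    [switch]$Apply,          # without -Apply the script only reports
    [switch]$AllowCdWriter   # for the few PCs that legitimately burn CDs
)

# Device-class GUIDs used by the "Removable Storage Access" policy key.
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$CdAndDvd       = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
$Floppy         = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Desired state for a PC whose user has no business need for removable media.
function Get-DesiredMediaSettings {
    param([bool]$CdWriterAllowed)
    $settings = @(
        # Start = 4 (disabled) keeps the USB mass-storage driver from loading;
        # USB mice, keyboards and printers use other drivers and keep working.
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Name = 'Start'; Value = 4 }
        # Deny all access to removable disks and floppies through policy as well,
        # so a thumb drive that was installed before the change is also blocked.
        @{ Path = "$PolicyRoot\$RemovableDisks"; Name = 'Deny_All'; Value = 1 }
        @{ Path = "$PolicyRoot\$Floppy";         Name = 'Deny_All'; Value = 1 }
    )
    if (-not $CdWriterAllowed) {
        # Reading CDs/DVDs (software installs) stays allowed; writing is denied.
        $settings += @{ Path = "$PolicyRoot\$CdAndDvd"; Name = 'Deny_Write'; Value = 1 }
    }
    return $settings
}

# Compare one desired value with what the Registry currently holds.
function Test-MediaSetting {
    param([hashtable]$Setting)
    $name   = $Setting.Name
    $actual = $null
    if (Test-Path -Path $Setting.Path) {
        $item = Get-ItemProperty -Path $Setting.Path -Name $name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.$name }
    }
    [pscustomobject]@{
        Path      = $Setting.Path
        Name      = $name
        Expected  = $Setting.Value
        Actual    = $actual
        Compliant = ($actual -eq $Setting.Value)
    }
}

# Create the key if needed and write the DWORD value.
function Set-MediaSetting {
    param([hashtable]$Setting)
    if (-not (Test-Path -Path $Setting.Path)) {
        New-Item -Path $Setting.Path -Force | Out-Null
    }
    New-ItemProperty -Path $Setting.Path -Name $Setting.Name -Value $Setting.Value `
        -PropertyType DWord -Force | Out-Null
}

$desired = Get-DesiredMediaSettings -CdWriterAllowed ([bool]$AllowCdWriter)
$report  = foreach ($s in $desired) { Test-MediaSetting -Setting $s }
$report | Format-Table Path, Name, Expected, Actual, Compliant -AutoSize

if ($Apply) {
    foreach ($s in $desired) {
        if (-not (Test-MediaSetting -Setting $s).Compliant) { Set-MediaSetting -Setting $s }
    }
    Write-Host 'Settings applied; reboot so that the USBSTOR driver is unloaded.'
}
```

Run it without switches first on a few PCs to see which ones already comply, then with -Apply on the teller workstations; run it again a month later, because a PC that has been re-imaged or had a vendor “fix” applied will quietly drift back to the defaults. Pair it with the BIOS password from the paragraph above, since a user who can boot from a CD can undo any Registry setting.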
With an Internet connection, an employee can e-mail large quantities of data just as easily as copying it to a thumb drive or other media. Multiple controls need to be put in place to block the ability to e-mail data out of the bank. Block Internet access and do not assign e-mail accounts to employees who do not need those capabilities for their positions. Block access to Web mail sites such as Yahoo! and Hotmail to keep an employee from using his/her personal e-mail account. Block outgoing e-mail attachments and/or install software that examines outgoing messages.
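As an added example of what “software that examines outgoing messages” does (this is not code from the article and not a Young & Associates product), the PowerShell function below applies three simple outbound rules to a message that has already been parsed into sender, recipients, body and attachment names: mail to external recipients may not carry attachments, may not contain SSN-like values, and may not contain a pile of long account-like numbers. The internal domain examplebank.test, the message layout and the sample messages are constructed for this example, and the threshold of five numeric strings is an arbitrary starting point to tune against the bank’s real traffic.

```powershell
# Examine one outbound message and decide whether it may leave the bank.
function Test-OutboundMessage {
    param(
        [Parameter(Mandatory)][hashtable]$Message,            # keys: From, To, Subject, Body, Attachments
        [string[]]$InternalDomains = @('examplebank.test')   # assumption: the bank's own mail domains
    )
    $reasons = @()

    # Mail that stays inside the bank's own domains is not data leaving the institution.
    $external = @($Message.To | Where-Object {
        $domain = ($_ -split '@')[-1].ToLower()
        $InternalDomains -notcontains $domain
    })
    if ($external.Count -eq 0) {
        return [pscustomobject]@{ Action = 'Allow'; Reasons = @() }
    }

    # Rule 1: no attachments to external recipients at all.
    if ($Message.Attachments -and $Message.Attachments.Count -gt 0) {
        $reasons += "attachment(s): $($Message.Attachments -join ', ')"
    }

    # Rule 2: SSN-like values (nnn-nn-nnnn) in the body.
    $ssnMatches = [regex]::Matches($Message.Body, '\b\d{3}-\d{2}-\d{4}\b')
    if ($ssnMatches.Count -gt 0) {
        $reasons += "$($ssnMatches.Count) SSN-like value(s)"
    }

    # Rule 3: many 9-16 digit numbers suggests a customer export pasted into the body.
    $acctMatches = [regex]::Matches($Message.Body, '\b\d{9,16}\b')
    if ($acctMatches.Count -ge 5) {
        $reasons += "$($acctMatches.Count) long numeric strings"
    }

    $action = if ($reasons.Count -gt 0) { 'Quarantine' } else { 'Allow' }
    [pscustomobject]@{ Action = $action; Reasons = $reasons }
}

# Constructed sample messages: one internal, one with an SSN, one with an attachment.
$samples = @(
    @{ From = 'teller1@examplebank.test'; To = @('bob@examplebank.test'); Subject = 'lunch';  Body = 'Noon?';                Attachments = @() }
    @{ From = 'teller1@examplebank.test'; To = @('me@webmail.example');   Subject = 'list';   Body = 'John Doe 123-45-6789'; Attachments = @() }
    @{ From = 'teller1@examplebank.test'; To = @('me@webmail.example');   Subject = 'export'; Body = 'see attached';         Attachments = @('customers.xls') }
)
foreach ($m in $samples) {
    $result = Test-OutboundMessage -Message $m
    '{0,-10} {1,-8} {2}' -f $result.Action, $m.Subject, ($result.Reasons -join '; ')
}
```

In practice the function sits behind whatever hands it parsed messages (a transport rule hook or a script that reads a quarantine folder), and a quarantined message goes to a mailbox the information security officer reviews rather than being silently dropped, so that false positives on legitimate customer correspondence are caught and the rules adjusted.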
These controls should be included in your bank’s information security program to minimize the risk of unauthorized data leaving your institution.
For more information about establishing an information security program, or to have your existing program reviewed, contact Mike Detrow at 1.800.525.9775 or by e-mail.