29 May, 2020

Four Tips to Improve Monitoring and Compliance Demands

Last week, I hosted a complimentary webinar for members of the Community Bankers Association of Kansas, and feedback showed that top industry concerns were monitoring and compliance demands. Training and resources regarding due diligence, cybersecurity, IT management and risk management can help banks with oversight and accountability regarding confidentiality and the integrity of their data.

Consider the following policies and strategies to better protect what’s yours.

Due Diligence

Your financial institution must perform proper due diligence on all its vendors. This includes a vendor management strategy that evaluates all vendors and assesses the risk they pose. Review our recent blog post on de-risking your IT services supply chain, and take it a step further by collecting the following information for your vendors:

  • SSAE16/18 or SOC Audit
  • Exam Results
  • Business Continuity Testing
  • Insurance
  • Financials
  • Privacy Agreements
  • Incident Response
  • Follow-up to any regulatory letters issued about the vendor
  • Follow-up to any open vendor-related audit or exam-related findings

Do your due diligence to know who you are working with.

Cybersecurity

Cybersecurity matters now more than ever. Protect the confidentiality and integrity of your information by defending your networks, devices, and data from unauthorized access and criminal use. Questions to ask to gauge the effectiveness of your network security include:

  • Network Security: Are the devices protecting the bank’s network properly configured to protect bank assets?
  • Information Security: Are proper controls in place to protect information whether in-house or third-party?
  • Access Management: Is access to applications and infrastructure limited to only those needing access? (Least privilege)
  • Planning and Testing: Have adequate plans been put into place for areas such as business continuity and incident response? Have those plans been tested through tabletop or other types of testing?
  • Audit: Does the bank engage a third party to evaluate the security posture of the bank? Are penetration tests, vulnerability scans and operations considered in the scope?
  • Training: Does the bank conduct awareness training for employees and board members?

IT Management

The proper management of policies and applications will also keep your business safe. Consider the following when discussing IT management:

  • Antivirus Software
  • Asset Inventory
  • Audit & Exam Tracking
  • Backup Management
  • Business Continuity Planning
  • Capacity Management
  • Cyber Attack Monitoring
  • Data Loss Prevention
  • IDS/IPS Monitoring
  • Log Management
  • Network Changes
  • Patch Management
  • Policies & Risk Assessments
  • Remote Access
  • SPAM Filtering
  • Security Information and Event Management (SIEM) Solution

Risk Management

Basic risk management includes identifying potential threats and the likelihood of impact, as well as mitigating controls. Your risk assessment should include both inherent and residual risk ratings. Consider the following:

  • Information Security
  • Disaster Recovery
  • E-banking
  • Multifactor Authentication

We’ve created a complimentary risk assessment tool to help financial leaders understand their organization’s current level of risk and the biggest areas of opportunity. Email BankOnIT to inquire.

Sharon Bracken, CISA, is the Senior Audit and Regulatory Manager at BankOnIT. BankOnIT provides comprehensive information technology services for financial institutions across the USA. www.BankOnITUSA.com