Skip to content

Frustration-Free Risk Management

Simplify cybersecurity risk management and tackle your cybersecurity challenges with ease. TRAC automates the tedious risk assessment process and produces customized results that align with regulations, best practices, and your strategic goals.

Christy ThomasMay 14, 202410 min read

10 Information Security Topics to Discuss in Your Next Review

10 Information Security Topics to Discuss in Your Next Review

Cyberattacks no longer only impact the targeted organization but also have a ripple effect that harms partners, service providers, customers, and others. In an era where digital interconnectedness is the norm, the consequences of cyber incidents extend far beyond the initial breach, affecting a wide network of stakeholders.

As data breaches continue to trend up, organizations are spending more money and resources to ensure they have the appropriate solutions in place to prevent attacks without disrupting normal business. This escalating threat landscape underscores the critical role of the information security officer (ISO) in adopting proactive security measures. The ISO's role is becoming more important than ever in ensuring organizations are taking every precaution to avoid becoming victims.




All organizations should consider the following topics as part of an information security program review. 


1. Ransomware Awareness

One of the most crucial risks to organizations in today’s environment is ransomware. The Conference of State Bank Supervisors (CSBS) released the Ransomware Self-Assessment Tool (R-SAT) in 2020 and recently updated to version 2.0, which was updated due to evolutions in the ransomware threat environment, bad actor tactics, and changes in environments and controls. In addition, CSBS has a non-bank R-SAT for all organizations to utilize in assessing security gaps associated with their environments pertaining to ransomware risk.

Inadequate mitigation measures or lack thereof may intensify vulnerabilities and increase the risk of ransomware attacks if not promptly addressed. The R-SAT provides significant advantages, such as raising awareness about ransomware risks and identifying security gaps (focusing on specific areas of weakness). The tool also provides an overview for executive management and the board of directors to give them the information they need to make informed decisions and allocate resources appropriately. It can also assist auditors, consultants, and examiners in evaluating the security practices of an organization. The tool also incorporates lessons learned from organizations that have experienced ransomware attacks, which can help organizations apply best practices to their own environment.

Overall, the R-SAT is a valuable resource for organizations to evaluate their cybersecurity posture and improve their security practices.


2. Board Cybersecurity Training

An organization’s board of directors holds the ultimate fiduciary responsibility for its overall security. Without a solid grasp of cybersecurity, the board may make decisions that inadvertently weaken the organization’s security posture. A lack of understanding may result in insufficient budget allocation for cybersecurity initiatives. Boards unaware of cybersecurity implications may not align security strategies with overall business objectives. A board that underestimates cybersecurity risks may not take proactive measures to prevent breaches and won't have effective crisis response plans, leading to inadequate cybersecurity risk management.


How SBS Can Help: Information security is the responsibility of everyone at the bank, not just one individual or committee. Implementing a consistent training program helps establish trust that your organization takes cybersecurity seriously. Whether you are looking to educate your board of directors, executives, employees, or customers, we have a tailored program for each group. Learn more about our board or director cybersecurity training.Blog_Lock&Line-Gray


3. Firewall Reporting and Monitoring

Approximately 60-75% of our customers utilize an outsourced vendor for firewall management; while it is a trusted relationship, the organization has the ultimate oversight responsibility. The organization should, at a minimum, understand its network baseline to determine the right questions to ask and key risk indicators for its environment.

When a vendor manages your firewall, it introduces both risks and opportunities. Relying on a third party means your organization is dependent on their expertise, responsiveness, and reliability. However, misconfigured firewalls can lead to vulnerabilities and become exposed to threats. Also, having limited visibility into the vendor’s operations can hinder your ability to monitor and assess security effectively and ensure proper data protection measures to prevent unauthorized access or leaks.

To mitigate the risks of vendor firewall management, it is important to implement appropriate controls, including defining roles, responsibilities, and expectations in written contracts to eliminate any questions as to who is doing what. Periodic security audits of the vendor’s practices should be conducted as part of your vendor management program.

Administrative access to the firewall should be limited to authorized personnel only, and require strong authentication mechanisms, such as multi-factor authentication (MFA) and individual authentication (no shared accounts). Oversight should include receipt and review of comprehensive logs or read-only access, at a minimum, to monitor these logs for suspicious activities or policy violations. Vendors should be consulted on the organization’s incident response plan including definition of roles, communication channels, and escalation procedures.

Remember that collaboration and transparency are essential – and these controls play a crucial role in ensuring the security and proper functioning of firewalls. By implementing them diligently, organizations can enhance their oversight and response capabilities regarding firewall activity.


4. Multi-Factor Authentication (MFA)

Hackers increasingly use malware, ransomware, and phishing attacks to compromise user credentials and gain network access. Implementing MFA is a key defense strategy, adding an essential layer of security by requiring two or more verification factors. Enhancing network security with MFA solutions helps increase data-center security, boosts cloud security for a safer remote working environment, and minimizes cybersecurity threats.

Additional controls surrounding administrative access to directory services, network backup environments, network infrastructure, organization’s endpoints/servers, remote access (employees and vendors), and firewall management are recommended. Many cybersecurity insurance vendors now require organizations to complete a self-attestation to renew policies. Included within the attestation is the verification of multi-factor authentication for remote access users and administrative users.

Without adequate controls for administrative users, the organization faces significant risks, including unauthorized access, data breaches, financial loss, reputational damage, legal consequences, and operational disruption.


5. Vendor Management Program

The vendor management program continues to evolve and requires diligent monitoring and research, especially for those vendors deemed critical to operations. Adhering to the FFIEC Guidance and Interagency Guidance ensures comprehensive risk evaluation in vendor relationships, comprised of due diligence procedures, acquisition procedures, defined vendor risk classifications, annual risk assessments, presentation of critical vendors to an authorized committee, and adequate contract review procedures.

Effective vendor management optimizes costs, grants access to vendor expertise, enhances agility, minimizes potential disruptions, and provides a seamless customer experience. However, poor vendor management practices can lead to operational disruptions, security breaches, and non-compliance with regulatory requirements.

Organizations should adopt a comprehensive vendor management program to address vendor risks and ensure adherence to legal and regulatory standards.


SBS Vendor Management Solutions: Vendor management is important, but it’s certainly not easy. Delegate some (or most – depending on what you need!) of the most tedious work while also gaining the expertise you need to ensure you're working with the right vendors and keeping information safe. Learn more about Vendor Management as a Service.Blog_Lock&Line-Gray


6. Microsoft 365 Controls Assessment

SBS CyberSecurity began Microsoft 365 audits in 2021 due to discoveries by our network security team. An independent assessment is crucial for identifying and mitigating potential cyber threats within the Microsoft 365 environment. The independent assessment should evaluate the environment and ensure the organization has implemented appropriate controls to mitigate risks, including malware, third-party app access, data loss prevention, external sharing, advanced threat protection, and permissions.

Common security gaps within the Microsoft 365 environment include overly privileged administrator roles, incorrectly implemented multi-factor authentication, inadequate admin center settings, audit log and activity log neglect, and authorization misconfiguration.



7. Adequate Backups & Testing

Implementing various disaster recovery measures to prevent and mitigate ransomware attacks is important, including keeping multiple backups on and off-site, replicating critical data, encrypting data, and air-gapped backups. Regular testing of backup procedures is essential for ensuring data recoverability in the event of an attack. An air-gapped backup is not connected to a network, so it cannot be reached by hackers, as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is critical because there is no need to pay a ransom for data that is readily accessible to your organization.

An additional step to mitigate ransomware, which may be an option depending on budgeting, is immutable backups. An immutable backup is a backup file that cannot be altered in any way. It should be unchangeable and able to deploy to production servers immediately in case of ransomware attacks or other data loss. Keeping an archive of immutable backups can guarantee recovery from a ransomware attack by finding and recovering the last clean backup you have on record.

As part of risk mitigation, organizations should create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident. If a vendor or managed service provider is responsible for maintaining and securing your organization’s backups, ensure they follow the applicable best practices. Formalizing security requirements through contract language is a best practice that safeguards your data integrity.

Additionally, regularly testing and validating backup processes can give an organization confidence in its ability to restore data in the event of an emergency. This includes restoration testing, functional failover testing - spinning up critical backup servers, and other emergency preparedness testing (tabletop exercises, simulations, etc.).


The remaining topics are specific to financial institutions when completing an information security program review. 


8. Bank Protection Act of 1968

The shift towards remote audits and examinations has spotlighted the Bank Protection Act of 1968, ensuring institutions manage and monitor physical security effectively in line with regulatory expectations and risk levels. The move to remote audits poses challenges for physical security verification, often relying on videos or photographs for assessment.

To bolster physical security measures, it is recommended to appoint a dedicated security officer to oversee the comprehensive implementation of the security program and deliver an annual security report to the board of directors.


9. Segregation of Information Security from Information Technology

Once a financial institution reaches $750 million in assets, the regulatory and external audit scrutiny will increase surrounding the segregation of roles associated with information security and information technology. The information security officer should be independent of IT operations staff and should not report to IT operations management. When these roles are not appropriately segregated, several disadvantages can result, including conflicts of interest, lack of independence, inadequate checks and balances, reduced accountability, operational bias, limited focus on risk management, and inefficient incident response. On the other hand, by implementing independent separate roles for IS and IT, advantages include clear accountability, objective decision making, more effective risk management, compliance and audit readiness, incident response efficiency, and minimizing of overall risk exposure.


Table outlining the benefits of separated IT and IS roles


10. New / Updated Policies

The following policies should be documented within an information security program, and some have become formal recommendations by examiners and regulators within the last 12 months.

  • End-of-Life (EOL) Policy: Address EOL timeframes and track the EOL of IT assets to determine when to replace or upgrade respective assets. Failure to maintain effective identification, tracking, and replacement processes could have operational or security implications (e.g., unavailable or unapplied security updates [patches] that make technology vulnerable to disruption). EOL timeframes are also an essential part of an organization’s IT strategic planning to ensure adequate resources and dollars are allocated when needed.
  • Imaging Policy: Address the storage of critical documents to ensure readability and accuracy, responsibility, procedure, and disposal of original documents.
  • ATM/Debit Card Management Policy: Include policy and procedures to address the following: application process, employees authorized to order/issue cards, card activation procedures, PIN change procedures, receipt of returned PIN mailers, receipt of returned debit cards, logging documentation, contacting the customer for pick up / address changes, length of time to hold cards before being logged and destroyed.
  • Instant Issue Policy: Describe the instant issue environment, authorized access, security controls (both physical and logical), dual control, inventory, monitoring, internal audits, and related procedures.
  • Internet Banking Policy: Designate the responsibility of the program, summarize all Internet banking services, describe the risk assessment process, define transaction processes, determine appropriate training, and ensure all aspects of the Internet banking program are adequately addressed. Also, reference FFIEC Authentication and Access to Financial Institution Services and Systems (August 2021) as appropriate.

These enhancements aim to bolster the institution's security posture, ensuring comprehensive coverage of physical and digital security aspects in alignment with evolving regulatory standards and cyber threat landscapes.




Christy Thomas

Christy Thomas is the Auditor Manager at SBS CyberSecurity. Christy has over 15 years of risk management and operations experience in the financial services industry, holding a variety of roles that include: Information Security Officer, Internal Auditor, Bank Secrecy Act Officer, and IT Auditor.