Print Whitepaper

Since the FDIC rolled-out the new Information Technology Risk Examination procedures (InTREx) on June 30, 2016, expectations regarding required documentation from financial institutions have been made a bit clearer. The following is a list of documentation pulled from the InTREx procedures. We hope this helps you as you update your Information Security Program documentation and as you prepare for your next IT examination.

General Required Documentation (listed multiple times in InTREx)

InTREx highlights a great deal of documentation in its four (4) Core modules, and even more in a few supplemental sections. The following is a list of documents that are mentioned multiple times throughout the new examination procedures that all financial institutions should include in their Information Security Program documentation:

• Most recent IT Examination report(s) and work-papers

• Pre-examination memoranda and file correspondence

• Formal, documented Information Security Program documentation, including:
  • Information Security controls, including cybersecurity
  • Network Security controls, including intrusion detection
  • Acceptable Use
  • User Access Rights Management
  • Electronic Funds Transfer
  • Vendor Management/Third-Party Risk
  • Remote Access
  • Bring Your Own Device (BYOD)
  • Institution-issued Mobile Devices
  • Anti-virus/Anti-malware
  • System Configuration Standards
  • Change/Patch Management
  • Physical and Environmental Security
  • Encryption
  • Unauthorized/Unlicensed Software
  • Information Security Training Program, including both the staff and the Board

• Incident Response Plan, including:
  • Identifying and Reporting Incidents
  • Assessing the nature and scope of an Incident
  • Incident escalation procedures
  • Identifying what customer information and information systems have been accessed or misused
  • Notifying primary Federal regulator(s), law enforcement, and customers
  • Filing of a SAR
  • Incident response and recovery
  • Testing Program, including results-tracking

• Business Continuity/Disaster Recovery Plan(s), including:
  • Enterprise-wide business continuity plan
  • Business impact analysis
  • Risk/threat assessment, including cyber risks/threats
  • Appropriate recovery operations
  • Pandemic Preparedness
  • Testing program, including results-tracking

• Vendor Management Program
  • Vendor Risk Assessment
  • Acquisition of Key Vendors
  • Ongoing Management of Vendors (both foreign and domestic)

• Most recent IT Risk Assessment
  • IT asset inventory, including cloud-based and virtualized systems
  • Criticality of IT assets
  • Threats (including likelihood and impact)
  • Inherent Risk Level
  • Controls to reduce risk
  • Control testing
  • Residual Risk Level
  • Frequency of IT Risk Assessment
  • Acceptable levels of risk
  • Remediation of unacceptable risks

• Most recent Cybersecurity Risk Assessment

• Most recent Internal and External IT Audit reports

• Board/Committee minutes related to the review of:
  • IT-related Committee meetings and decisions
  • Approval of Information Security Program and IT-related policies
  • IT and Cybersecurity Risk Assessments
  • IT Audits
  • Vendor Management
  • Change/Patch Management, including major IT projects
  • Network Security, including Security or Cyber Incidents

• Organizational Charts that reflect:
  • Business and IT Structure
  • Audit Reporting Structure

• Remediation/ Action Tracking to demonstrate management responses to IT Audit and Examination recommendations and deficiencies

Additional InTREx Required Documents, by section

In addition to the documents listed multiple times throughout InTREx, the following are documents to be reviewed under each identified section:

Audit

• IT Audit Policy and Charter

• IT Audit Plan/Schedule, including:
  • Information Security, including compliance with the Interagency Guidelines Establishing Information Security Standards
  • Cybersecurity
  • Network architecture, including firewalls and intrusion detection/prevention systems (IDS/IPS)
  • Incident Response Planning
  • Business Continuity/Disaster Recovery Planning
  • Security monitoring, including logging practices
  • Change/Patch Management
  • Third-party outsourcing
  • Social engineering
  • Electronic Funds Transfer
  • Electronic Banking (all products, services, and channels), including Mobile Banking

• Most recent IT Audit Risk Assessment

Management

• IT Governance – Documentation regarding the committees, names, and titles of the individual(s) responsible for managing IT and information security

• IT Asset Inventory

• IT-related committee minutes

• IT job descriptions, including qualifications of key IT employees

• Insurance policies (including Cybersecurity insurance)

• Strategic plans (business and IT)

• Succession plans

• IT budgets

Development and Acquisition

• Change Management Policy and procedures, including:
  • Request and approval
  • Testing
  • Implementation
  • Backup and back-out
  • Documentation
  • User notification and training

• Project Management Policy and procedures

• System Development Life Cycle process and procedures (if applicable)

• IT-related contracts and license agreements

Support and Delivery

• Business Operations-related policies, including:
  • Monitoring of systems for problems or capacity issues
  • Daily processing issue resolution and escalation procedures
  • Independent review of master file input and file maintenance changes
  • Independent review of global parameter changes
  • Document Imaging and Management Systems
  • Item Processing Functions, including Check Imaging

• Up-to-date Network topology

• Information Technology Profile (InTREx)

• Most recent Network Vulnerability Assessment/Penetration Testing reports

• Regulatory vendor reports (e.g., TSP reports)

Other Requirements:

Additionally, InTREx mentions the following areas in two different “Expanded Analysis” sections – Management Expanded Analysis and Support and Delivery Expanded Analysis. Ensure these areas are appropriately addressed in your Information Security Program and IT-related documentation:

• Cloud Computing – update the following to include any cloud-based products, systems, or vendors:
  • Information Security Program and IT-related policies
  • IT and Cybersecurity Risk Assessments
  • Vendor Management Program
  • Incident Response Plan
  • Business Continuity/Disaster Recovery Plan

• Managed Security Services Providers (MSSP)
  • Type and frequency of security reports provided by MSSP
  • MSSP responsiveness to audit findings
  • Incident Response capabilities
  • Service Level Agreements (SLA)
  • Business Continuity/Disaster Recovery Plan
  • Secure handling of sensitive data
  • In-house expertise to manage MSSP

• Foreign-based Technology Service Providers (FBTSP)
  • Location of FBTSP and institution’s data
  • Familiarity of FBSTP with US banking laws and regulations
  • Choice of governing law (US law is preferred)
  • Right of US regulators to audit
  • FBSTP’s Vendor Management Program

• Wireless Networks
  • Guest wireless networks vs. Corporate wireless networks
  • Security and Access guidelines
  • Periodic network security testing

• Virtualization
  • Updated Network Topology to reflect virtualized environment
  • Access Rights Administration, including privileged users and remote access
  • System/Image Standard Configurations
  • Licensing
  • Patch Management
  • Incident Response Plan
  • Business Continuity/Disaster Recovery Plan
  • Physical Security
  • Encryption
  • Monitoring, Logging, and Auditing
  • Network Vulnerability Assessment and Penetration Testing

• Voice over IP (VoIP)
  • Physical and Logical Security controls
  • Patch Management
  • Network Segmentation
  • Periodic network security testing
  • Emergency service communications

• ATM Operations
  • Physical and Logical Security controls
  • Patch Management
  • Network Segmentation
  • Dual control over cash
  • Card issuance procedures, including PIN issuances

• Customer-facing Call Center Operations
  • Customer Identification Procedures
  • Access Rights Administration
  • Personnel Security
  • Type and frequency of management reports
  • Scope and frequency of Call Center audits

• Internal IT Help Desk Operations
  • Access Rights Administration
  • Help Desk activity logging and monitoring
  • Ticketing/Tracking system adequacy/prioritization
  • Type and frequency of management reports
  • Scope and frequency of Help Desk audits

• Servicing provided to other entities
  • Contract adequacy
  • Service Level Agreements (SLA) compliance
  • Business Continuity/Disaster Recovery Plan considerations
  • IT and Cybersecurity Risk Assessments
  • Insurance coverages for services provided
  • Security of client data, including encryption over data-at-rest and data-in-transit
  • Type and frequency of management reports for services provided to other entities
  • Scope and frequency of Help Desk audits

SBS Information Security Program Blueprint

SBS has been partnering with financial institutions across the United States for more than 10 years to help build Information Security Programs that are comprehensive, manageable, and valuable. SBS’ Information Security Program framework is been built on regulatory guidance (primarily the FFIEC IT handbooks) with help from industry best-practice (ISO 27001, NIST, SANS, CIS, and COBIT). SBS has laid out the foundation of a strong Information Security Program in an Information Security Program Blueprint (click image to enlarge).

The ISP Blueprint is designed to give bankers a visual depiction of what an Information Security Program should look like, a sense of flow from the top-down, and path to ensure an ISP that is repeatable and can handle anything you throw at it.

The focus of this whitepaper is the documentation outlined by the FDIC InTREx procedures, which aligns directly with the ISP Blueprint above. The “Policy Components” listed out in the first tier of ISP documentation in the Blueprint are the things that all financial institutions need to do, regardless of size or complexity.

If you align the ISP Blueprint Policy Components with the InTREx expected documentation, you’ll find most of the major ISP Blueprint sections are listed out multiple times in InTREx, including:

• The Information Security Program
• IT Risk Assessment
• Cybersecurity Assessment
• Vendor Management
• Business Continuity/Disaster Recovery
• Incident Response
• IT Audit

There are three (3) tiers to the top-level of the ISP Blueprint: 1) Policy Components, 2) Implementation Programs, and 3) Plans/ Deliverables/ Services. Policy Components define the high-level, long-lasting policy statements that define the purpose, scope, requirements, and responsibilities of each individual ISP component. Implementation Programs are the day-to-day operating procedures for each component. And finally, Plans/ Deliverables/ Services represent the outcome from each component, whether it’s the result of an assessment (report), a deliverable as a result of a service-performed, training, or testing of a BCP or IRP.

The next component of the ISP Blueprint is the Issue and System Specific Components section. These additional components of your ISP are based on your risk assessment. If your institution implements Remote Deposit Capture, for example, you should either outline an RDC policy or include an RDC section in your ISP. The controls you have decided to implement around RDC in your risk assessment to reduce risk should then be documented in your RDC policy. If your institution does not implement RDC, you don’t need to include it in your ISP. Many of these additional requirements are outlined in the “Other Requirements” section above. Those items may include cloud-computing, managed security service providers, VoIP, ATMs, virtualization, wireless, help desk, etc.

That brings us to the testing component, otherwise referred to as auditing. There are three (3) ways to protect information: People, Process, and Technology. Financial institutions must also test (audit) their People, Process, and Technology for compliance and adequacy. Testing your Processes is frequently performed through an IT Audit. Testing your Technology is accomplished most often through external Penetration Testing and internal Vulnerability Assessment (or other combinations of the two). Testing your People is done through Social Engineering Assessments.

InTREx has an entire section dedicated to Audit, which includes documentation around an IT Audit Policy, IT Audit Charter, IT Audit Plan/Schedule (that includes testing for People, Process, and Technology), IT Audit Risk Assessment, and making sure that findings and recommendations are tracked to remediation or acceptance.

The final component of a well-rounded ISP is Remediation and Reporting. Remediation involves closing the loop on the feedback component (Audit) by ensuring improvements to the ISP are implemented (completed), tabled, or accepted. Accepted risks should be documented and reported upstream regularly. Reporting is the other final component of the ISP. Strong ISP reporting means that regular reports to senior management and the Board of Directors include updates and progress on all the major items discussed above – from the risk assessment to the ISP components, to testing the institution’s People, Process, and Technology.

When your Information Security Program is at its best, it allows your financial institution to identify risk and make decisions on how to mitigate risk (risk assessment), document those decisions in your policies and procedures (ISP), test those decisions (audit), and continuously improve security at your institution (remediation and reporting). Using a model like the ISP Blueprint can help your organization better understand how all of the components work together to build a better ISP and mature the security of your institution.

Written by: Jon Waldman, CISA, CRISC
Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity