How Do You Mature Your Information Security Program in 2018?

Your ISP = More Than Checking the Box

What does your Information Security Program need to look like for 2018? Over the last two years, updated guidance in bank regulations and the Cybersecurity Assessment Tool updates have moved us toward tangible improvements in securing our information. For many years, we implemented check-box regulatory items (often based on exam results) and thought to ourselves, “why is this necessary?” We are now seeing why, and how, the updated regulation is making a big difference in securing the information in our banks. So, what should we look for in 2018 that will continue to help improve our Information Security Programs?


Two ISP Areas to Improve in 2018

There are two major components of an Information Security Program that most institutions should look to improve in 2018. The first improvement area is Vendor Management. Many banks are doing as little as needed to complete vendor reviews. If you are not spending the time and effort to document a full review of a Service Organization Controls (SOC) audit from the vendor, or are not performing a proper vendor selection process for new IT products, it’s time to mature your Vendor Management program. The second improvement area is your Incident Response Plan. Incident Response needs to be updated to include today's threats, including ransomware, vendor breaches, and DDoS attacks. Your Incident Response Plan should also include more frequent tabletop testing in all areas of the bank to make sure everyone knows what to do during an unforeseen threat event.


Vendor Management Improvements

The importance of a good Vendor Management program has grown with the threats to our networks and our vendors. As we outsource more systems to our vendors, our reliance on these vendors has also increased. It is easy to think we are passing on the responsibility for protecting our customer information to these vendors, but it’s important to always remember that it is still our responsibility to make sure our vendors are protecting our customer information just as if it were still within our physical walls. We can improve vendor due diligence by going beyond gathering basic information from these vendors to reviewing the details of a SOC report, privacy documentation, and vendor disaster recovery testing results. Also, be sure that your vendor selection process includes up-front risk management when choosing a new IT product such as mobile deposit, online account opening, board portals, or outsourcing an internally hosted system like email. If you are not performing a vendor risk assessment prior to signing new contracts, as the FFIEC Information Security Booklet requires, some work needs to be done to improve your security culture. Your Vendor Management Program should document the process of selecting new IT products and outline how many vendors you should consider based on the type of product you are evaluating. The results comparing the vendors' products, based on at least a cost-benefit analysis, product comparisons, and references, should be documented and shared with the decision-makers. Making improvements to your vendor selection and review processes will mature your vendor management program and help you make better decisions around how your vendors are protecting your information.


Incident Response Improvements

The purpose of the Incident Response Plan is to help the bank quickly identify the steps needed to isolate and recover from the various types of threats that are becoming more commonplace in today’s market. It is certainly not possible to mitigate all risks, but you can learn to fail well by planning to recover properly and quickly. The plan should describe how you escalate the Incident Response process based on the severity and scope of the incident, as well as when you notify your customers, regulatory body, and legal authorities. Each situation can be different. By creating specific scenarios for the threats you feel are most likely, then walking through the plan against each scenario, the plan can be updated to help you recover more quickly. Include representation from all areas of the bank to ensure the testing is comprehensive and provides perspectives that may not be identified otherwise. Incident Response testing results should be documented, and the lessons learned should be tracked to conclusion.

These improvements will help mature your Information Security Program by helping you make better decisions around Vendor Management and Incident Response. Be sure to review the recent updates to regulatory guidance, including the FFIEC IT Management and Information Security booklets, to see where you may be able to mature your program and make 2018 a year of improvement.

Written by: Jeff Spann
Senior Information Security Consultant - SBS CyberSecurity, LLC


SBS Resources:

  • {Service} Vendor Management: SBS security experts will get to work for you by taking on the daunting responsibility of vendor management. Your organization will be able to make better data-driven security decisions without having to do all the background work.
  • {Service} Incident Response Planning: An SBS consultant can assure your well-structured Incident Response Plan (IRP) will help mitigate the negative effects of a security breach, as well as demonstrate to examiners that your organization is properly prepared to handle such an event.
  • {Webinar} Hacker Hour: Defining and Refining Your Information Security Program: A written Information Security Program is required for organizations that are subject to GLBA scrutiny, however, it is also the linchpin for ANY organization to successfully protect sensitive data. Join SBS as we discuss the key components of a strong Information Security Program and explore the issues organizations have in designing and maintaining their program. We will also have a conversation about if and where Virtual CISO services could fit into your business. 
  • {Article} How to Truly Manage Your Information Security Program: In today’s busy world, the easiest thing to do when it comes to your Information Security Program (ISP) is to focus solely on compliance. Ok, well, it might not be that easy to put together an Information Security Program that meets the bare minimum standards for your industry, but only meeting the ISP basics sure feels much easier than spending your time building an ISP that truly demonstrates how your organization manages information and cybersecurity.
  • {CyberByte Video} Information Security Program: Managing an Information Security Program (ISP) is an ongoing, dynamic process because risk is always changing. Your program demonstrates how well you are managing information security to examiners, auditors, and upper-level management. Watch this CyberByte for an overview of how a layered approach is key to a successful ISP.


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute.

  • Certified Banking Security Manager
  • Certified Banking Vendor Manager
  • Certified Banking Incident Handler


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Monday, February 26, 2018