

Prepare for Your Next IT Exam Using Five Common Findings


IT Exams are one area that separates the financial industry from other critical infrastructures, which can be a good thing (for the most part, IT Exams ensure that the institution has sound security controls in place) and a bad thing (IT Exams can be very stressful for the ill-prepared). A typical exam begins when the institution receives the notice of an examination. The institution is asked in advance to answer questions about the implementation of technology-related products and the completion of Information Security Program (ISP) items. This questionnaire allows an examiner to gain a general understanding of the institution’s riskiest processes, constituting the beginnings of a risk-based exam. Based on your answers, the examiner will examine the riskiest items with greater scrutiny. A true risk-based IT Exam or Audit is good for the institution, validates the institution’s risk management practices, and allows an examiner to spend the most time on what is important.

Preparing for Your Next IT Exam

As your next IT Exam approaches, how should your institution prepare for the exam? Perhaps a better question is when does the institution start getting ready for the exam? Should the process start when the notification and IT Exam paperwork arrive, asking you to answer questions and prepare documentation?

An institution that is truly prepared is working on ISP components throughout the year, not just before the exam. Updating or creating documents only right before the exam will continue to keep the institution on high alert and stressed before the exam. Additionally, failing to address and manage your ISP throughout the year typically leads to more severe IT Exam findings and recommendations, introducing even more stress to the system, as these findings often have deadlines.

An institution that proactively manages its risk assessments, response plans, recovery plans, and the controls will always perform well during an exam. Managing risk should be a living and breathing process. Proactively managing the ISP and institutional risks will prepare any institution for the next exam or audit no matter when it comes. Then any examination findings presented should already be known to the institution. If they are not, findings aren’t a big deal, as they should be seen as a way to continue to mature the institution’s information security posture.

Regulatory compliance does not necessarily mean good security, and good security does not always mean good compliance; both are required to be truly prepared.

Common Exam Findings

Examiners are focused on risk-based examination procedures to validate regulatory guidance and to ensure the use of industry best practices to identify and manage cybersecurity risks. SBS has been fortunate enough to work with many institutions in nearly every state, and we’ve seen a wide range of examination findings. Here are five of the most common findings we see from today’s examinations, listed in no order:

  • Security controls around the administrative accounts
  • Incident Response Plan does not include response procedures addressing highly impactful or probable threats
  • Data flow diagrams not completed
  • Previous exam and audit recommendations not being completed timely
  • Business Impact Analysis does not address RTO or RPO for critical business functions


Administrative Account Control

The security controls around administrative accounts are a risk that threatens to cause significant harm to the institution. If an attacker gains access to your network, and your administrative accounts are not properly secured, privilege escalation from standard user access becomes extremely easy. This leads to the exposure of your confidential information. Unsecured administrative accounts also increase the risk of insider fraud or inadvertent mistakes that could lead to insider fraud.

To resolve this finding, be sure that all users and administrators utilize standard, everyday user accounts that do not have administrative privileges for day-to-day access to the network. Individuals needing to perform administrative functions should use a separate administrative account. An IT Admin, for example, should have two (2) separate accounts: one for regular use and access, and a second only for performing administrative functions.

Finally, administrative user account activity should be closely monitored, and the institution should receive alerts if any suspicious administrative activity is logged or if a standard user account escalates to an administrative account.
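One way to implement the alerting described above, as an added example that is not from the original article: it scans group-membership events and flags any that grant administrative rights to a standard account or that were made from one. The `-adm` naming convention, the group list, and the sample records are assumptions constructed for illustration.

```python
# Added example: alert on privileged-group changes that break the two-account model.
# 4728/4732/4756 are the Windows Security event IDs for "a member was added to a
# security-enabled global/local/universal group".
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
ADMIN_SUFFIX = "-adm"  # assumption: naming convention for the separate admin accounts

# Constructed sample records (not real logs), already parsed into dicts.
SAMPLE_EVENTS = [
    {"time": "2018-07-02T09:14:00", "event_id": 4728, "actor": "jdoe-adm",
     "member": "asmith-adm", "group": "Domain Admins"},
    {"time": "2018-07-02T22:41:00", "event_id": 4732, "actor": "jdoe-adm",
     "member": "bwhite", "group": "Administrators"},
    {"time": "2018-07-03T08:05:00", "event_id": 4728, "actor": "jdoe-adm",
     "member": "bwhite", "group": "Loan Officers"},
    {"time": "2018-07-03T11:30:00", "event_id": 4756, "actor": "cgreen",
     "member": "cgreen-adm", "group": "Enterprise Admins"},
    {"time": "2018-07-03T11:31:00", "event_id": 4624, "actor": "cgreen",
     "member": "", "group": ""},
]


def is_admin_account(name):
    """True when the account follows the (assumed) admin naming convention."""
    return name.lower().endswith(ADMIN_SUFFIX)


def find_escalations(events):
    """Return one alert per privileged-group addition that violates policy."""
    alerts = []
    for ev in events:
        if ev["event_id"] not in GROUP_ADD_EVENT_IDS:
            continue  # not a group-membership addition
        if ev["group"].lower() not in PRIVILEGED_GROUPS:
            continue  # ordinary group, no administrative rights granted
        reasons = []
        if not is_admin_account(ev["member"]):
            reasons.append("standard account granted administrative rights")
        if not is_admin_account(ev["actor"]):
            reasons.append("change made from a standard account")
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_escalations(SAMPLE_EVENTS):
        print(alert["time"], alert["member"], "->", alert["group"],
              "by", alert["actor"], "|", "; ".join(alert["reasons"]))
```

On the constructed sample, the legitimate admin-to-admin change and the ordinary group change pass silently, while the two policy violations each produce an alert.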

Update Your Incident Response Plan

Another common IT Exam finding is an institution’s Incident Response Plan not having been updated to include response procedures that address highly impactful or probable threats. In today’s threat landscape, an Incident Response Plan that does not address procedures for handling a malware infection, ransomware, DDoS attacks, or unauthorized access either on the institution’s network or at a critical vendor is not a valuable Incident Response Plan. The Incident Response Plan should be designed to help the institution respond quickly to mitigate the risk of an incident and plan to fail well.

To resolve this finding, the institution should use the IT Risk Assessment to identify which modern threats pose the biggest risk. Then build incident response scenarios to address how the institution will respond to these threats should they occur. Performing an Incident Response tabletop test at least annually is the expectation.

Additionally, if your institution is not sure it could quickly identify an active incident, or if you are concerned that you’re not logging the right things on your network, please refer to our 50+ Incident Response Preparedness Checklist Items article. This checklist is a comprehensive list of settings and logs to allow your institution to respond to an incident.

Data Flow Diagrams

The Data Flow Diagram (DFD) has been a financial institution requirement since the 2004 FFIEC Operations booklet, but the Cybersecurity Assessment Tool (CAT) introduced the DFD as a baseline requirement for all institutions. Data Flow Diagrams are often incomplete, or the institution simply has not documented an appropriate DFD. A DFD should be used to understand how the data flows from your institution to external parties, and who is storing, transmitting, and processing your customer information. A DFD is separate and wholly different from a Network Diagram, which is designed to show the architecture of your network from a WAN and LAN perspective.

To resolve this Data Flow Diagram finding, please check out SBS’ Data Flow Diagram blog post, which includes details on what a DFD should contain and why DFDs are important.

Track Exam and Audit Findings to Completion

Your last exam or audit likely produced a list of actions your institution must address to comply with the regulatory guidance. These Action Items are to be addressed in a timely manner, relevant to their level of risk. However, it should be a rare occurrence for an Action Item to last more than six months without a resolution.

The institution should create an Action Plan around all IT Exam and Audit findings to address this finding. Findings should be prioritized from high to low, and all findings should be tracked to completion. The Action Plan should address the description of the finding, date of the finding, date to be completed, the person assigned to address the finding, a measure of progress, description of action taken, completion date, and notes to add additional information. All employees assigned to address these findings should regularly review the Action Plan, and the Committee responsible for tracking audit findings should oversee Action Plan progress. The Board of Directors has the overall responsibility for ISP oversight at the institution, so Action Plan progress should be presented to the Board of Directors for review and approval regularly.

Business Impact Analysis Measurables

The Business Impact Analysis (BIA) is the process to determine the institution’s priority of recovery for business processes. To properly and consistently measure business process recovery priorities, the institution should include three measurables: Recovery Time Objective (RTO), Recovery Point Objective (RPO), and Maximum Allowable Downtime (MAD) for all business processes assessed in the BIA. The Business Continuity Plan relies on the BIA to identify business process recovery priorities, and without these three factors, an institution would have to guess to determine recovery priorities and risk further delays in the recovery efforts.

The institution should upgrade its BIA to include RTO, RPO, and MAD as quantifiable, measurable categories for each business process to resolve the finding. In November of 2017, SBS published an article titled What Does a Good BIA Look Like. This article explains the components of a good BIA to help build a mature business process recovery priority, which is the backbone of a good Business Continuity Plan.

Proactive or Reactive

These five common findings should help your institution get ahead of potential findings and recommendations during your next exam. Remember, there are two types of institutions: proactively managed institutions and reactively managed institutions. Reactive management will always keep the institution on high alert and stressed before the next exam while sitting around waiting for someone else to tell you what to do. Proactive management will mature the institution’s information security posture, not only so that you’re ready for your next exam, but to help you truly manage information security. Lastly, consider reading bank regulations from FFIEC and from your federal regulator to look for other opportunities to improve your risk management and compliance.

Written by: Jeff Spann
Senior Information Security Consultant
SBS CyberSecurity, LLC

SBS Resources:

  • {Blog} Data Flow Diagram 101: What is a Data Flow Diagram, why are they important, and where do you start when creating one? Let's cover the basics and get you started on the right path.
  • {Blog} What Does a Good BIA Look Like?: The purpose of the BIA is to help you prioritize your business processes and tell you where to start when beginning your response. When creating a BIA, there are going to be three (3) main components that you should address to get the best results, including 1) Impacts, 2) Timeframes, and 3) Dependencies. This article will cover each of these BIA components, along with a little information on your business processes themselves.
  • 50+ Incident Response Preparedness Checklist Items: If you are uncertain how to go about preparing for and detecting an incident on your network, you are certainly not alone; this checklist will get you started. This list contains over 50 items in the following areas that should be prepared ahead of time: Configurations, Logging, Vendor Information, Key Personnel, and Detection Monitoring.
  • {Hacker Hour} Creating a Data Flow Diagram: According to our research, the development of a Data Flow Diagram (DFD) is one of the most common missing baseline statements in the FFIEC Cybersecurity Assessment Tool. Many financial institutions struggle with finding value in the DFD or have a hard time getting started. Join SBS as we discuss the guidance around DFDs and walk through examples of ways you can create a DFD for your organization - and get value from it.



Posted: Wednesday, July 18, 2018