Christy Thomas, May 05, 2022, 6 min read

Topics to Consider in your next Information Security Program Review

Cyberattacks no longer impact only the targeted organization; they ripple out to partners, service providers, customers, and others. Cybercriminals have built campaigns around vaccination mandates, pandemic response efforts, elections, and the transition to remote working environments.


The shift to remote and hybrid work has made mobile malware a more attractive attack vector, and with the growing use of mobile wallets and payment services, attackers will keep exploiting organizations' reliance on mobile devices.


As data breaches continue to rise, organizations will have to spend more to recover and to put solutions in place that prevent attacks without disrupting normal business. The information security officer (ISO) therefore has a more important role than ever in ensuring the organization takes every reasonable precaution against becoming a victim.


All organizations should consider the following topics as part of an Information Security Program review, implementing each as deemed necessary by management.


Multi-Factor Authentication (MFA)

Attackers increasingly use malware, ransomware, and phishing to harvest user credentials and gain network access. MFA blunts these attacks because a stolen or guessed password is no longer sufficient on its own, which strengthens access to the data center and to cloud services and makes remote work safer. Not all factors are equal, however: one-time codes and push notifications can be phished or approved out of fatigue, so phishing-resistant methods such as FIDO2/WebAuthn authenticators are preferred for the most sensitive access.


MFA is also recommended as an additional control on administrative access to directory services, backup environments, network infrastructure, the organization's endpoints and servers, remote access (employees and vendors), and firewall management. Many cyber insurance carriers now require a self-attestation to renew a policy, and that attestation includes verifying that MFA is enforced for remote access users and administrative users.


Contract Review Procedures

The vendor management program continues to evolve and requires diligent monitoring and research, especially for vendors deemed critical to operations. The FFIEC has outlined contract review guidelines within the Information Security Booklet, which should be used as a guide when evaluating new contracts and renewals for risk.


Formal contract review procedures should be developed and include, but not be limited to, the following: scope of service, performance standards, security and confidentiality, controls, audit requirements, reports available for review, business resumption or contingency plans, subcontracting, ownership and license of data, dispute resolution, termination, assignment, regulatory compliance, and breach notification procedures.


Microsoft 365 Controls Assessment

SBS CyberSecurity began Microsoft 365 control assessments in 2021 as a result of findings by our network security team. An independent assessment of the Microsoft 365 environment should be performed after implementation and periodically thereafter. The assessment should confirm that the organization has implemented appropriate controls in areas including anti-malware protection, third-party application access, data loss prevention, external sharing, advanced threat protection, and permissions.


Backup Best Practices

Disaster recovery measures that limit the impact of a ransomware attack include keeping multiple backups on and off site, replicating critical data, encrypting backups, and maintaining an air-gapped copy. Offline, encrypted backups are only useful if they are current and restorable, so backups should run on a routine schedule and restores should be tested regularly.


An air-gapped backup is not connected to the network, so an attacker who has compromised the production environment cannot reach it; this matters because many ransomware variants search for and delete any backups they can access. Maintaining offline, current backups is critical because there is no reason to pay a ransom for data the organization can readily restore itself.


An additional mitigation, budget permitting, is immutable backups. An immutable backup is a copy that cannot be altered or deleted for a defined retention period, and it should be restorable to production servers promptly after a ransomware attack or other data loss. The immutability must be enforced by the storage itself (for example object-lock storage or WORM media) rather than by permissions an attacker with administrative access could change, and the retention period must be long enough to outlast the attacker's likely dwell time. With an archive of immutable backups, recovery from ransomware comes down to identifying the last clean backup on record and restoring it.
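Added example (not code from the article or from SBS CyberSecurity): a small Python model of the behaviour described in the two paragraphs above. An ordinary writable backup share and a retention-locked immutable store both receive the same daily backups; a simulated ransomware stage then tries to delete or overwrite every backup it can reach, and recovery selects the newest backup taken before the compromise whose content still matches the digest recorded at write time. The store classes, the integer "tick" timestamps, the compromise day and the three "ledger" backups are all constructed for the illustration; in a real deployment the lock comes from the storage platform (object lock, WORM tape, a hardened repository), not from application code.

```python
"""Toy model of an immutable backup store versus a writable backup share.

Added illustration, not code from the article. Timestamps are integer
"ticks" and the ledger backups are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


def digest_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class BackupObject:
    name: str
    data: bytes
    sha256: str        # digest recorded at write time; used to verify a restore
    created: int       # tick at which the backup was taken
    locked_until: int  # retention lock expiry (equal to created on the plain share)


class WritableShare:
    """Ordinary backup share: any account with write access can overwrite or delete."""

    def __init__(self):
        self.objects: dict[str, BackupObject] = {}

    def put(self, name: str, data: bytes, now: int) -> None:
        self.objects[name] = BackupObject(name, data, digest_of(data), now, now)

    def delete(self, name: str, now: int) -> None:
        del self.objects[name]


class ImmutableStore:
    """Write-once store: no overwrite ever, no delete while the retention lock holds."""

    def __init__(self, retention: int):
        self.objects: dict[str, BackupObject] = {}
        self.retention = retention

    def put(self, name: str, data: bytes, now: int) -> None:
        if name in self.objects:
            raise PermissionError(f"{name}: object exists; overwrite refused")
        self.objects[name] = BackupObject(name, data, digest_of(data), now, now + self.retention)

    def delete(self, name: str, now: int) -> None:
        obj = self.objects[name]
        if now < obj.locked_until:
            raise PermissionError(f"{name}: retention lock holds until tick {obj.locked_until}")
        del self.objects[name]


def ransomware(store, now: int, key: int = 0x5A) -> int:
    """Backup-destruction stage: try to delete each reachable backup, then try to
    replace it with encrypted garbage. Returns how many backups were destroyed."""
    destroyed = 0
    for name, obj in list(store.objects.items()):
        garbage = bytes(b ^ key for b in obj.data)
        try:
            store.delete(name, now)
        except PermissionError:
            pass                      # deletion refused; fall through to the overwrite attempt
        try:
            store.put(name, garbage, now)
            destroyed += 1
        except PermissionError:
            continue                  # overwrite refused as well; the copy survives
    return destroyed


def last_clean_backup(store, compromise_time: int):
    """Newest backup taken before the compromise whose bytes still match the digest
    recorded at write time. Backups taken after initial access may already contain
    encrypted or trojaned data, so they are skipped even when intact."""
    candidates = [o for o in store.objects.values()
                  if o.created < compromise_time and digest_of(o.data) == o.sha256]
    return max(candidates, key=lambda o: o.created, default=None)


def run_scenario() -> dict:
    share, vault = WritableShare(), ImmutableStore(retention=30)
    # Constructed daily backups; the attacker is already inside on day 3.
    daily = {1: b"ledger v1", 2: b"ledger v2", 3: b"ledger v3 (tampered)"}
    for day, content in daily.items():
        share.put(f"full-{day}", content, now=day)
        vault.put(f"full-{day}", content, now=day)
    compromise_time = 3                     # initial access, as fixed by the investigation
    share_destroyed = ransomware(share, now=4)
    vault_destroyed = ransomware(vault, now=4)
    vault_clean = last_clean_backup(vault, compromise_time)
    share_clean = last_clean_backup(share, compromise_time)
    return {
        "share_destroyed": share_destroyed,
        "vault_destroyed": vault_destroyed,
        "vault_survivors": len(vault.objects),
        "restore_from": vault_clean.name if vault_clean else None,
        "restored_data": vault_clean.data if vault_clean else None,
        "share_restore_from": share_clean.name if share_clean else None,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two details in the model carry over to real environments. The garbage written to the writable share comes with a freshly computed digest, so an integrity hash stored next to a rewritable backup is rewritten along with it; the digest or catalog has to live somewhere the attacker cannot write, which the immutable store provides by refusing the overwrite. And the day-3 backup survives intact in the vault but is skipped because it was taken after initial access, which is why the compromise timeline from the incident response effort, and not only a passing hash check, decides which backup is "clean".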


As part of risk mitigation, organizations should create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.


If a third party or managed service provider maintains and secures your organization's backups, ensure they follow the same practices, and formalize your security requirements in the contract.



The remaining topics are specific to financial institutions completing an Information Security Program review, implementing each as deemed necessary by management.


Bank Protection Act of 1968

With the transition to remote audits and exams, IT audits now place more emphasis on the Bank Protection Act of 1968 to confirm that the organization is managing and monitoring physical security in line with the regulation and its risk. In-person physical security checks are harder to perform when external auditors and examiners work remotely, so videos or photos are typically used to examine physical security as part of the audit. The regulation itself requires the board to designate a security officer responsible for the physical security program, including an annual report to the board of directors on the program's implementation, administration, and effectiveness, so that designation should be formally documented.


FFIEC Updated Guidance

In August 2021 the FFIEC released updated guidance on authentication and access measures which, among other points, emphasizes customer awareness and education programs. Institutions should be adjusting their programs accordingly, and audits will place emphasis on the related policies. A customer awareness program should cover cash management customers, specifically ACH originators and merchant remote deposit customers, and confirm that they are aware of the institution's security protocols and abide by the expectations outlined in their respective agreements.


FFIEC Authentication and Access to Financial Institution Services and Systems guidance suggests considering the following examples of program elements when developing a customer awareness program:

  • An explanation of how customers can determine the legitimacy of communications from the financial institution, particularly communications that seek information that could be used to access the customer’s account.
  • An explanation of controls the financial institution offers that customers can use to mitigate risk, such as MFA.
  • An explanation of communication mechanisms that customers may use to monitor account activity, such as transaction alerts.
  • A listing of financial institution contacts that customers may use to report suspicious account activity or information security-related events.
  • Educational information regarding prevalent external threats and methods used to illegally access accounts and account information, such as phishing, social engineering, mobile-based trojans, and business email compromise.
  • An explanation of situations in which the institution uses enhanced authentication controls, such as call center contact or certain types of account activity like password reset.
  • An explanation of the legal and other rights and protections a customer may have in the event of unauthorized access to an account, including protections under Regulation E.


New / Updated Policies

The following policies should be documented within an Information Security Program, and some have become formal recommendations by examiners and regulators within the last 12 months.

  • Imaging Policy: Address the storage of imaged critical documents, covering readability and accuracy, responsibility, procedures, and disposal of the original documents.
  • ATM/Debit Card Management Policy: Include policy and procedures to address the following: application process, employees authorized to order/issue cards, card activation procedures, PIN change procedures, receipt of returned PIN mailers, receipt of returned debit cards, logging documentation, contacting the customer for pick up / address changes, length of time to hold cards before being logged and destroyed.
  • Instant Issue Policy: Describe the instant issue environment, authorized access, security controls (both physical and logical), dual control, inventory, monitoring, internal audits, and related procedures.
  • Internet Banking Policy: Designate responsibility of the program, summarize all Internet banking services, describe the risk assessment process, define transaction processes, determine appropriate training, and ensure all aspects of the Internet banking program are adequately addressed. Also, reference FFIEC Authentication and Access to Financial Institution Services and Systems (Aug 2021) as appropriate.

Christy Thomas

Christy Thomas is the Auditor Manager at SBS CyberSecurity. Christy has over 15 years of risk management and operations experience in the financial services industry, holding a variety of roles that include: Information Security Officer, Internal Auditor, Bank Secrecy Act Officer, and IT Auditor.
