FFIEC Regulatory Training
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


FFIEC Regulatory Training






Total Views
Views on SlideShare
Embed Views



1 Embed 7

http://www.slideshare.net 7


Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

FFIEC Regulatory Training Presentation Transcript

  • 1. Garland Group University A regulatory perspective Brad Garland CEO The Garland Group
  • 2. What are we doing here? Where FIs & IT meet Regulators & What they do Technology Controls Review Process Goal: Provide better service to your clients The Garland Group
  • 3. Introductions Name Position Tenure at CalTech Previous Experience The Garland Group
  • 4. The Garland Group Compliance, Security & Web Services firm Founded in 1981 Based out of Dallas, Texas Over 75 clients The Garland Group
  • 5. Our Services FFIEC Technology Audits Risk Assessments Penetration Testing / Vulnerability Assessments Social Engineering Bank Core System Selections The Garland Group
  • 6. Sizing up a Financial Institution < $25 Million - Small Community Bank Start-up or Denovo Status Couple of branches No IT staff $25 - $250 Million - Midsize Community Bank Normally still local footprint 1-10 branches Maybe 1 IT person The Garland Group
  • 7. Sizing up a Financial Institution $250 - $1 Billion - Medium Bank More Regional 5-15 branches Maybe 1-2 IT staff > $1 Billion - Large Bank May cross state lines Lots of branches Normally dedicated IT staff The Garland Group
  • 8. FI Infrastructures What’s out there? What kind of support do these systems get? Internal/External? Where do we fit in? The Garland Group
  • 9. Infrastructures Windows, Novell, Unix, Mac and hybrid environments Fat clients or Thin clients? Communications T1 Hub/Spoke MPLS VoIP Security Development Shops The Garland Group
  • 10. Infrastructures How do you help to support: Check/Item Processing E-Banking / Websites Document Imaging Merchant Capture Mobile Payments The Garland Group
  • 11. Core Processors The Garland Group
  • 12. Core Processors Run on variety of mainframe-like systems AS/400 Unix Linux The Garland Group
  • 13. Core Processors What’s a core processor do? In-house or Outsourced install? Who supports it? User Mgmt. Updates/Patches Backups Regulatory Hurdles The Garland Group
  • 14. Core from an Audit perspective User Lists Not just from an application level Who controls ‘root’? QSECOFR? Who monitors... System-level changes? ALLOBJ authority? Access Logs? The Garland Group
  • 15. What’s the best setup for a bank? Which ‘Core’? Inhouse/Outsourced? Fat/Thin Clients? T1’s / MPLS? Dedicated IT staff? Development? The Garland Group
  • 16. The Regulatory Agencies Federal Reserve ‘The State’ FDIC OCC OTS NCUA The Garland Group
  • 17. Who Regulates Who? FDIC - State chartered banks OCC - Nationally chartered banks OTS - Savings Bank NCUA - Credit Unions The Garland Group
  • 18. Our Technology Controls Review Process Review of all booklets of the FFIEC Generate ‘Recommendations’ based off of gaps Bank Mgmt. responds Final Report Executive Summary FFIEC Report IT Risk Assessment The Garland Group
  • 19. FFIEC Federal Financial Institutions Examination Council Formal Interagency Council Consists of all regulatory bodies Creates guidance for topics such as: Mortgages Bank Secrecy Act/AML Info. Technology The Garland Group
  • 20. FFIEC IT Exam Handbooks 12 Booklets Does not just cover IT 2001 edition replaced the previous 1996 version All have been updated since 2003 or later Ongoing Development The Garland Group
  • 21. FFIEC Handbooks Audit Management Business Continuity Operations Planning Outsourcing Technology Development & Acquisition Services E-Banking Retail Payment Systems FedLine Supervision of Technology Service Providers Information Security Wholesale Payment Systems The Garland Group
  • 22. Audit Major items in this section are: Audit Schedule Audit Committee Minutes Risk Assessments Conducted Proper Audit Follow-up Interim IT Audit work The Garland Group
  • 23. Management Major items in this section are: Reviewing BoD/ IT Steering Minutes Policy/Procedure Approvals by BoD Succession Planning Strategic Planning IT Budgeting Contract/Insurance Review The Garland Group
  • 24. Board Reporting Most FI's have IT Steering and Audit Committee These committees should drive functions and make decisions They also are the vessel to report to the Board on the status of the bank You may be asked to participate in these committees The board has ultimate responsibility for everything within the bank The Garland Group
  • 25. IT Steering Committee Approve major vendors (Core providers, IT support, etc.) Approve major purchases, usually over a set dollar limit Review logs and reports from the network Approve IT audits, Penetration tests, Vulnerability Scans Sometimes serve as a project management committee The Garland Group
  • 26. Audit Committee Review all audit reports from IT, BSA, Teller, Regulators, etc. Approve audit frequencies, scopes and methodologies Usually all Board members on the committee Approves audit vendors The Garland Group
  • 27. Business Continuity Plan Major items in this section include: Review of BCP/DR Plan Backup Procedures Shutdown Procedures Offsite Storage DR Agreements & Testing The Garland Group
  • 28. Operations Major items in this section include: Item Processing workflow process Inhouse/Outsourced? Branch/Teller Capture? Daily Run Sheets Physical Security Training Courier Agreements The Garland Group
  • 29. Development & Acquisition Major items in this section include: D&A Policy/Procedures Project Management Methodology Change Management Source Code Escrow Agreements Programming Methodology Development Meeting Minutes The Garland Group
  • 30. Outsourcing IT Services Vendor Management Updated Contracts with each vendor GLBA Wording in Contracts Proper ‘Due Diligence’ performed on critical vendors The Garland Group
  • 31. E-Banking Major items in this section include: Policy/Procedures Security Reports / What’s reviewed? Who see’s it? Website Change Management Proper Privacy Statements & Logos on website The Garland Group
  • 32. Retail Payment Systems Major items in this section include: ATM Balancing / Reconciliation processes Agreements for 3rd party ATM vendors ACH Policy/Procedures Review ACH Originators & Agreements Submitting ACH payments (via Web or FedAdvantage) The Garland Group
  • 33. FedLine/FedAdvantage Major items in this section include: Proper control of users who access the Fed System Segregated Duties / Enter & Verify How they receive Wire requests Approval / Callback Procedures The Garland Group
  • 34. Information Security Major items in this section include: Information Security Program User Administration Rules Password Policy System Policy Screensaver Policy The Garland Group
  • 35. Information Security - Cont. Network Diagram - Up to date? Recent Security Testing / Breaches Security Monitoring Hardware/Software Inventory & Licenses Use of Laptops? Secured? How? Remote Access What logs are kept? Wireless The Garland Group
  • 36. Technology Service Provider Major items in this section include: Review of vendor agreements Any major planned projects/development? Financial Stability of Vendor SAS 70s The Garland Group
  • 37. Wholesale Payment System Major items in this section include: Large bank-to-bank transactions Proper agreements in place between FIs CHIPS procedures Large Payment System owned by many FIs to transfer large payment orders The Garland Group
  • 38. Other Regulatory Guidance Graham-Leach Bliley Act (GLBA) Sarbanes - Oxley (SOX) Control Objectives for Information and related Technology (CobiT) ISO17799 The Garland Group
  • 39. Preparing for Exam/IT Audit What they going to be needing from you: Help with producing documentation for their examiners/auditors Network Diagrams Password Policy (Active Directory) User Lists Firewall/Router Configs The Garland Group
  • 40. Security Services Penetration Testing Vulnerability Assessments Social Engineering The Garland Group
  • 41. Penetration Testing Required by ‘some’ examiners Testing normally done annually Scan ports and for any major exploits The Garland Group
  • 42. Vulnerability Assessments Testing done internal to the network Scanning for unauthorized access points, mesh networks, exposed/exploited systems Done at least annually The Garland Group
  • 43. Social Engineering Our scope includes: Internet Recon. Dumpster Diving Phone Testing Email Testing In-Person Testing The Garland Group
  • 44. Social Engineering (Cont.) Done at least annually Ensure an adequate sample size for testing Ensure scope is up to today’s standards The Garland Group
  • 45. Common Mistakes in IT Mgmt. Lack of good documentation No BoD/Upper Mgmt. involvement Succession Issues Reactionary Environment Proper Backup Procedures The Garland Group
  • 46. Examiner ‘Requests’ Closed-loop documentation process Board sign-off/approval Annual IT Audits Updated BCPs/BSA risk assessments Penetration tests? The Garland Group
  • 47. Reminders We’re here to help! Don’t jump into new tech. head first Ensure adequate cross-training Document Everything! The Garland Group
  • 48. Thanks for the time. If you have any questions feel free to contact me: Our Blog: http://blog.thegarlandgroup.net Banktastic: http://banktastic.com Brad Garland CEO 972.429.8200 The Garland Group