FFIEC Regulatory Training

Garland Group University
A regulatory perspective

Brad Garland
CEO
The Garland Group
What are we doing here?
  Where FIs & IT meet
  Regulators & what they do
  Technology Controls Review process
  Goal: Provide better service to your clients

Introductions
  Name
  Position
  Tenure at CalTech
  Previous experience

The Garland Group
  Compliance, Security & Web Services firm
  Founded in 1981
  Based out of Dallas, Texas
  Over 75 clients

Our Services
  FFIEC Technology Audits
  Risk Assessments
  Penetration Testing / Vulnerability Assessments
  Social Engineering
  Bank Core System Selections
Sizing up a Financial Institution (by total assets)
  < $25 Million - Small Community Bank
     Start-up or de novo status
     Couple of branches
     No IT staff
  $25 - $250 Million - Midsize Community Bank
     Normally still a local footprint
     1-10 branches
     Maybe 1 IT person
  $250 Million - $1 Billion - Medium Bank
     More regional
     5-15 branches
     Maybe 1-2 IT staff
  > $1 Billion - Large Bank
     May cross state lines
     Lots of branches
     Normally dedicated IT staff
FI Infrastructures
  What’s out there?
  What kind of support do these systems get? Internal/External?
  Where do we fit in?

Infrastructures
  Windows, Novell, Unix, Mac and hybrid environments
  Fat clients or thin clients?
  Communications
     T1
     Hub/Spoke
     MPLS
     VoIP
  Security
  Development shops

Infrastructures
  How do you help to support:
     Check/Item Processing
     E-Banking / Websites
     Document Imaging
     Merchant Capture
     Mobile Payments
Core Processors
  Run on a variety of mainframe-like systems
     AS/400 (IBM i)
     Unix
     Linux

Core Processors
  What does a core processor do?
  In-house or outsourced install?
  Who supports it?
     User management
     Updates/Patches
     Backups
     Regulatory hurdles
Core from an Audit perspective
  User lists
     Not just from the application level: the operating-system accounts underneath it as well
     Who controls ‘root’ (Unix/Linux) or QSECOFR (the IBM i security officer profile)?
  Who monitors...
     System-level changes?
     *ALLOBJ special authority (IBM i profiles that can access every object on the system)?
     Access logs?
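The user-list review above is easy to describe and tedious to do by hand. The following is an added example, not code from the deck or from The Garland Group, of the checks an auditor runs over an OS-level user export from a core system host: who holds *ALLOBJ or *SECADM, whether QSECOFR is enabled, which profiles are dormant, and whose password never expires. The CSV column names, the 90-day dormancy threshold and the profiles in the sample export are all assumptions constructed for the example (they are not IBM's actual outfile field names); map the columns from your own export.

```python
"""
Privileged-account review of a core-system user-list export.

Added example (not from the original deck): reviews an OS-level user export
such as one built from IBM i user profiles and flags what an examiner asks
about: who holds *ALLOBJ/*SECADM, whether QSECOFR is enabled, and dormant or
never-expiring accounts. Column names below are an assumed, simplified
layout, not IBM's real outfile fields.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export: profiles, authorities and dates are made up.
SAMPLE_EXPORT = """\
user,status,user_class,special_authorities,last_signon,password_expiration_interval
QSECOFR,*ENABLED,*SECOFR,*ALLOBJ *SECADM *AUDIT *IOSYSCFG *JOBCTL *SAVSYS *SERVICE *SPLCTL,2009-03-12,*NOMAX
QSYSOPR,*ENABLED,*SYSOPR,*JOBCTL *SAVSYS,2009-03-14,*SYSVAL
CORESVC,*ENABLED,*USER,*ALLOBJ,2009-03-14,*NOMAX
JSMITH,*ENABLED,*USER,,2009-03-14,*SYSVAL
BJONES,*ENABLED,*USER,*SECADM,2008-09-01,*SYSVAL
TEMPVEND,*DISABLED,*USER,*ALLOBJ,2007-11-20,*NOMAX
"""

DORMANT_DAYS = 90                      # assumption: the institution's policy threshold
POWERFUL = {"*ALLOBJ", "*SECADM"}      # authorities that bypass application-level controls
DATE_FMT = "%Y-%m-%d"


def parse_export(text):
    """Parse the CSV export into dicts, turning the authority column into a set."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["special_authorities"] = set(row["special_authorities"].split())
        row["last_signon"] = datetime.strptime(row["last_signon"], DATE_FMT).date()
        rows.append(row)
    return rows


def allobj_holders(rows):
    """Enabled profiles with *ALLOBJ: the list examiners ask for first."""
    return sorted(r["user"] for r in rows
                  if r["status"] == "*ENABLED" and "*ALLOBJ" in r["special_authorities"])


def review_users(rows, as_of, dormant_days=DORMANT_DAYS):
    """Return sorted (user, finding) tuples for the audit workpaper."""
    findings = []
    for r in rows:
        user = r["user"]
        enabled = r["status"] == "*ENABLED"
        powerful = r["special_authorities"] & POWERFUL
        idle_days = (as_of - r["last_signon"]).days
        if powerful and not enabled:
            # Stale vendor/temporary access: not live risk, but should not linger.
            findings.append((user, "disabled profile still holds "
                             + " ".join(sorted(powerful)) + "; delete or strip"))
            continue
        if user == "QSECOFR" and enabled:
            findings.append((user, "security officer profile enabled; document who "
                                   "holds its password and how its use is monitored"))
        if powerful and user != "QSECOFR":
            findings.append((user, "holds " + " ".join(sorted(powerful))
                             + "; confirm business need and change monitoring"))
        if idle_days > dormant_days:
            findings.append((user, f"dormant: no sign-on in {idle_days} days"))
        if r["password_expiration_interval"] == "*NOMAX":
            findings.append((user, "password never expires (*NOMAX)"))
    return sorted(findings)


if __name__ == "__main__":
    users = parse_export(SAMPLE_EXPORT)
    print("*ALLOBJ holders:", allobj_holders(users))
    for user, finding in review_users(users, as_of=date(2009, 3, 15)):
        print(f"{user:10} {finding}")
```

The review deliberately reads special authorities rather than user class: on IBM i the class only sets defaults, and a profile of class *USER can still carry *ALLOBJ, which is exactly the case (CORESVC above) that an application-level user list never shows.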
What’s the best setup for a bank?
  Which ‘Core’?
  In-house/Outsourced?
  Fat/Thin clients?
  T1s / MPLS?
  Dedicated IT staff?
  Development?

The Regulatory Agencies
  Federal Reserve
  ‘The State’ (the state banking department)
  FDIC
  OCC
  OTS
  NCUA

Who Regulates Whom?
  FDIC - State-chartered banks that are not Federal Reserve members (state member banks are supervised by the Federal Reserve; every state-chartered bank is also examined by its state regulator)
  OCC - Nationally chartered banks
  OTS - Savings banks and thrifts (the OTS was abolished in 2011 and its functions moved to the OCC, FDIC and Federal Reserve)
  NCUA - Credit unions
Our Technology Controls Review Process
  Review of all booklets of the FFIEC IT Examination Handbook
  Generate ‘Recommendations’ based off of the gaps found
  Bank management responds
  Final report
     Executive Summary
     FFIEC Report
     IT Risk Assessment

FFIEC - Federal Financial Institutions Examination Council
  Formal interagency council
  Consists of the federal financial regulators listed above, plus a State Liaison Committee
  Creates guidance for topics such as:
     Mortgages
     Bank Secrecy Act/AML
     Information Technology

FFIEC IT Examination Handbooks
  12 booklets
  Does not just cover IT
  2001 edition replaced the previous 1996 version
  All have been updated in 2003 or later
  Ongoing development

FFIEC Handbooks
  Audit
  Business Continuity Planning
  Development & Acquisition
  E-Banking
  FedLine
  Information Security
  Management
  Operations
  Outsourcing Technology Services
  Retail Payment Systems
  Supervision of Technology Service Providers
  Wholesale Payment Systems
Audit
  Major items in this section are:
     Audit schedule
     Audit Committee minutes
     Risk assessments conducted
     Proper audit follow-up
     Interim IT audit work

Management
  Major items in this section are:
     Reviewing BoD / IT Steering minutes
     Policy/Procedure approvals by the BoD
     Succession planning
     Strategic planning
     IT budgeting
     Contract/Insurance review

Board Reporting
  Most FIs have an IT Steering Committee and an Audit Committee
     These committees should drive functions and make decisions
     They are also the vessel for reporting to the Board on the status of the bank
  You may be asked to participate in these committees
  The Board has ultimate responsibility for everything within the bank

IT Steering Committee
  Approve major vendors (core providers, IT support, etc.)
  Approve major purchases, usually over a set dollar limit
  Review logs and reports from the network
  Approve IT audits, penetration tests, vulnerability scans
  Sometimes serves as a project management committee

Audit Committee
  Review all audit reports from IT, BSA, Teller, Regulators, etc.
  Approve audit frequencies, scopes and methodologies
  Usually all Board members are on the committee
  Approves audit vendors
Business Continuity Plan
  Major items in this section include:
     Review of BCP/DR plan
     Backup procedures
     Shutdown procedures
     Offsite storage
     DR agreements & testing

Operations
  Major items in this section include:
     Item Processing workflow process
        In-house/Outsourced?
        Branch/Teller Capture?
     Daily run sheets
     Physical security
     Training
     Courier agreements

Development & Acquisition
  Major items in this section include:
     D&A policy/procedures
     Project management methodology
     Change management
     Source code escrow agreements
     Programming methodology
     Development meeting minutes

Outsourcing IT Services
  Vendor management
  Updated contracts with each vendor
  GLBA wording in contracts
  Proper ‘due diligence’ performed on critical vendors

E-Banking
  Major items in this section include:
     Policy/Procedures
     Security reports / What’s reviewed? Who sees it?
     Website change management
     Proper privacy statements & logos on the website

Retail Payment Systems
  Major items in this section include:
     ATM balancing / reconciliation processes
     Agreements for 3rd-party ATM vendors
     ACH policy/procedures
     Review ACH originators & agreements
     Submitting ACH payments (via Web or FedAdvantage)
FedLine/FedAdvantage
  Major items in this section include:
     Proper control of users who access the Fed system
     Segregated duties / Enter & Verify
     How they receive wire requests
     Approval / Callback procedures
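The three controls on this slide (enter/verify segregation, approval and callback) are the ones examiners test by walking a wire through the process. The following is an added example, not code from the deck or from The Garland Group, that models those controls as a small state machine so the rejects are explicit: the verifier must be a different entitled user than the enterer, a callback is required for requests that arrive by phone, fax or e-mail or that exceed a threshold, and the callback only counts if it went to the number on file rather than a number supplied in the request. The role names, the $10,000 threshold, the customer file and the entitlements are assumptions constructed for the example.

```python
"""
Dual control for outgoing wire requests (enter / verify / callback).

Added example, not from the original deck. One operator enters the wire, a
different operator verifies it, and for requests that arrive by phone, fax or
e-mail (or exceed a threshold) a callback to the customer's number on file
must be logged before release. Threshold, roles and data are assumed.
"""
from dataclasses import dataclass
from decimal import Decimal

CALLBACK_THRESHOLD = Decimal("10000")       # assumption: policy threshold
REMOTE_CHANNELS = {"phone", "fax", "email"}  # requests not made in person

# Constructed customer file: the callback number must come from here,
# never from the wire request itself (whoever sent the request controls that).
CUSTOMER_PHONE_ON_FILE = {"ACCT-1001": "+1-555-0100", "ACCT-2002": "+1-555-0200"}

# Constructed entitlements: who may enter and who may verify.
ENTITLEMENTS = {
    "alice": {"enter"},
    "bob": {"enter", "verify"},
    "carol": {"verify"},
}


class ControlError(Exception):
    """Raised when a step would violate the dual-control policy."""


@dataclass
class WireRequest:
    request_id: str
    account: str
    amount: Decimal
    beneficiary: str
    channel: str
    entered_by: str = ""
    verified_by: str = ""
    callback_to: str = ""
    callback_by: str = ""
    released: bool = False


def _require(user, action):
    if action not in ENTITLEMENTS.get(user, set()):
        raise ControlError(f"{user} is not entitled to {action}")


def enter_wire(req, user):
    _require(user, "enter")
    req.entered_by = user
    return req


def verify_wire(req, user):
    """Second-person verification: a different, entitled operator."""
    _require(user, "verify")
    if not req.entered_by:
        raise ControlError("wire has not been entered")
    if user == req.entered_by:
        raise ControlError("entry and verification must be done by different users")
    req.verified_by = user
    return req


def callback_required(req):
    return req.channel in REMOTE_CHANNELS or req.amount >= CALLBACK_THRESHOLD


def record_callback(req, user, number_dialed):
    """Callback counts only if it went to the number on file for the account."""
    on_file = CUSTOMER_PHONE_ON_FILE.get(req.account)
    if number_dialed != on_file:
        raise ControlError(f"callback must use the number on file ({on_file})")
    req.callback_to, req.callback_by = number_dialed, user
    return req


def release_wire(req):
    """Final gate: every required control must be evidenced before release."""
    if not (req.entered_by and req.verified_by):
        raise ControlError("wire lacks entry and/or verification")
    if callback_required(req) and not req.callback_by:
        raise ControlError("callback required but not recorded")
    req.released = True
    return req


def violates(step, *args):
    """True if the step is rejected by the policy (used to show the rejects)."""
    try:
        step(*args)
    except ControlError:
        return True
    return False


if __name__ == "__main__":
    req = WireRequest("W1", "ACCT-1001", Decimal("25000"), "Vendor LLC", "fax")
    enter_wire(req, "alice")
    print("alice verifying her own entry rejected:", violates(verify_wire, req, "alice"))
    verify_wire(req, "bob")
    print("release without callback rejected:", violates(release_wire, req))
    record_callback(req, "carol", CUSTOMER_PHONE_ON_FILE[req.account])
    print("released:", release_wire(req).released)
```

The number-on-file check is the part most often missing in practice: a faxed or e-mailed wire request that supplies its own "call me at" number defeats the callback entirely, so the control has to be anchored to data the bank already holds.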
Information Security
  Major items in this section include:
     Information Security Program
        User administration rules
        Password policy
        System policy
        Screensaver policy

Information Security - Cont.
     Network diagram - up to date?
     Recent security testing / breaches
     Security monitoring
     Hardware/Software inventory & licenses
     Use of laptops? Secured? How?
     Remote access
     What logs are kept?
     Wireless

Technology Service Provider
  Major items in this section include:
     Review of vendor agreements
     Any major planned projects/development?
     Financial stability of the vendor
     SAS 70 reports (since replaced by SOC 1 / SOC 2 reports)

Wholesale Payment System
  Major items in this section include:
     Large bank-to-bank transactions
     Proper agreements in place between FIs
     CHIPS procedures
        CHIPS (Clearing House Interbank Payments System) is a large-value payment system owned by its participating banks for transferring large payment orders

Other Regulatory Guidance
  Gramm-Leach-Bliley Act (GLBA)
  Sarbanes-Oxley (SOX)
  Control Objectives for Information and related Technology (COBIT)
  ISO 17799 (since renumbered ISO/IEC 27002)

Preparing for Exam/IT Audit
  What they are going to need from you:
     Help producing documentation for their examiners/auditors
     Network diagrams
     Password policy (Active Directory)
     User lists
     Firewall/Router configs
Security Services
  Penetration Testing
  Vulnerability Assessments
  Social Engineering

Penetration Testing
  Required by ‘some’ examiners
  Testing normally done annually
  Port scanning and testing for any major exploitable vulnerabilities

Vulnerability Assessments
  Testing done internal to the network
  Scanning for unauthorized access points, mesh networks, and exposed/exploited systems
  Done at least annually

Social Engineering
  Our scope includes:
     Internet reconnaissance
     Dumpster diving
     Phone testing
     Email testing
     In-person testing

Social Engineering (Cont.)
  Done at least annually
  Ensure an adequate sample size for testing
  Ensure scope is up to today’s standards
Common Mistakes in IT Mgmt.
  Lack of good documentation
  No BoD / upper management involvement
  Succession issues
  Reactionary environment
  Lack of proper backup procedures

Examiner ‘Requests’
  Closed-loop documentation process
  Board sign-off/approval
  Annual IT audits
  Updated BCPs / BSA risk assessments
  Penetration tests?

Reminders
  We’re here to help!
  Don’t jump into new tech. head first
  Ensure adequate cross-training
  Document everything!

Thanks for the time.
  If you have any questions feel free to contact me:
  Our Blog: http://blog.thegarlandgroup.net
  Banktastic: http://banktastic.com
  Brad Garland, CEO, 972.429.8200