FFIEC Regulatory Training


    FFIEC Regulatory Training - Presentation Transcript

    1. Garland Group University
       - A regulatory perspective
       - Brad Garland, CEO, The Garland Group

    2. What are we doing here?
       - Where FIs & IT meet
       - Regulators & what they do
       - Technology Controls Review Process
       - Goal: provide better service to your clients

    3. Introductions
       - Name
       - Position
       - Tenure at CalTech
       - Previous experience

    4. The Garland Group
       - Compliance, Security & Web Services firm
       - Founded in 1981
       - Based out of Dallas, Texas
       - Over 75 clients

    5. Our Services
       - FFIEC Technology Audits
       - Risk Assessments
       - Penetration Testing / Vulnerability Assessments
       - Social Engineering
       - Bank Core System Selections

    6. Sizing up a Financial Institution
       - < $25 Million - Small Community Bank: start-up or de novo status; a couple of branches; no IT staff
       - $25 - $250 Million - Midsize Community Bank: normally still a local footprint; 1-10 branches; maybe 1 IT person

    7. Sizing up a Financial Institution
       - $250 Million - $1 Billion - Medium Bank: more regional; 5-15 branches; maybe 1-2 IT staff
       - > $1 Billion - Large Bank: may cross state lines; lots of branches; normally dedicated IT staff

    8. FI Infrastructures
       - What's out there?
       - What kind of support do these systems get? Internal/External?
       - Where do we fit in?

    9. Infrastructures
       - Windows, Novell, Unix, Mac and hybrid environments
       - Fat clients or thin clients?
       - Communications: T1, Hub/Spoke, MPLS, VoIP
       - Security
       - Development shops

    10. Infrastructures
       - How do you help to support: Check/Item Processing, E-Banking / Websites, Document Imaging, Merchant Capture, Mobile Payments

    11. Core Processors

    12. Core Processors
       - Run on a variety of mainframe-like systems: AS/400, Unix, Linux

    13. Core Processors
       - What does a core processor do?
       - In-house or outsourced install?
       - Who supports it? User Mgmt., Updates/Patches, Backups
       - Regulatory hurdles

    14. Core from an Audit Perspective
       - User lists: not just from an application level
       - Who controls 'root'? QSECOFR?
       - Who monitors system-level changes? ALLOBJ authority? Access logs?

    15. What's the best setup for a bank?
       - Which 'Core'?
       - In-house/Outsourced?
       - Fat/Thin clients?
       - T1s / MPLS?
       - Dedicated IT staff?
       - Development?

    16. The Regulatory Agencies
       - Federal Reserve
       - 'The State'
       - FDIC
       - OCC
       - OTS
       - NCUA

    17. Who Regulates Whom?
       - FDIC - State chartered banks
       - OCC - Nationally chartered banks
       - OTS - Savings banks
       - NCUA - Credit unions

    18. Our Technology Controls Review Process
       - Review of all booklets of the FFIEC
       - Generate 'Recommendations' based on gaps
       - Bank Mgmt. responds
       - Final Report: Executive Summary, FFIEC Report, IT Risk Assessment

    19. FFIEC
       - Federal Financial Institutions Examination Council
       - Formal interagency council
       - Consists of all regulatory bodies
       - Creates guidance for topics such as: Mortgages, Bank Secrecy Act/AML, Info. Technology

    20. FFIEC IT Exam Handbooks
       - 12 booklets
       - Does not just cover IT
       - 2001 edition replaced the previous 1996 version
       - All have been updated since 2003 or later
       - Ongoing development

    21. FFIEC Handbooks
       - Audit
       - Management
       - Business Continuity Planning
       - Operations
       - Outsourcing Technology Services
       - Development & Acquisition
       - E-Banking
       - Retail Payment Systems
       - FedLine
       - Supervision of Technology Service Providers
       - Information Security
       - Wholesale Payment Systems

    22. Audit
       Major items in this section are:
       - Audit schedule
       - Audit Committee minutes
       - Risk assessments conducted
       - Proper audit follow-up
       - Interim IT audit work

    23. Management
       Major items in this section are:
       - Reviewing BoD / IT Steering minutes
       - Policy/Procedure approvals by BoD
       - Succession planning
       - Strategic planning
       - IT budgeting
       - Contract/Insurance review

    24. Board Reporting
       - Most FIs have an IT Steering Committee and an Audit Committee
       - These committees should drive functions and make decisions
       - They are also the vessel for reporting to the Board on the status of the bank
       - You may be asked to participate in these committees
       - The Board has ultimate responsibility for everything within the bank

    25. IT Steering Committee
       - Approve major vendors (core providers, IT support, etc.)
       - Approve major purchases, usually over a set dollar limit
       - Review logs and reports from the network
       - Approve IT audits, penetration tests, vulnerability scans
       - Sometimes serves as a project management committee

    26. Audit Committee
       - Review all audit reports from IT, BSA, Teller, Regulators, etc.
       - Approve audit frequencies, scopes and methodologies
       - Usually all Board members are on the committee
       - Approves audit vendors

    27. Business Continuity Plan
       Major items in this section include:
       - Review of BCP/DR plan
       - Backup procedures
       - Shutdown procedures
       - Offsite storage
       - DR agreements & testing

    28. Operations
       Major items in this section include:
       - Item processing workflow process: In-house/Outsourced? Branch/Teller capture?
       - Daily run sheets
       - Physical security
       - Training
       - Courier agreements

    29. Development & Acquisition
       Major items in this section include:
       - D&A policy/procedures
       - Project management methodology
       - Change management
       - Source code escrow agreements
       - Programming methodology
       - Development meeting minutes

    30. Outsourcing IT Services
       - Vendor management
       - Updated contracts with each vendor
       - GLBA wording in contracts
       - Proper 'due diligence' performed on critical vendors

    31. E-Banking
       Major items in this section include:
       - Policy/Procedures
       - Security reports: What's reviewed? Who sees it?
       - Website change management
       - Proper privacy statements & logos on website

    32. Retail Payment Systems
       Major items in this section include:
       - ATM balancing / reconciliation processes
       - Agreements for 3rd-party ATM vendors
       - ACH policy/procedures
       - Review ACH originators & agreements
       - Submitting ACH payments (via Web or FedAdvantage)

    33. FedLine/FedAdvantage
       Major items in this section include:
       - Proper control of users who access the Fed system
       - Segregated duties / Enter & Verify
       - How they receive wire requests
       - Approval / callback procedures

    34. Information Security
       Major items in this section include:
       - Information Security Program
       - User administration rules
       - Password policy
       - System policy
       - Screensaver policy

    35. Information Security (Cont.)
       - Network diagram - up to date?
       - Recent security testing / breaches
       - Security monitoring
       - Hardware/software inventory & licenses
       - Use of laptops? Secured? How?
       - Remote access: what logs are kept?
       - Wireless

    36. Technology Service Provider
       Major items in this section include:
       - Review of vendor agreements
       - Any major planned projects/development?
       - Financial stability of vendor
       - SAS 70s

    37. Wholesale Payment System
       Major items in this section include:
       - Large bank-to-bank transactions
       - Proper agreements in place between FIs
       - CHIPS procedures: a large payment system owned by many FIs to transfer large payment orders

    38. Other Regulatory Guidance
       - Gramm-Leach-Bliley Act (GLBA)
       - Sarbanes-Oxley (SOX)
       - Control Objectives for Information and related Technology (CobiT)
       - ISO 17799

    39. Preparing for Exam/IT Audit
       What they're going to need from you: help with producing documentation for their examiners/auditors, such as:
       - Network diagrams
       - Password policy (Active Directory)
       - User lists
       - Firewall/router configs

    40. Security Services
       - Penetration Testing
       - Vulnerability Assessments
       - Social Engineering

    41. Penetration Testing
       - Required by 'some' examiners
       - Testing normally done annually
       - Scan ports and for any major exploits

    42. Vulnerability Assessments
       - Testing done internal to the network
       - Scanning for unauthorized access points, mesh networks, exposed/exploited systems
       - Done at least annually

    43. Social Engineering
       Our scope includes:
       - Internet recon.
       - Dumpster diving
       - Phone testing
       - Email testing
       - In-person testing

    44. Social Engineering (Cont.)
       - Done at least annually
       - Ensure an adequate sample size for testing
       - Ensure scope is up to today's standards

    45. Common Mistakes in IT Mgmt.
       - Lack of good documentation
       - No BoD/upper mgmt. involvement
       - Succession issues
       - Reactionary environment
       - Proper backup procedures

    46. Examiner 'Requests'
       - Closed-loop documentation process
       - Board sign-off/approval
       - Annual IT audits
       - Updated BCPs/BSA risk assessments
       - Penetration tests?

    47. Reminders
       - We're here to help!
       - Don't jump into new tech. head first
       - Ensure adequate cross-training
       - Document everything!

    48. Thanks for the time. If you have any questions, feel free to contact me:
       - Our Blog: http://blog.thegarlandgroup.net
       - Banktastic: http://banktastic.com
       - Brad Garland, CEO, The Garland Group, 972.429.8200

    Brad Garland, 2 years ago
