Protect Your Institution While Meeting Examiner Expectations
“Cybercrime is relentless, undiminished, and unlikely to stop.” This dire statement from the 2018 McAfee Economic Impact of Cybercrime report cannot be ignored. The study, conducted in association with the Center for Strategic and International Studies (CSIS), estimates that cybercrime now costs the global economy approximately $600 billion.
Financial regulators are worried about this reality and the danger it poses to the safety and soundness of the financial system. Even though institutions have long perfected the art of securing physical cash, they are not nearly as expert at protecting their information and data.
As a result, examiners want proof that financial institutions are closing that security gap, and for them, the proof lies in the existence and efficacy of information technology (IT) policies. Given the high stakes for their organizations, institutional boards should be pressing for the same proof.
Examiner Expected IT Policies
According to ITSP Magazine, “financial services firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries.” Its research also shows that they pay more per breached record than other businesses—$336 versus $225. This explains why federal regulators are increasing their focus on IT policies.
Financial institutions are required to have a written Information Security (IS) policy, which Techopedia describes as "a set of policies issued by an organization to ensure that all information technology users within the domain of the organization or its networks comply with rules and guidelines related to the security of the information stored digitally at any point in the network or within the organization’s boundaries of authority.”
Through individual policies or those included in their IS policy, institutions need to address these IT particulars:
- Acceptable Use: How and when systems and information can be used.
- Antivirus/Anti-Malware: Virus and maleware prevention measures and methods.
- Asset Management: The appropriate acquisition, tracking and disposal of hardware and software.
- Backup: When, where and how systems should be backed up and restored.
- Business Continuity: How the institution would continue operating in a disruptive event.
- Bring Your Own Device (BYOD): Institutional use and support of personal devices.
- Change Control: Planning, approving and implementing technology changes.
- Clean Desk: How employees should leave their work space when absent from it.
- Disaster Recovery: How systems and operations will be recovered after a disruptive event.
- Email: Appropriate use of electronic communications.
- Encryption: Acceptable encryption technologies and how they are used.
- Firewall: How inbound and outbound network traffic are handled by your firewall.
- Incident Response and Reporting: How and who deals with the fallout from a cyberattack.
- Log Management: Log level usage, reviewing, reporting and storage requirements.
- New Technologies: Rules for evaluating and implementing technologies into an IT environment.
- Password: Standards for password strength and change frequency.
- Patch Management: Patching frequency, reviews and determining how vulnerabilities are discovered and remediated.
- Remote Access: Standards for remote access to the network systems, including authentication.
- Vendor Management: The inventory, risk assessment and monitoring of all vendors.
- Wireless: Acceptable use of wireless networking for employees and guests.
- Removable Media: Use of readable and writable media, i.e., flash drives, CDs and DVDs.
8 Tips for Improving Your IT Policies
Improving your IT policies is a daunting task for institutions, especially those with limited resources. However, it is a necessary in order to protect your institution from cyberattacks and to be better prepared for your next IT exam. Institutions should determine if they’ve addressed the above IT areas with policy documentation and whether those policies are effective. Once you’ve inventoried your policy library, tackle the process of improving specific policies with these tips:
1. Prioritize Policy Writing by Risk
Including Information Security, there are 22 policy areas outlined above. Instead of getting overwhelmed by the sheer volume, start your policy assessment with the areas that pose the greatest risk to your institution. Conduct a business impact analysis to rank them all by level of risk. Use the top five risk areas as your starting point. If you don’t currently have a written policy for any of your top five, write those policies first. Then review existing policies for the remaining top five. Whether writing or updating a policy, make sure it is relevant and specific to your current and emerging environment using the additional tips below.
2. Grab the Low-Hanging Fruit
Several of these policy areas present quick and easy wins. A Clean Desk Policy (CDP) is a perfect example. Although all institutions should have one, it does not need to be long or complicated. TechTarget sums it up as follows: “Most CDPs require employees to clear their desks of all papers at the end of the day.” This could be a one paragraph contract that employees sign at onboarding and annually thereafter. Another example: if you don’t allow employees to use their own personal devices for work purposes, your BYOD policy can simply be a short statement to that effect. Acceptable Use and Removable Media are further examples of relatively simple policies to implement.
3. Use Policy Templates
Federal regulators do not expect or require you to write policies from scratch. Take full advantage of the policy templates available online. For example, the SANS Institute provides many samples, such as its Email Policy Template. The Center of Internet Security (CIS) is another useful policy resource. Just make sure that you customize such templates to fit your specific situation and risk profile.
4. Develop Practical and Testable Policies
After defining a policy as “an overall statement of the institution’s philosophy or intent,” the Federal Financial Institutions Examination Council’s (FFIEC) Management IT Booklet specifies that policies be “clearly written.” This is to ensure that employees can follow them and institutions can test them. When writing or updating an IT policy, keep these writing rules in mind:
- Simple is more effective than complicated.
- Keep it as short but complete as possible.
- Always keep the end user in mind.
- Write so the least technical person can understand it.
- Spell out both do’s and don’ts for employees.
5. Set Policy Review Expectations for Employees
Policy education with employees should occur during the new hire process and on a routine basis thereafter, with high-risk area training occurring at more frequent intervals. Policy training needs to be more robust than passing out the document and asking employees to sign it. Make sure to emphasize the purpose of the policy, explain employee roles in fulfilling it and point out any changes to the policy or environment since the last policy update. And don’t forget to educate contractors or others who have access to sensitive information or systems. They need to be held accountable to your policies, too.
6. Give Your Vendors Appropriate Weight
Many institutions use third-party service providers to conduct various IT and IS functions, in which case those vendors may use their expertise to help develop, test or enforce policies. Just remember that your board of directors is ultimately responsibility for all institutional policies and operations in the eyes of examiners.
7. Create a Process for Routinely Updating Basic Things
As you inventory your policy library, take note of the policies that contain basic information that may change more frequently than the principles of the policy. This could include phone numbers, other contact information or task assignments. If this information is not kept up to date, it could impede your institution’s ability to effectively carry out its policy, especially in the case of Business Continuity or Incident Response. Set up a process for updating this basic information on a more frequent basis than your annual policy review, and make sure those updates are available to all staff.
8. Use a Rolling Policy Review Schedule
There is no requirement that all annual policy reviews be done at the same time. Instead, spread it out over the course of the year with a rolling policy review schedule. Each month, review and update one in-depth policy (i.e. Business Continuity or Asset Management) and one easy policy (i.e., CPD or BYOD), and this will be a much more manageable process.
Business or Compliance Motivation?
Institutions that view these tasks only through the lens of regulatory compliance are missing the point. Yes, examiners will expect you to have a robust library of IT policies, and exams will go much better for institutions that can prove that. However, the bigger takeaway is protecting your institution from the ever-increasing number of cyberattacks and the evolving methods used by its perpetrators.
As the McAfee/CSIS report notes, “banks remain the favorite target of skilled cybercriminals,” and “cybercrime imposes a heavy cost on financial institutions as they struggle to combat fraud and outright theft.” Your IT policies are not just a box to check; they are a vital part of your cybersecurity program, helping your institution minimize the financial costs and reputational risks posed by cybercrime.
Are you looking for more tips and best practices to protect your institution from cybercriminals? Read our Broaden Your Cybersecurity Mindset white paper to learn more.
Rachael has over 9 years of experience in advising financial firms. Prior to joining CSI, she worked with some of the largest hedge funds and private equity funds in New York City as an IT and cybersecurity consultant. In her current role at CSI, she lends her expertise to community banks, helping them maximize their technology investments and increase security while reducing their operational burdens.