Posted by: David Schneier
Summer at home officially ended this morning as my children returned to school. Beyond the fact that I consider it cruel and inhuman punishment to resume academic activities before Labor Day, it also serves as a wake-up call that we’re well past mid-year on the traditional calendar and eyeing the home stretch for 2010; before we know it we’ll be moving into Q4. So why is that on my mind today? Because I’m mindful of all those institutions that have yet to address their obligations specific to GLBA and NCUA regulations.
This is something of an annual post that I’ve been issuing over the years where I bang the proverbial spoon on the proverbial pot trying to warn everyone that there’s work to be done. I’m not talking about running through the paces to prepare for an exam but rather having work done that ensures the protection of your customer/member information. I used to work for a company whose primary sales approach was to tell current and prospective clients that they had to conduct all manner of tests and assessments because of the regulations. The firm’s angle was that in order to be compliant you “must do this work,” which not coincidentally dovetailed with services we offered.
I always thought that the “because I said so” logic was flawed. My thinking then and now is that we should educate clients on why they need regular audits and assessments: scheduling the work at proper intervals and coordinating the activities so that they flow naturally into one another greatly reduces their risk of exposure and improves their reputation as a bank or credit union that can be trusted. But what if an institution’s basic strategy is to wait until an exam is a week away and then pull long hours and work all weekend to update whatever needs updating?
The regulatory compliance trinity is fairly simple and straightforward at its highest level: You document your controls and related activities (the infamous policies and procedures collection), periodically assess your risk factors to determine if you need to add or modify those controls and related activities, and then test the controls to determine if they’re in place and effective. GLBA at its core is actually that simple and really quite effective. It’s GRC 101 and there’s no doubt that by complying with its basic tenets you’re doing the right thing to protect your account holders.
And yet you’d be surprised by how many financial institutions routinely reach this point in the calendar year having deferred scheduling much (if not all) of their compliance work. You can’t go an entire year without having conducted both an audit and a risk assessment. No business infrastructure goes through a 12-month period without something significant changing, without risk factors emerging that haven’t been present before and that need to be managed. By stretching your compliance work to align with your exam cycle, you’re opening up a huge gap through which a truckload of problems is likely going to drive. Depending on the size and complexity of your institution, you can arrange your compliance program so that not everything needs to occur annually. I’ve worked with clients whose program called for a risk assessment and audit to occur in alternate years, where only the ongoing programs (e.g. vendor management, penetration testing, business continuity planning, etc.) needed to be addressed and validated annually. And while it’s true that you don’t need to shoehorn everything into a 12-month period, you do need to have a clearly defined plan for how your institution complies with the various regulations. You simply can’t get two-thirds of the way through the year without having conducted or scheduled any manner of testing or assessments.
We’re about to turn another page on the calendar and enter September. While you may count that as four months to year-end and think there’s plenty of time to get things done, you need to consider that it’s more like three months. Between the major holidays, the minor holidays and people taking time off as the year winds down, you’re going to find it hard to secure resources to conduct the work and even harder to have them complete tasks while people are constantly out of the office. So with three effective months of working time left in the year, you need to move quickly to come up with a plan. What are you committed to accomplishing by year end, and how are you going to succeed? Remember, there’s no more obvious red flag to an examiner than finding a pile of documentation where the ink is still wet or the update/completion dates are suspiciously recent.
And don’t come back at me with the logic that it doesn’t clearly state anywhere in GLBA/NCUA regulations that you need to conduct an audit, a risk assessment or any manner of security-based testing. As I’ve stated here in my blog several times, FFIEC guidance clearly indicates a need to have a recently conducted risk assessment available. FFIEC guidance also clearly specifies the need to conduct an audit at a frequency appropriate for the size and complexity of an institution. All you need to do is look at the Master Table of Contents in the FFIEC examination handbooks to see which parts of your infrastructure need to be tested periodically (why do you think the agency authored the handbooks?). Considering that both the FDIC and NCUA rely on FFIEC guidance to support their examination process, there’s little doubt (actually no doubt) that’s where you need to look to figure out what work to schedule.
Three months to go, what’s your plan?