I’ve personally reviewed and/or audited somewhere close to fifty business continuity/disaster recovery (BCP/DR) plans over the past decade.  I’ve also written or edited several of those as well in the past five years since moving into professional services for financial institutions.   Furthermore I’ve participated in roughly a half-dozen tests while still working within the infrastructure during the first part of my career.  Suffice to say I have at least an informed opinion regarding the viability of any such BCP/DR strategies.

Fundamentally there are a few varieties of  BCP/DR plans:  Those that are current and viable, those that convince your examiner that it’s current and viable and those that may have been viable years ago but bear no resemblance to your current business profile.  And beyond those there’s the worst of BCP/DR realities, the non-existent one.  But really in the end what your current state of preparedness comes down to is this – either you’re ready for an event or you’re not.   And in the past forty-eight hours that’s been made abundantly clear in the form of how many of my clients affected by Hurricane Sandy have navigated through what’s now clearly one of the worst weather events in my lifetime.

Around noontime yesterday (October 29, 2012) as weather conditions worsened and major metropolitan areas were literally shutting down for business I started checking up on a few clients.  The first thing I did was visit the website of every client that my practice has assisted with their BCP/DR strategy – each of them had updated their website to announce that branches in the affected areas were closed.  Some had a pop-up window with the update, others had a message displayed in either bright red letters, bold font or both.  As a standard design consideration each of them also had phone numbers clearly displayed and when I called a sampling real people answered and were available to assist me.  I inquired of a few of them where they were physically located and they were all located remotely and not on site in affected areas (much to their credit they were reluctant to share too much information).   The second thing I did was visit the website for a few clients whose BCP/DR plans were tagged during an audit/assessment as either being deficient or missing.  The websites were not updated and in all but one case I only learned that they were closed for the day after calling into a branch (one had an 800 number that was redirected to a real person).

Now I know this wasn’t a very deep or meaningful test of anyone’s ability to continue operations in the event of a disaster.   But what it did prove is that those institutions who had plans that were current and whose management team knew to rely upon had already thought through the little things that make a difference.   Someone knew to update the website, management knew to reroute calls away from unmanned branch locations.  I can only assume that the appropriate parties desginated to do so also contacted their regulators to inform them of their closing and that a phone chain was initiated informing staff thus keeping them off the roads and safe.  And because an important part of the plan creation/update process is both training and testing stakeholders are able to navigate through the decision tree and take appropriate related steps without having to think through it – one of the biggest challenges confronting management during a crisis.  The very best part of having a viable and current plan is that all the thinking has been done in advance and has been reviewed and validated which greatly reduces the chances that something (or someone) will be missed.

Here’s a sanity test:  If you didn’t know exactly where to begin the decision-making process or who to engage you’re in need of a new plan.  And if you did know but can’t be absolutely certain that others would be able to do the same in your absence, you’re in need of a new plan.  One of the rebuttals I’ve heard all too often when identifying a deficient or missing BCP is that management knows what to do should some manner of disaster strike.  That may be true but what happens if key people are unavailable or can’t be reached?

Seriously, when something like Hurricane Sandy occurs it’s the best time to consider how you’re institution would fare when navigating such an event.  Block off an hour within the next week with your key people, pull out your BCP/DR documentation and try and step through how you’d handle things under similar circumstances.  In a very short time you’ll gain a sense of whether or not you’re prepared and if necessary afford you the opportunity to improve.

Trust me on this – you don’t want to be in the middle of a disaster scenario and find out that your plan doesn’t work.

Things are looking up a bit because I have a new favorite regulatory agency to follow, the Consumer Financial Protection Bureau (CFPB).  And here’s why:  They focus on things that impact my day-to-day life (and yours as well).

I started tracking what the CFPB was doing about five months ago by accident.  Someone I know who used to be an examiner for the FRB switched over to the newer agency right at its infancy and I noticed this courtesy of a LinkedIn update.  Because I consider the Fed to be the Big Kahuna of the regulatory agencies I was surprised (you don’t leave the Yankees to sign with an expansion team unless you have to, or so I thought).  Compelled a bit by the update I started poking around the CFPB website.  For the first few months of this year it seemed to have potential but was little more than brochure-ware.  But last month that all changed.

The first CFPB update that caught my attention was labeled 12 CFR Part 1070 and it was all about the protection of consumer data, only with a slight twist.  Basically it was all about how any information they received as part of their field work would be protected exactly the same way that any third party vendor would be required to.  Despite their being a Federal agency they weren’t going to hide behind that as a means to simplify their lives.  They spearheaded an update to the underlying regulation that frames their charter so that consumers and their institutions can be assured that all PII and NPPI would be protected.  For me it was a rare win-win topic; protection of PII and NPPI combined with a reference to vendor management (these are a few of my favorite things).  And really for me it was that much more significant because I’ve known of a few situations where representatives of Federal and State regulatory agencies were responsible for the outright loss of confidential and/or restricted data.  Beyond a slap on the wrist there wasn’t much else done to the offending examiner or their agency.  And the affected institution couldn’t really complain too loudly because it’s always a bad idea to challenge your regulators, even when you’re in the right.  So I thought this was all at once a compelling and remarkably sensible update by a regulator, not something I’d expect to see.  That was the first points on the board for the CFPB.

The second set of points were scored almost on the same day.  I wanted to check one of the details related to the aforementioned update and noticed this one “Consumer Financial Protection Bureau report finds confusion in reverse mortgage market“.  Because I have a parent who is a senior citizen and who I think might one day soon be open to at least exploring a reverse mortgage I read with great interest.  The report was in plain English, was oriented in such a way that I could share it with my family and have them understand the issues and concerns detailed within and most importantly it made sense.  Reverse mortgages are growing in popularity and its main audience is the senior citizens segment of society.  Seniors tend to be  more easily misled, they’re under greater pressures to find new money sources (courtesy of our recession) at a time in their lives where going back to work is often not an option.  And because a parent would do almost anything rather than turn to their children for financial assistance they see a reverse mortgage as a way out of their predicament.  So for me having this content available was quite the relief.  I can caution and advise all day and night but the risks presented by a reverse mortgage are much more credible coming from an authorized source.  And so I celebrated July 4th this year by declaring the CFPB my new FDIC (the Sheila Bair inspired version, not the current blah one).

Here’s my really bizarro advice to any of you with even the slightest interest in regulatory oversight; if you haven’t already done so visit www.cfpb.gov and take a look around.  It’s oriented towards lay people, not just lawyers and regulators (and practitioners like me) and addresses topics and concerns that affect the majority of our population.  Basically it’s what I would expect from a regulator that still has that new agency smell but nothing like I’ve come to know from those that preceded it.  To those who have had a hand in defining its charter and organizing its content, great job!   Now repay my kind words by going out and getting me some juicy enforcement stories to write about.

Of course the truth is much more complicated.  I don’t just focus on computers, my scope expands to include anything that involves sensitive information.  While that always includes a variety of devices it also includes paper-based and people processes as well.  I frequently share stories about the enormous amount of printed content that’s to be found throughout an institutions physical locations.  I occasionally tell stories about how careless people can be when on the phone or in conversation and sharing all manner of sensitive information.  It’s never just about computers, it is however always about information and how it needs to be protected.

Truthfully though what I really do is search for controls that protect information, identify those that I find and try and measure their effectiveness and more importantly identify where controls are missing and work with my clients to remedy that.  At the heart of the regulatory requirements I focus on it’s all about the risk introduced by the presence of information, from personally identifiable (PII) to non-public personally identifiable (NPPI).  Risk: It’s what drives every single project I work on, it’s what drives every product and process I help develop.  And really, if you take the time to read through the literature, it’s what’s behind just about every piece of regulation known to the banking world.  Risk, risk, risk and risk.

One of the reasons I’ve enjoyed spending so much time working with the community banking and credit union sector over the past few years is that it’s a simple enough argument to make with fewer people to convince; everything you do to comply with the regulations should be risk-based.  It doesn’t really make a difference if it’s complicated to do or time consuming, you prioritize based on where they are found and make decisions accordingly.  But that gets much more difficult to do as the institutions grow in size and complexity.  Over the fifteen years I’ve been building and supporting compliance initiatives I’ve worked with Fortune 50′s, 100′s and 500′s and a whole lot of financial institutions that merely read Fortune magazine.  But while their overall size varies widely risk is still risk and that never changes.

I wish more practitioners embraced this simple concept.  While some do, many still don’t.  There’s often a rush to come up with a standard set of decision criteria to drive the work based on factors not necessarily aligned with risk factors.   Those who have worked with or for me will tell you that when presented with questions about which vendors or applications to assess or what to look for when conducting any type of assessment my first line of logic is to try and figure out where the greatest possible exposures to be found.   Assessing a low risk application yields little value  no matter how complete it may be.  And reviewing a vendor where the dollar spend is high but the risk factors are low does little to protect the institution.

Beware the practitioner who wields a hammer for they only know to look for nails.

Your regulator doesn’t want you to blindly implement compliance programs, they want you to identify and manage risks, real risks.  They want to be able to understand the logic and approach being used and find credible evidence that you’re focusing your efforts on the right things.   Go back and read through the library of FFIEC documentation and pay close attention to the hooks inserted throughout where they talk about conducting assessments and talk about using approaches which are appropriate for the size and complexity of your institution.  Then scan through your related program inventory and figure out if you’ve designed things accordingly.  Are they actually protecting your institution from credible threats and risks or are they just filling binders on your compliance officers shelves?

For me, professionally I’d prefer to always only do meaningful work and in the audit and assurance world meaningful is code for risk-based.

That first experience has arguably tainted my opinion of the role played by internal audit for nearly twenty years.  Subsequent to that first encounter I’ve been audited a few more times, assisted clients in preparing for internal audits many times and have had hundreds of interactions either directly or indirectly with a variety of companies internal audit function.  And despite all of this experience and having eventually become an auditor myself I’m not sure I could present a credible argument as to where there’s real value being generated by the process beyond maintaining appearances.

The first problem is that for most companies there’s an unhealthy fear of auditors.  There’s often real concern that if any major issues are uncovered someone’s head will roll.  At the aforementioned Fortune 100 company, it was widely believed that if your group was found to have a material finding (or anything remotely resembling one) the highest ranking person in the group was doomed.  To their credit the company also had a mechanism in place so that if you figured out that you had a problem before anyone else and self-reported it you were allowed appropriate time to remediate.  But that wasn’t always effective enough because most application and business managers weren’t auditors and couldn’t always recognize when a control was either missing or failing and so there was still an enormous amount of work and panic leading up to a scheduled audit.  I remember thinking that the company should remove the threat of termination and encourage both auditor and auditee to work openly and honestly together so that in the end issues were surfaced, defined and repaired.  In the two decades since I’ve worked with and for a few companies who believed they had this healthier sort of dynamic in place between their internal audit department and its business and technology functions but really in the end it’s almost always the same problem.  Internal audit is viewed as an unforgiving and punishing agent and no one ever want them snooping around.

The second problem is that there’s a degree of incompetence found within many internal audit functions.  While conducting my first technical audit back in 1997 (my company was managing an outsourced audit plan) I identified a significant issue with the methodology used to make production changes in a certain database environment.  It resulted in there being virtually no clear or simple way for the DBA to back out a change if it didn’t work.  If a change failed it would require bringing down production for several hours in order to restore things to the previous state.  The first person who challenged my finding was the internal auditor who had audited the same platform for years and didn’t either understand or agree with the finding.  It took me nearly an hour to first educate him as to why the technical issue existed, prove that it did and finally to agree with the associated risks.  He had worked there for years, had never had the chance to see how other companies managed similar infrastructures and was way more concerned with his authority and capabilities being challenged than with the fact that his company had a significant risk to be repaired.  In the time since I’ve met many more people just like that one, auditors who stay at one company for years, fall into bad habits and fail to keep their skills relevant.  They wind up relying too much on the Internet to try and update their knowledge base, don’t have the perspective of understanding how other companies are managing similar challenges and are happy enough to bring out the same whipping stick and a feeling of empowerment to scare the daylights out of internal control owners while conducting their audits.  It results in poorly formed and often irrelevant findings that waste everyone’s time.  I wish I had a ten dollar bill for every instance I knew of where something was being fixed because it was easier to appease the auditor than it was to convince them their finding was flawed or even wrong.

Now I’m not saying all internal auditors are incompetent, they’re not.  I’ve met some brilliant and extremely effective internal auditors along the way.  And in those environments audits weren’t feared because there was a high degree of confidence that if an issue was identified it was something worth knowing about.  But in almost all of those cases the auditors involved had only been with their company for a few years, not decades.

The third problem is that audit needs to be seen as adding value, not creating unnecessary delays or work.  Practically speaking internal audit is playing for the same team as the control owners whose processes they assess.  Their primary goal shouldn’t be to notch as many findings as possible on the board but rather to identify weaknesses and deficiencies so that they can be remediated and help further harden the infrastructure and reduce risks.  I understand the need for the function to maintain independence and separation but only so they can remain objective not so they can operate as if though they’re the ultimate authority on right and wrong and beyond reproach.  If they’re invited to participate early in a project and find issues they should issue interim findings so that small problems don’t become bigger problems further on down the project road.  If you wait for the post-implementation audit to document early stage issues you’re not really helping anyone.  If they abuse being granted access to meetings and documentation long before the audit function is typically engaged the only predictable outcome is that access will be denied until someone forces the issue.  And one more major issue I routinely find with internal audit is that no matter how strong or weak a finding may be, no matter how poorly or strongly worded, no matter how relevant or irrelevant they all too often defend it as if though it’s gospel that’s beyond reproach.  Why is that?  Why can’t the control owner question the finding, demand clarity or try to frame it’s relevancy?  All auditors should feel an obligation to issue a final report which resonates with everyone involved as being accurate and hopefully fair.

Until internal audit is seen as part of the solution, not part of the problem it’s going to remain, well, a problem.  Until control owners gain a sense that by developing a healthy dialogue with their auditors it will only help things and not hurt them it will continue to be a problem.  And until all involved parties working for the company feel as if though they’re working towards a common goal it will remain a problem.

My first thought was that it was just like what drug dealers do – they give you free product until you’re hopelessly addicted and then start making you pay to feed that addiction.  My second thought was that I couldn’t imagine anyone actually wanting to pay for the content.  While it’s better than nothing as a framework it’s not that much better.  I’m sure there are certain pockets in the GRC industry who think that the Shared Assessment is to vendor management what COBIT is to IT governance but I certainly don’t.

Since first encountering the Shared Assessment a few years back I’ve always thought of it as bloated, difficult to effectively apply and all at once redundant and oddly vague.  The very first time I reviewed the content I immediately thought that whoever was behind creating it must be people who get paid by the hour because any attempt at relying on it was going to be major league time consuming.  And of course once I started investigating the companies behind developing the questionnaire(s) I realized I was spot on.  I once commented to a colleague that the questionnaire looked as if though the purpose of the collective assignment was to think of every possible question you might ever want to ask a vendor, throw it into a spreadsheet and then try and organize it after the fact.  If I’ve ever truly liked it in any meaningful way it’s as a reference source when considering questions to include in customized questionnaires and assessment.

The folks running the show have made strides to truly make the questionnaire into a framework with accompanying methodology but in my experiences most companies simply want to leverage the content of the questionnaires and use it how they see fit.  Some have made the effort to dig through the massive pile of questions and whittle it down to something more manageable while others pretty much ship it out as is to their vendors including both the lite and full versions.  As someone whose practice often has to complete due diligence questionnaires I have to tell you that if we needed to fill out even the lite version it might be a deal breaker due to time constraints.

As I alluded to earlier, I think many practitioners who use the Shared Assessment think of it as being something more like COBIT.  I know COBIT and you sir are no COBIT.  It’s really intended to be used by large vendors who provide services to multiple clients as something akin to a SAS 70/SSAE 16 report.  They pay someone to complete it for them and sign off on it and when their customers look for annual proof that they’re properly controlled they can send along a copy of the completed questionnaire with managements approval stamped on the cover.  In theory it’s a good idea but I’d still prefer a proper audit instead.

And it’s heavily geared towards technology vendors and to a lesser extent those who host services.  When you try and use the Shared Assessment for non-technology vendors it becomes that much more difficult to apply and sort of forces your hand into coming up with something else.  Trying to whittle 900+ questions down to something smaller only to discover you need to write a bunch of new questions on top of that has to be something between depressing and outrageous I would think.

What I really don’t understand is why this was even needed to begin with.  My vendor management experience goes back several years and I’ve always been satisfied working with content from existing sources.  I think that when you combine content from COBIT and FFIEC you can adequately  cover what needs to be covered to assess vendors.  I would go so far as to say that most examiners would agree with me based mostly on the fact that there are more than 100 institutions using some version of a vendor management program my practice has designed and they always do well on that front, always.

For those of you who are going to stay the course, cough up the money and continue along with the Shared Assessment I wish you good luck.  I hope you’re able to glean something meaningful from the process and I pray you never wind up working for a vendor that needs to complete one of the resulting questionnaires.

Is it possible that this incredibly important and still developing concept known as GRC can be hijacked and used instead to almost marginalize the sum total of all it’s related parts?  Until this week I would never have even thought of something like this as possible but there it was, right in front of me and a bit of a shock.

There are likely two main drivers behind this disturbing trend: GRC software and the overwhelming volume of compliance-based activities.  So many of the GRC solutions currently on the market tend to be rather broad in their scope.  While most of them are oriented towards one particular point within the GRC spectrum they have all expanded to try and touch on as much as they can justify.  So whereas you have a product that may have been designed to manage policy content it now also offers risk assessment, audit and overarching governance features.  But still what it does best is manage policy content.  The license for the product isn’t cheap and senior management has been sold to some degree on the promise of automating much of the required work via this new and costly solution.  Thus we have the first driver behind the blurring of GRC lines: “We paid a lot for it so we better use the heck out of it”.  And so there’s a slow but steady march through the organization looking for things that can be brought into the fold.  However not everything belongs in every GRC solution because as noted previously, each offering no matter how effective tends to favor one specific location within the GRC spectrum.

But even when you have a solution that’s broad enough to accommodate most of what you need to accomplish there’s the other driver coming into play, massive compliance requirements.  I’ve had clients who don’t even care so much about if what they need to do to comply makes sense for them but will do anything to pass an exam.  And so there’s this mad, Lemming-like dash in a single direction to shoehorn everything and anything into this thing called GRC that might even be remotely related.  There’s little thought put into how best to get the work done with the primary concern being “we have to have something to show the examiner”.  The result is a hodgepodge of seemingly related activities being coordinated under a single function or initiative but with almost zero effort made to try and normalize the workload and gain the efficiency’s that GRC promises.  How thoroughly depressing for us practitioners.

And it’s fantasy to think that once things are setup to be done a certain way they’ll ever change.  Unless an examiner or auditor tells you something needs to change everything stays the same.  So a poorly designed GRC function remains poorly designed forever.  And an unnecessary GRC activity continues because no one typically cares if you’re doing too much, only too little.  It’s almost like people just want to stuff everything remotely related to the discipline into the GRC closet and then make sure guests never open that door.

I know we’re still early in the GRC life cycle (Michael Rasmussen recently noted in an article that it’s been ten years since he first conceived of the acronym and concept) but what if this trend isn’t derailed sometime soon?  What if because of the weak economy (I’m being polite, I should swap “weak” for “horrible”) companies continue to just sweep everything under the GRC rug and don’t exploit the benefits of the concept?

I’m reminded of the old joke about the immigrant who decides he’s going to use his lumberjack skills in the U.S.A. to make a living and invests his life savings in a chainsaw.  After repeatedly failing to achieve any appreciable gains in his productivity he finally returns to the store to find out what’s wrong with the machine.  Once they pull the ripcord and fire it up he jumps back in surprise asking “what’s that noise”.  I have this image in my head of some internal controls manager managing his/her company’s GRC program ten years from now stumbling across an OCEG document, reading it and jumping back in surprise and exclaiming “what a great idea, why aren’t we doing this sort of thing”.  Don’t laugh, I can all but guarantee it’s going to happen at this rate.

But these past four years has allowed me more than ample opportunity to rectify that heretofore unknown blind-spot in my career.  We don’t just sell a solution, we support it and that involves the establishment and maintenance of what can most aptly be classified as a relationship.  While we have a large number of clients we seldom hear from there are some who call us all of the time.  Often it’s to ask about how best to exploit functionality, sometimes it’s because they forgot how to do something (and we advocate calling to ask rather than reading through the user guides) and on more than one occasion it’s because they have an exam looming large on the horizon and they still haven’t quite finished setting everything up.  It’s the latter that has proven to be a revelation.

The entire reason for purchasing a solution is so that you don’t have to first figure out what needs to be done.  If the solution is designed right there should be a series of relatively basic steps that are clearly outlined and once followed have you up and running.  Instead of wasting precious time and effort getting started you can pretty much start focusing on conducting the related work so that everything is kept current.  That’s not to say that it’s easy, only simple.  And because most compliance-based work is spread out over the course of a full year it should never require herculean efforts to maintain.  Our vendor management solution pretty much requires a few hours of setup time then roughly a few hours per week going forward on average.  And when properly supported it works, it actually works the way it’s intended to.

But here’s the problem: Developing or purchasing the right solution to comply with any regulation or mandate is just the very first part of what’s necessary.  You actually have to properly implement and use that solution.  All too often that part is missed.

It’s not just with my current collection of clients but also with those that I’ve provided consultative support to over the years.  I have one client who has somewhere close to $2M in purchased software sitting locked in a file cabinet having never been implemented due to shifting prioritization by management.  Shocking?  Yes but also frustrating because some of the very problems that software was intended to address still existed.  I have another client I conducted a risk assessment for that had multiple solutions that were near identical to each other but were subsequently replaced by something different because as management changed they wanted only those solutions they already knew.  The result was hundreds of thousands of dollars per year being spent on maintenance costs because they needed to keep the data contained in each solution and there was no straight-forward way of extracting from one and merging with another.

Whatever solution you decide to go with from a simple spreadsheet all the way through to a seven-figure software package it makes little difference if nothing happens beyond setting it up.  Our advice to clients is that when they purchase one of our solutions they can often get a one-year pass with their examiners as long as they can actually display the solution and provide a real and credible plan on how they’re going to be using it.  Typically the examiner will give you points for taking a step in the right direction and will allow you the additional time necessary to get it up and running.  But that’s Year One – Year Two you’d better be able to show progress.

It’s why when I’m engaged with any implementation be it one of our own solutions or when I’m serving in a pure consulting role I often caution that it’s a good first step but only the first of many needed to be successful.  Everyone gets sort of caught up in the potential of the project and starts seeing their better selves once it’s fully implemented.  But I’ve witnessed too many projects where after the initial success fades and resources start getting pulled onto newer initiatives momentum is lost and progress stalls.  I was on one business continuity project where they all but had the plan updated to address an examination finding.  I left right before they submitted the BCP for Board of Director approval and found out a year later that although that part had been properly completed they never actually deployed the plan.  Someone in senior management felt that the plan itself would satisfy the examiners and because of resource constraints decided to delay the implementation and training necessary.  Management gambled and they were tattooed by their examiner the following year.  How frustrating is it to know that the hardest part of the project was already done but not enough so to make the finding go away?  It happens all the time.

I understand the pressures in play for most institutions, honestly I do.  Too few resources, too little time and trying to figure out the right balance between running a business and meeting regulatory requirements.  But that doesn’t explain why you’d implement a solution but not maintain it.  And does it ever make business sense to invest in anything but not leverage the benefits associated with that investment?  Besides, who want to be the one standing in front of the CEO explaining that while it’s true that the money was spent to solve the problem the problem still exists?

Seriously, go the distance, finish what was started and then put someone in charge of keeping the thing current.  In the end you’re going to have to anyway so why wait?  Oh, and before you run out and purchase a brand new solution check the file cabinets and make certain you don’t already own one.

Does anyone know why vendor management is such a big issue for banking regulators?  I mean, I’ve long advocated that most of what GLBA covers makes sense and should be part of a healthy business strategy anyway.  But when working with clients I’m often surprised to discover that they just see it as another something they have to do and don’t fully appreciate why that is.  So does anyone know?

One of the basic tenets of GLBA, perhaps the MOST basic goal is to protect customers sensitive data.  Sure you can make the argument that it has hooks into disaster recovery and business continuity planning, both also covered by regulatory requirements.  And you can also claim it has to do with service level agreements and gauging the vendors performance.  But really in the end the primary driver behind why your regulator wants you to do a better job of managing your vendors is to make sure they’re protecting your customers where applicable.  Think about it, it’s so simple it’s almost too simple.

Which is why I’m always amazed how so many institutions fail to not only figure out what they need to do but also never really seem to get where they need to be.  It so often becomes about the document collecting game; do they have a SAS 70?  Do they have an Information Security Program?  Who cares?  That’s not what vendor management is intended to address.  What you’re really supposed to do is step back and assess the nature of the relationship, the types of products and/or services the vendor provides and try and identify where threats to your customers sensitive information may exist.  Vendor management is seldom a thinking exercise but rather an attempt to standardize on what artifacts are required in order to prove compliance with the program.  It blows me away how this important activity gets boiled down to something little better than a baseball card collection.

I offer for example my favorite blind spot in every vendor management program I’ve ever conducted a first ti me review of.  Where’s the information for the vendor who cleans the facilities? It’s almost always contracted out and the vendor who owns the contract is responsible for staffing the work.  Where’s proof that they properly screen the people they’re sending into your allegedly secure facilities to make sure they’re not convicted felons?  Where’s proof that they properly police their crews to make sure they’re not behaving in a reckless manner and perhaps letting their friends and family into your secured facilities to drop off dinner or stop by and say “hello”?  When I challenge the clients on this relationship they look at me like I’m nuts.  Almost all of them fail to even include that particular vendor (and those who do tend to include every single vendor they’ve ever done any business with – another big issue).  But all you’ll ever need to do in order to see why this is a potentially huge threat is to walk around the office after hours and see what’s been left out on desks, in printer and fax queues and examine what sort of documentation has been tossed in with the regular trash.

And because vendor management is never truly approached from the right angle it fails to address the very spirit of the exercise and why the three senators who authored GLBA wanted you to pay more attention to it.  But it really reveals a fundamentally bigger issue with most of the compliance domain – no one really approaches most of the work with a true risk oriented perspective.  Compliance isn’t simply about creating checklists and ticking off all the to-do’s – it’s about really trying to identify relevant risks and make sure your institution has controls in place to manage them properly.  And I know for those of you who read my blog with any regularity you’re thinking I’ve written about this before.   That’s true, I bring this up every chance I get because it’s still a huge issue and those of us who have any practitioners attention need to constantly bang on this particular drum.

This is one of the reasons why whenever I’m given a chance to discuss how any of my clients approaches vendor management I try never to tell them what they need to do but rather try and instead have a conversation about what they think they should be doing.  The back-and-forth often helps them expand on their thinking and come up with better, more effective ways in which they can properly categorize and assess their business relationships.

Oh and as for my “Who cares” comment about collecting documentation, there’s a place for that to be sure.  But when you tell your examiner or auditor that you’re OK because the vendor provided a recent SAS 70 and can’t really discuss any of the details you’ve fallen way short of what you needed to do.  Waving documentation in my face never convinces me you’ve done your job and it absolutely never proves that your customers sensitive information is protected.  Remember, SAS 70′s (and now SSAE 16) are subjective and what each one covers can vary wildly from one to another.  And it absolutely does not prove that they’ve successfully addressed all the items in your checklist either.  One of my favorite cut-through-the-weeds tricks is to pick a single checklist item and ask the person waving the report to show me where that’s addressed in the report.  I’ve met a few who could do it and prove to me they’ve actually read the thing but most just start flipping through pages like a poorly prepared student during an open book exam.

Why is this so hard for so many to do a reasonable job on?

I’m having that kind of month right now where I’ve been learned of one scheme after another to separate people I know personally from their hard earned money.  And much to my chagrin, the schemers are enjoying some measure of success.

Last week I was regaled by a tale of how a senior citizen was stopped on her way to the bank to have a cashiers check drawn for $500.  She needed it because someone contacted her with an offer that was impossible to ignore or turn down.  If she paid for the modest bank fees for a large international wire transfer she could keep a small percentage as a “thank you” gift, a mere $2M (yeah, that’s two million).  The people who contacted her did so because she was recommended as a trusting resource who would be flexible and work with them.  And so the combination of the compliment and the chance to net a nifty seven-figure profit for a simple enough favor was just good enough to make her want to do it.  Fortunately she ran into a friend who happened to ask her where she was off to and when she answered honestly was more or less forcibly snapped back to reality.

Now to be honest with you I was stunned to learn that this scam ever works.  I’ve long advocated to friends and family that they should respond to electronic offers exactly the same way as if though they received it in the mail.  But while we throw out junk mail automatically we’ll read sometimes very cleverly worded emails because they look authentic.  But if you filter all electronic email through the same logic that has taught us to toss mass marketing materials you can cut out much of the clutter.  But what if that email finds someone who is perhaps a little lonely or a little desperate?  What if that email finds someone who is willing to roll the dice that just once what appears to be a scam might be the real thing?  I wouldn’t have thought it possible until last week but sometimes it works.  And when you think about it just a little bit more it’s the perfect scam.  Once a senior citizen falls prey to the trap and comes to realize they’ve been had many will keep it to themselves both because they’re embarrassed and as I’ve come to learn more recently, out of fear that they’ll be labeled as losing their facilities.  And while not all seniors are wealthy a sizable enough percentage have access to $500 easily enough.

Then this week a story was shared with me about how someones identify was stolen but with a twist.  They didn’t try and completely take over the identity but rather borrow it.  The man-in-the-middle attack worked as such: Person A routinely communicates with Person B via email and instant messenger because they’re on opposite sides of the world with a language barrier and about twelve hours separating them.  The electronic communications reduces the impact of the language barriers and allows them to keep in touch outside of the boundaries of a shared work day.  This has proven successful for both Person A and Person B for several years.  Recently Person B asked for special handling of a payment that while unusual within the designs of their business relationship was not otherwise out of the ordinary when dealing with others in the same country – Person A agreed to the request.  After several back-and-forth communications to arrange for the payment which spanned several days Person A sent an email asking Person B to confirm that they finally received the payment.  Person B responded by asking “what payment?”.

Someone had hacked into Person B’s account and was intercepting emails and instant messages and assuming that identity.  They still allowed most communications to pass through but successfully filtered out anything having to do with the payment from Person A.  So Person B had no idea there was something amiss and Person A saw very little outside of  normal communications.  But apparently that one time the hacker must have been off their game and not paying attention and so the two legitimate parties were made aware of the situation.  A long painful phone call ensued and some amateur detective work confirmed their suspicions.  And so a new version of phishing comes into play, one in which the scam is not so apparent or easy to detect.

That’s the thing, while there may be rules to how the scams are being run today those rules are ever changing.  You can’t simply look for one telltale sign that something is amiss because once a trend emerges the hackers change things up.  And while financial institutions and a multitude of agencies are always trying to educate the masses about the perils lurking about it seldom penetrates into peoples way of thinking.  The popular adage about suckers has never been truer only now there are two to the power of X ready to take them.  There are increasing measures available to counter attack some of these scams (e.g. Red Flags – Identity Theft) but by and large they go undetected or unreported.

So here’s the sum total of my PSA: If it seems too good to be true it is.  And if any financial dealing is presented where something is out of the ordinary apply the old audit mantra – trust but verify.

A week went by and I didn’t hear from the client about how the exam was progressing.  Another week went by and despite pinging the CIO a few times I still didn’t hear back from him.  Nearly two weeks after the exam should have concluded I finally received an email from the client and all he had to share was that the examiners hardly asked for any of the things that were missing and only dinged him on a few minor points.  OK, so it’s entirely possible that I overstated how bad things were there and the examiner simply didn’t share my opinion.  That is until I took a big mental step back and thought about it.  They didn’t have a vendor management program (or anything even close to one), they didn’t have a business continuity or disaster recovery plan, they hadn’t done a vulnerability assessment or pen test in more than two years and their firewall allowed me to establish a remote desktop connection on my guest machine while plugged into their network.  How is it possible that anyone with the slightest bit of audit/compliance experience did even the tiniest amount of real fieldwork during the exam?  Sadly it wasn’t an isolated situation.

I’m routinely amazed by how often I encounter financial institutions that have real and significant issues sitting right out in the open and somehow their examiners don’t notice.  And every time it happens I’m left wondering who examines the examiners?

One of the reasons our practice first committed to developing our vendor management software was because of how many of our existing clients were badly in need of a solution.  We almost always found that either they didn’t have something already in place or it was at best partially baked (a spreadsheet does not a vendor management program make).  We reasoned that if we could offer something that was user-friendly and focused on what the regulations required we’d have an anxious and ready market to sell to.  Fast forward three years and while we’ve had a healthy measure of success the number of institutions still needing help with vendor management remains shockingly high.  Why is that?  Because no one is going to spend money on a solution or commit resources to working on something their examiners never seem to care about.  And why is it that examiners don’t seem to care about it?  It’s either because they don’t look for it or they don’t know exactly what to look for.

So here’s my head scratching moment: How can anyone ever pass an IT exam without having a truly viable vendor management program?  How can someone pass an IT exam without a business continuity plan?  How can someone pass an IT exam without providing evidence that their network is secure?

Two years ago we anticipated a spike in services work when the Red Flags regulation from the FTC was due to go into effect – we’re still waiting.  Most of our clients have something in place to show when asked about Red Flags but when pressed to provide evidence of its effectiveness they have little to share.  This was not some obscure requirement that’s been around forever or is ancient or poorly designed or explained – this had awesome marketing material to accompany its launch so that everyone who had to comply clearly knew how to do so.  Everyone was talking about it in the months leading up to the effective date and everyone made sure they were working on some sort of program.  And still there’s little to show for their efforts.  Isn’t anyone paying attention to this fact?

What makes all of this extra frustrating is that there are safeguards in place where exams are audited.  But there are limitations to how much can be covered and if what I suspect is true, they’re not so much focusing on artifacts that are missing but rather on making sure that conclusions formed based on available evidence are solid.  So if the examiner doesn’t collect a current BCP and doesn’t write it up anywhere that it was missing or inadequate no amount of double or triple checking will identify a gap.   And to compound my frustration the blind spots are generally regional in nature.  Some of our clients get hammered on everything and others are barely pressed to provide evidence.  When we take a step back to see if a pattern emerges it does and it’s almost always defined by geography.  How does any of this make sense if all of the examiners are trained using the same methodology?

I don’t think I’m expecting too much from the process.  I’d like to know that if my banks main data center is hit by a meteor they have a plan in place to ensure that I can still access my money and pay my bills.  I’d like to know that my social security number is not being shared with a vendor who subcontracts out their work to a rogue group comprised of known felons.  I’d like to know that the tellers in my local branch aren’t able to cut and paste my account information from their teller software into a Yahoo email on their workstation and send it to an accomplice.  Or in other words, I’d like to know that my bank is compliant with GLBA.  Is that too much to ask?  I don’t think so, I really don’t.