This is something of an annual post that I’ve been issuing over the years where I bang the proverbial spoon on the proverbial pot trying to warn everyone that there’s work to be done.  I’m not talking about running through the paces to prepare for an exam but rather having work done that ensures the protection of your customer/member information.  I used to work for a company whose primary sales approach was to  tell current and prospective clients that they had to conduct all manner of tests and assessments because of the regulations.  The firm’s angle was that in order to be compliant you “must do this work,” which not coincidentally dovetailed with services we offered.

I always thought that the “because I said so” logic was flawed.  My thinking then and now was that we should educate clients  on why they need to have regular audits and assessments: How scheduling the work at proper intervals and coordinated activities so that they flow naturally into one another greatly reduces their risk of exposure and improves their reputation as a bank or credit union that can be trusted.   But  what if an institution’s basic strategy is to wait until an exam is a week away and then pull long hours and work all weekend to update what’s needing updating?

The regulatory compliance trinity is fairly simple and straightforward at its highest level:  You document your controls and related activities (the infamous policies and procedures collection), periodically assess your risk factors to determine if you need to add or modify those controls and related activities, and then  test the controls to determine if they’re in place and effective.  GLBA at its core is actually that simple and really quite effective.  It’s GRC 101 and there’s no doubt that by complying with its basic tenets you’re doing the right thing to protect your account holders.

And yet you’d be surprised by how many financial institutions routinely reach this point in the calendar year having deferred scheduling much (if not all) of their compliance work.  You can’t go an entire year without having conducted both an audit and a risk assessment.  No business infrastructure goes through a 12-month period without something significant changing, without risk factors emerging that haven’t been present before that need to be managed.  By extending your compliance work to align with your exam cycle, you’re opening up a huge gap through which a truckload of problems is likely going to drive.  Based on the size and complexity of your institution, you can arrange your compliance program so that not everything needs to occur annually.  I’ve worked with clients where their program called for a risk assessment and audit to occur in alternate years and where only the ongoing programs (e.g. vendor management, penetration testing, business continuity planning, etc.) needed to be addressed and validated annually.  And while it’s true that you don’t need to shoehorn everything into a 12-month period, you do need to have a clearly defined plan on how your institution complies with the various regulations.  You simply can’t get two-thirds of the way through the year without having conducted or scheduled any manner of testing or assessments.

We’re about to turn another page on the calendar and enter September.  While you may count that as four months to year-end and think there’s plenty of time to get things done you need to consider that it’s more like three months.  Between the major holidays, the minor holidays and people taking time off as the year winds down you’re going to find it hard to secure resources to conduct the work and even harder to have them complete tasks while people are constantly out of the office.  So with three effective months of working time left in the year, you need to move quickly to come up with a plan.  What are you committed to accomplishing by year end and how are you going to succeed?  Remember, there’s no more obvious red flag to an examiner than finding a pile of documentation where the ink is still wet or the update/completion dates are suspiciously recent.

And don’t come back at me with the logic that it doesn’t clearly state anywhere in GLBA/NCUA regulations that you need to conduct an audit, a risk assessment or any manner of security-based testing.  As I’ve stated here in my blog several times, FFIEC guidance clearly indicates a need to have a recently conducted risk assessment available.  FFIEC guidance also clearly specifies the need to conduct an audit at a frequency appropriate for the size and complexity of an institution.  All you need to do is look at the Master Table of Contents in the FFIEC examination handbooks to see which parts of your infrastructure need to be tested periodically (why do you think the agency authored the handbooks?).  Considering that both the FDIC and NCUA rely on FFIEC guidance to support their examination process, there’s little doubt (actually no doubt) that’s where you need to look to figure out what work to schedule.

Three months to go, what’s your plan?

I clicked on the link and instead of being directed to the desired page was instead routed through to a Websphere Administration panel.

But that’s not even the best part of the story.

After confirming that in fact I was somehow through their firewall security and at some point along the way into their infrastructure,  I decided to be a good citizen and let them know.  I tried calling their customer support department twice and both times, after being routed through some crazy series of automated menus, wound up being treated as someone who was simply having trouble accessing his online account.  One customer support representative had no clue what I was describing to them and the other one seemed to grasp what I was saying conceptually but didn’t have a page in his playbook to manage the call and so he defaulted to trying to help me pay my bill.

The funny thing is that once I navigated from their homepage through to the payment page it worked just fine, but if I selected the bookmark it deposited me right back at Websphere Central.  And as of 30 seconds ago it still does.

Now I know that bashing the local cable company is a popular thing to do and has fast become one of our nation’s favorite pastimes.  But I’m not so much picking on them as I’m amazed that they have such an obvious flaw in their network security.  My firm conducts basic penetration tests all the time and this is the sort of thing that would be flagged without much of an effort.  Why haven’t they found it yet?  And if I’ve found it entirely by chance what about the hackers who go hunting for these sort of things?  Or have they discovered it and are currently feeding large while it remains available?

It’s amazing any of us are ever willing to conduct business online, when you get right down to it.