Posted by: David Schneier
Audit, bcp, compliance, general controls, GLBA, NCUA, regulatory, Regulatory Compliance, risk, risk assessment, Security
My practice recently wrapped up an engagement in which we conducted a tabletop test of a client’s business continuity plan. As always with such exercises, it’s interesting to find out how much distance exists between what’s documented in an institution’s policy/program and how business is actually conducted. In this particular case, it turned out that the client’s responses tracked fairly closely to what was specified in their plan. But what was interesting was that most of their answers were extemporaneous; they barely referenced the plan itself and instead were relying on common sense. This raises the question: What’s the practical value of a policy or procedure if no one relies on it?
Everyone that participated in the test knew the nature of the exercise. Almost everyone had recently been involved in the rewrite of their current plan. In total there were approximately a dozen participants spread out over multiple test scenarios and of all of them, only one showed up with a printed copy of the plan. In what can best be described as an open book exam, only one person thought to bring the book along.
It’s like when I’m conducting an ITGC audit and ask for the institution’s password policy in order to determine whether its systems are actually configured in compliance with it. You’d think that would be about as basic a control as possible, right? You write down that the minimum password length is X and the reset frequency is Y and then you configure each applicable system accordingly. This may be the purest example of low-hanging fruit in the compliance domain, and yet you’d be amazed by how many times I find significant disconnects between what’s documented and what’s done. When you consider how much effort goes into first creating and then maintaining the broad library of documentation all financial institutions have, it’s sort of a breathtaking waste of time. It makes you think that for the most part, the only time anyone ever references anything is when someone external to the company asks for it.
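The password-policy check above is simple enough to automate: capture what each system enforces and diff it against the written policy. This is an added illustration, not something from the post; the documented values and the sample system output (in the style of Windows `net accounts`) are constructed for the example.

```python
"""Compare a documented password policy with what a system actually enforces."""

# Documented policy: constructed sample values, not any real institution's.
DOCUMENTED_POLICY = {"min_length": 12, "max_age_days": 90,
                     "history": 10, "lockout_threshold": 5}

# Labels as printed by `net accounts`, mapped to the policy keys above.
NET_ACCOUNTS_LABELS = {
    "Minimum password length": "min_length",
    "Maximum password age (days)": "max_age_days",
    "Length of password history maintained": "history",
    "Lockout threshold": "lockout_threshold",
}

# Controls where 0 means "disabled" and a larger value is weaker than a smaller one.
CEILING_KEYS = {"max_age_days", "lockout_threshold"}

# Constructed sample output resembling `net accounts` on a never-hardened server.
SAMPLE_OUTPUT = """\
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                None
Lockout threshold:                                    Never
Computer role:                                        SERVER
"""


def parse_net_accounts(text):
    """Return {policy_key: int}. Non-numeric values ("Unlimited", "None",
    "Never") mean the control is effectively disabled and are recorded as 0."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = NET_ACCOUNTS_LABELS.get(label.strip())
        if not sep or key is None:
            continue  # unknown label or no "label: value" shape
        value = value.strip()
        settings[key] = int(value) if value.isdigit() else 0
    return settings


def find_disconnects(documented, observed):
    """List (control, required, actual) for every control weaker than the policy."""
    findings = []
    for key, required in documented.items():
        actual = observed.get(key)
        if actual is None:
            findings.append((key, required, "not reported"))
        elif key in CEILING_KEYS and (actual == 0 or actual > required):
            findings.append((key, required, actual))
        elif key not in CEILING_KEYS and actual < required:
            findings.append((key, required, actual))
    return findings
```

Run `find_disconnects(DOCUMENTED_POLICY, parse_net_accounts(SAMPLE_OUTPUT))` for each captured system and every non-empty result is a documented-versus-configured gap to raise with the institution.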
This is why when conducting a risk assessment I always throw a question into each interview asking if the person knows what the related documented policy states. Do you know what the BCP directs you to do if you cannot safely access your office location? What do you do according to your Red Flags program if you receive a suspicious phone call about a customer account? If someone tries to access a secured area of your facility what should you do, who should you contact according to your incident response plan? Care to guess how many times the reply is somewhere along the lines of “I have no clue”? But every bank and credit union has these artifacts in place; why is it that no one either knows to use them or knows that they’re even there?
If a policy exists on the intranet but no one knows that it’s there, or how or when to use it, does it really serve a purpose? And if a policy exists on the intranet but no one ever tests to measure its effectiveness, do they need to have it at all? Until we as an industry find a more reliable method of assessing the viability of an institution’s documentation and connecting it to actual activities, we’re falling far short of realizing its true potential. And in a time of unprecedented financial stress, can anyone really afford to waste even a single dollar on something for nothing?