Posted by: David Schneier
Tags: assessment, BCP, business continuity plan, GLBA, NCUA, NCUA Part 748, regulations audit, regulatory, regulatory compliance, risk, risk assessment, vendor management
I remember conducting a risk assessment a few years back for a credit union in which they were missing just about every artifact necessary to prove compliance with NCUA Part 748 (if you're not already aware, that's GLBA for credit unions). It was, for lack of a better term, a complete disaster. Halfway through the fieldwork, armed with the knowledge that they had an exam kicking off the following week, I switched from risk assessment to disaster planning. I explained to the newly minted CIO (who had never participated in an exam before) that the best strategy at that point was to focus on a remediation plan. Detail the work that needs to be done, build out a schedule for when that work will occur, and rather than try to cover up the all too obvious lack of programs and procedures, throw yourself on the mercy of the examiner(s) and be honest. I figured he was a new guy trying to do all the right things, and as long as he displayed an awareness of what complying required and had a plan to get there, he'd be given a narrow window of opportunity to fix the problem.
A week went by and I didn't hear from the client about how the exam was progressing. Another week went by and, despite pinging the CIO a few times, I still didn't hear back from him. Nearly two weeks after the exam should have concluded I finally received an email from the client, and all he had to share was that the examiners hardly asked for any of the things that were missing and only dinged him on a few minor points. OK, so it's entirely possible that I overstated how bad things were there and the examiner simply didn't share my opinion. That is, until I took a big mental step back and thought about it. They didn't have a vendor management program (or anything even close to one), they didn't have a business continuity or disaster recovery plan, they hadn't done a vulnerability assessment or pen test in more than two years, and their firewall allowed me to establish a remote desktop connection on my guest machine while plugged into their network. How is it possible that anyone with the slightest bit of audit/compliance experience did even the tiniest amount of real fieldwork during the exam? Sadly, it wasn't an isolated situation.
I’m routinely amazed by how often I encounter financial institutions that have real and significant issues sitting right out in the open and somehow their examiners don’t notice. And every time it happens I’m left wondering who examines the examiners?
One of the reasons our practice first committed to developing our vendor management software was because of how many of our existing clients were badly in need of a solution. We almost always found that either they didn't have something already in place or it was at best partially baked (a spreadsheet does not a vendor management program make). We reasoned that if we could offer something that was user-friendly and focused on what the regulations required, we'd have an anxious and ready market to sell to. Fast forward three years, and while we've had a healthy measure of success, the number of institutions still needing help with vendor management remains shockingly high. Why is that? Because no one is going to spend money on a solution or commit resources to working on something their examiners never seem to care about. And why is it that examiners don't seem to care about it? It's either because they don't look for it or they don't know exactly what to look for.
So here’s my head scratching moment: How can anyone ever pass an IT exam without having a truly viable vendor management program? How can someone pass an IT exam without a business continuity plan? How can someone pass an IT exam without providing evidence that their network is secure?
Two years ago we anticipated a spike in services work when the Red Flags regulation from the FTC was due to go into effect – we're still waiting. Most of our clients have something in place to show when asked about Red Flags, but when pressed to provide evidence of its effectiveness they have little to share. This was not some obscure requirement that's been around forever, or is ancient, or poorly designed or explained – this had awesome marketing material to accompany its launch so that everyone who had to comply clearly knew how to do so. Everyone was talking about it in the months leading up to the effective date, and everyone made sure they were working on some sort of program. And still there's little to show for their efforts. Isn't anyone paying attention to this fact?
What makes all of this extra frustrating is that there are safeguards in place where exams are audited. But there are limitations to how much can be covered, and if what I suspect is true, they're not so much focusing on artifacts that are missing but rather on making sure that conclusions formed based on available evidence are solid. So if the examiner doesn't collect a current BCP and doesn't write up anywhere that it was missing or inadequate, no amount of double or triple checking will identify a gap. And to compound my frustration, the blind spots are generally regional in nature. Some of our clients get hammered on everything and others are barely pressed to provide evidence. When we take a step back to see if a pattern emerges, it does, and it's almost always defined by geography. How does any of this make sense if all of the examiners are trained using the same methodology?
I don't think I'm expecting too much from the process. I'd like to know that if my bank's main data center is hit by a meteor, they have a plan in place to ensure that I can still access my money and pay my bills. I'd like to know that my social security number is not being shared with a vendor who subcontracts out their work to a rogue group comprised of known felons. I'd like to know that the tellers in my local branch aren't able to cut and paste my account information from their teller software into a Yahoo email on their workstation and send it to an accomplice. Or, in other words, I'd like to know that my bank is compliant with GLBA. Is that too much to ask? I don't think so, I really don't.