Posted by: Jeromie Jackson
A panel discussion among NCUA examiners from across the United States provided insight and guidance on focus areas for credit union assessments in 2010. Five topics came up repeatedly across the panel. Below is a summary of the forum along with guidance on how to prepare for each area.
1. Risk Assessment
One of the primary focus areas is the risk assessment. I know many have had risk assessments in the past that missed the mark when it came to a deliverable that works, so risk assessments are often seen as a resource drain rather than a source of value. By prioritizing assets, threats, and the risks that result from them, organizations can align their resources where they matter most. I really like the OCTAVE Allegro and NIST methodologies. The regulators commented on the need to use a risk-based portfolio to determine which controls are prudent to implement to protect the information assets. The risk portfolio is the primary deliverable whenever I conduct these assessments; I generally translate the portfolio into a set of milestones to be targeted over the following year. The examiners mentioned that many organizations' assessments are "becoming stale." I believe much of this can be attributed to the lack of value many have received from their previous engagements.
2. Strategic IT Planning & Board Transparency
IT is a critical element of many organizational strategic plans. When IT is not aligned with the plan, large amounts of resources can be consumed without moving the organization toward its strategic goals. "Transparency" was one of the words I heard from across the regulatory districts. I asked for clarification on what this meant and received a few responses. First, the examiners want to ensure that risks and incidents that have affected, or are affecting, the organization are communicated to the board. If incidents come up and are not appropriately escalated, the board cannot respond appropriately. Documentation showing the value of IT was also mentioned: if IT cannot demonstrate its effectiveness, how can the board determine whether IT is functioning well? The third comment related to dashboards and the idea of a telescope. As risks and incidents move up through the organizational hierarchy, summarization and the removal of technical jargon become necessary. Dashboards provide a way to strip the jargon from the goals and to communicate the quality of IT to non-technical staff and board members.
3. Controls Testing
"Focusing on controls" was a theme of the group. Organizations often conduct penetration tests, vulnerability assessments, and social engineering projects to determine the effectiveness of their information security program. While these assessments are good for the organization, they do not necessarily correlate directly to the risk assessment and the controls identified as prudent for the business. Going back to basics with a risk-based perspective, these point solutions often do not validate that the documented controls are working as intended. The regulators put significant focus on the percentage of documented controls that are actually tested. Security is cyclical and needs to be tested continually; the auditors have seen controls being defined and then not met.
4. Vendor Management
With all the focus on IT optimization, many are looking to leverage third parties to provide IT functionality at a reduced cost. Equally, many vendors provide unique services that must be accessed through an outsourced solution. I have personally found many organizations that were vulnerable to issues a third party had created. Commingling of data, sniffing capabilities, poor-quality IT deployment, and non-comprehensive audits are just a few of the issues I've come across. Vendors generally go through a due-diligence review when first engaging with a credit union, but many do not receive a yearly review afterward. An organization's vendor management procedures will be another of the auditors' focus areas this year.
5. Disaster Recovery & Business Continuity Testing
Disaster recovery and business continuity are critical to the success of organizations under environmental or IT distress. Huge amounts of resources have been devoted to DR/BCP programs, yet many organizations do not test the program to an adequate level. Having a plan that is not tested carries many of the same risks as not having a plan at all. Regulators plan on homing in on the DR/BCP plans of credit unions to ensure not only that the plan is documented but that it is also tested to an appropriate level.
I have been assessing credit unions since 1994 and would love the opportunity to earn YOUR business. Please contact me when you're ready to discuss your organization's information security needs.
Jeromie Jackson- CISSP, CISM
COBIT & ITIL Certified
President- San Diego OWASP
Vice President- San Diego ISACA