Banking today is an inherently risky business. One of the best ways to protect your bank is to identify any security gaps with an internal or an external vulnerability assessment and then work to close those gaps. Here are some of the core questions of a vulnerability assessment you should be able to answer.
1. Are your cybersecurity resources adequate?
In many companies, especially banks, IT personnel are not cybersecurity professionals. For financial institutions, staffing options may be limited by a shortage of available talent or the high cost of hiring full-time security personnel. However, community banks must have a means of reliably managing security around the clock. Part-time staff or personnel who wear many hats – only one of which is security – aren’t enough to combat the covert and targeted threats aimed at community banks. This means having a full-time security officer with technical expertise in the security of desktops, servers, firewalls, networking, applications, and the Internet. A rare find for sure.
Many community banks that don’t have adequate resources in-house partner with a managed security service provider. MSSPs can provide all security services, or work with you to supplement your in-house resources. They can even help conduct vulnerability and risk assessments.
2. Does your methodology meet or exceed regulatory requirements and standards?
As any bank’s leadership team knows, compliance is critical to the business’s viability. An internal or external vulnerability assessment is a great way to identify compliance shortcomings so you can fix them before they become an issue. Compliance enforcement should be a top priority for community banks, and any compliance gaps identified in a vulnerability assessment need to be addressed immediately. In addition to the vulnerability assessment, it’s important to understand where your environment deviates from solid security baselines. You must also understand how the results affect the risk within your institution so that you can align your resources appropriately and address the risks. This underlines the value of a strong partnership with a company that can add perspective and guidance.
3. Are your networks and systems secure?
Networks and systems need to be designed and configured properly to work according to your risk assessment plan and its control objectives. Your methodology should include the testing of the design and the effectiveness of the controls. It should also include regular vulnerability assessments and penetration testing. You need to document your risk treatment plan with clear corrective actions, including well-tested and formalized incident reporting and a breach escalation process.
4. Are privileges for user access granted only to users who have been clearly authorized and on a must-have basis?
Financial institutions often give responsibility for user access privileges to their IT person or team. The problem is that while IT may know who works at the bank, they do not necessarily know who needs particular levels of access. The IT team should provide user access lists to business unit managers – such as loan department leaders and branch managers – who should review all of their users’ access and ensure privileges are granted on a must-have basis. Additionally, users’ access rights need to be reviewed whenever their roles and responsibilities change and when a user leaves the organization.
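The review described under question 4 can be made repeatable with a simple reconciliation: compare what the systems have actually granted against the HR roster and a role-to-entitlement matrix, then hand each business unit manager only the items they must certify or revoke. The following is an added example, not code from the original article or from Peters & Associates; the roster, the entitlement matrix, the account list and the manager mapping are all constructed sample data, and the `security_officer` reviewer is an assumed catch-all for items no business unit owns.

```python
"""Added example: periodic user-access recertification for a community bank.

Three constructed inputs drive the check:
  - ROLE_ENTITLEMENTS: what each business role is allowed to hold (must-have basis)
  - HR_ROSTER: the authoritative list of people, roles, units and employment status
  - SYSTEM_ACCOUNTS: what the core systems have actually granted
Every discrepancy becomes a Finding routed to the manager who owns the user.
"""
from dataclasses import dataclass

# Constructed sample: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "teller":         {"teller_app", "email"},
    "loan_officer":   {"loan_origination", "credit_bureau", "email"},
    "branch_manager": {"teller_app", "loan_origination", "reports", "email"},
    "it_admin":       {"domain_admin", "backup_console", "email"},
}

# Constructed sample HR roster (assumed authoritative source of truth).
HR_ROSTER = {
    "asmith": {"role": "teller",         "unit": "branch_main", "status": "active"},
    "bjones": {"role": "teller",         "unit": "branch_main", "status": "active"},  # moved from loan_officer
    "clee":   {"role": "loan_officer",   "unit": "lending",     "status": "active"},
    "dkhan":  {"role": "loan_officer",   "unit": "lending",     "status": "terminated"},
    "emoore": {"role": "branch_manager", "unit": "branch_main", "status": "active"},
    "fortiz": {"role": "it_admin",       "unit": "it",          "status": "active"},
}

# Constructed sample: which business unit manager certifies each unit's users.
UNIT_MANAGERS = {"branch_main": "emoore", "lending": "gpatel", "it": "hwu"}

# Constructed sample: entitlements as actually granted in the systems.
SYSTEM_ACCOUNTS = {
    "asmith":  {"teller_app", "email"},
    "bjones":  {"teller_app", "email", "loan_origination"},                     # stale after role change
    "clee":    {"loan_origination", "credit_bureau", "email"},
    "dkhan":   {"loan_origination", "email"},                                   # still enabled after departure
    "emoore":  {"teller_app", "loan_origination", "reports", "email"},
    "fortiz":  {"domain_admin", "backup_console", "email", "loan_origination"}, # IT holding a business app
    "svc_old": {"reports"},                                                     # no matching person in HR
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str                # orphan_account | terminated_user | excess_privilege
    entitlements: frozenset  # the entitlements in question
    reviewer: str            # who must certify or revoke


def review_access(roster, accounts, role_entitlements, unit_managers,
                  security_officer="security_officer"):
    """Reconcile granted access against the roster and role matrix."""
    findings = []
    for user, granted in sorted(accounts.items()):
        person = roster.get(user)
        if person is None:
            # Nobody in HR owns this account: route to the security officer.
            findings.append(Finding(user, "orphan_account", frozenset(granted), security_officer))
            continue
        reviewer = unit_managers.get(person["unit"], security_officer)
        if reviewer == user:
            # A manager must not certify their own access; escalate instead.
            reviewer = security_officer
        if person["status"] != "active":
            # Leaver still has live entitlements: everything must go.
            findings.append(Finding(user, "terminated_user", frozenset(granted), reviewer))
            continue
        allowed = role_entitlements.get(person["role"], set())
        excess = set(granted) - allowed
        if excess:
            # Anything beyond the role's must-have set, including leftovers from a previous role.
            findings.append(Finding(user, "excess_privilege", frozenset(excess), reviewer))
    return findings


def certification_packets(findings):
    """Group findings by reviewer, so each manager sees only their own users."""
    packets = {}
    for f in findings:
        packets.setdefault(f.reviewer, []).append(f)
    return packets


if __name__ == "__main__":
    for reviewer, items in certification_packets(
            review_access(HR_ROSTER, SYSTEM_ACCOUNTS, ROLE_ENTITLEMENTS, UNIT_MANAGERS)).items():
        print(f"== certification packet for {reviewer} ==")
        for f in items:
            print(f"  {f.user:8} {f.kind:17} {sorted(f.entitlements)}")
```

Run against the sample data, the check surfaces the four situations the article calls out: an entitlement left over from a role change, an account still enabled after the user left, an IT account holding a business application it has no role-based need for, and an account with no owner in HR at all. In practice the roster and account exports would come from the HR system and the core banking platforms rather than inline literals, and the role matrix is the artifact the business unit managers, not IT, should own and approve.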
Peters &amp; Associates is a family-owned managed service provider that knows the ins and outs of technology and how it relates to your financial institution. We know the answers to the above questions and how to help you and your institution be ready for them. We have a strong, proven bank risk assessment methodology, and we can help you create a bank information security policy that improves your institution’s cybersecurity and makes sense for your business.
To continue strengthening your institution’s security plan, download my free Incident Response Plan (IRP) checklist for community banks.