About Us | Contact Us
View Cart

Interim Framework for Auditing Progress on Supplement

By Dan Hadaway | Wednesday, September 21, 2011 - Leave a Comment

An Interim Audit Framework for the Supplement to the 2005 Authentication Guidance

Since I find myself sending this in e-mails to several of our Clients, I thought it would make a good Dan’s New Leaf post:

The problem:  Between now and your next examination, depending on when that is, you “should be” working on ensuring your bank complies with the Supplement that was released on June 28th 2011 to clarify the Authentication Guidance that was released in October 2005.  But what are you supposed to be doing?  The guidance itself establishes January as the date that “examiners will start guiding banks towards compliance.”

So what actually needs to be done between now and then?

The following is an audit framework that I will be using for banks I audit between now and March of 2012.  It may change as I learn more about the FFIEC’s expectations, especially at the upcoming IT Security Conference on October 12th and 13th.  There will be at least one talk dedicated to the subject, and we’ll also have that examiner panel!!

But, if you have ME coming in to audit you between now and March of 2012, I believe if you see this seven-point plan as the goal post, and have a good explanation as to where you are against this goal post, and you are closer to the 20 yard line than the 50 yard line, you will be in good shape.

 

Seven Point Plan for Compliance with the Supplement to the 2005 Authentication Guidance:

  1. Branchless Banking (or Electronic Banking Policy1): Have you updated your Policy to establish that the bank needs to a) Inventory all Branchless Banking Assets conduct a risk assessment to identify assets (including payment processes, delivery systems, and authentication assets) which require more scrutiny from a risk management perspective?
  2. Asset Prioritization Risk Assessment: Do you have a high-level (system-level) risk assessment on your Branchless Banking Assets to help you prioritize which assets require more scrutiny?  Have you conducted a risk assessment on the primary systems you call “electronic banking” to determine which ones require more scrutiny?
  3. Inventory of your branchless banking assets: Have you inventoried all assets which store bank information outside of the bank?  This would include an inventory of transactions as well as payment processes as well as system.  In other words, you might have Internet Banking on your inventory, but also Billpay and Set Up New Payee.  All three are different assets, even though one is a subset of another which is a subset of another.  The level of detail in your inventory depends upon the results of your Asset Prioritization Risk Assessment (see point 2 above.)
  4. Documentation of Authentication Methods: In that inventory, are you documenting for each asset the type of authentication method being used?  By the way, if the answer for ANY asset is “that depends,” then your asset inventory is not detailed enough.  In other words, if you say “the type of authentication we use for Billpay depends on whether you are setting up a new payee or whether you are just authorizing a payment” then you actually have three assets:  Billpay, Setting up New Payee, Authorizing Payments.  You want your inventory to be that detailed.
  5. Drill-down Risk Assessments: Have you started detailed (drill-down) risk assessments on assets identified in the high-level assessment as high priority?  As an auditor, I will be asking how that’s going and offering suggestions as to how to make sure it is complete and in compliance with the supplement.
  6. Vendor Management: Have you contacted your vendors and service providers?  Compliance?  Projected Timeline?  Good faith effort to be ongoing?  Regular communication on progress.  Do you understand how your Vendor intends to come into compliance with various parts of the supplement?
  7. Customer Awareness Training Strategy: Have you created a strategy, or at least met with your marketing team and/or the appropriate persons in the bank, for how you are going to meet the Customer Awareness and Education requirements of the Supplement.

I hope this “audit framework” provides a little direction for you.  I’d be happy to answer any questions you may have, especially if you’re a Client!

We’ll get through this together!!

Footnote #1:  To understand why I’m using the term “Branchless Banking Assets” instead of “Electronic Banking Assets,” check out this article.)

——————————————-——————————————————————–————————-

Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex

——————————————-——————————————————————–————————-

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”


 

Latest News
    Today we present a special BONUS awareness poster for YOUR customers (and users).  This update to the April 2022 Awareness Poster takes some cues from the Dan’s New Leaf article: Why Local? Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the […]
    Awareness is 9/11’s of the battle, if we use it! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . One of my old college buddies hates banks.  He was turned down for a loan a long time ago and just can’t let go.  I actually […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE SERVICE NEWS Dateline: Dayton, IN, June 22, 2022 We are proud to announce that infotex will now be supporting Endpoint Detection and Response (XDR/MDR)! We can manage/monitor solutions you already have or offer one as part of our service while still maintaining a segregated response posture. In recent years […]
    Over 85 percent of surveyed companies report having no  centralized monitoring of networked industrial devices… An article review. If you are involved in IT within your organization, you’re probably aware of the importance of being able to monitor relevant activity from your networked devices, especially if your organization is involved in healthcare, finance, or government.  […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    We always strive to bring you the best content that we possibly can. Your opinion on any content, presentation, service, or anything else you have received from us is important! Please click the button below to let us know how we are doing!  
    What to Expect in an Annual Information Security Report to the Board Webinar-Movie Information security ranks as a top risk to financial institutions, both in terms of likelihood and overall impact. It is important that boards receive annual comprehensive reporting from management about the information security risks and incidents, and the actions taken to address […]
    The Five Precepts of IT Vendor Management Webinar-Movie We’re going back to basics on Vendor Management. This webinar will give you a training tool to help out that new person that is starting to take on the gargantuan task that is Vendor Management.
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    The joint cybersecurity advisory includes the 15 most exploited vulnerabilities reported in 2021… An article review.  While a lot of attention is focused on previously undisclosed or “zero day” attacks, some of the most likely attack vectors are vulnerabilities that have been widely known for weeks or even months.  That’s according to a new joint […]