About Us | Contact Us
View Cart

Interim Framework for Auditing Progress on Supplement

By Dan Hadaway | Wednesday, September 21, 2011 - Leave a Comment

An Interim Audit Framework for the Supplement to the 2005 Authentication Guidance

Since I find myself sending this in e-mails to several of our Clients, I thought it would make a good Dan’s New Leaf post:

The problem:  Between now and your next examination, depending on when that is, you “should be” working on ensuring your bank complies with the Supplement that was released on June 28th 2011 to clarify the Authentication Guidance that was released in October 2005.  But what are you supposed to be doing?  The guidance itself establishes January as the date that “examiners will start guiding banks towards compliance.”

So what actually needs to be done between now and then?

The following is an audit framework that I will be using for banks I audit between now and March of 2012.  It may change as I learn more about the FFIEC’s expectations, especially at the upcoming IT Security Conference on October 12th and 13th.  There will be at least one talk dedicated to the subject, and we’ll also have that examiner panel!!

But, if you have ME coming in to audit you between now and March of 2012, I believe if you see this seven-point plan as the goal post, and have a good explanation as to where you are against this goal post, and you are closer to the 20 yard line than the 50 yard line, you will be in good shape.

 

Seven Point Plan for Compliance with the Supplement to the 2005 Authentication Guidance:

  1. Branchless Banking (or Electronic Banking Policy1): Have you updated your Policy to establish that the bank needs to a) Inventory all Branchless Banking Assets conduct a risk assessment to identify assets (including payment processes, delivery systems, and authentication assets) which require more scrutiny from a risk management perspective?
  2. Asset Prioritization Risk Assessment: Do you have a high-level (system-level) risk assessment on your Branchless Banking Assets to help you prioritize which assets require more scrutiny?  Have you conducted a risk assessment on the primary systems you call “electronic banking” to determine which ones require more scrutiny?
  3. Inventory of your branchless banking assets: Have you inventoried all assets which store bank information outside of the bank?  This would include an inventory of transactions as well as payment processes as well as system.  In other words, you might have Internet Banking on your inventory, but also Billpay and Set Up New Payee.  All three are different assets, even though one is a subset of another which is a subset of another.  The level of detail in your inventory depends upon the results of your Asset Prioritization Risk Assessment (see point 2 above.)
  4. Documentation of Authentication Methods: In that inventory, are you documenting for each asset the type of authentication method being used?  By the way, if the answer for ANY asset is “that depends,” then your asset inventory is not detailed enough.  In other words, if you say “the type of authentication we use for Billpay depends on whether you are setting up a new payee or whether you are just authorizing a payment” then you actually have three assets:  Billpay, Setting up New Payee, Authorizing Payments.  You want your inventory to be that detailed.
  5. Drill-down Risk Assessments: Have you started detailed (drill-down) risk assessments on assets identified in the high-level assessment as high priority?  As an auditor, I will be asking how that’s going and offering suggestions as to how to make sure it is complete and in compliance with the supplement.
  6. Vendor Management: Have you contacted your vendors and service providers?  Compliance?  Projected Timeline?  Good faith effort to be ongoing?  Regular communication on progress.  Do you understand how your Vendor intends to come into compliance with various parts of the supplement?
  7. Customer Awareness Training Strategy: Have you created a strategy, or at least met with your marketing team and/or the appropriate persons in the bank, for how you are going to meet the Customer Awareness and Education requirements of the Supplement.

I hope this “audit framework” provides a little direction for you.  I’d be happy to answer any questions you may have, especially if you’re a Client!

We’ll get through this together!!

Footnote #1:  To understand why I’m using the term “Branchless Banking Assets” instead of “Electronic Banking Assets,” check out this article.)

——————————————-——————————————————————–————————-

Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex

——————————————-——————————————————————–————————-

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”


 

Latest News
    A new study highlights the benefits of looking at your network from the other side… An article review. If you were trying to attack your organization’s network, how would you start?  That’s a question you may not have asked yourself, but experts say it’s something that can help you strengthen your security.  That’s according to […]
    Google Ads, Gitlab and OneDrive have been used to distribute the BATLOADER malware… An article review. We’ve always believed that “watch where you click” has always been good advice when it comes to security online, however Microsoft is tracking the spread of malware that has been using legitimate websites to help facilitate its spread, counting […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]
    Thanks for being interested in our Technology Planning Webinars! The 2022 annual webinar update on technology planning includes a review of the previous years’ movies that are available, as well as alternative tactics that have arisen from recent conferences, forums, and industry experience. Feel free to invite your entire technology committee! Click the Button to […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]
    Microsoft, Cisco and Uber are among the companies hit by this new threat… An article review.  As more organizations adopt multi-factor authentication to help safeguard their systems hackers have adapted, and several major corporations have been among those hit by this new style of attack.  This new technique, called MFA Fatigue or Push Spamming, involves […]
    A Webinar Movie This presentation is intended for those who are planning to participate in an infotex incident response test. Please let us know what questions you have, when we have our Plan Walkthrough and Test Plan Approval meeting!
    What you need to know for compliance coast-to-coast. Back in 2020 we posted an article containing links to data breach laws from each state, and it has proven to be one of our more popular posts.  Because laws surrounding the use (and abuse) of technology are always evolving, we thought it was worth taking another […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]