
IT Insights

Q:  What are most banks doing about the new Reg E requirements?

A:  The answers vary.

Some banks are sending opt-in letters, while others have elected to place all affected customers in an opt-out status (without the option of opt-in). What I have been hearing about most is several banks changing the order in which items are paid: they are processing ATM and point-of-sale items before ACH and checks. This way, if an account becomes overdrawn, the bank has retained the ability to charge overdraft fees on the items for which it is allowed.

Q:  We have maintained our online banking risk assessment for the past seven years. We thought that it was complete, and it had passed exams in the past. Now we have been told to expand it. Where do we begin?

A:  Like all applications with direct customer access, online banking should be looked at from your bank’s perspective and from your customer’s perspective. All transaction processes should be identified and addressed. All security controls need to be documented. One way to make sure that your process is complete is to retrace each control from the bank to the customer and again from the customer to your bank.

This same process holds true for your overall risk assessment. If you can trace each identified risk to a control, and each control back to a process risk, you should be able to account for all of your risks and all of the controls that have been implemented. This will also show where you have a risk that is not substantially covered by any control. The main idea is to make sure that every area of risk for each process is being identified. The more detailed you are in this process, the better your overall information security program will be.
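The two-way retrace described above (risk to control, control back to risk) is easy to automate once the assessment is in a structured form. The following is an added example, not code from the column or from any bank; the process names, risk IDs and control IDs are constructed sample data for an online-banking assessment, and the reported gaps are the ones a reviewer would want surfaced: a risk with no documented control, a control that no risk references, and a mapping that points at a control that does not exist.

```python
"""Risk-to-control traceability check for a process risk assessment (added example).

Constructed sample data: an online-banking (OLB) process with four identified
risks and five documented controls. Real assessments would load these from the
bank's own risk register rather than literals.
"""
from collections import defaultdict

RISKS = {
    "OLB-R1": "Customer credentials captured by phishing",
    "OLB-R2": "Unauthorized funds transfer from an authenticated customer session",
    "OLB-R3": "Bank administrator changes customer limits without approval",
    "OLB-R4": "Customer session intercepted on an untrusted network",
}

CONTROLS = {
    "OLB-C1": "Multi-factor authentication for customer login",
    "OLB-C2": "Out-of-band confirmation for new payees and large transfers",
    "OLB-C3": "Dual approval required for administrator limit changes",
    "OLB-C4": "Quarterly review of administrator activity logs",
    "OLB-C5": "Annual external vulnerability test of the online banking platform",
}

# Direction 1 of the retrace: which documented control(s) address each risk.
# OLB-R4 has none recorded, which is exactly the gap the retrace should expose.
RISK_TO_CONTROLS = {
    "OLB-R1": ["OLB-C1"],
    "OLB-R2": ["OLB-C1", "OLB-C2"],
    "OLB-R3": ["OLB-C3", "OLB-C4"],
    "OLB-R4": [],
}


def trace(risks, controls, risk_to_controls):
    """Walk the mapping both ways and return (uncovered_risks, unmapped_controls, dangling_refs).

    uncovered_risks  : risk IDs with no valid control (direction 1 fails)
    unmapped_controls: control IDs that no risk references (direction 2 fails);
                       either an undocumented risk or a control that is not
                       really tied to this process
    dangling_refs    : (risk_id, control_id) pairs where the control is not in
                       the control inventory, i.e. the documentation is stale
    """
    control_to_risks = defaultdict(list)  # direction 2, rebuilt from direction 1
    dangling = []
    for risk_id in risks:
        for ctrl_id in risk_to_controls.get(risk_id, []):
            if ctrl_id in controls:
                control_to_risks[ctrl_id].append(risk_id)
            else:
                dangling.append((risk_id, ctrl_id))
    uncovered = sorted(
        r for r in risks
        if not any(c in controls for c in risk_to_controls.get(r, []))
    )
    unmapped = sorted(c for c in controls if c not in control_to_risks)
    return uncovered, unmapped, dangling


def report(risks, controls, risk_to_controls):
    """Human-readable summary of the traceability gaps."""
    uncovered, unmapped, dangling = trace(risks, controls, risk_to_controls)
    lines = []
    for r in uncovered:
        lines.append(f"UNCOVERED RISK   {r}: {risks[r]}")
    for c in unmapped:
        lines.append(f"UNMAPPED CONTROL {c}: {controls[c]}")
    for r, c in dangling:
        lines.append(f"STALE REFERENCE  {r} -> {c} (control not in inventory)")
    if not lines:
        lines.append("All risks trace to a control and all controls trace to a risk.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RISKS, CONTROLS, RISK_TO_CONTROLS))
```

Run against the sample data, the report flags OLB-R4 as a risk with no control and OLB-C5 as a control no risk claims. Neither finding means a deficiency by itself; the point of the exercise is that each one now has to be explained in the assessment rather than discovered by an examiner.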

Q:  I have heard a lot about “cloud computing” lately. What does it mean?

A:  In a broad sense, cloud computing refers to any service or system that sits outside of your bank's firewall. You may already use an email filtering service; technically, that is cloud computing. Most often, though, the term refers to shared storage and processing capacity that is rented to you as a service. You pay only for the disk space, processor time, and bandwidth you use, and you access it over the internet or over data communication lines.

Q:  We have our firewall monitored by an outside company for all suspicious activity. Do we still need to have external vulnerability testing conducted?

A:  Yes, you still do.

You will want to test the monitoring company to find out how responsive they are to live, planned threats, and at the same time make sure that the settings on your firewall have not changed. We recommend that an external vulnerability test be scheduled at least once per year, and again whenever you need to confirm that no settings on your firewall have changed.
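The second half of that advice, confirming that firewall settings have not drifted since the last review, can be checked between annual tests without waiting for the tester. Below is an added example, not code from the column or from any monitoring vendor, that compares a saved baseline rule export against a current export, reports rules that were added, removed or reordered (order matters in a first-match firewall), and records a hash of each so the comparison itself can be evidenced. The two rule exports are constructed samples in an iptables-save style; the added rule in the current export is the kind of change a monitoring contract should have caught.

```python
"""Firewall rule-set drift check against a reviewed baseline (added example).

Both exports below are constructed sample data in an iptables-save style. In
practice the baseline is the export saved after the last approved change and
the current export is pulled from the device on a schedule.
"""
import hashlib
import re

BASELINE = """\
# constructed baseline export, saved after the last reviewed change
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
"""

CURRENT = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -j DROP
"""


def normalize_rules(export_text):
    """Return the rules as a list, one per line, with comments and stray whitespace removed.

    Comment stripping is for the sample's '#' lines; real exports rarely carry
    inline comments, and a '#' inside a quoted match string would need a real parser.
    """
    rules = []
    for line in export_text.splitlines():
        line = line.split("#", 1)[0]
        line = re.sub(r"\s+", " ", line).strip()
        if line:
            rules.append(line)
    return rules


def fingerprint(rules):
    """SHA-256 over the normalized rules, suitable for recording in a change log."""
    return hashlib.sha256("\n".join(rules).encode()).hexdigest()


def diff_rules(baseline_text, current_text):
    """Compare two exports and describe the drift."""
    base = normalize_rules(baseline_text)
    cur = normalize_rules(current_text)
    added = [r for r in cur if r not in base]
    removed = [r for r in base if r not in cur]
    # Same rules in a different order is still drift: first match wins.
    reordered = [r for r in base if r in cur] != [r for r in cur if r in base]
    return {
        "added": added,
        "removed": removed,
        "reordered": reordered,
        "baseline_hash": fingerprint(base),
        "current_hash": fingerprint(cur),
    }


def verdict(result):
    """One-word outcome plus detail lines, for a ticket or a monitoring alert."""
    changed = result["added"] or result["removed"] or result["reordered"]
    lines = ["CHANGED" if changed else "UNCHANGED"]
    lines += [f"  + {r}" for r in result["added"]]
    lines += [f"  - {r}" for r in result["removed"]]
    if result["reordered"]:
        lines.append("  ! rule order differs from baseline")
    lines.append(f"  baseline {result['baseline_hash'][:16]}... current {result['current_hash'][:16]}...")
    return "\n".join(lines)


if __name__ == "__main__":
    print(verdict(diff_rules(BASELINE, CURRENT)))
```

The comparison is deliberately textual rather than semantic: the goal is to notice that something changed and to have two hashes to put in front of the monitoring company, not to decide whether the change was a good one.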

Q:  Do regulators look more favorably at us if we outsource our network support to a trusted outside service provider?

A:  Good Question. The right answer is IF.

  • If you have a full understanding of what security levels you have in place on each system.
  • If you document that the level of security that you mandate as a bank is being met by the outside service provider.
  • If the outside service provider can maintain a full log of all system changes that are made to the security of your systems.
  • If you have a good service provider agreement in place that specifies that the service provider will adhere to a level of security equal to or exceeding the bank's policies.

A good service provider will be more than happy to comply with all of your demands and probably suggest even stronger security as new enhancements are released.

Regulators are after the documentation of the security controls that have been implemented to protect your information assets. In many cases, having a service provider that documents all security controls and enhancements is a good thing. It does not, however, replace the bank's responsibility to audit the security controls frequently, which is what documents that policy is actually being followed.