External Network Vulnerability Assessment
Banks are required to have penetration testing performed to evaluate the security of their external network by simulating the activities of an intruder. The testing process involves the development of an inventory and a thorough, hands-on analysis of external network vulnerabilities, carried out from the mindset of an intruder. The testing involves the formulation of a penetration plan and a rigorous analysis of each security vulnerability discovered. The list of validated security issues discovered is reported to the bank together with an assessment of their impact on overall risk. The Board-approvable report provided will detail the descriptions of the security issues along with recommendations for their mitigation. Recommendations are based on industry best practices and regulation.
- Discovery: We validate the bank’s external IP address and research information available about the bank and the IP address.
- Penetration Testing: We locate, inventory, and meticulously analyze all external network vulnerabilities, then formulate likely penetration scenarios and perform a rigorous interrogation of each security vulnerability discovered. The list of validated security issues is reported to the bank with an assessment of their impact on overall risk.
- DNS Testing: We carefully test the general configuration of zones and connections to the parent domain.
- Email Testing: We perform this analysis to determine whether the bank’s email service is vulnerable to email spoofing.
- Report Deliverable: An accurate, detailed and Board-approvable report outlining the findings of each step will be produced and presented to the bank.
Information Security Assessments and Audit
The overall objective of the MBA Information Security Assessment is to measure your bank’s information security compliance with GLBA (Gramm-Leach-Bliley Act) 501B “Assess Risk,” proportionate to the bank’s size and level of sophistication. The assessment includes a rigorous audit of security controls and an evaluation of your information management processes, such as system backups, to ensure critical information is organized and protected in the event of a system failure.
Conclusions of this assessment will be based on sufficiency of policy, procedures, customer information systems and other means used to control information security risks. The following means are employed to collect information during the assessment process: onsite inspections, policy review, staff interviews, network tools and internal testing guided by best practices and regulation. The final report provides an assessment of the bank’s current information security state and detailed recommendations to improve the bank’s current information security program. The following are the assessment’s focus areas:
- Information security controls audit
- Internal network review with an emphasis on network topology and continuity
- Comprehensive internal assessment of all of the bank’s information assets. The assessment report will include a grid that summarizes the risk associated with each of the bank’s information assets. An Information Asset is an archive that holds confidential information, or a system that stores, uses, or delivers it. Internal assessment results will be benchmarked against both the bank’s information security policy and industry best practices. The assessment will include the assets from the following groups:
  - Core system
  - Workstations and servers
  - Network operating system
  - Network hardware
  - Correspondent banking services
  - Applications and platforms
  - Permissions and passwords to access confidential information
  - Patch management
  - Virus protection
  - Electronic mail
  - Modems and remote access to the bank’s private network
  - Connections to outside vendor networks (credit bureaus, ATMs, etc.)
  - Physical security (limited to information technology)
  - Confidential document handling
Internal Vulnerability Assessment
Internal vulnerability testing is a vital part of your information security program testing. The MBA Compliance Group will catalogue and analyze network vulnerabilities or security concerns, which often stem from system configuration errors or failure to patch operating systems. We perform vulnerability research from within the bank’s network for a more in-depth examination of the bank’s internal systems. We differentiate our offering by performing comprehensive assessments at each bank location. The list of validated security issues discovered will be reported to the bank together with an assessment of their impact on overall risk. The Board-approvable report provided will detail the descriptions of the security issues along with recommendations for their mitigation.
Social Engineering Assessment
It is important to test how well bank employees adhere to information security policies. We can help you answer the question: How easily can my staff be manipulated or tricked into divulging sensitive information such as passwords or customer information? The MBA Compliance Group evaluates the security of the bank’s sensitive information and, specifically, the amount and level of information that may be released to us through phone calls, email, visits and other means. We will document whether critical information can be obtained by these means and evaluate the test results’ impact on the bank’s overall security.
Technology Strategic Planning
The MBA Consulting Group’s Strategic Technology Plan is designed to be a technology road map that corresponds with each bank client’s mission, values, operating principles, and risk tolerance. The strategic technology plan’s purpose is to enable the bank’s management to respond appropriately to technological, industry and regulatory changes. We begin by facilitating stakeholder meetings, conducting interviews and studying the bank-wide strategic plans. We also perform audits, site inspections, research, and price negotiation as part of the service. The end result is a comprehensive technology strategic plan that includes a step-by-step, clearly written action plan. We have developed a time-tested system to allow us to deliver the service at a reasonable price.
Originally developed as an IT Risk Assessment Tool, TRAC™ has evolved into a full-fledged Information Security Software Suite! Say goodbye to the era of working long days on tedious projects, studying regulation, and walking down an unguided path! With TRAC™, a bank can easily conduct numerous tasks and produce customized results that align with regulation, best practice, and, of course, your institution’s strategic goals!
Here are a few quick high-points:
TRAC™ separates its features into the following “Modules” to allow an à la carte package to be built specifically for your institution:
- Automated IT Risk Management: Create a valuable Risk Assessment in a fraction of the time.
- Policy Creation: It’s the 21st century, why would you start from scratch?
- Policy Management: Ever forgotten to update a policy? Never again!
- Recommendation Tracking: No more excuses to not shine during your next exam!
- Business Continuity Plan Creation: Quick, thorough, and manageable; need we say more?
- BSA Risk Management: Determine the risk of your services, save time and money.
- Third Party Management: Ask all the right questions, tailored to the vendor.
- Commercial Account Risk: Risk Assess and educate your accounts, prove to your customers you care!
TRAC™ is sold and supported by MBA staff to ensure that your bank’s needs are being met.
- Information Technology
Everything needed to perform an IT Risk Assessment, create documentation surrounding your environment, and make technical topics simple and painless.
- Information Security
Look at your information security processes from a high level, and see your institution as an Examiner would see it. In addition, create and manage all of your policies by taking advantage of our email notification system.
Perform an internal audit on your institution utilizing the provided frameworks, or simply stick with what you’ve been using, in an automated, streamlined process. TRAC™ will help you generate beautiful reports in seconds that management will love!
- Third Party Management
Whether you’re looking to review your existing vendors or begin working with a new one, TRAC™ will guide you through the process.
- Bank Secrecy Act
Built from the requirements of the Bank Secrecy Act, this module will risk assess your products and services and create easy-to-use reports for everyone to benefit from.
- Action Tracking
Tired of a low CAMELS rating? This module may be just what your institution needs, guiding you along the paths suggested by Examiners and Auditors.
- Commercial Accounts
Designed to help you combat commercial account breaches, this module will help you educate your accounts and keep money where it belongs.
- Business Continuity Plan
Quickly and easily create a Business Continuity Plan built on the foundation of a Business Impact Analysis.
- Enterprise Risk Management
Adequately compare the risk of one area of the institution to another, such as comparing lending to marketing.
Products to Help with Bank IT and Compliance Needs
Far more than software, Ncontracts is a web-based contract and vendor management solution that allows banks to monitor and assess FDIC vendor risk ratings and respond quickly and confidently to regulator inquiries and examiners’ audit demands. Ncontracts combines full-service implementation with a professional contract management application that provides banks and financial institutions with insightful summaries of their contracts, alert notifications, and robust compliance tools and services. Together, these features allow banks to reduce expenses, enhance profitability, and improve internal efficiencies. Ncontracts is the ONLY solution to feature a two-tiered paralegal document review and implementation for maximum integrity and data accuracy.
“Vendor and contract management is important to our banks and is a focus area for the banking regulators, so we are pleased to partner with Ncontracts, which provides banks a high quality, cost-effective solution,” said Joe Witt, president/CEO of the Minnesota Bankers Association. “After thoroughly evaluating this solution, our team has concluded that Ncontracts is exactly what our banks need,” he said.
For many years banks have ensured that their computer systems have strong anti-fraud defenses. Computer hackers know that fact, so they have begun attempting to hack into bank customers’ computer systems instead. One scam involves using malware to take over a business’s computer and capture keystroke patterns. Once the malware has captured the business’s banking passwords, the criminal initiates a fraudulent wire transfer. Because the request looks legitimate, the bank processes the transaction. The bank customer and the bank realize that the transaction was fraudulent only after it is too late. The eBankSafe product offered by Total Networx helps protect the bank customer and the bank from this type of fraudulent transaction.
“Keeping one step ahead of the fraudsters is difficult,” said Joe Witt, president/CEO of the MBA. “After thoroughly evaluating this solution, our team has concluded that eBankSafe provides an important additional layer of security for banks and their commercial customers,” he said.
The eBankSafe product line includes:
- Secure Computing Environment
- Security Threat Alerts
- Educational mailers
- Deployment and Usage Reports for FFIEC exams
Ongoing Technology Guidance
Bankers are concerned with the difficulty in retaining a strong IT staff, as well as the difficulty in keeping up to date with technology trends. Some bankers get the majority of their IT guidance from vendors with products to sell. The MBA has developed a quarterly retainer program with the purpose of stepping into the role of CIO in your bank, short-term or long-term. Aspects of this program include:
- Providing impartial IT management to member banks for a flat monthly fee
- Providing required annual training
- Participating in quarterly technology committee meetings
- Performing quarterly audits
- Large-scale project management
Disaster Recovery and Business Continuity Planning
Disaster recovery and business continuity are often ignored until it’s too late. The MBA assesses and addresses member banks’ level of preparedness for responding to and recovering from an unexpected event. The MBA Compliance Group will assess the effectiveness of bank-wide continuity planning by performing a plan review and onsite audit. The MBA Compliance Group will provide relevant recommendations and revise contingency plan documents when necessary. The disaster recovery and business continuity assessment includes:
- Asset recovery inventory audit
- Review or perform business impact analysis
- Recovery priorities review
- Information backup, recovery and offsite storage assessment
- Review of continuity plan testing