Are Your IT Audits Serving Your Cybersecurity Needs?

October is national cybersecurity month

By Rob Foxx, CCBTO

Cybersecurity is quickly joining phishing, artificial intelligence (AI), and ransomware on the list of information technology (IT) industry buzzwords — but that isn’t entirely a bad thing. Cybersecurity is the practice of protecting your digital data and is just one aspect of information security, which is charged with protecting the institution’s whole database.

When asked how they know if their institution is correctly safeguarding its data, many may refer to their IT professional. While it is not wrong to rely on these individuals, it is important that all bankers understand their bank’s positioning. To do so, teams may consider sitting in on an IT audit, or at the very least, familiarizing themselves with the process of a risk assessment and review of all policies, procedures, guidelines, and standards. While not all IT audit programs are created equally, and the review may also examine a host of other items, many audits are required by regulators and are performed at some frequency related to the bank’s level of risk.

Many IT audit programs only cover IT operations, governance, and general controls. However, these are limited in scope and often do not cover the areas of highest risk in greater detail. In the banking industry, these high-risk areas usually include:

  • Access controls: How your data and information systems are accessed
  • eBanking: Outward facing digital profile
  • Disaster recovery and business continuity planning: What do you do in a disaster and how do you recover business functions
  • Vendor Management: How do you manage your third-party vendors

Although many professionals are able to write a document review, the errors are often not as clear to them as they might be to an outside source, and management may not have the expertise to see these problems. In order to receive high-quality feedback, employing an outside auditor may be the best solution for your bank. However, it is important to select your auditor carefully.

While some auditors do not review all the documentation provided to them, others may only review documents that are sanitized or redacted for confidentiality. Finding an industry peer to conduct a complete review may be difficult, but it is entirely worth it for the security of the institution. One of the most obvious signs of a poor auditor will be their lack of comments on the provided documentation. If this happens, chances are that the documentation was not reviewed.

When selecting an auditor, it is also important to understand what security standard they adhere to. Many may only consider guidance presented by the Federal Deposit Insurance Corporation (FDIC) or Federal Financial Institutions Examination Council (FFIEC). While these are both fine for remaining compliant, they may not have your security’s best interest in mind.

Guidelines from the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), or Center for Internet Security (CIS) offer a better framework for security controls and can help make the institution more than just compliant. Additionally, it is often best practice to invest in an auditor who has experience working with the banking industry and will work with the bank’s needs and goals in mind.

Finally, consider auditors that do more than just an audit. A good auditor will take the time to explain their findings and offer recommendations, advice, sample documentation, or even connections with other resources to help answer questions.

While IT audits can be a stressful event for everyone involved, they do not have to be. FIPCO’s IT Audit & Security Service is designed to cover critical aspects of business operation and ensure that vulnerabilities are identified before it’s too late. To learn more about this service, please contact me at rfoxx@fipco.com or reach out to our team of professionals at 800-722-3498.

Foxx is director – infosec and IT audit services for FIPCO.

For more information about FIPCO forms, software, or other products, visit fipco.com, call 800-722-3498, or email fipcosales@fipco.com.

FIPCO is a WBA Gold Associate Member.