Note: This is the second article in a four-part series on protecting financial institution customer information. The first article, “Safeguarding Customer Information through a Compliant Information Security Program,” is available in the Financial Institutions industry archive.
No doubt, every financial institution has standards and procedures in place to protect customer information. But how well are such standards performing? Are policies and procedures fully compliant, particularly in light of GLBA? Has any aspect of technology and its ability to protect information been inadvertently overlooked?
Examining your financial institution’s information technology and identifying its vulnerabilities are the first steps in diligently safeguarding your customers’ information. Only by implementing a comprehensive review process can you develop an effective and thorough risk assessment (more details on this topic in part three of the series).
To build a reliable information security program, a financial institution must review the safeguards currently in place and identify any threats to customer information. This process can often involve a third-party vendor to help conduct an objective IT exam and perform valuable testing. Two areas of focus include ensuring adequate policies and procedures and verifying adequate internal controls.
Sufficient and satisfactory
A thorough IT exam will consider several factors that determine whether adequate policies and procedures are in place. For instance, policies and procedures should be tailored to the types of risks that might arise from the financial institution’s existing information technology. There should also be written procedures providing detailed guidance for the day-to-day implementation of information technology, and policies should include limits designed to shield the financial institution from excessive and imprudent risks.
Establishing and maintaining an effective system of controls is one of management’s more important responsibilities, and an IT exam can also help determine whether internal controls are indeed adequate. A review of the organization’s structure can establish whether there are clear lines of authority and responsibility for monitoring adherence to policies, procedures, and limits. What’s more, the exam can ensure that important internal audits or other control review practices are properly in place. Such audits and reviews can provide independence and objectivity and enable the financial institution’s board of directors, as well as its management, to continually evaluate the effectiveness of its internal control processes.
An evaluation on all fronts
Financial institutions that pursue an independent and formal review should insist on thoroughness. A sound IT exam and vulnerability test will include an evaluation of both physical and operational system access to customer information, as well as both internal and external threats. It’s also important that the process explore controls in place for prevention and detection and examine overall management responsibilities.
Examining physical access takes into account a wide spectrum of internal and external aspects, such as building access (both by employees and vendors), automated teller machine access, IT equipment access, and physical document transfers.
A system access evaluation will again consider both internal and external factors, from the accessibility of the core processing system and network file servers to Internet/telephone banking and off-site data storage, and so much more.
Rigorous and reliable network testing
IT exams and vulnerability testing should adequately assess the availability, integrity, and, above all, the confidentiality of the institution’s data and systems. While a strong network testing process is critical, it should also be appropriate for the financial institution and its systems. Likewise, while frequency of testing is also important, such frequency should be determined by the financial institution’s particular needs and circumstances. What’s more, because frequent independent reviews are costly, an appropriate internal testing process can limit the need for external reviews.
One of the objectives of network testing is to catch vulnerabilities before they become issues. Special industry tools and techniques can be used to test the effectiveness of controls in order to safeguard information assets. For instance, Wipfli uses many of the same tools used by information security professionals and hackers.
Proper testing should also include a review of the work performed by financial institution staff and, if possible, it should be a separate function from any implementation efforts.
Basically, testing is a point-in-time snapshot of a financial institution’s security posture. Testing procedures should be performed at least annually to ensure that the information security program is being properly implemented and that any weaknesses or issues have been adequately addressed.
A means to successful safeguards
IT examinations and vulnerability testing are the foundations for strong customer information security. When well performed, they provide financial institution management with a powerful tool for measuring business risks and for developing a well-defined focus for audit procedures, both internal and external.
Part three of this four-part series explores the risk assessment process. In part four, discover the details required to create an information security policy.