How to protect the most common exceptions found in IT audits
The need to do an IT audit each year is crystal clear. What’s not so clear is what to do with the problems an audit reveals.
Here are the five most common findings and how you can address them.
The greatest danger to your system is from not installing security patches or software updates, which is why patching problems show up in almost every audit.
One in three breaches today are caused by unpatched vulnerabilities, and no one is immune. In 2017, 143 million records were compromised at Equifax due to unpatched software. And 198 million voters’ records were compromised in 2017.
To protect your systems, you should:
- Start with a thorough software inventory.
- Ensure unnecessary software is removed.
- Ensure you have adequate resources for knowing when patches for major products like Microsoft Windows, Adobe Products, and Oracle Java are released.
- Review status reports from your patch management system at least monthly.
- Conduct periodic manual check for patches. Systems can disappear from patching systems without notice, or there can be glitches or malfunctions preventing the systems from functioning properly. This can be performed when visiting departments and locations.Just stop by and check installed updates for Windows and third-party applications through the control panel-programs and features windows utility.
- Keep an eye on Oracle Java. Due to changes in licensing requirements, the application will not automatically install patches unless you purchase a license. This software should be removed from any workstation where it is not required. A license should be purchased for each system still requiring the program or an alternative should be installed in its place.
Mobile device management sandboxing
Mobile devices are blurring the lines between work and personal data, which makes it more crucial for IT to protect data not matter where it’s accessed.
Security breaches on mobile devices is a top concern since mobile use is only increasing and the average data breach cost is now $3.6 million.
Password protected timeouts, remote wipes and two-factor authentication alone are not enough as cybercriminals get smarter and mobile devices blur the lines between work and personal data.
Mobile device management (MDM) sandboxing means protecting the data, not the device itself, and good audits will flag when financial institutions fall short of requiring separation of FI and personal information.
Most MDM solutions have the feature available; all you need to do is enable it. Check with your vendor to verify if it is already available or if it requires additional licensing
The threat is global. Amnesty International recently reported that hackers in the Middle East and Africa have automated a process where they can crack a password and a two-factor authentication code in seconds.
Another gap in your security that audits often flag is related to your firewalls.
Firewalls are designed to analyze incoming traffic and block access based upon a set of security rules, which means hackers are slip through holes in those rules.
Earlier this year, hackers targeted the U. S. power grid by inundating firewalls at North American Electric Reliability Corporation’s firewalls (NERC). While there was no breach, the hackers caused the firewalls to reboot repeatedly, weakening their system.
To help mitigate problems, you should have a qualified professional perform a documented review your firewalls at least once a quarter.
Each review should check:
- Current rules are appropriately configured to protect the network
- Ensure any changes in rules since the last review were authorized
Weak change management policy
Another common error spotted in audits is a poor or non-existent change management policy. This policy outlines the formal process for making changes to IT systems.
While this flaw isn’t as much of an immediate threat as the previous three, the risk in the long-term is just as great.
Most institutions practice at least reasonable change management but may not have a policy as required by Federal Financial Institutions Examination Council guidelines.
Whether they are stand-alone or incorporated with other existing bank policies, change management needs to be clearly defined and follow a managed process that is repeatable.
Here are suggestions to help you get started:
- Define roles and responsibilities
- Outline evaluation of risks of the change
- Require proper authorization and approval
- Require proper timing of implementation (i.e. timelines to meet)
- Test procedures for the change
- Post project review (evaluate factors causing delay, measurement of completion and success)
- Include Backout and recovery plans
Testing baseline standards
Most financial institutions have a tracking system that covers their IT audits and regulatory exams, but they often don’t cover everything they should.
Tracking systems should address assessment factors that are below baseline standards from the FFIEC Cybersecurity Assessment Tool (CAT).
Vulnerability assessment reports (perimeter and internal scan reports) are often treated like a checklist item and are filed away once reported to the Board of Directors. These reports can identify some of the most immediate risks to your network and exceptions identified should be tracked until they are mitigated. Internal vulnerability assessment reports can be lengthy. Focus on tracking top findings. If the report doesn’t identify specific top findings, try to group findings by categories (missing patches, configuration issues, etc.) and develop your tracking from there.
Once you’ve established your priorities, then you can start to improve your testing before the next round.
How Wipfli can help
Whether it’s testing your systems with an IT audit or cybertesting your people with phishing tests, the team at Wipfli can help. You can sign up for Wipfli’s cybersecurity weekly email that includes the latest in patches and updates. See how we can guide you through a FFIEC cyber assessment, check out our free cybersecurity assessment tool or learn more from the following articles: