An effective cybersecurity program requires an established system vulnerability and penetration testing program. Vulnerability testing involves scanning internal and external networks using automated scanners and manual analysis to identify known security flaws and weaknesses. Penetration testing, as the name suggests, is a more rigorous, real-world, manual effort to exploit flaws and weaknesses and gain unauthorized access to systems and data.
Advice and regulatory guidance regarding frequency of testing and the use of independent third parties come from a variety of sources. Determining the appropriate frequency for your organization will depend on its products and services, technology utilization, risk tolerance, size and complexity. In addition, the nature of regulatory oversight and feedback depend on the regulator, geography, specific examiner perspectives and size of the organization.
Traditional regulatory guidance for the financial sector, and particularly banks and credit unions, has come from the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook InfoBase and the FFIEC Cybersecurity Assessment Tool. These resources indicate that testing frequency should be determined by an organization’s risk management process, and that there should be ongoing independent internal or third-party audits. These audits should assess the reasonableness and appropriateness of, and compliance with, policies, standards and procedures, including tracking of deficiencies identified in penetration tests and vulnerability assessments through to remediation.
Industry, state guidelines
The Payment Card Industry Data Security Standard (PCI-DSS) has established a set of security requirements for any business that processes credit or debit card transactions. PCI-DSS requires that vulnerability testing be performed at least quarterly and that penetration tests occur at least annually, and more frequently when significant system changes are made.
The state of New York has adopted comprehensive cybersecurity standards. According to the Department of Financial Services (NY CRR 500 Cyber Security Requirements), financial services companies doing business in the state are required to monitor and test in accordance with the organization’s risk assessment, and either continuous monitoring or periodic penetration and vulnerability testing must be performed. In lieu of continuous monitoring, organizations should conduct biannual vulnerability assessments and annual penetration testing.
The Federal Trade Commission (FTC) recently released its Security Safeguards for Consumer Financial Information, which strengthen data security safeguards for financial institutions. The FTC safeguards are targeted at non-banking financial institutions engaged in a broad range of financial services, including insurance, lending and financial advisory services. These organizations include mortgage brokers, motor vehicle dealers, money transmitters, tax preparers and payday lenders.
The FTC Security Safeguards indicate that organizations should have continuous monitoring in place; in lieu of continuous monitoring, annual penetration tests should be performed on all systems, and vulnerability scanning and assessments should be performed every six months.
Ramping up testing
As organizations’ security controls mature, they are moving toward greater testing frequency, be it quarterly, monthly or continuous vulnerability scanning and penetration testing. A top priority is securing an organization’s perimeter and critical assets and validating that changes in the operational environment or newly discovered vulnerabilities do not weaken its security posture.
Services such as Tenable.io and other cloud-based vulnerability management platforms can provide clients with ongoing ways to identify weaknesses and manage their risk.
In addition, some organizations choose to implement their own internally managed vulnerability scanning or have their IT service provider perform this service. In these situations, it is recommended that an independent third party periodically perform vulnerability assessments and penetration tests to validate the effectiveness of ongoing monitoring, patching, and system and network hardening procedures, since a team should not be the sole judge of its own controls.
In summary, best practice and regulatory guidance point to, at a minimum, annual penetration testing and twice-a-year vulnerability assessments for an organization’s internet-facing environment. In addition, testing should occur after significant changes are deployed. Regular testing should be built into operational processes as part of the overall security program. And moving forward, expect that frequency to rise along with the level of risk.
How Wipfli can help
Do you have concerns about flaws or weaknesses in your organization’s security systems? Wipfli can help you assess your risks and boost your security controls. Learn more about Wipfli’s cybersecurity services.