
Security, GRC and Audits: Avoiding the Findings

Audits and regulatory examinations are inevitable in the financial industry. Audit findings don’t need to be, but as banking services grow more sophisticated and compete at fever pitch, you might find yourself postponing that risk assessment meeting to focus on your new digital banking platform release. Maybe the new release has caused an increase in customer calls and now you also need to postpone your InfoSec Committee meeting to support your teams. Next thing you know, it’s audit time and you are not prepared.

I am reminded of my teenage years, when cleaning my bedroom was a chore and a daily battle. “How can you find anything in this room?” my parents would say. “Please clean your room.” I’d respond, “I know where everything is,” or “I’ll do it later. It’s just my room, nobody is coming to see it.” Back and forth we’d go until the day I wasn’t allowed to attend that much-anticipated party because I needed to clean my room. The horror of being the only one in our class to miss it; if only I’d done as they asked the first time.

How often have we found ourselves in a similar situation at work? The fact is that risk assessments, policy reviews, business continuity planning, and similar proactive tasks often take a lower priority when they compete with client-facing and daily operational activities. We may think “customers aren’t coming to see those.” But these proactive tasks are the proverbial “necessary evil” and usually the topic of audit findings for being ineffective, incomplete, or inappropriate.

An Audit Tale

These are examples of audit findings we can avoid if we take a proactive approach:

Access Controls – Administrative Accounts

“Weak password criteria and management of default administrator accounts.”

Information Security Program

“Information Security Policy does not fully document activities or include processes which are repeatable and measurable.”

Governance

“No comprehensive metrics to evaluate the effectiveness of the Information Security Program and provide early indication of a breakdown in the control environment.”

I have seen this often throughout my career as an information security practitioner working with banks and credit unions. Sometimes it really is necessary to postpone that access review or risk assessment. Maybe it’s just another hat we wear and it’s difficult to carve out the time. Maybe we depend on others who also wear other hats and may have conflicting priorities. The challenge with policy reviews, access reviews, and risk assessment work is completing the task consistently, not just because an audit is coming up, but because regulators expect it to be an ongoing activity.

Now is a good time to re-evaluate your reactive approach to information security. Below are some practical ways to use your security and GRC building blocks to make your IT security, risk, compliance, vendor, and business continuity programs more effective and avoid findings in your next audit/exam.

A Strong Foundation

Figure: A strong foundation to avoid audit findings.

We often talk about the concept of people, process, and technology (PPT) in operations. A framework introduced in the 1960s to drive organizational change and efficiency, it still applies today in IT, risk management, and information security. The right combination of people, processes, and technology is important to deliver innovative financial products and services to the market. Equally important, and a regulatory expectation, is the need to protect the confidentiality, integrity, and availability of the information handled by those financial products and services.

Enter governance, risk, and compliance, which provides the structure to accomplish information security by aligning:

  1. People in the right roles determining and overseeing your strategic direction (governance)
  2. Processes to identify information assets, their related risks and appropriate mitigating controls (risk)
  3. Technology to monitor and measure performance against policies and regulations (compliance)

People in the right roles can determine the appropriate processes to manage your enterprise programs. With appropriate processes in place, you can standardize and scale your operations. Using technology, you can then automate these processes to support growth and provide greater visibility and accountability.

This is sometimes easier said than done. However, taking the time to set these up properly will provide a strong foundation to manage your programs, complete your tasks and be well prepared for your next audit.

GRC to Avoid Findings

On June 30, 2021, the FFIEC announced a new “Architecture, Infrastructure, and Operations (AIO)” booklet in the examination handbook series. The booklet outlines regulatory “…expectations regarding architecture and infrastructure planning, governance and risk management, and operations of regulated entities. The booklet discusses the interconnectedness among an entity’s assets, processes, and third-party service providers…”

Of note in this and the subsequent release of the “Authentication Guidance” on August 11, 2021, the FFIEC makes it clear that banks and credit unions must ensure proper governance of IT and information security, especially the risk of unauthorized users accessing internal networks and digital banking systems. The guidance talks about the importance of properly documenting roles and responsibilities for information security as well as AIO management. It also provides examples of best practices for authentication controls and clearly states the importance of asset inventories and risk assessments. We expect this to be the focus of the next set of regulatory examinations coming to a city near you.

Some practical tips to avoid findings in your next audit:

  1. Use GRC technology to your advantage. Take the time to deploy or contract with a cloud solution to:
    1. List and track your asset inventory
    2. Identify and document the threats that impact your infrastructure and business operations
    3. Assess the overall risk landscape of your organization
    4. Determine the controls necessary to reduce risks to acceptable levels
    5. Maintain your business continuity plans
    6. Track vendor risks and service levels, and
    7. Report your progress
  2. Establish proper reports to:
    1. Provide visibility across the organization
    2. Enforce accountability
    3. Show progress and highlight issues to address
    4. Provide evidence for audit
    5. Measure success
  3. Have a plan and follow it – audit findings often result not only from weaknesses in a control environment, but also from a lack of proper remediation planning. Know your weaknesses, but always have a plan and, more importantly, follow it to completion.

Ensuring audit success takes a little bit of effort at first. The goal should be to create processes you can rinse and repeat. Start with proper, current documentation; its absence is the biggest weakness in information security programs. Even if it is done well the first time, it’s important to have a continuous process to keep all documentation current at established intervals. Transparency is key because, in the end, it’s all about protecting what’s important.

Source:

FFIEC, “Architecture, Infrastructure, and Operations (AIO)” booklet announcement: https://www.ffiec.gov/press/pr063021.htm
