Common Pitfalls and Mistakes in Preparing for an IT Regulatory Exam
CUIS: If you were to narrow down to the top items that institutions should focus on in preparing for an IT regulatory exam, what should the number one concern be?
Susan Orr: I think that the number one thing Iâ€™ve seen would be for the last several years is institutions need to perform an enterprise-wide risk assessment before an IT regulatory exam. I am still finding, especially with serviced institutions, (those being serviced by a third-party vendor) that they donâ€™t have appropriate risk assessments in place. They need to do an overall risk assessment before the examiners come in. This should include a review of everything. Whether it is on paper, or in electronic form, all the documents, all the systems, all the threats should be assessed. I find that many institutions look at just the most common threats. You need to look at everything - assess the risk at every level and for every possible scenario. Many institutions do not look at environmental threats. Flooding is a great example. It could be caused by something as small as a broken pipe, or as big as a hurricane. You need to assess what could possibly happen to your facility. I see all institutions not paying attention to this; itâ€™s not just the serviced ones who arenâ€™t looking at this closely. Another common omission for all institutions is evaluating the likelihood of occurrence of an event and then assessing the potential impact. Using a matrix, which allows an easy-to-follow roadmap, to record the results of the assessment, is a good approach.
CUIS: What are some of the other concerns institutions should have when preparing for an IT regulatory exam?
Susan Orr: The second concern should be insufficient audit IT coverage. Most internal auditors cover the financials and general internal controls, but arenâ€™t doing good IT audit reviews; most are just hitting the surface. Theyâ€™re not looking at security in as well as around the information systems, not reviewing policies and procedures or reviewing the risk assessments. You need to make sure you have someone, whether in-house or outsourced who has the background and knowledge level to do a good, thorough IT review.
Number three on my list is make sure all the institutionâ€™s policies are up to date, and that they reflect the institutionâ€™s operating environment. I see many institutions using templates or fill-in-the-form documents they get off the Internet. These templates and form documents donâ€™t always correspond with whatâ€™s in their institutionâ€™s operations, or the document refers to internal audit, when they donâ€™t even have an internal audit department. Also institutions must make sure they have a comprehensive, enterprise-wide business continuity plan. Many still just have the basic disaster recovery plan. I would say that 90 percent of the institutions I have reviewed most recently have incomplete plans. Almost all do not have a business impact analysis, and are not preparing test plans for their BCPs.
My fourth concern is vendor management. Many institutions are not able to produce a written vendor management program. This also would include performing due diligence prior to a vendor or service providerâ€™s selection, and preparing a vendor risk assessment, in addition to spelling out what should be included in contracts. Institutions need to be monitoring their vendor relationships on an ongoing basis. They should be receiving and looking closely at documentation. Typically an executive summary will suffice to support the vendorâ€™s security and controls. Most small institutions think that a SAS70 will cover them, I hate to tell them, but thatâ€™s not enough. You need to get some kind of assurance from the vendor in writing because a SAS70 isnâ€™t a complete security audit. A third party audit like a SAS70 is definitely a document you want to review, but it shouldnâ€™t be the only documentation you have from a vendor.
CUIS: As a former financial institution examiner, youâ€™ve seen your share of bad preparations for these exams, what are some points of advice you would offer institutions on sharpening their knowledge through the IT examination handbook?
Susan Orr: My first advice is this - Out of all 11 handbooks, if institutions only download one of them, it should be the Information Security handbook. The reason why that would be the thing to focus on? Most exams are now risk focused and the laws mandate the protection of information assets. Security is a priority. I also suggest institutions check their primary regulatory agencyâ€™s website, look at the latest announcements, and also look at exam procedures on the website. This gives you a roadmap to follow. And lastly, do not forget the regulations that have been around for a while. Even though GLBA has been around since 1999, it does not mean it is not being overlooked by the regulators. Institutions should look at requirements, and then review their infosec policies and procedures. Please, donâ€™t just wait for your examiners to come in and tell you what you need to do â€“ be proactive.
CUIS: How will upgrading to the new Microsoft operating system affect an institutionâ€™s preparation for an IT exam? Will examiners look any closer at institutions upgrading to Vista?
Susan Orr: I donâ€™t think that examiners will look at institutions who are upgrading to Vista any differently than they would with the implementation of any new product. With any new program or operating system, it is wise to consider security issues surrounding it. Any software program introduced into the institution should be reviewed and tested carefully. Look at the security risks associated with it, and make sure the institutionâ€™s internal security requirements are met. Your policies and procedures should be carried over in the new program or operating system.
To get complete in-depth information on preparing for an IT regulatory exam, register to attend the webinar.