William Henley of Office of Thrift Supervision: Guidance on Effective Security Program Management
Richard Swart: Hi, this is Richard Swart with Information Security Media Group, publishers of bankinfosecurity.com and cuinforsecurity.com. Today we'll be speaking with William Henley. He is the Director of IT and Risk Management for the Office of Thrift Supervision. Now William, what specific guidance and advice can the OTS give thrifts and financial institutions in the development, implementation and maintenance of policies, procedures and guidelines regarding technology risk management?
William Henley: Well, Richard, IT risk management is an area that the five federal regulatory agencies try to speak with one voice and display interagency agreement. So, I would direct thrifts first to the resources that are available to all financial institutions, and that would be the FFIEC IT Examination Handbook. Now, the cornerstone of success of any financial institution is management. And this booklet, the management booklet, addresses the roles and responsibilities of the board of directors, the committees of the board that oversee the IT function, and IT senior executives, as well as IT and line management and business unit managers. A major responsibility of the board and senior management is the development of policies, standards and procedures. Policies and procedures should be appropriate or tailored for each thrift and enforced by senior management. Also, I would direct the audience to the information security booklet for guidance and developing policies, procedures and guidance. And finally for thrifts, we would direct them to the OTS examination handbooks and Section 341 of the examination handbook, it maps directly to the FFIEC IT handbook, but it's tailored for smaller and community based thrifts. And finally, I would direct their attention to CEO Letter 231 that's addressed to thrifts.
Swart: Well, William, could you also tell us how the OTS facilitates and monitors the examination function of thrifts, and what are some key areas that are of significant importance in this examination program or process?
Henley: Okay, the examination procedures are developed in Washington, and implemented by our examiners. And there are five regional offices, and each regional office has a consistent framework with an IT manager that's responsible for evaluating the thrift and service, the thrifts and service providers in their geographic area of responsibility. Now, the resource allocation within these regions is risk focused. And there are basically two examination tracks that we pursue here in the OTS. For thrifts with complex risk profiles or for third party service providers, the IT managers generally assign our senior IT examiners that would use a detailed set of examination procedures for their evaluation. And their examination procedures are based on the FFIEC IT Examination Handbook. Now, for thrifts with a less complex risk profile, generally a safety and soundness examiner would perform that review during the safety and soundness exam, and they would use the IT risk and controls examination procedures found in Section 341 of the OTS Examination Handbook. Now, the areas that we focus on, as I said in my response to the first question, is it all begins and ends with management. So that's where we put the bulk of our emphasis on, but you know, the audit and having an independent audit function is also a key area that we look at during our IT examination procedures, as well as the other ERISA component rating areas of development and acquisition if it's appropriate on a larger complex, thrift, and support and delivery.
Swart: I was wondering if you'd also tell us, based on the exams that your agency is conducting, what are some trends that you're seeing in information security management that need to be brought to our audience's attention?
Henley: Well, the trends are the greater emphasis on information security. Now with the passage of the GLBA, and moving forward to today, what we see is a greater awareness among financial institutions for information security. And as a result of the passage of the GLBA, there's been various interagency guidance pieces that have been released, including the authentication guidance that had an effective date of, or effective compliance date of January 1, 2007, the response program guidance, and greater general awareness on the part of thrifts of recognizing that information is an asset, and like any asset of the thrift, that it has to be protected.
Swart: So, for another area, vendor management has been of interest to the financial community for quite some time, but recently institutions rely on some third-party services as becoming increasingly important. There have been cases recently where system compromises at a service provider have caused financial institutions to activate their incident response program and even notify their customers about breaches and take actions. What are some of the OTS' expectations regarding vendor management and what about incident response programs?
Henley: Okay, the OTS' expectation regarding vendor management is clearly defined in Thrift Bulletin 82A, and it states that you must retain accountability for any third party arrangement and determine the strategic role and objectives for the arrangement. The thrifts are responsible for understanding the risk associated with third party arrangement, and ensuring that effective management practices are in place. A thrift should clearly define each party's expectations and obligations so they are enforceable. And the risk management process should include the following items: 1), an assessment of risk to identify the association's needs and capabilities; 2), due diligence to identify and select a third party; 3), a written contract that states the duties, obligations, contingencies, and responsibilities of the parties, and ensures that third parties maintain adequate internal controls over activities; 4), policies, procedures and controls to oversee the third party's activities and performance; 5), ongoing oversight of third party performance, including periodic assessments of cost, compliance management, acceptability of service levels, and unforeseen risk; and 6) is documentation regarding the periodic assessment of a third party's performance and the due diligence that the thrift performed to arrive at their conclusion. Also, the FFIEC handbooks, specifically the management booklet and the outsourcing of technology service provider booklet, identify the regulatory expectations for strong vendor management. And, the OTS examination handbook Section 341 as I mentioned earlier, maps to the IT Handbook and it encourages strong vendor management programs. Now, with respect to the second part of your question, what are our expectations for incident response programs?
Well, there are three primary components for incident response programs, and that would be an assessment of what data had been exposed in the face of a data breach, containment of the situation, and then contacting the OTS following a data breach. And looking at an incident response program, we would like the thrift to be of the mindset that data breaches are an inevitability, because a thrift can have a sound data security program, strong policies, and still suffer a compromise of confidential customer data because threats can come from various sources. They can either be internal or external. They can be from human, technical, or environmental sources. And they can either be intentional or unintentional. But following an incident there are certain steps for damage control that can be followed in order to reduce the exposure of confidential customer information following such a breach. So, as I mentioned the three main points were assessing the nature and scope of the incident, identifying what systems and information have been accessed, and then notifying the OCS. Now, after those three steps are followed, then there may be four additional steps depending on the results of those steps that would need to be addressed, and that would be filing a suspicious activity report, notifying law enforcement in situations involving criminal activity, and containing, controlling the incident to prevent further unauthorized access or misuse, and then finally notifying customers when warranted.
Swart: Well, as a follow up to that, how would you rate the effectiveness of thrifts at responding to incidents today?
Henley: To date, I would say that thrifts have followed our guidance as contained in CEO Letter 214 that outlines the basic components of an incident response program, that we have good relationships between the thrifts and the primary level contacts at the regional offices, and when necessary in the event of some of the more serious breaches, the Washington office has been brought into the picture, but overall their response to such breaches has been strong and effective. And you know, that's seen by the continued confidence in the banking system, so that's across charter types. I think that compliance with this guidance and recognition of the importance of the guidance has helped to maintain a level of consumer confidence in the face of the growing number of data breaches across the economy.
Swart: Well, that's good to know. This is a very hostile environment and it's good to know that institutions are adequately addressing the challenges. Last question for you, William. What advice would you give to someone that's interested in pursuing a career in financial institution regulation?
Henley: Well, the advice that I would give is, for students that are interested, there are various internship programs that are available through the regulatory agencies. We have not only summer internship programs, but part time and ongoing internship programs during the year that would give them exposure to this field. And also, we're consistently looking to bring in new employees because we have a very experienced and senior staff and we want to provide for continuity of staff and so we're always looking out for, or always open to bringing in young, talented college graduates in our trainee program, examiner trainee program.
Swart: Well, it sounds like there's lots of good opportunities available out there. Well, thank you for your time today, William. We certainly appreciate your information.
Henley: Well, Richard, thank you for the invitation to participate on the podcast, and I hope that my answers were informative for your audience.
Swart: Are there any other resources that our listeners could go to?
Henley: Well, the resources would be those available on the OTS website, that's www.ots.treas.gov, and also the resources available at the FFIEC website, the ffiec.gov website that contains the various CEO letters, thrift bulletins, as well as the links to the FFIEC IT handbooks.
Swart: Well, thank you for listening to another podcast of the Information Security Media Group. To listen to a selection of other podcasts, or to find other educational content regarding information security for the banking and finance community, please visit www.bankinforsecurity.com, or www.cuinfosecurity.com.