Inside the IT Security Exam
Regulator on How Institutions Can Prepare
To resolve these issues and prepare for the next IT exam, institutions need to have a corporate culture of security from the top down, Hinkle says in an interview with Information Security Media Group's Tom Field [transcript below]. "It has to be adopted by senior management. We find that once that occurs, everything else begins to fall into place year after year."
In dealing with vendor management, banks need to have a more formal process on what they should monitor on each vendor. "We're finding that the annual reviews ... are sometimes just too superficial," Hinkle says.
Institutions also need to have better controls in place when monitoring wire transfers. Although insider abuse of wire transfers is rare, Hinkle says, it's still an area that can cause a lot of damage for banks.
Lastly, information security risk assessments need to constantly be updated. "Threats and risks are always changing, and that needs to be updated at least during annual review," Hinkle says.
In an exclusive interview on account takeover and IT security exams, Hinkle discusses:
- Most common misconceptions about IT security examinations;
- The threat of corporate account takeover;
- What institutions can do to prepare for their next exam.
As Chief IT Security Examiner, Hinkle oversees the Information Technology examination function of approximately 350 banks and trust companies chartered by the state of Texas. He is well known to many bankers for addressing complex technical issues in a comprehensible and balanced way. He has held a variety of IT certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified Ethical Hacker, and he was trained by the National Security Agency in Information Security Assessment Methodology.
His early career included a broad background in the banking industry, including financial analysis, loan workout, and both bank and trust company examination. Prior to coming to work for the Texas Department of Banking, Phillip was the Manager of Correspondent Reviews for First Interstate Bank of Denver, Denver, Colorado. He is a graduate of the American Bankers Association National Graduate Trust School and the Texas Governor's Management Development program. He has received the FBI's Service Award from FBI Director Robert Mueller and has served on the national governing board of the United States Public and Private Partnership, Inc. (USP3), which he helped form for gathering and sharing information as a pilot program of the Department of Homeland Security.
TOM FIELD: To start out, why don't you tell us a little bit about your own banking experience and your current role with the Texas Department of Banking, please?
PHILLIP HINKLE: I started working in IT security about 30 years ago, and, of course, a lot has changed since then. I worked with the FDIC Division on Liquidation for a few years during the banking crisis of the 80s. I worked with First Interstate Bank in Denver for some of their troubled assets back in that period of time. And I've been working with the Texas Department of Banking for a little over 20 years now, and most of that's been related to IT security examination. We are the state banking regulatory agency, and we charter about 315 banks, ranging in size from approximately $60 billion in total assets to as small as $4 million in assets. I've been in my current role as the chief IT security examiner for about six years. In this position, I manage and direct our IT examinations of the banks we charter. We have eight full-time IT security examiners, and we require all of them to be CISA certified, which is an internationally recognized certification related to information security.
IT Security Exam

FIELD: Well really, you've had a chance to see this role grow up. I'd be curious as to what you see as the primary role or roles of the IT security exam.
HINKLE: Well, in some respects it hasn't changed a lot over the years other than the details. There are multiple roles and objectives for the exam, but the primary one is to ensure that the bank has adequate safeguards in place to protect not just customer information, but also corporate information as well. These safeguards include not just protecting the confidentiality of the information, but also ensuring that the information is available when it's needed. In Texas, we have a large coastal region that is subject to hurricane threats and also a large plains region that's subject to tornadoes, so part of this objective is ensuring that the banks have adequate disaster recovery plans that they test regularly.
Another important objective is helping ensure that management is informed of current security trends and threats. We utilize FDIC examination procedures and we also ensure that banks are following FFIEC guidance. You'll find that the FFIEC guidance is what helps keep a lot of our bankers informed of current threats, without question very real challenges for the banking industry and regulators, as well as keeping pace with the changing risks. We try and have a dialogue regarding those when we're meeting with the banks because they're on the frontline and they're seeing threats often before we're aware of them.
FIELD: What would you say are some of the common misconceptions about IT security examinations?
HINKLE: There are a couple of misconceptions. I'd say the biggest one is that our examinations are full scope IT security audits. While we do some testing of controls to ensure that the controls are functioning, we don't test all controls and our scope of review is narrower than an audit. As a matter of fact, one of our key sources of information to evaluate the security that a bank has is their own audit. GLBA, or Gramm-Leach-Bliley Act, requires that all important controls be tested or audited to make sure they're functioning. So if a bank has a full scope IT security audit by a qualified firm and it's relatively recent, then we're going to rely on those findings of that audit for at least some portion of our examination. We don't want to be burdening the bank by staying longer, testing or evaluating the same things that they've already had tested and evaluated independently.
Another misconception is that our IT security examiners have to write something up, or that they can't complete an exam without saying that the bank is doing something wrong. Most of our larger banks realize that isn't the case, but it's still a situation we run into in some of the smaller banks. The reality is most banks are doing a good job at information security, and it has significantly improved in the banking industry over the last five years. Part of that comes about through GLBA having been passed, with more emphasis and awareness of the need for it. But our agency, like most institutions, is stretched for resources, so if we can complete an examination quickly and write a report that essentially says there are no major findings, then that's better for us. We're not going to just be looking for something to put in a report and write up about a bank.
FIELD: What would you say then are your most common findings in your investigations?
HINKLE: There isn't one common finding that's real prevalent, but there are several that show up with some frequency. Vendor management issues are one. We're finding that the annual reviews of the vendors are sometimes just too superficial. The review is of the vendor's financial statement, and maybe it's just reviewed at someone's desk. There's no write-up regarding some other important factors that maybe should have been reviewed, such as has the vendor had its own IT security audit, or if the vendor has tested their disaster recovery plan. What should be reviewed is going to vary from vendor to vendor, so there needs to be a more formal process by the bank as to what they need to monitor on each vendor.
Another finding that occurs is the need for better segregation of duties with wire transfer controls. Although insider abuse of wire transfers is extremely rare and the banks have multiple safeguards against it, abuse in that area can cause a lot of damage to a bank, so we evaluate those controls very closely at every examination. Usually, when we're finding a segregation of duty problem, it has to do with reassignment of employees from the prior year. So the bank just needs to go back and reevaluate or tweak the duties a little bit that they're heading.
Another item that pops up probably with the greatest frequency, though, is the need for the information security risk assessment to be updated. Threats and risks are always changing, and that needs to be updated at least during the annual review.
Account Takeover

FIELD: I want to ask you about account takeover. It's been an issue that's plagued institutions across the country. There have been some in Texas, certainly, that have been victims of this. What are you uncovering most commonly in your exams regarding account takeover?
HINKLE: There have been several in Texas. And I'm sure all across the United States there are those that never make the press. We consider corporate account takeovers to represent a significant threat to the banking industry because it has the potential to undermine public confidence in the banking system and it can create a very high reputation risk for individual institutions. What we're finding is that most of our larger banks are already implementing layers of security to address the threat, but we're also finding that too many smaller banks just simply don't have sufficient awareness of the threat, and the public or their customers also have a very low awareness of it as well.
FIELD: What do you find that financial institutions of any size can be doing now to reduce the incidence of account takeover?
HINKLE: First and foremost, they have to develop a plan to address the threat. If they don't focus attention on this growing threat, the bank and its customers will be vulnerable. As everyone knows, there's no single control that can effectively protect both the bank's system as well as the customer's system, and often the weak link in the whole payment stream is the customer's computer system. But certainly, educating their high risk customers is an important step for banks to take.
The banks also need to be evaluating options for protecting against this threat that work for them and their customers. Stronger authentication is talked about quite a bit, but it's simply one option in layered security, and it's by no means a silver bullet. Automated or manual monitoring of high-risk transactions is a very important control option that needs to be considered by all banks.
In addition to educating their customers, the banks should also be educating and training their own employees to detect when an account hijacking might actually be occurring. Early detection is critical to blocking unauthorized transactions. Once they're detected, the bank has to have plans for responding to an account hijacking. They need a full response within minutes. Rapid response is probably the most critical thing in trying to prevent significant loss. This includes knowing how to reach their customers after hours and how to best retrieve any unauthorized transaction before the money gets further transferred to the point that it can't be retrieved at all. Since the needs of each bank and customer are different, developing and implementing the plan is fairly complicated, particularly for some of the smaller banks that don't hear about this as much and aren't aware of controls that can be put into place while the industry waits for vendors to develop more robust automated security. But the threat needs focused attention at each bank by senior management. That's probably the first and foremost thing they need to do, have a plan and an awareness level by senior management.
FIELD: Just to follow up on that, we've been talking about account takeover for almost two years now. What progress have you seen in that time by some of the financial institutions you encounter?
HINKLE: Among the larger ones, they're clearly putting into place some type of transaction monitoring. Some of it is manual because vendors haven't caught up completely. There are a number of vendors, though, who are stepping up to the plate on it. I'm seeing that as probably the biggest control that really helps mitigate the risk. All of that has been put into place because those institutions have a plan. Most of them have a three-step plan to protect, detect and respond against corporate account takeover, and they've implemented that at a high level of management.
FIELD: As you say, with some of the smaller institutions, this is still a challenge?
HINKLE: Absolutely, and part of it is they often have fewer customers that are at risk. And in some cases, that makes it easier for them to address the issue. But they need an awareness level of it. In many of the smaller banks, the CEOs are wearing one hat, or multiple hats, and they're one person. They have a large number of issues crossing their desk, so it's difficult for them to take something that can be as challenging as this and focus on it.
Preparing for the Next IT Security Exam

FIELD: If you could offer advice to institutions of all sizes, how best can they prepare for their next IT security exam?
HINKLE: There are several things they can do, but the foundational element is having a corporate culture of security from the top down. It has to be adopted by senior management. We find that once that occurs, everything else begins to fall into place year after year. The world has changed and IT security just can't be an afterthought. It has to be an integrated aspect of bank operations. Having a culture of security will help prepare for audits and examinations.
But if the banks want to know the most important thing they can do for an upcoming exam in a few months, they should ensure that their prior examination audit findings have been corrected. There's nothing that gets our attention faster than unresolved problems. If they have a formal tracking system that's reviewed at least quarterly, that's going to help ensure that each exception or finding from the prior audit or examination has been corrected.
The final thing that really helps in preparing for an audit, sort of a broad preparation measure, is having a qualified firm conduct regular IT security audits. This includes having general controls reviews, vulnerability assessments, and penetration tests. Banks that have good audit coverage and correct their audit and prior examination findings have the shortest IT examinations with the fewest recommendations by the examiner.