Off-Site Reviews, Virtual/Teleconference Training, and Management Consulting Support

Young & Associates, Inc. remains committed to keeping our employees, clients, and partners safe and healthy during the COVID-19 pandemic. During this difficult and unprecedented time, we have continued to successfully leverage technology to fulfill our commitments to our clients and partners through secure remote access for reviews, virtual/teleconference training, and other management consulting support.

Young & Associates’ commitment to virtual/teleconference training and remote access reviews dates back well over five years. We see this ability as a win-win for everyone – the review and training get completed in a timely manner and the bank avoids paying any travel expenses. If you are concerned about security, please be assured that we use the latest secure technology.

We remain committed to helping our clients with all areas of their operations through off-site reviews and providing the most current regulatory updates through our virtual/teleconferencing training.

Contact one of our consultants today for more information about our off-site reviews or virtual/teleconferencing training:

Bill Elliott, Director of Compliance Education: or 330.422.3450

Karen Clower, Director of Compliance: or 330.422.3444

Martina Dowidchuk, Director of Management Services: or 330.422.3449

Bob Viering, Director of Lending: or 330.422.3476

Kyle Curtis, Director of Lending Services: or 330.422.3445

Aaron Lewis, Director of Lending Education: or 330.422.3466

Dave Reno, Director – Lending and Business Development: or 330.422.3455

Ollie Sutherin, Manager of Secondary Market QC Services: or 330.422.3453

Jeanette McKeever, Director of Internal Audit: or 330.422.3468

Mike Detrow, Director of Information Technology Audit/Information Technology: or 330.422.3447

Young & Associates, Inc.’s consultants provide a level of expertise gathered over 42 years. In our consulting engagements, we closely monitor the regulatory environment and best practices in the industry, develop customized solutions for our clients’ needs, and prepare detailed and timely audit reports to ease implementation moving forward. With backgrounds and experience in virtually all areas of the financial services industry, our consultants bring a broad knowledge base to each client relationship. Many of our consultants and trainers have come to the company directly from positions in financial institutions or regulatory agencies where they worked to resolve many of the issues that our clients face daily.

We look forward to working with you as you work to obtain your goals in 2021 and beyond.

Getting the Most Value from Your Information Security Risk Assessment

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Just like technology, we have seen information security risk assessments evolve over time. Initially, risk assessments were focused on the core system as the main repository of customer data, as well as paper documents and PCs. However, financial institutions continue to use new technologies to store or process customer data, such as the cloud and mobile devices. Risk assessments must evolve along with technology to ensure that the threats and vulnerabilities associated with each information asset are properly identified and mitigated.

Many financial institutions began the risk assessment process with threat-based risk assessments, but have now moved to asset-based risk assessments or a hybrid of the two types. We do, however, still see some financial institutions using only a threat-based risk assessment. The use of a threat-based risk assessment alone does not provide the same value as the use of an asset-based risk assessment. This article will describe the differences between the two types of risk assessments and the benefits of using an asset-based risk assessment.

Threat-Based Risk Assessment

A threat-based risk assessment starts with the identification of a threat, such as “Inadequate Logical Access Controls.” An inherent risk rating is assigned, mitigating controls are identified, and a residual risk rating is then assigned. Does this threat only apply to the core system, or does it also apply to files stored on the file server which also contain customer data? Are the mitigating controls the same for all of the institution’s information systems, or are there different controls for the core system and the file server? During a review of a threat-based risk assessment, it can be difficult for directors, auditors, and examiners to verify that all of the institution’s information assets were evaluated during the risk assessment process. It can also be difficult for the information security officer to update a threat-based risk assessment when a new information asset is introduced into the institution’s environment.

Asset-Based Risk Assessment

In contrast, an asset-based risk assessment fixes these problems by identifying the specific threats/vulnerabilities and mitigating controls that are applicable to each information asset.
The asset-based risk assessment development process consists of the following steps:

  1. Obtain an inventory of all of the assets that store or process non-public information. (Assets may include, but are not limited to, paper documents, servers, workstations, network devices, removable storage devices, and software applications.)
  2. Classify the data that the asset stores or processes.
  3. Identify threats and vulnerabilities.
  4. Identify the likelihood of occurrence and impact rating for each threat and vulnerability.
  5. Assign an inherent risk rating.
  6. Identify the controls in place to mitigate each threat and vulnerability.
  7. Assign a residual risk rating based on the mitigating controls.
  8. If the residual risk rating exceeds the institution’s risk appetite, identify additional mitigating controls to implement.
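A worked version of the eight steps above, as an added example that is not from the article or from Young & Associates: a small Python model in which each inventoried asset carries its own data classification, threats, likelihood/impact scores and mitigating controls, and each residual rating is compared against the institution’s risk appetite. The 1–3 scales, the control strengths, the sample assets and the appetite are constructed assumptions.

```python
"""Asset-based risk assessment model: one row per asset and threat (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Ordinal scales assumed for this example: 1 = Low, 2 = Moderate, 3 = High.
RATING_ORDER = {"Low": 0, "Moderate": 1, "High": 2}


def rating(score: int) -> str:
    """Map a likelihood x impact score (1..9) onto the Low/Moderate/High scale."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Moderate"
    return "High"


@dataclass
class Control:
    """A mitigating control that lowers either likelihood or impact by some levels."""
    name: str
    reduces: str        # "likelihood" or "impact"
    levels: int = 1     # assumed strength; a factor never drops below level 1


@dataclass
class ThreatEntry:
    """One reasonably foreseeable threat/vulnerability for a specific asset (steps 3-7)."""
    threat: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        like, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.reduces == "likelihood":
                like = max(1, like - c.levels)
            else:
                imp = max(1, imp - c.levels)
        return like * imp


@dataclass
class Asset:
    """An inventoried asset with its data classification (steps 1-2)."""
    name: str
    data_class: str
    threats: List[ThreatEntry]


def assess(assets: List[Asset], appetite: str = "Moderate") -> List[Dict]:
    """Build the assessment rows; flag rows whose residual rating exceeds the appetite (step 8)."""
    rows = []
    for asset in assets:
        for t in asset.threats:
            res = rating(t.residual())
            rows.append({
                "asset": asset.name, "data_class": asset.data_class, "threat": t.threat,
                "inherent": rating(t.inherent()), "residual": res,
                "controls": [c.name for c in t.controls],
                "exceeds_appetite": RATING_ORDER[res] > RATING_ORDER[appetite],
            })
    return rows


def gaps(rows: List[Dict]) -> List[Dict]:
    """Rows for which additional mitigating controls must be identified."""
    return [r for r in rows if r["exceeds_appetite"]]


# Constructed sample inventory; names, scores and controls are illustrative only.
SAMPLE_ASSETS = [
    Asset("Core banking system (vendor-hosted)", "Confidential", [
        ThreatEntry("Unauthorized Logical Access", 3, 3, [
            Control("Multifactor Authentication", "likelihood"),
            Control("Monitoring Procedures", "likelihood")]),
        ThreatEntry("Service Provider Issues", 2, 3, [
            Control("Vendor Management", "likelihood"),
            Control("Data Backup", "impact")]),
    ]),
    Asset("Report file server (core reports)", "Confidential", [
        ThreatEntry("Unauthorized Logical Access", 3, 3, [
            Control("Policies", "likelihood")]),
    ]),
    Asset("Teller workstation", "Internal", [
        ThreatEntry("Malicious Code", 3, 2, [
            Control("Antivirus", "likelihood"),
            Control("Patch Management", "likelihood"),
            Control("Data Backup", "impact")]),
    ]),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_ASSETS):
        flag = "  <-- exceeds appetite" if r["exceeds_appetite"] else ""
        print(f"{r['asset']:<38} {r['threat']:<28} inherent={r['inherent']:<8} "
              f"residual={r['residual']:<8}{flag}")
```

Adding a new asset is one more `Asset(...)` entry, and a newly reported threat is one more `ThreatEntry` on the assets it applies to, which is the update path the article describes.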

During the risk assessment development process, it is important to ensure that enough time is spent identifying all of the reasonably foreseeable threats for each asset. Otherwise, the effectiveness of the selected mitigating controls will not be properly evaluated.

Some examples of reasonably foreseeable threats include:

  • Unauthorized Physical Access
  • Unauthorized Logical Access
  • Man-made/Environmental/Natural Disaster
  • User Error
  • Social Engineering
  • Malicious Code
  • Hardware Failure
  • Service Provider Issues

Some examples of mitigating controls include:

  • Antivirus
  • Data Backup
  • Encryption
  • End of Life Management
  • Asset Disposal Procedures
  • Multifactor Authentication
  • Physical Security
  • Environmental Controls
  • Firewalls
  • Patch Management
  • Policies
  • Monitoring Procedures
  • Vendor Management

The image below identifies the typical format for an asset-based risk assessment.

Benefits of an Asset-Based Risk Assessment

  • Provides a more detailed view of the institution’s environment. By identifying each asset that stores or processes non-public information, directors and outsiders can gain significant visibility into the complexity of the institution’s environment, including vendor-hosted assets.
  • Clearly documents the assets that were evaluated. Directors, auditors, and examiners can easily see that each of the institution’s assets was considered.
  • Carries a lower risk of errors. By assessing the threats/vulnerabilities and mitigating controls associated with each specific asset, there is less of a chance that assumptions will be made about the mitigating controls for a specific asset.
  • Is easier to update. If a new asset is introduced into the institution’s environment, a new line item is created in the risk assessment to identify the threats/vulnerabilities and mitigating controls associated with the new asset. In addition, if a threat intelligence source identifies a new threat, it is relatively simple to identify which asset(s) the threat applies to and to document the implementation of new mitigating controls.
  • Assists with audit scoping. Rather than performing a full-scope IT audit each year, management can focus audits on the highest risk assets or most critical controls.

While it may take some time to transition from a threat-based risk assessment to an asset-based risk assessment, the data obtained from an asset-based risk assessment will generally be more valuable to the institution by providing better visibility of current control deficiencies, simplification of updates, and more focused audits.
For more information on this article, or to find out more information on how Young & Associates, Inc. can assist your financial institution, contact Mike Detrow at or 330.422.3447.

A Look to the Future

By: Jerry Sutherin, President & CEO, Young & Associates, Inc.

On January 31, 2018, I was fortunate to have the opportunity to purchase Young & Associates, Inc. from Mr. Gary Young, the company’s founder and current Chairman. Nearly 40 years ago, Gary created this organization with a vision of providing community banks with consulting services that were typically cost-prohibitive to perform internally. Since its inception in 1978, Young & Associates has evolved from a small start-up organization offering select outsourcing and educational services to one of the premier bank consulting firms with clients nationwide and overseas. We now offer consulting, education, and outsourcing services for nearly every aspect of banking.

From the outset of our acquisition discussions, Gary and I agreed that the greatest asset of the company is its employees. Over the years, not only has Gary developed unique servicing platforms for the industry but more importantly, he has assembled an employee base that is second to none. These employees provide a level of expertise and service to our clients that remains unparalleled in the community banking industry.

To quote Gary, “I founded Young & Associates with the goal of assisting community banks while maintaining a family atmosphere that valued and respected the people that I work with.” Going forward, it is my primary objective to carry on this legacy that Gary has created. I look forward to making this a seamless transition building on the solid foundation that Gary has built over the years. With the work of our employees and support of our clients, there is no doubt that Gary’s legacy will continue for years to come.

Although the ownership of Young & Associates, Inc. has changed, the company’s name, mission, personnel, quality of service, and structure will not change in any way. Gary now serves as Chairman of the Board and will remain actively involved with the business through January 2019, providing the same high-quality service while also assisting me with the transition. In addition to ensuring a smooth internal transition, Gary and I remain focused on making sure that the relationship with our clients remains strong. Existing and new clients are encouraged to contact me, Gary, or any of our consultants to discuss this transition and how we might be able to earn your business.

Community Bank IT Staffing – Doing More with Less

By: Mike Detrow, Senior Consultant and Manager of IT

Over the past two years, we have seen a significant increase in the number of community bank IT managers that have voiced substantial concerns about the ability of their bank’s current staff to properly secure their information systems and maintain regulatory compliance. These concerns are the result of IT managers trying to meet the requirements of new regulatory guidance related to information security and working to prevent potential damage from evolving cyber threats without supplemental staffing or other resources.

Some of the potential risks for a community bank with insufficient resources to properly maintain and secure its information systems include:

  • A data breach resulting from inadequate configuration management or security monitoring
  • A system outage, disruption, or data loss due to inadequate maintenance or system monitoring
  • The resignation of an overwhelmed IT manager, leaving an unusable IT infrastructure for a bank with an insufficient succession plan
  • Regulatory compliance issues due to repeat audit and examination findings

In many cases, it will be difficult for a community bank to add internal staff to address these risks, especially those that are located in rural areas. However, there are a number of cost-effective ways for a community bank to make its current IT staff more efficient and its information systems more secure through the use of automation and by adding additional expertise through education and/or the use of service providers.

  1. Education. Providing opportunities for the bank’s IT staff to attend training classes or to participate in peer discussions during industry conferences or forums will help them to learn best practices and gain other valuable insights that will increase their efficiency and improve security practices. Many state banking associations host annual technology conferences that can be an invaluable resource for the IT staff of a community bank, especially those that do not have a formal IT background.
  2. Automation. Tools to automate labor-intensive tasks such as patch management, capacity and performance monitoring, and event management can be implemented. Many manual tasks can be automated by implementing a remote monitoring and management (RMM) solution. By installing a management agent on each of the bank’s workstations and servers, the bank’s IT staff can manage all of the servers and workstations through a single dashboard. Some of the features of an RMM solution include: patch management, antivirus management, event monitoring, software installation monitoring, automated tasks, email alerts, and remote access. An RMM solution also assists with proactive monitoring to identify issues before they cause downtime.
  3. Engage a Consultant. Engaging a consultant to assist with policy updates and other compliance tasks can provide valuable insight and eliminate hours of research time spent by the bank’s staff. An experienced consultant will be familiar with regulatory requirements and he/she will have valuable insight, sample templates, and policy language to share.
  4. Outsource Network Management. Outsourcing the management and monitoring of the bank’s in-house servers, workstations, and other network devices to a managed services provider (MSP) can free up a significant amount of time for the internal IT staff and also offers additional expertise for complex systems such as virtual servers. In addition, having a team of professionals from the MSP supporting the bank mitigates the risks associated with relying on a single bank employee to maintain the entire IT infrastructure. There are even service providers that can move all of the bank’s critical information systems to their secure datacenter, which can significantly enhance the ability for a bank to recover from and function during a disaster.
  5. Outsource Firewall Monitoring. While we still see some banks utilizing internal staff or their MSP to monitor their firewall, most lack the expertise and 24x7x365 availability to properly monitor this critical system. Early detection and eradication of a threat can drastically reduce the potential damage caused to the bank’s information systems and its reputation. A managed security services provider (MSSP) maintains the appropriate expertise and staffing levels within its security operations center to quickly identify a threat and follow agreed upon response procedures.
  6. Outsource Vendor Management. Gathering all of the required documents from each of the bank’s service providers and properly reviewing all of this documentation can require a significant amount of time and expertise. There are a number of service providers that can perform the majority of this work on the bank’s behalf and provide a summary of their findings for management’s review.

Just like moving from in-house to outsourced core processing, utilizing service providers to assist with the management of the bank’s IT infrastructure and compliance needs can provide additional expertise and allow the bank to operate efficiently and securely with limited internal resources. As with any outsourced relationship, it is critical for management to perform appropriate due diligence for any service providers that the bank may consider for the services listed above. During the due diligence process, it is very important to ensure that the service provider has experience working with financial institutions and understands the regulatory requirements that must be met.

With cyber risks remaining a significant concern for community banks for the foreseeable future, failing to address staffing limitations now will only compound these risks in the future. If you have any questions about this article or you would like to discuss the ways that Young & Associates, Inc. can assist your bank through a consulting relationship, please contact Mike Detrow at or 330.422.3447.

Network Vulnerability Management – Don’t Be a Soft Target for Attackers

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

As the recent Equifax breach illustrates, failing to remediate known vulnerabilities in a timely manner can have significant consequences. In the case of Equifax, reports indicate that a patch was issued approximately two months prior to the May 2017 breach for the vulnerability that was exploited during this breach. While financial institutions have been quick to criticize Equifax for their vulnerability management practices, they should also take some time to evaluate their own vulnerability management practices and enhance them as needed to help prevent a breach at their own institutions.

During the vulnerability assessments that we perform for community banks, it is not uncommon to see systems that are missing patches that have existed for a year or more. While these are typically internal systems, this can still present a significant risk to the bank based on the role(s) of the affected systems. It should also be noted that vulnerability management for internal systems is as critical as ever, as attackers are able to use social engineering tactics to bypass perimeter controls such as firewalls and gain direct access to the internal network by compromising an employee’s workstation. In addition, many community banks are only having vulnerability assessments performed on an annual basis, which means that a number of vulnerabilities may go undetected for nearly a year.

Community banks need to improve their vulnerability management practices to remediate vulnerabilities in a timely manner rather than allowing them to exist for months or even years. We often hear community bankers comment that they are too small to be the target of an attack, but they must also consider that an attacker may purposely go after a soft target like a community bank with poor vulnerability management practices that makes it easier to accomplish his or her mission.

Patch Management vs. Vulnerability Management

Patch management is a significant aspect of vulnerability management, but patch management alone will not mitigate every vulnerability on the bank’s network. An example of this is an internal server that houses reports from the core system and allows anonymous access, meaning that no username or password is required to access this data using a File Transfer Protocol (FTP) client. In this example, the server may be completely up-to-date with the latest security patches, but this insecure configuration may allow unauthorized access to the data on this system. Another concern is the systems and applications that may be missing from a bank’s patch management program. We still see banks that are only performing Microsoft and limited third-party patching. Failing to patch the software on other devices such as ATMs, routers, switches, and printers will leave these devices vulnerable to attacks.

Developing a Vulnerability Management Program

The process to develop a vulnerability management program starts with a complete inventory of the devices connected to the bank’s network. Even small community banks now have a significant number of network-connected devices such as ATMs, DVRs, alarm panels, time clocks, and environmental monitors in addition to the commonly known devices such as workstations, servers, printers, and routers. During this step, it may be helpful for the bank’s staff to scan the network with a network mapping tool to help identify devices that may not be included in the current network inventory. At a minimum, the inventory should identify the location, IP address, manufacturer, and model for each device. In the case of servers, workstations, and mobile devices, the bank must understand what applications are installed on each device to ensure that each application is patched in addition to the operating system.

The second step is to ensure that a comprehensive patch management program is in place at the bank. As noted above, a bank’s patch management program may not currently include all network-connected devices. Special attention should be given to devices that are connected to the bank’s network that are vendor-managed to ensure that the vendor has appropriate patch management procedures in place. Some examples of vendor-managed systems include: routers that are managed by the core system provider, DVRs, ATMs and alarm panels.

A comprehensive patch management program will include all devices that are connected to the network, and it will prescribe:

  • A method to identify the availability of new patches that apply to the devices on the bank’s network
  • An evaluation and testing process for each patch
  • A procedure to back up critical systems before installing a patch
  • Timing for the installation of each patch based on its risk rating

The third step is to identify the vulnerabilities that currently exist on each device. This is most easily accomplished by performing a vulnerability scan on the internal network and against any internet-facing devices that are owned by the bank. The vulnerability scan can be performed by a consulting firm or the bank’s staff can perform the scan using an automated vulnerability scanner.

There are typically two basic types of vulnerability scans that can be performed, credentialed and un-credentialed. A credentialed scan uses administrative credentials to log on to each device to perform a more in-depth evaluation of the vulnerabilities that may exist. An un-credentialed scan does not use credentials and therefore only identifies vulnerabilities that can be detected without logging on to each device.

The number of vulnerabilities identified by a credentialed scan will typically be significantly higher than those identified by an un-credentialed scan. It is important to note that if the bank only performs un-credentialed scans, the vulnerabilities that would have been identified by a credentialed scan will still exist on the network; they just will not appear in the un-credentialed vulnerability scan report. In addition, a credentialed scan will typically identify many privilege escalation vulnerabilities that an un-credentialed scan is unable to detect.

The results of the vulnerability scan will be provided within a report that the bank’s staff or managed services provider can work through to install patches or make configuration changes to remediate the detected vulnerabilities. The vulnerability scan report will assign a risk rating to each vulnerability that is identified to help the bank’s staff prioritize its response to each vulnerability.

As the bank’s staff or managed services provider works through the list of vulnerabilities, a tracking process should be in place to identify the patches that are installed and configuration changes that are made to remediate each vulnerability. Once the tracking document identifies that all of the vulnerabilities are remediated, it is time to perform another vulnerability scan to verify that all of the previously identified vulnerabilities are remediated. If this is the first or most recent vulnerability scan, this process will help the bank’s staff establish a baseline to work from as they continue to identify vulnerabilities and correct them.

The fourth step is to determine the frequency with which vulnerability scans will be performed. The scan frequency will be dependent on the size and complexity of the bank; however, based on the rate at which vulnerabilities are being discovered, a minimum scan frequency of once each quarter should be strongly considered. Monthly or even weekly vulnerability scans are highly recommended for more complex environments.

Once the steps listed above are complete, the bank should have established:

  • A complete network device inventory that must be maintained as changes occur within the bank’s network
  • A comprehensive patch management program
  • A schedule for performing automated vulnerability scans
  • Procedures to review the vulnerability scan reports and remediate the identified vulnerabilities
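The tracking and verification loop described in the third step (work the report, record each fix, rescan to verify, keep the baseline), as an added example that is not from the article or from Young & Associates: a Python script that reconciles a constructed baseline scan export against a rescan and the staff’s tracking record, and reports what was remediated, what is still open and past its remediation window, what was recorded as fixed but is still detected, and what is new. The export layout, hosts, plugin IDs, dates and the per-rating remediation windows are assumptions.

```python
"""Reconcile a baseline vulnerability scan, the remediation tracking record, and a rescan."""
from datetime import date

# Remediation windows in days by scanner risk rating. Assumed policy values for this
# example; the article only says patch timing should be based on the risk rating.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed scan exports (not real scanner output). Columns: host,plugin_id,risk,title
BASELINE_SCAN = """\
10.10.1.5,1001,Critical,Missing operating system security update
10.10.1.5,1002,High,Outdated third-party application
10.10.1.7,2001,Medium,Anonymous FTP read access enabled
10.10.1.20,3001,Low,Self-signed certificate
10.10.1.9,4001,High,Unsupported firmware on network device
"""
RESCAN = """\
10.10.1.5,1002,High,Outdated third-party application
10.10.1.9,4001,High,Unsupported firmware on network device
10.10.1.22,1001,Critical,Missing operating system security update
"""
BASELINE_DATE = date(2024, 1, 15)   # constructed dates
RESCAN_DATE = date(2024, 3, 1)

# Constructed tracking document: what staff recorded as remediated since the baseline.
TRACKING = {
    ("10.10.1.5", "1001"): "OS update installed",
    ("10.10.1.7", "2001"): "Anonymous FTP access disabled",
    ("10.10.1.20", "3001"): "Certificate replaced",
    ("10.10.1.9", "4001"): "Firmware updated",   # recorded as done, but the rescan disagrees
}


def parse_scan(text):
    """Parse an export into {(host, plugin_id): finding}; the pair identifies one finding."""
    findings = {}
    for line in text.strip().splitlines():
        host, plugin, risk, title = line.split(",", 3)
        findings[(host, plugin)] = {"host": host, "plugin": plugin, "risk": risk, "title": title}
    return findings


def reconcile(baseline, rescan, tracking, baseline_date, rescan_date):
    """Classify every finding as remediated, still open (with SLA and tracking checks), or new."""
    age_days = (rescan_date - baseline_date).days
    remediated = sorted(k for k in baseline if k not in rescan)
    new = sorted(k for k in rescan if k not in baseline)
    still_open = []
    for key in sorted(baseline.keys() & rescan.keys()):
        f = dict(rescan[key])
        f["age_days"] = age_days
        f["overdue"] = age_days > SLA_DAYS[f["risk"]]
        # Recorded as fixed in the tracking document yet still detected: the fix did
        # not take, or the wrong device was patched. Needs follow-up, not closure.
        f["claimed_fixed"] = key in tracking
        still_open.append(f)
    still_open.sort(key=lambda f: RISK_ORDER[f["risk"]])   # work highest risk first
    return {"remediated": remediated, "new": new, "still_open": still_open}


def report(result):
    """Human-readable summary for the tracking document."""
    lines = [f"Remediated and verified by rescan: {len(result['remediated'])}"]
    for f in result["still_open"]:
        flags = []
        if f["overdue"]:
            flags.append(f"OVERDUE ({f['age_days']}d > {SLA_DAYS[f['risk']]}d)")
        if f["claimed_fixed"]:
            flags.append("recorded as fixed but still detected")
        suffix = f"  [{'; '.join(flags)}]" if flags else ""
        lines.append(f"OPEN {f['risk']:<9}{f['host']:<12} {f['title']}{suffix}")
    for host, plugin in result["new"]:
        lines.append(f"NEW  {host:<21} plugin {plugin} (not in baseline)")
    return "\n".join(lines)


def run_example():
    """Reconcile the constructed baseline, tracking record and rescan."""
    return reconcile(parse_scan(BASELINE_SCAN), parse_scan(RESCAN), TRACKING,
                     BASELINE_DATE, RESCAN_DATE)


if __name__ == "__main__":
    print(report(run_example()))
```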

As I mentioned in “The Changing Role of the Community Bank IT Manager” in last quarter’s 90 Day Note, community banks must adapt to the changing threat landscape and budget for additional information security resources. While some may view these additional expenses as unnecessary, they will most likely be minuscule in comparison to the costs associated with a data breach at the bank.

Young & Associates, Inc. can assist your bank with its vulnerability management program by performing quarterly or monthly vulnerability assessments to identify the vulnerabilities that exist on your network and recommend remediation procedures. Please contact Mike Detrow for more information about our vulnerability assessment services at or 330.422.3447.

The Changing Role of the Community Bank IT Manager

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

At small community banks, the IT Manager role was once, and in some cases still is, one of many hats worn by the President or CFO. However, this role is quickly evolving into a nearly full-time position even at smaller community banks. There are a number of factors that are contributing to this change, including increased use and sophistication of technology, increased regulatory scrutiny for cybersecurity, and the rapidly changing threat landscape.

It was not long ago that the IT Manager only needed to support a few internal servers and workstations. Over time, technology and customer expectations have evolved, leading to increased network complexity through the requirement for additional internal servers to support new services, the use of server virtualization, and connectivity to additional outside networks. In addition, the use of mobile technology has expanded dramatically leading to employees using mobile devices to access internal network resources, and banking services being provided to customers through their mobile devices.

The amount of time required to properly manage and monitor a bank’s information systems has increased dramatically. However, in many cases, community banks have not significantly increased the human resources assigned to the management of their IT environment. We have had numerous discussions with bank IT personnel indicating that they do not believe that they have enough time and resources to properly address the changing IT regulatory requirements and new cyber risks. While some community banks have outsourced the management of their network and other systems to a service provider, this does not relieve the bank of its role in the oversight of these systems. Additionally, outsourcing increases the time that the bank must spend to manage these vendor relationships.

Here are some of the areas where we have seen community banks spending additional time to perform IT and information security functions:

  • Vendor Management. As the bank implements new services or engages service providers to manage existing services, additional time is required to monitor these vendors. Significant time is needed to obtain the required documentation from each vendor and to review and analyze this documentation.
  • Threat Intelligence. Threat intelligence sources are monitored to identify threat sources and their current activities to identify and implement mitigating controls that will limit the potential impact of these activities on the bank. Significant time can be spent analyzing the data from threat intelligence sources to determine its applicability to the bank and to then implement or modify mitigating controls.
  • Risk Assessment and Policy Maintenance. As the bank adds or changes technologies or services, risk assessments and policies must be created or updated to address their risks. In addition, risk assessments need to be updated periodically to ensure that the risks associated with new or changing threats are evaluated and mitigated. A cybersecurity assessment must be completed and reviewed periodically based on changes within the bank’s IT environment.
  • Ongoing Employee Information Security Awareness Training. With most banks providing external email access and internet access to all of their employees, each employee has become a critical link in the security chain where the result of one employee clicking on a malicious link in an email can be an organization-wide catastrophe. Annual training is no longer adequate to keep employees apprised of current threats such as ransomware and phishing scenarios. A significant amount of time can be spent developing training materials and distributing them to employees on an ongoing basis.
  • Event Management and Monitoring. Network devices, operating systems, and applications must be monitored to identify malicious activity. In the past, many banks were only monitoring perimeter devices such as firewalls and believed that the perimeter devices would stop any threats. However, many current attacks start with the installation of malicious code on an employee’s workstation to bypass the controls imposed by the firewall, and then the attacker moves around, potentially undetected, on the internal network. Monitoring for malicious activity on all of the bank’s internal network devices can require significant resources.
  • Patch Management. Patch management is more than just patching Microsoft operating systems and applications such as Adobe Acrobat and Java. Patch management includes updating the software running on network devices such as firewalls, routers, switches, DVRs, and printers to address any known vulnerabilities. Additional time must be spent to identify the release of new patches, and in many cases the patches must be installed manually on each network device.
  • Disaster Recovery / Business Continuity Planning and Testing. A bank’s increased dependence on technology requires formal documentation for maintaining business continuity and testing the selected plans to ensure that the bank can recover from a disaster within a reasonable time frame to allow for the continued performance of its daily functions. Additional time is required to initially document recovery strategies and then modify the strategies based on system or vendor changes. Time is also required to prepare testing strategies, coordinate testing schedules with vendors, and analyze the test results.
  • Incident Response Planning and Testing. Many experts say that it is not a question of if a business will be hit by some form of breach, but a question of when it will happen. Banks must have a well-documented plan in place to detect and respond to an information security incident. In addition, the plan needs to be tested periodically to ensure that all employees are aware of their roles to effectively and efficiently respond to an incident.

Potential Costs of a Breach
Why should changes to the technology used by the bank, changes to regulatory requirements, and the evolving threat landscape be a significant concern for the board of directors? The board of directors is ultimately responsible for the management of the information security program, and failing to provide the appropriate resources to manage the IT and information security functions at the bank can lead to regulatory enforcement actions, harm to the bank’s reputation, and significant costs associated with a data breach.

According to the Ponemon Institute’s 2017 Cost of Data Breach Study: United States, performed June 2017, the average cost for each lost or stolen record containing sensitive and confidential information is $225. This study also indicated that breaches involving businesses within the financial services industry had a per capita cost of $336.

Insurance Coverage
Another consideration for the board of directors is insurance coverage. While a bank may have a cyber insurance policy, management needs to thoroughly understand the requirements for this policy and ensure that it is meeting all of the minimum security requirements of the policy. Insurance companies may reject a claim or even seek repayment of a settlement if defined controls were not in place at the bank at the time of a breach.

Using the example of a community bank with assets of $100 million and 12,000 customer records, a breach of those 12,000 records could cost the bank roughly $4 million (12,000 records at the $336 per-record figure above). This would be a substantial loss for the bank if insurance coverage is not appropriate, and even more significant if an insurance claim is denied due to the bank’s failure to maintain the minimum security requirements defined within the policy.

Continuing Education
With the rapid changes in technology and the changing threat landscape, continuing education for the bank’s IT staff is also a critical consideration. A bank’s IT Manager must learn how to change the bank’s mitigation strategies to address evolving cyber threats rather than relying solely on the strategies that have been used in the past. There are numerous options for continuing education such as cybersecurity conferences sponsored by state banking associations and webinars.

Cybersecurity Assessment Tool Staffing Requirements
With the regulatory focus on cybersecurity, another illustration of the need to evaluate the human resources required to effectively manage the bank’s information systems can be found in the declarative statements within the staffing section of the FFIEC’s Cybersecurity Assessment Tool as shown below. Attainment of the baseline cybersecurity maturity level is required for all banks as this level identifies the minimum expectations required by law, regulations, or supervisory guidance. The declarative statements within the evolving cybersecurity maturity level will also need to be attained by small community banks as they increase their maturity level over time.

Baseline

  • Information security roles and responsibilities have been identified.
  • Processes are in place to identify additional expertise needed to improve information security defenses.

Evolving

  • A formal process is used to identify cybersecurity tools and expertise that may be needed.
  • Management with appropriate knowledge and experience leads the institution’s cybersecurity efforts.
  • Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position.
  • Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk.

In summary, the board of directors and senior management must carefully consider the resources required to appropriately manage the bank’s information systems given the rapid technological, regulatory, and threat landscape changes. Strategic plans should account for the additional workload that will be created to support changes within the bank’s IT environment to achieve management’s strategic goals, and ensure that appropriate human resources are included within those plans.

For more information on this article or how Young & Associates, Inc. can assist you, contact me at 330.422.3447 or


FFIEC Cybersecurity Assessment Tool Update – New Version of the Cybersecurity Assessment Workbook Released

On May 31, 2017, the FFIEC announced an update to the Cybersecurity Assessment Tool which includes a change within the cybersecurity maturity section of the tool and an updated mapping of the baseline statements to the FFIEC IT Examination Handbooks.

The update to the cybersecurity maturity section of the tool allows institutions to select “Yes with Compensating Controls”, meaning that an institution has implemented a control or controls that protect an information system in a manner that is comparable or equivalent to a recommended security control within a declarative statement. Appendix A was revised to incorporate the updates to the Information Security and Management booklets.
Version 2.0 of the Cybersecurity Assessment Workbook (see below) incorporates the changes within the cybersecurity maturity section of the tool, as well as the content of Appendix A.

Cybersecurity Assessment Workbook
(#310) – $299

This electronic workbook allows a financial institution to easily complete the FFIEC Cybersecurity Assessment Tool and generate the needed summaries for analysis and board reporting. The workbook is set up with two main sections: 1) Inherent Risk Profile and 2) Cybersecurity Maturity.

Inherent Risk Profile. Includes five worksheets for the five categories of inherent risk identified in the Cybersecurity Assessment Tool. This section also contains a summary worksheet to assist the reviewer with the identification of an Overall Inherent Risk Profile.

Cybersecurity Maturity. Includes five worksheets for the five domains identified by the Cybersecurity Assessment Tool. A summary worksheet for each of the five domains allows the reviewer to identify the maturity level for each domain.

Easy to Use and Understand
All of the required data entry is completed through the use of drop-down boxes, and provisions are included to allow the reviewer to enter notes and comments as needed throughout the workbook. Colorful summaries are included to simplify analysis and for inclusion in a report to the Board.

The Cybersecurity Assessment Workbook is available for $299.

To Order: Click Here.

The Director’s Role in Information Security

By: Mike Detrow, Senior Consultant and Manager of IT

Technology has changed significantly at community banks over the past 15 years. For many years, banks only had to manage a core processing system, a standalone Fedline PC, and a few workstations that were used for word processing and maintaining spreadsheets. These systems were relatively easy to secure as data was maintained in-house and connectivity to external networks was limited. Fast forward to 2017 and community banks now have connections to numerous outside networks including the internet and those of core processing vendors. Services are being offered to customers through cell phones and tablets, customer data is processed through websites, and data is stored in many locations that are not controlled by the bank.

Whether making a loan, depositing a check, or checking a customer’s account balance, nearly every function within the bank now relies on some form of technology. To remain competitive, the implementation of new technology is necessary to meet the needs of customers and to reduce a bank’s operating expenses. However, information security has often been an afterthought rather than being incorporated during the implementation process.

Regulators are emphasizing the need for a change to the security culture within community banks to make information security a higher priority, and this change must begin with the board of directors. The board must take a more active role in the oversight of the bank’s information security program. All too often, information security is treated as something that only the “IT person” can understand, and directors do not properly scrutinize the decisions made by the IT Manager or an outsourced technology support provider. The board of directors is ultimately responsible for the security of the customer information maintained by the bank and the third parties that the bank uses. As such, directors must have a clear understanding of the regulatory requirements for protecting customer information, as well as defining and monitoring the bank’s information security program. While directors may not fully understand all of the technical aspects, I have provided some general recommendations for overseeing the information security program within this article.

Recommended Documents
The following documents should be reviewed and approved by the board of directors on an annual basis, or more frequently depending on the changes that occur within the bank. While much of the information in these documents will not change, there will typically be some changes each year due to employee turnover, technological changes, or new regulatory guidance. These changes should be clearly documented to allow directors to evaluate the changes before approving the updated documents. If there are no recommended changes to these documents over a period of several years, directors should request an explanation from management.

  • IT Strategic Plan. An IT Strategic Plan should be in place to align IT initiatives with the bank’s overall strategic plan. This may include the implementation of additional products and services to compete with other financial institutions or the implementation of technologies to create internal efficiencies. The IT Strategic Plan may also identify systems that are approaching the end of their manufacturer’s support lifecycle and identify upgrade/replacement strategies.
  • IT Budget. The budgeting process should include information technology and information security expenses such as hardware and software maintenance, technology service provider expenses, contract renewals, recently approved project expenses, training expenses, and risk mitigation expenses.
  • Information Security Program. The Information Security Program identifies the technical, physical, and administrative safeguards that must be implemented to maintain the confidentiality, integrity, and availability of the bank’s information systems.
  • Information Security Risk Assessment. The Information Security Risk Assessment should identify the information systems that are in use, classify the data that the information systems store or process, identify the threats and vulnerabilities associated with each information system, identify the likelihood and impact of the risks, identify the mitigating controls that have been implemented, and evaluate the effectiveness of the mitigating controls. The risk assessment should be updated before implementing new information systems and as new threats are discovered.
  • Incident Response Plan. The Incident Response Plan should identify the procedures to be performed in response to an incident involving loss of data availability, confidentiality, and/or integrity, such as a breach. The steps of this plan should include containing the incident, recovering from the incident, the investigation process, and the notification process. This plan should be tested on a regular basis to evaluate the effectiveness of the response procedures for various types of incidents.
  • Business Continuity/Disaster Recovery Plans. The Business Continuity and Disaster Recovery Plans identify procedures for performing the bank’s business processes during or following various types of operational interruptions. These procedures must be tested on a regular basis to ensure the continuity of these business processes during a variety of disruptive events, such as natural disasters, service provider interruptions, and cyber-attacks.
  • Cybersecurity Assessment. A formal Cybersecurity Assessment should be performed to evaluate the bank’s inherent cyber risk and the effectiveness of its cybersecurity controls. If the bank is utilizing the FFIEC’s Cybersecurity Assessment Tool, an understanding of the relationship between the Inherent Risk Profile and the Cybersecurity Maturity Level is required. Plans for attaining the recommended Cybersecurity Maturity Level should be developed and the status of this process should be monitored. The Cybersecurity Assessment should be reviewed annually and updated when changes occur that affect the bank’s Inherent Risk Profile.

Recommended Reports
The Information Security Officer should provide information security program status reports to the board of directors on at least an annual basis. These reports should identify the risk assessment process, risk management and control decisions, service provider arrangements, results of independent testing of the information security program, security breaches, and recommendations for updates to the program. While some of the content within these reports will not change, these reports should reflect the actual activity since the last report and should not just be the same report with a new date at the top.

While many community banks have implemented a steering committee to manage their information security programs, directors still need to ensure that the program is effectively managed. If a steering committee is used, a formal charter should be in place to define the committee’s purpose and responsibilities. The board of directors should receive copies of the steering committee’s meeting minutes to monitor committee activities and to ensure that it is fulfilling its requirements.

Information system reports and service provider reports should be regularly monitored to identify any events that require further investigation. Some examples of the reports that should be reviewed by the steering committee or the board of directors include:

  • Patch management
  • Firewall
  • Intrusion detection system
  • Intrusion prevention system
  • Anomalous operating system events
  • Malware/virus protection
  • Managed services provider tickets
  • Vendor management

If the reports that are provided never indicate any anomalous activity that requires further investigation, directors should question the validity of the reports and request a review of the reporting parameters for the system(s).

Independent Audits
To assist the board of directors with its evaluation of the effectiveness of the bank’s information security program, periodic independent audits should be performed. These audits are typically performed on an annual basis depending on the size and complexity of the bank and its risk assessment. The board of directors or the audit committee should be involved in the external auditor selection process and the audit scoping process. At least one director should participate in the auditor’s exit meeting to ensure an understanding of any recommendations made by the auditor.

The use of a top-down approach to manage information security and holding employees accountable for complying with the bank’s information security program will greatly strengthen the security culture within the bank. A strong security culture will help to enhance the bank’s reputation among its customers, community, and the financial industry.
For more information on this article or on how Young & Associates, Inc. can assist you in this process, contact me at 330.422.3447 or

Phishing: Understanding the Risks and Implementing an Effective Employee Training Program

By: Mike Detrow, CISSP, Senior Consultant and Manager of I.T.
Assessments show that the human element is always the weakest link in the security chain. It is not uncommon for a community bank to fare well during external network vulnerability scans due to appropriately configured firewall rules controlling inbound traffic and/or limited internally hosted services. While controls may be implemented to mitigate technical vulnerabilities, humans are still susceptible to social engineering attacks such as phishing. This vulnerability may be compounded by community banking values, such as customer service and employee accessibility. One example of employee accessibility is placing employee email addresses on the bank’s website. While it is not a bad practice to provide employee contact information on the bank’s website, placing email addresses directly within a webpage, rather than utilizing a contact form to hide the email address from automated tools and website visitors, simplifies the email address harvesting process.
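A bank can find out what its own website exposes before anyone else does. The following is an added example written for this article, not a Young & Associates tool: it scans a page for e-mail addresses that appear in plain text or in mailto: links and notes whether a contact form is present as the alternative the article recommends. The HTML it scans is constructed, and the domain examplebank.test is a placeholder.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not a real bank site): one address in plain
# text, one behind a mailto: link, and a contact form.
SAMPLE_HTML = """
<html><body>
<h2>Contact Us</h2>
<p>Loans: jane.doe@examplebank.test or call 555-0100</p>
<p>Deposits: <a href="mailto:john.roe@examplebank.test">Email John</a></p>
<form action="/contact" method="post">
  <input name="message"><button>Send</button>
</form>
</body></html>
"""

# Conservative address pattern: enough to catch what a harvesting tool
# would also catch, without trying to validate RFC 5322 in full.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class ExposureScanner(HTMLParser):
    """Collects addresses visible in page text or mailto: links and
    records whether the page offers a contact form instead."""

    def __init__(self):
        super().__init__()
        self.text_addresses = set()
        self.mailto_addresses = set()
        self.has_form = False

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.has_form = True
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith("mailto:"):
                # strip any ?subject=... query part
                addr = href[len("mailto:"):].split("?", 1)[0]
                self.mailto_addresses.add(addr.lower())

    def handle_data(self, data):
        for addr in EMAIL_RE.findall(data):
            self.text_addresses.add(addr.lower())


def scan_page(html):
    """Return the addresses exposed on one page and whether a form exists."""
    scanner = ExposureScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "text": sorted(scanner.text_addresses),
        "mailto": sorted(scanner.mailto_addresses),
        "has_contact_form": scanner.has_form,
    }


def exposure_findings(html):
    """Turn a scan into review findings for the web content owner."""
    result = scan_page(html)
    findings = []
    for addr in result["text"]:
        findings.append(f"plain-text address exposed: {addr}")
    for addr in result["mailto"]:
        findings.append(f"mailto: link exposed: {addr}")
    if (result["text"] or result["mailto"]) and not result["has_contact_form"]:
        findings.append("no contact form present; addresses could be replaced with a form")
    return findings


if __name__ == "__main__":
    for finding in exposure_findings(SAMPLE_HTML):
        print(finding)
```

Run against each page of the public site (after fetching it with any HTTP client), the findings list is a simple inventory of which addresses are visible to automated tools; addresses that appear only in mailto: links are just as easy to collect as plain text, which is why both are reported.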

One of the activities that we perform during the majority of our vulnerability assessments is a social engineering test, where we send a phishing email to the client’s employees to evaluate the effectiveness of the bank’s information security training program. Through our assessments, we frequently demonstrate the ease with which an attacker can convince multiple employees to visit a malicious link or provide information system login credentials.

Many community banks utilize technology service providers for services such as email hosting, loan documentation, document imaging, and online mortgage applications. These services are often accessed through a web browser. As a result of the phishing emails that we send during our assessments, we are typically able to obtain email login credentials. If the bank is using a hosted email service with webmail capabilities, we can then use the provided login credentials to access an employee’s email account and view any non-public data that the employee has sent or received. You may be thinking, “No worries here, we have a policy that instructs employees not to send customer information through unencrypted email so they are surely following this policy.” Even so, it is very common to see customer information sent through unencrypted email between bank employees and in some cases between bank employees and customers.

Even if no customer information is sent through email, there is still plenty of other useful information within an employee’s email box. Some examples of this useful information include bank policies, employee schedules, and welcome emails with temporary login credentials for accessing web-based services. By obtaining a list of the web-based services available to the compromised email account’s owner, we can now access the websites for these services and use the password reset function which sends a link to the compromised email account to allow a new password to be set. We now have access to this web-based service which will provide access to a significant amount of customer information depending on the type of service provided. In addition, systems that rely on the user’s email address for the purpose of one-time passwords or password recovery would be compromised.

The compromised email account scenario above is just one example of the result of a phishing email. Some other examples of phishing emails include links to malicious websites for the purpose of installing malicious code onto the visitor’s workstation, and emails that instruct the recipient to perform a task such as sending a wire transfer to the attacker.

Phishing Training
While many community banks provide some form of phishing training to employees on an annual basis, this training usually consists of a policy review or a few examples of phishing emails during a presentation. This type of training is not as effective as exposing employees to actual phishing emails throughout the year.

To assist community banks with their employee training program, Young & Associates, Inc. offers a quarterly Phishing Training service. The intent of this service is to simulate real-world phishing scenarios during the normal business day and require each employee to respond individually to the email. Employees who fall for the email can receive additional training from a supervisor, or training materials can be presented immediately after a link is clicked or credentials are provided. Unlike do-it-yourself services that require someone at your institution to develop their own phishing scenarios, send emails, and monitor the results, our consultants do all of the work. Our consultants will send the phishing emails, monitor the results, and provide a report of the results to your institution’s management team.
Our consultants will work with your institution to develop a customized phishing training program for your employees which will establish:

  • Expectations for the training program
  • A baseline of the effectiveness of the current employee training program based on the first quarterly email
  • A schedule for sending the remaining quarterly emails
  • Increases to the complexity of each remaining email
  • Development of ongoing training materials

For information about our Phishing Training service, please contact Mike Detrow at 1.800.525.9775 or click here to send an email.

Implementing a Threat Intelligence Program

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

As part of its continued focus on cybersecurity, the Federal Financial Institutions Examination Council’s (FFIEC) September 2016 Information Security Handbook emphasizes the need for institutions to implement procedures for obtaining, monitoring, assessing, and responding to evolving threat and vulnerability

Institutions have typically implemented a number of preventative controls such as firewalls, intrusion prevention systems, and antivirus applications to protect their information systems. However, these systems are not always effectively managed and monitored. Even in cases where perimeter devices are well managed and monitored, it is not uncommon to see security weaknesses within the internal network such as missing patches, system misconfigurations, and default passwords. Advanced attacks may not be prevented by perimeter network controls alone and may only be identified through information obtained from external intelligence sources and by monitoring internal detection systems.

An advanced attack typically follows these general steps to achieve the attacker’s goal:

1. Active and passive reconnaissance is performed to learn about the target organization and to identify weaknesses.
2. Based on the identified weaknesses, the attacker obtains or develops malicious code and attempts to deliver this code to the organization through social engineering techniques, exploitation of vulnerable services or applications, or other means.
3. If the attacker is successful, malware and/or backdoors are then installed on the organization’s systems for the attacker to establish control.
4. If needed, privilege escalation is performed through exploiting vulnerable systems or misconfigurations.
5. The attacker performs the intended activities, such as data exfiltration from the organization’s information systems.

To comply with the FFIEC’s guidance, financial institutions must implement a Threat Intelligence Program that documents the following:

  • Employee Responsibilities. Employee responsibilities for monitoring, analysis, response, and reporting should be clearly defined to ensure accountability and appropriate approval for any recommended changes. In addition, the responsibilities for monitoring accounts with administrative capabilities should be documented to ensure independence.
  • Monitoring Threat Intelligence Sources. External threat intelligence sources may include the Financial Services Information Sharing and Analysis Center (FS-ISAC), hardware vendors, or software vendors. Internal sources may include intrusion prevention systems, intrusion detection systems, firewall logs, server event logs, antivirus alerts, or a Security Information and Event Management (SIEM) system. The process for monitoring internal systems begins with the development of a network activity baseline, or in other words, an understanding of the normal daily activity within the institution’s IT environment. Once the institution understands the baseline, monitoring systems can be implemented and tuned to provide alerts to activity that is outside of the baseline and requires additional analysis. A list of the intelligence sources that are monitored and the procedures for monitoring these sources should be documented. Monitoring procedures may indicate that emails are sent to specific employees when an alert is issued or they may indicate that an employee reviews a system management console on a daily basis. Monitoring procedures may also indicate the process for determining the applicability of an alert to the institution’s environment.
  • Analysis and Response. Analysis and response procedures should identify the steps to be taken to assess the risk of a specific threat, determine a mitigation strategy, and implement the mitigation strategy.
  • Reporting. Reporting procedures should identify the type and frequency of reports that will be provided to the board of directors to evaluate the effectiveness of the threat intelligence program. Reports may include a list of the threat notifications received, applicability to the financial institution, and management’s responses to the applicable threats.
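The network activity baseline described under Monitoring Threat Intelligence Sources, and the internal-device monitoring workload discussed earlier under Event Management and Monitoring, come down to the same mechanical step: learn what normal looks like, then alert on what falls outside it. The following is an added example written for this article, not code from Young & Associates or from its program templates. The log format (one line per failed logon: date, host, user), the hostnames and account names, and the alert thresholds are all constructed for illustration; a real deployment would read its logs from a SIEM or the systems themselves.

```python
import re
import statistics
from collections import Counter, defaultdict

# Assumed log format (constructed, not from any product):
#   "<YYYY-MM-DD> <host> auth failure user=<account>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<host>\S+) auth failure user=(?P<user>\S+)$"
)

# Learning window used to establish the baseline.
BASELINE_DAYS = ["2017-06-01", "2017-06-02", "2017-06-03", "2017-06-04", "2017-06-05"]


def constructed_log():
    """Build sample log lines: five normal days, then a day with a burst of
    failures against an administrative account and a host never seen before."""
    lines = []
    normal = {"TELLER01": ("jsmith", [2, 1, 3, 1, 2]),
              "TELLER02": ("mjones", [1, 2, 1, 2, 1])}
    for host, (user, counts) in normal.items():
        for day, n in zip(BASELINE_DAYS, counts):
            lines += [f"{day} {host} auth failure user={user}"] * n
    lines += ["2017-06-06 TELLER01 auth failure user=jsmith"] * 2
    lines += ["2017-06-06 TELLER02 auth failure user=mjones"]
    lines += ["2017-06-06 TELLER01 auth failure user=administrator"] * 12
    lines += ["2017-06-06 FILESRV01 auth failure user=administrator"] * 3
    return lines


def parse(lines):
    """Keep only lines that match the expected format."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def daily_counts(events):
    """-> {host: Counter(date -> failed logons)}"""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["host"]][e["date"]] += 1
    return counts


def build_baseline(counts, baseline_days):
    """Per host, mean and population std dev of daily failures over the window.
    Days with no failures count as zero; hosts never seen get no baseline."""
    baseline = {}
    for host, per_day in counts.items():
        series = [per_day.get(d, 0) for d in baseline_days]
        if any(series):
            baseline[host] = (statistics.mean(series), statistics.pstdev(series))
    return baseline


def detect(counts, baseline, day, k=3.0, min_count=5):
    """Alert on hosts exceeding mean + k*stdev (never below min_count, so a
    very quiet host does not alert on a single extra failure) and on hosts
    with activity but no baseline at all."""
    alerts = []
    for host, per_day in counts.items():
        n = per_day.get(day, 0)
        if host not in baseline:
            if n:
                alerts.append((host, day, n, "host not present in baseline window"))
            continue
        mean, sd = baseline[host]
        threshold = max(mean + k * sd, min_count)
        if n > threshold:
            alerts.append((host, day, n, f"exceeds threshold {threshold:.1f}"))
    return alerts


def new_accounts(events, baseline_days, day):
    """Accounts with failed logons on `day` that never appeared in the window."""
    seen = {e["user"] for e in events if e["date"] in baseline_days}
    return sorted({e["user"] for e in events if e["date"] == day} - seen)


def run(lines, baseline_days, day):
    counts = daily_counts(parse(lines))
    return detect(counts, build_baseline(counts, baseline_days), day)


if __name__ == "__main__":
    log = constructed_log()
    for alert in run(log, BASELINE_DAYS, "2017-06-06"):
        print(alert)
    print("accounts outside baseline:", new_accounts(parse(log), BASELINE_DAYS, "2017-06-06"))
```

Two of the article's points show up directly in the output: the teller PC is flagged only because its count on the sixth day is far above its own history, not because of a fixed number chosen in advance, and the file server is flagged precisely because it has no history, which is the kind of alert that then needs the applicability analysis the article describes before anyone acts on it.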

By implementing a Threat Intelligence Program and actively monitoring evolving threats, institutions can prevent or limit a threat’s impact on the institution and its customers.

Young & Associates, Inc., has developed Threat Intelligence Program templates to assist with the implementation of a Threat Intelligence Program. For more information, click here.