How practical is an IT Security Exam?
It occurred to us that, while Wells Fargo experienced a “single point of failure” the other day, they had almost certainly passed their latest FDIC IT Security Examination. They probably also had an outside audit firm come in and examine them. My question is: how can Wells Fargo pass an FDIC IT exam and still experience a catastrophic failure? Like most (rhetorical) questions, this one has an answer.

The FDIC exams have, in our experience (50 community banks and a few larger ones), gotten more and more bureaucratic over the past few years, just as the technical security requirements have risen exponentially. We notice more and more emphasis on whether policies and procedures are written down, whether the bank has activity logs, whether there’s a disaster recovery plan, a documented vendor management plan, etc., rather than on how the bank actually follows the policies, acts to recover from a disaster, analyzes the logs, chooses vendors, or follows IT security procedures on a day-to-day basis.

Now, it’s difficult to imagine that the FDIC (or the FFIEC, or any of the state banking departments) would choose to accept responsibility for something as subjective as an examination of a bank’s actual electronic security, but that kind of examination is becoming more and more important. When we perform an IT examination, we cover what’s covered on the various regulatory examinations, but we do a far more in-depth analysis of the business’s actual ability to prevent hacks, intrusions and system-wide outages. We were actually criticized by an examiner for being too thorough! Fortunately (for us), after the examination, he reconsidered our audit and admitted that it was a pretty good evaluation of the bank’s security position.

So, I guess my point is: make sure that you and your data are REALLY secure…it’s up to you, not an examiner. After all, it’s your business (or job) at stake.