Pub. 3 2013-2014 Issue 6
Over a Century: Building Better Banks - Helping Coloradans Realize Dreams | May • June 2014

agencies have ramped up their CATO best practice standards. It looks like most are using the standards put out by the Texas Electronic Crimes Taskforce. We expect to see those Protect, Detect, Respond CATO standards implemented in more and more states in the future. The sooner you incorporate ATO/CATO security controls and expand your incident response procedures to specifically address account takeover, the better.

Vendor Management – For the last several years, security and compliance consultants have enjoyed following the lone guidance on vendor management program expectations, put out by the FDIC. In the last six months, though, the OCC and the Federal Reserve have issued their own guidance for your vendor management program. All three have different requirements, so read through the guidance published by your regulatory agency and make sure you are meeting its expectations. Depending on what you are doing today, you may need to beef up your contract review and your initial vendor significance assessments. Another difference in the OCC guidance that I’ve seen get some attention in the last few months is whether the bank needs or has a “contingency plan” for the vendor relationship, meaning: are you prepared for what would happen if the relationship ended?

Distributed Denial of Service (DDoS) – DDoS attacks are on the rise, and so is examiner focus. From what we’ve seen, there aren’t any specific items examiners are looking for, just that you address DDoS attacks in your Information Security Program. I think the best thing you can do here is to look into the DDoS protection services offered by your Internet Service Provider (or by your website/Internet banking vendor, if you outsource Internet banking and your website) and also to plan how best to respond to a DDoS attack. Most DDoS attacks are meant to serve as a distraction while someone attempts to commit fraud (usually through ACH and wire services), so implementing or lowering a call-back threshold for cash management services while you are experiencing a DDoS attack could save your bank some trouble. Just like with all things, though, the best place to start is by assessing the risk.

Of course, you’ll have other security controls and documentation to answer for on your next exam, but I wanted to let you know some of the new things we’ve noticed examiners wanting to see this year. Be prepared to answer them, and good luck!

Stephanie Chaumont is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com.