Pub. 5 2015-2016 Issue 4

O V E R A C E N T U R Y : B U I L D I N G B E T T E R B A N K S - H E L P I N G C O L O R A D A N S R E A L I Z E D R E A M S January • February 2015 19 CEDCO Small Business Finance Corporation Your Best Soursce for SBA Real Estate Loans New Easier Qualification Uninterrupted access to money through a monthly SBA-backed bond auction Low fixed-rate financing Low down payments CEDCO Small Business Finance Corporation Colorado’s SBA 504 Loan Expert TM 1175 Osage Street, Suite 110 Denver CO 80204 Denver 303-893-8989 Grand Junction 970-243-1852 www.cedco.org  More stability for your operation  A stronger balance sheet  An asset to sell when you’re ready AS A LEADING SBA 504 LENDER WE MAKE IT EASY FOR YOU  Buy, Build, Remodel or Expand Real Estate  Purchase and install long-lasting equipment  Fast, expert processing - with low loan costs  Refinance may be an option  We lend up to $5 million: borrow up to $20 million when combined with bank financing  Interest rate as low as 5.25%, fixed for 20 years  Down payments range from 10% to 20%  Most small Businesses are Eligible STREAMLINED PROCESSING  Front Range and mid-mountains call Jeff or Mary Jane 303-893-8989  Western Colorado call Pat 970-243-1861 Leticia Saiid is a Security+ certified tandem Software Support specialist for CoNetrix. tandem is a security and compliance software suite designed to help financial institutions develop and maintain their Cybersecurity Assessments and overall Information Security Program. To learn more about how CoNetrix can help you with these areas, visit our website at www. CoNetrix.com or email info@CoNetrix.com . banks to receive non-compliant results from the assessment: Data flowdiagrams are in place and document information flow to external parties. (FFIEC Infor- mation Security Booklet, page 10) This declarative statement is the third item in the Connections component of the External Dependency Management domain. According to the FFIEC Infor- mation Security Booklet (as referenced on the statement): “A financial institution's outsourc- ing strategy also should be considered in identifying relevant data flows and information processing activities. The institution's system architecture diagram and related documentation should identify service provider relationships, where and how data is passed between systems, and the relevant controls that are in place.” More simply stated, your data flow diagram (or systemarchitecture diagram) should identify at what point(s) data is passed to service providers. What are the ways service providers obtain access to your data? Customer transactions gener- ating anomalous activity alerts are monitored and reviewed. (FFIEC Wholesale Payments Booklet, page 12 ) This declarative statement is the second item in the Anomalous Activity Detection component of the Cybersecu- rity Controls domain. According to the FFIEC Wholesale Payments Booklet, banks should: “Monitor and log access to funds transfer systems, maintaining an au- dit trail of all sequential transactions; and incorporate the funds transfer controls into the organization's infor- mation security program to ensure the integrity and confidentiality of customer information.” In layman’s terms, you should have a product or method in place to recognize abnormal transactions, and a plan to review the abnormal transactions. This will reduce potential damage of foul play. Processes are in place to mon- itor for the presence of unautho- rized users, devices, connections, and software. (FFIEC Information SecurityWorkProgram, Objective II: M-9) This declarative statement is the third item in the Event Detection component of the Cybersecurity Controls domain. According to the FFIEC Information Se- curityWork Program, banks should have: “Appropriate detection capabilities [for] Network related anomalies [and] Host-related anomalies.” For this statement, you need to identify or initiate a process to monitor any unau- thorized users, devices, connections, or software that may arise on the network. Documentation of this process can be part of many of your information security policies, including Removable Media and Data Transfer, User Access Control, and Hardware/Software Inventory. So, if you have already conducted the Cybersecurity Assessment, youmay want to go back and see how you answered these three statements. If you answered themas “No,” you are not alone. If you answered them as “Yes,” then congratulations! If you haven’t conducted the assessment yet, then be sure to keep these things in mind and good luck. 