risk evaluation in vendor relationships, including vendor risk classifications, annual assessments, committee reviews of critical vendors, and procedures for contract review, due diligence and acquisition. Effective vendor management optimizes costs, leverages vendor expertise, enhances agility, minimizes disruptions and improves customer experience. Poor practices, however, can lead to operational disruptions, security breaches and regulatory noncompliance. Organizations should adopt a comprehensive vendor management program to mitigate risks and ensure compliance.

6. MICROSOFT 365 CONTROLS ASSESSMENT

SBS CyberSecurity began Microsoft 365 audits in 2021 due to discoveries by the network security team. An independent assessment is crucial for identifying and mitigating cyber threats within the Microsoft 365 environment. It should evaluate security controls for malware, third-party app access, data loss prevention, external sharing, advanced threat protection and permissions. Common security gaps within the Microsoft 365 environment include overly privileged administrator roles, misconfigured MFA, inadequate admin center settings, neglected audit and activity logs, and authorization issues.

7. ADEQUATE BACKUPS AND TESTING

Disaster recovery measures are key to mitigating ransomware attacks. This includes maintaining multiple on- and off-site backups, replicating critical data, encrypting files and using air-gapped storage. Regularly testing backups ensures data can be recovered after an attack. Air-gapped backups, isolated from networks, protect against ransomware that seeks out and deletes any backups it can reach. Keeping offline, up-to-date backups removes the recovery-driven reason to pay a ransom (it does not address extortion over data the attacker has already stolen, which no backup can undo). Depending on budget, immutable backups offer an additional layer of ransomware protection: because they cannot be altered or deleted during their retention period, the last clean version can be restored quickly after an attack or data loss.
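Returning to the Microsoft 365 controls assessment in section 6: an assessor can turn four of the listed gaps (overly privileged admin roles, misconfigured MFA, third-party app access and neglected audit logs) from checklist items into tenant evidence with a short read-only script. The PowerShell below is an example added to this reprint, not code from SBS CyberSecurity. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the account used holds at least the Global Reader role, and that the privileged-role list and the set of methods counted as "strong" MFA are the reviewer's own choices (both are assumptions to adjust per tenant).

```powershell
# Added example, not code from the SBS CyberSecurity article: read-only checks
# for four of the gaps named in section 6, using the Microsoft.Graph and
# ExchangeOnlineManagement modules. Assumptions: both modules are installed and
# the account used holds at least the Global Reader role.
$Scopes = @('RoleManagement.Read.Directory', 'Directory.Read.All',
            'UserAuthenticationMethod.Read.All', 'Policy.Read.All')
Connect-MgGraph -Scopes $Scopes -NoWelcome

# Roles whose standing members are worth reviewing one by one. The list is an
# assumption; adjust it to the institution's own risk classification.
$PrivilegedRoles = @('Global Administrator', 'Privileged Role Administrator',
                     'Security Administrator', 'Exchange Administrator',
                     'SharePoint Administrator', 'User Administrator')

# Gap 1: overly privileged administrator roles. Lists every standing (non-PIM)
# member of each role above. Get-MgDirectoryRole returns only roles that have
# been activated in the tenant, so roles never used are skipped silently.
function Get-PrivilegedRoleMembers {
    foreach ($name in $PrivilegedRoles) {
        $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
        if (-not $role) { continue }
        foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            [pscustomobject]@{
                Role = $name
                Id   = $m.Id
                Type = $m.AdditionalProperties['@odata.type']   # user, group or servicePrincipal
                Upn  = $m.AdditionalProperties['userPrincipalName']
            }
        }
    }
}

# Gap 2: misconfigured MFA. Checks what each admin has actually registered.
# SMS and voice are deliberately left off this list because they are phishable.
$StrongMethodTypes = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
function Test-AdminMfaRegistration {
    param([Parameter(ValueFromPipeline)] $Member)
    process {
        if ($Member.Type -ne '#microsoft.graph.user') { return }   # groups and SPs have no methods
        $types = Get-MgUserAuthenticationMethod -UserId $Member.Id |
                 ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        $strong = @($types | Where-Object { $_ -in $StrongMethodTypes })
        [pscustomobject]@{
            Role          = $Member.Role
            Upn           = $Member.Upn
            StrongMethods = $strong.Count
            Finding       = if ($strong.Count -eq 0) { 'No app-based or phishing-resistant MFA registered' }
        }
    }
}

# Registration alone is not enforcement: confirm an enabled Conditional Access
# policy grants 'mfa' and is scoped to directory roles, not just to named users.
function Test-AdminMfaPolicy {
    $enforcing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.State -eq 'enabled' -and
        $_.GrantControls.BuiltInControls -contains 'mfa' -and
        @($_.Conditions.Users.IncludeRoles).Count -gt 0
    }
    [pscustomobject]@{
        Control  = 'Conditional Access: MFA required for directory roles'
        Policies = @($enforcing | ForEach-Object DisplayName)
        Finding  = if (-not $enforcing) { 'No enabled policy requires MFA for admin roles' }
    }
}

# Gap 3: third-party app access. Tenant-wide (admin-consented) delegated grants
# to apps owned by another tenant are the ones the review has to justify.
function Get-TenantWideAppGrants {
    $tenantId = (Get-MgOrganization).Id
    Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
        ForEach-Object {
            $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
            [pscustomobject]@{
                App        = $sp.DisplayName
                ThirdParty = ($sp.AppOwnerOrganizationId -ne $tenantId)
                Scopes     = $_.Scope
            }
        }
}

# Gap 4: neglected audit logs. If unified audit log ingestion is off, Purview
# audit search returns nothing and most M365 incident evidence never existed.
function Test-UnifiedAuditLog {
    Connect-ExchangeOnline -ShowBanner:$false
    $cfg = Get-AdminAuditLogConfig
    [pscustomobject]@{
        Control = 'Unified audit log ingestion'
        Enabled = $cfg.UnifiedAuditLogIngestionEnabled
        Finding = if (-not $cfg.UnifiedAuditLogIngestionEnabled) { 'Audit logging is disabled' }
    }
}

$admins = Get-PrivilegedRoleMembers
$admins | Format-Table Role, Upn, Type -AutoSize
$admins | Test-AdminMfaRegistration | Where-Object Finding | Format-Table -AutoSize
Test-AdminMfaPolicy
Get-TenantWideAppGrants | Where-Object ThirdParty | Format-Table -AutoSize
Test-UnifiedAuditLog
```

Two caveats when reading the output. Get-MgDirectoryRoleMember shows standing assignments only; if the tenant uses Privileged Identity Management, eligible assignments must be pulled separately (Get-MgRoleManagementDirectoryRoleEligibilitySchedule) or the privileged population will be undercounted. And the script says nothing about external sharing or data loss prevention, the other controls named in section 6; those live in the SharePoint Online and Purview admin surfaces (for example the SharingCapability value returned by Get-SPOTenant) and need their own checks.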
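The restoration testing this section calls for is only meaningful if the restored data is compared against something recorded before the backup could have been tampered with. The PowerShell below is an example added to this reprint, not code from SBS CyberSecurity or any backup vendor: it writes a SHA-256 manifest at backup time, restores the archive to a scratch directory and reports every missing or altered file. All paths and file names are hypothetical, and the demonstration data at the end is constructed.

```powershell
# Added example, not code from the SBS CyberSecurity article: a restoration test
# that restores an archive to a scratch directory and compares every restored
# file against a SHA-256 manifest captured when the backup was taken. All paths
# are hypothetical; the code runs on Windows PowerShell 5.1 and PowerShell 7.

# Taken at backup time. Keep the manifest with the air-gapped or immutable copy,
# not beside the live data: an attacker who can rewrite the backup can otherwise
# rewrite the manifest to match it.
function New-BackupWithManifest {
    param(
        [Parameter(Mandatory)] [string] $SourceDir,
        [Parameter(Mandatory)] [string] $ArchivePath    # must end in .zip
    )
    $root = (Resolve-Path $SourceDir).Path
    $manifest = Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($root.Length).TrimStart('\', '/')
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    Compress-Archive -Path (Join-Path $root '*') -DestinationPath $ArchivePath -Force
    # The @() wrapper keeps a one-file manifest a JSON array rather than a bare object
    ConvertTo-Json @($manifest) | Set-Content -Path "$ArchivePath.manifest.json"
    return $manifest
}

# The actual test. A backup job reporting "success" proves nothing until the
# data has been restored and verified; missing files and hash mismatches are
# both failures. The scratch directory is removed even if Expand-Archive throws.
function Test-BackupRestore {
    param([Parameter(Mandatory)] [string] $ArchivePath)
    $manifest   = @(Get-Content -Raw "$ArchivePath.manifest.json" | ConvertFrom-Json)
    $restoreDir = Join-Path ([IO.Path]::GetTempPath()) ("restore-test-" + [guid]::NewGuid())
    try {
        Expand-Archive -Path $ArchivePath -DestinationPath $restoreDir
        $failures = @(foreach ($entry in $manifest) {
            $restored = Join-Path $restoreDir $entry.Path
            if (-not (Test-Path -LiteralPath $restored)) {
                "$($entry.Path): missing after restore"
                continue
            }
            $hash = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
            if ($hash -ne $entry.Sha256) { "$($entry.Path): hash mismatch (corrupt or tampered)" }
        })
    }
    finally {
        if (Test-Path $restoreDir) { Remove-Item $restoreDir -Recurse -Force }
    }
    [pscustomobject]@{
        Archive      = $ArchivePath
        FilesChecked = $manifest.Count
        Failures     = $failures
        Passed       = ($failures.Count -eq 0)
    }
}

# Demonstration on constructed data: a clean backup passes; an archive rebuilt
# from altered data while the stored manifest still describes the original fails.
$work = Join-Path ([IO.Path]::GetTempPath()) ("backup-demo-" + [guid]::NewGuid())
$data = Join-Path $work 'data'
New-Item -ItemType Directory -Path (Join-Path $data 'ledger') | Out-Null
Set-Content -Path (Join-Path (Join-Path $data 'ledger') '2024-q1.csv') -Value 'acct,balance'
Set-Content -Path (Join-Path $data 'readme.txt') -Value 'constructed sample'
$zip = Join-Path $work 'nightly.zip'

New-BackupWithManifest -SourceDir $data -ArchivePath $zip | Out-Null
Test-BackupRestore -ArchivePath $zip

# Simulate silent corruption and loss after the manifest was recorded
Set-Content -Path (Join-Path (Join-Path $data 'ledger') '2024-q1.csv') -Value 'acct,balance,TAMPERED'
Remove-Item (Join-Path $data 'readme.txt')
Compress-Archive -Path (Join-Path $data '*') -DestinationPath $zip -Force
(Test-BackupRestore -ArchivePath $zip).Failures
Remove-Item $work -Recurse -Force
```

The restore target is a fresh scratch directory each run so the test never touches production paths, and the result object (rather than console output) is what a scheduled job should record, so that a failed restore test surfaces as a ticket instead of a log line nobody reads.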
As part of risk mitigation, organizations should create, maintain and exercise a cyber incident response and communications plan, including response and notification procedures for ransomware incidents. If a vendor manages your organization's backups, verify that they follow best practices and formalize security requirements in contracts to safeguard data integrity. Additionally, regular testing (restoration testing, failover testing and simulations) builds confidence in an organization's ability to recover data in an emergency.

8. BANK PROTECTION ACT OF 1968

The shift to remote audits has highlighted the importance of managing and monitoring physical security in line with regulatory expectations. Since remote assessments often rely on videos or photos, verifying security measures can be challenging. The Bank Protection Act of 1968 mandates that institutions uphold effective physical security measures. To further strengthen security, it is recommended that a dedicated security officer be appointed to oversee the program and deliver an annual report to the board.

9. SEGREGATION OF INFORMATION SECURITY FROM INFORMATION TECHNOLOGY

Regulatory and audit scrutiny over IS and information technology (IT) role segregation increases once a financial institution reaches $750 million in assets. The ISO should be independent of IT operations and not report to IT management. Without proper segregation, risks include conflicts of interest, lack of oversight, operational bias and inefficient incident response. Separating IS and IT enhances accountability, risk management, compliance readiness and incident response efficiency.

10. UPDATED POLICIES

The following policies should be documented within an IS program, as some are now formal regulatory recommendations:

• End-of-Life (EOL) Policy: Defines EOL timeframes, tracks IT asset life cycles and ensures timely replacement to prevent security vulnerabilities and operational disruptions.
• Imaging Policy: Establishes document storage guidelines to maintain readability, accuracy, responsibility, procedures and disposal of original documents.

• ATM/Debit Card Management Policy: Covers application processes, authorized personnel, activation, PIN changes, returned cards, customer contact procedures and card retention timelines.

• Instant Issue Policy: Defines security controls, authorized access, inventory management, dual control, monitoring and audit procedures for instant card issuance.

• Internet Banking Policy: Specifies responsibilities, summarizes services, outlines risk assessment and transaction processes, determines training needs, ensures comprehensive program coverage, and references FFIEC Authentication and Access to Financial Institution Services and Systems as appropriate.

These enhancements ensure institutions comprehensively address physical and digital security, aligning with evolving regulatory standards and cyber threats.

The original article from SBS CyberSecurity is available at https://sbscyber.com/blog/topics-to-consider-in-yournext-information-security-program-review

SBS helps business leaders identify and understand cybersecurity risks to make more informed and proactive business decisions. For more information, contact Valerie Spicer at (605) 270-9381 or valerie.spicer@sbscyber.com. Learn more at sbscyber.com.

22 | INDEPENDENT REPORT