2019 Vol. 103 No. 5

Hoosier Banker 39

plan should include testing the design and effectiveness of controls and include penetration testing and vulnerability assessments. It should also include a documented risk treatment plan with clearly articulated and assigned corrective actions, including a formalized and well-tested incident reporting and breach escalation process.

5. Are user access privileges granted only to authorized users on a must-have basis?

Small banking institutions often assign the responsibility of granting user access privileges to IT. While IT staff might understand who works at the bank, they don't necessarily understand who should have what levels of access. IT should provide lists of users, and business unit managers such as branch managers and loan department leaders should look at each user's access to make sure access privileges are granted on a must-have basis. In addition, access rights of users should be reviewed whenever a user's roles and responsibilities change or as they leave the organization.

6. Is your institution exercising effective control and monitoring over outsourced IT services or cloud-based service providers?

Outsourcing IT services allows your institution to focus on its core banking competencies while saving money on tools and technical expertise. While IT services can be outsourced, however, governance of those services cannot. Your bank has the responsibility to understand what your vendors are doing and to manage them from a security perspective. You should have a well-documented process to verify that your vendors and their services are secure. For example, you should know who is accessing which systems, and how your organization will be notified about issues. A comprehensive service-level agreement should address these issues and clearly set out performance metrics around information-security reporting.

7. How often do you receive executive communication and updates on how well your cybersecurity program is holding up?
It's critical to know whether your institution's governance, risk management and oversight programs are working properly. This means knowing what the baselines are for different types of security controls and activities within your organization, and monitoring what typically happens on a month-to-month basis around information security and various weaknesses and vulnerabilities. If your monitoring shows spikes in activity that are beyond the baseline, executives and oversight committees have a responsibility to understand what happened, and what your institution did to ensure that customer, employee and bank-sensitive information is secure.

Detailed responses to these questions can provide deep insights into the state of cybersecurity within your organization, as well as your current internal and external compliance posture. HB
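The access review in question 5 (IT exports who has what, business unit managers confirm what each role must have) can be reduced to a reconciliation that flags leavers, privilege levels above the approved one, and systems no role was ever approved for. This is an added illustration, not code from the article; the user list, role entitlements and privilege ranking are constructed sample data.

```python
"""Access recertification reconciliation (added illustration, not from the article).

Constructed inputs: an access export as IT would provide it, and the
must-have entitlements approved by business unit managers per role.
Re-run after every role change or departure, with the staff mapping updated.
"""
from dataclasses import dataclass

# Constructed sample: what IT exports per user (system -> privilege level).
IT_ACCESS_EXPORT = {
    "jdoe":   {"core_banking": "read", "loan_origination": "admin"},
    "asmith": {"core_banking": "write", "wire_transfer": "approve"},
    "bjones": {"core_banking": "read"},   # left the bank last month
}

# Constructed sample: what business owners approved for each active role.
ROLE_ENTITLEMENTS = {
    "teller":       {"core_banking": "write"},
    "loan_officer": {"core_banking": "read", "loan_origination": "write"},
}
ACTIVE_STAFF = {"jdoe": "loan_officer", "asmith": "teller"}  # bjones is absent

# Hypothetical ordering of privilege levels, lowest to highest.
PRIVILEGE_RANK = {"read": 1, "write": 2, "approve": 3, "admin": 4}

@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    issue: str  # "leaver", "excess" or "unapproved_system"

def reconcile(export, staff, entitlements):
    """Compare IT's export against the business-approved role entitlements."""
    findings = []
    for user, grants in sorted(export.items()):
        role = staff.get(user)
        if role is None:  # account survives a departure: every grant is a finding
            findings.extend(Finding(user, system, "leaver") for system in grants)
            continue
        allowed = entitlements[role]
        for system, level in grants.items():
            if system not in allowed:
                findings.append(Finding(user, system, "unapproved_system"))
            elif PRIVILEGE_RANK[level] > PRIVILEGE_RANK[allowed[system]]:
                findings.append(Finding(user, system, "excess"))
    return findings

if __name__ == "__main__":
    for f in reconcile(IT_ACCESS_EXPORT, ACTIVE_STAFF, ROLE_ENTITLEMENTS):
        print(f"{f.user:8} {f.system:18} {f.issue}")
```

Each finding is a question for the business owner, not for IT: either the approved entitlement is wrong or the grant is.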
