of returned debit cards, logging documentation, contacting the customer for pick-up or address changes, and the length of time to hold cards prior to being logged and destroyed.

• Instant Issue Policy: Describe the instant issue environment, authorized access, security controls (both physical and logical), dual control, inventory, monitoring, internal audits, and related procedures.

• Internet Banking Policy: Designate responsibility for the program, summarize all Internet banking services, describe the risk assessment process, define transaction processes, determine appropriate training, and ensure all aspects of the Internet banking program are adequately addressed. Also reference the FFIEC guidance "Authentication and Access to Financial Institution Services and Systems" (Aug. 2021) as appropriate.

• Multi-Factor Authentication: MFA reduces the risk of account takeover through stolen, phished, or guessed passwords, whether the target is the data center, cloud services, or remote workers. Additional controls are recommended around administrative access to directory services, network backup environments, network infrastructure, the organization's endpoints and servers, remote access (employees and vendors), and firewall management. Many cyber insurance carriers now require organizations to complete a self-attestation to renew a policy, and that attestation includes verifying that MFA is enforced for remote access users and administrative users.

Contract Review Procedures
The vendor management program continues to evolve and requires diligent monitoring and research, especially for vendors deemed critical to operations. The FFIEC has outlined contract review guidelines in its Information Security Booklet, which should be used as a guide when evaluating new contracts and renewals for risk. Formal contract review procedures should be developed and include, but not be limited to, the following: scope of service, performance standards, security and confidentiality, controls, audit requirements, reports available for review, business resumption or contingency plans, subcontracting, ownership and license of data, dispute resolution, termination, assignment, regulatory compliance, and breach notification procedures.

Microsoft 365 Controls Assessment
To mitigate multiple cyber threats, an independent assessment of the Microsoft 365 environment should be performed after implementation and periodically thereafter. The assessment should evaluate the environment and confirm that the organization has implemented appropriate controls for risks including malware, third-party app access, data loss prevention, external sharing, advanced threat protection, and permissions.

Backup Best Practices
Maintain offline, encrypted backups on a regular schedule, and test restores regularly; a backup that has never been restored is an untested assumption. A layered disaster recovery approach helps prevent and mitigate ransomware attacks: keep multiple backups on site and off site, replicate critical data, encrypt backups, and keep at least one air-gapped copy. A further step is immutable backups. An immutable backup cannot be altered or deleted once written, so an attacker who gains write access to the backup target cannot encrypt or wipe it, and it can be deployed to production servers immediately after a ransomware attack or other data loss. With an archive of immutable backups, recovery comes down to finding the last clean backup on record, meaning one taken before the compromise and verified against the integrity values recorded when it was made; a backup taken after the attackers were already inside may itself contain encrypted data even though it is intact. If a third party or managed service provider maintains and secures your organization's backups, ensure they follow the same practices, and formalize your security requirements in the contract.
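The following Python is an added example, not code from this article or from SBS, that models the backup practices above: each backup is catalogued with a SHA-256 digest when it is written, restores are verified against that manifest, an immutable (write-once) target rejects tampering, and the restore routine picks the newest backup that both verifies and predates the detected compromise. The file names, dates and contents are constructed for the example; the WriteOnceStore class is a toy stand-in for a real immutable backup target, not any vendor's API.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class BackupRecord:
    """One manifest entry: the backup's name, when it was taken, and its SHA-256 at that time.

    The manifest itself must be kept somewhere the attacker cannot rewrite it
    (offline or on the immutable target), otherwise tampering is undetectable.
    """
    name: str
    taken_at: datetime
    sha256: str


def make_record(name: str, taken_at: datetime, data: bytes) -> BackupRecord:
    """Catalogue a backup by hashing its contents when it is written."""
    return BackupRecord(name, taken_at, hashlib.sha256(data).hexdigest())


def verify_backup(record: BackupRecord, data: Optional[bytes]) -> bool:
    """A backup is intact only if it still exists and hashes to the catalogued digest."""
    if data is None:
        return False
    return hashlib.sha256(data).hexdigest() == record.sha256


class WriteOnceStore:
    """Toy model (an assumption of this example) of an immutable backup target:
    an object can be written once and is never overwritten or deleted."""

    def __init__(self) -> None:
        self._objects: dict[str, bytes] = {}

    def put(self, name: str, data: bytes) -> None:
        if name in self._objects:
            raise PermissionError(f"{name} is immutable and cannot be overwritten")
        self._objects[name] = data

    def get(self, name: str) -> Optional[bytes]:
        return self._objects.get(name)


def last_clean_backup(manifest: list[BackupRecord],
                      fetch: Callable[[str], Optional[bytes]],
                      detected_at: datetime) -> Optional[BackupRecord]:
    """Newest backup taken before the compromise was detected that still verifies.

    Intact is not the same as clean: a backup taken after the attackers were in
    the network hashes correctly but may contain already-encrypted data, so it is
    excluded by timestamp rather than by digest.
    """
    for record in sorted(manifest, key=lambda r: r.taken_at, reverse=True):
        if record.taken_at >= detected_at:
            continue
        if verify_backup(record, fetch(record.name)):
            return record
    return None


def demo() -> dict:
    """Constructed scenario: three nightly backups, ransomware detected early on day 3,
    and an attacker who corrupts day 2's backup on a writable target."""
    def nightly(day: int) -> datetime:
        return datetime(2024, 3, day, 1, 0, tzinfo=timezone.utc)

    backups = {
        "db-2024-03-11.bak": (nightly(11), b"customer table, clean"),
        "db-2024-03-12.bak": (nightly(12), b"customer table, clean, more rows"),
        "db-2024-03-13.bak": (nightly(13), b"\x00encrypted by ransomware\x00"),
    }
    detected_at = datetime(2024, 3, 13, 0, 30, tzinfo=timezone.utc)

    mutable: dict[str, bytes] = {}
    immutable = WriteOnceStore()
    manifest: list[BackupRecord] = []
    for name, (taken_at, data) in backups.items():
        manifest.append(make_record(name, taken_at, data))
        mutable[name] = data
        immutable.put(name, data)

    # The attacker overwrites day 2's backup wherever they have write access.
    garbage = b"\x00encrypted by ransomware\x00"
    mutable["db-2024-03-12.bak"] = garbage
    try:
        immutable.put("db-2024-03-12.bak", garbage)
        blocked = False
    except PermissionError:
        blocked = True

    from_mutable = last_clean_backup(manifest, mutable.get, detected_at)
    from_immutable = last_clean_backup(manifest, immutable.get, detected_at)
    return {
        "tamper_blocked_on_immutable": blocked,
        "restore_from_mutable": from_mutable.name if from_mutable else None,
        "restore_from_immutable": from_immutable.name if from_immutable else None,
    }


if __name__ == "__main__":
    print(demo())
```

On the writable target the day-2 backup fails verification and the restore falls back a full day to day 1; on the write-once target the overwrite is refused and day 2 is recoverable. Day 3's backup is intact in both cases but is skipped because it was taken after the compromise was detected, which is the check a digest alone cannot make.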
For more information, contact Robb Nielsen at 605-251-7375 or robb.nielsen@sbscyber.com. SBS helps business leaders identify and understand cybersecurity risks to make more informed and proactive business decisions. Learn more at www.sbscyber.com.

As data breaches trend up, organizations will be forced to spend more money to recover and ensure they have the appropriate solutions in place to prevent attacks without disrupting normal business.

NEBRASKA BANKERS ASSOCIATION 21