Pub. 19 2024-2025 Issue 1

Continued from page 16

5. Vendor Management Program
The vendor management program continues to evolve and requires diligent monitoring and research, especially for vendors deemed critical to operations. Adhering to the FFIEC guidance and the Interagency Guidance on Third-Party Relationships: Risk Management supports a comprehensive risk evaluation of vendor relationships, comprising due diligence procedures, acquisition procedures, defined vendor risk classifications, annual risk assessments, presentation of critical vendors to an authorized committee and adequate contract review procedures. Organizations should adopt a comprehensive vendor management program to address vendor risks and ensure adherence to legal and regulatory standards.

6. Microsoft 365 Controls Assessment
An independent assessment is crucial for identifying and mitigating cyber threats within the Microsoft 365 environment. The assessment should evaluate the environment and confirm that the organization has implemented appropriate controls to mitigate risks, including malware, third-party app access, data loss prevention, external sharing, advanced threat protection and permissions. Common security gaps within Microsoft 365 include overly privileged administrator roles, incorrectly implemented multi-factor authentication, inadequate admin center settings, neglect of the audit and activity logs, and authorization misconfiguration.

7. Adequate Backups and Testing
Implementing disaster recovery measures to prevent and mitigate ransomware attacks is important, including keeping multiple backups on and off-site, replicating critical data, encrypting data and maintaining air-gapped backups. Regular testing of backup procedures is essential for ensuring data recoverability in the event of an attack. An air-gapped backup is not connected to a network, so it cannot be reached from a compromised production environment; this matters because many ransomware variants attempt to find and delete or encrypt any backups they can reach before encrypting production data.

Maintaining offline, current backups is critical because there is no need to pay a ransom to recover data that is readily accessible to your organization. Backups address only the availability side of an attack, however; they do not prevent an attacker from publishing data that was exfiltrated before encryption. Regularly testing and validating backup processes gives an organization confidence in its ability to restore data in an emergency. This includes restoration testing (actually restoring data from the backup copy and verifying its integrity, not merely confirming that a backup job completed), functional failover testing (spinning up critical backup servers), and other emergency preparedness testing (tabletop exercises, simulations, etc.).

8. Bank Protection Act of 1968
The shift toward remote audits and examinations poses challenges for verifying physical security, which then often relies on videos or photographs for assessment. The Act's implementing regulations require the board of directors to designate a security officer and require that officer to report to the board at least annually on the security program. Appointing a dedicated individual to that role, rather than attaching it to an unrelated position, helps ensure comprehensive implementation of the security program and a substantive annual report to the board.

18 NEBRASKA BANKER
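The gaps listed under item 6 can be checked mechanically once an assessor has exported the tenant's directory role memberships, the authentication methods user registration report and the unified audit log setting. The Python script below is an added example, not code from this article or from Microsoft. The records it runs over are constructed; the field names (userPrincipalName, isMfaRegistered, methodsRegistered, assignment) and the registered-method names are assumptions modelled on the Microsoft Graph registration report and must be confirmed against a real export; the Global Administrator ceiling follows Microsoft's guidance to keep fewer than five.

```python
"""Flag common Microsoft 365 / Entra ID control gaps from exported records.

Added example (not from the article). The records below are constructed and
stand in for three exports an assessor would take from a real tenant:
directory role memberships, the authentication-methods user registration
report, and the unified audit log setting. Field and method names are
assumptions modelled on the Microsoft Graph registration report; confirm
them against a real export before relying on the script.
"""
from collections import Counter

PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Exchange Administrator", "SharePoint Administrator",
    "Security Administrator",
}
MAX_GLOBAL_ADMINS = 4  # Microsoft's guidance: fewer than five Global Admins
# Phone-based methods are exposed to SIM swap and phishing; assumed report values.
PHONE_ONLY_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone"}


def assess(role_assignments, registration_report, unified_audit_log_enabled):
    """Return a list of findings; each is a dict with check, subject and detail."""
    findings = []
    report_by_upn = {r["userPrincipalName"].lower(): r for r in registration_report}

    # Gap: overly privileged tenant, too many Global Administrators.
    global_admins = [a for a in role_assignments if a["role"] == "Global Administrator"]
    if len(global_admins) > MAX_GLOBAL_ADMINS:
        findings.append({"check": "global_admin_count", "subject": "tenant",
                         "detail": f"{len(global_admins)} Global Administrators, limit {MAX_GLOBAL_ADMINS}"})

    checked = set()
    for a in role_assignments:
        if a["role"] not in PRIVILEGED_ROLES:
            continue
        upn = a["userPrincipalName"].lower()
        # Gap: standing rights instead of just-in-time (PIM eligible) activation.
        if a.get("assignment") == "permanent":
            findings.append({"check": "permanent_assignment", "subject": upn,
                             "detail": f"standing {a['role']} rights; make the assignment eligible"})
        if upn in checked:  # MFA state is per user, so check it once
            continue
        checked.add(upn)
        # Gap: incorrectly implemented MFA on privileged accounts.
        reg = report_by_upn.get(upn)
        if reg is None:
            findings.append({"check": "mfa_unknown", "subject": upn,
                             "detail": "privileged account missing from registration report"})
        elif not reg.get("isMfaRegistered"):
            findings.append({"check": "mfa_not_registered", "subject": upn,
                             "detail": "privileged account has no MFA method registered"})
        elif set(reg.get("methodsRegistered", [])) <= PHONE_ONLY_METHODS:
            findings.append({"check": "mfa_weak_only", "subject": upn,
                             "detail": "no authenticator app or FIDO2 key; SMS/voice only"})

    # Gap: audit log neglect (nothing to investigate if ingestion is off).
    if not unified_audit_log_enabled:
        findings.append({"check": "audit_log_disabled", "subject": "tenant",
                         "detail": "unified audit log ingestion is disabled"})
    return findings


def summarize(findings):
    """Count findings per check, for the assessment report."""
    return Counter(f["check"] for f in findings)


# Constructed sample exports for a small tenant (not real data).
SAMPLE_ROLES = [
    {"role": "Global Administrator", "userPrincipalName": "ceo@bank.example", "assignment": "permanent"},
    {"role": "Global Administrator", "userPrincipalName": "admin-jdoe@bank.example", "assignment": "eligible"},
    {"role": "Global Administrator", "userPrincipalName": "admin-ksmith@bank.example", "assignment": "eligible"},
    {"role": "Global Administrator", "userPrincipalName": "svc-backup@bank.example", "assignment": "permanent"},
    {"role": "Global Administrator", "userPrincipalName": "admin-lwong@bank.example", "assignment": "eligible"},
    {"role": "Exchange Administrator", "userPrincipalName": "admin-mreed@bank.example", "assignment": "eligible"},
]
SAMPLE_REGISTRATION = [
    {"userPrincipalName": "ceo@bank.example", "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "admin-jdoe@bank.example", "isMfaRegistered": True,
     "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "admin-ksmith@bank.example", "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "admin-lwong@bank.example", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
    {"userPrincipalName": "admin-mreed@bank.example", "isMfaRegistered": True, "methodsRegistered": ["fido2SecurityKey"]},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_ROLES, SAMPLE_REGISTRATION, unified_audit_log_enabled=False):
        print(f"[{f['check']}] {f['subject']}: {f['detail']}")
```

Against the constructed tenant the script reports seven findings: five Global Administrators, two of them with standing rather than eligible assignments, one privileged account absent from the registration report (a service account nobody enrolled), one with no MFA at all, one protected only by SMS, and the audit log switched off. In a real engagement the inputs would come from the Graph directoryRoles and reports endpoints and from Exchange Online's Get-AdminAuditLogConfig (UnifiedAuditLogIngestionEnabled); the script's value is in joining the three exports, which is where privileged-but-unenrolled accounts tend to hide.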
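Restoration testing under item 7 means proving that a backup restores to exactly the bytes that were backed up. The Python script below is an added example, not from the article: it builds an archive together with a separate SHA-256 manifest, restores the archive into a scratch directory and compares every file against the manifest, then simulates a backup that a ransomware operator has reached (one file encrypted, one deleted, a ransom note added) to show that the check catches all three. The source tree, file names and contents are constructed.

```python
"""Restoration test for a backup archive against an out-of-band manifest.

Added example (not from the article). The source tree, the "ransomware
tampering" and all file names are constructed so the script runs offline.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_backup(src_dir, archive_path):
    """Archive src_dir to a .tar.gz and return {relative path: sha256}.

    Keep the manifest with the offline copy, not beside the online archive,
    so an intruder who encrypts or prunes the archive cannot also fix up
    the checksums it will later be judged against."""
    src = Path(src_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def _safe_members(tar, dest):
    """Yield only plain files/dirs that land inside dest (no traversal, links or devices)."""
    dest = os.path.realpath(dest)
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, m.name))
        if not (m.isfile() or m.isdir()) or os.path.commonpath([dest, target]) != dest:
            raise ValueError(f"refusing unsafe archive member: {m.name}")
        yield m


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and hash every file against the manifest.

    Returns {} when the backup restores intact; otherwise a dict with any of
    'missing', 'mismatched' and 'unexpected' lists of relative paths."""
    # Newer Python ships extraction filters; use the strict one when present.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(str(archive_path), "r:gz") as tar:
        tar.extractall(scratch, members=_safe_members(tar, scratch), **extra)
        restored = {p.relative_to(scratch).as_posix(): sha256_file(p)
                    for p in Path(scratch).rglob("*") if p.is_file()}
    problems = {
        "missing": [rel for rel in manifest if rel not in restored],
        "mismatched": [rel for rel, d in manifest.items() if rel in restored and restored[rel] != d],
        "unexpected": sorted(set(restored) - set(manifest)),
    }
    return {k: v for k, v in problems.items() if v}


def run_demo():
    """Back up a constructed tree, verify it, then verify a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "core")
        (src / "ledger").mkdir(parents=True)
        (src / "config").mkdir()
        (src / "ledger" / "2024-q1.csv").write_text("acct,balance\n1001,250.00\n")
        (src / "config" / "app.ini").write_text("[db]\nhost=db01\n")

        good = Path(tmp, "good.tgz")
        manifest = build_backup(src, good)          # manifest is kept off-box in practice
        clean = verify_restore(good, manifest)

        # Simulate what ransomware does to a reachable backup: encrypt, delete, leave a note.
        (src / "ledger" / "2024-q1.csv").write_bytes(b"\x00\xffENCRYPTED\x00" * 4)
        (src / "config" / "app.ini").unlink()
        (src / "README_RESTORE.txt").write_text("pay to recover your files\n")
        tampered_archive = Path(tmp, "tampered.tgz")
        build_backup(src, tampered_archive)          # attacker-made archive, checked with the old manifest
        tampered = verify_restore(tampered_archive, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean backup:", clean or "restores intact")
    print("tampered backup:", tampered)
```

Run this against the actual off-site or air-gapped copy, not the online replica, and time the restore: a backup that verifies but takes longer to restore than the recovery time objective allows is a finding too. The member check in the extractor is deliberate, since a restore test that extracts an attacker-modified archive without it could itself be used to plant files outside the scratch directory.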
