How to Pass An IT Exam: 9 Steps
By Danny Johnston
Financial institutions house data that’s highly critical and private in nature. While there’s
heightened security in all industries, regulators are examining information technology (IT)
security in financial institutions with significantly greater scrutiny than in the past. It’s
imperative for credit unions to understand examiners’ emphasis on IT security regulations and
demonstrate that they’re doing everything possible to protect their members’ and their
institutions’ confidential information.
Many financial institution executives aren’t aware of what constitutes proper IT security and
the best practices for preventing negative exam items. Preparing for an IT exam can be an
overwhelming and arduous task, which is why it’s crucial for financial institutions to identify
key areas and incorporate specific actions.
The following steps will enhance your IT security—and your chances of receiving a strong
performance rating on an IT security examination:
1) Manage technology properly
One of the primary motives of an examiner’s visit is to make sure institutions take IT security
seriously. Consequently, it’s important to clearly define and maintain procedures that enforce
system security, allow proactive decision making, and exhibit collaborative efforts at all levels
of the credit union to ensure these processes are adhered to diligently.
2) Validate board and technology committees
The board of directors should fully understand its role in IT security, be aware of specific
processes and procedures, and fully support measures taken to ensure IT security. Document the
board’s participation and awareness of IT security by keeping detailed meetings records,
including minutes of technology committee meetings. Hold regular IT security meetings with formal
agendas and minutes for review and approval.
3) Separate duties
All IT employees should play an active and integral role in technology management, but it’s
important for financial institutions to make distinctions between IT employees’ roles. Delegation
of duties is a significant component of a comprehensive security program.
Clearly explain and divide information security officers’ and system administrators’
responsibilities. The system administrator’s primary responsibility is to keep systems running
and ensure appropriate employees can access programs and data. An information security officer’s
primary goal is to manage system security and ensure employees correctly follow security policies.
4) Create efficient reports
Generate, examine, and maintain internal reports to validate IT security efforts. And make sure
these reports are user-friendly and easy to understand. Executive summaries should include pie
charts, bar graphs, and line graphs to help nontechnical decision makers understand the
technical information provided.
5) Install multi-layer protection
Implementing multiple layers of security protection is crucial to protecting credit unions from
threats and vulnerabilities. According to a recent Gartner study, internal employees are
responsible for 70% of unauthorized access to information. Multi-layered security helps guard
institutions from both external and internal threats.
Examiners want proof that institutions are addressing both the outside perimeter and the
inside network, such as file servers and e-mail servers. Additionally, by regularly reviewing
user rights and permissions, as well as disabling user IDs and passwords once an employee is
terminated, institutions can improve standard internal control procedures.
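The user-rights review and the termination check described above, as an added example that is not part of the original article: a quarterly script that reconciles a directory export against the HR roster and flags accounts needing action, with a count summary suitable for the executive reports examiners ask for. The roster, accounts, group names and finding codes are constructed sample data.

```python
# Added example: quarterly access review of directory accounts against HR records.
# All data below is constructed; finding codes are this example's own naming.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    groups: frozenset
    last_login: date

# Constructed HR roster: user_id -> termination date (None = still employed)
HR_ROSTER = {"jsmith": None, "bjones": date(2024, 1, 15), "rlee": None, "svc_backup": None}

# Constructed directory export, as a system administrator might pull it each quarter
ACCOUNTS = [
    Account("jsmith", True, frozenset({"Tellers"}), date(2024, 3, 1)),
    Account("bjones", True, frozenset({"Loans", "Domain Admins"}), date(2024, 1, 10)),
    Account("rlee", True, frozenset({"Domain Admins"}), date(2023, 9, 2)),
    Account("svc_backup", False, frozenset({"Backup Operators"}), date(2023, 12, 1)),
    Account("tmp_vendor", True, frozenset({"Users"}), date(2024, 2, 20)),
]
# Groups whose members get extra scrutiny (constructed for the example)
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Backup Operators"})

def review_access(accounts, roster, today, stale_days=90):
    """Return (user_id, finding_code) pairs for accounts that need action."""
    findings = []
    for acct in accounts:
        if acct.user_id not in roster:
            findings.append((acct.user_id, "NO_HR_RECORD"))  # orphan account
        elif roster[acct.user_id] is not None and acct.enabled:
            findings.append((acct.user_id, "TERMINATED_STILL_ENABLED"))
        idle = (today - acct.last_login).days
        if acct.enabled and acct.groups & PRIVILEGED_GROUPS and idle > stale_days:
            findings.append((acct.user_id, "STALE_PRIVILEGED"))
    return findings

def summarize(findings):
    """Count findings per code: the one-line summary an executive report needs."""
    summary = {}
    for _, code in findings:
        summary[code] = summary.get(code, 0) + 1
    return summary

if __name__ == "__main__":
    results = review_access(ACCOUNTS, HR_ROSTER, date(2024, 4, 1))
    print(results, summarize(results))
```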
6) Train and certify employees
Training should cover best practices and position an institution as proactive in setting high
security standards. Systems administrators and information security officers should regularly
attend information security-related training. Schedule security awareness training for all
employees to accentuate pertinent rules and processes to prevent the accidental disclosure of
private information.
For example, if someone calls the credit union and asks for a user name and password for an
account, the employee handling the call should know not to give the information over the phone.
Train employees to recognize that providing this information could endanger the credit union’s
system security.
7) Administer independent vulnerability and penetration tests
Even if a credit union has properly addressed all of the previous points, examiners still need
third-party validation. Hire independent consulting firms to perform vulnerability and
penetration tests. These firms should create report cards grading various components, such as
system configuration, monitoring responses, policies, and physical security. Having these
independent reports provides both the credit union and the examiner with independent proof of
compliance with industry standards.
8) Establish proper vendor management
Today’s complex technical environment requires credit unions to use trusted, expert partners to
help them create and maintain secure systems. As a result, credit unions must ensure that their
vendors adhere to Federal Financial Institutions Examination Council (FFIEC) expectations.
Proper procedures include getting annual audited financial statements and contractual assurance
that each vendor adheres to Gramm-Leach-Bliley Act standards. In addition, if the vendor holds
or controls member information, examiners may request a Statement on Auditing Standards No. 70
(SAS 70) report performed by a qualified third party. This report signifies that a service
organization has had its control objectives and activities examined by an independent accounting
and auditing firm.
9) Enforce policies and procedures
Set standard policies and procedures that, if followed properly, can guide employees to enforcing
better IT security practices. Examiners regularly test certain procedures. For example, if an
institution has a policy to test the complexity of passwords quarterly, the examiner will want to
see reports documenting the tests and actions.
Implement network and Internet policies that include details of firewall topology and
architecture, permissible traffic, and traffic monitoring. Create a business contingency plan
that includes how to secure member information during disasters.
Financial institutions operate in a world that demands continuous vigilance by everyone from
the newest employee to the board chairman. When institutions follow these IT security procedures,
not only will they likely pass examiners’ evaluations, they’ll also enjoy the knowledge that
they’re doing an outstanding job of protecting their members’ resources and information.
Danny Johnston is president/CEO of Gladiator Technology Services Inc., an Alpharetta, Ga.,
managed security service provider for financial institutions. Contact him at 678-461-4620.