Garland Group Blog

Archive for September, 2010

RISK: It’s Everyone’s Business

The Community September 28th, 2010 0 Comments

Recently IBM released its 2010 Global IT Risk Study. According to the study, 74% of those surveyed agreed that the greatest benefit of improving IT Risk Management is that it ensures business continuity.

The article goes on to define business continuity as more than a natural disaster preparedness plan. “It is really about building a risk-aware culture – making sure that the necessary tools, processes and methodologies are in place, and that every individual in the organization is aware of their responsibility in regard to the safety and integrity of data.”

Benefits Of IT Risk Management

What a clear picture this depicts. Every business continuity plan (BCP) should take care to:

  • Infuse culture with risk awareness. This starts at the top and involves more than IT.
  • Invest in the right applications that help manage and mitigate risk.
  • Ensure that processes and methodologies are accurate and documented. Always review, revise, rewrite.
  • Create a program that trains and retrains employees on risk awareness and holds everyone accountable. Each department needs to have policies in place that govern the risk in their department.

Though departments may claim that BCP and Risk Management are outside their domain, every facet of the organization depends on data on some level. We live in a data-driven, technological economy. It seems as if the more data we collect, the more we need, and the more technologies evolve to capture, store, and share this data. To ensure that we are adequately prepared, let’s keep in mind these suggestions from the report.

When managing IT risks

  • Examine and assess the organization’s IT risk capability
  • Look for champions among senior leadership
  • Determine how to heighten risk awareness at all levels, and within the organizational culture itself
  • Look for innovative ways to implement risk mitigation procedures
  • Make sure safeguards are in place to help prevent unauthorized access to company data and systems

What is your organization doing to improve its Risk Management initiative? Do share. Learn how we can help!

ACH Best Practices

Heath September 24th, 2010 0 Comments

If you’ve worked with us lately, you know we are really digging into ACH procedures due to all the fraud going around lately. We’ve often been quoted, “The only real compromises and penetrations we’ve seen lately have been ACH fraud.” And other than the ever-annoying debit card fraud, the aforementioned quote is true.
We’ve been working on an ACH best practices post for a while now, but when we were asked by the Texas Bankers Electronic Crimes Task Force on our opinions about ACH best practices, it really got the ball rolling.

Keep in mind the following is from a technology and FFIEC controls point of view. There are obviously other NACHA and banking controls that you may employ, but if you are doing all the things listed below…you’re in good shape.

1) MULTI-FACTOR AUTHENTICATION: We aren’t talking about just authorizing a picture or answering security questions either. Those controls are easily defeated by keyloggers. The best multi-factor we have seen is something you know (password) plus something you have (a token, or One Time PINs sent by email or text).

2) DUAL CONTROL on CUSTOMER SIDE: Most financial institutions employ dual control for processing ACH, much like the way wires are processed. However, not enough require dual control of their cash management users. While the likelihood that one account is compromised is high, the likelihood that two accounts within the same cash management relationship are both compromised is slim. That likelihood drops further when the enterer uses a different computer or network than the verifier.

3) ENDPOINT SECURITY on CUSTOMER SIDE: Computers at client sites aren’t always as secured as what we are used to within Financial Institutions. AT MINIMUM, we recommend active anti-virus/anti-malware, personal firewalls enabled, current OS patch levels, network logins, screensaver timeouts, and physically secured computers in low-traffic areas.

4) IP RESTRICTION: One of the lesser-used security measures is IP restriction, where ACH requests and/or Cash Management authentications are only accepted from approved IP addresses. That way, even if credentials are compromised, fraudulent files must still originate from an approved IP.

5) TREASURY MANAGEMENT AGREEMENTS: I know lawyers are far better at reducing liability within these agreements, but consider putting language in your agreements that minimum security standards must be upheld, and list those minimum controls (see #3). Bonus tip: far too often we find that agreements aren’t fully executed or are out of date. Be sure to include agreement reviews when reviewing limits and the customer relationship.

6) LIMITS: Customer usage of ACH should be a dynamic process, reviewed regularly on a risk-based schedule. For example, a customer that sends 8 files a month worth millions should be reviewed more often than the company that runs payroll twice a month at 50K.
Also, limits should be set at a reasonable level and adjusted only when necessary. Just because the company that sends 50K payroll files monthly sends a 100K file once a year in December doesn’t mean their limit needs to be 110K. The once-a-year file should be handled as an exception instead of the rule.

7) OVER LIMIT PROCEDURES: Procedures need to be in place for sending an ACH file over normal limits: the owner of the account signs an exception, the officer on the account approves it, and holds are placed on the funds. All of this assumes your ACH staff are checking ACH limits in the first place. Furthermore, too often limits are set only daily. We like to see limits set on a daily AND monthly basis to reduce exposure: a 10K daily limit on its own can let fraudsters move far more over a month than a 50K monthly limit would.
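To make items 2, 4, 6 and 7 concrete, here is an added example (not code from Garland Group or from any cash management product) of a pre-release check that a bank-side system could run on each customer-originated ACH file: it enforces the IP allowlist, dual control with a different enterer and verifier, daily AND monthly limits, and an officer-approved exception for over-limit files. All names, addresses, amounts and limits are constructed, and the `month_exposure` helper simply replays one file per day to show why a daily-only limit leaks more than a daily-plus-monthly pair.

```python
"""Pre-release policy check for a customer-originated ACH file (added example)."""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class CustomerProfile:
    name: str
    approved_networks: list          # item 4: CIDRs the customer may submit from (constructed)
    daily_limit: int                 # cents
    monthly_limit: Optional[int]     # cents; None means no monthly cap (the weak setting)
    require_dual_control: bool = True


@dataclass
class Submission:
    customer: str
    total_cents: int
    on: date
    entered_by: str
    entered_from: str
    verified_by: Optional[str] = None
    verified_from: Optional[str] = None
    exception_approved_by: Optional[str] = None   # item 7: officer sign-off for an over-limit file


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)   # blocking findings
    notes: list = field(default_factory=list)     # non-blocking review flags


def _from_approved_network(profile, ip):
    return any(ip_address(ip) in ip_network(cidr) for cidr in profile.approved_networks)


def evaluate(profile, sub, released):
    """Decide whether `sub` may be released. `released` lists (customer, date, cents)
    for files already released; it supplies the same-day and same-month usage."""
    d = Decision(approved=False)
    if sub.customer != profile.name:
        d.reasons.append("profile does not belong to this customer")
        return d
    # Item 4: every actor on the file must come from an approved address
    for role, ip in (("enterer", sub.entered_from), ("verifier", sub.verified_from)):
        if ip and not _from_approved_network(profile, ip):
            d.reasons.append(f"{role} address {ip} is not in the approved networks")
    # Item 2: a second, different person must verify; same address is a review flag
    if profile.require_dual_control:
        if not sub.verified_by:
            d.reasons.append("dual control: no verifier")
        elif sub.verified_by == sub.entered_by:
            d.reasons.append("dual control: enterer and verifier are the same user")
        elif sub.verified_from == sub.entered_from:
            d.notes.append("enterer and verifier used the same address; review")
    # Items 6-7: daily AND monthly exposure, with a signed exception for overages
    same_day = sum(c for cust, day, c in released if cust == sub.customer and day == sub.on)
    same_month = sum(c for cust, day, c in released if cust == sub.customer
                     and (day.year, day.month) == (sub.on.year, sub.on.month))
    overages = []
    if same_day + sub.total_cents > profile.daily_limit:
        overages.append(f"daily limit {profile.daily_limit} exceeded ({same_day + sub.total_cents})")
    if profile.monthly_limit is not None and same_month + sub.total_cents > profile.monthly_limit:
        overages.append(f"monthly limit {profile.monthly_limit} exceeded ({same_month + sub.total_cents})")
    if sub.exception_approved_by:
        d.notes.extend(o + f"; exception approved by {sub.exception_approved_by}" for o in overages)
    else:
        d.reasons.extend(o + "; no signed exception on file" for o in overages)
    d.approved = not d.reasons
    return d


def month_exposure(profile, per_file_cents, days):
    """Total a customer could release by sending one file of `per_file_cents` on each of
    `days` consecutive days in a constructed December 2010, under `profile`."""
    released, total = [], 0
    for i in range(days):
        day = date(2010, 12, 1 + i)
        sub = Submission(profile.name, per_file_cents, day, "alice", "203.0.113.10",
                         verified_by="bob", verified_from="203.0.113.11")
        if evaluate(profile, sub, released).approved:
            released.append((profile.name, day, per_file_cents))
            total += per_file_cents
    return total
```

The useful comparison is the last function: with a 10K daily limit and no monthly cap, 22 daily files release 220K; add a 50K monthly cap and the sixth file is held for an exception.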

8) ONSITE REVIEWS: Remote Deposit best practices have incorporated an onsite review at customer locations. This can be done for ACH as well, considering the exposure here is much higher than with remote deposit. The onsite review should cover everything noted in #3 plus an audit of the user credentials used to access cash management systems.

9) THIRD PARTY SECURITY SOFTWARE: To be honest, I’m wary of how well these applications work, but they are worthy of investigation. They claim to detect viruses already on machines, block hijacked sessions, and block sites known to harvest credentials. A couple to check out are Prevx and Iovation.

10) DISKS!?!?!?!? When all else fails, go old school: make your clients bring in NACHA-formatted disks, run a virus check on them, check the totals, and confirm they were brought in by legitimate clients.
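“Check the totals” in item 10 means reconciling the control records that every NACHA file carries against the entries it actually contains, which is the same check an ODFI does on an uploaded file. The following is an added example (not Garland Group’s code or any vendor’s) that parses the standard 94-character NACHA layout (record types 1, 5, 6, 7, 8 and 9), verifies each receiving routing number’s check digit, and recomputes the entry count, entry hash, debit and credit totals for every batch and for the file. The sample file it builds, including the company names, account numbers and routing prefixes, is constructed for the example.

```python
"""Reconcile the control totals inside a NACHA-formatted ACH file (added example)."""
from dataclasses import dataclass

RECORD_LEN = 94
CREDIT_CODES = {"22", "23", "24", "32", "33", "34"}  # checking/savings credits (incl. prenotes)
DEBIT_CODES = {"27", "28", "29", "37", "38", "39"}   # checking/savings debits (incl. prenotes)


def routing_check_digit(first8):
    """ABA check digit: weights 3,7,1 over the first eight digits; the 9-digit sum ends in 0."""
    total = sum(int(d) * w for d, w in zip(first8, (3, 7, 1, 3, 7, 1, 3, 7)))
    return str((10 - total % 10) % 10)


def _rec(*fields):
    """Join fixed-width fields into one record and insist it is exactly 94 characters."""
    line = "".join(fields)
    if len(line) != RECORD_LEN:
        raise ValueError(f"record is {len(line)} chars, not {RECORD_LEN}: {line!r}")
    return line


def build_sample_file():
    """Constructed sample (not real data): one PPD credit batch holding two entries."""
    odfi, company_id, batch_no = "12345678", "1123456789", "0000001"
    entries = [("12345678", "000123456789", 250000, "ALICE EXAMPLE"),   # $2,500.00
               ("87654321", "000987654321", 175000, "BOB EXAMPLE")]     # $1,750.00
    recs = [_rec("1", "01", " 123456780", company_id, "100924", "0900", "A", "094", "10", "1",
                 "SAMPLE BANK".ljust(23), "SAMPLE CO".ljust(23), " " * 8),
            _rec("5", "220", "SAMPLE CO".ljust(16), " " * 20, company_id, "PPD",
                 "PAYROLL".ljust(10), "SEP 10", "100927", " " * 3, "1", odfi, batch_no)]
    for i, (rdfi, acct, cents, name) in enumerate(entries, 1):
        recs.append(_rec("6", "22", rdfi, routing_check_digit(rdfi), acct.ljust(17), f"{cents:010d}",
                         f"ID{i}".ljust(15), name.ljust(22), "  ", "0", odfi + f"{i:07d}"))
    total = sum(e[2] for e in entries)
    entry_hash = sum(int(e[0]) for e in entries) % 10**10
    recs.append(_rec("8", "220", f"{len(entries):06d}", f"{entry_hash:010d}", f"{0:012d}",
                     f"{total:012d}", company_id, " " * 19, " " * 6, odfi, batch_no))
    recs.append(_rec("9", "000001", "000001", f"{len(entries):08d}", f"{entry_hash:010d}",
                     f"{0:012d}", f"{total:012d}", " " * 39))
    while len(recs) % 10:                               # pad to a 10-record block with 9-filler
        recs.append("9" * RECORD_LEN)
    return "\n".join(recs) + "\n"


@dataclass
class Totals:
    count: int = 0
    hash_sum: int = 0
    debits: int = 0
    credits: int = 0


def _compare(n, scope, claimed, actual, names):
    return [f"line {n}: {scope} {name} claims {c}, records sum to {a}"
            for name, c, a in zip(names, claimed, actual) if c != a]


def verify_ach_file(text):
    """Return a list of discrepancies; an empty list means every total reconciles."""
    problems, file_totals, batch, file_control = [], Totals(), None, None
    batch_count = record_count = 0
    for n, line in enumerate(text.splitlines(), 1):
        if len(line) != RECORD_LEN:
            problems.append(f"line {n}: record is {len(line)} chars, not {RECORD_LEN}")
            continue
        record_count += 1
        if line == "9" * RECORD_LEN:                     # block filler
            continue
        rtype = line[0]
        if rtype == "5":
            batch, batch_count = Totals(), batch_count + 1
        elif rtype in ("6", "7"):
            if batch is None:
                problems.append(f"line {n}: entry record outside any batch")
                continue
            batch.count += 1                             # addenda (7) count toward the entry count
            if rtype == "6":
                code, rdfi, check, cents = line[1:3], line[3:11], line[11], int(line[29:39])
                if routing_check_digit(rdfi) != check:
                    problems.append(f"line {n}: routing check digit mismatch for {rdfi}{check}")
                batch.hash_sum += int(rdfi)
                if code in CREDIT_CODES:
                    batch.credits += cents
                elif code in DEBIT_CODES:
                    batch.debits += cents
                else:
                    problems.append(f"line {n}: unrecognised transaction code {code}")
        elif rtype == "8":
            if batch is None:
                problems.append(f"line {n}: batch control without a batch header")
                continue
            claimed = (int(line[4:10]), int(line[10:20]), int(line[20:32]), int(line[32:44]))
            actual = (batch.count, batch.hash_sum % 10**10, batch.debits, batch.credits)
            problems += _compare(n, "batch", claimed, actual,
                                 ("entry count", "entry hash", "debit total", "credit total"))
            for f in ("count", "hash_sum", "debits", "credits"):
                setattr(file_totals, f, getattr(file_totals, f) + getattr(batch, f))
            batch = None
        elif rtype == "9":
            file_control = (n, line)
    if file_control is None:
        return problems + ["no file control record"]
    n, line = file_control
    claimed = (int(line[1:7]), int(line[7:13]), int(line[13:21]), int(line[21:31]),
               int(line[31:43]), int(line[43:55]))
    actual = (batch_count, -(-record_count // 10), file_totals.count,
              file_totals.hash_sum % 10**10, file_totals.debits, file_totals.credits)
    return problems + _compare(n, "file", claimed, actual, ("batch count", "block count",
                               "entry count", "entry hash", "debit total", "credit total"))
```

Run `verify_ach_file(build_sample_file())` and the list comes back empty; change one entry’s amount field and both the batch control and the file control report a credit total that no longer matches. A file that fails this reconciliation was either built incorrectly or altered after the customer produced it, and either way it should not be released.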

Webinar – Social Media and Compliance Pt2 – Examples

Brad September 7th, 2010 0 Comments

Thanks to all who were able to attend our webinar last Friday on Social Media and Compliance Part 2 – Examples. Thanks again to James Robert Lay from PTPNewMedia for co-presenting with us this month.

Here are the assets from last month’s webinar: Presentation Slides | Sample Social Media Policy

Next month, October 1st, we will be moving on to another hot topic and speaking about the details of Reg E. Hope to see you there.