Garland Group Blog

Compliance, Conflict & Human Behavior

Gaye Connell October 13th, 2011 0 Comments

October’s Garland Group webinar moved away from the IT Security topic and took a look at how dealing with people can be the most difficult part of compliance.  One of our Sr. Consultants, Courtney Treadway, presented great information on how people cope with the conflict sometimes triggered by the audit and compliance review process.

Here is the PDF presentation: Compliance, Conflict, and Human Behavior

Our next monthly webinar will be on Friday, November 4th.  You can register by clicking this link:  Fri, Nov. 4th, 2011 11:00 AM – 11:30 AM CDT. Please join us for this free webinar!


A Security Lesson from a Security Coach

Nik September 26th, 2011 0 Comments


I know in previous blogs I mentioned I grew up in a small town here in Texas.  I even went to a small college in a slightly larger, but still small, country town (it had a Wal-Mart). I continue to live like I live in a small country town.  For example, I still like to wave at people when I drive by (even at night), I like to keep my back door unlocked just in case someone needs something, I like to leave my keys in my unlocked truck so I don’t lose them, I like to leave my truck running when I run into the grocery store for a quick trip, and I really like to say howdy to all the folks I pass.  Do you notice there is a theme with my truck and/or doors?  Now, I’ve been told many a time that I’m asking for it, and that I am just like my grandmother.  When we would ask her why she was speeding so fast and not wearing her seatbelt she would reply, “If the good Lord want to take me…I’ma ready.” Not really sure if “I’ma” is a word, but I had a similar response for my friends and family: “If they want it that bad they must need it more than me.”

Well, didn’t that just bite me right in the rump a couple of weeks back while on site with a client, right in the middle of the day.  Someone decided they wanted my new CD deck more than I did.  I had just put it in my truck for my birthday.  But before you think to say that I should have locked my doors, well… they were.  Apparently all it takes is a screwdriver and a 4th grade education to break into Ford pickups.  Should have stuck with Chevy, but that is neither here nor there.

This brings me back to my locked doors and possibly a point.  What I am beginning to realize is that you cannot always trust the greater good.  You can sure as heck hope for it, but to bring a security spotlight into the equation: we cannot always trust the minimum security standards.  I made the mistake of “just” locking my doors and relying on Ford’s basic security configuration. Well, we know how that worked out for me.

It is the same thing with the security of your network and overall environment. Most of the time we rely on the minimum standards within our environments. Don’t get me wrong, those are usually strong in the majority of cases and they need to be in place.  What concerns me is the thinking that “this won’t happen to us” and that no one is really going to take the time to figure out my environment.  We, as Garland Group, never set those minimums as our auditing standards. We have always pushed, and will continue to push, our clients to be proactive and go above and beyond best practice. The idea is to not just settle and become stagnant, relying on controls that are quickly becoming the ways of our past.  This is just a friendly reminder, when you are conducting your internal/external tests and risk assessments, to spend a little extra time ensuring you are completely comfortable with your enterprise security.

So for the next person thinking about breaking into my car: I have recently installed a cloaking device with an electric forcefield… the forcefield is much like the electric fence in the first Jurassic Park…

September Webinar – Culture of Compliance

Gaye Connell September 12th, 2011 0 Comments


Garland Group’s very own CEO, Brad Garland, shares the compliance cultures we have experienced over the years and gives you insight into the different culture profile types and what you can do to shift that culture if you are looking for a change.

Here is the PDF presentation: Culture of Compliance

Our next monthly webinar will be on Friday, October 7th.  You can register by clicking this link:  Fri, Oct. 7th, 2011 11:00 AM – 11:30 AM CDT. Please join us for this free webinar!


Link to video here!


Common Confusions in our Audit Scope

Heath September 6th, 2011 0 Comments

I think by now everyone knows that we review every booklet of the FFIEC guidelines, but sometimes there is some common confusion about where our audit scope checklist begins and ends. Let’s clear that up.

ACH Self-Assessments: Our review does include ACH; however, it DOES NOT count toward your institution’s ACH self-assessment that needs to be submitted to NACHA by December 1st of every year. Our review is more security focused, covering items such as dual control, secure transmission out of the bank, secure transmission from the customer, customer limits, agreements, password requirements, etc. NACHA reviews are more transaction and compliance related. I’d go into more depth about those reviews, but as you know now, I DO NOT conduct them.

Red Flags: We touch on Red Flags for preventing identity theft, but that’s basically where it stops from an IT perspective. We basically just ensure there is a Board-approved policy in place, along with a risk assessment and procedures. There are full audit procedures that need to be conducted according to examiners, but those ARE NOT part of our scope. Our FFIEC technology audit satisfies some Red Flags requirements; however, it IS NOT a full Red Flags audit.

Reg GG: Our reviews DO NOT currently include Reg GG compliance. I’ll be honest, there is not a lot of analysis on this regulation just yet, but we do know that financial institutions need to have policies and procedures in place to block restricted gambling transactions according to Reg GG. I also know there are payment card BIN codes specifically for gambling institutions. Finally, our compliance experts just finished a Reg GG template in RiskKey, so feel free to conduct your own reviews using that template. Let us know what you think of the template.

Finally, rest assured that if it is related to technology compliance in any way, we will review it and include it in our scope of work.