Organization: Los Alamos National Bank (LANB)

Industry: Banking – LANB provides full-service banking (including deposit accounts, consumer, safe deposit box rentals; commercial and real estate loans; international services including currency exchange and wires; trust and investment services).

Solution:

• Comprehensive IT FFIEC/COBIT audit
• Vulnerability Testing
• Penetration Testing
• Review of technology department’s services, security, infrastructure and future objectives

Benefits:

• Improved Security — both physical and information
• Continuous Compliance with FFIEC
• Improved Risk Awareness Across the Bank
• Refined Business Processes, Standards and Policies

“The key to our success in any endeavor, whether regulatory requirement or need based, is the importance of finding a partner that understands our needs, collaborates and communicates well the needs and potential solutions to the challenges we are faced with.”  Michelle Sturgeon, IT Group of LANB

Los Alamos National Bank (LANB) was established in June 1963 by a group of local investors who saw the need for a convenient, full-service community bank.  Now one of the largest and strongest banks in the state of New Mexico, LANB continues to be locally owned and operated by Trinity Capital Corporation (TCC), a one-bank holding company.  LANB has 6 locations in Northern New Mexico, provides careers for over 300 banking professionals and current assets over $1.6 billion.  In November of 2000, Los Alamos National Bank was the first corporation in New Mexico, as well as the first bank in the nation, to be awarded the Malcolm Baldrige National Quality Award.  They are committed to their customers and to those activities that foster a better quality of life in the communities they serve.

“Like all financial institutions, we face ever changing regulatory requirements and pressures.” said Michelle Sturgeon of the LANB IT Group.  “…our organization was growing rapidly and the direction and complexity of our technology and services were also changing.  In an effort to ensure strong implementation, proper risk management and best practices were in place, it was determined that a knowledgeable 3^rd party should be brought in for an objective look at the services, security, infrastructure and future direction of the technology department.” LANB’s goal is to provide individuals with the best financial products available, combined with excellent customer service.  Excellent customer service entailed secure banking and ensuring they minimized any risks to their customer’s information. In an information age they needed to find a solution that would help them do this.

The Garland Group (TGG) delivered a comprehensive IT FFIEC/COBIT audit.  This included providing LANB with a thorough audit and risk management evaluation to ensure they were following effective information technology (IT) processes.  TGG also provided LANB with an overall risk profile of their bank so they could understand how their processes and technologies impact their business operations and implement measures to mitigate risk.  TGG has also completed internal vulnerability testing and external penetration testing for LANB.

“The turnaround time has always been satisfactory and we are very happy with the service [TGG] has provided us,” said Sturgeon. The key to our success in any endeavor, whether regulatory or need based, is the importance of finding a partner that understands our needs, then collaborates and communicates those needs and potential solutions to our challenges.  TGG is respected by our regulators, industry peers and are constantly up to date on industry trends, developments and solutions.”

The Garland Group used its expertise to deliver improved security – physical and information, business processes, configurations and policies at LANB.  Los Alamos National Bank also implemented RiskKey and employs it for their IT Audits to monitor and track supporting documents and create an audit history.

The Garland Group ensured that LANB was compliant with their changing regulatory environment. “…[The Garland Group] has made us better.” said Sturgeon. “Their solutions provided us with the competent advice we needed to maintain our edge in a dynamic regulatory environment.  Whether it has been in our approach, awareness or solution implementations,  TGG helps us maintain the edge we need to successfully operate in this dynamic environment filled with risks that did not exist a few years ago.”

Los Alamos National Bank has been a client for over five years and continues to use The Garland Group today for their annual third party information technology audits.

Thanks everyone!

Looking back, whenever it was time to prepare for an external audit, document preparation was always a major event! I would spend days, even weeks, gathering information and camping out at a copy machine, only to run out of paper! After all that copying, now it was time to arrange all this information in some logical order. Needless to say, having information in order before the auditors arrived would save a great deal of time and hopefully make the audit run smoother. As I have now experienced from the other side, that remains true. I can definitely say preparation sets the tone for the entire engagement.

My last engagement as an internal bank auditor introduced me to RiskKey provided by The Garland Group. This program truly cut down what use to be weeks of document preparation to simply only a few hours of downloading documents. It was simple, quick and efficient, and this is only one of the applications available within RiskKey. As a prior internal bank auditor, efficiency is the key to run a productive department and also in preparing for an external audit. Checkout RiskKey, it’s a tool that will increase your department’s efficiencies.

Appoint a CISO or organizational leader for information security:
Every project needs a champion. Your security and compliance program is no different. Security programs that garner support not just from IT but from departments across the enterprises improve their security outlook.

Initiate training and awareness programs on data protection and security for end-users:
Such great advice that many organizations take for granted. Policies and procedures cannot be followed and maintained if your staff does not know about them. Organizations must keep retraining as they hire new employees as well as to ensure security awareness is always at the forefront.

Achieve an organizational culture that respects privacy and data protection:
Cultural change does not happen overnight. Top level management must first define and document the organization’s desired security and compliance culture. They then need to implement programs and activities that communicate and reinforce this desired security compliance culture all departments across the enterprise.

Obtain executive-level support for security:
Agreed! Security compliance is not just the IT or Compliance department’s responsibility and transcends CIOs to the CEO and board of directors. The organization with top executive 100% engaged in its security compliance posture has an immediate advantage.

Deploy strong endpoint controls:
Choosing the right technology for your security programs is critical to achieving continuous compliance. Pick a solution that provides maximum security, automation, and flexibility.

Continuous Compliance means developing a pro-active, enterprise risk assessment and audit program. In the wake of our current economy, security threats, and the customer’s need for privacy, financial institutions must implement continuous compliance programs to be successful.

It enables transparency as organizations have a clear picture of the risks their organization may be exposed to and take measures to rectify. Organizations are able to:

• Implement an enterprise-wide approach to risk and compliance.
• Continuously manage and monitor risks across the enterprise.
• Understand their business environs and make insightful decisions.

It increases efficiency as organizations use less manpower and resources to complete audits and compliance requirements.  Organizations are able to:

• Automate risk, audit and compliance processes.
• Eliminate labor intensive tasks, thus maximizing resources and reducing cost.

It improves agility enabling organization to stay abreast of risks and threats. Organizations are able to:

• Be nimble and react quickly to any changes in business environs.
• Implement and enforce policies that govern the enterprise.

To learn more contact us or comment below!

[Video below]

Thanks everyone!

Hi everybody,

Hope you all had a great Memorial Day weekend. We wanted to share with you the updates that are coming out today. Along with a longer list of updates (see bottom of our dev updates post for details) we are happy to announce our newly organized reporting area within RiskKey.

With reports, we want to create a better alignment with the different project types that come within RiskKey (project mgmt, risk assessment, and audit workflows). So our reports reflect that with the new category headers. The only additional category we created was the ‘Recommendation Reports’ area due to the recommendations (AKA findings) are in both risk assessments and audit projects.

Reports Permissions by Project Type

With all that said, we also included the permissions to only be able to run reports depending on the type of project that you selected. Here’s an example of a ‘project management’ type project. See how the other reports are grayed out because they don’t apply:

You will be unable to run grayed out options.

New Reports Added

While we were at it, we added some new reports to use at your disposal. Here in a brief description of each of the new reports:

• Requested Documents – This is a printable document request list for the project you’re in. This will allow you to see the status of all files being requested and additional details like fulfilled, person responsible, and file name.
• By Starred Items – See screenshot below for where you can ’star’ an assessment or objective item. This report will run any assessment or objective report (depending on which report you run) and show you which items are currently starred. Great for going back to the ones that you need to follow back up on.



• By Current Status – This report was created in combination of our folks and some user feedback to create a report that will really knock your socks off. This allows you to see the current status of any recommendation within a project. The categories statuses include: Past Due, Outstanding, Incomplete, and Completed Recommendations. This is a recommendations report. See the screenshot.

Lastly, within the reports we spent some time improving the readability by increasing the font sizes, bolding some category headings, and reorganizing the information in a more easy, readable way.

We hope you like what we’ve done!

Organization: Lubbock National Bank (LNB)

Industry: Banking

Solution: Full Risk-Based Technology Controls Review & Risk Assessment

Benefits:

• Simplified risk and audit assessment process
• Clear picture of LNB’s compliance and security standards
• Standardized policies and procedures across locations

“RiskKey was great to use and simplified the entire assessment and audit process”  Eddie Schulz, COO of LNB

Lubbock National Bank (LNB) has operated in the Lubbock Market for over 90 years.  As a commercial bank it serves the Lubbock market as well as the Bryan/College Station and Austin markets under the name of Commerce National Bank.  With over 20,000 customers in these markets today, LNB is committed to growing their bank by providing small business customers with strong retail products.

An integral factor in LNB’s business strategy has always been to “provide customers with a trusted place to manage and grow their hard-earned money.” With the current business landscape this is even more challenging.  Everyday there’s a new security threat, new risk levels, as well as even more stringent regulations to comply with.  LNB needed to implement initiatives to ensure they stayed true to their mission.

“We needed to have a strong audit company to do an extensive audit on our technology,” said Eddie Schulz, COO of LNB. “We wanted to make sure that the bank was in compliance and practicing good security and technology standards.  The Garland Group offered the exact comprehensive audit the bank needed.”

The Garland Group delivered a Full Risk-Based Technology Controls Review & Risk Assessment to LNB. This included a thorough risk assessment and policy review. We also did a penetration test on their technology infrastructure and continue to day with quarterly penetration tests. LNB was able to utilize our SaaS application RiskKey to give them the assurance they needed that their customers could trust them to protect their investments.

“RiskKey was great to use and simplified the entire assessment and audit process,” said Schulz. “The Garland Group gave us a complete technology audit and penetration testing.  We were very pleased with the response from our compliance team.”

After the engagement LNB was able to know exactly how the bank measured up with regards to their technology standards and what they needed to do to close any gaps in those standards.  “The Garland Group allowed us to understand the overall scope of our technology issues and how to shape the banks standards in policy and procedures,” said Schulz. “We immediately implemented the recommended new standards on polices and standardized our procedures across locations.”

Well, I’ll tell you.  Let me start by saying I do think the overall benefits of Virtualization heavily outweigh the risks.
Since I don’t want this to be a doom and gloom blog, I’ll start with the positives of Virtualization.

• Less hardware costs for servers and maintenance, but routers and switches too with VLANing.
• Saving valuable physical space in server rooms.
• Going green with energy consumption and generator/battery backups.
• Normalizing platforms across multiple systems.
• Agility in an environment. Imagine if you had a server crash, you can just boot up a Virtual Machine and like that you are good to go!
• Saving money in licensing. I’m not an expert at all on licensing, but I know vendors have laxed on licensing because they are real sure how to manage it with virtualization.

Now, I’ll focus more on the potential risks of Virtualization because they aren’t discussed as much as the benefits, and we are security people…it’s what we do!

• Currently there are no definite standards yet, especially from the FFIEC, but we haven’t even gotten any standards to audit to from PCI or DISA. There are some some best practices docs from DISA in their Virtualization STIG (search Virtualization on DISA’s website) and VMWare’s best practices (Google: VMWare Best Practices)
• In virtualization transparency is reduced so it is hard to find where applications are running at a specific time. In other words, visibility within an environment is blurred.
• Applications must be secure within themselves. What I mean is that any piece of hardware that is compromised, and data on that server can be compromised as well. So if your football bowl picks.xls is compromised and it is on the same server as customer data, you may be S.O.L.
• Virtual Machine Managers have extreme access to the network like never before. Consider segregations of duties for different IT staff managing network and core servers on separate VM installs.
• VM migrations present risk because data may be changed during the migration. Consider encrypting channels, heavily restricing access to who can migrate VM’s, or isolate LAN’s from each other.
• With virtual security appliances Real Time Monitoring needs to always have dedicated resources. Or else Anti-Virus or internal Intrusion Detections may not be getting the resources to operate in real time.
• Cloud Computing is a risk in itself. I do believe there is risk in cloud computing. I don’t believe it is dire as CNET, but this is a good article.
• Currently there are multiple CVE’s associated with virtualization and may be mitigated. Just be sure your internal vulnerability scans check for virtualization risks.

Don’t let this scare you away! I’m excited about the potential of virtualization and the $$$ savings are hard to argue with. Good Luck Virtualizing and don’t forget about our upcoming June 4th webinar on Virtualization and the Compliance Around it!