Pub. 11 2020 Issue 1
www.wvbankers.org 10 West Virginia Banker Chris Joseph is a partner of Arnett Carbis Toothman LLP, located in the Charleston, West Virginia, office. A CPA, certified information system auditor, certified in risk and information systems control, and a certified information technology professional, Mr. Joseph has over 35 years of experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@actcpas.com . Impact of the 3DES Retirement. Any solution that utilizes 3DES will be impacted. On April 18, 2019, Microsoft announced that Office 365 Skype for Business was being retired start- ing July 19, 2019. As part of the process, there was a plan for Microsoft to move the Office 365 Skype for Business online services to the Transport Layer Security (TLS) 1.2+ to increase the level of their security for the service. As a result, the use of 3DES was being retired beginning July 10, 2019. What did that announcement mean? All connections to Office 365 Skype for Business using 3DES will not work. Clients or computers that still required 3DES would not be able to log in to Office 365 Skype for Business. The announcement also stated that people should expect issues connecting to Office 365 Skype for Business services using 3DES. While this is only one announce- ment, more will be expected over the next few years. The Next Step. Now is the time to begin preparing for the upcoming retirement of 3DES. Financial institutions rely on venders to provide numerous services to their customers. A good first step is to revisit the Vendor Management Program. Within the Vendor Management Program, the products and services provided by the different vendors should be identi- fied. As part of the Vendor Management Program, consider beginning the process (if not already started) of assessing the identified vendor’s plans to address the 3DES retirement. Items to identify include what products currently rely on 3DES, the plan for moving away from that reliance, key dates, impact on the user banks, impact on customers, etc. In addition, based upon the results of vendor assessment, the bank should consider a customer education program to reduce the risk of interruption to customer services. For example, the XYZ Bank’s online banking solution utilizes or allows 3DES as it is currently configured. The plan will be to retire the use of 3DES to address security concerns and to address the upcoming 3DES retirement. XYZ Bank may have some customers that use older systems (i.e., Windows XP Pro- fessional, etc.) that may not work with a supported algorithm that currently has an “Acceptable” approval status from NIST (i.e., AES). Of course, during the vendor assessment process, identification of those possible systems is recommended to allow each bank to be more proactive with customers. Conclusion. As with many other areas with information security and technology, it is critical that a financial institu- tion conducts ongoing assessments of the infrastructure currently in place, including the security safeguards that are utilized. Ongoing monitoring of risks and changes is essential to ensure the currency and increase the effectiveness of the information security program. Lending Services Designed to Help Community Banks Reach Their Financial Targets Bank Stock Loans Holding Company Loans Mergers & Acquisition Loans O cer & Director Loans Commercial Real Estate Loans Purchase/Sell Loan Participations Mortgage Lending Financing Available: Take aim and contact us today to discuss your lending request. Our highly skilled team is ready to work for your bank. www.bbky.bank David Fletcher EASTERN KENTUCKY REGION dfletcher@bbky.com Continued from page 9
Made with FlippingBook
RkJQdWJsaXNoZXIy OTM0Njg2