Pub. 5 2014 Issue 4

www.wvbankers.org 12 West Virginia Banker access assigned was not changed in ac- cordance with the change. In other cases, an employee may have the same primary responsibilities but has experienced subtle changes that result in inappropriate logical access assigned. We have also seen up- dates to the core processing system which result in logical access issues. In other cases, the employee(s) in question serve as backup personnel in order to provide timely customer service. There are several controls that can be im- plemented to address the issues. One con- trol is the implementation of logical access administration controls. The logical access administration controls are those that assist the financial institution with requesting, approving and executing logical access changes resulting from new hires, termina- tions or changes in job duties and respon- sibilities. The control usually involves the use of request forms or communications to ensure the appropriate personnel are aware of the changes. Other controls include the implementation of compensation controls over activity conducted including reports review by independent personnel and peri- odic review of the logical access assigned to financial institution personnel. Patch Management. Effective patch man- agement controls are becoming an increas- ing issue with most financial institutions. It is not unusual for a financial institution to have an automated patch management solution in place but when the computers are tested for currency of patches, several computers have missing security updates and patches. Missing security updates and patches could expose the financial institu- tion’s network to various risks in the event a security issue is exploited by an intruder, an employee or a vendor. In other cases, the patch management solution may address Microsoft related products only. Non-Microsoft solutions are at risk for issues with their software code and an unpatched solution can expose the financial institution to the same risks as an unpatched Microsoft solution. To address the patch management issue, the solution should be tested on a regular basis. Do not assume that the solution is working as intended. Also, ensure that all computer systems are included in the patch management solution. Follow-up inquiry with the financial institution’s information technology department or service provider should be made upon discovery of an issue. I ntroduction. We are often asked about the information technology trends in the financial institutions industry. Many times the question is asked to gain our perspective on the latest regulatory “hot buttons” or trends that we have noticed or have read from publications and regulatory communication. Other times the question is asked from what we have seen at other financial institutions or how other financial institutions are handling a similar challenge or issue being encountered. In some cases, the financial institution is trying to address issues with implementing a new product or service. Regardless of the reason, we are encour- aged whenever questions are brought to our attention. From our perspective, we feel it is always a good idea to be proactive while addressing potential information technology issues. This article focuses on some of the chal- lenges, or issues, we have seen or have read about at various financial institutions. In addition to the challenges identified, we have listed compensating controls that could be implemented to assist in address- ing the specific challenge or issue. Please note the items listed are not an all-inclu- sive list. Logical Access. When utilizing a computer system to process significant transactions, it is important that the logical access assigned to financial institution per- sonnel promotes an adequate segregation of duties. In many cases, employees may not have the authority to process certain transactions per policy but the logical access assigned to them grants them that authority. In these cases, the financial institution would have a segregation of du- ties issue resulting from the logical access assigned to their personnel. The inappro- priate access assigned can occur for several reasons. In some cases, an employee may have new job duties and responsibilities resulting from a promotion but the logical Information Technology Common Issues Encountered By Chris Joseph, CPA, CISA, CRISC, CITP Arnett Foster Toothman PLLC