Pub. 5 2014 Issue 4
West Virginia Banker, Winter 2014

Chris Joseph is a Member of Arnett Foster Toothman PLLC, Certified Public Accountants, in the Charleston, West Virginia office. A Certified Public Accountant, Certified Information System Auditor, Certified in Risk and Information Systems Control and Certified Information Technology Professional, Mr. Joseph has twenty-nine years of experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@aftcpas.com.

In addition, non-Microsoft product exposure should be assessed with consideration of obtaining a patch management solution that addresses both Microsoft and non-Microsoft related solutions.

Firewall Configuration. When implementing a firewall, it is important that the firewall is configured to promote the security desired by financial institution management. A firewall out of the box is not sufficient to provide the appropriate security. Areas where issues can occur include:

• Outdated firmware
• Inappropriate rules for incoming and outgoing traffic
• Lack of or ineffective encryption
• User accounts with excessive privileges or user accounts for former employees or relationships
• Ineffective password policies

It is important that the features of the firewall are well understood and that the implementation of the features is in accordance with the financial institution’s policies. Do not assume that the firewall will satisfy the financial institution’s needs “right out of the box”.

Vendor Management. The financial institution industry has seen a large increase of product offerings and services to customers. These products and services include internet banking, mobile banking, remote deposit capture and mobile payments among others.
In addition, many of the traditional services that were conducted internally are now being outsourced including backup, patch management administration, anti-virus administration and network management and support. The trend has resulted in an increased reliance on outside service providers. The financial institution’s vendor management program is critical. The program begins with the identification of vendors that are considered critical. Upon identification, the financial institution must effectively manage the relationship through monitoring the financial viability of the service provider, assessing their controls through the review of the SSAE 16 report, monitoring the service provider activity for compliance with the service level agreement, assessing the service provider’s service by interviewing financial institution employees and monitoring other areas the service provider is contractually obligated to perform. A key point to remember is that accountability will always reside with the financial institution – while the responsibility for performing a task can be outsourced, the accountability cannot.

Conclusion. Information technology is significant to the effective delivery of customer services. An increasing number of challenges are encountered with the increased reliance and use of information technology. A financial institution must ensure a dynamic approach is used to address these challenges and that the controls are assessed and tested regularly.