January 11, 2018
2018 Security & Compliance Check List – WST
Yep, another year has flown by and 2018 is here. Now is a great time to take a close look at your 2018 schedule to make sure the critical elements of your information security & compliance programs are mapped out.
Items you may want to schedule:
- Policy Review, Updates & Approval (every policy should be reviewed, updated as needed, and re-approved annually)
- IT Risk Assessment Update
- IT Security Report to the Board (GLBA)
- Program Training & Testing, including end-user training, tabletop exercises, walk-throughs, and partial or full tests of the following plans:
  - Business Continuity Plan
  - Disaster Recovery Plan
  - Business Impact Analysis
  - Evacuation Plan
  - Pandemic Continuity Plan
  - Incident Response Plan
- External Security Assessments & Audits
  - External Penetration Test (required annually)
  - External Vulnerability Assessment (required annually)
  - Social Engineering Testing (examiner suggested annually)
  - Web Compliance Review (recommended, given upcoming ADA regulations)
  - Independent IT Audit (required annually)
- Internal Assessments and Audits
  - User account review/audit
  - User permission testing and audits (suggested quarterly)
  - Backup file restoration testing
  - Power generator and UPS testing
  - Firewall configuration and rule review (required quarterly)
- Vendor Management and Due Diligence
- Information Security Awareness Training (end users and customers)
- Physical Security Training
- After-hours walk-through security review of branches
- Continuing Education for IT Security and IT Administration
- BSA/AML Training and Audit
- BSA/AML Model Validation
- ACH NACHA Audit
- Review and Finalize IT Security Budget
Other items that may need attention:
- Have you finished all of your remediation efforts for findings from your past audits and examinations?
- Have all your employees read and signed your Acceptable Use Policy, Employee Handbook, and Confidentiality Agreements?
- Have you reminded your users that you may perform Social Engineering Testing at any time?
- Will you attend any technology or compliance seminars or trade shows this year?
- Is your institution ready for InTREx?
- How is your ongoing management of the FFIEC Cybersecurity Self-Assessment Tool going?