January 11, 2018

2018 Security & Compliance Check List – WST

Yep, another year has flown by and 2018 is here. Now is a great time to take a close look at your 2018 schedule to make sure the critical elements of your information security & compliance programs are mapped out.

Items you may want to schedule:

  • Policy Review, Updates & Approval (All policies should be done annually)
  • IT Risk Assessment Update
  • IT Security Report to the Board (GLBA)
  • Program Training & Testing to include End user training, tabletop exercises, walk-through, and partial or full tests of the following:
    • Business Continuity Plan
    • Disaster Recovery Plan
    • Business Impact Analysis
    • Evacuation Plan
    • Pandemic Continuity Plan
    • Incident Response Plan
  • External Security Assessment & Audits
    • External Penetration Test (Required Annually)
    • External Vulnerability Assessment (Required Annually)
    • Social Engineering (Examiner Suggested Annually)
    • Web Compliance (Recommended with upcoming ADA regulations)
    • Independent IT Audit (Required Annually)
  • Internal Assessment and Audits
    • User account review/audit
    • User permission testing and audits (Suggested Quarterly)
    • Backup file Restoration testing
    • Power Generator and UPS Testing
    • Firewall Configuration and Rule Review (Required Quarterly)
  • Vendor Management and Due Diligence
  • Information Security Awareness Training (End user and Customers)
  • Physical Security Training
  • After-hours walk-through security review of branches
  • Continuing Education for IT Security and IT Administration
  • BSA/AML Training and Audit
  • BSA/AML Model Validation
  • ACH NACHA Audit
  • Review and Finalize IT Security Budget

Other items that may need attention:

  • Have you finished all of your remediation efforts for findings from your past audits and examinations?
  • Have all your employees read and signed your Acceptable Use Policy, Employee Handbook, and Confidentiality Agreements?
  • Have you reminded your users that you may perform Social Engineering Testing at any time?
  • Will you attend any technology or compliance seminars or trade shows this year?
  • Is your institution ready for InTREx?
  • How is your ongoing management of the FFIEC Cybersecurity Self-Assessment Tool going?
