2021 Security & Compliance Checklist - WST

Yep, another year has flown by and a new year is here. Now is a great time to take a close look at your 2021 schedule to make sure the critical elements of your information security and compliance programs are mapped out.

Items you may want to schedule:

• Information security awareness training
• Policy review, updates, and approval (annually)
• IT Risk Assessment review and update
• FFIEC Cybersecurity Self-Assessment Tool Review and update
• IT security report to the board (GLBA)
• Program Training & Testing:
  • End user training
  • Tabletop exercises
  • Walk-through exercises
  • Partial or full tests of the following:
    • Business Continuity Plan
    • Disaster Recovery Plan
    • Business Impact Analysis
    • Evacuation Plan
    • Pandemic Continuity Plan
    • Incident Response Plan
• External security assessment and audits
  • External penetration test (expected annually)
  • Vulnerability assessment (internal and external, expected annually)
  • Social engineering testing (expected annually)
  • Web compliance review (recommended with ADA regulations)
  • Independent IT audit (expected annually)
• Internal assessments and audits
  • User account review/audit
  • User permission testing and audits (suggested quarterly)
  • Testing backups
  • Power generator and UPS testing
  • Firewall configuration and rule review (expected quarterly)
  • Vendor management and due diligence
  • Physical security training
  • After-hours walkthrough security review of branches
• Continuing education for IT security and IT administration
• Review and finalize IT security budget
• BSA/AML & OFAC risk assessment (suggested annually to 18 months)
• BSA/AML & OFAC training (annually)
• BSA/AML & OFAC audit (annually to 18 months)
• BSA/AML model validation (suggested every 24 months, assuming no change in BSA risk)
• ACH NACHA audi (required annually)
• Lending, deposit, and administrative compliance audits
• VACATION!

A new thing we recommend this year is the Ransomware Self-Assessment Tool (https://www.csbs.org/ransomware-self-assessment-tool). It’s not required, but can help you understand your ransomware risk, and associated control needs.

Other items that may need attention:

• Have you remediated all findings from your past audits and examinations?
• Have all your employees read and signed your institution’s:
  • Acceptable Use Policy
  • Employee Handbook
  • Confidentiality agreements
• Have you reminded your users that social engineering testing can occur at any time?
• Will you attend any technology or compliance seminars, or trade shows this year?
• Have you visited 10-D Academy lately? (https://10dsecurity.com/10-D-Academy.html)

Link to our IT Security Services: https://10dsecurity.com/10-D-Security-services.html

Link to our Compliance Service: https://10dsecurity.com/10-D-Compliance-services.html