2022 Security & Compliance Check List - WST

Where did 2021 go? Happy New Year’s All!

It is time to take a close look at your 2022 schedule to make sure the critical elements of your information security and compliance programs are mapped out.

Items you may want to schedule:

• Information security awareness training Introduction – Customers
• Policy review, updates, and approval (annually)
• IT Risk Assessment review and updates
• FFIEC Cybersecurity Self-Assessment Tool review and updates
• Ransomware Self-Assessment Tool review and update
• IT security report to the board (GLBA)
• Program Training & Testing:
• End user training;
• Tabletop exercises;
• Walk-through exercises; and
• Partial or full tests of the following:
• Business Continuity Plan
• Disaster Recovery Plan
• Business Impact Analysis
• Evacuation Plan
• Pandemic Continuity Plan
• Incident Response Plan

• External security assessment and audits
• External penetration test (expected annually)
• Vulnerability assessment (internal and external, expected annually)
• Social engineering testing (expected annually)
• Web compliance review (recommended with ADA regulations)
• Independent IT audit (expected annually)
• ATM Physical Audit (recommended with ADA regulations, some states have lighting & safety requirements)
• Internal assessment and audits
• User account review/audit
• Cloud infrastructure review
• User permission testing and audits (suggested quarterly)
• Testing backups
• Power generator and UPS testing
• Firewall configuration and rule review (expected quarterly)
• Vendor management and due diligence
• Physical security training
• After-hours walk-through security review of branches
• FedLine Assurance Audit
• Continuing education for IT security and IT administration
• Review and finalize IT security budget
• BSA/AML & OFAC risk assessment (suggested annually to 18 months)
• BSA/AML & OFAC training (annually)
• BSA/AML & OFAC audit (annually to 18 months)
• BSA/AML model validation (suggested every 24 months, assuming no change in BSA risk)
• ACH NACHA audit (required annually)
• Lending, deposit, and administrative compliance audits
• VACATION!

Other items that may need attention:

• Have you remediated all findings from your past audits and examinations?
• Have all your employees read and signed your institution’s:
• Acceptable Use Policy;
• Employee handbook; and
• Confidentiality agreements?
• Have you reminded your users that social engineering testing can occur at any time?
• Will you attend any technology or compliance seminars, or trade shows this year?
• Have you visited 10-D Academy lately? https://10dsecurity.com/#academy

Who knows what will get added to the list in 2022.

Link to our IT Security Services: https://10dsecurity.com/10-D-Security-services.html

Link to our Compliance Service: https://10dsecurity.com/10-D-Compliance-services.html

Authored by: Philip VanMeerhaeghe, CISSP