May 26, 2022

Are You Still On Track?

Can you believe it, we are almost halfway through 2022! By now you should have most of your compliance/security assessments, audits, and reviews scheduled for the year. This is just a friendly reminder to look back at your 2022 audit plan and make sure all the necessary tasks have been placed on your calendar. The list below covers some of the typical items that need to be done every year.

  • Information security awareness training
  • Policy review, updates, and approval (annually)
  • IT Risk Assessment review and updates
  • FFIEC Cybersecurity Self-Assessment Tool review and updates
  • Ransomware Self-Assessment Tool review and updates
  • IT security report to the board (GLBA)
  • Review and update the Business Impact Analysis
  • Information Security Program Training & Testing:
      • End user training;
      • Tabletop exercises;
      • Walk-through exercises; and
      • Partial or full tests of the following:
          • Business Continuity Plan
          • Disaster Recovery Plan
          • Evacuation Plan
          • Pandemic Continuity Plan
          • Incident Response Plan
  • External security assessments and audits:
      • External penetration test (expected annually)
      • Vulnerability assessment (internal and external, expected annually)
      • Social engineering testing (expected annually)
      • Web compliance review (recommended with ADA regulations)
      • Independent IT audit (expected annually)
      • ATM physical audit (recommended with ADA regulations; some states have lighting & safety requirements)
  • Internal assessments and audits:
      • User account review/audit
      • Cloud infrastructure review
      • User permission testing and audits (suggested quarterly)
      • Testing backups
      • Power generator and UPS testing
      • Firewall configuration and rule review (expected quarterly)
  • Vendor management and due diligence
  • Physical security training
  • After-hours walk-through security review of branches
  • FedLine Assurance Audit
  • Continuing education for IT security and IT administration
  • Review and finalize IT security budget
  • BSA/AML & OFAC risk assessment (suggested annually to every 18 months)
  • BSA/AML & OFAC training (annually)
  • BSA/AML & OFAC audit (annually to every 18 months)
  • BSA/AML model validation (suggested every 24 months, assuming no change in BSA risk)
  • ACH NACHA audit (required annually)
  • Lending, deposit, and administrative compliance audits

  • Other items that may need attention:
      • Have you remediated all findings from your past audits and examinations?
      • Have all your employees read and signed your institution’s:
          • Acceptable Use Policy;
          • Employee handbook; and
          • Confidentiality agreements?
      • Have you reminded your users that social engineering testing can occur at any time?
      • Will you attend any technology or compliance seminars, or trade shows this year?
      • Have you visited 10-D Academy lately? https://10dsecurity.com/#academy

  • And as summer gets started, don’t forget the most important task – scheduling a VACATION!

    Authored by: Phil VanMeerhaeghe, CISSP
