Can you believe it, we are almost halfway through 2022! By now you should have almost all of your compliance/security assessments, audits, and reviews scheduled for the year. This is just a friendly reminder to look back at your 2022 audit plan and make sure all the necessary tasks have been placed on your calendar. The list below is a reminder of some of the typical items that need to be done every year.
Information security awareness training
Policy review, updates, and approval (annually)
IT Risk Assessment review and updates
FFIEC Cybersecurity Self-Assessment Tool review and updates
Ransomware Self-Assessment Tool review and update
IT security report to the board (GLBA)
Review and update the Business Impact Analysis
Information Security Program Training & Testing:
  End user training;
  Tabletop exercises;
  Walk-through exercises; and
  Partial or full tests of the following:
    Business Continuity Plan
    Disaster Recovery Plan
    Evacuation Plan
    Pandemic Continuity Plan
    Incident Response Plan
External security assessment and audits
External penetration test (expected annually)
Vulnerability assessment (internal and external, expected annually)
Social engineering testing (expected annually)
Web compliance review (recommended with ADA regulations)
Independent IT audit (expected annually)
ATM Physical Audit (recommended with ADA regulations, some states have lighting & safety requirements)
Internal assessment and audits
User account review/audit
Cloud infrastructure review
User permission testing and audits (suggested quarterly)
Testing backups
Power generator and UPS testing
Firewall configuration and rule review (expected quarterly)
Vendor management and due diligence
Physical security training
After-hours walk-through security review of branches
FedLine Assurance Audit
Continuing education for IT security and IT administration
Review and finalize IT security budget
BSA/AML & OFAC risk assessment (suggested annually to 18 months)
BSA/AML & OFAC training (annually)
BSA/AML & OFAC audit (annually to 18 months)
BSA/AML model validation (suggested every 24 months, assuming no change in BSA risk)
ACH NACHA audit (required annually)
Lending, deposit, and administrative compliance audits
Other items that may need attention:
  Have you remediated all findings from your past audits and examinations?
  Have all your employees read and signed your institution’s:
    Acceptable Use Policy;
    Employee handbook; and
    Confidentiality agreements?
  Have you reminded your users that social engineering testing can occur at any time?
  Will you attend any technology or compliance seminars, or trade shows this year?
  Have you visited 10-D Academy lately? https://10dsecurity.com/#academy
And as summer gets started, don’t forget the most important task – scheduling a VACATION!
Authored by: Phil VanMeerhaeghe, CISSP