Pub. 6 2016 Issue 2
vice providers perform effective risk management and control, and maintain regular testing of security. Financial institutions should ensure third parties are contractually obligated to provide the financial institution with security incident reports in the event of a detrimental security incident.

Protection and detection systems should be up to date, configured properly, and reviewed periodically. The FFIEC recommends that a baseline environment be established so that financial institutions are able to detect atypical behavior. Systems should be monitored and should alert the financial institution to atypical behavior. Financial institutions should perform due diligence, including review of third party services and software, following industry practice for internally developed applications, penetration testing and vulnerability scans, and review of third party reports generated from monitoring systems. Employees should also be trained in security awareness, for example in recognizing phishing attempts.

Protection against unauthorized access should be employed. Financial institutions should limit the number of employees with privileged credentials and the ability to assign elevated privileges. Access rights should be periodically reviewed to ensure the access is commensurate with the respective employee's job function. Access rights should expire when unused or unnecessary. Geolocation controls and time-of-day authentication rules are good practices for multifactor authentication. Other protections include restricting the number of local administrators, frequent changes to default passwords, prevention of personal computers on business systems, monitoring controls to detect unauthorized devices, and use of secured networks when accessing the business system remotely. Critical systems should have appropriate controls. Segregation of duties, audit, and fraud monitoring should be heightened based on risk.
Examples of extra precautions include limiting sign-on attempts and locking accounts when a user exceeds the permitted number of attempts, encrypting sensitive data, safe password recovery practices, regularly testing security controls (e.g. firewalls), procedures to destroy sensitive information, internet access filtering, and backing up important data. In addition, the financial institution should have a plan set up with third parties to ensure the financial institution is able to quickly recover payment processing or other integral operations when any unforeseen event occurs.

Financial institutions should stay apprised of FFIEC rules and their application with respect to fintech risk mitigation. Financial institutions face regulatory, public and private exposure due to technological risk. Because the industry is constantly changing, financial institutions should engage in sharing forums. Examples of forums include the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the U.S. Computer Emergency Readiness Team (US-CERT).