Eight folks from the Federal Reserve Bank made themselves at home earlier this month in the offices of Centennial Bank of the West in Fort Collins, Colo.
While they were checking that the front doors were secure, they also were checking the computer network. Needless to say, it was a busy week for Basil Blume, the bank's CTO. The Fed audits the bank every year, and auditors inspect IT departments like they do any other.
Centennial Bank is governed by the Fed and must comply with the Gramm-Leach-Bliley Act, a law passed in 1999 that orders banks, brokerage companies and insurance companies to securely store their customers' personal financial information. The Fed regulates about 970 state member banks, according to a spokeswoman.
Federal regulator guidelines state that financial institutions must "identify and assess the risks that may threaten customer information; develop a written plan containing policies and procedures to manage and control these risks; implement and test the plan; and adjust the plan to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security."
Government auditors inspected every facet of Centennial Bank, from physical security to Internet banking. When the work was done, the auditors held an "exit meeting," which was expected, said Blume, who used to be an internal auditor at a manufacturing company.
One area the auditors wanted Centennial Bank's IT department to shore up was the procedure for recording unauthorized, or failed, login attempts on the bank's network; this procedure results in "exception reports." Centennial Bank has such reporting technology in place to protect customer information stored in its financial software system. The Jack Henry & Associates system has an application that records and reports when users try and fail to enter the system.
But the bank's computer network of 225 PCs does not have this security software. For instance, when loan officers process loan applications at their workstations, they often include private customer information in Microsoft Word documents and Excel files.
Centennial Bank is compliant with the Gramm-Leach-Bliley Act, Blume said, but the auditors want the bank to take security to the next level. The government didn't recommend software.
"The onus is on us to ensure we meet timelines or items we agreed to," Blume said. "They're not going to come in and baby-sit."
But Federal Reserve auditors will call and check on the bank's progress. In the few minutes Blume spent thinking about this network security measure before the auditors arrived, he came across two vendors: Somix Technologies Inc. and ScriptLogic Corp.
Blume anticipated the Fed's request. The upside is that management can't deny the regulator's requests. The audit results give him leverage to seek funding and time for the project.
After all, he's under federal orders.