Case study: Fed auditors visit CTO

A CTO hosted several Federal Reserve Bank auditors for an annual inspection. Here's how it went and what you can expect when Uncle Sam drops in for a visit.

Eight folks from the Federal Reserve Bank made themselves at home earlier this month in the offices of Centennial Bank of the West in Fort Collins, Colo.

Audit tips for IT Managers

  • Have a security consulting company audit the IT network six months before your date with auditors. It's money well spent.

  • Document all company policies and procedures, and prepare an overview of the IT department. This reduces auditor questions.

  • Comply with all requests for information during the audit.

  • When the audit is complete, expect an "exit meeting," during which the audit team presents a company with a sometimes-lengthy list of findings and recommendations.

  • Don't worry too much about getting management approval; federal requests for long-overdue projects meet little resistance in management ranks.

While they were checking that the front doors were secure, they also were checking the computer network. Needless to say, it was a busy week for Basil Blume, the bank's CTO. The Fed audits the bank every year, and auditors inspect IT departments like they do any other.

Centennial Bank is governed by the Fed and must comply with the Gramm-Leach-Bliley Act, a law passed in 1999 that orders banks, brokerage companies and insurance companies to securely store their customers' personal financial information. The Fed regulates about 970 state member banks, according to a spokeswoman.

Federal regulator guidelines state that financial institutions must "identify and assess the risks that may threaten customer information; develop a written plan containing policies and procedures to manage and control these risks; implement and test the plan; and adjust the plan to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security."

Government auditors inspected every facet of Centennial Bank, from physical security to Internet banking. When the work was done, the auditors held an "exit meeting," which was expected, said Blume, who used to be an internal auditor at a manufacturing company.

One area the auditors wanted Centennial Bank's IT department to shore up was the procedure for recording unauthorized, or failed, login attempts on the bank's network; this procedure results in "exception reports." Centennial Bank has such reporting technology in place to protect customer information stored in its financial software system. The Jack Henry & Associates system has an application that records and reports when users try and fail to enter the system.

But the bank's computer network of 225 PCs does not have this security software. For instance, when loan officers process loan applications at their workstations, they often include private customer information in Microsoft Word documents and Excel files.

Centennial Bank is compliant with the Gramm-Leach-Bliley Act, Blume said, but the auditors want the bank to take security to the next level. The government didn't recommend software.

"The onus is on us to ensure we meet timelines or items we agreed to," Blume said. "They're not going to come in and baby-sit."

But Federal Reserve auditors will call and check on the bank's progress. In the few minutes Blume spent thinking about this network security measure before the auditors arrived, he came across two vendors: Somix Technologies Inc. and ScriptLogic Corp.

Blume anticipated the Fed's request. The upside is that management can't deny the regulator requests. The audit results give him leverage to seek funding and time for the project.

After all, he's under federal orders.
