<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Safe Systems Newsletter</title>
	<atom:link href="http://news.safesystems.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://news.safesystems.com</link>
	<description>The IT news source for community financial institutions.</description>
	<lastBuildDate>Tue, 22 Jul 2014 13:14:20 +0000</lastBuildDate>
	<language>en-US</language>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Technical Solutions to Meet the Complexity of Modern Banking</title>
		<link>http://news.safesystems.com/2014/07/technical-solutions-to-meet-the-complexity-of-modern-banking/</link>
		<comments>http://news.safesystems.com/2014/07/technical-solutions-to-meet-the-complexity-of-modern-banking/#comments</comments>
		<pubDate>Fri, 18 Jul 2014 02:03:36 +0000</pubDate>
		<dc:creator><![CDATA[Matt Gunn]]></dc:creator>
				<category><![CDATA[NetComply]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=1718</guid>
		<description><![CDATA[Zach Duke, Executive Vice President, Business Development This year I celebrated my 15th anniversary at Safe Systems. While in some ways this milestone snuck up on me, it’s given me a chance to reflect on the many changes our industry has experienced over the last decade and a half.  At Safe Systems we work exclusively [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><a href="http://news.safesystems.com/wp-content/uploads/2012/08/zach.jpg"><img class="alignleft size-full wp-image-1296" style="padding-right: 10px;" src="http://news.safesystems.com/wp-content/uploads/2012/08/zach.jpg" alt="zach" width="100" height="120" /></a>Zach Duke, Executive Vice President, Business Development</p>
<p>This year I celebrated my 15th anniversary at Safe Systems. While in some ways this milestone snuck up on me, it’s given me a chance to reflect on the many changes our industry has experienced over the last decade and a half.  At Safe Systems we work exclusively with financial institutions. Throughout my career, I have had the luxury of working with some great clients at banks and credit unions. Working with these great people, supporting the role community institutions fill in their local economy and seeing the level of customer service these bankers provide their neighbors has fueled my own passion for the industry.<span id="more-1718"></span></p>
<p>As time has gone by, we’ve seen pressure mount on these small institutions: pressure to compete with the services offered by big banks, pressure from regulators, pressure to survive dramatic economic change. Still, community banks are expected to provide the same level of personal service to their customers. I’d like to spend some time highlighting the challenges I’ve seen institutions face and share my thoughts on how to address them.</p>
<p><strong>The Changing Face of Technology and Staffing</strong></p>
<p>Fifteen years ago, institutions were just starting to access the Internet. Some still used DOS software. Only a handful of banks had real-time processing, and Novell was a common server platform. Just six years ago, Apple updated the iPhone, allowing access to Microsoft Exchange and connecting a new generation to their professional email accounts. Today, virtualization,  mobile devices, electronic banking and cloud services have connected us as users and service providers in ways that were impossible just a decade ago. As we’ve added these enhancements, our expectation for turnkey solutions with limited downtime has grown. Gone are the days when you could reboot a server in the middle of the day without causing issues for your staff and customers. We continue to leverage technology more and more to help serve our customers and employees, and the dependency on IT continues to expand.</p>
<p>I was able to sit in on a CEO panel at a recent conference. During the session, one question that came up was, “What is the biggest challenge (or challenges) facing your institution?” One of the recurring themes was the difficulty in finding and keeping talent on staff. It’s something we all face as businesses. I’d add that, along with finding and retaining great employees, most institutions struggle with what role the technology team should have internally. In most cases, the IT manager plays a critical role, as the reliance on technology has continued to expand, and there is also a trend to add the position of CIO or CTO. The goal of these leadership positions is to allow for the institution to have technology and strategy intertwined.</p>
<p><strong>Security is Front and Center</strong></p>
<p>Looking back to the beginning of my career, information security was just starting to be on the forefront. It is hard to imagine today, but I remember dealing with banks that didn’t even have passwords for their network. Now financial institutions face an ever-expanding array of security threats, and they spend more resources to protect against these countless threats. It seems that just about every week we’re reading headlines about another high-profile breach, a new FFIEC update or some new malicious software targeting financial institutions’ valuable data.</p>
<p>Protecting your institution’s digital assets can feel like a full-time job. Not only are hackers constantly searching for undiscovered exploits, but new virus definitions and security updates are released every day, and it’s your responsibility to keep the institution’s machines up to date. Regulators expect financial institutions to be prepared should an incident occur at the bank or one of its many vendors.</p>
<p><strong>Keeping Up with Compliance</strong></p>
<p>At Safe Systems, we regularly help our more than 300 clients with pre-exam and post-exam support. This assistance gives us unique insight into examiner expectations and regulatory trends, and it has become clear that documentation and verification are focus areas for examiners. It is not uncommon for the examiners to take your IT policies and ask whether you can provide proof that your practices line up. This level of documentation is sometimes problematic for technology and operations teams, particularly when you factor in the multiple hats they wear at the institution, the lack of time and the complexity of systems.</p>
<p>You can’t just tell an examiner you’re following the rules. You’ve got to be able to show your work.</p>
<p><strong>Keeping the Institution Running</strong></p>
<p>Today, financial institutions increasingly rely on technology. Resources are limited, the top talent is hard to find and keep on staff, and at the same time, security risks and examiner expectations continue to grow. These many challenges can seem daunting, but no financial institution has to do it all alone.</p>
<p>You can’t outsource responsibility. However, you can partner with companies that can provide the tools and resources necessary to help manage technology and reduce these burdens, as long as the bank can manage and verify the processes in place.</p>
<p>At Safe Systems, we often hear from clients who have experienced several advantages by implementing these network management solutions. The first is the benefit of automating tasks the IT team would otherwise have to perform manually, such as patch management, antivirus management, server hardening and security monitoring. We help supplement existing staff through our knowledge of the industry and by making available our own experts to help with technical configurations and product setups. Finally, these solutions provide greater visibility by having the documentation needed to verify the institution is adhering to its policies and procedures. Ultimately, network management solutions that are designed exclusively for community banks can assist in taking the pressure off of increased examiner expectations and the increase in technology complexity.</p>
<p>Technology, security and compliance don’t have to be a burden to your institution. With the right tools and an advocate on your side, your community bank or credit union can thrive in today’s complex world of banking, and continue to be able to provide the hands-on attention to customers that sets small institutions apart from the competition.</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/2014/07/technical-solutions-to-meet-the-complexity-of-modern-banking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybersecurity (part 1)</title>
		<link>http://news.safesystems.com/2014/07/cybersecurity-part-1/</link>
		<comments>http://news.safesystems.com/2014/07/cybersecurity-part-1/#comments</comments>
		<pubDate>Fri, 18 Jul 2014 01:59:58 +0000</pubDate>
		<dc:creator><![CDATA[Matt Gunn]]></dc:creator>
				<category><![CDATA[Compliance Corner]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=1716</guid>
		<description><![CDATA[Tom Hinkel, VP, Compliance Services Cybersecurity has gotten a lot of attention from regulators lately, and with assessments already underway, promises to be a regulatory focus for the foreseeable future. But exactly what are they expecting from you, and how does that differ from what you may be doing already? More importantly, how should you [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><a href="http://news.safesystems.com/wp-content/uploads/2010/05/tom1.jpg"><img class="alignleft size-full wp-image-569" style="padding-right: 10px;" src="http://news.safesystems.com/wp-content/uploads/2010/05/tom1.jpg" alt="tom" width="110" height="140" /></a>Tom Hinkel, VP, Compliance Services</p>
<p>Cybersecurity has gotten a lot of attention from regulators lately, and with assessments already underway, promises to be a regulatory focus for the foreseeable future. But exactly what are they expecting from you, and how does that differ from what you may be doing already? More importantly, how should you demonstrate that you are cybersecurity compliant?</p>
<p>First of all, it&#8217;s important to understand that, at least initially, regulators will be data gathering only. Don&#8217;t expect any written examination findings or recommendations at this time. What they will be doing is assessing the overall state of cybersecurity. It would appear that the regulators are following the NIST cybersecurity framework that came out earlier this year (also in response to the Presidential Executive Order that came out in February of 2013). <span id="more-1716"></span> The <a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf">NIST framework</a> provides a common mechanism for organizations to:</p>
<ol>
<li>Describe their current cybersecurity posture;</li>
<li>Describe their target state for cybersecurity;</li>
<li>Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;</li>
<li>Assess progress toward the target state; and</li>
<li>Communicate among internal and external stakeholders about cybersecurity risk.</li>
</ol>
<p>It would appear that financial regulators are currently on step 1: gathering information in order to describe the current state of cybersecurity across the financial industry. Of course, once the current state has been established, I expect that &#8220;describing the target state for cybersecurity&#8221; (step #2) will involve additional regulatory expectations.</p>
<p>So what do you need to do now? Well, if you&#8217;ve kept your information security, business continuity, and vendor management policies and procedures up-to-date, probably not much. Cybersecurity is simply a subset of each of those existing policies. In most cases, &#8216;cyber&#8217; refers to either the source or nature of the attack or the vulnerability. Your InfoSec policies should already address this, and so should your business continuity plan. In other words, you should already have procedures in place to secure customer and confidential data and recover critical business processes <em>regardless of the source or nature of the threat</em>. Your policies should all be impact-based, not threat-based. That said, regulators will likely be looking for specific references to &#8216;cyber&#8217;, so it won&#8217;t hurt to make sure your policies include the term.</p>
<p>I&#8217;ll cover the cybersecurity risk management program in more detail in Part 2, but for me the biggest takeaway from the Presidential Directive, the NIST framework, the recent FFIEC joint statements on <a href="http://ithandbook.ffiec.gov/media/154261/unlimited_atm_cash-out_4-2-2014-final.pdf">ATM</a> and <a href="http://ithandbook.ffiec.gov/media/154254/ffiec_ddos_joint_statement_4-2-2014-final.pdf">DDoS</a> attacks, as well as the FDIC&#8217;s C-level <a href="https://www.fdic.gov/news/news/financial/2014/fil14021.html">cybersecurity webinar</a> is this: <strong>for the vast majority of outsourced financial institutions, cybersecurity readiness means A) managing your vendors, and B) having a proven plan in place to detect and recover if a cyber-attack occurs.</strong></p>
<p>Watch for part 2 of Tom&#8217;s Cybersecurity post on <a title="Compliance Guru" href="http://www.complianceguru.com/" target="_blank">ComplianceGuru.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/2014/07/cybersecurity-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managing Email</title>
		<link>http://news.safesystems.com/2014/07/managing-email/</link>
		<comments>http://news.safesystems.com/2014/07/managing-email/#comments</comments>
		<pubDate>Fri, 18 Jul 2014 01:56:02 +0000</pubDate>
		<dc:creator><![CDATA[Matt Gunn]]></dc:creator>
				<category><![CDATA[Tech Support]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=1712</guid>
		<description><![CDATA[Jamie Davis, VP, Education, Product Management and Quality Control Are you an email hoarder?  Do thousands of emails fill your inbox?  Is every message you ever received still in your inbox “just in case” you need it one day?  Or do you find a full inbox suffocating?  Do more than 20 emails make you feel [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><a href="http://news.safesystems.com/wp-content/uploads/2010/05/jamie1.jpg"><img class="alignleft size-full wp-image-592" style="padding-right: 10px;" src="http://news.safesystems.com/wp-content/uploads/2010/05/jamie1.jpg" alt="Jamie Davis" width="100" height="120" /></a>Jamie Davis, VP, Education, Product Management and Quality Control</p>
<p>Are you an email hoarder?  Do thousands of emails fill your inbox?  Is every message you ever received still in your inbox “just in case” you need it one day?  Or do you find a full inbox suffocating?  Do more than 20 emails make you feel stressed or overwhelmed?</p>
<p>Email and email management habits epitomize personality traits.  It’s similar to how someone manages their closets.  Is everything sorted, color coded and in its proper place? Or are clothes on the floor, in a hamper and only on a hanger if they came from the cleaners?  Just as different people’s closets exist in varying degrees of organization, their Outlook inboxes vary just as widely.  Some people naturally keep their Outlook tidy, while others choose to let messages stack up unchecked.  If you would like to hold employees to a standard, then you’ve got to set rules for email usage.  But if no one enforces these rules, expect a lot of unruly inboxes. Changing the way that people use email can ruffle some feathers, so you may be wondering if the effort is worth the reward.<span id="more-1712"></span></p>
<p>Here are a few reasons why you and your employees should care about clean Outlook:</p>
<p>1) No email management means data will grow over time.</p>
<ul>
<li>Data growth almost always equals increased cost: cost for storage, cost for data backup, cost for disaster recovery and the cost involved with a hosting provider</li>
<li>Data growth often means performance will degrade over time.  As data grows, the email database grows.  As the email database grows, the Exchange server’s performance could be affected if it isn’t monitored and managed accordingly.</li>
</ul>
<p>2) Outlook problems:  Although no specific issue has been identified, there’s no end to the news articles and horror stories about what happens as the number of stored emails grows. These issues can range from Outlook becoming sluggish to email systems crashing under the weight of too much information.  Older versions of Outlook can present even more serious and frustrating problems, such as the loss of mail through PST file corruption, or Outlook locking up completely.  Outlook simply wasn’t designed to handle massive amounts of stored email.</p>
<p>Reining in employee inboxes can be a daunting task. Where do you even start?  Here are some recommendations to help limit your institution’s email growth:</p>
<ul>
<li>Set mailbox size limits for all users.  Consider 1 GB per mailbox for heavy email users and .5 GB or .25 GB for lower volume email users.
<ul>
<li>Safe Systems employs these limits on its employees</li>
</ul>
</li>
<li>Encourage employees to use Outlook’s archive capability
<ul>
<li>Ensure user PSTs/archive files are stored on a server if their email contains important information</li>
</ul>
</li>
<li>As an alternative or complement to using Outlook archive, consider adopting an institution-wide email archival solution
<ul>
<li>These are great because they allow each user access to every email they have ever sent or received without keeping these emails in Outlook.</li>
<li>Can allow for tighter mailbox size limits</li>
<li>Safe Systems uses a hosted email archival program for internal employees</li>
</ul>
</li>
<li>Review reports of usage and address as needed</li>
</ul>
<p>While you&#8217;ll never be able to control how each individual uses his or her email account, your policies and settings can make all the difference in terms of cost and performance of your institution&#8217;s systems. If you have any questions about your institution&#8217;s email management, please reach out to your Account Manager.</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/2014/07/managing-email/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RIP TrueCrypt</title>
		<link>http://news.safesystems.com/2014/07/rip-truecrypt/</link>
		<comments>http://news.safesystems.com/2014/07/rip-truecrypt/#comments</comments>
		<pubDate>Fri, 18 Jul 2014 01:53:31 +0000</pubDate>
		<dc:creator><![CDATA[Matt Gunn]]></dc:creator>
				<category><![CDATA[News From the Field]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=1710</guid>
		<description><![CDATA[Charles Copland, Quality Assurance Analyst TrueCrypt is no longer secure. Just ask its makers. As of May 2014 TrueCrypt&#8217;s official website began redirecting visitors to a SourceForge page with the ominous message &#8220;WARNING:  Using TrueCrypt is not secure as it may contain unfixed security issues.&#8221;  For anyone who is not familiar with TrueCrypt these words [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><a href="http://news.safesystems.com/wp-content/uploads/2013/04/Charles.jpg"><img class="alignleft size-full wp-image-1447" style="padding-right: 10px;" src="http://news.safesystems.com/wp-content/uploads/2013/04/Charles.jpg" alt="Charles Copland" width="100" height="120" /></a>Charles Copland, Quality Assurance Analyst</p>
<p>TrueCrypt is no longer secure. Just ask its makers.</p>
<p>As of May 2014 TrueCrypt&#8217;s official website began redirecting visitors to a SourceForge page with the ominous message &#8220;WARNING:  Using TrueCrypt is not secure as it may contain unfixed security issues.&#8221;  For anyone who is not familiar with TrueCrypt these words may barely register, but for a large population of security-minded organizations, analysts, and personal users this announcement was an unwelcome surprise. TrueCrypt was a hugely popular open source freeware application that provided encryption options to protect the data housed on a computer&#8217;s disks. Industries that are charged with protecting personal information, including the financial industry, embraced the software enthusiastically.  TrueCrypt was a major player in the encryption world, so what happened?<span id="more-1710"></span></p>
<p>Originally released during the height of Windows XP&#8217;s popularity in 2004, TrueCrypt provided a level of encryption features above and beyond the Microsoft operating system&#8217;s capabilities. When Windows Vista was released a few years later, Microsoft began offering a built-in encryption tool named BitLocker that satisfied some of the same security needs as TrueCrypt. Microsoft support for Windows XP ended on April 8, 2014, and it&#8217;s no coincidence that TrueCrypt support ended a month later. In fact, the TrueCrypt download website (<a href="http://truecrypt.sourceforge.net">http://truecrypt.sourceforge.net</a>) officially cites newer versions of Windows offering integrated support for encrypted disks as a reason software support was terminated.</p>
<p>A story like this normally doesn’t cause any waves. After all, TrueCrypt was a freeware application built and maintained by a largely-anonymous team of volunteers. This type of project is abandoned all the time, often without any fanfare. The difference with TrueCrypt is it worked well and had a loyal following.  Despite Windows XP’s retirement, TrueCrypt remained popular among users of more recent Windows versions. That popularity fueled speculation as to why its makers abruptly pulled the plug on an application still riding high on a swell of support. One popular conspiracy theory suggests TrueCrypt developers shuttered the program to prevent the NSA from compelling them to disclose encryption weaknesses; after all, infamous NSA-leaker Edward Snowden was a vocal TrueCrypt advocate. A more realistic theory is that TrueCrypt was a victim of its own success.  Many users did not consider TrueCrypt as merely a high quality free option, but as the best encryption solution on the market. As the user base continued to grow, so did the potential for a high-profile hack (and subsequent public backlash). Individuals and businesses relied on the software to protect sensitive information. If that protected data had been compromised, TrueCrypt’s users might have become litigious. In short, a wonderful hobby had turned into a high-pressure job &#8211; one for which the developers did not get paid.</p>
<p>It is important to note that there was no news of any major flaw in TrueCrypt encryption, so the security of the software as of the date of the last release remains intact. However, like any other software available, its security is only as strong as the most recent update. The simple fact that TrueCrypt will no longer be updated to fix bugs or address security holes means the software can no longer be considered secure. While current TrueCrypt users should plan to replace their encryption solution soon, the lack of a widely known exploit means data protected by TrueCrypt remains secure for now.</p>
<p>If you were a TrueCrypt user, then you must now choose a replacement solution based on your financial institution&#8217;s specific needs. This period of transition is an opportunity to reassess which devices require encryption.  As a general rule, if a device is portable – like a laptop – and likely to leave the protection of the network, then it should have some level of encryption. Depending upon your financial institution&#8217;s information security policy, some stationary devices may require encryption as another layer of security to protect especially sensitive data. The following is a brief description of the encryption options available:</p>
<ol>
<li>Full Disk Encryption (FDE): Protecting the entire disk on a computer provides the most comprehensive level of security by protecting all files contained on the computer, including the boot partition and temporary files. Generally, FDE solutions require a passphrase or PIN be entered each time a device is powered on &#8211; if the appropriate submission or key is not entered, then all files on the disk remain unreadable and Windows will not start. If a user forgets or misplaces their passphrase, PIN, or token, then this FDE protection has the potential to cause data loss or lost productivity during recovery efforts. Critics also note that FDE products cause unnecessary processing overhead. However, performance degradation should be well under 10% with proper configuration. This aspect of FDE solutions is most concerning for older laptops with slower processors and less available RAM. Microsoft&#8217;s BitLocker is classified as a full disk encryption solution and is built-in for devices running the premium Windows Vista and Windows 7 Ultimate or Enterprise editions. This feature is also available for Windows 8 Pro devices. If your devices are not running an operating system with BitLocker, or simply require additional management features, there are a variety of third-party offerings available for purchase. Of these, Symantec&#8217;s PGP Whole Disk Encryption is perhaps the best known and most widely used.</li>
</ol>
<ol start="2">
<li>File Level Encryption: While not as all-encompassing as using an FDE solution, File Level Encryption is typically lighter weight and less intrusive. File Level solutions protect individual files or folders rather than the entire disk. This requires less processing overhead for the computer, but the tradeoff is generally greater administrative overhead in order to configure and maintain this security feature. There is also a risk that sensitive data may be written to an unprotected folder, potentially leaving it open to exposure should the device become compromised. While there are third-party tools available to provide File Level Encryption, Microsoft offers an integrated tool named Encrypting File System (EFS). This feature can be managed at the individual workstation level or more widely enforced through group policy, but configuring EFS widely is no simple task. Financial institution administrators that wish to implement EFS should consider third-party software or services that provide a layer of enhanced central management capabilities. As an added bonus, third-party encryption services may also provide supplementary features that remotely disable laptops or lock down data on devices reported as lost/stolen.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/2014/07/rip-truecrypt/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Company Announcements</title>
		<link>http://news.safesystems.com/2014/07/company-announcements-32/</link>
		<comments>http://news.safesystems.com/2014/07/company-announcements-32/#comments</comments>
		<pubDate>Thu, 17 Jul 2014 19:21:52 +0000</pubDate>
		<dc:creator><![CDATA[Matt Gunn]]></dc:creator>
				<category><![CDATA[Other News]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=1705</guid>
		<description><![CDATA[2014 Safe Systems&#8217; National Users Conference: Only two months to go! Safe Systems Client Referral Program: iPad3 giveaway 1 Minute Customer NOC Surveys &#8211; $50 Gift Card Recent Press, eGuides and Articles for Bankers written by Safe Systems New Employees and Appointments &#160; 2014 Safe Systems&#8217; National Users Conference: Only two months to go! Be [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>2014 Safe Systems&#8217; National Users Conference: Only two months to go!</p>
<p>Safe Systems Client Referral Program: iPad3 giveaway</p>
<p>1 Minute Customer NOC Surveys &#8211; $50 Gift Card</p>
<p>Recent Press, eGuides and Articles for Bankers written by Safe Systems</p>
<p>New Employees and Appointments</p>
<p><span id="more-1705"></span></p>
<p><strong>2014 Safe Systems&#8217; National Users Conference: Only two months to go!</strong><br />
Be sure to learn more or register now for Safe Systems&#8217; upcoming <a title="NetConnect 2014" href="http://conference.safesystems.com" target="_blank">NetConnect 2014 Users Conference</a>, which takes place Sept. 23-25 in Chattanooga, TN. There are only 20 spots remaining. Here’s a quick <a title="2012 Safe Systems Conference Highlight Video" href="https://www.youtube.com/watch?v=G5WYlTeEI58" target="_blank">video</a> of our last users conference so you can see it in action!</p>
<p><strong>Safe Systems Client Referral Program: iPad3 giveaway</strong><br />
Just a reminder that we’re close to doing our next drawing for a new iPad right when we have 10 total referrals so please keep those referrals coming for your next 1-in-10 chance to win! <a title="Client Referral Program" href="http://www.safesystems.com/client-referral-program" target="_blank">www.safesystems.com/client-referral-program</a></p>
<p><strong>One-Minute Customer NOC Surveys- $50 Gift Card</strong><br />
Please keep your NOC and project implementation survey responses coming- this will ensure that Safe Systems is always providing you with the best support possible. We just conducted our quarterly drawing for the Safe Systems NOC Survey and the 10 survey winners for the $50 Amazon gift card are: Karen West, Linda Gann, Nita Fulghum, Steve Pencarski, Ernie Rogers, Karen Mizzell, Linda Johnson, Bradley Henson, Sandra Tilton and Mary Ann Craddock. Our next quarterly drawing will be conducted in October so please keep answering those surveys for your next chance to win and to help Safe Systems enhance your client experience.</p>
<p><strong>Recent Press, eGuides and Articles for Bankers written by Safe Systems this Quarter:</strong><br />
<em>BankNews</em>: <a title="Safe Systems Launches Customer Onboarding System" href="http://www.banknews.com/Single-News-Page.51.0.html?&amp;no_cache=1&amp;tx_ttnews%5btt_news%5d=20465&amp;tx_ttnews%5bbackPid%5d=299&amp;cHash=90eb86492d" target="_blank">Safe Systems Launches Personalized Customer Onboarding System</a></p>
<p><em>Bank Systems &amp; Technology</em>: <a title="10 Components of a Comprehensive IT Security Foundation" href="http://www.banktech.com/10-components-of-a-comprehensive-it-security-foundation/a/d-id/1297019" target="_blank">10 Components of a Comprehensive IT Security Foundation</a></p>
<p><i>eGuide</i>: <a title="The Network Evaluation" href="http://www2.safesystems.com/l/10312/2014-06-20/2v1zw3/10312/116080/The_Network_Evaluation___Planning_for_Success.pdf" target="_blank">The Network Evaluation &#8211; Planning for Success</a></p>
<p><em>eGuide</em>: <a title="Server 2003" href="http://www2.safesystems.com/l/10312/2014-06-25/2v2v19/10312/116254/Server_2003___Lessons_Learned_in_Microsoft_Life_Cycle_Support.pdf" target="_blank">Server 2003 &#8211; Lessons Learned in Microsoft Lifecycle Support</a></p>
<p><strong>New Employees and Appointments</strong></p>
<p><strong> <em>We are very excited to announce and welcome the addition of these new employees to the growing Safe Systems family:</em></strong></p>
<p>Bryan Durrette is the new Manager of Client Services. He’s a graduate of Kennesaw State University and is currently enrolled in the University of Management and Technology for his Masters in IT. He comes to us with 20+ years in IT with his most recent experience managing an IT team in the Army National Guard.</p>
<p>Fray DeVore is our new Creative Brand Specialist for Safe Systems. He’ll be building and unifying the Safe Systems brand, including enhancing our corporate branding on every client touch point. Fray comes from Georgia State University with a BFA in Graphic Design.</p>
<p>Betsy Godfrey is our new Manager Services Analyst in our Managed Services department. Betsy attends Kennesaw State University and majors in Business Administration- Information Security and Assurance. Betsy’s certifications include Microsoft MCTS Windows 7 Configuration and CompTIA Security+ce.</p>
<p>Chris Walker is our new Network Analyst. Chris is a graduate of Georgia Southern with a degree in IT and a minor in Computer Engineering. While at GSU, Chris was involved in the American Society for Engineering Education, offered free computer repair/assistance for the elderly, and was a web design and Java tutor.</p>
<p>Stephen Osburn is our new Recovery Analyst. Stephen was a prior intern here at Safe Systems before accepting this position. He is a proud graduate of Georgia Southern University.</p>
<p>Tony Betivas is our new Network Operations Intern. He is currently a student at the University of South Carolina. We look forward to the positive feedback from our clients regarding Tony.</p>
<p>Anne Sikorski has joined Safe Systems as Education Manager, bringing to the team more than 20 years’ experience in instructional design and training.</p>
<p><strong><em>Congratulations to these Safe Systems employees for their recent appointments</em></strong></p>
<p>Tyler Saville has been promoted to Senior Recovery Engineer. Tyler’s many years of technical experience at Safe Systems make him the obvious technical lead for the Continuum group. He has been a force for process creation and organization in the Continuum group.</p>
<p>Holly Hooks has been promoted to Managed Service Engineer. Holly started with us as an Intern in the Spring of 2013 and then joined us full time upon graduating from Georgia Southern. She has quickly become an expert on all of our NetComply related services as well as the technical lead for C-Vault.</p>
<p>David Webber has been promoted to Managed Service Engineer. Now that he is in T2 as an Engineer we look forward to him further broadening his expertise in all of our Managed Services.</p>
<p>Steven Smith has been promoted to Network Engineer. Steven has made a big impact on our most recent workstation build projects and is never afraid to take on the most challenging issues, all while keeping a great attitude.</p>
<p>Dennis Barnett has been promoted to Network Engineer. Dennis came to us from Hometown Bank, and brought valuable knowledge in banking applications over to our team. Since then, he has become the GFI Endpoint Protection guru!</p>
<p>Kiel Motsinger has been promoted to Network Engineer. His innovation continues to prove his value through his workstation building scripts. He also provides unique Linux troubleshooting knowledge.</p>
<p>Ian Ray-Smith has been promoted to Network Engineer. Ian has supported our customers on the early shift for some time, tackling some of the most difficult server down situations before the banks open in the morning.</p>
<p>Eric Thomason has been promoted to Senior Network Engineer. Eric has risen to be one of our most technical engineers in Tier 2. He is able to perform any ProServ project with ease, and consistently receives excellent feedback from our clients.</p>
<p>Clay Davis has joined the Client Services team as a Senior Network Engineer in Tier 3. Clay brings many years of valuable experience to the Tier 3 group. As a battle hardened veteran in several Safe Systems departments, Clay is a true jack of all trades.</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/2014/07/company-announcements-32/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Out with the Old and in with the New: Windows XP and Server 2003 End of Support</title>
		<link>http://news.safesystems.com/2014/04/out-with-the-old-and-in-with-the-new-windows-xp-and-server-2003-end-of-support/</link>
		<comments>http://news.safesystems.com/2014/04/out-with-the-old-and-in-with-the-new-windows-xp-and-server-2003-end-of-support/#comments</comments>
		<pubDate>Wed, 09 Apr 2014 16:19:17 +0000</pubDate>
		<dc:creator><![CDATA[stephanie]]></dc:creator>
				<category><![CDATA[Network Health Check]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=1664</guid>
		<description><![CDATA[Brent Moore, Director of Customer Support Over a year ago, Safe Systems began its initiative to prepare financial institution clients for the end of support for Windows XP on April 8, 2014.  In early April 2013, we were managing 8,788 Windows XP devices and our most recent numbers show 2,462 remaining.  Our professional services team [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><img class="alignleft  wp-image-588" style="margin-left: 5px; margin-right: 20px; border: 1px solid black;" title="Brent Moore" alt="Brent Moore" src="http://news.safesystems.com/wp-content/uploads/2014/04/brent_web.jpg" width="110" height="144" />Brent Moore, Director of Customer Support</p>
<p>Over a year ago, Safe Systems began its initiative to prepare financial institution clients for the end of support for Windows XP on April 8, 2014.  In early April 2013, we were managing 8,788 Windows XP devices and our most recent numbers show 2,462 remaining.  Our professional services team has helped clients replace thousands of these devices and as the numbers show, significant progress has been made.  However, there is still work to be done to upgrade these remaining workstations.  Even now, while on the cusp of completing XP replacements, you should also begin preparations to replace any remaining servers that are running Microsoft Server 2003.  Microsoft will be ending support for Server 2003 on July 14, 2015 and currently we have 866 servers across our client base.</p>
<p>As a reminder, end of support means Microsoft will no longer provide security updates or technical support for these operating systems.  The discontinuation of security updates is the most notable change. It effectively means Microsoft will no longer patch vulnerabilities exploited by malware, which leaves these devices susceptible to attack.  In addition, the inability to receive paid support could leave you in a precarious situation if a device has downtime and it provides a critical function.<br />
<span id="more-1664"></span><br />
The FFIEC released a joint statement on October 7, 2013 regarding end of support for Windows XP, and although it is not specific to Server 2003, it can be applied to both.  In this statement, the FFIEC wrote: “<i>Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized additions, deletions, and changes of data. Additionally, financial institutions and Technology Service Providers that are subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and continue to use XP after April 8, 2014, may no longer be compliant</i>.”</p>
<p>The statement goes on to reference the risk management guidance documented in the FFIEC IT Examination Handbook, which recommends that you perform a risk assessment, select appropriate mitigations, conduct appropriate planning, and carry out ongoing monitoring of the effectiveness of such controls, with reporting to Senior Management or the Board of Directors.  Although the FFIEC doesn’t explicitly say to replace these devices, you can effectively read between the lines and come to the conclusion that the risk is too great not to.  You can review the entire statement at the following URL: <a href="http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf">http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf</a>.</p>
<p>Here are some things to keep in mind when replacing these legacy Operating Systems (OS):</p>
<ol>
<li>Don’t forget about your ATMs, as these typically run a Windows workstation OS and more than likely you have some Windows XP devices.  These are seemingly “out of sight, out of mind” but are an important part of your banking services.</li>
<li>Regarding Server OS, you have a choice to go with Server 2008 or Server 2012.  This is largely dependent on whether your banking core processor is supporting 2012.  Server 2008 has extended support available through January 14, 2020 so if your banking applications are not supported there is plenty of time remaining for Server 2008.  Also, consider that the average lifecycle for a server is four years so you will likely need to replace the server prior to the end of its support date.  Regarding workstation OS, you have a choice to go with Windows 7 or Windows 8.1.  This is largely dependent on whether your banking core processor is supporting 8.1.  But similar to Server 2012, Windows 7 has extended support available through January 14, 2020 so if your banking applications are not supported there is plenty of time remaining for Windows 7.  Also, keep in mind that the average life cycle for a workstation is three years so you will likely need to replace the workstation prior to the end of its support date.</li>
<li>It is never too early to start planning for Server 2003 replacements and certainly do not underestimate this process. Depending on the server in question, you could compare a server replacement to heart surgery as it requires additional preparation and is the cornerstone to so many important aspects of your banking operations.  Don’t procrastinate!</li>
</ol>
<p>Lastly, feel free to reach out to your Account Manager and leverage our more than 20 years of professional services experience to make this a smooth transition.  Keep in mind our implementation calendar is first come, first served, so if you would like our experts to facilitate this process, be sure to contact us well in advance. At times, our installation calendar has been sold out several weeks in advance.  If you do decide to leverage our team, our Technical Solutions department can help identify your business needs, align the appropriate technology and develop a plan that will minimize business interruptions.  From there, our Project Management and Engineering teams will develop a detailed project plan and execute that while minimizing any business interruptions.  This gives you the flexibility to focus on running your business of banking and to depend on us as your technology partner to upgrade your key technologies.</p>
<p>As always, thank you for your business and our continued partnership.  We look forward to the future as technology and regulatory guidance continue to evolve.</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/2014/04/out-with-the-old-and-in-with-the-new-windows-xp-and-server-2003-end-of-support/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Three Tips to Improve Your NetComply Remote Control Sessions</title>
		<link>http://news.safesystems.com/2014/04/three-tips-to-improve-your-netcomply-remote-control-sessions/</link>
		<comments>http://news.safesystems.com/2014/04/three-tips-to-improve-your-netcomply-remote-control-sessions/#comments</comments>
		<pubDate>Wed, 09 Apr 2014 16:17:34 +0000</pubDate>
		<dc:creator><![CDATA[stephanie]]></dc:creator>
				<category><![CDATA[NetComply]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=1662</guid>
		<description><![CDATA[Chris Banta, Manager of Managed Services Let’s talk about the weather. More importantly, let’s talk about how the weather might (or might not) impact your ability to manage your institution’s network. Winter weather and spring storms can be disruptive events that cause nightmare traffic on the roads and stop bankers from doing business. Just this [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-592" style="margin-left: 5px; margin-right: 20px;" title="Chris Banta" alt="Chris Banta" src="http://news.safesystems.com/wp-content/uploads/2014/04/ChrisBanta.jpg" width="110" height="144" />Chris Banta, Manager of Managed Services</p>
<p>Let’s talk about the weather. More importantly, let’s talk about how the weather might (or might not) impact your ability to manage your institution’s network.</p>
<p>Winter weather and spring storms can be disruptive events that cause nightmare traffic on the roads and stop bankers from doing business. Just this past winter, for instance, we experienced a pair of storms in the Southeast that caused major disruptions on our roads and on many businesses’ ability to operate. But that didn’t mean Safe Systems’ clients were cut off from their institutions’ networks. Safe Systems has been hard at work helping bankers – and the financial IT professionals who support them – access their institutions and provide support from remote locations.<br />
<span id="more-1662"></span><br />
When Winter Storm Pax settled in on Georgia and the Carolinas in February, we saw a record high number of concurrent telecommuters and administrators accessing their network assets through Safe Systems’ <a title="NetComply" href="http://www.safesystems.com/solutions/managed_services/netcomply/" target="_blank">NetComply</a> network management solution. What’s more, they were doing it in record time. Thanks to some recent improvements on our side, we’ve eliminated up to 49.9 seconds of delay across all flavors of remote control. For hundreds of banks and credit unions, it makes it that much easier to access and control the more than 25,000 devices we manage through NetComply, whether they’re working in the branch or not.</p>
<p>Remote control is a popular feature of Safe Systems’ NetComply service, allowing administrators to connect to any machine in their network via encrypted and logged sessions. It gives administrative personnel the tools to administer and manage a network, enabling increased productivity, heightened security, greater flexibility and centralized control that’s accessible from anywhere they have an Internet connection.</p>
<p>For those of you who want to prepare for the next big weather event – or who simply want to make the most out of your telecommute – there are a few steps you can take to improve the experience further. Here are three tips that will help improve the NetComply remote control process on your end.</p>
<p style="text-align: center;"><a href="http://www.safesystems.com/wp-content/uploads/2014/02/Remote-Control-Optimization.png"><img class="aligncenter" alt="" src="http://www.safesystems.com/wp-content/uploads/2014/02/Remote-Control-Optimization.png" width="547" height="505" /></a></p>
<p><b>1: Choose the right tools</b></p>
<p>Wherever possible, choose Remote Desktop Protocol (RDP) over Virtual Network Computing (VNC) for desktop access. This will help drive speed and efficiency in your remote sessions.</p>
<p><b>2: Private browsing</b></p>
<p>If you are experiencing errors or sluggishness, try using NetComply with Internet Explorer’s InPrivate browsing feature. A private browsing window can help keep other elements – cookies, temporary Internet files, or other data – from interfering with the remote control session. It’s especially helpful if you’re getting errors due to long stretches without rebooting your machine. Launch InPrivate by pressing Ctrl+Shift+P, through the IE Safety menu or from the tools menu.</p>
<p><b>3: Keep it simple</b></p>
<p>While you may take pride in your skills at multitasking, sometimes remote control features can leave your networked devices overworked. Try not to have multiple LiveConnect sessions connecting to the same machine.</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/2014/04/three-tips-to-improve-your-netcomply-remote-control-sessions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Devices – BYOD, MDM, MAM, MIM, ROFL, BRB, LOL, What Gives?</title>
		<link>http://news.safesystems.com/2014/04/mobile-devices-byod-mdm-mam-mim-rofl-brb-lol-what-gives/</link>
		<comments>http://news.safesystems.com/2014/04/mobile-devices-byod-mdm-mam-mim-rofl-brb-lol-what-gives/#comments</comments>
		<pubDate>Wed, 09 Apr 2014 16:14:20 +0000</pubDate>
		<dc:creator><![CDATA[stephanie]]></dc:creator>
				<category><![CDATA[Network Health Check]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=1658</guid>
		<description><![CDATA[Jamie Davis, VP, Education, Product Management, and Quality Control What am I supposed to be doing for my mobile devices?  What should I be doing for my mobile devices?  What do you recommend I do with my mobile devices? These are examples of what&#8217;s become one of the most common questions our clients ask Safe [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-592" style="margin-left: 5px; margin-right: 20px;" title="Jamie Davis" alt="Jamie Davis" src="http://www.safesystems.com/wp-content/uploads/2013/07/jamie.jpg" width="110" height="144" />Jamie Davis, VP, Education, Product Management, and Quality Control</p>
<p>What am I supposed to be doing for my mobile devices?  What should I be doing for my mobile devices?  What do you recommend I do with my mobile devices?</p>
<p>These are examples of what&#8217;s become one of the most common questions our clients ask Safe Systems employees. With the rise of smartphones and tablets, everyone’s trying to get a handle on how these devices fit within the financial institution’s IT strategy. These are great questions, and something we at Safe Systems have discussed ad nauseam for years.</p>
<p>The problem is that there is no correct answer.  So we respond by asking more questions. What are your goals?  Who owns the phone?  The mobile device discussion is not a simple one.  There are many philosophies, and hundreds of different companies offering many different flavors of mobile device solutions.  Which one should you choose?  The answer changes based on your institution’s needs and who owns the device.  There is no single technology or one company that has the answer to the mobile device conundrum.<br />
<span id="more-1658"></span><br />
That said, let’s take a look at the different options for deploying mobile devices to your employees, and the different management options available for those devices:</p>
<p>The first question you want to answer is who owns the phone?  Who bought the device?  Who pays for the monthly service?</p>
<p><b>Company-Provided Device:</b> In the early days of mobile phones, many people had a “work phone” (typically a Blackberry) for business email and calls, and a “personal phone” to call and text friends and family.  Control typically followed ownership, so it was easy for the individual to understand that the business phone was for business purposes.  Often it was even controlled or locked down to some degree by the business provider, requiring a password to use, timeout after short times of inactivity, etc.  This was all acceptable because it was the company’s phone. It was theirs to control.</p>
<ul>
<li>Pros: Control; Clear line between work and personal</li>
<li>Cons: Cost – Phone and service</li>
</ul>
<p><b>Bring Your Own Device (BYOD):</b> Over the last five years, it’s become increasingly common for companies to allow their employees to use personal devices for business purposes.  This BYOD model gives the user the freedom to buy and use the phone they want.  The institution doesn’t force the employee to use a specific phone nor do they pay for the phone or service.  The user is often happier with this arrangement because they have the phone, case, and accessories they want.  Plus, they aren’t lugging two devices everywhere.  The institution typically has to trade some degree of control over mobile devices in return for the lower costs of purchase, administration, and maintenance.  The BYOD trend has also removed barriers to mobile device adoption for institutions that chose not to allow mobile devices strictly on a cost basis, as costs of device ownership shifted to willing employees.</p>
<ul>
<li>Pros: Cheaper – The end user has choices and flexibility, potentially giving way to greater adoption</li>
<li>Cons: Less control</li>
</ul>
<p>The next question we usually ask is, what are your goals?  The answer is obvious, right?  Control my mobile devices.  But what does control mean?  This is not one of those politician’s questions where they quibble with you over the definition of “is.”  This is a legitimate question due to the options available.</p>
<p>Device Management Options:</p>
<p><b>Mobile Device Management (MDM):</b> This is what most people think of when they talk about controlling or managing mobile devices. Why? For one, it’s been around the longest.  While it might not have always been defined this way, MDM is basically what Blackberry was offering with their devices and service.  It was a proprietary package of both phones and software to enforce rules on those devices, since they were assumed to contain company data.  Chronologically speaking, the next MDM solution to gain traction was Microsoft’s ActiveSync.  Its popularity was based on its close, built-in integration with Microsoft Exchange and the ability for different phone software vendors to take advantage of its features. Now there are literally hundreds of options.  In just a few years we went from one company with one suite of phones to unlimited phone and MDM options.</p>
<p>MDM allows the IT department to control the device.  This is both its greatest strength and its biggest weakness.  In theory, the administrator of the software can enforce rules (passwords, timeouts, encryption, etc.), wipe a device clean, track a phone’s location, and know what applications are installed.  These management capabilities are great features for the most part, but have their problems as well.  Tracking a lost phone is great, but tracking an employee’s movement on the weekend, intentionally or unintentionally, may create problems.  Similarly, the ability to remotely wipe a lost phone is great, but what happens when an employee is terminated or takes a new job somewhere else?   Do you add insult to injury by wiping the phone of a devastated employee on their way out the door?  The wipe will remove sensitive company data and network access, but it could also eliminate all the person’s personal contacts, their spouse’s phone number and pictures of their kids.  So while many of these features are important and easy to implement if the bank owns the device, things may be a little stickier if the employee owns their device.  Also, you will want to compare the MDM’s features to what ActiveSync includes for free.  Many MDMs are built off ActiveSync so there may be a few more features, more granularity, or better reporting.  The “what are your goals” question will play a key role in deciding if those add-ons are ones you need.</p>
<ul>
<li>Pros: Lots of control; lots of options to choose from; best fits where the institution owns the device</li>
<li>Cons: Too much control – control over personal and business information; some features are OS or OS version specific</li>
</ul>
<p><b>Mobile Application Management (MAM)</b>: This is a more granular approach to mobile management.  It focuses more on controlling applications used by the institution instead of the entire phone.  MAM may allow the institution to password-protect, encrypt, or remotely wipe only the applications containing institution information.  For many, this may be just controlling the email application on the device.  The institution no longer cares if the phone has a password or timeout feature.  The applications for business use are defined, secured and controlled.  The downside to this approach is often a limited selection of applications available that are securable in this fashion.  Conversations at our office centered around the question of whether a client would be happy using a “second rate” email app just because it’s secure.  Currently, an iPhone user often has all their email in one application provided by Apple.  They see all communication in one screen and in one app.  Many MAM solutions are going to require the user to view their institution email in a separate app that was written from a security perspective rather than focusing on user-experience or aesthetic appeal.  So, the question becomes what apps do you need to perform securely?  What do the secure versions of these apps look like?  Will they be acceptable alternatives?</p>
<ul>
<li>Pros: Granular control; only control business function apps; may be a better fit in a BYOD environment</li>
<li>Cons: App selection may be limited; apps may not be as user friendly</li>
</ul>
<p><b>Mobile Information Management (MIM):</b> This is an even more granular approach to mobile management as it focuses on a specific type of application to secure mobile communication.  MIM typically refers to the ability to sync documents to different devices and operating systems.  Now that Dropbox, OneDrive (formerly SkyDrive), Box and Google Drive offer the ability to store and share information, what role do these play in company data?  How do you control and secure this information?  There are products out there under the MIM heading dedicated to answering this question.  MIM itself is most likely not a mobile solution; instead, it is a potential piece in your institution’s mobile security.  Think of MIM as MAM, but dedicated to file syncing.  In a similar vein, there are now a few products on the market that just secure email.  While I don’t know of a cool name similar to MIM currently, these products focus on using a MAM approach dedicated to securing company email.</p>
<ul>
<li>Pros: Simple; controls just one aspect/app on the phone</li>
<li>Cons: Might need to be paired with other solutions</li>
</ul>
<p>Who owns the device?  What are your management goals?  Answer those two questions and then find the technology that best fits your needs.  As these solutions mature, the lines between MDM, MAM, MIM and others will likely blur, as companies look to fill multiple needs under one solution.  Many institutions have decided to continue with ActiveSync for the short term until they have compelling evidence to add a layer of security.  Some institutions have chosen a direction and moved forward while others have chosen to use different MAM and MDM solutions together to obtain the functionality desired. From a compliance perspective, you will want to have a policy with defined expectations, management options/controls, and monitoring of controls. [See FFIEC IT Handbook – Information Security – Information Security Risk Assessment – “Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation.”]</p>
<p>I have attached Gartner’s Magic Quadrant for MDM to note popular MDM and MAM tools.  **Gartner lumps these solutions together in their research**</p>
<p style="text-align: center;"><a href="http://news.safesystems.com/wp-content/uploads/2014/04/Magic-Quadrant-for-Mobile-Device-Management-Software.png"><img class="aligncenter  wp-image-1659" alt="Magic Quadrant for Mobile Device Management Software" src="http://news.safesystems.com/wp-content/uploads/2014/04/Magic-Quadrant-for-Mobile-Device-Management-Software.png" width="474" height="493" /></a></p>
<p>Sourced from: http://www.sap.com/pc/tech/mobile/featured/offers/gartner/reports/mdm.html</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/2014/04/mobile-devices-byod-mdm-mam-mim-rofl-brb-lol-what-gives/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>5 Most Common Storage Hogs</title>
		<link>http://news.safesystems.com/2014/04/5-most-common-storage-hogs/</link>
		<comments>http://news.safesystems.com/2014/04/5-most-common-storage-hogs/#comments</comments>
		<pubDate>Wed, 09 Apr 2014 16:11:16 +0000</pubDate>
		<dc:creator><![CDATA[stephanie]]></dc:creator>
				<category><![CDATA[Network Health Check]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=1656</guid>
		<description><![CDATA[Charles Copland, Quality Assurance Analyst Temperatures are rising, birds are chirping, lawnmowers are emerging from their winter slumber and the air is a 50-50 mix of oxygen and pollen.  Spring is officially upon us.  And in the tradition of spring cleaning, the season brings an almost innate desire to de-clutter our home and work lives. [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-592" style="margin-left: 5px; margin-right: 20px;" title="Charles Copland" alt="Charles Copland" src="http://www.safesystems.com/wp-content/uploads/2013/07/Charles.jpg" />Charles Copland, Quality Assurance Analyst</p>
<p>Temperatures are rising, birds are chirping, lawnmowers are emerging from their winter slumber and the air is a 50-50 mix of oxygen and pollen.  Spring is officially upon us.  And in the tradition of spring cleaning, the season brings an almost innate desire to de-clutter our home and work lives. Could your servers use a little spring cleaning too?</p>
<p>Removing unnecessary files from your server frees up valuable resources and can shrink your backup footprint.  Both of these benefits translate directly to cost savings.  Below are some common file extensions that might be bloating your servers&#8217; hard drives.<br />
<span id="more-1656"></span></p>
<ol>
<li><b>.bak files:</b> These files are backups of SQL databases.  A .BAK file encapsulates the contents of a database, so its size is directly proportional to that database; often, this is a very large file.  These files are created through the SQL software itself either as a one-time task, or scheduled for creation at regular intervals in a database maintenance plan.  If designed poorly, database maintenance plans can cause significant data growth.  If the plan backs up the database too frequently or never overwrites old .bak files, then the accumulated .bak files can add up extremely quickly.  Depending upon the specifics of your backup processes or recovery plans, these files may not be necessary at all.  Consider searching your database servers for .bak files and be sure to evaluate any database maintenance plans when backup needs change.</li>
<li><b>.dmp files:</b> Have you seen a blue screen of death on a server?  If so, then that server probably has a .dmp file somewhere in the file structure.  Referred to as &#8220;dump&#8221; files, these files are essentially a diagnostic tool created when the computer&#8217;s operating system experiences a critical failure.  These files are typically not huge, but accumulated files can add up over time.  By default these files will be generated in the Windows directory, but this location and a few additional settings can be changed through the Control Panel.  Clearing servers of any dump files occasionally should be considered a best practice.</li>
<li><b>.tmp files:</b> Windows and many applications can create temporary files with the .tmp extension.  These files are essentially disposable, one-time use files for any number of functions.  A well-crafted application will clean up after itself by deleting any .tmp files that it creates, but if an application is untidy or terminates unexpectedly, then you may be left with some extraneous temporary files.  These files can generally be deleted on sight, but there are a few exceptions – namely if a file is actively being used by Windows or an application.  It is a pretty safe assumption that if a temporary file is more than a few days old, then it can be deleted without worry.  The same principles apply to any file type in the Windows temporary directory.  By default this folder is named &#8220;Temp&#8221; and is located in the Windows folder.</li>
<li><b>.log files:</b> Log files are almost ubiquitous in computing, and can be attributed to many different applications or internal Windows functions.  Searching a server&#8217;s file structure for *.log will likely yield an avalanche of results.  The issue with log files is that some never truncate.  As a log file populates more and more data over time, its size naturally grows to accommodate the data.  The key here is to look for log files with large data sizes.  Some logs can be deleted to free up space, but this should be done with caution.</li>
<li><b>.MP3, .MP4, .AVI, .MOV, etc.:</b> Media files such as images, music and videos are notorious space hogs.  These file types become an issue only when they are not work-related.  These files can most often be found in employee home or personal folders.  While there are definitely exceptions based on the nature of an employee&#8217;s work, typically media files are not critical enough to reside on network storage.  Instead, train employees to save such files that are not required for business purposes to their local disk or a directory that is specifically excluded from backups.</li>
</ol>
<p>Hopefully this list helped you free up some disk space, but it is by no means exhaustive and may not take into account the specifics of your institution’s network.  In order to sustain that clean server feeling long term, consider building a data management plan tailored to your institution’s particular data needs. A management plan is highly unique and may encompass file maintenance, data retention, data backup, data archival or file destruction policies for your institution.  Having a solid plan to tackle your data might just mean less cleaning next spring.</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/2014/04/5-most-common-storage-hogs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Three Keys to Selecting Your Bank’s Next External IT Auditor</title>
		<link>http://news.safesystems.com/2014/04/three-keys-to-selecting-your-banks-next-external-it-auditor/</link>
		<comments>http://news.safesystems.com/2014/04/three-keys-to-selecting-your-banks-next-external-it-auditor/#comments</comments>
		<pubDate>Wed, 09 Apr 2014 16:10:02 +0000</pubDate>
		<dc:creator><![CDATA[stephanie]]></dc:creator>
				<category><![CDATA[Compliance Corner]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=1653</guid>
		<description><![CDATA[Matt Gunn In the world of banking, where institutions are governed by regulations and information security is of utmost importance, IT audits and penetration tests play a significant role in assuring an institution’s practices are aligned with business objectives and the letter of the law. Selecting the right auditor can play a significant part in [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><img class="alignleft  wp-image-569" style="margin-left: 5px; margin-right: 5px; border: 1px solid black;" title="Darren Bridges" alt="Darren Bridges" src="http://www.safesystems.com/wp-content/uploads/2013/05/Gunn2.jpg" width="110" height="144" />Matt Gunn</p>
<p>In the world of banking, where institutions are governed by regulations and information security is of utmost importance, IT audits and penetration tests play a significant role in assuring an institution’s practices are aligned with business objectives and the letter of the law. Selecting the right auditor can play a significant part in maintaining the overall health of your IT controls and preparing your bank or credit union for its next regulatory examination.</p>
<p>Bankers are in the business of banking, and the IT professionals who support them are in the business of keeping networks, communications systems and workstations running. Because an IT audit is a deep dive into the nuts and bolts of the network infrastructure, it might sound like a scary proposition that takes up a lot of time and only exists to tell you what you’re doing wrong. But in reality, it is part of an ongoing process that serves to help banks and credit unions continually improve their controls and better understand – and correct – weaknesses. Selecting the right auditor is particularly important for smaller institutions that don’t have the budget or the staff to dedicate personnel to this role full-time.<br />
<span id="more-1653"></span><br />
At this point we should distinguish between an internal and an external audit.  Some (mostly larger) institutions support their own internal audit departments.  Those that don’t have the size or complexity outsource the internal audit function.  In both cases the objectives are the same: to compare your IT management process to an accepted standard (FFIEC, ISO, COBIT, AICPA, etc.) and help you identify deviations from that standard.  If you support an internal audit department, you should periodically have an external (outside) audit firm attest to their process and findings.  If you outsource the internal audit function, there is no need for an external auditor.</p>
<p>“A financial institution should consider various factors when selecting a professional services firm to perform reviews, assessments and audits,” says Eric Gomez, managing director at Miramar, Fla.-based TruSec Consulting. “Some critical considerations should include independence, industry knowledge and overall business acumen.”</p>
<p>Independence helps ensure bias is not introduced in findings. Further, Gomez explains, financial institutions should seek firms that are familiar with the industry, as well as its operational, business and regulatory challenges. Finally, the IT security assessor or auditor should be well-versed in IT and physical security issues, have strong communication skills, and be able to make sound recommendations based on the available information.</p>
<p>“Probably the biggest issue that I run into is the misconception that all they need to do is go out there and get an audit without first assessing where the risk lies and what scope of testing is necessary,” says Matt Jones, a partner at Dublin, Ga.-based IS Audits and Consulting, LLC, a division of TJS Deemer Dana LLP. “And they view it as a commodity as opposed to what it is, which is: an extension of their own internal audit process.”</p>
<p>Selecting an auditor is more than simply checking a box. Jones warns against seeking an auditor as a reaction to an examiner’s write-up. “When you look at it from that viewpoint as a customer, you aren’t determining on the front end what your needs are, what your risks are, where they really need testing.”</p>
<p>According to the experts, here are three keys to finding the right auditor for your institution.</p>
<p><b>Do Your Research</b></p>
<p>Finding an auditor isn’t a matter of selecting the firm that’s closest to your bank or that offers the best price. Each firm is different, not only in cost and convenience, but also in their level of expertise and how they document findings.</p>
<p>“When you get a proposal from 10 different companies, they are all going to be totally different in terms of what they do, to what degree they do it, their experience level, their quality level and their price,” Jones explains. “If you go into it looking at the audit as a commodity, then the overbearing factor is going to be the price.”</p>
<p>Jones acknowledges that cost is always a consideration, but also cautions bankers to consider what they’re getting in return. Before selecting an auditor, the institution should first conduct an internal risk assessment process to determine what needs to be done, which areas need to be tested and what high risk areas exist. A basic understanding of your own institution’s needs will help you better select the appropriate services from an outside firm.</p>
<p>“In the industry the terms audit, review, assessment, penetration test – they get thrown around a lot and the lines get blurred,” Jones says. “You really have to dig in and look at the product and ask ‘is this what I’m looking for – is this testing the areas that I need tested.’”</p>
<p>When it comes to identifying candidates, ask around. Call peers at other banks, particularly those with similar size and complexity, to find out which auditors they’ve used and about their experiences. Ask trade associations for recommendations, or even your consultant or IT services provider. And when you do find an auditor, ask them.</p>
<p>“References should be obtained and consulted,” Gomez says. “Although [financial institutions] like to work with local providers, geographic location should not be a limiting factor, especially if talent is scarce locally.”</p>
<p>He also recommends that you ask to see deliverables from the auditor, and not just an outline – pay close attention to the auditor’s reporting structure and their flexibility to customize services to your institution. Remember, the report needs to satisfy the needs of multiple stakeholders.</p>
<p>“You are going to have different target audiences reading that report,” Jones says. “They may be board members who want a 50,000 foot view of what’s wrong and how to fix it – they don’t care about the nuts and bolts. Then you have the IT guy who’s tasked with fixing it that wants much more detail in terms of why a recommendation is a recommendation, and how you can fix it. You’ll also have regulators and other auditors who come in and read this report – they will base some of their own findings and recommendations on what is being said in this report too.”</p>
<p><b>It’s Not a Study Session</b></p>
<p>An audit might be something that’s done in advance of a regulatory exam, but experts warn against thinking of it as a last-minute study session. It’s just one part of a much larger IT program.</p>
<p>“’Preparing’ for an audit or a penetration test is the equivalent to going to the gym only in January because of a New Year’s resolution,” Gomez says. “Both tasks will make you feel better temporarily, but none are effective. IT security should not be treated as a transaction—it is a never-ending cycle that should improve with time.”</p>
<p>Auditors and assessors don’t thrive on finding issues, Gomez adds. The more they find, the more reporting they ultimately have to do.</p>
<p>“A good assessor will prepare you to attain and, more importantly, maintain high levels of security by providing sound guidance and recommendations,” Gomez says. “He or she should work with you to improve an ineffective patch management process and not simply provide you a list of missing patches.”</p>
<p>Indeed, a small number of institutions see the auditor as an adversarial relationship, Jones agrees. But having a vulnerability exposed through this process beats the alternative.</p>
<p>“You would rather have somebody that you’re paying to find it, giving you the chance to fix it before a regulator comes in and makes the same discovery,” Jones says. “Or in the case of a vulnerability assessment or a penetration test, you would rather these security vulnerabilities or potentials for a breach, you would rather have your assessor find it than a hacker in Russia.”</p>
<p><b>They Won’t Push Product</b></p>
<p>Independence and objectivity are the currency in which an auditor stakes his or her reputation. As such, their role is to provide an unbiased assessment that serves the institution’s best interest in maintaining secure, compliant IT operations.</p>
<p>“Auditors and assessors should carry out their work freely and in an objective manner,” Gomez says. “Aside from the engagement fees, there should be no financial interest or any benefits obtained from the findings and recommendations provided by the assessor or auditor.”</p>
<p>In any audit, the No. 1 rule of the game is independence, Jones adds. The auditor has to be 100% independent of the subject he or she is testing, and have no skin in the game on selling name brand products or service providers.</p>
<p>“Any vendor that performs administrative, management, or monitoring functions is likely not independent of the subject matter being tested. I would also shy away from any vendor that their whole m.o. when making a recommendation is to turn around and try to sell something to you,” Jones says. “The whole point of the audit is to try to identify control weaknesses and potentially offer suggestions for remediating the problem. The process is polluted if you’ve got an auditor that comes in and has an ulterior motive to actually profit on the back end from the remediation.”</p>
<p>That said, it’s not uncommon for an auditor to recommend speaking with peers at other institutions about their solutions and service providers, or even name some of the IT companies out there. As many community banks, credit unions and other financial institutions as there are out there, it can still feel like a small world. As Jones explains, it’s not unusual for the financial institutions he works with to know each other, whether it’s through another service provider, a state bankers association, the Community Bankers Association or even technology user groups. Often, if he gets questions on technology or a specific issue, he’ll refer them to a common acquaintance.</p>
<p>“That’s being a part of the community,” Jones adds. “By putting clients in touch with one another, I don’t think that we’re necessarily influencing a decision or making any sort of management call that would be an independence issue. I’ll even do the same thing with vendors.”</p>
<p>And according to the CAMELS composite ratings, your ability to work effectively with your auditor to promptly identify and resolve issues can make the difference between a composite score of 1 or 2, or something worse.  Simply stated—proactively engaging a trusted advisor to help you discover potential weaknesses and vulnerabilities is a sign of diligent management and great leadership.</p>
<p>“When the opinion of an examiner or the compromise of your information systems becomes the trigger for action, you are not only perceived as a weak manager but can potentially become the scapegoat,” Gomez says.</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/2014/04/three-keys-to-selecting-your-banks-next-external-it-auditor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
