Pub. 4 2015 Issue 9
December 2015 | Page 33 | Leading advocate for the banking industry in Kansas

• Data wiping and physical destruction of all devices at end of life

5. Is all critical data encrypted?
Encrypting data in use, in transit and at rest provides protection against data compromise:
• Encrypt all hard drives on workstations and portable devices, including tablets and telephones
• Data in transit, backups and archival information should be strongly encrypted to prevent interpretation should data fall into unauthorized hands

6. Do we have an effective patch management program?
All systems—regardless of function or impact—must have the most recent patches applied. Best practices for patch management include:
• Evaluating and testing critical patches in a timely manner
• Applying patches for the riskiest vulnerabilities first
• Using Windows Server Update Services (WSUS) to manage Windows patches
• Thorough management of third-party applications, e.g., Java, Adobe and Flash

7. Does our IT risk assessment address the current environment?
An information security risk assessment must reflect the existing environment and consider the following:
• Identification of foreseeable threats
• Assignment of inherent risk rating
• Likelihood of occurrence
• Magnitude of impact
• Implementation of mitigating controls
• Determination of residual risk rating
• Updates annually or when significant IT environment changes occur

8. Are our employees trained and held accountable?
Organizations must provide ongoing staff training on security best practices, internal policies and new security threats to all officers and employees. At a minimum, do the following:
• Educate all personnel at least annually on data security requirements
• Communicate frequently through email, monthly newsletters, seminars and employee meetings
• Include security training and appropriate signed acknowledgments in the onboarding process

9. Does our organization routinely audit and assess IT controls?
Security controls only provide value when they are audited and monitored for compliance and maintenance. Organizations should complete both internal and independent reviews.

10. Is our organization equipped to take immediate action when incidents occur?
Management's ultimate goal is to minimize damage to the institution and its customers, both by containing the incident as outlined in the incident response program and by following a business continuity plan that addresses restoration of information systems.

An effective, well-organized and well-communicated cybersecurity program requires involvement from the board, senior management and all employees to prevent and respond to incidents. We are entrusted with highly sensitive and personally identifiable information, and it is our responsibility to safeguard it.

Here are some additional resources on the topic:
• FFIEC Self-Assessment tool
• Krebs on Security
• SANS Institute

This article is for general information purposes only and is not to be considered as legal advice. This information was written by qualified, experienced BKD professionals, but applying this information to your particular situation requires careful consideration of your specific facts and circumstances. Consult your BKD advisor or legal counsel before acting on any matter covered in this update. Article reprinted with permission from BKD, LLP, bkd.com. All rights reserved.
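Question 7 lists the components of a risk assessment (foreseeable threats, inherent risk, likelihood, impact, mitigating controls, residual risk, annual updates) without showing how they fit together. The following is an added example, not from the article or BKD: a small risk register that scores inherent risk from likelihood and impact, discounts it by control effectiveness to get residual risk, ranks the results and flags entries older than a year. The 1-3 scales, the percentage model for controls and the sample entries are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Scales are an assumption for this example; the article names the components
# of the assessment but prescribes no scoring scheme.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
REVIEW_INTERVAL = timedelta(days=365)   # "updates annually"

@dataclass
class Risk:
    threat: str          # identified foreseeable threat
    likelihood: str      # likelihood of occurrence
    impact: str          # magnitude of impact
    control_pct: int     # effectiveness of mitigating controls, 0..100
    last_reviewed: date  # when this entry was last updated

def inherent_risk(risk: Risk) -> int:
    """Inherent rating before any controls: likelihood x impact (1..9)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]

def residual_risk(risk: Risk) -> int:
    """Discount the inherent score by control effectiveness, rounding up so a
    partially effective control can never reduce a risk to zero."""
    remaining = inherent_risk(risk) * (100 - risk.control_pct)
    return -(-remaining // 100)          # integer ceiling division

def rating(score: int) -> str:
    """Map a 1..9 score to the low/medium/high label used in the register."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def needs_review(risk: Risk, today: date) -> bool:
    return today - risk.last_reviewed > REVIEW_INTERVAL

def assess(register, today):
    """Rows sorted by residual score (highest first), each flagged if stale."""
    rows = [{"threat": r.threat, "score": residual_risk(r),
             "inherent": rating(inherent_risk(r)),
             "residual": rating(residual_risk(r)),
             "stale": needs_review(r, today)} for r in register]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample register and assessment date (not from the article).
ASSESSMENT_DATE = date(2015, 12, 1)
REGISTER = [
    Risk("Ransomware delivered by phishing", "high", "high", 30, date(2014, 11, 1)),
    Risk("Lost unencrypted laptop", "medium", "high", 50, date(2015, 6, 15)),
    Risk("Unpatched third-party application", "high", "medium", 75, date(2015, 9, 1)),
]

if __name__ == "__main__":
    for row in assess(REGISTER, ASSESSMENT_DATE):
        flag = "  ** review overdue" if row["stale"] else ""
        print(f"{row['threat']:<36} inherent={row['inherent']:<6} residual={row['residual']:<6}{flag}")
```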