Pub. 8 2019 Issue 2
March/April 2019 | Leading Advocate for the Banking Industry in Kansas

• Notification of Regulators and Law Enforcement
Required only under certain situations, such as known loss of institution or customer data/funds.

• Restoration of compromised data
Whether the data has simply been unavailable or its integrity has been fully compromised, restoring from known, good backups is a vital process of both types of tests.

• Documentation
If it isn't written down, it didn't occur. Additionally, it's easy to forget details as time passes once the situation has been resolved. WRITE IT DOWN.

• Lessons learned and Plan modification
A plan is only effective if it has been tested and changed based upon test results. Did the current process function as intended, or were there hiccups or additional steps that need to be taken? Adjust as needed.

• Board reporting
Just as the Board needs to be aware of any impact to business processes, the members of the Board should also be educated on not only any incidents that did occur, but also on the outcomes and what changes were made as a result. After all, the modified plan has to be approved by them anyway, right?

Test! Test! Test!

The BCP and IRP should be tested for a variety of situations, and both planned and unplanned tests should be included. For members of FS-ISAC, the Cyber-Attack Against Payment Systems (CAPS) Exercise [4] is available as a walkthrough test. Additionally, the FDIC has some videos [5] available that address different scenarios and include questions to help discuss how the institution would handle the same scenario.

It's not a question of if, but when, an incident affects important organization or customer data, and ensuring the plans and procedures are effective when that time comes is the best way to be prepared.

Daniel Lindley is a Security and Compliance Consultant for CoNetrix.
CoNetrix is a technology firm dedicated to understanding and assisting with the information and cyber security needs of community banks. Offerings include: information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and Tandem software, used by over 1400 financial institutions to help manage their information security programs, cybersecurity, and more. Visit our website at www.conetrix.com.

1 https://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/other-policies,-standards-and-processes/incident-response.aspx
2 https://ithandbook.ffiec.gov/it-booklets/information-security/iii-security-operations/iiic-incident-identification-and-assessment.aspx
3 https://ithandbook.ffiec.gov/it-booklets/information-security/iii-security-operations/iiid-incident-response.aspx
4 https://www.fsisac.com/Exercises-CAPS
5 https://www.fdic.gov/regulations/resources/director/technical/cyber/purpose.html

PICTURING KANSAS

How do you picture Kansas? We want your snapshots of Kansas events, landscapes, weather, wildlife and more. Pictures to be submitted for the 2020 calendar need to be taken June 1, 2018 – May 31, 2019. E-mail high-resolution digital files (300 dpi at 4" x 6" in TIFF or JPEG format) to Julie Taylor at jtaylor@ksbankers.com. To order official KBA 'Scenes of Kansas' calendars, contact Julie Taylor at jtaylor@ksbankers.com.

Peggy Smith, Bank of the Flint Hills, St. Mary's, submitted this photo for the 2019 photo contest of a butterfly resting on Zinnias at her home in Pottawatomie County.