<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NetConnect</title>
	<atom:link href="http://news.safesystems.com/index.php?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://news.safesystems.com</link>
	<description>The IT news source for community financial institutions.</description>
	<lastBuildDate>Tue, 31 Aug 2010 15:54:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Letter from the President</title>
		<link>http://news.safesystems.com/?p=776</link>
		<comments>http://news.safesystems.com/?p=776#comments</comments>
		<pubDate>Thu, 12 Aug 2010 17:23:06 +0000</pubDate>
		<dc:creator>stephanie</dc:creator>
				<category><![CDATA[Other News]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=776</guid>
		<description><![CDATA[Darren Bridges, President 2010 has been an exciting period for Safe Systems as we’ve seen continued growth, a big step forward in the expansion of our network infrastructure, additions to the team, and a long held company goal realized. From a financial perspective, we have experienced an 18% revenue growth over the same period last [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-569" style="margin-left: 5px; margin-right: 5px; border: 1px solid black;" title="Darren Bridges" src="http://news.safesystems.com/wp-content/uploads/2010/08/darren.jpg" alt="Darren Bridges" width="100" height="120" />Darren Bridges, President</p>
<p>2010 has been an exciting period for Safe Systems as we’ve seen continued growth, a big step forward in the expansion of our network infrastructure, additions to the team, and a long held company goal realized.</p>
<p>From a financial perspective, we have experienced an 18% revenue growth over the same period last year. The expansion of our existing support services and the addition of new services have been key contributors to this growth.   Our hosted email service (SafeSysMail), hosted disaster recovery solution (Continuum), and hosted data backup/vaulting service (CVault) have been extremely well received by our clients.  The overall goal in the development of these new services was to address client needs from the perspective of cost, maintenance and ease of use.   The initial deployments and ongoing tests of the Continuum service have gone extremely well for our clients, coordinating and simplifying a required annual process that was consuming from a time and resource standpoint into an organized and efficient exercise.  Likewise, CVault has provided a more reliable and redundant alternative to tape backup and SafeSysMail has proven an overall lower cost of ownership to in-house mail servers.</p>
<p><span id="more-776"></span>We have added several new clients this year and have grown our staff internally to ensure that we continue to provide prompt and high quality attention to your support needs.  As I’ve said many times, finding and hiring people who best fit our model, our mission and our values is one of the most difficult but important tasks that we face and we are pleased to have recently completed our search for several new additions in Support and Sales.   We hope you will have the opportunity of meeting the new members of the team in the coming weeks.</p>
<p>As a result of the tremendous growth in our hosted services offerings, Safe Systems completed the integration of a second data center in Salt Lake City, Utah this past April.  The addition of this site is an important step in our evolution.  This facility adds redundancy and geographic diversity in order to increase the availability of all of our existing services.  Additionally, we are working on many new and exciting ways for our customers to leverage our redundant cloud infrastructure without incurring the significant expenses that are typically required with in-house or internal solutions.</p>
<p>To further support our clients and to keep you up-to-date with the ever-changing industry, we have also launched a couple of new ways to connect with us online.  First, we have recently launched a new blog/website, <a href="http://www.ffiecguru.com/" target="_blank">www.ffiecguru.com</a>.  The intent was to create a somewhat less formal website focused on providing information on current auditor and examiner trends and the latest FFIEC updates.  This is an interactive site maintained by our in-house Director of Regulatory Compliance, Tom Hinkel, where you can go to stay informed, read the latest articles and whitepapers and launch a question for the “guru”.  We all know that this is a constantly changing world and we hope this dedicated site proves beneficial in your ongoing attempts to stay on top of all things compliance! Additionally, you can now follow us on twitter by visiting <a href="http://twitter.com/SafeSystems" target="_blank">twitter.com/SafeSystems</a>.  Again, this is a great way to access real-time news, updates and educational tools relevant to our community and our industry.  We look forward to your feedback on these new communication methods and hope you will find them to be helpful resources.</p>
<p>Lastly, in March we achieved our long-held company goal: successfully hosting our first Safe Systems Users Conference in Callaway Gardens, Georgia.  We had a great showing of attendees and with the positive responses that we received from our clients, we will be sure to make this an annual event.  Highlights included interactive and educational sessions with our internal and third-party experts and peer-to-peer networking events, benefiting from others&#8217; experiences and best practices.  Most importantly for us, this event gave our team the opportunity to connect with each client and to hear your suggestions for better serving you.  We are currently planning next year’s conference and we hope to see everyone at Callaway Gardens March 23<sup>rd</sup>-25<sup>th</sup>, 2011.</p>
<p>Thank you again for your support so far in a great 2010. Having been a part of this industry for over 17 years, we realize that a core value of the community financial industry is its dedication to the individualized client relationship and that confidence and trust are the foundation of that relationship.  We share that value and as we continue to grow we will keep that at the center of every decision that we make.  Thank you for the many ways that you continue to support us and for your confidence in Safe Systems as your technology partner.</p>
<p>Kindest regards,<br />
<img title="Darren Signature" src="http://www.safesystems.com/images/darrensignature.jpg" alt="Darren Signature" width="158" height="50" /></p>
<p>Darren Bridges<br />
President</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/?feed=rss2&amp;p=776</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud Computing: 5 Questions Financial Institutions Should Ask Before Jumping into the Cloud</title>
		<link>http://news.safesystems.com/?p=771</link>
		<comments>http://news.safesystems.com/?p=771#comments</comments>
		<pubDate>Thu, 12 Aug 2010 17:18:07 +0000</pubDate>
		<dc:creator>stephanie</dc:creator>
				<category><![CDATA[Emerging Technology Series]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=771</guid>
		<description><![CDATA[Curt Frierson, Chief Technology Officer Utility Computing In the latter half of the 19th century, one of the key differentiators for any major business was its effectiveness in producing electric power.  Companies within industries as diverse as printing, manufacturing, agriculture, and food processing had to create their own electric power in order to produce the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-573" style="margin-left: 5px; margin-right: 5px; border: 1px solid black;" title="Curt Frierson" src="http://news.safesystems.com/wp-content/uploads/2010/08/curt.jpg" alt="Curt Frierson" width="100" height="120" />Curt Frierson, Chief Technology Officer</p>
<p><em>Utility Computing</em><br />
In the latter half of the 19<sup>th</sup> century, one of the key differentiators for any major business was its effectiveness in producing electric power.  Companies within industries as diverse as printing, manufacturing, agriculture, and food processing had to create their own electric power in order to produce the goods and services that drove their businesses.  This meant that they had to employ experts who were educated in the latest advancements in electrification if they wanted to gain an edge over their competitors.  Additionally, they had to employ maintenance workers to keep their complicated electric generators running.  Any unplanned downtime in the flow of power to their machines meant hundreds of hours of lost productivity.  Over time, companies had to deal with issues such as ensuring old equipment could work with newer machines and how to integrate new electric power technology with their existing systems.  Looking back on this era, it is easy to see the inefficiencies in this model.  It is also simple to observe the astonishing similarities with the state of information technology today.<br />
<span id="more-771"></span><br />
This is precisely the comparison made by Nicholas Carr in his book, “The Big Switch – Rewiring the World, from Edison to Google.”  In this book, Carr describes the transition from locally produced power in the late 1800’s to the creation of a power grid capable of generating massive amounts of electricity and delivering it across long distances as a utility service.  He then relates this evolution to the current shift in software and computing power from locally installed servers, software, and workstations to hosted IT services and cloud computing.  Virtually every business today has purchased and installed its own computer network.  Most of these individual networks share the same or similar types of technology and software packages that are installed over and over again.  Each organization must incur significant capital expenditures to obtain these tools to run their business.  Additionally, operating expenditures must be incurred to keep systems up-to-date and running efficiently.  Carr predicts that, in the near future, most computing power and software will be provided by technology service providers and paid for as a service fee based on consumption, with little upfront expenses and no ongoing management burden placed on the end-user organization.  This model is very similar to the way we now consume electricity and other utilities.  Although a more accurate and descriptive term for this model may be utility computing, it is most widely known as either cloud computing or hosted services.</p>
<p>Assuming this prediction is correct, a logical question for any financial institution may be, “Should we move to a cloud model now rather than investing more money in hardware and software resources within our institution?”  The answer to this question, however, is not so easy to determine.  Every business must develop its own strategy for taking advantage of the benefits “the cloud” can provide.  Each strategy should be based on the business goals of the individual institution.  For some, adopting a complete cloud-based IT model will help support their business goals.  For others, it may make more sense for the institution to run their own systems that are deemed mission critical while supplementing with hosted services to add additional capabilities and efficiencies in less critical areas.  The following five questions can help guide financial institutions in developing a cloud strategy that best supports the unique goals of their business:</p>
<p style="padding-left: 30px;"><strong><em>1. </em></strong><strong><em>Do we have a firm understanding of where we’re going to be in 3 &#8211; 5 years?</em></strong></p>
<p style="padding-left: 30px;">The past few years have been a turbulent time for financial institutions.  Many institutions are still recovering from budget cuts and are hesitant to commit future resources until the financial outlook has improved.  For these institutions, hosted services may be a good fit to provide the flexibility they need without a large upfront investment.  Hosted services may also be a good fit for institutions that have emerged from the past two years with plans for aggressive growth.  One of the benefits of a cloud-based solution is that additional users can be easily added at any time, eliminating the need for long-term infrastructure planning and building an internal solution to address future capacity.  If, however, your institution has already invested in a technology and does not have short-term growth plans, you may be better off riding out your capital investments to maximize your return on those assets.</p>
<p style="padding-left: 30px;"><strong><em>2. </em></strong><strong><em>Is IT a strategic differentiator for our business?</em></strong></p>
<p style="padding-left: 30px;">Does your institution distinguish itself from the competition by providing technology solutions that are unique to your organization?  If so, it may be difficult to deliver this differentiation with a cloud-based solution.  Hosted services offerings are built to provide a repeatable, affordable solution to meet the needs of the market.  If your institution competes by providing the next generation of services, you may be forced to implement the technology that drives these services as an internal solution in order to provide the unique attributes that will set your institution apart.  Alternatively, many institutions may find that utilizing a hosted service solution provides access to technology that would otherwise be out of reach, either due to the cost or expertise needed to effectively deliver it internally.</p>
<p style="padding-left: 30px;"><strong><em>3. </em></strong><strong><em>Does our current IT budget support our risk tolerance and margin for downtime?</em></strong></p>
<p style="padding-left: 30px;">Ask any financial institution these two questions: What is your maximum allowable downtime for your most critical applications?  How quickly can you recover your most critical applications after a major disaster to your primary IT facility?  For community financial institutions, the answers to these questions are almost always out of sync.  This problem is most often due to the prohibitive cost of delivering high availability and business continuity to smaller environments.  Robust disaster recovery capabilities can involve utilizing specific technologies to protect individual applications, each with its own required investment.  Management costs to ensure the proper operation of these technologies can add additional overhead.  This scenario often forces smaller institutions to forgo the recovery requirements identified in their business impact analysis in order to remain financially sound.  Hosted services can be an ideal way to avoid compromising your business continuity goals.  Because a hosted services provider’s success is based on their reputation for delivering reliable services, any reputable service provider must build in robust disaster recovery by default.  Therefore, utilizing hosted services can allow financial institutions to minimize the cost and complexity involved in addressing their disaster recovery objectives by relying on their service provider to do much of the heavy lifting.  Of course, do not just assume this is being done.  Request a copy of your service provider’s DR test results and ensure they specifically address the hosted services they are providing for you.</p>
<p style="padding-left: 30px;"><strong><em>4. </em></strong><strong><em>Is our IT infrastructure outdated?</em></strong></p>
<p style="padding-left: 30px;">The last few years have forced many organizations to minimize or delay IT spending, resulting in production hardware infrastructures that have become increasingly unreliable and out of warranty.  Additionally, these organizations are now faced with a larger than usual hardware refresh to get back to a stable foundation.  Although this is not an ideal situation, it does provide a great opportunity for revising your strategic IT plan.  A significant change in IT strategy can be cost-justified more easily when facing a large capital outlay.  Financial institutions in this environment can evaluate overhauling their traditional infrastructure to include options such as virtualization, storage area networks, and cloud solutions.  Institutions whose strategic plans call for retaining or developing in-house systems can use this opportunity to build toward that strategy.  Those institutions looking to focus their attention on streamlining their business can migrate toward a hosted services model without having to incur significant write-offs on existing capital expenditures.</p>
<p style="padding-left: 30px;"><strong><em>5. </em></strong><strong><em>Are we willing to invest the required resources to build a staff of IT experts?</em></strong></p>
<p style="padding-left: 30px;">The effect on staffing is one of the most important aspects of the decision to outsource or co-source IT services.  A decision to grow internal IT capabilities must also include a plan to increase both the number and expertise of internal staff.  Utilizing hosted services for all or part of your technology needs will also impact your staffing needs.  Typically, the greater your institution’s use of hosted services to provide your IT capabilities, the fewer requirements you will have to expand your internal staff.  This can result in significant long-term cost savings for a financial institution considering the cost of salaries, benefits, and ongoing education.  However, do not make the mistake of believing you will not need any internal technical staff.  Even in an environment that takes full advantage of hosted services and cloud computing, there is still a need to have resources capable of identifying your IT needs and managing your IT service provider relationships.  The responsibility for managing risk cannot be outsourced, so you must be able to rely on internal employees to provide this critical role.  The staffing benefits with hosted solutions are that you can achieve much greater business scalability without needing to acquire additional IT experts to manage new technology and a growing IT infrastructure.</p>
<p>Computing power is as important today as electric power.  Making efficient and strategic use of information technology is critical to an organization’s success, much like the creation of electric power was in the late 1800’s.  Whether or not “the cloud” is the right strategy to create these efficiencies for your institution depends on whether your business strategy aligns with the benefits this model can provide.  Undoubtedly, a cloud-based IT strategy is a business decision.  For this reason, it is also imperative that executive leadership recognize the importance of their involvement in this issue and take an active role in selecting the right strategy for their institution.</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/?feed=rss2&amp;p=771</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>News From the Field: New Technology Risk Assessment</title>
		<link>http://news.safesystems.com/?p=765</link>
		<comments>http://news.safesystems.com/?p=765#comments</comments>
		<pubDate>Thu, 12 Aug 2010 17:06:50 +0000</pubDate>
		<dc:creator>stephanie</dc:creator>
				<category><![CDATA[News From the Field]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=765</guid>
		<description><![CDATA[Niki Neese, VP Account Management As I have discussed in previous newsletters, we have incorporated a compliance topic to the Quarterly System Review that we perform with your financial institution; the main objective being to present you with information on the latest compliance trends that we see throughout our customer base. Our goal this year [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-573" style="margin-left: 5px; margin-right: 5px; border: 1px solid black;" title="Niki Neese" src="http://news.safesystems.com/wp-content/uploads/2010/05/niki.jpg" alt="Niki Neese" width="100" height="120" />Niki Neese, VP Account Management</p>
<p>As I have discussed in previous newsletters, we have incorporated a compliance topic into the Quarterly System Review that we perform with your financial institution; the main objective being to present you with information on the latest compliance trends that we see throughout our customer base. Our goal this year is to incorporate topics that address the latest IT trends, goals and challenges for financial institutions and give you the tools and suggested solutions to help meet these common challenges.<br />
<span id="more-765"></span><br />
What I’ve seen in the field is that many of my clients have implemented new technology in their institution without first addressing and documenting any risk the institution might incur with the new product or software installation.  Financial institutions are required to ensure the security of customer data, protect data against known or anticipated risks and secure data to protect it from unauthorized access.  In order to protect themselves against internal and external risks, it is imperative that the institution complete an assessment to identify the possible risks that could compromise their systems.</p>
<p>This quarter we have developed an assessment tool to assist you in assessing your new technology project pre and/or post implementation. Your Safe Systems Account Manager is available to help guide you through this assessment tool and if you need further assistance, the Safe Systems Compliance Department is available as well.  Additionally, please contact me directly if you have a compliance topic suggestion that you would like us to incorporate into the Quarterly System Review.</p>
<p><a href="http://news.safesystems.com/wp-content/uploads/2010/08/Risk-Assessment-Matrix-2010Q3.xls">Risk Assessment Matrix</a></p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/?feed=rss2&amp;p=765</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vishing/Smishing Target Financial Institution Customers</title>
		<link>http://news.safesystems.com/?p=761</link>
		<comments>http://news.safesystems.com/?p=761#comments</comments>
		<pubDate>Thu, 12 Aug 2010 17:02:17 +0000</pubDate>
		<dc:creator>stephanie</dc:creator>
				<category><![CDATA[Network Health Check]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=761</guid>
		<description><![CDATA[Jay Butler, Senior Technical Consultant In last quarter’s installment, we looked at ten ways computer users can help prevent malware as a human supplement to the electronic security layers deployed at your financial institution.  Those guidelines are also helpful in thwarting email born phishing attacks that slip past security, but they are essentially useless against [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-611" style="margin-left: 5px; margin-right: 5px; border: 1px solid black;" title="Jay Butler" src="http://news.safesystems.com/wp-content/uploads/2010/05/jay.jpg" alt="Jay Butler" width="100" height="120" />Jay Butler, Senior Technical Consultant</p>
<p>In last quarter’s installment, we looked at <a href="../?p=594">ten ways computer users can help prevent malware</a> as a human supplement to the electronic security layers deployed at your financial institution.  Those guidelines are also helpful in thwarting email-borne phishing attacks that slip past security, but they are essentially useless against vishing or smishing.  Phishing attacks are known as vishing when a criminal attempts to trick their victim into revealing private information over the phone; the smishing method uses text messages.<br />
<span id="more-761"></span><br />
Because vishing/smishing attacks occur outside the electronic fortress protecting your computer network, the human factor may be the only barrier in preventing successful exploits.  Effective defense for vishing/smishing and the more common phishing requires a strong commitment toward <span style="text-decoration: underline;">customer</span> education, not just employees. Educate your customers about the various methods used to trick them into revealing private information.  Use your website to explain what the different attacks are and how they work.  If you become aware of a trend in your area or a direct attempt, publish that information on your website along with a general statement that your financial institution is taking action.</p>
<p>Use more confidential methods to reveal how you will and will not communicate to your customers.  I suggest revealing as little as possible publicly about the specifics concerning how your financial institution communicates to its customers.  Instead of  advertising these details to anyone on the Internet, including would-be hackers and data thieves, I recommend using more secure methods such as Internet banking, account statements, and other direct mailings.</p>
<p>Besides these proactive ideas, you also should  be prepared for a potential event.  BankInfoSecurity.com posted an article in April (Linda McGlasson, 2010) that outlines a good vishing incident response plan created by two banking/security leaders from a state hit by a vishing spree.  Here is a summary of that plan:</p>
<ol>
<li> Set Procedures to Report Calls – Have a procedure for employees to report at the time of first (and subsequent) notification.  Employees need to know what information to gather.</li>
<li>Alert Customers – Explain phone and text message phishing.  Consider initiating a news article. Place a banner on your website to inform customers about the scam.</li>
<li>Run Down the Source – Find out where the attack came from and the numbers customers are requested to call.  Have the number shut down by determining the carrier and contacting them.</li>
<li>Notify Telecomm Carriers such as AT&amp;T, Verizon, Sprint, Qwest, Alltel, TMC, and Level 3 via their published abuse/fraud email addresses.  Ask to have the number(s) shut down due to suspected fraudulent criminal activity.</li>
<li>Make Customer Education a Priority – Use your webpage, account statements, automated phone systems, and newsletters.</li>
</ol>
<p>Please take the time to visit <a href="http://www.bankinfosecurity.com/articles.php?art_id=2457&amp;pg=2" target="_blank">http://www.bankinfosecurity.com/articles.php?art_id=2457&amp;pg=2</a> and read the entire article that includes important details for an effective response.  Afterward, meet with your technology committee to create your own specific plan and incorporate it into your broader information security policy.  Plan and implement a strategy to keep employees and customers educated about threats directed at them.  Sign up to receive newsletters from sources like BankInfoSecurity.com and CUInfoSecurity.com.  CUInfoSecurity.com has an excellent article on yet another method used to “phish” private information, <a href="http://www.cuinfosecurity.com/articles.php?art_id=2796" target="_blank">phishing via fax</a>.  These two sites are excellent sources of security information for community financial institutions.  Increased awareness is our best defense in an information age that attracts new criminals who engage in an ever-evolving array of increasingly sophisticated white collar crime.  We should strive to educate people with the same tenacity we use to secure computers.</p>
<blockquote><p>While the traditional email phishing is most common, a number of factors make the vishing/smishing derivatives an attractive new tool for crafty information thieves:</p>
<p>-          Most phishing attacks are filtered out by today’s advanced email scanners, which provide no protection from voice- or text-driven attacks.</p>
<p>-          People’s growing suspicion of email is improving the identification of traditional phishing attempts, but people may not be as alert to phone- or text-based attacks.</p>
<p>-          Criminals realize that highly regulated financial institutions must continually evolve their electronic security to protect sensitive information.</p>
<p>-          Financial institutions can train employees more effectively than they can inform customers.</p>
<p>-          The anonymity of using VOIP technology has emboldened the vishing criminals much like email does for phishing.</p></blockquote>
<hr /><p>Works Cited<br />
Linda McGlasson, M. E. (2010, April 26). How to Respond to Vishing Attacks. Retrieved July 26, 2010, from BankInfoSecurity.com: <a href="http://www.bankinfosecurity.com/articles.php?art_id=2457&amp;pg=1" target="_blank">http://www.bankinfosecurity.com/articles.php?art_id=2457&amp;pg=1</a></p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/?feed=rss2&amp;p=761</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2010 Breaches and Preventative Measures for Your Financial Institution</title>
		<link>http://news.safesystems.com/?p=748</link>
		<comments>http://news.safesystems.com/?p=748#comments</comments>
		<pubDate>Thu, 12 Aug 2010 16:34:58 +0000</pubDate>
		<dc:creator>stephanie</dc:creator>
				<category><![CDATA[Education]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=748</guid>
		<description><![CDATA[Jamie Davis, Education and Product Manager There are thirty-three reported breaches in 2010 for financial institutions as of the first of June.  These thirty-three breaches have led to 1,817,328 known records being compromised and many more unknown at this time.  Here is a breakdown of where these breaches originated:[1] Employee intentional Former employee access Current [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-592" style="margin-left: 5px; margin-right: 5px;" title="Jamie Davis" src="http://news.safesystems.com/wp-content/uploads/2010/05/jamie.jpg" alt="Jamie Davis" width="100" height="120" />Jamie Davis, Education and Product Manager</p>
<p>There are thirty-three reported breaches in 2010 for financial institutions as of the first of June.  These thirty-three breaches have led to 1,817,328 known records being compromised and many more unknown at this time.  Here is a breakdown of where these breaches originated:<sup><a href="#_ftn1">[1]</a></sup></p>
<table border="0">
<tbody>
<tr>
<td width="77%">Employee intentional
<ul>
<li>Former employee access</li>
<li>Current employee access</li>
</ul>
</td>
<td width="23%">6</td>
</tr>
<tr>
<td>Employee accidental
<ul>
<li>Stolen laptops (from office)</li>
<li>Virus/Malware</li>
<li>Stolen backups</li>
<li>Incorrect procedure</li>
</ul>
</td>
<td>14</td>
</tr>
<tr>
<td>Vendor</td>
<td>1</td>
</tr>
<tr>
<td>Hack</td>
<td>4</td>
</tr>
<tr>
<td>Software vulnerability</td>
<td>2</td>
</tr>
<tr>
<td>Social engineered/ATM skimming</td>
<td>5</td>
</tr>
<tr>
<td>Unknown</td>
<td>1</td>
</tr>
</tbody>
</table>
<p><span id="more-748"></span><br />
What the numbers above represent is who or what was at fault.  I’ve always theorized that employees are the greatest threat to information security for financial institutions.  These numbers strongly back up this premise.  Sixty-one percent of the breaches examined related in some way to an employee’s actions.  If the data above holds true for the rest of 2010, the number one threat to information security is not a phishing scam, nor your network being hacked, not even a social engineering scheme; it is simply your employees not following procedures or being allowed access to too much information without the appropriate controls and monitoring.</p>
<p>Think back to the past year. How much did you spend on firewalls, IPS, security monitoring, vulnerability testing, etc.?  Probably thousands of dollars were spent in services, hardware, maintenance fees, etc.  How much did you spend on training your employees?  How much did you spend on software, hardware, and services to limit and monitor employee access?  In many cases, this number is much less.  You could argue that those thousands of dollars spent on the security of your communications have led to the lack of issues in this area.  I would agree.  With breaches in this area being low, this is money well spent in the information security of your institution.  You could argue that the cost to the institution of being “hacked” is much higher than most employee related issues that occur.  In many circumstances this is true also.  If you include the financial loss, reputation hit, and customer reaction to a notification of being hacked, your investment is well spent.</p>
<p>The numbers above represent a definite need for more focus on the employee risks.  If the following recommendations had been done, many of the employee issues above could have been avoided:</p>
<ul>
<li>Change Control process followed when employees leave the financial institution
<ul>
<li>Appropriate documentation sent to the administrator, other key employees, and appropriate vendors in a timely manner</li>
</ul>
</li>
<li>Antivirus and malware software installed and monitored on all machines</li>
<li>Laptops encrypted and stored appropriately</li>
<li>Backup tapes/drives logged, tracked, and encrypted</li>
<li>Employees only given access to folders and software they need to perform their job duties</li>
<li>Employees trained and tested on appropriate procedures</li>
<li>Limit access to end points like USB drives
<ul>
<li>At least two of the breaches dealt with employees downloading data to external hard drives and walking out the door with the data</li>
</ul>
</li>
</ul>
<p>Furthermore, how many of these quotes below could potentially happen to your institution?<sup><a href="#_ftn2">[2]</a></sup> *Note institution names were removed from quotes*</p>
<blockquote><p>“unencrypted portable drives was stolen from an employee’s vehicle”</p>
<p>“could not locate a CD containing customer information, including names, dates of birth, and Social Security numbers”</p>
<p>“A former employee took customer information and gave it to accomplices”</p>
<p>“A financial advisor reported that a laptop was missing from his desk… contained sensitive customer data.”</p>
<p>“laptop stolen that contained customer account information, names, and Social Security numbers. Although the data were encrypted it is possible that <span style="text-decoration: underline;">security access information</span> may also have been stolen with the computer.&#8221;</p>
<p>“unauthorized use of their database of clients”</p>
<p>“former employee had accessed customer information on its network”</p>
<p>“former employee stole bank customers&#8217; names, addresses, dates of birth and social security numbers”</p>
<p>“A backup hard drive containing the names, social security numbers and bank account information for 953 customers was stolen”</p>
<p>“former employee had downloaded a report with customer’s personal and financial information before leaving his employment”</p>
<p>“delivered CDs containing personal shareholder information to another financial institution client”</p>
<p>“An employee who worked for 6 weeks stole enough mortgage application information to steal nearly 100 people&#8217;s identities”</p>
<p>“a mortgage broker discarded consumers&#8217; personal financial records in a publicly-accessible dumpster”</p>
<p>“A former switchboard operator took customer information and gave it to accomplices who in turn withdrew more than $200,000 from 13 bank customers&#8217; accounts”</p>
<p>“notified some of its 28,000 members that members names, addresses, phone numbers, account numbers and Social Security numbers were compromised when files were not properly moved during an office relocation.”</p></blockquote>
<p>Performing a risk assessment on your employees may be the first step in resolving this issue.  Define all the risks your employees pose and then define controls and monitoring criteria.  This may be your most comprehensive and detailed risk assessment as you think about each aspect of your employees’ interaction with data and the appropriate controls for each.  The results should be a map or plan of all the changes, additions, and implementations needed to fully secure information.  This may involve some cost in implementing the appropriate controls.  However, if you compare this cost to the potential cost of issuing new checks, debit cards, security monitoring/fraud protection, etc. to all the customers compromised by a rogue employee, the cost might not seem that high.  If you also weigh in the reputation hit and lack of customer trust that would ensue from such an incident, you may not even consider it a “cost” at all.</p>
<p>In conclusion, there are two keys when it comes to breaches.  One key is prevention.  The second key is how your institution responds to a breach.  Lou Holtz once said, “Life is ten percent what happens to you and ninety percent how you respond to it.”  How your institution responds to a breach will determine the level of success experienced in the future.  If you turn a negative into a positive and work proactively and aggressively in protecting your customers, this could trigger a reciprocal reaction in them- that you are concerned for them and their safety, which could build a higher level of trust and loyalty than ever before.</p>
<hr size="1" /><p><a href="#_ftnref1">[1]</a> BankInfoSecurity.com posted this list of thirty-three breaches, gathered from the Identity Theft Resource Center (ITRC).</p>
<p><a href="#_ftnref2">[2]</a> <em>Quotes from BankInfoSecurity.com</em></p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/?feed=rss2&amp;p=748</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Safe Systems’ Telecommute Remote Control Service as Part of your Disaster Recovery Plan</title>
		<link>http://news.safesystems.com/?p=745</link>
		<comments>http://news.safesystems.com/?p=745#comments</comments>
		<pubDate>Thu, 12 Aug 2010 16:23:53 +0000</pubDate>
		<dc:creator>stephanie</dc:creator>
				<category><![CDATA[NetComply]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=745</guid>
		<description><![CDATA[Marshall Jones, Director of Managed Services Telecommute has proven to play a vital role in a successful disaster recovery plan. During the floods in Nashville a few months ago, we had numerous customers utilize their telecommute licenses to allow their employees to work remotely, while their institution was largely unreachable. Telecommute allows users at the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-588" style="margin-left: 5px; margin-right: 5px; border: 1px solid black;" title="Marshall Jones" src="http://news.safesystems.com/wp-content/uploads/2010/05/marshall1.jpg" alt="Marshall Jones" width="100" height="120" />Marshall Jones, Director of Managed Services</p>
<p>Telecommute has proven to play a vital role in a successful disaster recovery plan. During the floods in Nashville a few months ago, we had numerous customers utilize their telecommute licenses to allow their employees to work remotely, while their institution was largely unreachable. Telecommute allows users at the institution to connect remotely to their office machines via an encrypted connection from anywhere, provided that they have an Internet connection. As long as the institution’s Internet connection is still running, the user will be able to work effectively from wherever they may be, be it at a conference across the country, or stuck at home due to flooding.<br />
<span id="more-745"></span><br />
In addition to Telecommute, Network Administrators unable to reach the office are able to use SafeConnect, which allows for administration of users working remotely. This is crucial when users are (often for the first time) performing their jobs from a remote location. Admin Remote Control, which allows for remote administration of servers and workstations at the office, is also a useful tool during a disaster. The use of all of these services allows for an effective way to maintain uptime for the institution, even when the institution cannot be physically reached by the employees.</p>
<p>If you’re interested in a Remote Control Bundle, which includes all of these services, please contact your Safe Systems Account Manager.</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/?feed=rss2&amp;p=745</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CAMELS Ratings and Financial Regulatory Reform: The (M)anagement Element</title>
		<link>http://news.safesystems.com/?p=733</link>
		<comments>http://news.safesystems.com/?p=733#comments</comments>
		<pubDate>Thu, 12 Aug 2010 16:21:18 +0000</pubDate>
		<dc:creator>stephanie</dc:creator>
				<category><![CDATA[Compliance Corner]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=733</guid>
		<description><![CDATA[Tom Hinkel, Director of Compliance Up until just shortly before it failed, Washington Mutual had received either average or above average CAMELS ratings from their primary federal regulator (PFR). According to the post-mortem report by the Department of the Treasury, “WaMu failed primarily because of management’s pursuit of a high-risk lending strategy that included liberal [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-569" style="margin-left: 5px; margin-right: 5px; border: 1px solid black;" title="tom" src="http://news.safesystems.com/wp-content/uploads/2010/05/tom.jpg" alt="" width="100" height="120" />Tom Hinkel, Director of Compliance</p>
<p>Up until just shortly before it failed, Washington Mutual had received either average or above average CAMELS ratings from their primary federal regulator (PFR).  According to the post-mortem report by the Department of the Treasury, “WaMu failed primarily because of management’s pursuit of a high-risk lending strategy that included liberal underwriting standards and inadequate risk controls.”<sup><a href="#_ftn1">[1]</a></sup> Certainly the declining economy and real estate market contributed, as did a sudden flood of customer withdrawals as the crisis began to unfold, but it’s instructive to note that the Treasury’s report primarily faulted Bank management.<br />
<span id="more-733"></span><br />
Likewise, when Indy Mac Bank failed in 2008, their PFR (OTS) gave Indy Mac Bank favorable CAMELS ratings right up to the time it failed.<sup><a href="#_ftn2">[2]</a></sup> In their report, the Office of Inspector General stated in part that they were allowed by regulators to pursue their strategy of rapid asset growth and risky lending practices until the real estate market started to collapse, only then invalidating the fundamentals of management’s growth strategy.</p>
<p>Both of these examples point to inadequate management of strategic risk as the core issue.  Strategic risk is defined as that associated with the financial institution’s mission and future business plans.  It primarily arises from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes.  It can also stem from inaccurate information or analysis that causes management to make poor strategic decisions.  Therefore, strategic risk can really be defined as management risk.</p>
<p>The ability of management to respond to changing circumstances and to address the risks that may arise from changing business conditions, or the initiation of new activities or products, is an important factor for regulators in evaluating a financial institution&#8217;s overall risk profile and the level of supervisory attention warranted.  For this reason, <em><strong>“the Management component is given special consideration when assigning a composite rating.”</strong></em><sup><a href="#_ftn3">[3]</a></sup></p>
<p>CAMELS is the acronym for the six essential components used to rate an institution’s financial condition under the Uniform Financial Institution Rating System.   The rating system was adopted by the FFIEC in 1979 (revised to add the “S” in 1996), and is based on the following components of an institution’s condition:</p>
<ul>
<li>(C) Capital adequacy,</li>
<li>(A) Asset quality,</li>
<li>(M) Management,</li>
<li>(E) Earnings,</li>
<li> (L) Liquidity and</li>
<li>(S) Sensitivity to market risk</li>
</ul>
<p>CAMELS ratings include a numeric score for each of the six components, and an overall numeric composite rating. The numeric ratings range from 1 (best) to 5 (worst) and generally mean:</p>
<ol>
<li>Sound in every respect</li>
<li>Fundamentally sound</li>
<li>Some degree of supervisory concern</li>
<li>Unsafe and unsound practices or conditions</li>
<li>Extremely unsafe and unsound practices or conditions</li>
</ol>
<p>Disclosure of CAMELS ratings by the financial institution to the public is prohibited, in part because regulators fear that unfavorable ratings could lead to increased reputation risk, resulting in excessive withdrawals and the inability of the institution to effectively compete in their market, resulting in further exacerbation of the problem.  Even so, management generally considers anything other than a “1” or “2” to be suboptimal, perhaps because it does reflect on their overall management ability.</p>
<p>But there is also a financial aspect to the CAMELS ratings.  For most institutions in Risk Category I (generally, those institutions with less than $10 billion in assets and those with $10 billion or more in assets that do not have long-term debt issuer ratings), base FDIC deposit insurance assessment rates are based on a combination of financial ratios and CAMELS component ratings, with the largest weight applied to Capital and Management (25% each).</p>
<p>Additionally, the FFIEC has identified management as a critical component in ALL of the IT Examination Handbooks, for example:</p>
<ul>
<li><strong>Audit </strong>- <em>The board of directors and senior management are responsible for ensuring that the institution’s system of internal controls operates effectively.</em><sup><a href="#_ftn4">[4]</a></sup></li>
<li><strong>Business Continuity Planning</strong> &#8211; <em>It is the responsibility of an institution’s board and senior management to ensure that the institution identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning process.</em><sup><a href="#_ftn5">[5]</a></sup></li>
<li><strong>Information Security</strong> &#8211; <em>Information security is a significant business risk that demands engagement of the Board of Directors and senior business management.</em><sup><a href="#_ftn6">[6]</a></sup></li>
<li> <strong>Operations </strong>- <em>Senior management and the board of directors are responsible for ensuring IT operates in a safe, sound, and efficient manner throughout the institution.</em><sup><a href="#_ftn7">[7]</a></sup></li>
<li><strong>Outsourcing </strong>- <em>The responsibility for properly overseeing outsourced relationships lies with the institution’s board of directors and senior management.</em><sup><a href="#_ftn8">[8]</a></sup></li>
</ul>
<p>In fact, management is so important that the ability of management to identify, measure, monitor, and control the risks of its operations is also taken into account when assigning each of the other CAMELS component ratings as well:</p>
<ul>
<li>Capital Adequacy
<ul>
<li>… The <strong>ability of management</strong> to address emerging needs for additional capital.</li>
</ul>
</li>
<li>Asset Quality
<ul>
<li>…The <strong>ability of management</strong> to properly administer its assets…</li>
</ul>
</li>
<li>Earnings
<ul>
<li>…The <strong>ability (of management)</strong> to provide for adequate capital through retained earnings…</li>
</ul>
</li>
<li>Liquidity
<ul>
<li>… The<strong> capability of management</strong> to properly identify, measure, monitor, and control the institution&#8217;s liquidity position…</li>
</ul>
</li>
<li>Sensitivity to Market Risk
<ul>
<li>…The <strong>ability of management </strong>to identify, measure, monitor, and control exposure to market risk…</li>
</ul>
</li>
</ul>
<p>The Management component of the CAMELS rating reflects the governance capability of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of an institution&#8217;s activities and to ensure a financial institution&#8217;s safe, sound, and efficient operation in compliance with applicable laws and regulations.  All things considered, it follows logically that <strong>management is generally regarded as the most important element for a successful operation of a financial institution</strong>.</p>
<p>So, given its overwhelming importance to the safety and soundness of the institution, let’s take a closer look at the “M”, and what it takes to demonstrate compliance.</p>
<p>These are the elements that make up the CAMELS management component rating:<sup><a href="#_ftn9">[9]</a></sup></p>
<ol>
<li> The ability of the board of directors and management, in their respective roles, to plan for, and respond to, risks that may arise from changing business conditions or the initiation of new activities or products.</li>
<li>The adequacy of, and conformance with, appropriate internal policies and controls addressing the operations and risks of significant activities.</li>
<li>The accuracy, timeliness, and effectiveness of management information and risk monitoring systems appropriate for the institution&#8217;s size, complexity, and risk profile.</li>
<li>The adequacy of audits and internal controls to: promote effective operations and reliable financial and regulatory reporting; safeguard assets; and ensure compliance with laws, regulations, and internal policies.</li>
<li>Compliance with laws and regulations.</li>
<li>Responsiveness to recommendations from auditors and supervisory authorities.</li>
<li>Management depth and succession.</li>
<li>The extent that the board of directors and management is affected by, or susceptible to, dominant influence or concentration of authority.</li>
<li>Reasonableness of compensation policies and avoidance of self-dealing.</li>
</ol>
<p>How can management demonstrate sufficient progress in these areas?  Two words: delegation and documentation.  Delegate the day-to-day responsibilities to committees consisting of both employees and (when necessary to add expertise) external consultants.  Clearly define the scope and mission of each committee, and <strong>always </strong>document every meeting.  This may seem daunting, but in a smaller institution, the technology steering committee (or equivalent) can serve multiple functions, addressing IT strategic planning, information security, and regulatory compliance (items 1-8 above).  Chances are this committee already exists; all that’s necessary is to expand the agenda<sup><a href="#_ftn10">[10]</a></sup> a bit to include discussion of the items listed above.  Larger organizations may want to keep IT related items in tech steering, but address the compliance items (2, 4, 5, and 6) in a separate compliance or audit committee.  Further segmentation may separate strategic planning items (1, 7, 8 and 9) into their own group.</p>
<p>The issue of management will continue to be at the forefront of regulatory safety and soundness scrutiny, and given the on-going challenges in the industry, will only increase in importance going forward.</p>
<blockquote><p><em>Note:  The Safe Systems QSR/ASR/Account Manager process, which is included in every NetComply contract, is designed to align with the regulatory best practice of the “control self-assessment (CSA)” when presented and documented in an appropriate committee setting.  This CSA (with the account manager as the facilitator) goes significantly beyond the standard “check-list” compliance response to information security and, when combined with the other agenda items<sup><a href="#_ftn11">[11]</a></sup>, effectively addresses elements 1-8 of the CAMELS management component.</em></p></blockquote>
<hr size="1" /><p><a href="#_ftnref1">[1]</a> Department of the Treasury, <em>Federal Deposit Insurance Corporation &#8211; </em><em>Evaluation of Federal Regulatory Oversight of Washington Mutual Bank</em>, April 2010</p>
<p><a href="#_ftnref2">[2]</a> Office of Inspector General, <em>The FDIC’s Role in the Monitoring of Indy Mac Bank</em>, August 2009</p>
<p><a href="#_ftnref3">[3]</a> <a href="http://www.fdic.gov/regulations/laws/rules/5000-900.html" target="_blank">http://www.fdic.gov/regulations/laws/rules/5000-900.html</a> &#8211; Overview</p>
<p><a href="#_ftnref4">[4]</a> Audit Booklet – August 2003, page 3</p>
<p><a href="#_ftnref5">[5]</a> Business Continuity Planning Booklet &#8211; March 2008, page 3</p>
<p><a href="#_ftnref6">[6]</a> Information Security Booklet – July 2006, page 5</p>
<p><a href="#_ftnref7">[7]</a> Operations Booklet – June 2004, page 3</p>
<p><a href="#_ftnref8">[8]</a> Outsourcing Technology Services Booklet – June 2004, page 3</p>
<p><a href="#_ftnref9">[9]</a> FDIC, UNIFORM FINANCIAL INSTITUTIONS RATING SYSTEM, source: 62 Fed. Reg. 752, January 6, 1997, effective January 1, 1997</p>
<p><a href="#_ftnref10">[10]</a> See your account manager for our most current version.</p>
<p><a href="#_ftnref11">[11]</a> See your account manager for our most current version.</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/?feed=rss2&amp;p=733</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Upcoming Training Opportunities</title>
		<link>http://news.safesystems.com/?p=783</link>
		<comments>http://news.safesystems.com/?p=783#comments</comments>
		<pubDate>Thu, 12 Aug 2010 16:00:59 +0000</pubDate>
		<dc:creator>stephanie</dc:creator>
				<category><![CDATA[Upcoming Training Events]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=783</guid>
		<description><![CDATA[To register for any of the workshops please visit our online registration form. Risk &#038; Security Workshops The following workshops will be held at our office in Alpharetta, Georgia. Principles of Information Security 9/28/10 9:00 AM &#8211; 4:00 PM ET Information Security in Action 9/29/10 9:00 AM &#8211; 4:00 PM ET Risk and Security &#8211; [...]]]></description>
			<content:encoded><![CDATA[<p>To register for any of the workshops please visit our <a href="http://www.safesystems.com/solutions/training/registration.php" target="_blank">online registration form</a>.</p>
<p><span id="more-783"></span></p>
<h2>Risk &#038; Security Workshops</h2>
<p>The following workshops will be held at our office in Alpharetta, Georgia.</p>
<table style="height: 304px;" border="0" width="464">
<tbody>
<tr>
<td colspan="4"><a href="http://www.safesystems.com/solutions/training/10.php" target="_blank"><strong>Principles of Information Security </strong></a></td>
</tr>
<tr>
<td style="width: 37px;"></td>
<td style="width: 172px;">9/28/10</td>
<td style="width: 152px;">9:00 AM &#8211; 4:00 PM ET</td>
</tr>
<tr>
<td colspan="4"><a href="http://www.safesystems.com/solutions/training/10.php" target="_blank"><strong>Information Security in Action</strong></a></td>
</tr>
<tr>
<td style="width: 37px;"></td>
<td style="width: 172px;">9/29/10</td>
<td style="width: 152px;">9:00 AM &#8211; 4:00 PM ET</td>
</tr>
<tr>
<td colspan="4"><a href="http://www.safesystems.com/solutions/training/10.php" target="_blank"><strong>Risk and Security &#8211; The Risk Management Process in Theory and Practice</strong></a></td>
</tr>
<tr>
<td style="width: 37px;"></td>
<td style="width: 172px;">9/30/10</td>
<td style="width: 152px;">9:00 AM &#8211; 4:00 PM ET</td>
</tr>
<tr>
<td colspan="4"><a href="http://www.safesystems.com/solutions/training/10.php" target="_blank"><strong>IT Audits and Examinations &#8211; Real World Best Practices for Preparation and Response</strong></a></td>
</tr>
<tr>
<td style="width: 37px;"></td>
<td style="width: 172px;">10/1/10</td>
<td style="width: 152px;">9:00 AM &#8211; 4:00 PM ET</td>
</tr>
</tbody>
</table>
<p><a href="http://www.safesystems.com/solutions/training/registration.php" target="_blank">Register today!</a></p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/?feed=rss2&amp;p=783</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Company Announcements</title>
		<link>http://news.safesystems.com/?p=727</link>
		<comments>http://news.safesystems.com/?p=727#comments</comments>
		<pubDate>Thu, 12 Aug 2010 15:43:33 +0000</pubDate>
		<dc:creator>stephanie</dc:creator>
				<category><![CDATA[Other News]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=727</guid>
		<description><![CDATA[FFIEC Guru is here! Safe Systems is now on Twitter! Safe Systems&#8217; National Users Conference &#8211; Save the date Job Openings Recent Awards and Accolades New Employees and Appointments FFIEC Guru is here! Please bookmark this great new site www.ffiecguru.com! Safe Systems is excited to announce our new great resource designed just for you. FFIEC [...]]]></description>
			<content:encoded><![CDATA[<p>FFIEC Guru is here!<br />
Safe Systems is now on Twitter!<br />
Safe Systems&#8217; National Users Conference &#8211; Save the date<br />
Job Openings<br />
Recent Awards and Accolades<br />
New Employees and Appointments</p>
<p><span id="more-727"></span><strong><a href="http://www.ffiecguru.com/" target="_blank"><img class="alignright" title="FFIEC Guru" src="http://www.ffiecguru.com/wp-content/uploads/2010/07/guru34.jpg" alt="" width="273" height="138" /></a>FFIEC Guru is here!</strong><br />
Please bookmark this great new site <a href="http://www.ffiecguru.com" target="_blank">www.ffiecguru.com</a>!  Safe Systems is excited to announce our new great resource designed just for you.  FFIEC Guru will help keep you informed of current auditor &amp; examiner trends &amp; the latest FFIEC updates. You can even visit our discussion board for answers to your compliance questions or to chat with other financial institutions.  And if you’re wondering, “The Guru” is Safe Systems’ Director of Compliance, Tom Hinkel, with over twenty-five years of compliance expertise!</p>
<p><a href="http://www.twitter.com/SafeSystems" target="_blank"><img class="alignleft" style="margin-left: 5px; margin-right: 5px;" src="http://twitter-badges.s3.amazonaws.com/t_logo-a.png" alt="Follow SafeSystems on Twitter" width="36" height="36" /></a><strong>Safe Systems is now on Twitter!</strong><br />
If you’re currently on Twitter, we’d love if you could follow us, or if you have any friends in the banking community who are currently on Twitter, please recommend our Twitter page to them.  There will be plenty of educational tools, news, &amp; updates (exclusive to financial institutions).  Follow us today! <a href="http://twitter.com/SafeSystems" target="_blank">http://twitter.com/SafeSystems</a></p>
<p><strong>Safe Systems’ National Users Conference-Save the date</strong><br />
Please save the dates for our 2011 National Users Conference – March 23rd – 25th, 2011!  Due to the luxurious accommodations at such a great price point, we will once again hold our conference at Callaway Gardens and we promise to make the conference more informative and fun than our conference this year (if that’s possible!). More information coming soon!</p>
<p><strong>Job Openings</strong><br />
Safe Systems is growing!  We’re seeking a highly qualified customer focused Network Operation Center Analyst for our growing network consulting and support team. The ideal candidate has a strong knowledge of Microsoft Windows Networks and experience in the community financial institution environment. A Bachelor&#8217;s degree in Information Systems or Information Technology is required.  If you know any great candidates, send them our way! <a href="mailto:info@safesystems.com">info@safesystems.com</a></p>
<p><a name="#awards"></a><strong>Recent Awards and Accolades</strong><br />
Safe Systems is excited to announce that we are a finalist for the BankNews 2010 Innovative Solutions Awards.  In order to win, we would love to have your votes!  Voting begins on August 15th.  Please click this link to view the entry as well as others: <a href="http://www.banknews.com/New-2010-Entries.905.0.html" target="_blank">http://www.banknews.com/New-2010-Entries.905.0.html</a>. We are in the category “Online/Remote/Mobile Solution” and our solution is titled  “Safe Systems’ Continuum for Disaster Recovery.”  The winners will be featured in the December issue of BankNews. Thanks so much for your support!</p>
<p><img class="alignleft size-thumbnail wp-image-558" title="CFO of the year" src="http://news.safesystems.com/wp-content/uploads/2010/05/CFO-of-the-year-150x150.jpg" alt="Atlanta Business Chronicles CFO of the Year Award" width="85" height="85" />Safe Systems is very proud to announce that Joe Scott, our CFO, was selected as a top 3 finalist for Atlanta Business Chronicles’ CFO of the Year (selected by judges out of hundreds of nominations)! The CFO of the Year Awards recognized the achievements of the very best CFOs in Atlanta. The announcement was made on June 4th in the Atlanta Business Chronicle Newspaper and online. Congratulations Joe!</p>
<p>Safe Systems is very pleased to announce that we were awarded one of CRN’s Most Innovative MSPs for 2010. CRN selected the Most Innovative MSPs this year to recognize companies that have found success offering managed solutions to customers, helping them become more efficient and reduce costs.  The Most Innovative MSPs list will appear in the August issue of CRN as well as online.</p>
<p>On June 3rd, Safe Systems was honored to receive the Kaseya Cutting Edge Award at this year&#8217;s Kaseya Connect National Users Conference in Nevada.  This award selection process was based on companies whose outstanding initiatives with their MSP/automation products are helping their clients become more efficient.</p>
<p>Safe Systems is proud to have once again ranked on the Inc 5000 list of Fast Growing Companies in America! The 2010 Inc 5000 list is comprised of privately held, for profit, independent companies across the US. Thank you for helping us to achieve this prestigious award!</p>
<p><img class="alignright size-full wp-image-832" title="CISA" src="http://news.safesystems.com/wp-content/uploads/2010/08/cisa_overview.jpg" alt="CISA" width="150" height="64" />Safe Systems is pleased to announce that Tom Hinkel, our Director of Compliance, has received the CISA (Certified Information Systems Auditor) certification from ISACA! CISA is globally recognized as the mark of excellence for the IS audit professional. CISA combines the achievement of passing a comprehensive exam with recognition of work and educational experience. Congratulations Tom!</p>
<p><a name="#newemployees"></a><strong>New Employees and Appointments</strong><br />
We’re excited to announce and welcome the following employees to our growing company:</p>
<p>Safe Systems is excited to welcome Kane Martin and Philip Preast to our Network Operations Center.  As Network Analysts for Safe Systems, both Martin and Preast will be assisting you with your support issues. Martin has several years of experience in IT help desk support and is an MIS graduate from the Florida Institute of Technology.  Preast was previously a Network Design Engineer at Unisys and a graduate of West Virginia Institute of Technology.</p>
<p>The Safe Systems Sales Department is also happy to announce two new employees.  Andy Mills is our new Regional Sales Manager for the West and Midwest states. Mills has advanced technology and web portal experience within financial institutions and is a graduate of Ball State University in Indiana. Stacey Appelson is our new Pre-Sales Coordinator and will be developing the proposal/RFP process and Channel Partnerships of Safe Systems.  A graduate of the University of Georgia, Appelson has financial institution expertise that includes digital communication, Internet banking, and bill payments, and was previously an employee at COIN Financial Systems (alongside Danny Johnston, Ralph Sikes, and Darren Bridges).</p>
<p>Congratulations to Stephanie Foerst on her recent promotion to Internet Marketing Specialist.  Her new responsibilities will include web/online marketing, SEM, SEO, and Website Content Management.  We’re proud that she has proven her strengths and initiative in these areas. Great job, Stephanie!</p>
<p>Safe Systems is also proud to announce that, in the Network Operations Center, Tyler Saville and Chad Ingersoll have both recently been promoted to the role of Team Lead Engineer.  Tyler and Chad’s experience and dedication to customer service have added value and will continue to do so in the future.  Congratulations on these well-deserved promotions!</p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/?feed=rss2&amp;p=727</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Technology:  10 Steps Users Should Follow to Help Protect Your Financial Institution</title>
		<link>http://news.safesystems.com/?p=594</link>
		<comments>http://news.safesystems.com/?p=594#comments</comments>
		<pubDate>Thu, 20 May 2010 13:00:58 +0000</pubDate>
		<dc:creator>stephanie</dc:creator>
				<category><![CDATA[Network Health Check]]></category>

		<guid isPermaLink="false">http://news.safesystems.com/?p=594</guid>
		<description><![CDATA[Jay Butler, Senior Technical Consultant Simple end user education may be a financial institution’s best defense against cyber attacks and social engineering.  Our clients employ numerous security layers on their computer networks to thwart dubious activity; however, no amount of technology can prevent every attack because the possibilities are practically limitless and ever-changing.  End users [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-611" style="margin-left: 5px; margin-right: 5px; border: 1px solid black;" title="Jay Butler" src="http://news.safesystems.com/wp-content/uploads/2010/05/jay.jpg" alt="Jay Butler" width="100" height="120" />Jay Butler, Senior Technical Consultant</p>
<p>Simple end user education may be a financial institution’s best defense against cyber attacks and social engineering.  Our clients employ numerous security layers on their computer networks to thwart dubious activity; however, no amount of technology can prevent every attack because the possibilities are practically limitless and ever-changing.  End users armed with a few basic concepts can serve as another powerful security layer to help prevent malware infestation on their machines and to outsmart scammers.  I have compiled a list of simple things your users can do to help protect the best interest of your financial institution with regard to common questionable activity they may encounter.  By no means does this list cover everything, but I believe training works best in small increments.  Consider passing this list out to all of your users and even to other people you know.</p>
<p>Follow these 10 Steps to Help Protect Your Desktop from Malware and Avoid Leaking Private Information:<br />
<span id="more-594"></span></p>
<ol>
<li><strong>Keep on the lookout for any suspicious activity.</strong> For example, a recent email attack attempted to coax end users into opening an attachment by informing the recipient that her mailbox settings needed updating.  A common sign of suspicious email is poor formatting and grammar.  The subject of the email message read this way:  “Subject:  <strong>Setting</strong> for your mailbox <strong>are</strong> changed.”  Notice that “<strong>Setting</strong>” and “<strong>are</strong>” are grammatically incompatible here.  The usual wording would be “Subject: Settings for your mailbox have changed.”  Incorrect grammar and misspellings are very common in dubious email.  Another oddity in this example was the attachment itself.  It was an Adobe .pdf file that the email claimed contained instructions, but instead it launched a program when the user opened it.  The program ran the actual attack against the computer if the user answered the prompt to continue after opening the .pdf attachment.  Immediately report any suspicious activity to the appropriate personnel such as your manager, security officer, Systems Administrator, or Safe Systems, Inc.  If you make a mistake, do not be embarrassed and decide to keep it quiet.  The scammers are experts in the art of deception, so anyone can fall prey to their tricks.  Report it immediately to minimize damage and help others do the same.</li>
<li><strong>Never click on any pop-up message that asks to scan your machine.</strong> For example, a notorious piece of malware appeared as a legitimate antivirus scan but it was actually a rogue program designed to lure users into buying the full version (example shown below).  It would also negatively affect the performance of infected computers.  Note that your actual corporate antivirus solution typically does not prompt you to perform any action.  Scanning occurs “behind the scenes” unless your administrator has notified you otherwise.  Thus, if you are ever prompted to run a virus scan, cancel the operation and contact your Systems Administrator.
<p><div id="attachment_595" class="wp-caption aligncenter" style="width: 449px"><a href="http://news.safesystems.com/wp-content/uploads/2010/05/fakeav.jpg"><img class="size-full wp-image-595" title="Fake antivirus" src="http://news.safesystems.com/wp-content/uploads/2010/05/fakeav.jpg" alt="Fake antivirus" width="439" height="310" /></a><p class="wp-caption-text">Fake antivirus scan.</p></div></li>
<li><strong>Only open legitimate email.  Permanently delete spam. </strong>Carefully highlight and permanently delete using &lt;shift&gt; delete like this:  After highlighting the message(s), right click the selection(s) so the menu appears.  Hold down the &lt;shift&gt; key before clicking the delete option from the menu.  Choose Yes to permanently delete the messages.</li>
<li><strong>Do NOT click links found in email messages or other documents, even in legitimate-looking email. </strong>Instead, carefully copy the text and paste it into the address field of Internet Explorer, or better yet just type it out.  A link appearing to be a perfectly legitimate web address can actually take you to a fake website that mimics the real one.  A fake website designed to mimic the actual website in order to steal information is a form of phishing.</li>
<li><strong>Never (<span style="text-decoration: underline;">ever</span>) give out usernames or passwords in an email or over the phone.</strong> A hacker can easily impersonate email or voice from someone you trust such as your Systems Administrator or even a CEO.  Guard other private information using the same logic.</li>
<li><strong>Avoid transmitting any private information electronically through media such as email, phone, instant messengers (chat), text messages, or social networks (Facebook). </strong>If your institution has encrypted email, be sure you understand how to use it.  Encrypted email is an exception to this rule as long as it is encrypted using the right system.</li>
<li><strong>Do not click on any pop-up window that asks you to download, run, install or update unless you have been notified otherwise by your administrator. </strong>This practice dramatically reduces the chance of any rogue software infiltrating your computer.</li>
<li><strong>Avoid non-business-related websites when using corporate-owned equipment. </strong>Understand that most financial institutions monitor all websites you access.  Avoid any embarrassment or worse by keeping it business related.  Risk of infection increases exponentially when surfing any non-business-related website or when using any non-business-related software.</li>
<li><strong>If you’re allowed to use chat software at work such as Yahoo Instant Messaging or Microsoft Live Messenger, be cautious.  Do not click on any links within chat sessions or type any private information even when speaking with a trusted source.</strong> Much like email, a link may not look suspicious but may actually be a cyber attack.  Type it out manually instead.  Never download or install anything over a chat session.  Use chat software only for its original intent, chatting.  If it is something private, use an alternate medium such as the phone or an encrypted email.  Hackers can impersonate chat contacts as well.</li>
<li><strong>Do not download or install any software on your machine without management approval.</strong></li>
</ol>
<p><a href="http://news.safesystems.com/wp-content/uploads/2010/05/User-training-to-prevent-malware.pdf">Download a .pdf version that you can give your employees. </a></p>
]]></content:encoded>
			<wfw:commentRss>http://news.safesystems.com/?feed=rss2&amp;p=594</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
