TOPIC: Information Technology

The Best things to do with Microsoft 365 – Microsoft Secure Score

Most small- to medium-sized institutions don't have a full-time employee available to devote to Microsoft 365 administration and security. If you are the person spinning about two dozen plates, including administration of 365, you know this. You also probably know, through your vendor management program, what Microsoft is (and is not) responsible for. For example, Microsoft supplies the administration of a global cloud infrastructure to host your resources; however, Microsoft does not manage the security of, and access to, your data. There is a learning curve to understanding which configuration changes to make so that data and access are properly secured. Sure, you can Google-fu things like best practices for cloud security and likely implement some good strategies. But how do you know you haven't missed something, or worse, taken bad advice?

Microsoft has provided tools to help assess your security posture, such as Microsoft Secure Score, which provides "a measurement of an organization's security posture..." That's right, they have designed a tool that analyzes your configuration efforts and spits out a number to "score" those efforts. Whether you're a 365 expert or unsure of your security posture in 365, use this tool. Glean from it what you can and make decisions. Information can only help manage the limited sanity left for spinning plates. You can access your score at https://security.microsoft.com/securescore.

Also, get familiar with https://docs.microsoft.com. Microsoft is changing things all the time. Administrator resources that were in one admin portal or Azure blade a month ago are often moved and consolidated somewhere else. It can be frustrating trying to keep up with the changes, or even to find current documentation. There is also a lot of good information outside of Microsoft documentation, so Google is your friend.

Microsoft also has RSS and Twitter feeds to help keep you up to date on changes that are occurring. You can find this info at https://docs.microsoft.com/en-us/teamblog/. Also consider signing into the Microsoft documentation with your 365 credentials and updating your account settings to get content update notifications sent to your email.

8 Features to Look for in a Business Continuity Solution

Good morning, Bankers! Today we are discussing the importance of business continuity planning as well as the top eight features to look for in a business continuity management (BCM) solution. This post was originally published on the Ncontracts blog.

Your financial institution must ensure it has a business continuity plan (BCP) that is clearly defined and regularly reviewed and tested—but there are a lot of moving parts.

Business continuity solutions and services exist to facilitate this process, helping ensure your financial institution is prepared to weather any disruption. Here are the top eight features to look for in a business continuity management (BCM) solution...

READ THE FULL ARTICLE: Download the attached PDF

Audit and Examination Tips

Excerpt from 10-D Academy's Essential ISO course material

Here are some helpful tips for audit and examination preparation to hopefully make the process go smoother for your institution and staff.
• Prepare documentation as soon as the document request list arrives. Separate the list out and assign collection responsibilities and deadlines to the respective knowledgeable parties.
• If something (e.g. policies) on the request list hasn't been created, ask us here at 10-D Security if we have a sample. Don't rush to get it finalized or approved. During an audit, we will review policies and standards awaiting planned board approval and likely give credit where credit is due.
• Try to return documents in the same organized manner in which they were requested. Although not generally required, it does make the process a whole lot smoother.
• Make sure that institution staff are aware of all audit and examination schedules and expectations. Make the audit and exam schedule an agenda item for committee and board meetings.
• At least one individual, preferably the ISO, should be the point of contact for the IT security portion of audits and exams.
• Clear calendars and set the expectation that managers and key staff may be tapped for interviews. In the same vein, don't make a rigid to-the-minute schedule. Keep things flexible, as it's likely that some conversations will run longer than others.
• Examiners and auditors will often use basic investigative techniques. Keep in mind that the goal is to collect information, not to catch institution staff in a gotcha moment.
• Audits are meant to be informative as much as they are meant to uncover security issues. If there are questions before, during, or after, just ask.
• It's not personal. Defend your position, as there is always room for reasonably objective conversation. However, some things allow for greater flexibility and some don't.
• It's okay to say, "I don't know," or "I don't have that." But remember, repeat findings are not great. A documented and objective explanation for all accepted risk and repeat findings, as well as proof of board approval, is necessary.
These helpful tidbits are the result of audits with past and repeat customers and our own experiences with exams. They also draw on decades of combined experience of our auditors and engineers. Let 10-D Security know if you have any questions. We hope they help you in your future endeavors!

The Solar Winds Breach: Future Impacts and Lessons Learned | The Ncast Episode 12

The Ncast podcast highlights industry thought leaders talking about hot topics and trends in risk and compliance. We hope this podcast is a valuable resource for you and your industry peers! We recently released Episode 12, The Solar Winds Breach: Future Impacts and Lessons Learned. This episode is an interview with Tara Swart, Director of Compliance Services, Financial Division at All Covered consulting firm. Our guest discussed different frameworks for information security, the impacts of the recent Solar Winds breach, and how it will affect risk management going forward. We invite you to listen, share, and tell us what you think!

Listen and subscribe on your favorite podcasting platform here.

Call Center Authentication Process

Employee at a credit union ($1.1B, USA)
Hello: We are looking to update our call center authentication process. I was wondering if anyone would be willing to share their current process. Also, does anyone utilize automation with the core to validate their member? Any information you are willing to share would be greatly appreciated.
Thank you!
Stacey

Digital Banking Providers - Q2 and Architect

Chief Compliance Officer at a bank ($904M, USA)
Good Morning and Happy Friday! We are searching for a new digital banking provider and have narrowed our search down to Q2 or Architect. I've seen posts from others on this forum and wanted to see if anyone would be willing to speak with us candidly about your experiences, positive and negative. I'm sure we were provided good references, but I really like to speak with others outside provided references. Our core is Fiserv DNA, by the way, if anyone is on the same platform and using either. Thank you.

Microsoft Exchange Server - Patch Now!

On Tuesday, March 2, 2021, Microsoft released out-of-band advisories detailing serious vulnerabilities in Microsoft Exchange Server that are currently being exploited in the wild. These vulnerabilities only affect the on-premises version of Exchange, so if you are using Exchange Online through Microsoft 365 (formerly Office 365) you do not need to take action. If you are running Exchange Server on-premises, it is highly recommended that you patch your servers as soon as possible. More detailed information can be found at the Microsoft blog post here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ and the US-CERT CISA alert here: https://us-cert.cisa.gov/ncas/alerts/aa21-062a