The regulators have become seriously serious about IT, going beyond once "routine" IT compliance reviews to make certain you and your IT people actually know what vulnerabilities the bank faces and how to manage them. That means vulnerability scanning of your bank's IT system should be part of a well-layered approach to managing your risk of denial of service attacks, theft of confidential bank information, and theft of customer identities and information, and to knowing just what is connected on the inside of your network as well.
If the Pentagon's e-mail system can be hacked, as it has been; if customers can be unwittingly redirected to fraudulent look-alike bank websites and enter their information there, as they have been; if the credit information stored on large retail computers can be accessed, which has happened; then it should be no surprise that federal examiners are looking more closely at bank IT systems and how they manage their vulnerabilities. Unfortunately, not every bank knows what is on its system. Here's a real-life example:
A bank was saddled with a regulatory supervisory agreement relating to a lack of intrusion prevention and detection devices on its network. TCA was called in to do a vulnerability scan and IT audit. What we discovered, much to the bank's surprise, was that the institution actually had an intrusion prevention and detection system - installed but not configured to run. (Apparently the configuration changed at approximately the time an IT employee left over a year earlier.) In some ways worse, the institution was paying the provider a fee under a long-term agreement for the service adding up to over $20,000, which no one in executive management knew existed.
To discover what's on your network, an IT compliance examination should include vulnerability mapping and scanning so you actually know, and can prove to regulators, what is on your system. TCA uses a three-step approach to testing your vulnerability management program. 1. Mapping - or identification of all systems on your internal and external network. Each PC in your bank has 65,536 ports - all vulnerable in one way or another to unauthorized access.
We identify systems and equipment that are on your network by using an application that detects every device - those that are authorized and such rogue devices as unauthorized wireless devices; printers; routers; servers; network-attached storage; computers and other devices - attached to your network and turned on.
We detect and identify all of your networked IT assets - servers, desktops, routers and other networked devices. The result is a powerful and highly accurate baseline survey of your IT network - including every attached device.
The network map can be used to classify the business value of each device and to obtain information about how well security efforts are improving over time. This authoritative representation of your network also can be used to initiate on-demand or pre-scheduled scans to examine the security of each asset or area of your network.
2. Scanning the devices for known vulnerabilities against a database that is updated as new vulnerabilities are discovered by the security industry. TCA is a Qualys Certified Consultant. Consequently, bankers have access, through TCA, to Qualys' immense vulnerabilities database and state-of-the-art scanning capabilities. (QualysGuard has the largest knowledge base of vulnerability signatures in the industry and performs more than 150 million IP audits per year, with a Six-Sigma (99.997%) accuracy rate.) With its Qualys partnership, TCA has the ability to both find and provide you with the fix to remove the vulnerabilities.
3. Reporting to the bank in two formats, one a technical and the other an executive format. The technical format is browser compatible and will lead your IT department or consultants through the actual process of removing the vulnerabilities found on each device. This includes links to your vendor's pages to load patches if necessary to fix vulnerabilities. The executive report is a summary for non-tech readers.
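The three steps above (map, scan, report) can be seen end to end in the following added example. It is illustration code written for this article, not TCA's or Qualys' tooling: the authorized device baseline, the results of the discovery sweep, and the small vulnerability signature database are all constructed sample data, and the remediation URLs are placeholders. Mapping compares the live sweep against the baseline, so it flags both rogue devices and baseline devices that did not answer (the situation of the installed-but-not-running intrusion prevention system in the story above); scanning matches observed service banners against the signatures; reporting produces an executive summary of counts and a technical, per-device remediation list.

```python
"""Map, scan, report: a worked illustration of the three-step approach.

Added example, not TCA's or Qualys' tooling. The baseline, the discovery
sweep, and the vulnerability signature database are constructed sample
data; the remediation URLs are placeholders.
"""
from collections import Counter

# Step 1 (mapping): the bank's authorized device baseline, keyed by IP (constructed).
BASELINE = {
    "10.0.1.10": "core-banking-server",
    "10.0.1.20": "file-server",
    "10.0.1.254": "intrusion-prevention-sensor",
    "10.0.2.15": "teller-workstation",
}

# What today's discovery sweep reported (constructed): each device's open
# ports with the service banner observed on each port.
DISCOVERED = {
    "10.0.1.10": {445: "fileshare/2.0", 3389: "remote-desktop/10.0"},
    "10.0.1.20": {21: "ftpd/1.2", 445: "fileshare/1.0"},
    "10.0.2.15": {3389: "remote-desktop/10.0"},
    "10.0.2.99": {80: "printer-web/1.0"},  # absent from the baseline
}

# Step 2 (scanning): a stand-in for a vendor vulnerability database.
# Each signature matches an exact service/version banner (constructed).
VULN_DB = [
    {"id": "KB-0001", "match": "fileshare/1.0", "severity": 5,
     "title": "Legacy file-sharing protocol version enabled",
     "fix": "Disable the legacy version and apply the vendor patch",
     "url": "https://vendor.example/placeholder-fileshare"},
    {"id": "KB-0002", "match": "ftpd/1.2", "severity": 5,
     "title": "Outdated FTP daemon with known weaknesses",
     "fix": "Upgrade to the current release or decommission the service",
     "url": "https://vendor.example/placeholder-ftpd"},
    {"id": "KB-0003", "match": "remote-desktop/10.0", "severity": 2,
     "title": "Remote desktop reachable from the general network",
     "fix": "Restrict access to the management network",
     "url": "https://vendor.example/placeholder-remote-desktop"},
]


def map_network(baseline, discovered):
    """Compare the live sweep with the authorized baseline.

    A device seen on the wire but absent from the baseline is a rogue
    device; a baseline device that did not answer (for example, a
    security appliance that is installed but not running) is flagged too.
    """
    rogue = sorted(set(discovered) - set(baseline))
    missing = sorted(set(baseline) - set(discovered))
    return {"rogue": rogue, "missing": missing}


def scan(discovered, vuln_db):
    """Match every observed banner against the signature database."""
    findings = []
    for ip, ports in discovered.items():
        for port, banner in ports.items():
            for sig in vuln_db:
                if banner == sig["match"]:
                    findings.append({"ip": ip, "port": port, **sig})
    return findings


def executive_report(discovered, mapping, findings):
    """Step 3a: the non-technical summary, as counts only."""
    by_severity = Counter(f["severity"] for f in findings)
    return {
        "devices_found": len(discovered),
        "rogue_devices": len(mapping["rogue"]),
        "baseline_devices_not_seen": len(mapping["missing"]),
        "findings_by_severity": dict(sorted(by_severity.items(), reverse=True)),
        "highest_severity": max(by_severity, default=0),
    }


def technical_report(baseline, mapping, findings):
    """Step 3b: per-device remediation list, highest severity first."""
    lines = [f"{ip}: not in baseline; identify the owner or remove it"
             for ip in mapping["rogue"]]
    lines += [f"{ip}: baseline device ({baseline[ip]}) did not answer; "
              "confirm it is powered on and running"
              for ip in mapping["missing"]]
    ordered = sorted(findings, key=lambda f: (-f["severity"], f["ip"], f["port"]))
    lines += [f"{f['ip']}:{f['port']} [{f['id']} sev {f['severity']}] "
              f"{f['title']} -> {f['fix']} ({f['url']})" for f in ordered]
    return lines


if __name__ == "__main__":
    mapping = map_network(BASELINE, DISCOVERED)
    findings = scan(DISCOVERED, VULN_DB)
    print(executive_report(DISCOVERED, mapping, findings))
    print("\n".join(technical_report(BASELINE, mapping, findings)))
```

Run as a script, it prints the executive counts first and then the technical list. The baseline comparison is the part most often skipped in practice: a scanner that only reports on devices it can reach will never tell you that a security appliance stopped answering, which is exactly the kind of gap that an examiner will find.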
Because vulnerability is quickly becoming one of those hot-button regulatory issues, here in summary form are related questions TCA professionals most often are asked:
* Question: Just what is a "vulnerability?"
* Answer: A vulnerability is an IT system weakness that allows an attacker to violate the confidentiality, integrity, availability, access control, consistency, or audit mechanisms of the system, or the data and applications it hosts.
* Question: Can TCA perform a vulnerability scan as part of its IT compliance review or GLBA review?
* Answer: Yes. We recommend a vulnerability scan. TCA reviews your IT and GLBA compliance based on the 12 FFIEC workbooks and GLBA regulations to fully understand whether your bank has mitigated the risks of unauthorized access to your customer information, as well as to the bank's confidential information. Our third-party network auditing and reporting meets the compliance needs of HIPAA, GLBA, SB 1386 and Sarbanes-Oxley - among others. GLBA compliance is mandatory; non-compliance can trigger civil liability and penalties to institutions, and personal liability and penalties to officers and directors.
* Question: Will scanning cause a disruption in our services?
* Answer: Not likely. Although there are no guarantees, TCA's provider has tested the vulnerability scans against many operating systems, hardware vendors, platforms, servers, switches, and routers and performs over 1 million scans a day with very few issues. We believe we have one of the most reliable vulnerability scan review programs available today. TCA has undertaken exhaustive testing which, with actual scans we have run for our client banks and knowledge of the use of the product in the banking industry, gives us high confidence in the scan system.
* Question: What does an IT audit need to provide so the bank is compliant?
* Answer: The audit program should address IT risk exposures throughout the institution, including areas of IT management and strategic planning; data center operations; client/server architecture; local and wide area networks; telecommunications; physical and information security; electronic banking; systems development; and business continuity planning.
TCA is the KBA's endorsed provider of compliance services. If you would like additional information about IT vulnerability scans, IT audits, GLBA audits, business resumption planning or any other IT related need, call Randy Blackburn on TCA's toll-free Compliance hotline, 1-800-934-7347.
by Randy Blackburn, director, IT and compliance TCA, the Thomas Compliance Associates, Inc., Chicago
Copyright Kentucky Bankers Association Dec 2007