Wouldn’t it just be easier if everyone was exactly alike? We’d all drive the same car, live in the same color house and wear the same size shoes. Things would be so much easier, right? And boring.
One of the reasons there are so many small community banks is because, just like people, each one is different. Every bank brings its own unique personality and way of doing business to the marketplace.
This ‘uniqueness’ often makes it difficult for a small bank to design an IT compliance program that meets mandated regulations. What works for one bank may not work for another just a few blocks away. If you’re struggling with where to start, here’s a simple 3-step process for developing a plan that works for every bank.
1. Develop Policies and Procedures
Everything begins with having the correct policies and procedures in place and documented. These will be the foundation for your IT compliance. A policy is a generalized strategy, a statement of the direction in which you are going to go, while a procedure is how you are going to get there. For example, a policy may state “We will use strong passwords to protect our network,” and the procedure might state, “We will use passwords that are at least 8 characters long and contain at least one letter, one capital letter and one numeric character.” Treat the specific numbers as an illustration of the policy/procedure split rather than as a current recommendation; the point is that the procedure is concrete enough to be checked.
2. Develop Proper Reporting
Policies and procedures are useless unless they are followed, and how will you know they are followed if you don’t have a method of reporting? Reports need to be reviewed (not just filed away for the bank auditor) and either dropped or modified as regulations change. Supporting our previous password policy, we would add a procedure stating “We will review the failure audit report to see if anyone is attempting to log onto the server and being denied.” Reports are designed to make your policies better.
3. Document Everything
The last step in compliance is regularly working through a to-do list of IT compliance tasks and documenting your activity. While reports are designed to help you improve your IT compliance, documentation is designed to show how you are taking action based on your reports.
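To make the three steps concrete, here is an added example that is not code from the original post: it turns the post’s own illustrations into a small script that checks a password against the stated procedure (step 1), reviews a failure audit report for accounts being repeatedly denied (step 2), and writes a dated record of what was reviewed and what action was taken (step 3). The log line format, the review threshold of three failures, and the user, host and reviewer names are all constructed for this example and are not from the post.

```python
"""Added example (not from the original post): the post's three steps as code.
Log format, threshold and names below are constructed for illustration."""
import re
from collections import Counter
from datetime import date

# Step 1: the procedure as the post states it: at least 8 characters, with at
# least one letter, one capital letter and one numeric character.
def password_meets_procedure(pw: str) -> bool:
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)

# Constructed failure audit report (hypothetical format: timestamp, event,
# account, source host). Not real data.
FAILURE_AUDIT = """\
2024-03-04 08:01:12 LOGON_FAILURE user=jsmith src=10.0.1.15
2024-03-04 08:01:20 LOGON_FAILURE user=jsmith src=10.0.1.15
2024-03-04 08:01:27 LOGON_FAILURE user=jsmith src=10.0.1.15
2024-03-04 08:01:33 LOGON_FAILURE user=jsmith src=10.0.1.15
2024-03-04 08:01:40 LOGON_FAILURE user=jsmith src=10.0.1.15
2024-03-04 09:15:02 LOGON_FAILURE user=teller2 src=10.0.1.40
2024-03-04 11:42:55 LOGON_FAILURE user=admin src=203.0.113.7
2024-03-04 11:43:01 LOGON_FAILURE user=admin src=203.0.113.7
2024-03-04 11:43:09 LOGON_FAILURE user=admin src=203.0.113.7
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) LOGON_FAILURE user=(?P<user>\S+) src=(?P<src>\S+)$")

def review_failure_report(text: str, threshold: int = 3) -> dict:
    """Step 2: count denied logons per (account, source host) and return only
    the pairs at or above `threshold` (an assumed review threshold, not one
    the post specifies). Lines that do not match the format are skipped."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            counts[(m["user"], m["src"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def document_review(flagged: dict, reviewer: str, when: date) -> list:
    """Step 3: the written record showing the report was reviewed and what was
    done about it, so the regulator sees the process being followed."""
    record = [f"{when.isoformat()} failure audit review by {reviewer}"]
    if not flagged:
        record.append("  no account reached the review threshold; no action")
    for (user, src), n in sorted(flagged.items()):
        record.append(
            f"  {user} from {src}: {n} denied logons -> follow up with account owner")
    return record

if __name__ == "__main__":
    for pw in ("password", "Passw0rd"):
        print(pw, "meets procedure" if password_meets_procedure(pw) else "fails procedure")
    flagged = review_failure_report(FAILURE_AUDIT)
    for line in document_review(flagged, reviewer="IT manager", when=date(2024, 3, 4)):
        print(line)
```

The useful part is the last function: a report that is counted but never written up is exactly the “filed away for the auditor” outcome the post warns against, so the record of the review is produced by the same script that performs it.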
Regulators are looking not just for you to ‘dot your I’s and cross your T’s’; they are looking to see whether you have a process in place and are following it. They want to be assured that your policies and procedures will prevent problems from occurring at your bank. They also want to see that you are constantly making efforts at improvement.