OCC/FDIC requirements provide guidelines that establish administrative, technical and physical safeguards to protect the privacy of customers’ nonpublic personal information. These requirements mandate that banks:
- Identify and assess risk to their customer information
- Design and implement a program to control these risks
- Test key controls
- Train bank personnel
- Adjust the risk management program on a continuing basis to account for changes in technology and in internal and external threats to their information security
Phase I of Metavante Banking Solution’s iFortress service can significantly lower your risk exposure and prepare your institution to meet OCC/FDIC mandates by taking the following steps:
1. Issue Preliminary Questionnaire - Metavante Banking Solution will provide you with a questionnaire to complete before the on-site visit. It will be completed by bank personnel with assistance from Metavante Banking Solution technical and sales staff.
2. Review Documents - Metavante Banking Solution will review copies of your existing documentation, including current information security plans, policies and procedures, disaster recovery plans, vendor contracts and incident reports.
3. Perform Inquiry and Observation Analysis - Metavante Banking Solution will conduct an on-site visit to your main office and all branches. During this visit we gather information about, and make observations on, your information systems. An extensive proprietary checklist is completed to ensure that the review is thorough and documented. Main topics addressed on this checklist include:
- Physical Security
- Environmental Controls
- Personnel Considerations
- Computer Usage
- Hardware Considerations
- Software Considerations
- Access/Data/File Controls
- Communications/Network Considerations
- PBX & Voice Mail
- Contingency Planning
4. Systems Inventory - A comprehensive inventory of all hardware and software is performed, resulting in a list of every networked computer and all software residing on each of those computers.
5. Network Layout - A network diagram is produced to help bank personnel understand the systems in place and how those systems are interconnected.
6. Wardialer - Metavante Banking Solution technical staff conduct “wardialer” intrusion attempts (dialing your institution’s telephone numbers to find lines that answer with a modem) in order to detect modems that are not properly secured against unauthorized access.
7. Vulnerability Scan - This is a scan of your network that checks for hundreds of known vulnerabilities using network vulnerability scanning tools. The scanner rates each finding, which allows vulnerabilities to be prioritized so that the response plan is risk-based and cost-effective.
Upon completion of all of these items, Metavante Banking Solution will prepare a risk assessment of your bank’s information systems along with a list of action items to be performed. This provides you with the risk assessment approach required by the Gramm-Leach-Bliley Act, and gives bank management the information needed to develop a tailored course of action in response to the risks identified. The information will be provided to you both in printed form and electronically on CD-ROM.
Phase II of iFortress consists of implementing the action items determined in Phase I:
- Completing the items on the List of Action Items as approved by bank management
- Retesting information system controls after the approved List of Action Items has been completed
- Completing a written Information Systems Security Plan and Procedures Manual
Phase II also includes training bank personnel on continued monitoring of controls and on identifying breaches and attacks.
Phase III entails ongoing services:
- Annual on-site network vulnerability assessments
- Annual update of the network security assessment manual
- Annual Information Security Policy review
- Annual refresh of the hardware and software inventory
- Delivery of alerts and position papers on the latest regulatory changes
- Delivery of the latest news and changes in technology security
- One on-site two (2) hour customer information security awareness seminar for employees