What is Management Responsible For?

Transcription

1 What is Management Responsible For? Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C.

2 About Wolf & Company, P.C Regional firm established in 1911 Provide Audit, Tax, Business Consulting & Risk Management services PCAOB Registered & Inspected Member of AICPA Center for Audit Quality Member of PKF North America 200 Professionals Offices located in: Boston, Massachusetts Springfield, Massachusetts Albany, NY Livingston, NJ 2

3 Financial Institution Expertise Provide services to over 250 financial institutions Approximately 50 FIs with assets > $1 billion Approximately 30 publicly traded FIs Constant regulatory review of our deliverables Provide Risk Management Services in 27 states and 2 U.S. territories IT Assurance Services Group Internal Audit Services Group Regulatory Compliance Services Group WolfPAC Solutions Group 3

4 Definitions Per NIST Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks. Cyberspace: A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Information Security (1): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. SOURCE: NIST IR 7298 Revision 2, Glossary of Key Information Security Terms 4

5 In the News 5

6 What we worry about? 5

7 What we worry about? 6

8 What we worry about? 7

9 What we worry about? 9

10 2015 Verizon Data reach Investigation Report Incident Frequency by Industry 10

11 What Banks Need to Know 1. Hackers increasingly have more than one motive and method of attack. 2. The use of memory scraping in data breaches has increased. 3. More cyber threat information is being shared, but there is a need for faster sharing. 4. Too many people still fall for phishing attacks. 5. Old software vulnerabilities are going unpatched. 6. Mobile malware is not statistically significant yet, but it's still a concern. 7. Ongoing Web app attacks point to a need for two-factor authentication. American Banker Bank Technology News: April 16,

12 The Regulators 12

13 The Regulators 9

14 FFIEC Wants Banks Setting the tone from the top and building a security culture Identifying, measuring, mitigating, and monitoring risks Developing risk management processes commensurate with the risks and complexity of the institutions Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed both now and in the future Creating a governance process to ensure ongoing awareness and accountability Ensuring timely reports to senior management that include meaningful information addressing the institution s vulnerability to cyber risks 10

15 Current Guidance Available FFIEC IT Booklets NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) FFIEC Cybersecurity Assessment Tool 15

16 Cybersecurity Preparedness Risk management and oversight Threat intelligence and collaboration Cybersecurity connection types Cybersecurity controls Enhancements to Vendor and BCP programs 16

17 Risk Management and Oversight Governance More frequent Board and Senior management education Define roles and responsibilities that assign accountability regarding cyber risks Reporting structure of CISO/ISO Management of cyber security issues (interaction between information security and core business functions) Allocation of resources Time and energy Training and awareness of employees Onboarding and ongoing training More frequent and relevant training Training for information security professionals Test training effectiveness 17

18 Threat Intelligence External sources of threat intelligence Media reports Third party service providers Financial Services Information Sharing and Analysis (FS-ISAC) InfraGard Secret Service US Cert Internal sources of threat intelligence Fraud detection tools Anti-Money Laundering/Office of Foreign Assets Control/Bank Secrecy Security information and event management (SIEM) Sharing information with law enforcement 18

19 Connections Connection types From mobile devices (BYOD) VPNs Internet Portals sites, web based applications, telnet, FTP Wireless networks Direct connections to other networks or ISP s Product and services Target a specific product or service (i.e. Business Online Banking, Wire Transfer system) Technologies Used Each type of technology introduces its own set of vulnerabilities 19

20 Cybersecurity Controls Preventive controls Identity and access management systems (includes multifactor authentication) Restricting access (i.e. network segmentation, ACL s, web filtering) CISO or ISO reporting lines Data Classification Patch management program Secure software development life cycle Encryption Detective controls Increased security testing and monitoring, penetration testing Incident detection and monitoring Corrective controls Incident response Cyber security insurance BCP/DRP (incorporate security into plan) 20

21 Changes to other programs Key Indicators of Compromise Vendor Management BCP Enterprise Risk Management 21

22 Important Resources FFIEC Cybersecurity guidance- NIST Cybersecurity Framework- Executive Order FBI InfraGard- U.S. Computer Emergency Readiness Team- U.S. Secret Service Electronic Crimes Task Forcehttp:// Department of Homeland Security- NY State Department of Financial Services Memohttps:// 0Committee/NY%20Cyber%20Security%20Exam%20Process.pdf

23 Thank You! Questions? Matthew J. Putvinski, CPA, CISA, CISSP Director, IT Assurance Services twitter.com\mattputvinski linkedin.com\in\mattputvinski