Top 10 Baseline Cybersecurity Controls Banks Aren't Doing
|
|
- Theodora Reeves
- 7 years ago
- Views:
Transcription
1 Top 10 Baseline Cybersecurity Controls Banks Aren't Doing SECURE BANKING SOLUTIONS 1
2 Contact Information Chad Knutson President, SBS Institute Senior Information Security Consultant Masters in Information Assurance CISSP, CISA, CRISC Cell: (605) SBS Institute
3 Background 11 Years Community Bank Consulting at SBS Experience in Risk Management, ISP Development, and Auditing SBS has worked with over 800 banks in 45 states Relationship with Dakota State University NSA & DHS National Center of Excellence in Information Assurance One of the only universities focusing on community banking security 3
4 Our Experience PROCESS: Information Security Program design and roll out IT Risk Management Vendor Management Technology Selection Business Continuity/ Disaster Recovery Incident Response Information Security Consulting IT Audit ISP Audit Controls Audit Wire Transfer Audit ACH Audit Internet Banking Audit TECHNOLOGY: Penetration Testing Vulnerability Assessment System Configuration Assessment Acceptable Use Scanning PEOPLE: Social Engineering Awareness Programs ISO Training CATO Training TRAC Risk Mgmt. Suite Verify ACH Whitelisting Cyber Risk Anti Phishing 4
5 Agenda 1. Cybersecurity Background 2. Top 10 Missing Baseline Controls 3. Beyond Completion of Assessment 5
6 What is Cybersecurity? Cyber Risk the increased probability that the very high impact, internet based risks and threats we once thought were improbably will harm our networks Cybersecurity the controls and processes in place to protect our networks and customer information from cyber risk How does it relate to Information Security? discipline of Information Security, which not only encompasses Cybersecurity, but also all of the traditional things we ve done to protect our confidential customer information; including IT Risk Assessment, Vendor Management, Business Continuity Planning, Vulnerability Assessment, IT Audit, and much more Images courtesy of ISACA and member Menny Barzilay Center/Blog/Lists/Posts/Post.aspx?ID=296 6
7 Technology & Cybercrime New Products/Services Mobile Solutions Mobile Cash Management Mobile Payments Mobile Capture Virtualization Electronic Payments Cloud Online Account Opening Interactive Teller Machines Bank Technology Cybercrime Third Party Customer 7
8 GLBA Interpretation A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. B. Objectives. A bank's information security program shall be designed to: Ensure the security and confidentiality of customer information Protect against any anticipated threats or hazards to the security or integrity of such information Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer Ensure the proper disposal of customer information and consumer information html 8
9 Federal Reserve SR 15 9 In particular, the Federal Reserve will work to tailor expectations to minimize burden for financial institutions with low cybersecurity risk profiles and, potentially, supplement expectations for financial institutions with significant cybersecurity risk profiles. Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions cybersecurity preparedness in information technology and safety and soundness examinations and inspections. 9
10 OCC Bulletin The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts. While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution s inherent risk, risk management practices, and controls related to cybersecurity. OCC examiners will begin incorporating the Assessment into examinations in late issuances/bulletins/2015/bulletin html 10
11 FDIC FIL Use of the Cybersecurity Assessment Tool is voluntary. FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions. 11
12 FFIEC CAT Overview 12
13 Do we need to do the CAT? What does GLBA require? Are we asking the right question? 13
14 Risk Management Approach Tier 1 FFIEC CAT = Organizational Risk Assessment Cyber Risk: risk.protectmybank.com/ Tier 3 TRAC = Asset Based Risk Assessment TRAC: risk assessment/ 14
15 SBS Cyber Risk Web based FFIEC Cybersecurity Assessment Tool Complimentary Access 1311 active users 717 completed assessments 100% Follows FFIEC CAT 15
16 Cybersecurity Inherent Risk Five Inherent Risk Areas 1. Technologies and Connection Types 2. Delivery Channels 3. Online/Mobile Products and Technology Services 4. Organizational Characteristics 5. External Threats 49% 35% 12% 3% <1% Number shows average ratings for the 700+ assessments completed 16
17 Risk Ratings per Category 17
18 Baseline Controls Domain 1Domain 2Domain 3Domain 4Domain 5Total Baseline Evolving Intermediate Advanced Innovative
19 #1 Firewall Rules (22%) Firewall rules are audited or verified at least quarterly. (FFIEC Information Security Booklet, page 82) High risk systems should be subject to an independent test at least once a year. Additionally, firewall policies and other policies addressing access control between the financial institution s network and other networks should be audited and verified at least quarterly. The quarterly auditing and verification need not be by an independent source. (NIST ) Each review should include a detailed examination of all changes since the last regular review, particularly who made the changes and under what circumstances. It is also useful to occasionally perform overall ruleset audits by people who are not part of the normal policy review team to get an outside view of how the policy matches the organization s goals. Suggestions: Formal configuration management process Quarterly change review Quarterly rule evaluation 19
20 #2 Diagrams (22%) Data flow diagrams are in place and document information flow to external parties. (FFIEC Information Security Booklet, page 10) The institution s analysis should include a system characterization and data flow analysis of networks (where feasible), computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems. Some systems and data stores may not be readily apparent. For example, backup tapes, portable computers, personal digital assistants, media such as compact disks, micro drives, and diskettes, and media used in software development and testing should be considered. 20
21 #3 Testing Patches (18%) Patches are tested before being applied to systems and/or software. (FFIEC Operations Booklet, page 22) Management should establish procedures to stay abreast of patches, to test them in a segregated environment, and to install them when appropriate. Suggestions: Documented Approach Non production testing environment Dedicated environment Reductant backup site Duplicate VM s Staged Deployment Back Out Plan 21
22 #4 Unauthorized Devices (17%) Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. (FFIEC Information Security Work Program, Objective II: M 9) Determine whether appropriate detection capabilities exist related to: Network related anomalies, including: Blocked outbound traffic Unusual communications, including communicating hosts, times of day, protocols, and other header related anomalies Unusual or malicious packet payloads Host related anomalies, including: System resource usage and anomalies User related anomalies Operating and tool configuration anomalies File and data integrity problems Anti virus, anti spyware, and other malware identification alerts Unauthorized access Privileged access Sans Top 20 (CIS CSC standard, #1 control) 22
23 #5 Network Baseline (16%) A normal network activity baseline is established. (FFIEC Information Security Booklet, page 77) Pg. 84 (typo?) Network Intrusion Detection Systems The anomaly based detection method generally detects deviations from a baseline. The baseline can be either protocol based, or behaviorbased. The protocol based baseline detects differences between the detected packets for a given protocol and the Internet s RFCs (Requests for Comment) pertaining to that protocol. 23
24 #6 Customer Awareness (16%) Customer awareness materials are readily available (e.g., DHS' Cybersecurity Awareness Month materials). (FFIEC E Banking Work Program, Objective 6 3) Review the website content for inclusion of the following information which institutions should consider to avoid customer confusion and communicate customer responsibilities: Security policies and customer usage responsibilities (including security disclosures and Internet banking agreements); Suggestions Website and Process: DHS: Cybersecurity Month: cyber security awareness month NIST 7621: pdf Annual CATO Training Phishing Brochures Self Assessments: risk/ 24
25 #7 Removable Media (15%) Controls are in place to restrict the use of removable media to authorized personnel. (FFIEC Information Security Work Program, Objective I: 4 1) Review security policies and standards to ensure that they sufficiently address the following areas when considering the risks identified by the institution. If policy validation is necessary, consider performing Tier II procedures. Authentication and Authorization Acceptable use policy that dictates the appropriate use of the institution s technology including hardware, software, networks, and telecommunications. Administration of access rights at enrollment, when duties change, and at employee separation. Physical controls over access to hardware, software, storage media, paper records, and facilities Media handling procedures and restrictions, including procedures for securing, transmitting and disposing of paper and electronic information 25
26 #8 Elevated Privileges (14%) Elevated privileges are monitored. (FFIEC Information Security Booklet, page 19) The concepts of least permissions and least privileges are used to provide functionality while limiting potentially harmful actions. They generally involve restricting authorizations at the network, server, and client level. For example, a user could be allowed access to only certain network resources and denied access to others. A user could be allowed access to some program functions or file areas and not allowed access to others. A program could be allowed access to some of a computer s or network s resources and disallowed access to others. Authorization for users most often is managed by assigning a user to a group, and granting permissions to the group. Suggestion: limiting privileges gives fewer areas to monitor that have privileges needed to successfully compromise systems and data. Focus log monitoring and review to elevated accounts. Your (Local Admin) User Gets Admin Rights Gets Virus 26
27 #9 Anomalous Activities (13%) The institution is able to detect anomalous activities through monitoring across the environment. (FFIEC Information Security Booklet, page 32) Pg.37 (typo?) Network Access Institutions should: Group network servers, applications, data, and users into security domains (e.g., untrusted external networks, external service providers, or various internal user systems); Establish appropriate access requirements within and between each security domain; Implement appropriate technological controls to meet those access requirements consistently; and Monitor cross domain access for security policy violations and anomalous activity. Security personnel typically lead or assist in the development of policies, standards, and procedures, and monitor compliance. They also lead or assist in incident response efforts. Network administrators implement the policies, standards, and procedures in their day to day operational role. (More in the New Management Booklet) 27
28 #10 Policies (13%) The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. (FFIEC EBanking Booklet, page 28) Summary: Implement security program that, 1) identified and assess risk 2) written policies/procedures to control risk 3) Implement plan and test 4) adjust (Plan, Do, Check, Act). Ongoing knowledge of attack sources, scenarios, and techniques. Financial institutions should maintain an ongoing awareness of attack threats through membership in information sharing entities such as the Financial Services Information Sharing and Analysis Center (FS ISAC), Infragard, the CERT Coordination Center, private mailing lists, and other security information sources. Risk Assessment Audit Policy (ISP) 28
29 Improving ISP INFORMATION SECURITY PROGRAMS 29
30 Next steps? 1. Determine Inherent Risk 2. Determine Domain Maturity 3. Identify Goals 4. Identify Gaps 5. Implement additional controls 6. Increase maturity 7. Repeat 30
31 Identify Gaps Y Identify Gaps Y N Y Y Y Y Y Y 31
32 Build Action Plan 32
33 Overall Process Cybersecurity Plan Board Involvement Create Cybersecurity Policy Board level education Establish Risk Appetite Management level education Complete FFIEC Cybersecurity Assessment Remediation Conduct Gap Analysis Build Action Items Report to Board Monthly Action Items Report Update existing Information Security Program FFIEC Cyber Tool Education and Awareness Additional Employee, management, and board training Cybersecurity Focused Audit Updated components of ISP Cybersecurity Policy effectiveness Annual Board Cybersecurity Report 33
34 Cybersecurity Plan 34
35 Cybersecurity Policy Roles/Responsibilities Board CEO ISO or Cybersecurity Officer Management ne_2015_pdf1.pdf Cybersecurity Assessment Inherent Risk Assessment Cybersecurity Maturity Integration with Information Security Program Verification with Audits Education for board, management, and employees 35
36 Board Roles and Responsibilities FFIEC Management Book While the board may delegate the design, implementation, and monitoring of certain IT activities to the steering committee, the board remains responsible for overseeing IT activities and should provide a credible challenge to management. The role of the board, or an appropriate board committee, may include the responsibility to do the following: Engage management in establishing the institution s vision, risk appetite, and overall strategic direction. Approve plans to use the Assessment. Review management s analysis of the Assessment results, inclusive of any reviews or opinions on the results issued by independent risk management or internal audit functions regarding those results. Review management s determination of whether the institution s cybersecurity preparedness is aligned with its risks. Review and approve plans to address any risk management or control weaknesses. Review the results of management s ongoing monitoring of the institution s exposure to and preparedness for cyber threats. 36
37 CEO Roles and Responsibilities FFIEC Management Book Executive management, including the chief executive officer (CEO), the chief operating officer (COO), and often the chief information officer (CIO), plays a significant role in IT management at a financial institution. Executive management develops the strategic plans and objectives for the institution and sets the budget for resources to achieve these objectives. To carry out its responsibilities, executive management should understand at a high level the IT risks faced by the institution and ensure that those risks are included in the institution s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance. The role of the chief executive officer (CEO), with management s support, may include the responsibility to do the following: Develop a plan to conduct the Assessment. Lead employee efforts during the Assessment to facilitate timely responses from across the institution. Set the target state of cybersecurity preparedness that best aligns to the board of directors (board) stated (or approved) risk appetite. Review, approve, and support plans to address risk management and control weaknesses. Analyze and present results for executive oversight, including key stakeholders and the board, or an appropriate board committee. Oversee the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of cybersecurity risk. Oversee changes to maintain or increase the desired cybersecurity preparedness. 37
38 Cybersecurity Policy 38
39 39
40 Cybersecurity Policy Types DIAGRAM Cyber Risk Man. Governance REQUIREMENTS Need Policy to Govern Cyber (right side) Risk Management Controls Cybersecurity Governance Of Cyber Cybersecurity Policy Requires Cybersecurity Assessments (left side) Cybersecurity Assessment drives ISP improvements. ISP improvements documented in ISP Policies/Procedures. ISP Policy/Procedures ISP Controls Audit Cyber security Policy/Program Cyber Annual Report ISP Controls (specifically Cyber) need auditing. Need Overall Annual Cyber Report Cyber Governance Policy needs auditing. Cyber Governance Audit 40
41 Results of GAP Likely create new policies or controls in existing policies Improvements to existing programs, plans, procedures Implementation of action technology, physical, or administrative controls 41
42 Formalize Action Tracking Audits Conduct Activities Exams Cyber Risk Assessment IT Audit Findings Penetration Test Findings Incident Reports/SARS Action List Risk Assessments IT Risk Assessment Policy Reviews Committee Actions Contract Reviews 42
43 Track to Completion Assign an owner Assign a due date Periodically report on the status Report when it is completed Close the item Action List Difference between Managed and Chaos: You will literally have hundreds of security tasks to track each year. Do you have a well managed process? 43
44 Monthly Board Report 44
45 Education and Awareness Annual Cybersecurity Training Board / Executive Team Training Employee Training Customer Acceptable Use Training Social Engineering Testing/Training Regular/Monthly Updates Security Posters October Cybersecurity Month Regular Quizzes & Tips Threat Alerts securingthehuman.org 45
46 1) Audit Cyber Policy 2) Audit Cyber ISP Controls 46
47 Annual Cybersecurity Report 47
48 Overall Process Diagram 48
49 Basic Questions to Directors Can Ask 1) Were is this in our Risk Assessment, ISP, and Audit processes 2) How are we, our third parties, and our customers addressing it? Risk Assessment Bank Audit Policy (ISP) Third Party Customer 49
50 50
51 Education How to monitor Cyber Security Issues and Take Action? Conferences and Conventions Technology & Security Conferences from your Association Webinars Regular Hot Topics from your Association Banking Schools Graduate Banking Schools such as Certifications: Deep dive into Cybersecurity: Management Level: Cybersecurity Manager (CBCM) Security Executive (CBSE) Security Manager (CBSM) Vendor Manager (CBVM) Incident Handler (CBIH) Technical Level: Security Technical Professional (CBSTP) Ethical Hacker (CBEH) Mobile Administrator (CBMA) Forensic Investigator (CBFI) And more info at /sbsinstitute/ 51
What Directors need to know about Cybersecurity?
What Directors need to know about Cybersecurity? W HAT I S C YBERSECURITY? PRESENTED BY: UTAH BANKERS ASSOCIATION AND JON WALDMAN PARTNER, SENIOR IS CONSULTANT - SBS 1 Contact Information Jon Waldman Partner,
More informationPACB One-Day Cybersecurity Workshop
PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance
More informationEd McMurray, CISA, CISSP, CTGA CoNetrix
Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats
More informationFFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationCYBERSECURITY HOT TOPICS
1 CYBERSECURITY HOT TOPICS Secure Banking Solutions 2 Presenter Chad Knutson VP SBS Institute Senior Information Security Consultant Masters in Information Assurance CISSP, CISA, CRISC www.protectmybank.com
More informationINFORMATION SECURITY FOR YOUR AGENCY
INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationCybersecurity. Regional and Community Banks. Inherent Risks and Preparedness. www.bostonfed.org
Cybersecurity Inherent Risks and Preparedness Regional and Community Banks www.bostonfed.org Disclaimer The opinions expressed in this presentation are intended for informational purposes, and are not
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationClick to edit Master title style
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
More informationCybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
More informationCertification Programs
Registration Questions? Please contact us directly. 507 S. Grand Ave., Lansing, MI 48933 sfisher@mibankers.com (517) 342-9057 Certification Programs 2015 Following the lecture on day 2, students have the
More informationCYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015
CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015 TODAY S PRESENTER Viviana Campanaro, CISSP Director, Security and
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationCybersecurity Governance Update: New FFIEC Requirements cliftonlarsonallen.com
Cybersecurity Governance Update: New FFIEC Requirements cliftonlarsonallen.com Overview Up To Date Cybersecurity and Fraud Risks Current threat environment Industry examples and case studies FFIEC Cybersecurity
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationOhio Supercomputer Center
Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original
More informationCertification Programs
Certification Programs 2014 The SBS Institute serves community banks by providing educational programs that will certify a banker has the knowledge and skills to protect against todays information security
More informationAppendix A: Mapping Baseline Statements to FFIEC IT Examination Handbook
Appendix A: to FFIEC IT Examination Handbook The purpose of this appendix is to demonstrate how the declarative statements at the baseline maturity level correspond with the risk management and control
More informationDiscussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The
More informationInstructions for Completing the Information Technology Officer s Questionnaire
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
More informationWhat is Management Responsible For?
What is Management Responsible For? Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf & Company, P.C Regional
More informationEllucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant
Ellucian Cloud Services Joe Street Cloud Services, Sr. Solution Consultant Confidentiality Statement The information contained herein is considered proprietary and highly confidential by Ellucian Managed
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationIT AUDIT WHO WE ARE. Current Trends and Top Risks of 2015 10/9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski
IT AUDIT Current Trends and Top Risks of 2015 2 02 Eric Vyverberg WHO WE ARE David Kupinski Randy Armknecht Associate Director Internal Audit Protiviti 317.510.4661 eric.vyverberg@protiviti.com Managing
More informationINFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION
INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
More informationSmall Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.
Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Topics: Explain why it is important for firms of all sizes to address cybersecurity risk. Demonstrate awareness
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationManaged Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint?
Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Why? Focused on Managed Intrusion Security Superior-Architected Hardened Technology Security
More informationby: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy
Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy June 10, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT
More informationCYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS
October 21, 2015 CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS Cerone F. Cy Sturdivant Managing Consultant csturdivant@bkd.com 1 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls
More informationCyber Security 2014 SECURE BANKING SOLUTIONS, LLC
Cyber Security CHAD KNUTSON SECURE BANKING SOLUTIONS 2014 SECURE BANKING SOLUTIONS, LLC Presenter Chad Knutson Senior Information Security Consultant Masters in Information Assurance CISSP (Certified Information
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More information¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India
CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More informationINFORMATION SECURITY STRATEGIC PLAN
INFORMATION SECURITY STRATEGIC PLAN UNIVERSITY OF CONNECTICUT INFORMATION SECURITY OFFICE 4/20/10 University of Connecticut / Jason Pufahl, CISSP, CISM 1 1 MISSION STATEMENT The mission of the Information
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
More informationSystem Security Plan University of Texas Health Science Center School of Public Health
System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many
More information7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008
U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationCurrent Trends in Cyber Crime & Payments Fraud cliftonlarsonallen.com
Current Trends in Cyber Crime & Payments Fraud cliftonlarsonallen.com Our perspective CliftonLarsonAllen Started in 1953 with a goal of total client service Today, industry specialized CPA and Advisory
More informationCybersecurity Health Check At A Glance
This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationAchieving SOX Compliance with Masergy Security Professional Services
Achieving SOX Compliance with Masergy Security Professional Services The Sarbanes-Oxley (SOX) Act, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 (and commonly called
More informationEnterprise Risk Management Process Improvement. Secure Banking Solutions, LLC
Enterprise Risk Management Process Improvement 2 Contact Information Contact Information Chad Knutson Senior Information Security Consultant CISSP, CISA, CRISC Phone: 605-480-3366 chad.knutson@protectmybank.com
More informationTHE EVOLUTION OF CYBERSECURITY
THE EVOLUTION OF CYBERSECURITY Identifying Best Practices June 2, 2015 Cerone F. Cy Sturdivant Managing Consultant Nashville, TN 1 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls when
More informationSECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES
REQUIREMENT 6.1 TO 6.2 SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES 6.1 TO 6.2 OVERVIEW In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, [company
More informationReport on CAP Cybersecurity November 5, 2015
Agenda Number 7. Report on CAP Cybersecurity November 5, 2015 Phil Cook CISSP, CISM Manager, Information Technologies Risk #1 External Attacks PR 81 Protect and secure CAP's Information Technology assets
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More information2 0 1 4 F G F O A A N N U A L C O N F E R E N C E
I T G OV E R NANCE 2 0 1 4 F G F O A A N N U A L C O N F E R E N C E RAJ PATEL Plante Moran 248.223.3428 raj.patel@plantemoran.com This presentation will discuss current threats faced by public institutions,
More informationGet on First Base with your Regulators and Cyber Security
Get on First Base with your Regulators and Cyber Security Secure Banking Solutions Chad Knutson 2 Presenter Chad Knutson VP SBS Institute Senior Information Security Consultant Masters in Information Assurance
More informationEVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationCybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015
Cybersecurity Best Practices in Mortgage Banking Article by Jim Deitch Cybersecurity Best Practices in Mortgage Banking BY JIM DEITCH Jim Deitch Recent high-profile cyberattacks have clearly demonstrated
More informationVendor Risk Management Financial Organizations
Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current
More information8/27/2015. Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354. Don t Wait Another Day
Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354 2015 FRWA Annual Conference Don t Wait Another Day 1 SCADA Subsystems Management Physical Connectivity Configuration Mgmt.
More informationItaly. EY s Global Information Security Survey 2013
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationRajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security
More informationNIST Cybersecurity Framework & A Tale of Two Criticalities
NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented
More informationAnatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow
Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow Agenda Background & Threat landscape Breach: A Case Study Incident Response Best Practices Lessons Learned
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002
ForeScout CounterACT and Compliance An independent assessment on how network access control maps to leading compliance mandates and helps automate GRC operations June 2012 Overview Information security
More informationExam 1 - CSIS 3755 Information Assurance
Name: Exam 1 - CSIS 3755 Information Assurance True/False Indicate whether the statement is true or false. 1. Antiquated or outdated infrastructure can lead to reliable and trustworthy systems. 2. Information
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationTop 20 Critical Security Controls
Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationCybersecurity Awareness
Awareness Objectives Discuss the Evolution of Data Security Define Review Threat Environment Discuss Information Security Program Enhancements for Cyber Risk Threat Intelligence Third-Party Management
More informationEvaluation Report. Office of Inspector General
Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury
More informationINFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire
Institution Charter Date of Exam Prepared By INFORMATION TECHLOGY OFFICER S QUESTIONNAIRE Instructions for Completing the Information Technology Examination Officer s Questionnaire The Information Technology
More informationCybersecurity Governance Update on New FFIEC Requirements
Cybersecurity Governance Update on New FFIEC Requirements cliftonlarsonallen.com Our perspective CliftonLarsonAllen Started in 1953 with a goal of total client service Today, Professional Services Firm
More informationSeptember 20, 2013 Senior IT Examiner Gene Lilienthal
Cyber Crime September 20, 2013 Senior IT Examiner Gene Lilienthal The following presentation are views and opinions of the speaker and does not necessarily reflect the views of the Federal Reserve Bank
More informationDeveloping the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009
Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationBest Practices For Department Server and Enterprise System Checklist
Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)
More informationTABLE OF CONTENTS INTRODUCTION... 1
TABLE OF CONTENTS INTRODUCTION... 1 Overview...1 Coordination with GLBA Section 501(b)...2 Security Objectives...2 Regulatory Guidance, Resources, and Standards...3 SECURITY PROCESS... 4 Overview...4 Governance...5
More informationMiami University. Payment Card Data Security Policy
Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that
More informationTen Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
More informationEnterprise Cybersecurity: Building an Effective Defense
: Building an Effective Defense Chris Williams Scott Donaldson Abdul Aslam 1 About the Presenters Co Authors of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced
More informationExecutive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationUnified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES
Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES SOX COMPLIANCE Achieving SOX Compliance with Professional Services The Sarbanes-Oxley (SOX)
More informationSecure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities
Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities Sean Barnum sbarnum@mitre.org September 2011 Overview What is SCAP? Why SCAP?
More informationCybersecurity Awareness. Part 2
Part 2 Objectives Discuss the Evolution of Data Security Define and Discuss Cybersecurity Review Threat Environment Part 1 Discuss Information Security Programs s Enhancements for Cybersecurity Risks Threat
More informationThe Role of Security Monitoring & SIEM in Risk Management
The Role of Security Monitoring & SIEM in Risk Management Jeff Kopec, MS, CISSP Cyber Security Architect Oakwood Healthcare Jeff Bell, CISSP, GSLC, CPHIMS, ACHE Director, IT Security & Risk Services CareTech
More informationAppendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises
Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More information