PACB One-Day Cybersecurity Workshop
|
|
- Rose Hood
- 8 years ago
- Views:
Transcription
1 PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1
2 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance - DSU Phone: jon@protectmybank.com 2
3 My Experience 9 Years Information Security Information Security Program Design and Implementation IT Risk Assessment Penetration Testing Vulnerability Assessments Awareness Programs Vendor Management Business Continuity Technology Selection Info Security Consulting IT Audit ISP audit Controls audit ISP GAP Analysis Internet banking audit Anything else you can imagine! 3
4 Secure Banking Solutions Offshoot of the national center of excellence in bank security at Dakota State University Provides the help bank needs to have good security and successful IT exams Experience in Risk Management, ISP Development, and Auditing 45 states; 850 community banks across the US 4
5 Dakota State Nationally Recognized National Security Agency Department of Homeland Security 4,000 universities in the country Only 100 named national centers in the past 10 years National Center of Excellence in Information Assurance 5
6 Agenda What is cybersecurity? What do I need to know about cybersecurity? What are some of today s cybersecurity threats? How do I build a useful Information Security Program? How do I build a Risk Assessment that helps me make decisions? People are the weakest link; how do I prepare and train my people to mitigate risk? Bad things are going to happen; it s inevitable. How do I plan for and prepare to respond to incidents? 6
7 Agenda What is cybersecurity? What do I need to know about cybersecurity? What are some of today s cybersecurity threats? How do I build a useful Information Security Program? How do I build a Risk Assessment that helps me make decisions? People are the weakest link; how do I prepare and train my people to mitigate risk? Bad things are going to happen; it s inevitable. How do I plan for and prepare to respond to incidents? 7
8 Overall Threats Bank Internal & External System & Organizational Third Party Vendors Business Partners Downstream Partners Commercial Merchant Correspondent Banking ACH Origination etc. Consumer Phone Banking Internet Banking Mobile Banking Consumer Capture etc. 8
9 Capability Maturity Model 9
10 Assessment Maturity 4 Commercial Threats Goal 3 3 rd Party Threats Goal Bank Threats Goal Level of Assessment (CMM Levels) Consumer Threats Goal Consumer Low Threats Medium High Level of Risk Bank Threats 3 rd Party Threats Commercial Threats 10
11 Gramm-Leach-Bliley Act 501 (b) FINANCIAL INSTITUTIONS SAFEGUARDS. In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. 11
12 FDIC - Appendix B to Part 364 A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. B. Objectives. A bank's information security program shall be designed to: 1. Ensure the security and confidentiality of customer information; 2. Protect against any anticipated threats or hazards to the security or integrity of such information; 3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and 4. Ensure the proper disposal of customer information and consumer information. 12
13 Apply to ISP Bank Risk Assessment Third Party Customer Audit Policy (ISP) 13
14 Cybersecurity WHAT IS CYBER SECURITY? WHAT DOES REGULATION SAY? 14
15 Agenda What is cybersecurity? What do I need to know about cybersecurity? What are some of today s cybersecurity threats? How do I build a useful Information Security Program? How do I build a Risk Assessment that helps me make decisions? People are the weakest link; how do I prepare and train my people to mitigate risk? Bad things are going to happen; it s inevitable. How do I plan for and prepare to respond to incidents? 15
16 What is Cybersecurity? Cyber Risk the increased probability that the veryhigh-impact, internet-based risks and threats we once thought were improbably will harm our networks Cybersecurity the controls and processes in place to protect our networks and customer information from cyber risk How does it relate to Information Security? discipline of Information Security, which not only encompasses Cybersecurity, but also all of the traditional things we ve done to protect our confidential customer information, including IT Risk Assessment, Vendor Management, Business Continuity Planning, Vulnerability Assessment, IT Audit, and much more Images courtesy of ISACA and member Menny Barzilay 16
17 Cybersecurity America s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas. President Obama 17
18 Nation Security Summary Cybersecurity Information Sharing Act of 2015 encourage the sharing of data between private companies and the government to prevent and respond to cybersecurity threats funnel corporate intelligence about cybersecurity threats and breaches through the Department of Homeland Security The Personal Data Notification & Protection Act This proposal clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard. The proposal also criminalizes illicit overseas trade in identities. 18
19 Growth in Banking New Products/Services Mobile Cash Management Consumer Capture Online Account Opening Integrative Teller Machines P2P Payment Systems Cybercrime Increasing Organized Crime Advance Persistent Threats Third Party Bank Customer 19
20 APT vs Organized Crime 20
21 New York State DFI Boards receiving updates less often than senior management. Specifically, 73% of institutions reported that the Board received information security updates quarterly or annually, whereas 33% of institutions reported that senior managers received monthly updates. The frequency of information security updates to CEO s varied dramatically amongst institutions, ranging from annually (30%), quarterly (24%), and monthly (22%) _cyber_security.pdf 21
22 New York State DFI Key pillars: 1) a written information security policy 2) security awareness education and employee training 3) risk management of cyber-risk, inclusive of identification of key risks and trends 4) information security audits 5) incident monitoring and reporting. General Statistics: only 62% of small institutions audit compliance of third party relationships 57% of small institutions have a DLP solution, compared to 78% of large institutions most reporting incidents involving malicious software (malware) (22%), phishing (21%), most frequent wrongful activity resulting from a cyber intrusion were account takeovers (46%) 22
23 CSBS Conference of State Banking Supervisors: The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely considered an IT problem, the rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of bank CEOs that management of a bank s cybersecurity risk is not simply an IT issue, but a CEO and Board of Directors issue. 23
24 FFIEC Cybersecurity Assessments (2014) Main Site: Board/Senior Management Video: Observations: sessment_observations.pdf 24
25 Cybersecurity Asst s 2 nd Half of 2014 Targeted Regulatory Exams June 2013, the FFIEC established the Cybersecurity and Critical Infrastructure Working Group (CCWIG) Approximately 500 assessments on banks with $1 billion or less in assets approx man-hours = big deal! Information gathering and learning mode Finalized report in December 2014 for all exams moving forward 25
26 Cybersecurity Assessment Scope Exams build upon key aspects of existing supervisory expectations addressed in the FFIEC IT Handbook Assesses an institution s current practices and overall cybersecurity preparedness, with a focus on the following key areas: Risk Management and Oversight Threat Intelligence and Collaboration Cybersecurity Controls External Dependency Management Cyber Incident Management and Resilience 26
27 Summary of Results Must develop a strong risk management program Enhanced vulnerability assessment program Share and collaborate cyber security information with other institutions Enhanced vendor management program Enhanced incident response plans Training and education on information (cyber) security is going to be emphasized Board participation and education involving information security is going to be EXAMINED and REGULATED Are you keeping your Boards appraised of cyber security issues and how your institution is responding? 27
28 Lots of Questions The Cybersecurity General Observations document was only four pages, and quite broad Three MAJOR take-aways: Board of Directors are going to be EXPECTED to be MUCH more involved in Information Security Program activities Banks are going to have to have comprehensive, valuable, and repeatable Risk Management processes More regulation is to come! 28
29 Additional Cybersecurity Guidance FFIEC released two (2) additional pieces of guidance in March 2015: Statement on Destructive Malware Cyber attacks are focusing on businesses and increasing in frequency and severity and predominantly involve malware, which comes in many forms Cyber Attacks Compromising Credentials Attacks that aim to steal credentials are increasing; not just going after passwords, but all types of information Attacks involve phishing, malvertizing, watering holes, and webased attacks 29
30 Similarities between statements Half of these two statements are IDENTICAL but WHY? Process reinforcement! This is a very deliberate statement on behalf of the FFIEC to make sure that institutions are: Following strong risk management practices Identifying risk, making decisions to mitigate risk, documenting those decisions in an ISP, and implementing those decisions within their institution Testing those decisions (risk mitigating controls) regularly Training and educating their employees (especially the Board and senior management) Collaborating and sharing information with other institutions What do those general statements align with? Cybersecurity Assessment General Observations? 30
31 Which leads us to the present FFIEC Cybersecurity Assessment Tool released on Tuesday June 30th, 2015 Not really a tool, as we have traditionally defined software or hardware More of a process to help banks perform a self-assessment on their Cybersecurity Preparedness Based on size-and-complexity Resulting from the 2014 Cybersecurity Assessment lessons-learned 31
32 Overview 32
33 FFIEC CA Tool (3 parts) Three (3) major components 1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity 2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats 3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity. 33
34 Cybersecurity Inherent Risk Very PRESCRIPTIVE Really getting to the Size and Complexity issue originally stated by GLBA Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats 34
35 Cybersecurity Inherent Risk Five Inherent Risk Areas 1. Technologies and Connection Types 2. Delivery Channels 3. Online/Mobile Products and Technology Services 4. Organizational Characteristics 5. External Threats 35
36 36
37 Cybersecurity Maturity Measure Maturity in 5 Domains (+ Assessment Factors) 1. Cyber Risk Management and Oversight Governance, Risk Management, Resources, and Training 2. Threat Intelligence and Collaboration Threat Intelligence, Monitoring & Analyzing, and Info Sharing 3. Cybersecurity Controls Preventative, Detective, and Corrective controls 4. External Dependency Management External Connections and (Vendor) Relationship Management 5. Cyber Incident Management and Resilience Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting 37
38 What is Cybersecurity Maturity? Determining whether an institution s behaviors, practices, and processes can support cybersecurity preparedness I.E. are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents? 38
39 How does Cybersecurity Maturity work? Measured by 5 Cybersecurity Maturity Levels 1. Baseline 2. Evolving 3. Intermediate 4. Advanced 5. Innovative 39
40 Determining Maturity Level Within each component, declarative statements describe activities supporting the assessment factor at each maturity level All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain s maturity level What this actually means: Identify the controls you have in place, starting with baseline controls and escalating up in order to determine maturity levels 40
41 41
42 Determining Maturity 42
43 Domains and Assessment Factors 43
44 Inherent Risk vs. Maturity All good Risk Management processes help make decisions and set goals How does one determine Inherent Risk versus Cybersecurity Maturity? And more importantly, what is the right Inherent Risk vs. Maturity level? 44
45 Inherent Risk vs. Maturity Guide to determining Inherent Risk vs. Maturity: Step 1: Determine organizational Inherent Risk What was your Inherent Risk after completing the first part of the assessment? Step 2: Determine Cybersecurity Maturity Level for each Domain (there are 5 of them) Use the following Risk vs. Maturity Relationship chart to determine where your organization falls There are a range of goals for each Domain vs. Inherent Risk; do you meet those goals? 45
46 Increasing Maturity 46
47 Meeting goals Now that you ve determined your goals, does that mean you re done? Nope! Are you meeting these goals? Are you the bottom rung? Is that ok? How to you continue to increase your maturity? 47
48 Inherent Risk vs. Maturity No single expected level for an institution An institution s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change. Management should consider reevaluating the institution s inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile. 48
49 Other IMPORTANT takeaways Is this new FFIEC Cybersecurity Assessment Tool (CAT) a replacement for my IT Risk Assessment? Absolutely not! This FFIEC CAT is a self-assessment of cybersecurity preparedness only, not a determination of risks and controls around your confidential customer information The assessment process is not a one-time project or process, but rather an ongoing assessment that the institution will be expected to keep up and utilize on an ongoing basis. 49
50 Who is responsible for the CAT? It is an expectation that C-Level Management and/or Board of Directors install a top-down approach to cybersecurity The President/CEO will be expected to DRIVE this Cybersecurity Assessment process (read: not necessarily complete each question), and the Board of Directors needs to understand what the results of this Cybersecurity Assessment mean from a high-level 50
51 How much does the Board need to know? Board involvement was a major point of the FFIEC Cybersecurity Assessment that were performed in the second half of 2014 and heavily mentioned in the General Observations The Cybersecurity Assessment Tool specifically mentions Board involvement TWENTY-ONE (21) times in the Cybersecurity Maturity section, just in case you didn t think the FFIEC is taking Board involvement seriously. Domain 1 - Cyber Risk Management and Oversight talks about Board involvement on an increasing frequency to go with increasing maturity, particularly in the Oversight component of the Governance factor, mentioning the Board fourteen (14) times alone. So pretty involved, at least with knowing what is going on 51
52 What is the goal of this CAT? 1. Highlight areas of weakness and strength regarding how you are or will be able to handle a cybersecurity attack Also highlight how you can mitigate this risk and implement additional controls 2. Give regulators and examiners an idea of how capable your institution is regarding cybersecurity preparedness Based on size and complexity! Also seriously your institution is taking this new cybersecurity initiative. 52
53 What should I expect from examiners? The FFIEC says this is optional, but I think we know better The FDIC states that participation is voluntary However, the OCC and Federal Reserve have stated that they WILL begin including this in their exam procedures yet in
54 Next steps? 1. Determine Inherent Risk 2. Determine Domain Maturity 3. Identify Goals 4. Identify Gaps 5. Implement additional controls 6. Increase maturity 7. Repeat 54
55 Ties to NIST The FFIEC has mapped all of the processes in the Cybersecurity Assessment tool to the NIST Cybersecurity Framework 55
56 SBS Cyber-RISK tm Tool Goals of the FREE Cyber-RISK tm tool: 1. Automate the Cybersecurity Assessment Tool 2. Save you from creating your own spreadsheet 3. Make your life easier and more efficient 4. Provide you with one-click reports 5. Improve the process by tying the Inherent Risk and Cybersecurity Maturity processes together more intuitively 6. Get you peer comparison data (down the road) 7. Access to your own personal Information Security Expert if you need us! 56
57 Additional Cyber Security Resources SBS Cybersecurity Assessment Blog: Sign up for the FREE Cyber-RISK tool: SBS Institute Certifications: 57
What Directors need to know about Cybersecurity?
What Directors need to know about Cybersecurity? W HAT I S C YBERSECURITY? PRESENTED BY: UTAH BANKERS ASSOCIATION AND JON WALDMAN PARTNER, SENIOR IS CONSULTANT - SBS 1 Contact Information Jon Waldman Partner,
More informationCYBERSECURITY HOT TOPICS
1 CYBERSECURITY HOT TOPICS Secure Banking Solutions 2 Presenter Chad Knutson VP SBS Institute Senior Information Security Consultant Masters in Information Assurance CISSP, CISA, CRISC www.protectmybank.com
More informationEd McMurray, CISA, CISSP, CTGA CoNetrix
Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats
More informationFFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationTop 10 Baseline Cybersecurity Controls Banks Aren't Doing
Top 10 Baseline Cybersecurity Controls Banks Aren't Doing SECURE BANKING SOLUTIONS 1 Contact Information Chad Knutson President, SBS Institute Senior Information Security Consultant Masters in Information
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More informationClick to edit Master title style
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationCybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
More informationCybersecurity Awareness. Part 1
Part 1 Objectives Discuss the Evolution of Data Security Define and Discuss Cybersecurity Review Threat Environment Part 1 Discuss Information Security Programs s Enhancements for Cybersecurity Risks Threat
More informationCyber Security 2014 SECURE BANKING SOLUTIONS, LLC
Cyber Security CHAD KNUTSON SECURE BANKING SOLUTIONS 2014 SECURE BANKING SOLUTIONS, LLC Presenter Chad Knutson Senior Information Security Consultant Masters in Information Assurance CISSP (Certified Information
More informationCybersecurity Audit Why are we still Vulnerable? November 30, 2015
Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com jrobles@coqui.net 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event
More informationCybersecurity Issues for Community Banks
Eastern Massachusetts Compliance Network Cybersecurity Issues for Community Banks Copyright 2014 by K&L Gates LLP. All rights reserved. Sean P. Mahoney sean.mahoney@klgates.com K&L Gates LLP State Street
More informationHow To Write A Cybersecurity Framework
NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order
More informationGet on First Base with your Regulators and Cyber Security
Get on First Base with your Regulators and Cyber Security Secure Banking Solutions Chad Knutson 2 Presenter Chad Knutson VP SBS Institute Senior Information Security Consultant Masters in Information Assurance
More informationCybersecurity Workshop
Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153
More informationCybersecurity Awareness
Awareness Objectives Discuss the Evolution of Data Security Define Review Threat Environment Discuss Information Security Program Enhancements for Cyber Risk Threat Intelligence Third-Party Management
More informationNIST Cybersecurity Framework & A Tale of Two Criticalities
NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented
More informationData Breaches and Cyber Risks
Data Breaches and Cyber Risks Carolinas Credit Union League Leadership Conference Presented by: Ken Otsuka Business Protection Risk Management CUNA Mutual Group CUNA Mutual Group Proprietary Reproduction,
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationCybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015
Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key
More informationEnterprise Risk Management Process Improvement. Secure Banking Solutions, LLC
Enterprise Risk Management Process Improvement 2 Contact Information Contact Information Chad Knutson Senior Information Security Consultant CISSP, CISA, CRISC Phone: 605-480-3366 chad.knutson@protectmybank.com
More informationCybersecurity. Are you prepared?
Cybersecurity Are you prepared? First Cash, then your customer, now YOU! What is Cybersecurity? The body of technologies, processes, practices designed to protect networks, computers, programs, and data
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationThe FDIC s Supervisory Approach to Cyberattack Risks
Why We Did The Evaluation Executive Summary Information is one of a financial institution s (FI) most important assets. Protection of information is critical to establishing and maintaining trust between
More informationCYBER SECURITY. ADVISORY SERVICES Governance Risk & Compliance. Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts
CYBER SECURITY ADVISORY SERVICES Governance Risk & Compliance Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts The Financial Services Industry at Crossroads: Where to From Here? WELCOME What
More informationWhat is Management Responsible For?
What is Management Responsible For? Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf & Company, P.C Regional
More informationWSECU Cyber Security Journey. David Luchtel VP IT Infrastructure & Opera:ons
WSECU Cyber Security Journey David Luchtel VP IT Infrastructure & Opera:ons Objec:ve of Presenta:on Share WSECU s journey Overview of WSECU s Security Program approach Overview of WSECU s self- assessment
More informationTHE EVOLUTION OF CYBERSECURITY
THE EVOLUTION OF CYBERSECURITY Identifying Best Practices June 2, 2015 Cerone F. Cy Sturdivant Managing Consultant Nashville, TN 1 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls when
More informationCybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity
Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness
More informationA Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst
TRACESECURITY WHITE PAPER GRC Simplified... Finally. A Guide to Successfully Implementing the NIST Cybersecurity Framework Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY
More informationTESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY. Before the
For Release Upon Delivery 10:00 a.m., December 10, 2014 TESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY Before the COMMITTEE ON BANKING, HOUSING,
More informationCybercrime and Regulatory Priorities for Cybersecurity
NRS Technology and Communication Compliance Forum Cybercrime and Regulatory Priorities for Cybersecurity Copyright 2014 by K&L Gates LLP. All rights reserved. Sean P. Mahoney sean.mahoney@klgates.com K&L
More informationCYBER SECURITY GUIDANCE
CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationCybersecurity. Regional and Community Banks. Inherent Risks and Preparedness. www.bostonfed.org
Cybersecurity Inherent Risks and Preparedness Regional and Community Banks www.bostonfed.org Disclaimer The opinions expressed in this presentation are intended for informational purposes, and are not
More informationCyber-Security. FAS Annual Conference September 12, 2014
Cyber-Security FAS Annual Conference September 12, 2014 Maysar Al-Samadi Vice President, Professional Standards IIROC Cyber-Security IIROC Rule 17.16 BCP The regulatory landscape Canadian Government policy
More informationCybersecurity Governance Update: New FFIEC Requirements cliftonlarsonallen.com
Cybersecurity Governance Update: New FFIEC Requirements cliftonlarsonallen.com Overview Up To Date Cybersecurity and Fraud Risks Current threat environment Industry examples and case studies FFIEC Cybersecurity
More informationTen Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
More informationSOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper. Safeguarding data through increased awareness
SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper Safeguarding data through increased awareness November 2015 1 Contents Executive Summary 3 Introduction 4 Martime Security 5 Perimeters Breached
More informationChairman Johnson, Ranking Member Carper, and Members of the committee:
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT STATEMENT OF THE HONORABLE KATHERINE ARCHULETA DIRECTOR U.S. OFFICE OF PERSONNEL MANAGEMENT before the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
More informationCyber Risk to Help Shape Industry Trends in 2014
Cyber Risk to Help Shape Industry Trends in 2014 Rigzone Staff 12/18/2013 URL: http://www.rigzone.com/news/oil_gas/a/130621/cyber_risk_to_help_shape_industry_trends_i n_2014 The oil and gas industry s
More informationOCIE Technology Controls Program
OCIE Technology Controls Program Cybersecurity Update Chris Hetner Cybersecurity Lead, OCIE/TCP 212-336-5546 Introduction (Role, Disclaimer, Background and Speech Topics) SEC Cybersecurity Program Overview
More informationNew York State Department of Financial Services. Report on Cyber Security in the Banking Sector
New York State Department of Financial Services Report on Cyber Security in the Banking Sector Governor Andrew M. Cuomo Superintendent Benjamin M. Lawsky May 2014 I. Introduction Cyber attacks against
More information2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP
2015 CEO & Board University Cybersecurity on the Rise Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf
More informationCybersecurity and the Threat to Your Company
Why is BIG Data Important? March 2012 1 Cybersecurity and the Threat to Your Company A Navint Partners White Paper September 2014 www.navint.com Cyber Security and the threat to your company September
More informationData Privacy and Gramm- Leach-Bliley Act Section 501(b)
Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement
More informationData Breaches and Cyber Risks
Data Breaches and Cyber Risks MD/DC Credit Union Association 2015 Volunteer Leadership Conference Presented by: Ken Otsuka Business Protection Risk Management CUNA Mutual Group CUNA Mutual Group Proprietary
More informationCYBERSECURITY EXAMINATION SWEEP SUMMARY
This Risk Alert provides summary observations from OCIE s examinations of registered broker-dealers and investment advisers, conducted under the Cybersecurity Examination Initiative, announced April 15,
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationINFORMATION SECURITY FOR YOUR AGENCY
INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection
More informationCYBERSECURITY: Is Your Business Ready?
CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring
More informationCyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks?
Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks? August 27, 2014 Presented by: Terry Ammons, Partner, Porter Keadle Moore Tim Davis, Senior,
More informationCORE Security and GLBA
CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationNew York State Department of Financial Services. Report on Cyber Security in the Insurance Sector
New York State Department of Financial Services Report on Cyber Security in the Insurance Sector February 2015 Report on Cyber Security in the Insurance Sector I. Introduction Cyber attacks against financial
More informationSeptember 20, 2013 Senior IT Examiner Gene Lilienthal
Cyber Crime September 20, 2013 Senior IT Examiner Gene Lilienthal The following presentation are views and opinions of the speaker and does not necessarily reflect the views of the Federal Reserve Bank
More informationDiane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Submitted via email: cyberframework@nist.gov April 8, 2013 Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Re: Developing a Framework
More informationWRITTEN TESTIMONY OF
WRITTEN TESTIMONY OF KEVIN MANDIA CHIEF EXECUTIVE OFFICER MANDIANT CORPORATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM JUDICIARY COMMITTEE UNITED STATES SENATE May 8, 2013 Introduction Thank you
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More information2010 AICPA Top Technology Initiatives. About the Presenter. Agenda. Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP
2010 AICPA Top Technology Initiatives Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP Georgia Society of CPAs Annual Convention June 16, 2010 About the Presenter Partner-in-Charge, Habif,
More informationCyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s
Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices
More informationWhite Paper on Financial Institution Vendor Management
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
More informationJOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015
JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement
More informationAddressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
More informationTime Is Not On Our Side!
An audit sets the baseline. Restricting The next steps Authenticating help prevent, Tracking detect, and User Access? respond. It is rare for a few days to pass without news of a security breach affecting
More informationPCI Compliance for Healthcare
PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?
More informationDON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS?
HEALTH WEALTH CAREER DON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS? Gregg Sommer, CAIA Head of Operational Risk Assessments St. Louis MERCER 2015 0 CYBERSECURITY BREACHES
More informationInformation Technology
Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level
More informationRemarks by. Thomas J. Curry. Comptroller of the Currency. Before the. Chicago. November 7, 2014
Remarks by Thomas J. Curry Comptroller of the Currency Before the 10 th Annual Community Bankers Symposium Chicago November 7, 2014 Good morning, it s a pleasure to be here today and to have this opportunity
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More information2 0 1 4 F G F O A A N N U A L C O N F E R E N C E
I T G OV E R NANCE 2 0 1 4 F G F O A A N N U A L C O N F E R E N C E RAJ PATEL Plante Moran 248.223.3428 raj.patel@plantemoran.com This presentation will discuss current threats faced by public institutions,
More informationSCAC Annual Conference. Cybersecurity Demystified
SCAC Annual Conference Cybersecurity Demystified Me Thomas Scott SC Deputy Chief Information Security Officer PMP, CISSP, CISA, GSLC, FEMA COOP Practitioner Tscott@admin.sc.gov 803-896-6395 What is Cyber
More informationCybersecurity: A View from the Boardroom
An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief
More informationExecutive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3
GLOBAL ADVANCED THREAT LANDSCAPE SURVEY 2014 TABLE OF CONTENTS Executive Summary 3 Snowden and Retail Breaches Influencing Security Strategies 3 Attackers are on the Inside Protect Your Privileges 3 Third-Party
More informationCyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte
Cyber security Time for a new paradigm Stéphane Hurtaud Partner Information & Technology Risk Deloitte 90 More than ever, cyberspace is a land of opportunity but also a dangerous world. As public and private
More informationCYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015
CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015 TODAY S PRESENTER Viviana Campanaro, CISSP Director, Security and
More informationTHE WHITE HOUSE Office of the Press Secretary
FOR IMMEDIATE RELEASE February 13, 2015 THE WHITE HOUSE Office of the Press Secretary FACT SHEET: White House Summit on Cybersecurity and Consumer Protection As a nation, the United States has become highly
More informationContinuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
More informationFREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
More informationWhere insights lead Cybersecurity and the role of internal audit: An urgent call to action
Where insights lead Cybersecurity and the role of internal audit: An urgent call to action The threat from cyberattacks is significant and continuously evolving. One estimate suggests that cybercrime could
More informationQuestions You Should be Asking NOW to Protect Your Business!
Questions You Should be Asking NOW to Protect Your Business! Angi Farren, AAP Senior Director Jen Wasmund, AAP Compliance Services Specialist 31 st Annual Conference SHAPE YOUR FUTURE April 23, 2013 Regional
More informationExperience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
More informationRemarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014
Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014 It s a pleasure to be with you back home in Boston. I was here just six weeks ago
More informationDON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS?
HEALTH WEALTH CAREER DON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS? FREEMAN WOOD HEAD OF MERCER SENTINEL NORTH AMERICA GREGG SOMMER HEAD OF OPERATIONAL RISK ASSESSMENTS MERCER
More informationCYBER SECURITY INFORMATION SHARING & COLLABORATION
Corporate Information Security CYBER SECURITY INFORMATION SHARING & COLLABORATION David N. Saul Senior Vice President & Chief Scientist 28 June 2013 Discussion Flow The Evolving Threat Environment Drivers
More informationCYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES. second edition
CYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES second edition The information provided in this document is presented as a courtesy to be used for informational purposes only.
More informationwww.pwc.com Cybersecurity and Privacy Hot Topics 2015
www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets
More informationCyber Risk Management with COBIT 5
Cyber Risk Management with COBIT 5 Marco Salvato CISA, CISM, CGEIT, CRISC, COBIT 5 Approved Trainer 1 Agenda Common definition of Cyber Risk and related topics Differences between Cyber Security and IS
More informationNCUA LETTER TO CREDIT UNIONS
NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA DATE: August 2001 LETTER NO.: 01-CU-11 TO: SUBJ: ENCL: Federally Insured Credit Unions Electronic Data
More informationCombatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation
Combatting the Biggest Cyber Threats to the Financial Services Industry A White Paper Presented by: Lockheed Martin Corporation Combatting the Biggest Cyber Threats to the Financial Services Industry Combatting
More informationWho s Regulating Whom & What are the Requirements: Banks As Payment Services Providers
Who s Regulating Whom & What are the Requirements: Banks As Payment Services Providers Tony DaSilva, AAP, CISA S&R Senior Technical Expert Federal Reserve Bank of Atlanta Disclaimer The opinions expressed
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationCybersecurity Awareness
Awareness Objectives Discuss the Evolution of Data Security Define Review Threat Environment Discuss Information Security Program Enhancements for Cyber Risk Threat Intelligence Third-Party Management
More informationSURVEY REPORT SPON. Identifying Critical Gaps in Database Security. Published April 2016. An Osterman Research Survey Report.
SURVEY REPORT Gaps in Database An Osterman Research Survey Report sponsored by Published April 2016 SPON sponsored by Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington 98010-1058 USA Tel:
More informationCybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015
Cybersecurity Best Practices in Mortgage Banking Article by Jim Deitch Cybersecurity Best Practices in Mortgage Banking BY JIM DEITCH Jim Deitch Recent high-profile cyberattacks have clearly demonstrated
More informationAddress C-level Cybersecurity issues to enable and secure Digital transformation
Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,
More information