A Crisis Response, Information Sharing View of FFIEC Appendix J?

Transcription

1 A Crisis Response, Information Sharing View of FFIEC Appendix J? Susan Rogers (MBCP, MBCI) Financial Services Information Sharing and Analysis Center FS-ISAC, Business Resiliency Director

2 A Crisis Response, Information Sharing View of FFIEC Appendix J BC Manager Action Items 1. Correlate Appendix J Objectives to Crisis Response 2. Connect to your Industry s ISAC 3. Engage in Sector and Cross-Sector Exercises 2

3 Action Items for BC Managers 1. Correlate Appendix J Objectives to Crisis Response Testing Prioritize Critical Third Party Risk Testing Due Diligence and Contract Review Testing Capacity and Cyber Resilience 2. Connect to your Industry s ISAC 3. Engage in Sector and Cross-Sector Exercises 3

4 Background on FFIEC BC Handbook, Appendix J On February 6, 2015, the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance for examiners, financial institutions, and technology service providers (TSPs) to explain the components of an effective third-party management program that can identify, measure, monitor, and control the risks associated with outsourcing. The guidance, which is included in the FFIEC Information Technology Examination Handbook, is an update to the "Business Continuity Planning Booklet," issued in March A financial institution should be able to demonstrate the ability to recover critical IT systems and resume normal business operations regardless of whether the process is supported in-house or at a TSP for all types of adverse events. 4

5 Appendix J - Testing Key Element The testing program should be based on a financial institution s established risk prioritization and evaluation of the criticality of the functions involved. Testing with third parties should disclose the adequacy of both organizations ability to recover, restore, resume, and maintain operations after disruptions, consistent with business and contractual requirements. Any test results that impact the financial institution are to be provided to the board. A financial institution should ensure that it understands its TSP's testing process to ensure that the testing is adequate to meet its continuity expectations. Testing 3 rd Party Mgmt 3 rd Party Capacity Prioritize Critical Third Party Risk Cyber Resilience 5 Regional Business Continuity Conference

6 6 Appendix J - Testing Key Element Testing frequency should be driven by the financial institution s risk assessment, risk rating, and any significant changes to the operating environment. To the extent that a test is unsuccessful, any issues identified should be tracked and resolved in a timely manner, according to the severity of the issues. The scope of BCP testing with third parties should be commensurate with the level and criticality of services provided and, in some cases, requires an end-to-end exercise. Finally, the right to perform or participate in BCP testing with third parties should be described within the contract governing the third-party relationship. Regional Business Continuity Conference Testing 3 rd Party Mgmt 3 rd Party Capacity Prioritize Critical Third Party Risk Cyber Resilience

7 Appendix J 3 rd Party Management Due Diligence An institution should review the TSP s BCP program and its alignment with the financial institution s own program, including an evaluation of the TSP s BCP testing strategy and results to ensure they meet the financial institution s requirements and promote resilience. Contracts Right to audit BCP Testing Data Governance Security Issues Testing 3 rd Party Mgmt 3 rd Party Capacity Testing Due Diligence and Contract Review Cyber Resilience 7

8 Appendix J 3 rd Party Capacity Testing Complexity & Strategic Considerations 8 Third Party Capacity & Alternatives The significant size & client concentration of larger TSPs increases the potential impact of service disruptions across major segments of the financial industry. TSP s should assess the impact on their customers and take the necessary steps to minimize the impact of the event. Cyber Resilience Malware Insider Threats Data or System Destruction/Corruption Communication Infrastructure Disruption Regional Business Continuity Conference Testing 3 rd Party Mgmt 3 rd Party Capacity Cyber Resilience

9 Action Items for BC Managers 1. Correlate Appendix J Objectives to Crisis Response Testing 2. Connect to your Industry s ISAC Connect to Your Industry ISAC (Point of Contact) Register on Threat & Alert Systems Join Working Groups 3. Engage in Sector and Cross-Sector Exercises 9

10 Connect to Your Industry ISAC (Point of Contact) FS-ISAC Mission The FS-ISAC: Financial Services Like a Information Neighborhood Sharing and Watch Analysis Center (FS-ISAC) is a non-profit corporation that was established in 1999 and is funded by its member firms. The FS-ISAC is a member-driven organization whose mission is to help assure the resilience and continuity of the global financial services infrastructure. FS-ISAC helps members defend against acts that could significantly impact the sector s ability to provide services critical to the orderly function of the global economy. The FS-ISAC is not a service provider, it s a community Like neighborhood watch for cyber and physical hazards. A Longtime Member 10

11 Sharing Across Critical Infrastructure Sectors Connect to Your Industry ISAC (Point of Contact) Members Worldwide And growing weekly International Members 50% Are top tier international FIs Countries Represented 38 On the ground staff in 7 11

12 PRIVATE SOURCES CROSS SECTOR SOURCES GOVERNMENT SOURCES FS-ISAC Intelligence Flow Register on Threat & Alert Systems Information Sources CERTs FS Regulators FS-ISAC 24x7 Security Operations Center Member Communications Information Security Law Enforcement Other Intel Agencies isight Partners Info Sec Physical Security Business Continuity/ Disaster Response 12 Secunia Vulnerabilities Wapack Labs Malware Forensics NC4 Phy Sec Incidents MSA Phy Sec Analysis Cross Sector (other ISACS) Open Sources (Hundreds) Alerts Member Submissions Fraud Investigation s Payments/ Risk

13 Understanding FS-ISAC s and Alerts Register on Threat & Alert Systems Alert Types Step 1: Understand the Alert Type ANC: Announcements CYT: Cyber Threat CYI: Cyber Incidents COI: Collective Intelligence CYV: Cyber Vulnerability PHT: Physical Threats PHI: Physical Incidents Depending on your role, you don t have to follow every update, but FS-ISAC recommends following these key reports. Doing so will limit s to about 10/day Step 2: Understand the Criticality and Priority ANC = Priority 1-10, 8-10 is high priority CYV = Risk 1-10, 8-9 is Urgent, 10 is Crisis CYT = Risk 1-10, 8-9 is Urgent, 10 is Crisis COI No Criticality Metric PHT = Risk is Urgent, 10 is Crisis Step 3: Make Choices Based on Role Analysts and those involved in risk assessment or vulnerability/patch management should receive CYV alerts. Intelligence analysts may also want to participate on the Cyber Intel listserv. POCs are automatically added, but a portal account is not necessary if you wish to add additional analysts to the distribution Provide portal accounts to your staff based on each individual s role. This will allow them to employ portal filtering for their unique assignments We provide summary reports for mangers and technical reports for analysts. Making informed choices based on your role eliminates unneeded s 13

14 Types of Information Shared Register on Threat & Alert Systems Cyber Threats, Incidents, Vulnerabilities Physical Threats, Incidents Malicious Sites Threat Actors, Objectives Threat Indicators Tactics, Techniques, Procedures Courses of Action Exploit Targets Denial of Service Attacks Malicious s: Phishing/Spearphishing Software Vulnerabilities Malicious Software Analysis and risk mitigation Incident response Terrorism Active Shooter Hurricanes Earthquakes Other meteorological events Geopolitical impacts Pandemic Type, location, severity Impact analysis and risk mitigation Business resilience preparation and incident response 14

15 Circles of Trust Join Working Groups IRC Asset Mgr. CHEF PRC CYBER INTEL FS- ISAC PPISC TIC BRC CIC Broker Dealer CAC Clearing House and Exchange Forum (CHEF) Payments Risk Council (PRC) Payments Processor Information Sharing Council (PPISC) Business Resilience Committee (BRC) Threat Intelligence Committee (TIC) Community Institution Council (CIC) Insurance Risk Council (IRC) Compliance and Audit Council (CAC) Cyber Intelligence Listserv Asset Manager Council Broker-Dealer Council Member Reports Incident to Cyber Intel list, or via anonymous submission through portal Members respond in real time with initial analysis and recommendations SOC completes analysis, anonymizes the source, and generates alert to general membership 15

16 FS Crisis Information Sharing Notional Model Join Working Groups Central resource for trusted crisis information sharing Facilitate private & government crisis support for financial sector SIFMA Market Response Committee Financial Services Firms Domestic & International FS-ISAC member and non-member organizations have direct lines of communication with trade groups government organizations and their regulators FSSCC SIFMA ABA The Clearing House FS Roundtable BITS FS-ISAC Coordinate Financial Sector Information Sharing & Crisis Communication International Partners CERTS, Finance Ministries, Law Enforcement... Independent Regulatory Agencies: OCC, FDIC, SEC... Federal Executive Branch Agencies White House U.S.Treasury Law Enforcement (FBI, USSS...) DHS Exercise to develop trusted peer relationships for crisis preparedness ChicagoFIRST North Carolina Financial Recovery Coalition RPCfirst New York/NJFIRST Southern California (SoCalFIRST) Bay Area (BARCfirst) Montgomery CountyFIRST (PA) 22 Regional Coalitions Develop Relationships with State, Local EMS on behalf of Coalition Members State OEM City/Local OEM Emergency Services National Council of ISACS Multi-State ISACs International ISACS Emerging Info Sharing Entities FBIIC Partnership for Critical Infrastructure Security (PCIS) State, Local, Tribal & Territorial Government Coordinating Council (SLTTGCC) NICC NCCIC Cyber UCG Infrastructure Protection Federal Senior Leadership Council 16

17 Action Items for BC Managers 1. Correlate Appendix J Objectives to Crisis Response Testing 2. Connect to your Industry s ISAC 3. Engage in Sector and Cross-Sector Exercises Identify Sector and Multi-Sector Exercises Include critical 3 rd party SME s and critical Business Leaders Identify critical decisions and gaps in decision leadership 17

18 Engage in Sector and Cross-Sector Exercises Identify Sector and Multi-Sector Exercises Include critical 3 rd party SME s and critical Business Leaders Identify critical decisions and gaps in decision leadership Examples: SIFMA Quantum Dawn I, II, III FSSCC Hamilton Series FS-ISAC CAPP Annual Exercise ACTION: Identify other exercises? 18

19 Engage in Sector and Cross-Sector Exercises Identify Sector and Multi-Sector Exercises Include critical 3 rd party SME s and critical Business Leaders Identify critical decisions and gaps in decision leadership Exercise Planning Include BIA results Demonstrate expanded planning Build into 3 rd Party contracts Engage business decision makers ACTION: Identify challenges? 19

20 Engage in Sector and Cross-Sector Exercises Identify Sector and Multi-Sector Exercises Include critical 3 rd party SME s and critical Business Leaders Identify critical decisions and gaps in decision leadership 20

21 Conclusions: Action Items for BC Managers 1. Connect to your Industry s ISAC Connect to Your Industry ISAC (Point of Contact) Register on Threat & Alert Systems Join Working Groups 2. Correlate Appendix J Objectives to Crisis Response Testing Prioritize Critical Third Party Risk Testing Due Diligence and Contract Review Testing Capacity and Cyber Resilience 3. Engage in Sector and Cross-Sector Exercises 21 Identify Sector and Multi-Sector Exercises Include critical 3 rd party SME s and critical Business Leaders Identify critical decisions and gaps in decision leadership

22 Questions / Discussion Resources 1. FFIEC BC Booklet 2. Federal Reserve SR 15-3, February 6, 2015, 3. FDIC Publication 4. DHS National Infrastructure Protection Plan (NIPP) 5. DHS Critical Infrastructure Sector Partnerships 22 Regional Business Continuity Conference

23 Contact Information Susan Rogers (MBCP, MBCI) Financial Services Information Sharing and Analysis Center FS-ISAC, Business Resiliency Director Regional Business Continuity Conference