Vendor Risk Management Financial Organizations

Transcription

1 Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security

2 Bob Justus Chief Security Officer, Allgress Current As the director of the governance, risk and compliance services practice, our mission is to vigilantly protect our customer s business. Through partnership we achieve compliance and security program goals by administering a proven mix of automation, services and security reference architecture. Chief Information Security Officer 13 Years Responsible for all aspects of the corporate wide Information Security Program, including network wired & wireless, systems, applications, architecture, mobile devices, remote access, data at rest, in transit, in use, security awareness, risk assessment, mitigation, control design, monitoring, disaster recovery, litigation support, third party & vendor risk management and incident response. Established written, monitored and measured security policies based on ISO standards, risk management based on COSO and COBIT and overall program compliance with the Federal Financial Institutions Examination Council (FFIEC), National Institute of Standards & Technology (NIST), PCI, HIPAA, Sarbanes Oxley (SOX 302 & 404) and state privacy mandates. Chief Enterprise Architect 2 Years Established and published standards, assured architectural discipline, approved exceptions and kept projects on time and on budget. Oversaw the establishment of application automated build environment for all java based programs, published open source development policies, and maintained architecture according to The Open Group Architecture Framework (TOGAF). VP Technology Operations 5 Years Supported all enterprise applications on Unix systems including, , DNS, load balancing, web servers, imaging, messaging, , web, transaction processing, customer support, firewalls, IPS/IDS, proxy, remote access, FTP, sftp, Transmissions and SNA Terminal Servers. IS Audit Manager 6 Years Performed and led audit examinations for all business applications, operating systems, support systems and technology operations. Developed key findings and recommendations to manage risk and create operational integrity.

3 Randy Potts Randy has more than 25 years of information security experience. Prior to FishNet Security, Randy served as a Chief Information Security Officer, Cyber Crime Advisory Board, Homeland Security Commission Cyber Terrorism committee, and as a Public Information Officer for State and Federal agencies. Randy has provided both legislative support, established organizational and industrial standards and testified in matters pertaining to security, governance, risk and compliance. Most recently, Randy has been focused on the private sector advising organizations on the establishment and integration of international security governance and privacy regulations for Fortune 100 companies. Randy holds advanced degrees in Business Administration and Technology with specialization in Information Security. In addition, Randy is recognized as an industry leader with numerous security, privacy and disaster preparedness certifications.

4 Comptroller of the Currency Remarks by Thomas J. Curry, Comptroller of the Currency, before a Meeting at Consumer Electronics Show on April 16, Today, the global nature of the Internet means hackers can target bank systems from almost anywhere. That includes countries with regimes that, at a minimum, act as criminal havens by turning a blind eye toward illicit activities, and at their worst, sponsor attacks. As a result, financial institutions today face cyber threats not only from insiders and individuals acting alone, but from global networks of well organized nation states, criminals and so called hacktivists. Managing these vendor relationships is especially important in the realm of IT systems and information security, particularly with respect to smaller banks and thrifts. Third party relationships have been a significant area of concern for years, and not just in the area of cybersecurity. We ve unfortunately found it necessary to take serious enforcement actions against some of our large institutions for problems brought on by poorly managed third party relationships, from debt collection companies to telemarketers. I m not trying to discourage the use of third party vendors. They provide important services to both large and small banks, and community banks in particular often use outside contractors to leverage expertise and resources that they can t support internally. But we do expect the banks and thrifts we supervise to recognize that third party relationships also pose significant risks, and any institution that supplements its own resources with outside providers needs to have risk management practices in place that are commensurate with that risk.

5 FFIEC April 10 Financial Regulators Expect Firms to Address OpenSSL Heartbleed Vulnerability The Federal Financial Institutions Examination Council (FFIEC) members expect financial institutions to incorporate patches on systems and services, applications and appliances using OpenSSL and upgrade systems as soon as possible to address vulnerability. Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action. Q1: How do you know which 3 rd Party Service to contact? Q2: How do make sure they are aware? Q3: How do you document appropriate action?

6 Enforcement Action MRA FundTech December 2013 VENDOR MANAGEMENT PROGRAM 5. (a) Within 30 days designate a Vendor Management Coordinator with an appropriate level of due diligence and vendor risk modeling experience shall be vested with sufficient executive authority to fulfill the duties shall report directly to the Board. (b) Within 45 days shall develop, adopt and implement a written vendor management program that meets the requirements and guidance of the FFIEC's IT Examination Handbook, Outsourcing Technology Services Booklet and provides a comprehensive inventory, assessment and ongoing evaluation of all key services providers. LETTER TO CLIENT BANKS - At the same time shall send a letter ( Letter ) to the TSP s client banks accurately detailing the actions the TSP has taken during the quarter to secure compliance with this ORDER. SHAREHOLDER DISCLOSURE - Within 30 days shall furnish a description of this ORDER which shall fully describe the ORDER in all material respects. Must include: Inventory Due Diligence Selecting Vendor Risk Assessment Model Risk Based Policies to control outsourcing actions Contract Negotiations Implementation SLA Procedures Monitoring that identifies and evaluates changes in Risk

7 Updated Guidance OCC Fed Reserve Dec. 5, 2013 Guidance A bank should: Adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships. Ensure comprehensive risk management and oversight of third-party relationships involving critical activities. Effective risk management process throughout the life cycle of the relationship includes: Plans that outline the bank s strategy, identify the inherent risks of the activity and detail how the bank selects, assesses and oversees the third party. Proper due diligence in selecting a third party. Written contracts that outline the rights and responsibilities of all parties. Ongoing monitoring of the third party s activities and performance. Contingency plans for terminating the relationship in an effective manner. Clear roles and responsibilities for overseeing and managing the relationship and risk management process. Documentation and reporting that facilitates oversight, accountability, monitoring and risk management. Independent reviews that allow bank management to determine the bank s process aligns with its strategy and effectively manages risks. I. Purpose II. Risks from the Use of Service Providers III. Board of Directors and Senior Management Responsibilities IV. Service Provider Risk Management Programs A. Risk Assessments B. Due Diligence and Selection of Service Providers 1. Business Background, Reputation and Strategy 2. Financial Performance and Condition 3. Operations and Internal Controls C. Contract Provisions and Considerations D. Incentive Compensation Review E. Oversight and Monitoring of Service Providers F. Business Continuity and Contingency Considerations G. Additional Risk Considerations

8 Vendor Risk Management Streamlined processes Centralized repository Assess controls Identify and track remediation tasks through automated workflow. Multiple dashboards and metrics to better illustrate overall compliance posture. Mapping displays correspondence between standards and controls. Gap Analysis compares organization s actual performance with potential performance. Task Timeline depicts overall completion status of projects.

9 Modular Solution Vulnerability Analysis Security & Compliance Assessment Risk Analysis Incident Management Policy & Procedures Vendor Management Hosted SaaS or On-Premise

10 Why the Need? What are the top three barriers to achieving an organization s GRC-related goals? Lack of resources Lack of cooperation and collaboration Complexity of existing technologies Lack of clear leadership Organizational change Inability to set priorities Lack of C-level support Difficulty in hiring skilled personnel Inability to get started (inertia) Inadequacy of existing technologies Complexity of the program Lack of organizational maturity 4% 3% 3% 2% 20% 19% 19% 15% 11% 31% 44% 52% Source: Ponemon Research % 10% 20% 30% 40% 50% 60%

11 GRC Product Innovations What We Offer: Allgress Professional Services for Tool & GRC Process Implementation: Multi week evaluation of GRC Use Cases Evaluate GRC business process maturity such as vendor risk program Recommend / Design / Implement Allgress solution and mature client business processes Develop Use Cases to determine business process matches for automation and to mature other related GRC processes Identify and Establish Program Priorities and Values Assessment Development / Dashboard Refinement Provide a prioritized and detailed Roadmap to mature and/or expand GRC tool usage

12 What Processes are Important 7 Value vs. Priority Map GRC Solutions Reports & Dashboards Communication Workflows Performance Measurement Awareness Training 6 Change Control 7 Identity & Access Control Priority (Low to High) Staffing Methodology Technology 8 9 Data Integration SaaS / Cloud

13 Develop Processes and Workflow Vendor Risk Management Solution W W W W Planning & Analysis/Design Development Vm Testing & Implementation Loss Events Metrics Quarterly Risk Review Risk Register Engagements Remediation Plans Risk Assessments Question Library Vendor Profile Facilities Exception Requests Findings Vendor Risk Assessments Contacts Contracts Vendor Risk Management

14 Summary Together FishNet Security and Allgress enable enterprise risk, security and compliance professionals the ability to efficiently manage their risk posture. Reduces the complexity and cost of vendor risk management. Provides advanced visualization, automation, streamlined workflows and the integration of existing data feeds.

15 Bob Justus CSO Allgress Randy Potts Managing Director FishNet Security For more information: Randy Pringle Solutions Marketing FishNet Security