Cyber Risk Management Guidance for FHFA Regulated Entities

Transcription

1 Cyber Risk Management Guidance for FHFA Regulated Entities Anne E. Paulin, Examination Manager Federal Housing Finance Agency ISACA NCAC Conference November 18, 2014 Arlington VA

2 About FHFA On July 30, 2008, the Housing and Economic Recovery Act of 2008 (HERA) was enacted, creating FHFA with the combined responsibilities of the Office of Federal Housing Enterprise Oversight (OFHEO), the Federal Housing Finance Board (FHFB) and the HUD GSE mission team. HERA also provided FHFA with additional authority to regulate Fannie Mae, Freddie Mac and the 12 Federal Home Loan Banks. 2

3 Advisory Bulletin AB Purpose: Considerations and expectations for cyber risk management at the regulated entities (Fannie Mae, Freddie Mac, 12 Federal Home Loan Banks) and the Office of Finance Describes characteristics of a cyber risk management program to enable these entities to successfully perform their responsibilities and protect their environments Aligns with similar guidance from peer financial and other regulators, but is not meant to duplicate or supplant industry standards Principles-based, technology-neutral 3

4 Principles Proportionality Risk Management Risk Assessments Monitoring and Response System, Patch, and Vulnerability Management Third-party Management Privacy and Data Protection 4

5 Considerations and Expectations, 1 of 4 Proportionality Cyber risk management program should be commensurate with institution s cyber risk and prevailing technology, industry, and government standards cyber risk management program developed out of a risk assessment process prioritization of cyber risk management efforts in line with institution s objectives consider ISO 27000, NIST Cyber Security Framework, CObIT, etc. Risk Management Governance and risk management leverage existing practices Board-approved cyber risk management policy, governance structure, and reporting documented risk tolerance levels and escalation procedures program implemented by management within business operations program should consider insider threats 5

6 Considerations and Expectations, 2 of 4 Risk Assessments Identify, understand, and prioritize cyber risks risk assessment specific to cyber security or within information security revisit risk assessment as needed and after material changes to risk profile cyber risk management program and proportionality stem from risk assessment Monitoring and Response Monitor and respond to identified cyber risks sustainable and repeatable processes monitoring and response commensurate with risk tolerance and proportionality periodic tests of incident response plans 6

7 Considerations and Expectations, 3 of 4 System, Patch, and Vulnerability Management Regular assessment and timely repair of vulnerabilities sustainable and repeatable processes mitigating processes and controls for unsupported legacy systems Third-party Management Identify, monitor, and prioritize cyber risks arising from third parties that have access to institution assets or upon which the institution materially relies consider third parties in risk assessments and patch management consider third parties in business continuity planning review SSAE-16 reports 7

8 Considerations and Expectations, 4 of 4 Privacy and Data Protection Protect sensitive, confidential, or personally identifiable information risk management program that identifies where such information resides; how it is used, transmitted, and managed; and how it is protected in transport and in storage cyber risk assessments consider threats to such information 8

9 Conclusions Risk-based approach to cyber security management Policies, procedures, and/or technology solutions should be tailored to address the risks faced by each institution Does not prescribe specific technology solutions All seven inter-related principles should be addressed Cyber-Risk-Management-Guidance.aspx 9