FFIEC Cybersecurity Assessment Tool

Transcription

1 6/9/2016 Tim Segerson, Deputy Director Office of Examination & Insurance FFIEC Cybersecurity Assessment Tool LSCU Cyber Breakout June 17, 2016 Continuing saga of lost sensitive data Every event enhances criminals ability to cross reference personal information. new government data breach includes sensitive military intelligence personnel data/ Cyber risk management is a volatile and fluid environment LSCU CYBER 2 1

2 New and Troubling Credit unions, community banks and healthcare are under routine attack. Low and moderate level hackers and fraudsters know to look for low hanging fruit Advanced are surveilling and cataloging Supply chain can be tricky, hard to control and full of sand traps. LSCU CYBER 3 Emerging Threats Payment systems attacks can be devastating Key credential compromise System Compromise Malware to hide transactions (delay detection) Malware to erase/hide tracks Some similar characteristics to Sony attack, sophisticated TTPs These are not all big banks and other payment systems may have similar risks LSCU CYBER 4 2

3 Congressional Scrutiny LSCU CYBER 5 Critical Infrastructure Overview US Critical Infrastructure Chemical DHS Defense Industrial Base DOD Commercial Facilities DHS Emergency Services DHS Communications DHS Critical Manufacturing Dams DHS DHS Financial Services Energy DOE Treasury Food & Agriculture DHS&DOA&HHS Government Facilities DHS &GSA Transportation Systems DHS&DOT FBIIC Participation Healthcare & Public Health HHS Water and Wastewater Systems EPA American Council of State Savings Supervisors Federal Reserve Bank of New York Commodity Futures Trading Commission Federal Reserve Board State Liaison Committee National Association of Insurance Commissioners Consumer Financial Protection Bureau National Association of State Credit Union Supervisors Department of the Treasury National Credit Union Administration Farm Credit Administration North American Securities Administrators Association Federal Deposit Insurance Corporation Office of the Comptroller of the Currency Federal Housing Finance Agency Securities and Exchange Commission Federal Reserve Bank of Chicago Securities Investor Protection Corporation Legend FBIIC Chair FFIEC Members Other FBIIC Members Information Technology DHS FBIIC FFIEC TFOS CCIWG Nuclear Reactors, Materials, Waste DHS Ongoing Cyber Security Initiative Cyber Security is a Key Subset of the Critical Infrastructure for most Sectors LSCU CYBER 6 3

4 Cybersecurity Assessment History June 2013: FFIEC CCIWG established June 2014: FFIEC pilots Cybersecurity Assessment exam work program Informed Strategic Vision/Objectives ( Observations Report Issued Target Statements and Guidance 3 rd Party Service Providers June 2015: CCIWG releases financial institution Cybersecurity Assessment Tool LSCU CYBER 7 FFIEC Cybersecurity Assessment Tool Objective To help institutions identify their risks and determine their cybersecurity maturity. The Assessment provides a repeatable and measureable process to inform management of their institution s risks and cybersecurity preparedness. LSCU CYBER 8 4

5 Strong Industry Foundation and Benchmark Comprehensive with a Relevant and Cross Referenced Foundation Public & Industry Guidance and Models U.K. Prudential Regulation Authority 2014 cybersecurity assessment Canada s Office of Superintendent of Financial Institutions 2013 cybersecurity assessment Department of Energy s Cybersecurity Capability Maturity Model Program (C2M2) Capability Maturity Model (CMM) Payment Card Industry Data Security Standard (PCI DSS) Many others including SEC, FINRA, and NY DFI FFIEC IT Handbook and Guidance Cybersecurity Assessment Tool NIST Cybersecurity Framework Common Structure to: Communicate between Board and Management Communicate Throughout Organization Communicate with Service Providers Effective Cyber Risk Management Common Structure to: Identify strengths and weaknesses (gaps) Optimize your cybersecurity Investment Evaluate Existing and New Products, Services and Vendors LSCU CYBER 9 Cyber Risk Management Practice Cyber Risk vs level of investment/ effort Highest Security Program Development Lowest Acceptable Security Enterprise Approach Toward Cyber Risk Management Lowest Risk Optimal Organizational Risk Exposure Higher Investment Possible Inefficiencies Optimal Optimal Highest Risk Under Investment Too Much Risk For Measures taken Beyond Minimum Basic Regulatory Requirements and Agency Guidance RM approach should scale to the credit unions level of risk exposure, appetite, complexity and percieved impact. LSCU CYBER 10 5

6 FFIEC Cybersecurity Assessment Tool Consists of two parts Part One: Inherent Risk Profile Part Two: Cybersecurity Maturity LSCU CYBER 11 FFIEC Cybersecurity Assessment Tool Inherent Risk Profile Categories Technologies and Connection Types Delivery Channels Online/Mobile Products and Technology Services Organizational Characteristics External Threats LSCU CYBER 12 6

7 FFIEC Cybersecurity Assessment Tool Inherent Risk Profile Risk Levels Least Inherent Risk Minimal Inherent Risk Moderate Inherent Risk Significant Inherent Risk Most Inherent Risk Type, volume, and complexity of operations and threats directed at the institution LSCU CYBER 13 FFIEC Cybersecurity Assessment Tool Domain Assessment Factors 1Cyber Risk Management & Oversight Governance Risk Management Resources Training and Culture 2Threat Intelligence & Collaboration Intelligence Sourcing Monitoring and Analyzing Information Sharing 3Cybersecurity Controls Preventative Controls Detective Controls Corrective Controls 4 External Dependency Management Connections Relationships Management 5CyberIncident Management & Resilience Incident Resilience Planning and Strategy Detection, Response and Mitigation Escalation and Reporting LSCU CYBER 14 7

8 FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity Domains Assessment Factors Components Declarative Statements LSCU CYBER 15 Cybersecurity Maturity/Risk Relationship Highest Risk Institutions Innovative Advanced Intermediate Evolving Lowest Risk Institutions Baseline LSCU CYBER 16 8

9 Additive Model Structure Items to review List of threat intelligence resources (e.g. industry groups, consortiums, threat and vulnerability reporting services). Management reports on cyber intelligence. Verify FI has conducted interviews with vendors as needed. BASELINE Threat Info Source(s) Active Monitoring Enhance Risk Management EVOLVING Analyze Tactics, Perform Risk Mitigation INTERMEDIATE Formal Threat Intelligence Program Collection Protocols Read only repository ADVANCED Cyber Intelligence Model Multi source Real Time Threat Intelligence Threat Intel on Geopolitical Events INNOVATIVE Threat Analysis Team Investment in Transformational Threat Intelligence Technology LSCU CYBER 17 FFIEC Cybersecurity Assessment Tool Supporting Materials User s Guide Overview for CEOs and Boards of Directors Appendix A: Mapping Baseline Statements to FFIEC IT Handbook Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework (CSF) Appendix C: Glossary LSCU CYBER 18 9

10 Cyber Risk Management & Oversight Cyber risk management and oversight addresses the board s development and implementation of an effective enterprise wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight. Nine Components, 31 Baseline Statements Strategy/Policy Audit Staffing IT Asset Management Risk Assessment Training Oversight Risk Management Culture LSCU CYBER 19 Threat Intelligence & Collaboration Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties. Three Components, 8 Baseline Statements Threat Intelligence and Information Monitoring and Analyzing Information Sharing LSCU CYBER 20 10

11 Cybersecurity Controls Ten Components, 51 Baseline Statements Preventative Controls Prevent a threat from exploiting an associated weakness. May be physical (door locks, card access) or logical (firewalls, antivirus, website filtering/whitelisting. Detective Controls Identify the presence of a vulnerability or threat. Includes scanning for vulnerabilities, intrusion detection or prevention systems, log monitoring, independent vulnerability assessments or pen tests Corrective Controls Assist with recovering from unwanted occurrences or mitigate the effects of a threat being manifested. Includes patch management and timely resolution of penetration test findings. LSCU CYBER External Dependency Management External dependency management involves establishing and maintaining a comprehensive program to oversee external connections and third party relationships with access to the organization s technology assets and information. Four Components, 16 Baseline Statements Connections Due Diligence Contracts Ongoing Monitoring LSCU CYBER 22 11

12 Cyber Incident Management & Resilience Cyber incident management includes establishing processes to identify and analyze cyber events, prioritize the organization s response to contain or mitigate, and escalate information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident. Five Components, 17 Baseline Statements Planning Detection Testing Escalation & Reporting Response & Mitigation LSCU CYBER 23 Assessment Process 1. Identify Critical Functions & Vendors 8. Report Progress To Board 7. Adjust Program Establish Risk Appetite 2. Complete Inherent Risk Profile 3. Assess Maturity 6. Allocate Resources 5. Develop Plan to Address Gaps 4. Determine Target State LSCU CYBER 24 12

13 Cyber Risk Mitigation Approaches Change risk profile (streamline risk) Increase Cybersecurity Investment (staff, infrastructure, services) Increase Capital (accept the risk) Alternative risk management approaches Transfer Cyber Insurance (insure, what you can t control) You will usually use most or all of these options in a comprehensive risk management process. LSCU CYBER 25 Agency Objectives Build Internal Awareness and Capacity Drive Industry Awareness and Resilience Structured approach toward resilience and industry hardening using expert systems/tools Stimulate an ongoing industry dialogue Improved knowledge and data to make informed supervisory decisions What The Other Guys are up to LSCU CYBER 26 13

14 NCUA Game Plan Phased Implementation Training, training and more training March 2016 Extensive examination support tools Building capacity with experience Review, revise, retrain Implement Exam Approach Third Quarter 2017 LSCU CYBER 27 Big Picture Evolutionary Process Takes Time and Repetition Right size time, procedures, and selection methodology Initial Training March Intro Training April Live Training June December Immersion Training September Exam Guide Tool and process training October 2016 Mar 2017 Practice Reviews (exam reviews without formal findings) Focus Feedback loop(s) Guide/Exam Aid updates March 2017 June 2017 Exam guide update Final Policy Approach Final Launch Training LSCU CYBER 28 14

15 NCUA Support Support: LSCU CYBER 29 THANKS FOR LISTENING! Tim Segerson, Deputy Director Office of Examination and Insurance National Credit Union Administration LSCU CYBER 30 15