FFIEC Cybersecurity Assessment Tool
|
|
- Quentin Austin
- 7 years ago
- Views:
Transcription
1 6/9/2016 Tim Segerson, Deputy Director Office of Examination & Insurance FFIEC Cybersecurity Assessment Tool LSCU Cyber Breakout June 17, 2016 Continuing saga of lost sensitive data Every event enhances criminals ability to cross reference personal information. new government data breach includes sensitive military intelligence personnel data/ Cyber risk management is a volatile and fluid environment LSCU CYBER 2 1
2 New and Troubling Credit unions, community banks and healthcare are under routine attack. Low and moderate level hackers and fraudsters know to look for low hanging fruit Advanced are surveilling and cataloging Supply chain can be tricky, hard to control and full of sand traps. LSCU CYBER 3 Emerging Threats Payment systems attacks can be devastating Key credential compromise System Compromise Malware to hide transactions (delay detection) Malware to erase/hide tracks Some similar characteristics to Sony attack, sophisticated TTPs These are not all big banks and other payment systems may have similar risks LSCU CYBER 4 2
3 Congressional Scrutiny LSCU CYBER 5 Critical Infrastructure Overview US Critical Infrastructure Chemical DHS Defense Industrial Base DOD Commercial Facilities DHS Emergency Services DHS Communications DHS Critical Manufacturing Dams DHS DHS Financial Services Energy DOE Treasury Food & Agriculture DHS&DOA&HHS Government Facilities DHS &GSA Transportation Systems DHS&DOT FBIIC Participation Healthcare & Public Health HHS Water and Wastewater Systems EPA American Council of State Savings Supervisors Federal Reserve Bank of New York Commodity Futures Trading Commission Federal Reserve Board State Liaison Committee National Association of Insurance Commissioners Consumer Financial Protection Bureau National Association of State Credit Union Supervisors Department of the Treasury National Credit Union Administration Farm Credit Administration North American Securities Administrators Association Federal Deposit Insurance Corporation Office of the Comptroller of the Currency Federal Housing Finance Agency Securities and Exchange Commission Federal Reserve Bank of Chicago Securities Investor Protection Corporation Legend FBIIC Chair FFIEC Members Other FBIIC Members Information Technology DHS FBIIC FFIEC TFOS CCIWG Nuclear Reactors, Materials, Waste DHS Ongoing Cyber Security Initiative Cyber Security is a Key Subset of the Critical Infrastructure for most Sectors LSCU CYBER 6 3
4 Cybersecurity Assessment History June 2013: FFIEC CCIWG established June 2014: FFIEC pilots Cybersecurity Assessment exam work program Informed Strategic Vision/Objectives ( Observations Report Issued Target Statements and Guidance 3 rd Party Service Providers June 2015: CCIWG releases financial institution Cybersecurity Assessment Tool LSCU CYBER 7 FFIEC Cybersecurity Assessment Tool Objective To help institutions identify their risks and determine their cybersecurity maturity. The Assessment provides a repeatable and measureable process to inform management of their institution s risks and cybersecurity preparedness. LSCU CYBER 8 4
5 Strong Industry Foundation and Benchmark Comprehensive with a Relevant and Cross Referenced Foundation Public & Industry Guidance and Models U.K. Prudential Regulation Authority 2014 cybersecurity assessment Canada s Office of Superintendent of Financial Institutions 2013 cybersecurity assessment Department of Energy s Cybersecurity Capability Maturity Model Program (C2M2) Capability Maturity Model (CMM) Payment Card Industry Data Security Standard (PCI DSS) Many others including SEC, FINRA, and NY DFI FFIEC IT Handbook and Guidance Cybersecurity Assessment Tool NIST Cybersecurity Framework Common Structure to: Communicate between Board and Management Communicate Throughout Organization Communicate with Service Providers Effective Cyber Risk Management Common Structure to: Identify strengths and weaknesses (gaps) Optimize your cybersecurity Investment Evaluate Existing and New Products, Services and Vendors LSCU CYBER 9 Cyber Risk Management Practice Cyber Risk vs level of investment/ effort Highest Security Program Development Lowest Acceptable Security Enterprise Approach Toward Cyber Risk Management Lowest Risk Optimal Organizational Risk Exposure Higher Investment Possible Inefficiencies Optimal Optimal Highest Risk Under Investment Too Much Risk For Measures taken Beyond Minimum Basic Regulatory Requirements and Agency Guidance RM approach should scale to the credit unions level of risk exposure, appetite, complexity and percieved impact. LSCU CYBER 10 5
6 FFIEC Cybersecurity Assessment Tool Consists of two parts Part One: Inherent Risk Profile Part Two: Cybersecurity Maturity LSCU CYBER 11 FFIEC Cybersecurity Assessment Tool Inherent Risk Profile Categories Technologies and Connection Types Delivery Channels Online/Mobile Products and Technology Services Organizational Characteristics External Threats LSCU CYBER 12 6
7 FFIEC Cybersecurity Assessment Tool Inherent Risk Profile Risk Levels Least Inherent Risk Minimal Inherent Risk Moderate Inherent Risk Significant Inherent Risk Most Inherent Risk Type, volume, and complexity of operations and threats directed at the institution LSCU CYBER 13 FFIEC Cybersecurity Assessment Tool Domain Assessment Factors 1Cyber Risk Management & Oversight Governance Risk Management Resources Training and Culture 2Threat Intelligence & Collaboration Intelligence Sourcing Monitoring and Analyzing Information Sharing 3Cybersecurity Controls Preventative Controls Detective Controls Corrective Controls 4 External Dependency Management Connections Relationships Management 5CyberIncident Management & Resilience Incident Resilience Planning and Strategy Detection, Response and Mitigation Escalation and Reporting LSCU CYBER 14 7
8 FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity Domains Assessment Factors Components Declarative Statements LSCU CYBER 15 Cybersecurity Maturity/Risk Relationship Highest Risk Institutions Innovative Advanced Intermediate Evolving Lowest Risk Institutions Baseline LSCU CYBER 16 8
9 Additive Model Structure Items to review List of threat intelligence resources (e.g. industry groups, consortiums, threat and vulnerability reporting services). Management reports on cyber intelligence. Verify FI has conducted interviews with vendors as needed. BASELINE Threat Info Source(s) Active Monitoring Enhance Risk Management EVOLVING Analyze Tactics, Perform Risk Mitigation INTERMEDIATE Formal Threat Intelligence Program Collection Protocols Read only repository ADVANCED Cyber Intelligence Model Multi source Real Time Threat Intelligence Threat Intel on Geopolitical Events INNOVATIVE Threat Analysis Team Investment in Transformational Threat Intelligence Technology LSCU CYBER 17 FFIEC Cybersecurity Assessment Tool Supporting Materials User s Guide Overview for CEOs and Boards of Directors Appendix A: Mapping Baseline Statements to FFIEC IT Handbook Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework (CSF) Appendix C: Glossary LSCU CYBER 18 9
10 Cyber Risk Management & Oversight Cyber risk management and oversight addresses the board s development and implementation of an effective enterprise wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight. Nine Components, 31 Baseline Statements Strategy/Policy Audit Staffing IT Asset Management Risk Assessment Training Oversight Risk Management Culture LSCU CYBER 19 Threat Intelligence & Collaboration Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties. Three Components, 8 Baseline Statements Threat Intelligence and Information Monitoring and Analyzing Information Sharing LSCU CYBER 20 10
11 Cybersecurity Controls Ten Components, 51 Baseline Statements Preventative Controls Prevent a threat from exploiting an associated weakness. May be physical (door locks, card access) or logical (firewalls, antivirus, website filtering/whitelisting. Detective Controls Identify the presence of a vulnerability or threat. Includes scanning for vulnerabilities, intrusion detection or prevention systems, log monitoring, independent vulnerability assessments or pen tests Corrective Controls Assist with recovering from unwanted occurrences or mitigate the effects of a threat being manifested. Includes patch management and timely resolution of penetration test findings. LSCU CYBER External Dependency Management External dependency management involves establishing and maintaining a comprehensive program to oversee external connections and third party relationships with access to the organization s technology assets and information. Four Components, 16 Baseline Statements Connections Due Diligence Contracts Ongoing Monitoring LSCU CYBER 22 11
12 Cyber Incident Management & Resilience Cyber incident management includes establishing processes to identify and analyze cyber events, prioritize the organization s response to contain or mitigate, and escalate information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident. Five Components, 17 Baseline Statements Planning Detection Testing Escalation & Reporting Response & Mitigation LSCU CYBER 23 Assessment Process 1. Identify Critical Functions & Vendors 8. Report Progress To Board 7. Adjust Program Establish Risk Appetite 2. Complete Inherent Risk Profile 3. Assess Maturity 6. Allocate Resources 5. Develop Plan to Address Gaps 4. Determine Target State LSCU CYBER 24 12
13 Cyber Risk Mitigation Approaches Change risk profile (streamline risk) Increase Cybersecurity Investment (staff, infrastructure, services) Increase Capital (accept the risk) Alternative risk management approaches Transfer Cyber Insurance (insure, what you can t control) You will usually use most or all of these options in a comprehensive risk management process. LSCU CYBER 25 Agency Objectives Build Internal Awareness and Capacity Drive Industry Awareness and Resilience Structured approach toward resilience and industry hardening using expert systems/tools Stimulate an ongoing industry dialogue Improved knowledge and data to make informed supervisory decisions What The Other Guys are up to LSCU CYBER 26 13
14 NCUA Game Plan Phased Implementation Training, training and more training March 2016 Extensive examination support tools Building capacity with experience Review, revise, retrain Implement Exam Approach Third Quarter 2017 LSCU CYBER 27 Big Picture Evolutionary Process Takes Time and Repetition Right size time, procedures, and selection methodology Initial Training March Intro Training April Live Training June December Immersion Training September Exam Guide Tool and process training October 2016 Mar 2017 Practice Reviews (exam reviews without formal findings) Focus Feedback loop(s) Guide/Exam Aid updates March 2017 June 2017 Exam guide update Final Policy Approach Final Launch Training LSCU CYBER 28 14
15 NCUA Support Support: LSCU CYBER 29 THANKS FOR LISTENING! Tim Segerson, Deputy Director Office of Examination and Insurance National Credit Union Administration LSCU CYBER 30 15
FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More informationEd McMurray, CISA, CISSP, CTGA CoNetrix
Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats
More informationAnthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members:
Andrew M. Cuomo Governor Anthony J. Albanese Acting Superintendent FROM: TO: Anthony J. Albanese, Acting Superintendent of Financial Services Financial and Banking Information Infrastructure Committee
More informationPACB One-Day Cybersecurity Workshop
PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance
More informationCybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
More informationWSECU Cyber Security Journey. David Luchtel VP IT Infrastructure & Opera:ons
WSECU Cyber Security Journey David Luchtel VP IT Infrastructure & Opera:ons Objec:ve of Presenta:on Share WSECU s journey Overview of WSECU s Security Program approach Overview of WSECU s self- assessment
More informationWhat Directors need to know about Cybersecurity?
What Directors need to know about Cybersecurity? W HAT I S C YBERSECURITY? PRESENTED BY: UTAH BANKERS ASSOCIATION AND JON WALDMAN PARTNER, SENIOR IS CONSULTANT - SBS 1 Contact Information Jon Waldman Partner,
More informationClick to edit Master title style
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
More informationTESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY. Before the
For Release Upon Delivery 10:00 a.m., December 10, 2014 TESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY Before the COMMITTEE ON BANKING, HOUSING,
More informationCyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks?
Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks? August 27, 2014 Presented by: Terry Ammons, Partner, Porter Keadle Moore Tim Davis, Senior,
More informationIT AUDIT WHO WE ARE. Current Trends and Top Risks of 2015 10/9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski
IT AUDIT Current Trends and Top Risks of 2015 2 02 Eric Vyverberg WHO WE ARE David Kupinski Randy Armknecht Associate Director Internal Audit Protiviti 317.510.4661 eric.vyverberg@protiviti.com Managing
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More information2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP
2015 CEO & Board University Cybersecurity on the Rise Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationTop 10 Baseline Cybersecurity Controls Banks Aren't Doing
Top 10 Baseline Cybersecurity Controls Banks Aren't Doing SECURE BANKING SOLUTIONS 1 Contact Information Chad Knutson President, SBS Institute Senior Information Security Consultant Masters in Information
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More informationDepartment of Management Services. Request for Information
Department of Management Services Request for Information Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 Submitted By: Carlos Henley
More informationCONCEPTS IN CYBER SECURITY
CONCEPTS IN CYBER SECURITY GARY KNEELAND, CISSP SENIOR CONSULTANT CRITICAL INFRASTRUCTURE & SECURITY PRACTICE 1 OBJECTIVES FRAMEWORK FOR CYBERSECURITY CYBERSECURITY FUNCTIONS CYBERSECURITY CONTROLS COMPARATIVE
More informationThe NIST Cybersecurity Framework
View the online version at http://us.practicallaw.com/5-599-6825 The NIST Cybersecurity Framework RICHARD RAYSMAN, HOLLAND & KNIGHT LLP AND JOHN ROGERS, BOOZ ALLEN HAMILTON A Practice Note discussing the
More informationTen Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
More informationGEARS Cyber-Security Services
Florida Department of Management Services Division of State Purchasing Table of Contents Introduction... 1 About GEARS... 2 1. Pre-Incident Services... 3 1.1 Incident Response Agreements... 3 1.2 Assessments
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationCybersecurity. Regional and Community Banks. Inherent Risks and Preparedness. www.bostonfed.org
Cybersecurity Inherent Risks and Preparedness Regional and Community Banks www.bostonfed.org Disclaimer The opinions expressed in this presentation are intended for informational purposes, and are not
More informationWhy you should adopt the NIST Cybersecurity Framework
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
More informationHow To Write A Cybersecurity Framework
NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order
More informationInto the cybersecurity breach
Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing
More informationPCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com
PCI DSS Overview and Solutions Anwar McEntee Anwar_McEntee@rapid7.com Agenda Threat environment and risk PCI DSS overview Who we are Solutions and where we can help Market presence High Profile Hacks in
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationContinuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
More informationVendor Risk Management Financial Organizations
Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current
More informationCYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015
CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015 TODAY S PRESENTER Viviana Campanaro, CISSP Director, Security and
More informationData Breaches and Cyber Risks
Data Breaches and Cyber Risks MD/DC Credit Union Association 2015 Volunteer Leadership Conference Presented by: Ken Otsuka Business Protection Risk Management CUNA Mutual Group CUNA Mutual Group Proprietary
More informationCybersecurity Awareness
Awareness Objectives Discuss the Evolution of Data Security Define Review Threat Environment Discuss Information Security Program Enhancements for Cyber Risk Threat Intelligence Third-Party Management
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationCybersecurity. Are you prepared?
Cybersecurity Are you prepared? First Cash, then your customer, now YOU! What is Cybersecurity? The body of technologies, processes, practices designed to protect networks, computers, programs, and data
More informationCyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015
Cyber Security Auditing for Credit Unions ACUIA Fall Meeting October 7-9, 2015 Topics Introduction Cyber Security Auditing Program Discuss an effective and compliant Cyber Security Auditing Program from
More informationNIST Cybersecurity Framework & A Tale of Two Criticalities
NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented
More informationDesigning & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012
Designing & Implementing Enterprise Security Programs MBA Bank Expo 2012 April 11, 2012 Session Purpose G R O U P Premise: Security is institutionalized, but the enterprise is evolving. the enterprise
More informationNIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015
NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 Overview The University of Pittsburgh NIST Cybersecurity Framework Pitt NIST Cybersecurity Framework Program Wrap Up Questions
More informationExperience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
More informationCybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015
Cybersecurity Best Practices in Mortgage Banking Article by Jim Deitch Cybersecurity Best Practices in Mortgage Banking BY JIM DEITCH Jim Deitch Recent high-profile cyberattacks have clearly demonstrated
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002
ForeScout CounterACT and Compliance An independent assessment on how network access control maps to leading compliance mandates and helps automate GRC operations June 2012 Overview Information security
More informationA MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS
A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS CYBER ATTACKS INFILTRATE CRITICAL INFRASTRUCTURE SECTORS Government and enterprise critical infrastructure sectors such as energy, communications
More informationCybersecurity and the Threat to Your Company
Why is BIG Data Important? March 2012 1 Cybersecurity and the Threat to Your Company A Navint Partners White Paper September 2014 www.navint.com Cyber Security and the threat to your company September
More informationCYBERSECURITY EXAMINATION SWEEP SUMMARY
This Risk Alert provides summary observations from OCIE s examinations of registered broker-dealers and investment advisers, conducted under the Cybersecurity Examination Initiative, announced April 15,
More informationData Breaches and Cyber Risks
Data Breaches and Cyber Risks Carolinas Credit Union League Leadership Conference Presented by: Ken Otsuka Business Protection Risk Management CUNA Mutual Group CUNA Mutual Group Proprietary Reproduction,
More informationPCI Compliance for Healthcare
PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?
More informationCYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
More informationCybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity
Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness
More informationKeynote Speech. Beth Dugan Deputy Comptroller for Operational Risk. The Clearing House s First Operational Risk Colloquium
Keynote Speech by Beth Dugan Deputy Comptroller for Operational Risk at The Clearing House s First Operational Risk Colloquium February 11, 2015 Washington, D.C. Thank you. It s an honor to be invited
More informationCybersecurity..Is your PE Firm Ready? October 30, 2014
Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services
More informationUpdate on U.S. Critical Infrastructure and Cybersecurity Initiatives
Update on U.S. Critical Infrastructure and Cybersecurity Initiatives Presented to Information Security Now! Seminar Helsinki, Finland May 8, 2013 MARK E. SMITH Assistant Director International Security
More informationDeveloping National Frameworks & Engaging the Private Sector
www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012
More informationWater Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary
Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary May 2007 Environmental Protection Agency Executive Summary
More informationKeeping the Lights On
Keeping the Lights On Fundamentals of Industrial Control Risks, Vulnerabilities, Mitigating Controls, and Regulatory Compliance Learning Goals o Understanding definition of industrial controls o Understanding
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationCybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015
Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key
More informationReal World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services
Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons
More informationTechnology and Cyber Resilience Benchmarking Report 2012. December 2013
Technology and Cyber Resilience Benchmarking Report 2012 December 2013 1 Foreword by Andrew Gracie Executive Director, Special Resolution Unit, Bank of England On behalf of the UK Financial Authorities
More informationFINRA Publishes its 2015 Report on Cybersecurity Practices
Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February
More informationNERC CIP VERSION 5 COMPLIANCE
BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining
More informationInformation Technology
Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level
More informationCybersecurity Governance Update: New FFIEC Requirements cliftonlarsonallen.com
Cybersecurity Governance Update: New FFIEC Requirements cliftonlarsonallen.com Overview Up To Date Cybersecurity and Fraud Risks Current threat environment Industry examples and case studies FFIEC Cybersecurity
More informationAnalyzing Security for Retailers An analysis of what retailers can do to improve their network security
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
More informationCyber Security An Exercise in Predicting the Future
Cyber Security An Exercise in Predicting the Future Paul Douglas, August 25, 2014 AUDIT & ACCOUNTING + CONSULTING + TAX SERVICES + TECHNOLOGY I www.pncpa.com I www.pntech.net What is Cyber Security? Measures
More informationRE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity
October 10, 2014 Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 RE: Experience with the Framework for Improving Critical Infrastructure
More informationCybercrime and Regulatory Priorities for Cybersecurity
NRS Technology and Communication Compliance Forum Cybercrime and Regulatory Priorities for Cybersecurity Copyright 2014 by K&L Gates LLP. All rights reserved. Sean P. Mahoney sean.mahoney@klgates.com K&L
More informationItaly. EY s Global Information Security Survey 2013
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
More informationInformation Technology Risk Management
Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationCyber Incident Response Management: Breaking Glass. Presented by Darrell Switzer Sr. Director Incident Response Services BAE Systems
Cyber Incident Response Management: Breaking Glass Presented by Darrell Switzer Sr. Director Incident Response Services BAE Systems About BAE Systems $25B Annual Revenue 80,000+ Employees Operates in 40+
More informationNIST Cybersecurity Initiatives. ARC World Industry Forum 2014
NIST Cybersecurity Initiatives Keith Stouffer and Vicky Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL National Institute of Standards and Technology (NIST) NIST s mission
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationwww.pwc.com Cybersecurity and Privacy Hot Topics 2015
www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets
More informationCyber and Data Risk What Keeps You Up at Night?
Legal Counsel to the Financial Services Industry Cyber and Data Risk What Keeps You Up at Night? December 10, 2014 Introduction & Overview Today s Discussion: Evolving nature of data and privacy risks
More informationHow To Protect Water Utilities From Cyber Attack
Cybersecurity in the Water Sector Copyright 2015 American Water Works Association Overview Reality of the Threat Environment Water Sector Cyber Risk Management Key Resources Connectivity = Exposure Process
More informationTime Is Not On Our Side!
An audit sets the baseline. Restricting The next steps Authenticating help prevent, Tracking detect, and User Access? respond. It is rare for a few days to pass without news of a security breach affecting
More informationUnderstanding the NIST Cybersecurity Framework September 30, 2014
Understanding the NIST Cybersecurity Framework September 30, 2014 Earlier this year the National Institute of Standard and Technology released the Framework for Improving Critical Infrastructure Cybersecurity
More informationAnthony J. Keane, MSc, PhD and Jason Flood, MSc Information Security & Digital Forensics Research Group Institute of Technology Blanchardstown
Anthony J. Keane, MSc, PhD and Jason Flood, MSc Information Security & Digital Forensics Research Group Institute of Technology Blanchardstown 1 Protected networks are continuously being successfully attacked
More informationCyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis
Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis An analogue approach to a digital world What foundations is CDCAT built on?
More informationDESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationDiane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Submitted via email: cyberframework@nist.gov April 8, 2013 Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Re: Developing a Framework
More informationAUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More informationClient Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs
1 Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs NEW YORK Byungkwon Lim blim@debevoise.com Gary E. Murphy gemurphy@debevoise.com Michael J. Decker mdecker@debevoise.com
More informationHow To Test For Security On A Network Without Being Hacked
A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few
More informationHow To Improve Your Cyber Security
Cybersecurity and Data Security Richard Cook Director IT Audit & Security May 2015 Elliott Davis Decosimo, PLLC Cybersecurity and Data Security This material was used by Elliott Davis Decosimo during an
More informationWater Sector Approach to Cybersecurity Risk Management
Water Sector Approach to Cybersecurity Risk Management Wasser Berlin International March 24, 2015 Copyright 2015 American Water Works Association Cyber Threats are Real Director of National Intelligence
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationJOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.
JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President
More informationENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE
ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE JANUARY 2015 U.S. DEPARTMENT OF ENERGY OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY Energy Sector Cybersecurity Framework Implementation
More informationINFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE
promontory.com INFOCUS JUNE 3, 2015 BY EARL CRANE Five Questions to Guide Cybersecurity Risk Management The quick transformation of cybersecurity risk management from obscure specialty to top-of-thehouse
More informationFREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
More informationTHE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, 2013. February 12, 2013
THE WHITE HOUSE Office of the Press Secretary For Immediate Release February 12, 2013 February 12, 2013 PRESIDENTIAL POLICY DIRECTIVE/PPD-21 SUBJECT: Critical Infrastructure Security and Resilience The
More information