The Intersection of Internal Controls and Cyber Security

Transcription

1 The Intersection of Internal Controls and Cyber Security Ralph Mosios Chief Information Security Officer Federal Housing Finance Agency ISACA NCAC Conference November 18, 2014 The Federal Housing Finance Agency (FHFA), as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the FHFA or of the author s colleagues upon FHFA s staff.

2 About FHFA, Part 2 FHFA is an independent agency with a unique mission responsible for providing oversight of the housing government-sponsored enterprises (GSEs). FHFA s mission is to promote GSE safety and soundness and ensure that the GSEs serve as a reliable source of liquidity and funding for housing finance and community investment. GSEs provide more than $5.5 trillion in funding for U.S. mortgage markets and financial institutions. FHFA is not subject to Federal Financial Management Improvement Act (FFMIA) of FHFA adheres to internal control requirements of the Federal Managers Financial Integrity Act (FMFIA) of 1982 and OMB Circular A-123. FHFA adheres to Title III of the Electronic Government Act of 2002, commonly referred to as the Federal Information Security Management Act (FISMA). 2

3 Internal Controls Who Cares? What are Internal Controls? 1 Management processes, policies, and procedures that help to ensure Efficient, effective operations Reliable financial reports Legal and regulatory compliance Internal controls must be documented, routinely tested, and auditable JPMorgan, HSBC, Enron, Worldcom, and other scandals, perceived in part as a result of poor internal controls Internal controls are at the heart of Sarbanes-Oxley Act (Section 404) OMB Circular A-123 Federal Information Security Management Act Bottom Line: Internal Controls is an FHFA Agency-wide Priority 1 The Committee of Sponsoring Organizations of the Treadway Commission (COSO), see 3

4 Federal Information Security Management Act (FISMA) Requires Federal Agencies to develop and implement an agency-wide information security program. Establishes a framework to protect agency information, operations, and assets. Requires each agency to perform an annual, independent evaluation of their information security program and practices to determine its effectiveness. Consolidates many security requirements and guidance into an overall framework. Establishes the National Institute of Standards and Technology (NIST) role in developing information standards and guidelines. 4

5 Key Drivers for FHFA s Cyber Program NIST developed a significant number of standards for Federal Agencies that helps shape internal controls. NIST SP Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, is a driving force behind FHFA s compliance program. NIST Special Publication (SP) , Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. NIST SP , Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. 5

6 Components of FHFA s Cyber Security Program NIST NIST CISO NIST STIG FIPS-199 CIS Policy & Compliance Continuous Monitoring Engineering & Operations Develop Policy & Procedures Continuous Monitoring Program Plans of Actions & Milestones (POA&M) Tracking Risk Assessments Training & Awareness Security Outreach Internal Controls/Audit Support Security Technical Implementation Guides (STIG) Center for Internet Security (CIS) Federal Information Processing Standards (FIPS) Security Operations Center Incident Response Manage Security Devices Monitoring Events Forensic Analysis Network Scanning Application & Database Scanning Vulnerability Management Security Testing Penetration Testing 6

7 Implementing an Effective Cyber Security Program There are no silver bullets with implementing an effective cyber security program with internal controls: Combination of management, operational, and technical controls are required. Not an inexpensive venture! Know relevant legislation and corresponding compliance frameworks (e.g., FISMA, FISCAM, SOX). Senior management support is critical. A cultural change may be required. Establish a relationship with your auditors! Eat the elephant one piece at a time. 7

8 References 2013 Federal Housing Finance Agency Performance and Accountability Report, The Committee of Sponsoring Organizations of the Treadway Commission (COSO), 8