EVOLUTION OF CYBERSECURITY: IDENTIFYING BEST PRACTICES
PHILIP DIEKHOFF, IT RISK SERVICES
TECHNOLOGY THE DARK SIDE
AGENDA
- Defining cybersecurity
- Assessing your cybersecurity preparedness
- Cybersecurity program development
- Regulatory expectations
- Cost-effective strategies to reduce the risk of a data breach
DEFINING CYBERSECURITY
In recent security discussions there are references to both cybersecurity and information security. The terms are often used interchangeably, but in reality cybersecurity is a part of information security.
Note: the interconnected nature of critical infrastructure systems has introduced a host of new vulnerabilities. All of these factors have influenced the shift from information security to cybersecurity.

DEFINING CYBERSECURITY (CONT.)
- Information security deals with protecting information regardless of its format: physical documents, digital data, intellectual property in people's minds, and verbal or visual communications.
- Cybersecurity is concerned with protecting digital assets: everything from networks to hardware and the information processed, stored or transported by internetworked information systems.
DEFINING CYBERSECURITY (CONT.)
NIST has a very appropriate definition for institutions: "The process of managing cyber threats and vulnerabilities and for protecting information and information systems by identifying, defending against, responding to and recovering from attacks."
- Identifying attacks: employee training and customer awareness are key.
- Defending against attacks lies in the design and operation of the network and application environment.
- Responding to attacks refers to your institution's incident response plans.
- Recovering from attacks should be covered by your Disaster Recovery/Business Continuity Plan.
FFIEC CYBER PREPAREDNESS ASSESSMENT
- Pilot cybersecurity examination work program (Cybersecurity Assessment) conducted in June 2014
- Approximately 500 assessments of community financial institutions with $1 billion or less in assets
- Information gathering and learning mode
- Finalized report December 2014

FFIEC CYBERSECURITY ASSESSMENT SCOPE
- Exam built upon key aspects of the existing FFIEC IT Handbook
- Assessed financial institutions' current practices and overall cybersecurity preparedness
- BREAKING NEWS - Preliminary observations indicate most banks do not fully understand the specific threats that face them

FFIEC CYBERSECURITY ASSESSMENT TOOL
- FFIEC Cybersecurity Assessment (CA) Tool released June 30, 2015
- Not really a tool as we have traditionally defined software or hardware; more of a process to help banks perform a self-assessment of their cybersecurity preparedness
- Based on size and complexity
- Resulting from the 2014 Cybersecurity Assessment lessons learned
FFIEC CA TOOL - 3 MAJOR COMPONENTS
1. Inherent Risk Profile - rating your inherent risk for cybersecurity threats based on your size and complexity, before implementing controls
2. Cybersecurity Maturity - rating your cybersecurity maturity regarding how prepared you are to handle different cybersecurity threats; includes domains, assessment factors, components and individual declarative statements across five maturity levels to identify the controls and practices in place
3. Interpreting and analyzing the results by understanding how your inherent risk ties to your cybersecurity maturity, and where you SHOULD be regarding risk vs. maturity

CYBERSECURITY INHERENT RISK
Assesses your institution's inherent risk profile based on five inherent risk profile categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats

CYBERSECURITY MATURITY
Evaluates your institution's cybersecurity maturity level for each of five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
While management can determine the institution's maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.
CYBERSECURITY MATURITY LEVELS

INTERPRETING AND ANALYZING RESULTS
- There is no single expected level for an institution
- An institution's inherent risk profile and maturity levels will change over time as threats, vulnerabilities and operational environments change
- Management should consider reevaluating its inherent risk profile and cybersecurity maturity periodically, and whenever planned changes can affect its inherent risk profile

FFIEC CA TOOL GOAL
- Highlight areas of weakness and strength regarding how you are, or will be, able to handle a cybersecurity attack
- Also highlight how you can mitigate this risk and implement additional controls
- Provide regulators and examiners an idea of how capable your institution is regarding cybersecurity preparedness, based on size and complexity
CYBERSECURITY PROGRAM
A cybersecurity program should integrate all aspects of banks' existing programs:
- GLBA Information Security Program
- Business Continuity and Disaster Recovery
- Incident Response and Crisis Management Plans
- Third-party (Vendor) Risk Management

EXAMINER EXPECTATIONS
- Incorporate cybersecurity into all existing programs and policies
- Enhance IT-related risk assessments to identify and address cyber-specific threats
- Enhance training efforts for employees, board and customers
- Strengthen monitoring controls
- Strengthen incident response efforts

CONCLUSION
- Be careful - don't be tempted to make your reviews for cyber-resilience a checkbox compliance exercise
- Ensure cyber-resilience of internal networks and people
- Consider and evaluate the networks of your third-party service providers and vendors
- Go beyond simply implementing recommendations in new guidelines
TOP 10 COST-EFFECTIVE STRATEGIES TO REDUCE THE RISK OF A DATA BREACH
#1 KNOW WHERE YOUR DATA IS
- Document and maintain accurate information asset inventories, including all relevant assets that store or transmit sensitive data
- Conduct, document and maintain a current data flow analysis to understand the location of your data, data interchange and interfaces, as well as the applications, operating systems, databases and supporting technologies that support and impact your data
- Understand cloud data relationships (use a whiteboard to create flow charts to document processes, etc.)
- Locate and consolidate all valuable data into as few storage locations as possible; by reducing the footprint of your data you create fewer potential vulnerabilities and minimize the effort of monitoring and tracking access to that data

#2 TAKE ADVANTAGE OF SECURITY CONTROLS
- Establish, implement and actively manage security configuration settings for all hardware and software: servers, workstations, laptops, mobile devices, firewalls, routers, etc.
- System/device hardening
- Strong password security
- Limit administrative privileges
- Grant only the minimum access required to perform job functions

#3 KNOW WHO CAN ACCESS YOUR DATA
- Align logical and physical access authorization, establishment, modification and termination procedures applicable to networks, operating systems, applications and databases
- Screen employees prior to employment
- Document additions and modifications with standard change management
- Timely removal of terminated employees
- Limit vendor remote access

#4 IMPLEMENT DATA LOSS PREVENTION CONTROLS
- Organizations must limit access to removable media, CD-ROMs, email and file transfer websites
- Leverage group policies and existing software such as content filtering, email filters, etc.
- Companies should write a clear, well-planned policy that encompasses device use and disposal of information
- When devices are no longer in use, data should be wiped and the device then physically destroyed

#5 ENSURE ALL CRITICAL DATA IS ENCRYPTED
- Adoption of data encryption for data in use, in transit and at rest provides mitigation against data compromise
- Encrypt all hard drives on all portable devices, conducted in conjunction with #1
- Data backup, retention and archival information should all be under the protection of strong encryption to ensure that data falling into malicious hands cannot be interpreted or otherwise utilized
- Note: in the event you lose a device, compliance mandates may require you to prove the device was encrypted
#6 EFFECTIVE PATCH MANAGEMENT
- Ensure all systems, regardless of function or impact, have recent operating system and application patches applied, and that business-critical applications are maintained at the most current level feasible for your organization
- Evaluate and test critical patches in a timely manner
- Apply patches for the riskiest vulnerabilities first
- Use WSUS to manage Windows-related patches
- Third-party applications (Java, Adobe, Flash, etc.) must also be managed
- Be strategic and plan for end-of-life events (Windows XP and Server 2003)

#7 PERFORM RISK ASSESSMENTS
Perform an information security risk assessment that is flexible and responds to changes in your environment. Specific focus should be on all protected information and protected health information (if applicable).
- Asset-based format
- Identify foreseeable threats
- Assign inherent risk rating
- Determine likelihood of occurrence
- Determine magnitude of impact
- Input mitigating controls
- Determine residual risk rating
- Update annually to adjust for new threats
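As an added illustration of the asset-based format described above (not part of the original presentation), the following Python sketch scores a constructed risk register: each threat on an asset gets a likelihood and an impact on a 1 to 5 scale, inherent risk is their product, mitigating controls take points off one or both factors, and the residual score is re-rated so the highest remaining risks surface first. The assets, threats, control reductions and rating thresholds are all assumed sample values, not figures from the presenter.

```python
from dataclasses import dataclass, field
# Assumed 1..5 scale for both factors (1 = rare/negligible, 5 = almost certain/severe)
# and assumed rating thresholds; neither comes from the presentation.

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points taken off likelihood
    impact_reduction: int = 0      # points taken off impact

@dataclass
class Threat:
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

def rating(score: int) -> str:
    # Band a 1..25 score into the qualitative rating recorded in the register
    return "High" if score >= 15 else "Moderate" if score >= 8 else "Low"

def inherent_score(t: Threat) -> int:
    # Inherent risk: likelihood x impact before any control is credited
    return t.likelihood * t.impact

def residual_score(t: Threat) -> int:
    # Residual risk after mitigating controls; neither factor drops below 1
    like = max(1, t.likelihood - sum(c.likelihood_reduction for c in t.controls))
    imp = max(1, t.impact - sum(c.impact_reduction for c in t.controls))
    return like * imp

def assess(register: list) -> list:
    # Score every row and sort so the highest residual risk is addressed first
    rows = [{"asset": t.asset, "threat": t.threat,
             "inherent": inherent_score(t), "inherent_rating": rating(inherent_score(t)),
             "residual": residual_score(t), "residual_rating": rating(residual_score(t))}
            for t in register]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)

# Constructed sample register: hypothetical assets, threats and controls
SAMPLE_REGISTER = [
    Threat("Customer PII database", "Ransomware", 4, 5,
           [Control("Patching and endpoint protection", likelihood_reduction=1),
            Control("Offline, encrypted backups", impact_reduction=2)]),
    Threat("Staff laptops", "Lost or stolen device", 3, 4,
           [Control("Full-disk encryption", impact_reduction=3)]),
    Threat("Vendor remote access", "Misused vendor credentials", 3, 4),
]
```

Calling `assess(SAMPLE_REGISTER)` ranks the uncontrolled vendor access path above the database whose ransomware risk has been partly mitigated, which is the kind of gap the annual update is meant to surface.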
#8 EDUCATE PERSONNEL AND HOLD THEM ACCOUNTABLE
- Provide staff training on security best practices, internal policies and new threats; focus on social engineering, phishing and physical security concerns
- Educate all personnel, at least annually, on your company's data security requirements
- Education can be as simple as email reminders, brown-bag lunch-and-learns, etc.
- Make sure the new-hire onboarding process includes this topic
- Accountability includes ALL personnel, especially senior management, who must lead by example

#9 AUDIT AND ASSESS CONTROLS
- Conduct vulnerability scans and penetration tests to identify and evaluate security vulnerabilities in your environment
- Security controls provide the most value when they are audited and monitored for compliance and/or maintenance
- Annual audits provide the insights needed to keep security controls optimized and properly fitted to the environments they protect

#10 MINIMIZE IMPACT BY TAKING IMMEDIATE ACTION
- Management's ultimate goal should be to minimize damage to the institution and its customers through containment of the incident and proper restoration of information systems
- Conduct analysis of past incidents and the responses applied to determine which areas were successful and which were not
- Use an incident response team to ensure immediate action is taken following a security event, to minimize the impact on operations and the loss of data
- Determine who will be responsible for declaring an incident and for restoring affected computer systems once the incident is resolved

CYBERSECURITY RESOURCES
- FFIEC Cybersecurity Awareness - http://www.ffiec.gov/cybersecurity.htm
- Bank Info Security - http://www.bankinfosecurity.com/
- ABA Center for Payments and Cybersecurity - http://www.aba.com/tools/function/pages/centerpayments-cybersecurity.aspx
- NIST Framework - http://www.nist.gov/cyberframework/index.cfm
- FS-ISAC - http://www.fsisac.com/
CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.
The information in BKD seminars is presented by BKD professionals for informational purposes only. Applying specific information to your situation requires careful consideration of facts and circumstances. Consult your BKD advisor before acting on any matters covered herein or in these seminars.
PHILIP DIEKHOFF// IT RISK SERVICES // PDIEKHOFF@BKD.COM