THE EVOLUTION OF CYBERSECURITY




Identifying Best Practices
June 2, 2015
Cerone F. "Cy" Sturdivant, Managing Consultant, Nashville, TN

TO RECEIVE CPE CREDIT
- Participate in the entire webinar
- Answer polls when they are provided
- If you are viewing this webinar in a group, complete the group attendance form with:
  - Title & date of live webinar
  - Your company name
  - Your printed name, signature & email address
- All group attendance sheets must be submitted to training@bkd.com within 24 hours of the live webinar
- If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of the live webinar

TODAY'S AGENDA
- Formally defining cybersecurity
- Assessing your cybersecurity preparedness
- Cybersecurity program development
- Regulatory expectations

DEFINING CYBERSECURITY
In recent security discussions, there are references to both cybersecurity & information security. The terms are often used interchangeably, but in reality cybersecurity is a part of information security.
Note: The interconnected nature of critical infrastructure systems has introduced a host of new vulnerabilities. All of these factors have influenced the shift from information security to cybersecurity.

Information security deals with protecting information regardless of its format: physical documents, digital, intellectual property in people's minds & verbal or visual communications.
Cybersecurity is concerned with protecting digital assets: everything from networks to hardware & the information processed, stored or transported by internetworked information systems.

DEFINING CYBERSECURITY
NIST has a very appropriate definition for financial institutions: "The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks."
- Identifying attacks: for financial institutions, employee training & customer awareness are key
- Defending against attacks is in the design & operation of the network & application environment; most banks we work with do this well
- Responding to attacks refers to your institution's incident response plans
- Recovering from attacks should be covered by your Disaster Recovery/Business Continuity Plan

CYBERSECURITY CONCEPTS
The objective of cybersecurity is threefold, involving the critical components of confidentiality, integrity & availability.

CONFIDENTIALITY, INTEGRITY & AVAILABILITY
- Confidentiality is protection of information from unauthorized access or disclosure
- Integrity is protection of information from unauthorized modification
- Availability ensures timely & reliable access to & use of information & systems

FFIEC CYBER PREPAREDNESS ASSESSMENT
A pilot cybersecurity examination work program (the Cybersecurity Assessment) was conducted in June 2014 at over 500 community financial institutions with less than $1 billion in assets to evaluate their preparedness to mitigate cyber risks. FFIEC regulators released initial results of their assessment in November 2014.

CYBERSECURITY PREPAREDNESS
In addition to cybersecurity inherent risk, the Cybersecurity Assessment reviewed financial institutions' current practices & overall preparedness, focusing on the following:
- Risk management & oversight
- Threat intelligence & collaboration
- Cybersecurity controls
- External dependency management
- Cyber incident management & resilience
BREAKING NEWS: preliminary observations indicate most banks do not fully understand the specific threats that face them.

CYBERSECURITY PREPAREDNESS: UTILIZING THE NIST FRAMEWORK
The Framework can be used to help identify & prioritize actions for reducing cybersecurity risk, & it is a tool for aligning policy, business & technological approaches to managing that risk.
The Framework enables organizations, regardless of size, cyber risk or cybersecurity sophistication, to apply principles & best practices of risk management to improving cybersecurity & securing critical infrastructure.

NIST FRAMEWORK OVERVIEW
(diagram slide; the framework graphic is not reproduced in the transcription)

CYBERSECURITY PROGRAM
A cybersecurity program should integrate all aspects of the bank's existing programs:
- GLBA Information Security Program
- Business Continuity & Disaster Recovery
- Incident Response & Crisis Management Plans
- Third-Party Risk Management

EXAMPLE OF A CYBER ATTACK: WIRE FRAUD
(diagram slide) Parties shown: Money Manufacturer (Israel), Product Re-Seller (United States), Israel Bank and United States Bank, with money flowing between the two banks.

EXAMPLE OF WIRE FRAUD, PART TWO
(diagram slide) A Kuala Lumpur Bank now appears alongside the Israel Bank and United States Bank; the captions read "What money???", "Where is my money???" and "What did I do?????".

CYBER ATTACK: WHAT COULD HAVE BEEN DONE?
Technical
- Content/spam filter to prevent phishing
People
- Awareness training
- Management review of change to wiring instructions
- Phone verification of change

INCIDENT RESPONSE
Technical
- Design of network and infrastructure
- Monitoring: IDS/IPS
- Testing
People
- Training to recognize attack
  - Don't get distracted
  - Recognize it for what it is
- Management oversight
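The two people-side controls on the slide (management review of a change to wiring instructions and phone verification of that change) can be enforced in the payment workflow rather than left to memory. The block below is an added illustration of that gate; it is not code from the BKD webinar, and the record layout, approval rules, party names, account numbers and phone numbers are all constructed. Its key design point is that a callback only counts when it goes to the number already on file, never to a number supplied inside the change request, and that the reviewer must be someone other than the person who keyed the request.

```python
"""Dual-control gate for a change to a beneficiary's wiring instructions.

Added illustration of two controls on the slide (management review of the
change and phone verification of it); not code from the BKD webinar. Field
names, approval rules, party names and phone numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class BeneficiaryProfile:
    """What the bank had on file before any change request arrived."""
    bank: str
    account: str
    phone_on_file: str  # established at onboarding, never taken from the request


@dataclass
class WireInstructionChange:
    """A requested change to where a beneficiary's wires are sent."""
    beneficiary: str
    new_bank: str
    new_account: str
    requested_by: str                  # employee who keyed the request
    reviewed_by: Optional[str] = None  # manager who signed off
    verified: bool = False             # set only by a callback to the number on file


class WireControls:
    """Tracks pending changes and decides whether a wire may be released."""

    def __init__(self, profiles: Dict[str, BeneficiaryProfile]):
        self.profiles = profiles
        self.pending: Dict[str, WireInstructionChange] = {}

    def request_change(self, change: WireInstructionChange) -> None:
        self.pending[change.beneficiary] = change

    def management_review(self, beneficiary: str, manager: str) -> None:
        """Management sign-off; the reviewer must not be the requester."""
        change = self.pending[beneficiary]
        if manager == change.requested_by:
            raise PermissionError("reviewer cannot be the person who keyed the request")
        change.reviewed_by = manager

    def phone_verification(self, beneficiary: str, number_called: str, confirmed: bool) -> None:
        """Out-of-band callback: a 'yes' counts only from the number on file; a 'no' cancels."""
        if number_called != self.profiles[beneficiary].phone_on_file:
            return  # a number supplied inside the request itself proves nothing
        if confirmed:
            self.pending[beneficiary].verified = True
        else:
            del self.pending[beneficiary]  # the real beneficiary denies the change

    def release_wire(self, beneficiary: str) -> Tuple[str, str]:
        """Return (bank, account) to send to, or raise while a change is unapproved."""
        profile = self.profiles[beneficiary]
        change = self.pending.get(beneficiary)
        if change is None:
            return profile.bank, profile.account
        if change.reviewed_by is None or not change.verified:
            raise RuntimeError("wiring-instruction change not fully approved; wire held")
        profile.bank, profile.account = change.new_bank, change.new_account
        del self.pending[beneficiary]
        return profile.bank, profile.account


def is_held(controls: WireControls, beneficiary: str) -> bool:
    """True when release_wire refuses to send because controls are incomplete."""
    try:
        controls.release_wire(beneficiary)
        return False
    except RuntimeError:
        return True


def run_constructed_scenario() -> Dict[str, object]:
    """Constructed walk-through using the slide's parties: a request to redirect the
    Israeli manufacturer's wires arrives carrying its own 'call to confirm' number."""
    b = "Money Manufacturer"
    controls = WireControls({b: BeneficiaryProfile("Israel Bank", "IL-0001", "+972-555-0100")})
    results: Dict[str, object] = {}
    controls.request_change(WireInstructionChange(b, "Kuala Lumpur Bank", "MY-9999", "ap_clerk"))
    results["held_before_controls"] = is_held(controls, b)
    # Calling the number printed in the request yields a "yes", which does not count.
    controls.phone_verification(b, "+60-555-0199", confirmed=True)
    results["held_after_calling_request_number"] = is_held(controls, b)
    try:  # the clerk cannot review their own request
        controls.management_review(b, manager="ap_clerk")
        results["self_review_rejected"] = False
    except PermissionError:
        results["self_review_rejected"] = True
    # Manager signs off; callback to the number on file, and the real beneficiary says "no".
    controls.management_review(b, manager="treasury_manager")
    controls.phone_verification(b, "+972-555-0100", confirmed=False)
    results["destination_after_denial"] = controls.release_wire(b)
    # A genuine change passes both controls and is applied.
    controls.request_change(WireInstructionChange(b, "Israel Bank", "IL-0002", "ap_clerk"))
    controls.management_review(b, manager="treasury_manager")
    controls.phone_verification(b, "+972-555-0100", confirmed=True)
    results["destination_after_genuine_change"] = controls.release_wire(b)
    return results
```

Running run_constructed_scenario() shows the wire held until both controls pass, the fraudulent redirect cancelled when the beneficiary is reached on the number already on file, and only the genuine change applied. In a real payment system the same gate would sit in front of the release step, with the review and callback recorded for audit.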

BUSINESS RESUMPTION
Technical
- Separate DR site
- Additional equipment
- Backup strategy
- Regular testing
- Vendor management
People
- Third-party resources, if needed, on call
- Core & IT engineers
- Training in resumption

EXAMINER EXPECTATIONS
- Incorporate cybersecurity into all existing programs & policies
- Enhance IT-related risk assessments to identify & address cyber-specific threats
- Enhance training efforts: employees, board & customers
- Strengthen monitoring controls
- Strengthen incident response efforts

CONCLUSION
Financial institutions have to be careful they aren't tempted to make their reviews for cyber-resilience a checkbox compliance exercise. Ensuring cyber-resilience of their internal networks & people, as well as the networks of their third-party service providers & vendors, requires going beyond simply implementing the recommendations in new guidelines.

CYBERSECURITY RESOURCES
- FFIEC Cybersecurity Awareness - http://www.ffiec.gov/cybersecurity.htm
- Bank Info Security - http://www.bankinfosecurity.com/
- ABA Center for Payments and Cybersecurity - http://www.aba.com/tools/function/pages/centerpayments-cybersecurity.aspx
- NIST Framework - http://www.nist.gov/cyberframework/index.cfm
- FS-ISAC - http://www.fsisac.com/

QUESTIONS?

CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.
The information in BKD webinars is presented by BKD professionals, but applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered in these webinars.

THANK YOU!

FOR MORE INFORMATION
Cerone F. "Cy" Sturdivant, CISA
Managing Consultant
BKD, LLP
One American Center
3100 West End Ave, Suite 850
Nashville, TN 37203-1320
615.988.3600, Ext 32614
www.bkd.com