A Crisis Response, Information Sharing View of FFIEC Appendix J?


A Crisis Response, Information Sharing View of FFIEC Appendix J?
Susan Rogers (MBCP, MBCI)
Financial Services Information Sharing and Analysis Center (FS-ISAC), Business Resiliency Director
srogers@fsisac.us; 610-389-1271

A Crisis Response, Information Sharing View of FFIEC Appendix J

BC Manager Action Items
1. Correlate Appendix J Objectives to Crisis Response
2. Connect to your Industry's ISAC
3. Engage in Sector and Cross-Sector Exercises

Action Items for BC Managers
1. Correlate Appendix J Objectives to Crisis Response Testing
   - Prioritize Critical Third Party Risk
   - Testing Due Diligence and Contract Review
   - Testing Capacity and Cyber Resilience
2. Connect to your Industry's ISAC
3. Engage in Sector and Cross-Sector Exercises

Background on FFIEC BC Handbook, Appendix J
On February 6, 2015, the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance for examiners, financial institutions, and technology service providers (TSPs) to explain the components of an effective third-party management program that can identify, measure, monitor, and control the risks associated with outsourcing. The guidance, which is included in the FFIEC Information Technology Examination Handbook, is an update to the "Business Continuity Planning Booklet," issued in March 2008. A financial institution should be able to demonstrate the ability to recover critical IT systems and resume normal business operations, regardless of whether the process is supported in-house or at a TSP, for all types of adverse events.

Appendix J - Testing Key Element
The testing program should be based on a financial institution's established risk prioritization and evaluation of the criticality of the functions involved. Testing with third parties should disclose the adequacy of both organizations' ability to recover, restore, resume, and maintain operations after disruptions, consistent with business and contractual requirements. Any test results that impact the financial institution are to be provided to the board. A financial institution should ensure that it understands its TSP's testing process, so that it can confirm the testing is adequate to meet its continuity expectations.
Regional Business Continuity Conference

Appendix J - Testing Key Element (continued)
Testing frequency should be driven by the financial institution's risk assessment, risk rating, and any significant changes to the operating environment. To the extent that a test is unsuccessful, any issues identified should be tracked and resolved in a timely manner, according to the severity of the issues. The scope of BCP testing with third parties should be commensurate with the level and criticality of services provided and, in some cases, requires an end-to-end exercise. Finally, the right to perform or participate in BCP testing with third parties should be described within the contract governing the third-party relationship.

Appendix J - 3rd Party Management: Due Diligence
An institution should review the TSP's BCP program and its alignment with the financial institution's own program, including an evaluation of the TSP's BCP testing strategy and results, to ensure they meet the financial institution's requirements and promote resilience.
Contract review items:
- Right to audit
- BCP testing
- Data governance
- Security issues

Appendix J - 3rd Party Capacity: Testing Complexity & Strategic Considerations
Third Party Capacity & Alternatives: the significant size and client concentration of larger TSPs increases the potential impact of service disruptions across major segments of the financial industry. TSPs should assess the impact on their customers and take the necessary steps to minimize the impact of the event.
Cyber Resilience considerations:
- Malware
- Insider threats
- Data or system destruction/corruption
- Communication infrastructure disruption

Action Items for BC Managers
1. Correlate Appendix J Objectives to Crisis Response Testing
2. Connect to your Industry's ISAC
   - Connect to Your Industry ISAC (Point of Contact)
   - Register on Threat & Alert Systems
   - Join Working Groups
3. Engage in Sector and Cross-Sector Exercises

Connect to Your Industry ISAC (Point of Contact)
FS-ISAC Mission
The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a non-profit corporation that was established in 1999 and is funded by its member firms. The FS-ISAC is a member-driven organization whose mission is to help assure the resilience and continuity of the global financial services infrastructure. FS-ISAC helps members defend against acts that could significantly impact the sector's ability to provide services critical to the orderly function of the global economy.
"The FS-ISAC is not a service provider, it's a community. Like a neighborhood watch for cyber and physical hazards." (a longtime member)

Sharing Across Critical Infrastructure Sectors
Connect to Your Industry ISAC (Point of Contact)
- Members worldwide: 6500+, and growing weekly
- International members: 50% are top-tier international FIs
- Countries represented: 38, with on-the-ground staff in 7

FS-ISAC Intelligence Flow (diagram)
Register on Threat & Alert Systems
Information sources feeding the FS-ISAC 24x7 Security Operations Center:
- Private sources: iSIGHT Partners, Secunia (vulnerabilities), Wapack Labs (malware forensics), NC4 (physical security incidents), MSA (physical security analysis)
- Cross-sector sources: other ISACs, open sources (hundreds)
- Government sources: CERTs, FS regulators, law enforcement, other intelligence agencies
- Alerts and member submissions
Member communications from the SOC reach: information security, physical security, business continuity/disaster response, fraud investigations, payments/risk.

Understanding FS-ISAC Emails and Alerts
Register on Threat & Alert Systems

Step 1: Understand the Alert Type
- ANC: Announcements
- CYT: Cyber Threat
- CYI: Cyber Incidents
- COI: Collective Intelligence
- CYV: Cyber Vulnerability
- PHT: Physical Threats
- PHI: Physical Incidents
Depending on your role, you don't have to follow every update, but FS-ISAC recommends following these key reports. Doing so will limit emails to about 10/day.

Step 2: Understand the Criticality and Priority
- ANC = Priority 1-10; 8-10 is high priority
- CYV = Risk 1-10; 8-9 is Urgent, 10 is Crisis
- CYT = Risk 1-10; 8-9 is Urgent, 10 is Crisis
- COI: no criticality metric
- PHT = Risk 1-10; 8-9 is Urgent, 10 is Crisis

Step 3: Make Choices Based on Role
- Analysts and those involved in risk assessment or vulnerability/patch management should receive CYV alerts.
- Intelligence analysts may also want to participate on the Cyber Intel listserv. POCs are automatically added, but a portal account is not necessary if you wish to add additional analysts to the distribution.
- Provide portal accounts to your staff based on each individual's role. This will allow them to employ portal filtering for their unique assignments.
- We provide summary reports for managers and technical reports for analysts. Making informed choices based on your role eliminates unneeded emails.
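The three steps above amount to a triage rule: read the type code, read the score, apply the Urgent/Crisis bands, and route by role. As an added illustration (not part of the original deck and not FS-ISAC tooling), here is that rule written out and run over a few constructed sample subject lines. The subject layout assumed here (a three-letter type code, an optional 1-10 score, then free text) and the routing targets other than CYV are assumptions for the example; the page does not describe the real alert format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Alert type codes exactly as listed on the slide.
ALERT_TYPES = {
    "ANC": "Announcement",
    "CYT": "Cyber Threat",
    "CYI": "Cyber Incident",
    "COI": "Collective Intelligence",
    "CYV": "Cyber Vulnerability",
    "PHT": "Physical Threat",
    "PHI": "Physical Incident",
}

# Types the slide gives a 1-10 Risk score with Urgent (8-9) / Crisis (10) bands.
RISK_SCORED = {"CYV", "CYT", "PHT"}

# Step 3 routing. CYV -> vulnerability/patch management and risk assessment is
# from the slide; every other target here is an ASSUMPTION for the example.
ROUTING = {
    "CYV": ["vuln-mgmt", "risk-assessment"],
    "CYT": ["threat-intel"],
    "CYI": ["incident-response"],
    "COI": ["threat-intel"],
    "ANC": ["poc"],
    "PHT": ["physical-security", "business-continuity"],
    "PHI": ["physical-security", "business-continuity"],
}

# ASSUMED subject layout: "<TYPE> [<score>] <free text>". The score is optional
# because COI carries no criticality metric.
SUBJECT_RE = re.compile(r"^\s*(?P<type>[A-Z]{3})\s+(?:(?P<score>\d{1,2})\s+)?(?P<title>.*)$")


@dataclass
class Triage:
    alert_type: str
    score: Optional[int]
    severity: str
    routes: List[str]
    title: str


def severity_for(alert_type: str, score: Optional[int]) -> str:
    """Map a type and its 1-10 score onto the bands from Step 2."""
    if alert_type == "COI":
        return "no-metric"          # COI has no criticality metric at all
    if score is None:
        return "unscored"           # a scored type arrived without a score
    if not 1 <= score <= 10:
        raise ValueError(f"score out of range: {score}")
    if alert_type == "ANC":
        return "high" if score >= 8 else "routine"
    if alert_type in RISK_SCORED:
        if score == 10:
            return "crisis"
        return "urgent" if score >= 8 else "routine"
    # CYI and PHI: the slide lists no band, so only the raw score is reported.
    return "scored"


def triage(subject: str) -> Triage:
    """Parse one subject line and decide severity and recipients."""
    m = SUBJECT_RE.match(subject)
    if not m or m.group("type") not in ALERT_TYPES:
        raise ValueError(f"unrecognised alert subject: {subject!r}")
    atype = m.group("type")
    score = int(m.group("score")) if m.group("score") else None
    return Triage(atype, score, severity_for(atype, score), ROUTING[atype], m.group("title").strip())


def urgent_or_worse(subjects: List[str]) -> List[str]:
    """The subset a BC manager should read today: Urgent, Crisis or high-priority ANC."""
    return [s for s in subjects if triage(s).severity in {"urgent", "crisis", "high"}]


# Constructed sample subjects for the demo; these are not real FS-ISAC alerts.
SAMPLES = [
    "CYV 10 Remote code execution in widely deployed core banking middleware",
    "CYV 6 Low-impact information disclosure in a reporting tool",
    "CYT 8 Spearphishing campaign targeting treasury staff",
    "ANC 9 Annual CAPP exercise registration closes Friday",
    "COI Member observations on wire fraud social engineering",
    "PHI 7 Flooding near a regional data center",
]

if __name__ == "__main__":
    for s in SAMPLES:
        t = triage(s)
        print(f"{t.alert_type} {t.severity:9} -> {', '.join(t.routes)}: {t.title}")
```

The two non-obvious cases are the ones worth keeping in a real filter: COI must not be dropped just because it has no score, and a scored type that arrives without a score should be flagged rather than silently treated as routine.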

Types of Information Shared
Register on Threat & Alert Systems

Cyber threats, incidents, vulnerabilities:
- Malicious sites
- Threat actors, objectives
- Threat indicators
- Tactics, techniques, procedures
- Courses of action
- Exploit targets
- Denial of service attacks
- Malicious emails: phishing/spearphishing
- Software vulnerabilities
- Malicious software
- Analysis and risk mitigation
- Incident response

Physical threats, incidents:
- Terrorism
- Active shooter
- Hurricanes, earthquakes, other meteorological events
- Geopolitical impacts
- Pandemic
- Type, location, severity
- Impact analysis and risk mitigation
- Business resilience preparation and incident response

Circles of Trust
Join Working Groups

FS-ISAC councils, committees and lists:
- Clearing House and Exchange Forum (CHEF)
- Payments Risk Council (PRC)
- Payments Processor Information Sharing Council (PPISC)
- Business Resilience Committee (BRC)
- Threat Intelligence Committee (TIC)
- Community Institution Council (CIC)
- Insurance Risk Council (IRC)
- Compliance and Audit Council (CAC)
- Cyber Intelligence Listserv
- Asset Manager Council
- Broker-Dealer Council

How a member report becomes an alert:
1. A member reports an incident to the Cyber Intel list, or via anonymous submission through the portal.
2. Members respond in real time with initial analysis and recommendations.
3. The SOC completes the analysis, anonymizes the source, and generates an alert to the general membership.

FS Crisis Information Sharing Notional Model (diagram)
Join Working Groups

FS-ISAC: central resource for trusted crisis information sharing; facilitates private and government crisis support for the financial sector; coordinates financial sector information sharing and crisis communication.

Financial services firms (domestic and international, FS-ISAC member and non-member organizations) have direct lines of communication with trade groups, government organizations and their regulators.

Trade groups and sector bodies: FSSCC, SIFMA (including the SIFMA Market Response Committee), ABA, The Clearing House, FS Roundtable, BITS.

Government partners:
- Independent regulatory agencies: OCC, FDIC, SEC...
- Federal executive branch agencies: White House, U.S. Treasury, law enforcement (FBI, USSS...), DHS
- FBIIC; NICC; NCCIC; Cyber UCG; Infrastructure Protection; Federal Senior Leadership Council
- Partnership for Critical Infrastructure Security (PCIS); State, Local, Tribal & Territorial Government Coordinating Council (SLTTGCC)
- State OEM, city/local OEM, emergency services

International partners: CERTs, finance ministries, law enforcement...

Other information sharing entities: National Council of ISACs, Multi-State ISAC, international ISACs, emerging information sharing entities.

22 regional coalitions, which exercise to develop trusted peer relationships for crisis preparedness and develop relationships with state and local emergency management on behalf of coalition members: ChicagoFIRST, North Carolina Financial Recovery Coalition, RPCfirst, New York/NJFIRST, Southern California (SoCalFIRST), Bay Area (BARCfirst), Montgomery CountyFIRST (PA).

Action Items for BC Managers
1. Correlate Appendix J Objectives to Crisis Response Testing
2. Connect to your Industry's ISAC
3. Engage in Sector and Cross-Sector Exercises
   - Identify Sector and Multi-Sector Exercises
   - Include critical 3rd party SMEs and critical Business Leaders
   - Identify critical decisions and gaps in decision leadership

Engage in Sector and Cross-Sector Exercises
- Identify Sector and Multi-Sector Exercises
- Include critical 3rd party SMEs and critical Business Leaders
- Identify critical decisions and gaps in decision leadership

Examples:
- SIFMA Quantum Dawn I, II, III
- FSSCC Hamilton Series
- FS-ISAC CAPP Annual Exercise
ACTION: Identify other exercises?

Engage in Sector and Cross-Sector Exercises
- Identify Sector and Multi-Sector Exercises
- Include critical 3rd party SMEs and critical Business Leaders
- Identify critical decisions and gaps in decision leadership

Exercise Planning:
- Include BIA results
- Demonstrate expanded planning
- Build into 3rd party contracts
- Engage business decision makers
ACTION: Identify challenges?


Conclusions: Action Items for BC Managers
1. Connect to your Industry's ISAC
   - Connect to Your Industry ISAC (Point of Contact)
   - Register on Threat & Alert Systems
   - Join Working Groups
2. Correlate Appendix J Objectives to Crisis Response Testing
   - Prioritize Critical Third Party Risk
   - Testing Due Diligence and Contract Review
   - Testing Capacity and Cyber Resilience
3. Engage in Sector and Cross-Sector Exercises
   - Identify Sector and Multi-Sector Exercises
   - Include critical 3rd party SMEs and critical Business Leaders
   - Identify critical decisions and gaps in decision leadership

Questions / Discussion

Resources
1. FFIEC BC Booklet: http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx
2. Federal Reserve SR 15-3, February 6, 2015: http://www.federalreserve.gov/bankinforeg/srletters/sr1503.htm
3. FDIC Publication: https://www.fdic.gov/news/news/financial/2015/fil15009.html
4. DHS National Infrastructure Protection Plan (NIPP): http://www.dhs.gov/national-infrastructure-protection-plan
5. DHS Critical Infrastructure Sector Partnerships: http://www.dhs.gov/critical-infrastructure-sector-partnerships

Contact Information
Susan Rogers (MBCP, MBCI)
Financial Services Information Sharing and Analysis Center (FS-ISAC), Business Resiliency Director
srogers@fsisac.us; 610-389-1271
www.fsisac.com