A Practical Guide to Conducting an Enterprise-wide Information Security Risk Assessment



Copyright 2008. This presentation may not be reproduced without the express written consent of

Why Conduct an Enterprise-wide Information Security Risk Assessment?

1999: Gramm-Leach-Bliley Act Section 501(b)
2001: You Must Comply!!!!
- Protect the Institution
- Protect your Customers
- Smart Business

A Bank Must:
- Identify & assess risks to customer information
- Design & implement a program to control risks
- Board review & approval required
- Test key controls
- Train personnel
- Adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal/external threats to information security.

Five Key Points of GLBA
I. PROTECTION
2) Evaluation of the Risk Assessment Process
   - Multiple Criteria & Dimensions
   - Enterprise-wide

2 Types of Risk to Assess
- Process-level Risk
- System-level Risk

Process-level Risk
- Policy
- DR Plan
- BCP with BIA
- Incident Response Plan
- IT General Controls Audit
- Security Awareness Training
- Data Classification
- Information Minimization
- Data/Media Destruction
- Location of NPPI
- Technology Acquisition
- IT Asset Inventory
- Staffing
- Segregation of Duties
- Red Flags ID Theft Program
- DR Test & Results
- Pen Test/Vuln. Assmt/Soc Eng
- Vendor Management
- INVOLVEMENT OF THE BOARD

System-level Risk
- Critical Applications & Systems
  - Core Banking
  - Telephone Banking
  - Online Banking
  - Accounts Payable
  - Payroll
  - Fedline/Advantage/FedWire
  - HR IS
  - Lending
  - Benefits
- Perimeter Protection
- Web/Surf Control
- Network (password strength)
- Internal Protection (SEIM)

Process-level Risk Definitions
- High Risk: documentation and/or program and/or process and/or policy and/or procedure is non-existent or highly lacking in sufficient detail to ensure that the process controls protect sensitive data and critical systems.
- Moderate Risk: documentation and/or program and/or process and/or policy and/or procedure might be incomplete or meet minimum requirements but could be improved to reduce the bank's risk. Procedures may be lacking sufficient detail.
- Low Risk: documentation, program, process, policy and procedure are well defined and show due diligence in understanding and managing risk.

System-level Risk Definitions
- High Risk: controls are lacking or highly insufficient based upon the combination of Existence of NPPI, Threat level, Criticality and Impact to the bank and its customers.
- Moderate Risk: controls meet minimum requirements based upon the combination of Existence of NPPI, Threat level, Criticality and Impact to the bank and its customers.
- Low Risk: controls meet Best Practices or exceed minimum requirements based upon the combination of Existence of NPPI, Threat level, Criticality and Impact to the bank and its customers.

Dimensions of Risk
- Compliance risk. Maintaining legal compliance with various appropriate regulations as well as compliance with the organization's various governance guidelines and policies.
- Transaction/Financial risk. Impacting earnings, cash flow, revenue or capital due to problems with or interruptions in service or product delivery.
- Operational risk. The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
- Reputational risk. Developing and retaining marketplace confidence in handling customers' financial transactions in an appropriate manner, within an acceptable time frame, as well as meeting the emerging needs of the customer base and community, which are important to protecting the safety and soundness of the Institution.

Annual Requirements
- DR Plan Review
- Policy Review
- Incident Response Plan Review
- Security Awareness Training
- DR Test & Results
- Pen Test/Vuln. Assmt/Soc Eng
- BCP with BIA Review
- IT General Controls Audit

Administrative Issues
- Segregation of Duties
- Technology Acquisition
- IT Asset Inventory
- Information Minimization
- Data Classification
- Data/Media Destruction
- Location of NPPI
- Red Flags ID Theft Program
- Vendor Management
- Staffing
- Involvement of the Board

Incident Response Plan
- Monitor
- Analyze
- Investigate
- Incident Definition
- Forms
- Internal Contact
- Legal Contact
- Respond

See DR TOC

See BCP/BIA

Vendor Management Program
- Due Diligence
- Risk Rating
- Contract Review
- Periodic Review
- Policy
- Contract Tracking
- Ongoing Monitoring
- Reporting
- Vendor Inventory

QUIZ!!!!!!!!

Internet-based Consumer Lending System
- Threat? / NPPI: Yes / Criticality / Impact: H H H H
- Controls: 3 people with access, complex PW + Token: L
- Residual Risk?

In-house Consumer Lending System
- Threat? / NPPI: No / Criticality / Impact: L L H M
- Controls: 5 people with access, strong PW: M/L
- Residual Risk?
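The two quiz slides give the inputs of a system-level rating (existence of NPPI, threat, criticality, impact, and a controls rating) and leave "Residual Risk?" for the audience. The following is an added example, not from the deck or the presenter, of how an assessor might encode that rating in a small risk register. Everything about the scoring is an assumption made here for illustration: inherent risk is taken as the ceiling of the mean of threat, criticality and impact, a system holding NPPI is never rated below Moderate inherently, best-practice controls (rated L) lower the rating one band, minimum controls (M) leave it unchanged, and lacking controls (H) leave inherent risk fully exposed. The reading of the slide columns (threat, criticality, impact, with the fourth value as the slide's own inherent rating) and the conservative reading of "M/L" as M are likewise assumptions.

```python
"""System-level risk register in the style of the slide deck.

The deck defines High/Moderate/Low in words only; the numeric scheme in
this file is an ASSUMPTION made for illustration, not the presenter's method.
"""
import math
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List


class Level(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3

    @classmethod
    def parse(cls, text: str) -> "Level":
        # Accept the H/M/L shorthand used on the slides. Where a slide gives two
        # ratings ("M/L"), the first (more conservative) letter is taken.
        return {"H": cls.HIGH, "M": cls.MODERATE, "L": cls.LOW}[text.strip().upper()[0]]


@dataclass(frozen=True)
class SystemAssessment:
    name: str
    nppi: bool            # does the system hold non-public personal information?
    threat: Level
    criticality: Level
    impact: Level
    control_risk: Level   # H = controls lacking, M = minimum requirements, L = best practice
    control_notes: str = ""

    def inherent_risk(self) -> Level:
        """Risk before controls (assumed rule): ceiling of the mean of the three
        factors, so one High factor can never average down to Low, and a floor
        of Moderate wherever NPPI is present."""
        mean = (self.threat + self.criticality + self.impact) / 3
        level = Level(math.ceil(mean))
        if self.nppi and level < Level.MODERATE:
            return Level.MODERATE
        return level

    def residual_risk(self) -> Level:
        """Risk after controls (assumed rule): best-practice controls buy one band
        of reduction; minimum or lacking controls leave inherent risk in place."""
        inherent = self.inherent_risk()
        if self.control_risk == Level.LOW:
            return Level(max(inherent - 1, Level.LOW))
        return inherent


def rank_register(systems: Iterable[SystemAssessment]) -> List[SystemAssessment]:
    """Highest residual risk first, ties broken by inherent risk then name,
    so the report order is stable from one review cycle to the next."""
    return sorted(systems, key=lambda s: (-s.residual_risk(), -s.inherent_risk(), s.name))


def register_report(systems: Iterable[SystemAssessment]) -> str:
    """Plain-text table suitable for pasting into a board or audit pack."""
    header = f"{'System':<40} {'NPPI':<5} {'Inherent':<9} {'Controls':<9} Residual"
    rows = [header]
    for s in rank_register(systems):
        rows.append(
            f"{s.name:<40} {'Yes' if s.nppi else 'No':<5} "
            f"{s.inherent_risk().name:<9} {s.control_risk.name:<9} {s.residual_risk().name}"
        )
    return "\n".join(rows)


# Constructed inputs mirroring the two quiz slides. Column assignment (threat,
# criticality, impact) is this file's reading of the slides; the deck does not
# publish an answer, so the residual ratings below follow the assumed scheme.
QUIZ_SYSTEMS = [
    SystemAssessment(
        "Internet-based Consumer Lending System", nppi=True,
        threat=Level.HIGH, criticality=Level.HIGH, impact=Level.HIGH,
        control_risk=Level.LOW, control_notes="3 people with access, complex PW + Token",
    ),
    SystemAssessment(
        "In-house Consumer Lending System", nppi=False,
        threat=Level.LOW, criticality=Level.LOW, impact=Level.HIGH,
        control_risk=Level.parse("M/L"), control_notes="5 people with access, strong PW",
    ),
]

if __name__ == "__main__":
    print(register_report(QUIZ_SYSTEMS))
```

Under the assumed scheme the Internet-facing system rates High inherently and drops to Moderate because of its strong controls, while the in-house system rates Moderate inherently and stays there because its controls only meet the minimum; the register lists the Internet-facing system first on the inherent-risk tiebreak, which is the behaviour an assessor wants when two systems share a residual band.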

Regulatory Specialists
- Domain Expertise
- Regulatory Expertise: GLBA 501(b), NCUA Part 748, SOX, HIPAA, PCI
- Information Security Expertise
- Technical Expertise