WSECU Cyber Security Journey
David Luchtel, VP IT Infrastructure & Operations
Objective of Presentation
- Share WSECU's journey
- Overview of WSECU's Security Program approach
- Overview of WSECU's self-assessment on the new NCUA Cybersecurity Assessment Tool (CAT)
About WSECU
- 2nd largest Washington state based credit union
- 233,000 members and $2.4B assets
- 550 employees and 20 branches
- Roots in public services; original charter: Washington state public employees
Agenda
- WSECU journey
- Influencers to our journey
- WSECU's Security Program
- CAT self-assessment
Our Journey
Our Journey
"Me Too" Era (>2014)
- Goal: Be as good as our peers
- Benchmark: Pass our audits
- Feedback loop: What are our peers doing?
"Security is a Top Priority" Era (2015+)
- Goal: Protecting member confidential data is a top priority
- Benchmark: Follow security industry best practices
- Feedback loop: Test ourselves like hackers do
Influencers to our Journey
- The world changed
- Regulators are reacting to the changing world
- Added expertise
The World Has Changed
[Charts: Number of breaches over time; Number of banking breaches over time; Number of payment breaches over time. Based on the 2014 Verizon Data Breach report]
Attacker Tactics Changed
- Targeted
- Sophisticated
How are our Regulators Changing?
- Responding to public concern
- Becoming more targeted and sophisticated
- Developed a new cyber security technical security audit starting in 2H2016: the Cybersecurity Assessment Tool (CAT)
Added Expertise
- David joined WSECU in 2013
- Sr. Security Engineer in 2014
- Sr. Security Analyst in 2015
WSECU Security Program Framework
[Diagram]
- INPUTS: Regulatory, ERM, Industry, Member, Program Performance
- Program areas: Administrative, Awareness, Technical (covering information, compliance controls, training and controls)
- OUTPUTS: Roadmap, Architecture, Assessments, Policies, Incident Plans
Governance Framework
[Diagram: Board and Supervisory Committee; Info Security Governance Committee; Security Program]
- Responsibilities: Regulatory compliance; Voice of the member
- Responsibilities: Strategic decisions; Security tone; Alignment to business; Monitor performance
WSECU Security Roadmap
[Chart: priority (High / Medium / Low) by broad focus area across 2013, 2015, 2016, 2017 and 2019]
Focus areas: Vulnerability mgmt; Malware mgmt; Monitoring/analysis; Security training; Incident mgmt; Identity mgmt; Application security; Data security; Security perimeter; Security governance; Security architecture; Evaluate new threats
We Test Ourselves
Internally:
- Scan our environment monthly
- Scan web apps before production
- Test our controls
- Grade the effectiveness of our controls
- End user testing and learning program
Hire external experts to test us:
- Social engineering test
- Attempt to hack our systems
- Self-assess to the NCUA Cybersecurity Assessment Tool (CAT)
NCUA Cybersecurity Assessment Tool (CAT)
- FFIEC goal: a repeatable and measurable process to inform management of their institution's risk and cybersecurity preparedness
- Published July 2015 and will be used by NCUA auditors starting 3Q2016
- All agencies of the FFIEC are adopting the tool
- NCUA has stated that use of the Assessment Tool is not mandatory for FIs; auditors will be using it for guidance and consistency
Overview of Assessment Tool
Two parts to the tool:
1) Inherent Risk Profile: 5 categories, 39 risk attributes to assess
2) Cybersecurity Maturity: 5 domains, 493 assessment questions
Your Inherent Risk Profile determines your desired maturity level
WSECU Inherent Risk
Inherent Risk Profile (by Category)          Inherent Risk Level
1. Technologies and Connection Types         Minimal
2. Delivery Channels                         Moderate
3. Online/Mobile Products and Technology Services   Least
4. Organizational Characteristics            Minimal
5. External Threats                          Minimal
Composite - Inherent Risk Results            Minimal
WSECU Inherent Risk
Domain Maturity
Domain / Assessment Factor                                   WSECU Current Maturity
Domain 1: Cyber Risk Management & Oversight
  1: Governance                                              Sub-Baseline
  2: Risk Management                                         Baseline
  3: Resources                                               Advanced
  4: Training & Culture                                      Baseline
Domain 2: Threat Intelligence & Collaboration
  1: Threat Intelligence                                     Evolving
  2: Monitoring & Analyzing                                  Evolving
  3: Information Sharing                                     Advanced
Domain 3: Cybersecurity Controls
  1: Preventative Controls                                   Sub-Baseline
  2: Detective Controls                                      Sub-Baseline
  3: Corrective Controls                                     Intermediate
Domain 4: External Dependency Management
  1: Connections                                             Sub-Baseline
  2: Relationship Management                                 Sub-Baseline
Domain 5: Cyber Incident Management & Resilience
  1: Incident Resilience Planning & Strategy                 Baseline
  2: Detection, Response, and Mitigation                     Sub-Baseline
  3: Escalation and Reporting                                Intermediate
WSECU 2019 target column (values as extracted; their assignment to domains is not recoverable from the slide): Intermediate, Intermediate, Intermediate, Intermediate, Evolving, Intermediate
CAT Self-Assessment Observations
- How will CAT be used by the examiners?
- Did we interpret the ~500 questions the same way as the examiner?
- CAT is very detailed and prescriptive about what we should be doing
- Getting consensus that we meet the "what" increases the risk of more technical examiners being prescriptive in how our controls meet the requirements
- Need to meet all requirements to be at a maturity level
- Board oversight of the Security Program
- Baseline maturity vs. announcement memo
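The scoring rule behind the maturity table and the observations above ("need to meet all requirements to be at a maturity level") can be made concrete. The following is an added example, not code from the presentation or from the FFIEC tool: it scores assessment factors and a domain on the ladder the slides use (Sub-Baseline, Baseline, Evolving, Intermediate, Advanced), where a level is reached only when every declarative statement at that level and at every lower level is met, and it lists the gaps to a chosen target level. Statement counts and answers for Domain 3 are constructed sample data; the mapping from inherent risk to a target maturity level is not given on the slides, so the target is simply an input.

```python
"""Maturity-level scoring for an FFIEC/NCUA CAT-style self-assessment.

Added illustration; not code from the WSECU presentation or the FFIEC tool.
It encodes the rule stated on the slides: a maturity level is reached only
when every declarative statement at that level AND at every lower level is
met, so a factor that misses any Baseline statement stays "Sub-Baseline" no
matter how many higher-level statements it meets. Statement counts and
answers below are constructed sample data, not WSECU's real answers.
"""

# Maturity ladder as used on the slides, lowest to highest.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced"]
SUB_BASELINE = "Sub-Baseline"


def factor_maturity(answers):
    """Score one assessment factor.

    answers maps a level name to a list of booleans, one per declarative
    statement at that level (True = met). The achieved level is the highest
    rung for which this and every lower rung are fully met. A level with no
    recorded statements counts as not met, so the climb stops there.
    """
    achieved = SUB_BASELINE
    for level in LEVELS:
        statements = answers.get(level, [])
        if not statements or not all(statements):
            break
        achieved = level
    return achieved


def domain_maturity(factors):
    """A domain is only as mature as its least mature assessment factor
    (the "meet all requirements" rule applied across the domain).
    factors maps factor name -> answers dict (see factor_maturity)."""
    rank = {SUB_BASELINE: -1, **{lvl: i for i, lvl in enumerate(LEVELS)}}
    return min((factor_maturity(a) for a in factors.values()), key=rank.get)


def gap_to_target(answers, target):
    """List what still blocks a factor from reaching `target`.

    Returns {level: [indices of unmet statements]} for every level up to and
    including the target that is not fully met; a level with no recorded
    statements is reported as None (nothing answered yet)."""
    gaps = {}
    for level in LEVELS[: LEVELS.index(target) + 1]:
        statements = answers.get(level)
        if not statements:
            gaps[level] = None
        else:
            unmet = [i for i, ok in enumerate(statements) if not ok]
            if unmet:
                gaps[level] = unmet
    return gaps


# Constructed sample: Domain 3 (Cybersecurity Controls) with the three
# assessment factors named on the slides. Counts and answers are made up.
SAMPLE_DOMAIN3 = {
    "Preventative Controls": {   # meets all Evolving items but misses one Baseline item
        "Baseline": [True, True, False],
        "Evolving": [True, True],
        "Intermediate": [False],
        "Advanced": [False],
    },
    "Detective Controls": {
        "Baseline": [True, False],
        "Evolving": [True],
        "Intermediate": [],
        "Advanced": [],
    },
    "Corrective Controls": {
        "Baseline": [True, True],
        "Evolving": [True, True],
        "Intermediate": [True],
        "Advanced": [False],
    },
}


def score_domain(factors):
    """Per-factor and domain result, the shape a self-assessment summary needs."""
    return {
        "factors": {name: factor_maturity(a) for name, a in factors.items()},
        "domain": domain_maturity(factors),
    }


if __name__ == "__main__":
    result = score_domain(SAMPLE_DOMAIN3)
    for name, level in result["factors"].items():
        print(f"{name:22s} {level}")
    print("Domain 3:", result["domain"])
    print("Preventative gaps to Intermediate:",
          gap_to_target(SAMPLE_DOMAIN3["Preventative Controls"], "Intermediate"))
```

The "Preventative Controls" factor in the sample is the case the lessons-learned slide warns about: it satisfies every Evolving statement yet scores Sub-Baseline because one Baseline statement is unmet, and the domain as a whole inherits that lowest score. The gap report is what you would hand to the control owners before an examiner applies the same rule.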
CAT Self-Assessment Lessons Learned
- Rating scale is based on the FI industry, not credit unions
- No guidance on setting the maturity level based on inherent risk
- Will the examiners agree with the domain maturity levels we set?
- Some maturity categories have a higher bar for Baseline than we expected
- How will CAT influence or direct your Security Program?
Learnings from our Journey
- Have a collaborative approach to security focused on the business
- Have dedicated staff focused on security
- Use industry best practice frameworks to organize your program
- Don't assume; test yourself
- Be prepared to respond