Cyber Risk Management Guidance for FHFA Regulated Entities



Cyber Risk Management Guidance for FHFA Regulated Entities Anne E. Paulin, Examination Manager Federal Housing Finance Agency ISACA NCAC Conference November 18, 2014 Arlington VA

About FHFA

On July 30, 2008, the Housing and Economic Recovery Act of 2008 (HERA) was enacted, creating FHFA with the combined responsibilities of the Office of Federal Housing Enterprise Oversight (OFHEO), the Federal Housing Finance Board (FHFB) and the HUD GSE mission team. HERA also provided FHFA with additional authority to regulate Fannie Mae, Freddie Mac and the 12 Federal Home Loan Banks.

Advisory Bulletin AB 2014-05

- Purpose: Considerations and expectations for cyber risk management at the regulated entities (Fannie Mae, Freddie Mac, 12 Federal Home Loan Banks) and the Office of Finance
- Describes characteristics of a cyber risk management program to enable these entities to successfully perform their responsibilities and protect their environments
- Aligns with similar guidance from peer financial and other regulators, but is not meant to duplicate or supplant industry standards
- Principles-based, technology-neutral

Principles

- Proportionality
- Risk Management
- Risk Assessments
- Monitoring and Response
- System, Patch, and Vulnerability Management
- Third-party Management
- Privacy and Data Protection

Considerations and Expectations, 1 of 4

Proportionality
- Cyber risk management program should be commensurate with the institution's cyber risk and prevailing technology, industry, and government standards
  - cyber risk management program developed out of a risk assessment process
  - prioritization of cyber risk management efforts in line with the institution's objectives
  - consider ISO 27000, NIST Cyber Security Framework, COBIT, etc.

Risk Management
- Governance and risk management leverage existing practices
  - Board-approved cyber risk management policy, governance structure, and reporting
  - documented risk tolerance levels and escalation procedures
  - program implemented by management within business operations
  - program should consider insider threats

Considerations and Expectations, 2 of 4

Risk Assessments
- Identify, understand, and prioritize cyber risks
  - risk assessment specific to cyber security or within information security
  - revisit risk assessment as needed and after material changes to the risk profile
  - cyber risk management program and proportionality stem from the risk assessment

Monitoring and Response
- Monitor and respond to identified cyber risks
  - sustainable and repeatable processes
  - monitoring and response commensurate with risk tolerance and proportionality
  - periodic tests of incident response plans

Considerations and Expectations, 3 of 4

System, Patch, and Vulnerability Management
- Regular assessment and timely repair of vulnerabilities
  - sustainable and repeatable processes
  - mitigating processes and controls for unsupported legacy systems

Third-party Management
- Identify, monitor, and prioritize cyber risks arising from third parties that have access to institution assets or upon which the institution materially relies
  - consider third parties in risk assessments and patch management
  - consider third parties in business continuity planning
  - review SSAE-16 reports

Considerations and Expectations, 4 of 4

Privacy and Data Protection
- Protect sensitive, confidential, or personally identifiable information
  - risk management program that identifies where such information resides; how it is used, transmitted, and managed; and how it is protected in transport and in storage
  - cyber risk assessments consider threats to such information

Conclusions

- Risk-based approach to cyber security management
- Policies, procedures, and/or technology solutions should be tailored to address the risks faced by each institution
- Does not prescribe specific technology solutions
- All seven inter-related principles should be addressed

http://www.fhfa.gov/supervisionregulation/advisorybulletins/pages/ab-2014-05-Cyber-Risk-Management-Guidance.aspx