Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

Similar documents

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Information Technology

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Vendor Management. Outsourcing Technology Services

Cybersecurity The role of Internal Audit

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Internal audit value optimization for insurance organizations

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Western Australian Auditor General s Report. Information Systems Audit Report

FFIEC Cybersecurity Assessment Tool

Identifying and Managing Third Party Data Security Risk

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

Click to edit Master title style

Cybersecurity Issues for Community Banks

PCI Compliance Just the Facts. Rick Dakin President ext. 7001

Instructions for Completing the Information Technology Officer s Questionnaire

WSECU Cyber Security Journey. David Luchtel VP IT Infrastructure & Opera:ons

Vendor Risk Management Financial Organizations

IT AUDIT WHO WE ARE. Current Trends and Top Risks of /9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

Logging In: Auditing Cybersecurity in an Unsecure World

How to ensure control and security when moving to SaaS/cloud applications

CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015

PCI Compliance for Cloud Applications

Cybersecurity: What CFO s Need to Know

IT Security & Compliance Risk Assessment Capabilities

Developing National Frameworks & Engaging the Private Sector

Risk Management of Outsourced Technology Services. November 28, 2000

An article on PCI Compliance for the Not-For-Profit Sector

Data Breach Response Planning: Laying the Right Foundation

Third Party Risk Management 12 April 2012

The PNC Financial Services Group, Inc. Business Continuity Program

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

Third-Party Cybersecurity and Data Loss Prevention

PCI Compliance: How to ensure customer cardholder data is handled with care

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

What Directors need to know about Cybersecurity?

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire

Cybersecurity. Are you prepared?

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director

Cloud Security and Managing Use Risks

Where insights lead Cybersecurity and the role of internal audit: An urgent call to action

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

THE EVOLUTION OF CYBERSECURITY

PCI Compliance. Top 10 Questions & Answers

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Big Data, Big Risk, Big Rewards. Hussein Syed

Mobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Vendor Management Best Practices

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks?

External Supplier Control Requirements

Cyber Liability Insurance: It May Surprise You

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

VENDOR MANAGEMENT. General Overview

Cyber Security and the Board of Directors

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

PCI Compliance Top 10 Questions and Answers

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Information Security Program CHARTER

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

PCI Compliance Overview

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Anthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members:

White Paper on Financial Institution Vendor Management

NSW Government Digital Information Security Policy

9/13/ /20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

Address C-level Cybersecurity issues to enable and secure Digital transformation

Operational Risk Management Policy

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

CYBER & PRIVACY LIABILITY INSURANCE GUIDE

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

Transcription:

Cyber Security Auditing for Credit Unions ACUIA Fall Meeting October 7-9, 2015

Topics Introduction Cyber Security Auditing Program Discuss an effective and compliant Cyber Security Auditing Program from an: Internal audit department s role Independent External Security Auditor s Role The role and effects of the IT Risk Assessments in a Cyber Security Audit Program

Introduction Jim Soenksen-CEO PIVOT Group LLC A National Independent Audit, Assessment and Compliance Firm providing exclusively Data Privacy and Protection Services Offices Atlanta Orlando Dallas Chicago- Coming Soon!

Cyber Security Audit Program DNA

Your Obligations Protect Member s Data Compliance Awareness Communication Well Informed Policy Assumptions Reliable Reporting Attestation of Results Current and Relevant Risk Based Program and Assessment

Internal Auditor s Role Develop Enterprise Audit Program Compliance Policies Internal Controls Independence Risk Base Leverage Departments Reporting Outsource as Required or Needed

Independent External Auditor s Role Information Security Program-Independent Attestation Testing areas of program where resources or expertise does not exist Compliance-ISO, PCI Special Situations Validate BC/DR Insider Fraud Incident Response Vendor Management

2015 Data Privacy Regulations GLBA/NCUA Reg 748 A&B FFIEC Authentication FFIEC Social Media PCI TR-39/TG-3 State and Federal Data Breach Notification Laws CISPA 2015 Enterprise Risk Management

2015 NCUA Examination Focus New Cyber Security Risk Exam IT Exam DDoS Incident Response BC/DR Enterprise Risk Management Vendor Management Remediation Progress

Check Lists Examination Preparation FFIEC Authentication Self Assessment New Cybersecurity Exam Questionnaire New Cyber Security Risk Assessment PCI SAQ

Biggest Voids-Internal Audit Expertise/Knowledge Interdepartmental Coordination Auditing Tools Changing Regulations/Exam Requirements Incident Response Back Up and Disaster Recovery IT Expertise Physical Security Board Awareness Risk Based Risk Analysis Tools

External vs. Internal Develop Enterprise Audit Plan Determine In-House Expertise and Resources Outsource or Train where Lack of Expertise Determine Required Outsource Financials Information Security Program Website/Marketing Compliance PCI

How does IT Risk Assessments Fit?

Risk Based Program Data Breach/Leakage Asset Protection Non-Compliance Reputation System Compromise Increase Costs Misused Resources Uniformed Decisions Missed Opportunities

Major Data Breach Prevention IT Controls Encryption Vulnerability Management Social Engineering Vendor Management Training Internal Fraud Mobile Applications Control Incident Response Program Info/Sec Control Testing Independent Security and Compliance Audits

Credit Union s Biggest Threats Social Engineering Vendor Management Mobile Disasters Physical Disasters Insider Fraud Credit/Debit Cards Unencrypted Data Incident Response

FFIEC Cyber Risk Assessment Tool Benefits to the Institution For institutions using the Assessment, management will be able to enhance their oversight and management of the institution s cybersecurity by doing the following: Identifying factors contributing to and determining the institution s overall cyber risk. Assessing the institution s cybersecurity preparedness. Evaluating whether the institution s cybersecurity preparedness is aligned with its risks. Determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state. Informing risk management strategies

Cyber Risk Domains

FFIEC Cyber Risk Assessment Tool

Inherent Risk Ratings

Maturity Model

Risk/Maturity Relationship Matrix

Implementation

Who does What???

Linkage to ERM

Your Risk Appetite & Profile Reputation Customer Changes Product/Services Management & Development Competition Qualified Personnel Transaction Processing Errors & Interruptions Access to Complete, Accurate & Valid Information (Internal Reporting) Third-Party Vendor Management Credit Liquidity Investment Counterparty Exchange Rates Legal & Regulatory Requirements Rating Agency Requirements External Performance Reporting Disclosure of Non-Public Information 26

Take Aways Including Cyber Security in Internal Audit Programs When to Outsource Information Security Basics Cybersecurity Risk Assessments Integrating into ERM

Thank you! Contact PIVOT Group. Jim Soenksen, CEO Call: 404-419-2163 Email: jsoenksen@pivotgroup.com www.pivotgroup.com