ASSESSING VENDORS USING THE NIST CYBERSECURITY FRAMEWORK




Slide 1: Assessing Vendors Using the NIST Cybersecurity Framework
Quantivate: Enterprise Risk Management | Vendor Management | Business Continuity | IT GRC | Internal Audit | Regulatory Compliance Manager

Presenters:
Dan Banning, Director of Marketing, Quantivate
425.947.5894, dan.banning@quantivate.com, linkedin.com/in/danbanning

Randy Lindberg, Managing Partner, Rivial Security (Quantivate Partner)
888-777-5529, randy@rivialsecurity.com, linkedin.com/in/randyslindberg

Slide 2: Agenda
1. Vendor Due Diligence
2. Vendor Security Controls
3. NIST Cybersecurity Framework
4. Assess Vendor Security
5. Integrate with IT Risk Assessment
6. Questions & Resources

Slide 3: Due Diligence Requirements
- IT Service Providers
- Contract Language
- Data Ownership
- Cloud Services
- Cyber Resilience
You must know the vendor's cybersecurity posture.

SSAE 16 Reports
Report Formats
o SOC 1: Internal Controls over Financial Reporting (ICFR).
o SOC 2: Controls relevant to security, availability, processing integrity, confidentiality, or privacy.
Type 1: Management's description of the system and the suitability of the design of controls.
Type 2: Management's description of the system and the suitability of the design AND operating effectiveness of controls.

Slide 4: Vendor Security Controls
Sources of assurance, ordered from higher quality to lower quality:
- SSAE 16 SOC 2 Type 2
- IT Security Assessment
- SSAE 16
  o SOC 1 Type 2*
  o SOC 1/2 Type 1
  o SOC 3
- Self Assessment
- Vendor Questionnaire
- Information Security Policy
- Interview

Executive Order 13636, Improving Critical Infrastructure Cybersecurity
o Directed NIST to work with stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructure.

Slide 5: Parts of the Framework
Core
o Functions
o Categories
o Subcategories
o Informative References
Implementation Tiers
o Maturity of the risk management program
Profile
o Selection of the right subcategories
(Diagram: Framework Core)

Slide 6: SSAE 16 Review
Basic SSAE 16 Review
- Pinpoint findings without adequate management responses
- Provide complementary user entity controls to the system owner and/or IT
Advanced SSAE 16 Review
- To be a Jedi, use the Framework you must
- Review the description of the system
- Search for subservice organizations
- Use function, category, or subcategory to ensure control objectives are covered
  o The amount of rigor will vary

Slide 7: Subservice Organizations
Controls, DE.CM-4: Malicious code is detected
Search the report for: "malicious code", "malware", "anti virus", "anti", "mal".
D'oh! It's a SOC 1.

Slide 8: Controls
DE.CM-4: Malicious code is detected
Search for "malicious code".
Scoring the Report

Slide 9: Integration with IT Risk
System Controls
o Organizational
o System specific
o Vendor: Complementary User Entity Controls

Sub-category effectiveness (Integration with IT Risk):

Sub Category | Effectiveness | Organizational Controls | System Controls | Vendor Controls
DE.CM-4: Malicious code is detected | Fully Effective | Perimeter web and email anti-virus in place; user workstations have antivirus, updated every 24 hours | Users are trained on anti-phishing tactics | SSAE 16: Servers have antivirus, updated every 24 hours
DE.CM-8: Vulnerability scans are performed | | | |
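The review procedure in Slides 6 through 9 (check the report type, look for subservice organization carve-outs, keyword-search the report per CSF subcategory, then rate the subcategory across organizational, system and vendor controls) can be scripted. This is an added example, not Quantivate or Rivial Security code; the DE.CM-8 search terms, the three-level effectiveness scale and the two report excerpts are constructed assumptions.

```python
import re

# CSF subcategory -> search terms. DE.CM-4's terms follow Slide 7 ("malicious code",
# "malware", "anti virus"); the DE.CM-8 terms are assumptions added for this example.
SUBCATEGORY_TERMS = {
    "DE.CM-4": [r"malicious code", r"malware", r"anti[- ]?virus"],
    "DE.CM-8": [r"vulnerability scan", r"vulnerability assessment"],
}

def report_scope(text):
    """Return (report type, security_relevant). SOC 1 covers ICFR only, so keyword
    hits in a SOC 1 are not evidence of security controls (Slide 7's "D'oh")."""
    m = re.search(r"\bSOC\s*([123])\b", text, re.I)
    rtype = f"SOC {m.group(1)}" if m else "unknown"
    return rtype, rtype in ("SOC 2", "SOC 3")

def review_soc_report(text):
    """Keyword-search the report per subcategory and flag carve-outs to chase separately."""
    rtype, security_relevant = report_scope(text)
    coverage = {}
    for sub, terms in SUBCATEGORY_TERMS.items():
        hits = [t for t in terms if re.search(t, text, re.I)]
        coverage[sub] = hits if security_relevant else []
    return {
        "report_type": rtype,
        "security_relevant": security_relevant,
        "coverage": coverage,
        "subservice_org": bool(re.search(r"subservice organi[sz]ation", text, re.I)),
    }

def rate_effectiveness(org, system, vendor):
    """Combine the three control layers of the Slide 9 table into one rating (assumed scale)."""
    present = sum(1 for layer in (org, system, vendor) if layer)
    if present == 3:
        return "Fully Effective"
    return "Partially Effective" if present else "Not Effective"

# Constructed excerpts for the example; not text from any real report.
SOC2_EXCERPT = """Independent Service Auditor's Report, SOC 2 Type 2.
Controls relevant to security and availability. Servers run anti-virus software
with signatures updated every 24 hours. Payroll processing is performed by a
subservice organization and is carved out of this description."""
SOC1_EXCERPT = """SOC 1 Type 2 report on controls relevant to user entities'
internal control over financial reporting. Malware protection is mentioned in
the system description but is not a control objective tested."""

if __name__ == "__main__":
    for text in (SOC2_EXCERPT, SOC1_EXCERPT):
        print(review_soc_report(text))
    print(rate_effectiveness("anti-phishing training", "AV updated every 24h", "SSAE 16 SOC 2"))
```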

Slide 10: Recap and Resources
Recap
- Vendor Due Diligence
- Vendor Security Controls
- NIST Cybersecurity Framework
- Perform an SSAE 16 Review
- Integrate with IT Risk Assessment
Resources
- FFIEC Handbooks
  o http://ithandbook.ffiec.gov/
- NCUA Guidance
  o http://www.ncua.gov/resources/documents/lcu2008 09ENC.pdf
- FDIC Guidance
  o https://www.fdic.gov/news/news/financial/2008/fil08044a.html
- SSAE 16 Details
  o http://www.ssae16.org
- NIST Cybersecurity Framework
  o http://www.nist.gov/cyberframework/
- Future Considerations
  o https://www.ffiec.gov/press/pr031715.htm
  o Technology Service Provider Strategy: "The FFIEC's members will expand their focus on technology service providers' ability to respond to growing cyber threats and vulnerabilities."

Slide 11: Next Steps
- Learn about Quantivate GRC Software: www.quantivate.com
- Download a free Vendor Assessment Template: www.rivialsecurity.com/vendor cybersecurity template
Questions? Q & A

Slide 12: Thank you!
Dan Banning, Director of Marketing, dan.banning@quantivate.com
Randy Lindberg, Managing Partner, Rivial Security (Quantivate Partner), randy@rivialsecurity.com
Quantivate is the NAFCU Services Preferred Partner for Vendor and Contract Management. Learn more at www.nafcu.org/quantivate.