Enterprise Risk Management for Community Banks


Enterprise Risk Management for Community Banks
Brian T. O'Hara, CISA, CISM, CRISC, CISSP
CISO, The Mako Group, LLC
btohara@makopro.com
http://www.linkedin.com/in/brianohara/
Twitter: @brian_t_ohara

The Mako Group, LLC
- IT & Info Sec Auditing
- IT Risk Assessments
- Security Training
- Vulnerability Assessments
- Social Engineering
- PCI DSS 3
- FISMA Audits
- Penetration Testing
- Gap Assessments
- SOC 1 and SOC 2
- SOX 404
- HIPAA
- Virtual CISO

The Mako Group, LLC (offices)
- 1570 Woodward Ave., Detroit, MI 48266. Phone: 313.355.0538. Email: detroit@makopro.com
- 110 West Berry Street, Suite 2400, Fort Wayne, IN 46802. Phone: 260.267.5999. Email: fortwayne@makopro.com
- 8555 River Road, Suite 315, Indianapolis, IN 46240. Phone: 317.941.MAKO (6256). Email: indianapolis@makopro.com

Bio
- CISO of The Mako Group, LLC
- ISSA Fellow
- Program Chair, CINT, Ivy Tech NE
- Adjunct Faculty, Indiana Tech
- CISSP: Certified Information Systems Security Professional
- CISA: Certified Information Systems Auditor
- CISM: Certified Information Security Manager
- CRISC: Certified in Risk and Information Systems Control

Bio
- CAE of The Mako Group, LLC
- CPA
- MSA, Master of Accountancy
- ISACA Detroit Chapter
- CISA: Certified Information Systems Auditor
- Previously ran the Sarbanes-Oxley and FDICIA programs for Ally Bank

What Is ERM?
Enterprise Risk Management ("ERM") is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. (http://www.rims.org/erm/pages/whatiserm.aspx)

ERM Elements
- Tied to the bank's strategic plan
- Chief Risk Officer (top-down approach)
- Correlations (non-silo)
- Target objectives
- Measurable
- Focus on outcomes

ERM Principles
- Not just about risk mitigation
- It is a management system
- A management model that leads to action
- Unified approach
- Answers key questions

Quiz 1: Who invented the World Wide Web? Tim Berners-Lee

ERM Key Questions
- Do we understand risk across the enterprise?
- What is the reward?
- Is the risk acceptable?
- Is the reward great enough?
- Does it link strategies?
- Is it supported from the top down?
- Are discussions made with input from the business, as opposed to protecting lines of business?

Who Is ERM Designed For?
- Community banks?
- Size?
- Complexity?
- Affordability?
- Value add?

Examples
- Larger banks
- Publicly traded companies (SOX)
- Service providers (CORE)

ERM Value
- Provides a more robust picture of risk
- Corrects the silo risk mentality
- Provides greater transparency
- Delivers effective resource allocation
- Shifts focus from reactive to proactive
- Examiner expectations

Sound ERM
- IT risks rolled up
- No risk silos
- Integrated with business strategy
- Provides a more accurate picture of tolerance
- More effective resource allocation
- Proactive vs. reactive
- Helps identify key controls

Poor ERM
- Risk silos
- Poor view of overall risks
- Reactive rather than proactive
- Examples: Target, TJ Maxx, Heartland Payment Processors

Quiz 2: What was the first commercial web browser?

ERM Frameworks
- COSO
- RIMS
- ISO
- COBIT
- FFIEC guidance
- Johnson and Johnson
- NIST

Risk Management Frameworks
- Cybersecurity Framework (Executive Order 13636)
- NIST
- COBIT
- COSO
- ISO
- FFIEC guidance

Communicating ERM Across the Enterprise
- Quantitative and qualitative
- $ to risk to exposure
- Opportunities

How To Implement ERM
- Pick a framework
- Get top management buy-in
- Establish enterprise stakeholders

How to Discuss with Sr. Mgmt
- Cost
- Risk
- Opportunity

How to Explain Quantitative vs. Qualitative Information

Quiz 3: Who sent the first official email over the internet? Mark Tomlinson

When Is ERM Not a Good Fit?
- Lack of senior management buy-in
- Size and complexity of operations
- Too expensive; cost vs. benefit

ERM Problems
- Lack of a single unifying framework
- Remains reactive
- Discounts insiders (relies on "experts")
- Does not calculate mitigation costs
- Fails to rank risk
- Lack of academic studies showing effectiveness

Cybersecurity Framework
- NIST creation
- Fits smaller community banks
- Easily tailored and scalable
- Encompasses ERM key components
- Provides control mappings to standards
- Above and beyond examiner expectations
- Affordable implementations

The Mako Group's Approach (Hybrid)
- Guided (the organization is the expert)
- Holistic
- Eclectic
- Customized based on organization needs
- Based on value added
- Built to optimize resource allocation

Conclusions
- ERM is not always a good fit
- Can be costly
- Can add unforeseen visibility
- Can add predictive value
- Can still provide guiding principles

Summary
- ERM value still unclear
- ERM is a holistic approach
- More complex
- More about choosing the pieces that work for you
- Hybrid approaches using models like the Cybersecurity Framework provide the best of both worlds

Thanks
Brian T. O'Hara, CISA, CISM, CRISC, CISSP
CISO, The Mako Group, LLC
btohara@makopro.com
http://www.linkedin.com/in/brianohara/
Twitter: @brian_t_ohara