Leveraging Frameworks to Develop an Effective Control Environment
W. Wade Sapp, CUNA Mutual Group
February 11, 2015
Introductions
Company: CUNA Mutual Group, Madison, WI. CUNA currently utilizes a hybrid financial reporting control framework to satisfy Model Audit Rule requirements, issues a SOC 1 report for its Pension Operations, and issues three separate SOC 2 reports for various product lines.
Presenter: Wade started his professional career as a financial institution examiner at the end of the Savings and Loan crisis. Regulating suffering financial institutions provided a rich environment in which to analyze, learn from and mitigate failed internal controls. Past successful projects include designing and implementing general ledgers, information system conversions, and internal control framework implementation and testing.
Agenda
Review of 2014 events
Framework definition
Where to begin
Basic framework principles
Popular frameworks
Looking Back at 2014
783 (reported) U.S. data breaches, a 27.5 percent increase over 2013 and an 18.3 percent increase over the previous high of 662 breaches tracked in 2010
Medical/Healthcare industry topped the list at 42.5 percent of reported breaches
Business sector: 33 percent
Military: 11.7 percent
Education: 7.3 percent
Banking/Financial: 5.5 percent
Looking Back at 2014
Hacking generated 29.0 percent of 2014 breaches
Subcontractor/Third Party: 15.1 percent
Accidental exposure of information: 11.5 percent
Data in transit: 7.9 percent
Hardware loss, employee negligence, accidental web exposure, paper breaches and other: 36.5 percent
"Without a doubt, 2015 will see more massive takedowns, hacks, and exposure of sensitive personal information like we have witnessed in years past." Adam Levin, founder and chairman of IDT911
2015 Predictions
In the past 12 months, GM reported more than a $3.8 billion hit for vehicle repairs and compensation for accident victims from its 71 recalls covering close to 30 million vehicles
Forrester predicts an even more challenging risk and compliance business environment in 2015, with even greater corporate blunders, stricter regulatory enforcement, and executives who will continue to fail to address their most important customer-facing risks
In 2015, a single corporate risk event will lead to losses topping $20 billion
JPMorgan Chase & Co. (JPM) Chief Executive Officer Jamie Dimon said the biggest U.S. bank will probably double its $250 million annual computer-security budget within the next five years
Source: The GRC Playbook, Christopher McClean, Nick Hayes, and Renee Murphy, November 12, 2014
Technology Challenges: The Grand Balancing Act
Keep the lights on: SLAs, ROI, value delivery
Manage costs: budget vs. actual
Master complexity: DCO, cloud, mobile, BYOD
Align technology with business objectives
Regulatory compliance
Risk management
Security: patching, securing without breaking
What is a Framework?
Framework definition: the basic structure of something; a set of ideas or facts that provide support for something; a supporting structure: a structural frame, foundation or skeleton that holds everything up
"When you decide to not pick a public framework, you will end up with a framework anyway: your own." Ryan Florence, 2014
Framework Relevance
Frameworks are used to measure you every day, whether or not you chose them
Regulatory compliance requirements
Elected frameworks: PCI certification, ISO 27001
Process improvement
Risk mitigation
Failure to meet objectives: breach, fraud
Just good business
Framework Advantages
Provide a comprehensive and systematic approach to more proactive and holistic risk and opportunity management
Provide a standardized dictionary of key risk and control terminology and acronyms
Require that organizations examine their complete portfolio of risks, consider how those risks interrelate, and that management develops an appropriate risk mitigation approach to address these risks in a manner that is consistent with the organization's strategy and risk appetite
Ethical Hacking Framework
Hacking Framework
Framework Complexity
Framework Project Risks
May be difficult to gain momentum
Does not eliminate risk; a framework can only provide reasonable assurance that residual risk will remain within the organization's acceptable risk parameters
Does not guarantee regulatory compliance
Does not guarantee return on investment
Could be a career-limiting move
Inadequate planning and project management can escalate framework costs and waste resources
Framework Comparison
Where to Begin
Develop a high-level scope
Inventory relevant processes, assets, vendors, stakeholders, roles and responsibilities
Don't reinvent the wheel: leverage existing frameworks and controls
Conduct a readiness assessment and identify gaps
Develop an information and communication plan
Policies and Procedures
Policies: define expected standards of behavior; establish high-level structures and processes; set fundamental requirements and limits, and allocate responsibilities; establish control mechanisms
Procedures: describe in detail the process or steps to be taken in order to implement a policy; apply to a specific area or process
The COSO Principles: Control Environment
1. The organization demonstrates a commitment to integrity and ethical values
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
The COSO Principles: Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives
9. The organization identifies and assesses changes that could significantly impact the system of internal control
The COSO Principles: Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
11. The organization selects and develops general control activities over technology to support the achievement of objectives
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action
The COSO Principles: Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control
The COSO Principles: Monitoring Activities
16. The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors as appropriate
Commonizing Controls
Commonizing Controls: Security Policy Controls (requirement, then control text)
ISO A.5.1.1, Information security policy document: An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.
SOC 2 Confidentiality Trust Principle: Management has established policies and procedures to describe security and confidentiality requirements and standards of the firm. Security and confidentiality policies, procedures, and standards are reviewed, updated, and approved on an annual basis.
SOC 1 IT General Control: A comprehensive security policy exists, and is supported by a framework of security standards that supports the objectives of the organization's security policy.
CA #2.1: A security policy exists and is supported by a framework of security standards. The policy and security standards are reviewed annually and updated as necessary.
Commonizing Controls: the resulting common control
Management has established and maintains an information security framework which is supported by documented policies, procedures and standards. The framework and supporting documents are reviewed and approved by management at least annually. All relevant documents are published and communicated to all employees and relevant third parties.
Framework Auditing
Frameworks are written for business operations, not for auditors
Auditors need to be competent in the framework to effectively review and comment on its attributes
May need to engage a subject matter expert
May want to consider attorney-client privilege
Need to remain independent and objective
Framework Auditing
Internal auditors must refrain from assessing specific operations for which they were previously responsible
Frameworks must be sustainable: controls must be effective every day, not only on the day of the audit
If a certification is a deliverable, the assessor must be qualified/certified by the certifying organization and hold a certificate of approval at the appropriate level
PCI DSS
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) applies to any entity, of any size, that stores, processes or transmits cardholder data. If your company accepts card payments, every system that stores, processes or transmits cardholder data (the cardholder data environment) must meet PCI DSS, whether you host it yourself or with a PCI DSS compliant hosting provider; when hosting is outsourced, the split of requirements between you and the provider must be documented (see requirement 12.8).
Dashboard-PAT-Locker Linkages
PCI Dashboard Detail
PCI Assessment Tool Detail
Evidence Locker Detail
Evidence Locker Detail
Rqmt #: 12.3.9
Description: Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Testing Procedure (12.3.9): Verify that the usage policies require activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Comments: N/A. CMFG does not provide vendor access to any PCI zone systems. This was confirmed through review of VPN users and of the active accounts permitted to access the PCI zone through the jump host.
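The comment above records how 12.3.9 was evidenced: a review of VPN users and of the accounts allowed through the jump host into the PCI zone. As an added example (not part of the presentation or of CMFG's tooling), the script below performs that review over a constructed account inventory and a constructed list of approved vendor access requests; the `Account` and `AccessRequest` records, the user names, the ticket numbers and the `review_vendor_access` function are all assumptions, and the VPN and jump-host exports are assumed to have been flattened into `Account` records beforehand. It covers the N/A outcome on the slide (no vendor accounts at all) and the two exceptions 12.3.9 is about: a vendor account enabled with no approved request, and one left enabled after its approved window ended.

```python
"""Vendor remote-access review supporting PCI DSS 12.3.9.

Added example, not from the presentation. The inventory and access requests
below are constructed; real input would come from the VPN and jump-host
account exports.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass
class Account:
    user: str
    system: str      # "vpn" or "jumphost"
    vendor: bool     # vendor / business-partner account (not an employee)
    enabled: bool


@dataclass
class AccessRequest:
    user: str
    approved_from: datetime
    approved_until: datetime
    ticket: str      # constructed change/access ticket reference


@dataclass
class Finding:
    user: str
    system: str
    issue: str


def review_vendor_access(accounts: List[Account], requests: List[AccessRequest],
                         now: datetime) -> Tuple[List[Finding], str]:
    """Return the 12.3.9 exceptions plus a one-line summary for the evidence locker."""
    vendors = [a for a in accounts if a.vendor]
    if not vendors:
        # The slide's own outcome: nothing to test because no vendor access exists.
        return [], "N/A: no vendor or business-partner accounts on the VPN or the jump host"

    by_user: Dict[str, List[AccessRequest]] = {}
    for r in requests:
        by_user.setdefault(r.user, []).append(r)

    findings: List[Finding] = []
    for a in vendors:
        if not a.enabled:
            continue  # deactivated is the expected state between approved uses
        reqs = by_user.get(a.user, [])
        if any(r.approved_from <= now <= r.approved_until for r in reqs):
            continue  # enabled inside an approved window: compliant
        past = [r for r in reqs if r.approved_until < now]
        if past:
            last = max(past, key=lambda r: r.approved_until)
            findings.append(Finding(a.user, a.system,
                f"still enabled after {last.ticket} window ended {last.approved_until:%Y-%m-%d %H:%M}"))
        else:
            findings.append(Finding(a.user, a.system, "enabled with no approved access request"))

    summary = f"{len(vendors)} vendor accounts reviewed, {len(findings)} exception(s)"
    return findings, summary


# Constructed sample data: the review date and the flattened account/request exports.
NOW = datetime(2015, 2, 11, 9, 0)
ACCOUNTS = [
    Account("alice",        "vpn",      vendor=False, enabled=True),   # employee, out of scope
    Account("acme-svc",     "jumphost", vendor=True,  enabled=True),   # window ended yesterday
    Account("beta-support", "vpn",      vendor=True,  enabled=True),   # never approved
    Account("gamma-eng",    "jumphost", vendor=True,  enabled=True),   # inside approved window
    Account("delta-ops",    "vpn",      vendor=True,  enabled=False),  # correctly deactivated
]
REQUESTS = [
    AccessRequest("acme-svc",  datetime(2015, 2, 10, 8), datetime(2015, 2, 10, 17), "ACC-0417"),
    AccessRequest("gamma-eng", datetime(2015, 2, 11, 8), datetime(2015, 2, 11, 12), "ACC-0421"),
    AccessRequest("delta-ops", datetime(2015, 2, 9, 8),  datetime(2015, 2, 9, 17),  "ACC-0409"),
]


def run_review() -> Tuple[List[Finding], str]:
    return review_vendor_access(ACCOUNTS, REQUESTS, NOW)


if __name__ == "__main__":
    findings, summary = run_review()
    print(summary)
    for f in findings:
        print(f"  {f.system:8} {f.user:14} {f.issue}")
```

The summary line is what goes into the Comments column of the evidence locker; the findings are the exceptions an assessor would expect to see remediated (account disabled) or explained by an approved request that the inventory missed.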
Prescriptive Detail in PCI DSS
PCI DSS Updates, 2.0 to 3.0
1.1.2, 1.1.3 - Clarified what the network diagram must include (1.1.2) and added a new requirement at 1.1.3 for a current diagram that shows cardholder data flows.
2.4 - New requirement to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards.
3.5.2, 3.5.3 - Split requirement 3.5.2 into two requirements to focus separately on storing cryptographic keys in a secure form (3.5.2), and in the fewest possible locations (3.5.3). Requirement 3.5.2 also provides flexibility with more options for secure storage of cryptographic keys.
5.3 - New requirement to ensure that anti-virus solutions are actively running (formerly in 5.2), and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis.
PCI DSS Updates, 2.0 to 3.0
6.5.10 - New requirement for coding practices to protect against broken authentication and session management. Effective July 1, 2015.
8.6 - New requirement where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) that the mechanisms must be linked to an individual account and ensure only the intended user can gain access with that mechanism.
9.3 - New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination.
9.9.x - New requirements to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. Effective July 1, 2015.
PCI DSS Updates, 2.0 to 3.0
11.1.x - Enhanced requirement to include an inventory of authorized wireless access points and a business justification (11.1.1) to support scanning for unauthorized wireless devices, and added new requirement 11.1.2, aligned with an already-existing testing procedure, for incident response procedures if unauthorized wireless access points are detected.
11.3.4 - New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective.
11.5.1 - New requirement to implement a process to respond to any alerts generated by the change-detection mechanism (supports 11.5).
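Requirements 11.5 and 11.5.1 above ask for a change-detection mechanism over critical files and a process that responds to every alert it raises. The following is an added example, not from the presentation, of the minimum such mechanism: a SHA-256 baseline of a file tree, a comparison that classifies added, removed and modified files, and a triage step that dispositions each alert against an approved-change list so that no alert is silently dropped. The file tree, the paths and the change ticket `CHG-1042` are constructed for the demo, and the function names are assumptions.

```python
"""File-integrity change detection (PCI DSS 11.5) with alert triage (11.5.1).

Added example, not from the presentation. The file tree, paths and the ticket
reference CHG-1042 below are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Alert = Tuple[str, str]  # (change kind, path relative to the monitored root)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> List[Alert]:
    """Classify every difference between two baselines; unchanged files raise nothing."""
    alerts: List[Alert] = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append(("removed", rel))
        elif rel not in baseline:
            alerts.append(("added", rel))
        elif baseline[rel] != current[rel]:
            alerts.append(("modified", rel))
    return alerts


def triage(alerts: List[Alert], approved_changes: Dict[str, str]) -> List[dict]:
    """11.5.1: give every alert a disposition. approved_changes maps path -> change ticket.

    An alert that matches an approved change is closed against that ticket; anything
    else is an unexplained change to a monitored file and must be investigated.
    """
    dispositions = []
    for kind, rel in alerts:
        ticket = approved_changes.get(rel)
        dispositions.append({
            "path": rel,
            "change": kind,
            "disposition": "approved" if ticket else "investigate",
            "ticket": ticket,
        })
    return dispositions


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> List[dict]:
    """Baseline a throwaway tree, alter it three ways, and triage the resulting alerts."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {
            "etc/sshd_config": b"PermitRootLogin no\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "bin/app": b"\x7fELF constructed binary\n",
        }.items():
            _write(root, rel, data)
        baseline = build_baseline(root)

        _write(root, "etc/sshd_config", b"PermitRootLogin yes\n")        # modified, ticketed
        os.remove(os.path.join(root, "etc", "hosts"))                     # removed, unexplained
        _write(root, "etc/cron.d/backup", b"0 2 * * * root /opt/bk.sh\n")  # added, unexplained

        alerts = compare(baseline, build_baseline(root))
        return triage(alerts, {"etc/sshd_config": "CHG-1042"})  # constructed ticket


if __name__ == "__main__":
    for d in demo():
        print(f"{d['change']:9} {d['path']:22} {d['disposition']:12} {d['ticket'] or ''}")
```

In practice the baseline is stored and signed outside the monitored host, the comparison runs on a schedule (11.5 asks for at least weekly), and the "investigate" rows are what the incident response procedure in 12.10 has to pick up; the point of 11.5.1 is that the triage output exists and is acted on, not merely that the comparison runs.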
PCI DSS Updates, 2.0 to 3.0
12.8.5 - New requirement to maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
12.9 - New requirement for service providers to provide the written agreement/acknowledgment to their customers as specified at requirement 12.8. Effective July 1, 2015.
12.10.x - Renumbered requirement and updated 12.10.5 to clarify that the intent is for alerts from security monitoring systems to be included in the incident response plan (clarification).
COBIT Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
COBIT 5 Self Diagnostic
COBIT 5 Assessment Scoping Tool
COBIT 5 Self-Assessment Template
Cybersecurity Information Sharing Act of 2014 Purpose: To authorize private entities to prevent, investigate, and mitigate cybersecurity threats, to authorize the sharing of cyber threat indicators and countermeasures, and for other purposes.
Cybersecurity Information Sharing Act of 2014
Executive Order 13636, February 12, 2013
Cyber threat information sharing
Focus is on vital infrastructure
Voluntary critical infrastructure cybersecurity program
NIST to develop a cybersecurity control framework
NIST Cybersecurity Framework
The NIST Cybersecurity Framework was developed under Executive Order 13636 (February 2013), not under the 2014 information-sharing legislation. The Framework (V1.0 released February 12, 2014) was created through collaboration between industry and government, and consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
NIST Cybersecurity Framework
The framework is largely a process; it is designed to help organizations start a cybersecurity program or improve an existing one. It features a number of industry-vetted actions that businesses can take to assess and strengthen their state of security over time using risk-based methods. It is not meant to be prescriptive or to impose new regulatory requirements on industry.
NIST Cybersecurity Framework: Framework Core
Divided into 5 Functions (Identify, Protect, Detect, Respond, and Recover)
22 related Categories (e.g., Asset Management, Risk Assessment, etc.; very similar to sections in ISO 27001 Annex A)
98 Subcategories (very similar to controls in ISO 27001 Annex A)
Each Subcategory carries Informative References to other frameworks such as ISO 27001, COBIT, NIST SP 800-53, etc.
NIST Cybersecurity Framework
Like ISO/IEC 27001, the Cybersecurity Framework is based on risk management
Both are technology neutral
Both provide a methodology for how to implement information security
Both have the purpose of achieving business benefits while observing legal and regulatory requirements
NIST Cybersecurity Framework
An Exploration of the New Cybersecurity Framework, May 22, 2014
Ann M. Beauchesne, Vice President, National Security and Emergency Preparedness Department, U.S. Chamber of Commerce
Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, the White House
Dr. Patrick D. Gallagher, Under Secretary for Standards and Technology and Director, U.S. Department of Commerce
Troy Land, Assistant to the Special Agent in Charge, Electronic Crimes Task Force, U.S. Secret Service
Eric D. Shiffman, Supervisory Special Agent, FBI Chicago Division, Cyber Task Force
An Exploration of the New Cybersecurity Framework, May 22, 2014
U.S. companies are losing trade secrets to cyber-attacks, which will be devastating to the economy long-term
Risk management is a term that management simply does not understand
Cyberspace defense is warfare: companies need to adequately organize, train and equip their security professionals, and each company needs a fully trained team of cyber warriors
Either fund cybersecurity before the attack or you will fund it after the breach
An Exploration of the New Cybersecurity Framework, May 22, 2014
It is a given that corporate security professionals are allotted limited resources (underfunded)
Companies need to implement an evolving security framework
Threat detection and analysis is critical to protecting sensitive data
Security frameworks must be driven by the respective industry to be effective, not by the government
An Exploration of the New Cybersecurity Framework, May 22, 2014
Most of the U.S. infrastructure is privately held; the Government is looking for industry leaders to be part of its cyber team
One of the biggest risks to companies is actually the loss of utility-related U.S. infrastructure
Cybersecurity is not an add-on to a company's processes; it must be part of the organization's governance strategy
An Exploration of the New Cybersecurity Framework, May 22, 2014
Companies are encouraged to conduct a cyber-resiliency review and map existing cyber controls to the framework
Cyber data sharing is voluntary today, but regulatory authorities are becoming more conscious of the framework
No single strategy can prevent advanced persistent threats (APTs)
Lessons Learned
Tone at the top is critical to your success
Don't forget vendors and other third parties when scoping
Stakeholders should represent all material areas, and at the proper level of authority
Clearly understand your team's skillsets and gaps
Utilize professionals for key activities if needed; it will improve the probability of project success
Be sure to work with the business area professionals (those who know)
Think the deliverables through; establish consistent documentation and formats
Lessons Learned
Embed compliance into corporate documentation
Clearly communicate control ownership and responsibilities
Understand up front how maintenance of the framework will be operationalized and transferred from the project team
Communicate expectations and provide awareness training
Don't reinvent the wheel: leverage the controls and frameworks you already have in place
Always know your audience and manage your message appropriately
Anticipate future control framework needs
Questions? wade.sapp@cunamutual.com