Cybersecurity Awareness. Part 2

Similar documents
Cybersecurity Awareness

Cybersecurity Awareness

A Crisis Response, Information Sharing View of FFIEC Appendix J?

FS-ISAC CHARLES BRETZ

FFIEC Cybersecurity Assessment Tool

Ed McMurray, CISA, CISSP, CTGA CoNetrix

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Cybersecurity Issues for Community Banks

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Click to edit Master title style

Cybersecurity: What CFO s Need to Know

ICBA Summary of FFIEC Cybersecurity Assessment Tool

FINANCIAL SERVICES INFORMATION SHARING & ANALYSIS CENTER (FS-ISAC) OPERATING RULES

THE EVOLUTION OF CYBERSECURITY

Financial Services. Information Sharing & Analysis Center FS ISAC

Vendor Management. Outsourcing Technology Services

CYBERSECURITY EXAMINATION SWEEP SUMMARY

Cybersecurity Governance Update: New FFIEC Requirements cliftonlarsonallen.com

Information Technology. A Current Perspective on Risk Management

Report on CAP Cybersecurity November 5, 2015

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

Appendix A: Mapping Baseline Statements to FFIEC IT Examination Handbook

CYBERSECURITY INVESTIGATIONS

NIST Cybersecurity Framework & A Tale of Two Criticalities

Data Breach Response Planning: Laying the Right Foundation

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Appendix J: Strengthening the Resilience of Outsourced Technology Services

CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015

Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks?

Enterprise Security Tactical Plan

Information Technology

Testimony of. Doug Johnson. New York Bankers Association. New York State Senate Joint Public Hearing:

U.S. Cyber Security Readiness

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Cybersecurity The role of Internal Audit

Vendor Risk Management Financial Organizations

Cybersecurity Panel. ABA Mutual Community Bank Conference Marriott Marquis Hotel, Washington, D.C.

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

OCIE CYBERSECURITY INITIATIVE

Standing together for financial industry cyber resilience Quantum Dawn 3 after-action report. November 23, 2015

Cybersecurity. Are you prepared?

Cisco Advanced Services for Network Security

Big Data, Big Risk, Big Rewards. Hussein Syed

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

Instructions for Completing the Information Technology Officer s Questionnaire

NERC CIP Compliance with Security Professional Services

North American Electric Reliability Corporation (NERC) Cyber Security Standard

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Current Trends in Cyber Crime & Payments Fraud cliftonlarsonallen.com

Working with the FBI

The Aviation Information Sharing and Analysis Center (A-ISAC)

The Protection Mission a constant endeavor

What Directors need to know about Cybersecurity?

Information Technology Control Framework in the Federal Government Considerations for an Audit Strategy

Actions and Recommendations (A/R) Summary

CYBER SECURITY GUIDANCE

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Defending Against Data Beaches: Internal Controls for Cybersecurity

Top 10 Baseline Cybersecurity Controls Banks Aren't Doing

Program Overview and 2015 Outlook

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Into the cybersecurity breach

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

September 20, 2013 Senior IT Examiner Gene Lilienthal

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1

Certified Information Systems Auditor (CISA)

GEARS Cyber-Security Services

Cybersecurity and internal audit. August 15, 2014

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire

Identifying and Managing Third Party Data Security Risk

CYBER SECURITY INFORMATION SHARING & COLLABORATION

TESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY. Before the

Appendix B: Mapping Cybersecurity Assessment Tool to NIST

Where insights lead Cybersecurity and the role of internal audit: An urgent call to action

THE TOP 4 CONTROLS.

Cybersecurity Awareness. Part 1

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

Critical Controls for Cyber Security.

FINRA Publishes its 2015 Report on Cybersecurity Practices

Transcription:

Part 2

Objectives Discuss the Evolution of Data Security Define and Discuss Cybersecurity Review Threat Environment Part 1 Discuss Information Security Programs s Enhancements for Cybersecurity Risks Threat Intelligence Third-Party Management Cyber-Resilience Incident Response Describe Cybersecurity Assessment Tool & Other Available Resources Part 2

Information Security Program Governance Structure and Policies Corporate Governance Resilience/ Restoration Threat Intelligence Business Continuity/ Disaster Recovery Information Security Program Audit Program Patch Management Incident Response Risk Assessment and Control Structure Third-Party Management Security Awareness Training

Governance Board and Senior Management Duties and Responsibilities s Ensuring strategic planning and budgeting provide sufficient resources. s Providing sufficient authority, resources, and independence for information security. s Ensuring policies and procedures address cybersecurity. s Incorporating cyber risk into the risk-based audit plan. s Providing reports to reassure the Board the ISP is working. Cyber Risk is a Business Risk!

Control Structure Security Awareness Training s Enterprise-wide s Role-specific s Customers/Merchants s Third Parties s Cybersecurity Culture Think Before You Click

Control Structure Patch Management s s Formal written policies and procedures Develop system for identifying, prioritizing, applying, and testing patches Create/maintain asset inventories Software (e.g., Microsoft and non-microsoft) Firmware (e.g., routers and firewalls) Integrate threat intelligence Establish strategies to migrate from unsupported products Report to board and senior management Audit and internal reviews should validate

Information Security Program: Refocused Resilience/ Restoration Governance Structure and Policies Threat Intelligence Business Continuity/ Disaster Recovery Information Security Program Audit Program Incident Response Risk Assessment and Control Structure Third-Party Management

Information Security Program: Refocused FFIEC Guidance: Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement, dated November 3, 2014 s s Financial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly. Participation in Financial Services Information Sharing and Analysis Center (FS-ISAC) is encouraged. FFIEC Business Continuity Planning Booklet, Appendix J released on February 6, 2015 Strengthening the Resilience of Outsourced Technology Services

Information Security Program: Refocused Resilience/ Restoration Governance Structure and Policies Threat Intelligence Business Continuity/ Disaster Recovery Information Security Program Audit Program Incident Response Risk Assessment and Control Structure Third-Party Management

Threat Intelligence: FS-ISAC Information Sources Member Communications Department of Homeland Security Information Security Treasury and FS Regulators FBI, USSS, NYPD Other Intel Agencies Government Sources Physical Security Business Continuity/ Disaster Response isight Partners Secunia Wapack Labs NC4 Phy Sec MSA Phy Sec Private Sources Cross Sector (Other ISACs) Open Sources (Hundreds) Cross Sector Sources Fraud Investigations Payments/Risk Alerts Member Submissions

Threat Intelligence: FS-ISAC Alert Types Step 1: Understand the Alert Type ANC: Announcements CYT: Cyber Threat CYI: Cyber Incidents COI: Collective Intelligence CYV: Cyber Vulnerability PHT: Physical Threats PHI: Physical Incidents Step 2: Understand the Criticality and Priority ANC = Priority 1-10, 8-10 is high priority CYT = Risk 1-10, 8-9 is Urgent, 10 is Crisis CYI = Risk 1-10, 8-9 is Urgent, 10 is Crisis COI = No Criticality Metric CYV = Risk 1-10, 8-9 is Urgent, 10 is Crisis PHT = Risk 1-10, 8-9 is Urgent, 10 is Crisis PHI = Informational, Minimal Impact, Moderate Impact, Significant Impact, Major Business Disruption Step 3: Determine Distribution Analysts and those involved in risk assessments, vulnerability/ patch management, and intelligence gathering should receive CYV alerts. Provide portal accounts to bank staff based on each individual s role. This will allow them to employ portal filtering for their unique assignments. Provide summary reports for managers and technical reports for analysts. Making informed choices based on each person s role eliminates unnecessary emails.

Threat Intelligence: FS-ISAC Alert The abbreviation and criticality level will always appear in the subject line, along with the title. FS-ISAC s Traffic Light Protocol White Green Amber Red Share freely but copyrighted Share among FS-ISAC members and partners only. Not public. Share among FS-ISAC members only. Restricted to a defined group. The alert will go into more detail such as the type of threat, summary, and handling instructions.

Threat Intelligence: US-CERT Alert CVE Affected Products Patching Information

Threat Intelligence s s s External Sources FS-ISAC US-CERT Third-Party Servicers e.g., core, telecommunications, managed security services s Internal Sources Reports Operational Reports Internal Audit Reports Fraud Detection Reports Logs Executives Board Fraud Operations Tellers Audit HR Network Administrator Security

Information Security Program: Refocused Resilience/ Restoration Governance Structure and Policies Threat Intelligence Business Continuity/ Disaster Recovery Information Security Program Audit Program Incident Response Risk Assessment and Control Structure Third-Party Management

Third-Party Management Core Transactional Internet Banking Mobile Banking Managed Network Security

Appendix J: Third-Party Management Relationship Management s Due Diligence s Contracts s Ongoing Monitoring Resiliency and Testing s Mission-Critical Services s Capacity s Service Provider Continuity Strategies s Evaluate/Understand Gaps s Service Provider Alternatives

Information Security Program: Refocused Resilience/ Restoration Governance Structure and Policies Threat Intelligence Business Continuity/ Disaster Recovery Information Security Program Audit Program Incident Response Risk Assessment and Control Structure Third-Party Management

Appendix J: Resilience Consider incorporating the following mitigating controls into business continuity plans: s Data backup architecture and technology s Data integrity controls s Independent, redundant communication providers s Layered security strategies s Enhanced planning for the possibility of simultaneous attacks s Increased awareness of potential insider threats s Prearranged third-party forensic and incident management services

Appendix J: Incident Response Enhance and test incident response plans to incorporate potential cyber threats Integrate service providers into incident response planning FFIEC Guidance: Final Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, dated April 1, 2005 s s s s Assess nature/scope and contain/control the incident Notify primary Federal regulator File Suspicious Activity Report (SARs) and notify law enforcement Notify customers if there is a reasonable likelihood the information will be misused

Information Security Program: Refocused Resilience/ Restoration Governance Structure and Policies Threat Intelligence Business Continuity/ Disaster Recovery Information Security Program Audit Program Incident Response Risk Assessment and Control Structure Third-Party Management

FFIEC Cybersecurity Assessment Tool FFIEC Press Release: Cybersecurity Assessment Tool, dated June 30, 2015 s Voluntary tool that provides management with a repeatable and measurable process to assess an institution s risks and cybersecurity preparedness s Consists of two parts: Inherent Risk Profile and Cybersecurity Maturity s Consider periodically reevaluating the Inherent Risk Profile and Cybersecurity Maturity over time as threats, vulnerabilities, and operational environments change

FFIEC Cybersecurity Assessment Tool Benefits to the Institution: s Identify factors contributing to and determining the institution s overall cyber risk profile. s Assess the institution s cybersecurity preparedness. s Evaluate whether the institution s cybersecurity preparedness is aligned with its risks. s Determine risk management practices and controls that could be enhanced and actions that could be taken to achieve the desired state of cyber preparedness. s Inform risk management strategies.

Evolution of Data Security Emerging ATM

Threat Intelligence Resources Financial Services-Information Sharing and Analysis Center (FS-ISAC) www.fsisac.com/ United States Computer Emergency Readiness Team (US-CERT) www.us-cert.gov/ InfraGard www.infragard.org/ U.S. Secret Service Electronic Crimes Task Force www.secretservice.gov/ectf.shtml The Top Cyber Threat Intelligence Feeds www.thecyberthreat.com/cyber-threat-intelligence-feeds/

Resources FFIEC IT Examination Handbooks http://ithandbook.ffiec.gov FFIEC http://ffiec.gov/cybersecurity.htm FDIC Financial Institution Letters www.fdic.gov/regulations/resources/director/risk/it-security.htm

Directors Resource Center Directors Resource Center www.fdic.gov/regulations/resources/director/ Technical Assistance Video Program s Information Technology (IT) s Corporate Governance s Third-Party Risk s Cyber Challenge: A Community Bank Cyber Exercise Questions supervision@fdic.gov

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information