The Intersection of Internal Controls and Cyber Security



The Intersection of Internal Controls and Cyber Security
Ralph Mosios, Chief Information Security Officer, Federal Housing Finance Agency
ISACA NCAC Conference, November 18, 2014

The Federal Housing Finance Agency (FHFA), as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the FHFA or of the author's colleagues on FHFA's staff.

About FHFA, Part 2
- FHFA is an independent agency with a unique mission: providing oversight of the housing government-sponsored enterprises (GSEs).
- FHFA's mission is to promote GSE safety and soundness and to ensure that the GSEs serve as a reliable source of liquidity and funding for housing finance and community investment.
- GSEs provide more than $5.5 trillion in funding for U.S. mortgage markets and financial institutions.
- FHFA is not subject to the Federal Financial Management Improvement Act (FFMIA) of 1996.
- FHFA adheres to the internal control requirements of the Federal Managers Financial Integrity Act (FMFIA) of 1982 and OMB Circular A-123.
- FHFA adheres to Title III of the Electronic Government Act of 2002, commonly referred to as the Federal Information Security Management Act (FISMA).

Internal Controls: Who Cares?
What are internal controls? [1] Management processes, policies, and procedures that help to ensure:
- Efficient, effective operations
- Reliable financial reports
- Legal and regulatory compliance
Internal controls must be documented, routinely tested, and auditable.
- JPMorgan, HSBC, Enron, WorldCom, and other scandals are perceived, in part, as the result of poor internal controls.
- Internal controls are at the heart of the Sarbanes-Oxley Act (Section 404), OMB Circular A-123, and the Federal Information Security Management Act.
Bottom line: internal controls are an FHFA agency-wide priority.

[1] The Committee of Sponsoring Organizations of the Treadway Commission (COSO), see http://www.coso.org/publications/executive_summary_integrated_framework.htm.

Federal Information Security Management Act (FISMA)
- Requires federal agencies to develop and implement an agency-wide information security program.
- Establishes a framework to protect agency information, operations, and assets.
- Requires each agency to perform an annual, independent evaluation of its information security program and practices to determine their effectiveness.
- Consolidates many security requirements and guidance documents into an overall framework.
- Establishes the role of the National Institute of Standards and Technology (NIST) in developing information security standards and guidelines.

Key Drivers for FHFA's Cyber Program
NIST has developed a significant number of standards for federal agencies that help shape internal controls:
- NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, is a driving force behind FHFA's compliance program.
- NIST Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
- NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.
- Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.

Components of FHFA's Cyber Security Program
(Slide diagram.) Inputs to the program: NIST 800-137, NIST 800-53, NIST 800-37, Security Technical Implementation Guides (STIG), FIPS-199, Center for Internet Security (CIS).
The CISO oversees three functions: Policy & Compliance, Continuous Monitoring, and Engineering & Operations.
Activities shown on the diagram, in the order given:
- Develop Policy & Procedures
- Continuous Monitoring Program
- Plans of Actions & Milestones (POA&M) Tracking
- Risk Assessments
- Training & Awareness
- Security Outreach
- Internal Controls/Audit Support
- Security Technical Implementation Guides (STIG)
- Center for Internet Security (CIS)
- Federal Information Processing Standards (FIPS)
- Security Operations Center
- Incident Response
- Manage Security Devices
- Monitoring Events
- Forensic Analysis
- Network Scanning
- Application & Database Scanning
- Vulnerability Management
- Security Testing
- Penetration Testing

Implementing an Effective Cyber Security Program
There are no silver bullets for implementing an effective cyber security program with internal controls:
- A combination of management, operational, and technical controls is required.
- It is not an inexpensive venture!
- Know the relevant legislation and corresponding compliance frameworks (e.g., FISMA, FISCAM, SOX).
- Senior management support is critical.
- A cultural change may be required.
- Establish a relationship with your auditors!
- Eat the elephant one piece at a time.

References
- 2013 Federal Housing Finance Agency Performance and Accountability Report, www.fhfa.gov/webfiles/25882/par_2013.pdf
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO), http://www.coso.org/publications/executive_summary_integrated_framework.htm