
2017 IT Examination Preparedness

Iowa Bankers 2017 Technology Conference

October 24, 2017


Disclaimer

• Materials are designed to give general information on the specific subjects covered and are for educational and discussion purposes only. They are not intended to be a comprehensive summary of regulations, laws, guidance, or regulatory work programs.

FDIC and FRB

• Using the Information Technology Risk Examination (InTREx) Program

• Assigning Component Ratings and a Composite Rating

Exam Components

• Audit

• Management

• Development and Acquisition

• Support and Delivery

Traditional IT Examination Areas

• Information and Cyber Security

• IT Management

• Audit

• Operations/Support and Delivery
  – Network
  – Operations

• Acquisition and Development

• Business Continuity

• Incident Response

• Outsourced Third Party Risk Management

• Internet Banking/Ebanking

• EFT/Payment Systems

Update on CAT

• Must complete a cyber assessment

• Not required to use the FFIEC tool

• Phase One of CAT update and revisions completed May 2017

• Provided for Yes, Yes with comment, No

Update on CAT

• Examiners looking for validation of responses: comments/explanation on responses

• Example:

  • Processes are in place to identify additional expertise needed to improve information security defenses.
    • Yes
    • Comment: Through our risk assessment and budgeting processes.

  • Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
    • Yes
    • Comment: Access is controlled; however, we are in the process of researching a tool for monitoring access and activity.

Update on CAT

• Baseline is the minimum requirement and expectation

• Based on basic regulatory guidance and FFIEC Booklets

• Establish “Desired Target Maturity Level”

• Create “Action Plan” to reach the Desired Target Maturity Level

FFIEC Information Security Booklet September 2016


Information Security

• Strong Board and Senior Management support

• Integration of security and controls throughout business processes

• Clear accountability for carrying out security responsibilities

• Focus on information and cyber security controls

Information Security Program

• Robust program
  • Risk identification
  • Risk measurement
  • Risk mitigation
  • Risk monitoring and reporting

• Incorporate cybersecurity elements

• Comprehensive testing and assurance to determine the effectiveness of the Program

Information Security Program

• Integrate processes, people, and technology

• Maintain risk profile in accordance with Board’s risk appetite

• Encompass the entire Bank, not just focus on IT controls

Risk Appetite Statement

The Board has established specific strategic goals and objectives as defined in the Organizational Strategic Plan for the Bank. To increase the probability of achieving these goals, the Board has established acceptable risk tolerances within its risk appetite. The Board periodically reviews the risk appetite and associated tolerances and may adjust them to adapt to changing economic conditions, the threat landscape and/or strategic goals.

Overall, the Board desires to maintain enterprise Information/Cyber Security risk mitigation and control strategies that will reduce inherent risk to a moderate or low level as feasible. Specifically relating to the Cyber Security Assessment, our goal is to maintain a reasonable alignment of our Inherent Risk Level and Cyber Maturity Levels based on the Assessment. When either the enterprise Information/Cyber Security Risk is High or the Cyber Security Assessment levels are out of alignment or high, the Board will be notified and kept apprised of the situation until the items are addressed.

Information Security Program

• Completion of a Cyber Assessment

• Target Inherent Risk Level and Cyber Maturity Level

• Cyber Security Strategy

• Integration of Cyber Security and Information Security

Enterprise-wide Information Security Risk Assessment

• If Management cannot or chooses not to mitigate a vulnerability, it should document:
  • Decision to accept
  • Level of risk associated with the vulnerability
  • Person accountable for accepting the risk

Risk Measurement

• Use threat analysis tools

• Understand and support measurement of information security related risks

• Map threats and vulnerabilities

• Improve consistency in risk measurement

• Highlight potential areas for mitigation

• Select proper controls to cover various attack stages, channels, and assets

• Allow comparisons among threats, events, and potential mitigating controls

Risk Mitigation

• Develop and implement appropriate plan to mitigate identified risks

• Understand extent and quality of current control environment

• Consider system controls rather than any discrete control

• Obtain, analyze, and respond to information from sources like FS-ISAC (threat intelligence gathering)

• Develop, maintain, and update a repository of cybersecurity threats and vulnerability information

Inventory and Classification of Assets

• Updated inventory

• Classifies the sensitivity and criticality of assets
  • Hardware, software, information, and connections
  • High, Medium, Low
  • Public, non-public, institution confidential
  • Critical and non-critical

• Policies to govern inventory and classification
  • Inception and throughout life cycle

Interconnectivity Risk

• Sharing information with other institutions and third parties

• Risk
  • Misuse
  • Mismanagement
  • Compromise of connections

Mitigation of Interconnectivity Risk

• Identify all connections

• Identify all access points and connection types

• Identify connections between and access across low risk and high risk systems
  • LAN, ISP, WiFi, cellular

• Assess all connections with third parties that provide remote access or control over internal systems

• Implement and assess adequacy of controls to ensure security of connections (regardless of criticality or sensitivity)

Network Controls

• Establish trusted and non-trusted zones; segment the network

• Implement appropriate controls over wired and wireless networks

• Maintain accurate network diagram and data flow diagrams

• Develop data inventory

Network and Data Flow Diagram

• Identify:
  • Hardware
  • Software
  • Network components
  • Internal and external connections, including cloud
  • Types of information passed between systems to facilitate the development of defense in depth security

[Slide 23: example diagram, credited to CoNetrix]

Data Inventory

[Slide 24: example data inventory, credited to CoNetrix]

Network Controls

• Defense-in-depth

• Blacklist to disallow code execution

• Whitelist approved programs

• Port monitoring

• Monitoring of unauthorized software installation

• Monitoring for anomalous activity

• Monitor network traffic

Log Management

• SIEM provides a method for management to:
  • Collect
  • Aggregate
  • Analyze
  • Correlate

Log Management

• Should have effective log retention policies

• Strictly control and monitor access to log files

• Encrypt logs containing sensitive data or transmitted over the Internet

• Ensure adequate storage

• Secure backup and disposal of log files

• Log data to a separate, isolated computer

• Log data to read-only media

• Set log parameters to disallow any modification to previously written data

• Restrict access to log files

Log Management

• SIEM used to gather information from:
  • Network and security devices and systems
  • Identity and access management applications
  • Vulnerability management and policy compliance tools
  • Operating system, database, and application logs
  • Physical and environmental monitoring systems
  • External threat data

Logging

• Inactive user accounts

• Failed login attempts

• Changes to administrative groups

• Account management

• Access to sensitive files and folders

• Security events
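As an added example (not part of the slides), the Python below checks a small constructed audit log against the six event categories listed above and performs two of the correlations the SIEM slides call for: spotting accounts with bursts of failed logons and accounts that have gone inactive. The event type names and sample records are constructed for this example and do not come from any real SIEM product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example: (ISO timestamp, event type, account, detail).
SAMPLE_EVENTS = [
    ("2017-10-20T08:00:00", "logon_failed", "jsmith", "bad password"),
    ("2017-10-20T08:00:05", "logon_failed", "jsmith", "bad password"),
    ("2017-10-20T08:00:09", "logon_failed", "jsmith", "bad password"),
    ("2017-10-20T09:15:00", "logon_success", "mjones", "workstation WS-12"),
    ("2017-10-20T09:20:00", "group_change", "mjones", "added to Domain Admins"),
    ("2017-10-20T10:00:00", "account_created", "svc_backup", "service account"),
    ("2017-10-20T10:05:00", "file_access", "mjones", "finance share: wires.xlsx"),
    ("2017-06-01T12:00:00", "logon_success", "old_teller", "workstation WS-03"),
]

# The slide's six categories mapped to the (hypothetical) event types that evidence them.
# "Security events" is the slide's catch-all; here any type other than a successful logon counts.
CATEGORIES = {
    "Inactive user accounts": {"logon_success"},  # judged from last successful logon
    "Failed login attempts": {"logon_failed"},
    "Changes to administrative groups": {"group_change"},
    "Account management": {"account_created", "account_disabled"},
    "Access to sensitive files and folders": {"file_access"},
    "Security events": {"logon_failed", "group_change", "account_created", "file_access"},
}

def coverage(events):
    """Slide categories for which the log holds at least one matching event type."""
    seen = {etype for _, etype, _, _ in events}
    return {cat for cat, types in CATEGORIES.items() if seen & types}

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Accounts with at least `threshold` failed logons inside a sliding `window`."""
    by_acct = defaultdict(list)
    for ts, etype, acct, _ in sorted(events):  # ISO timestamps sort chronologically
        if etype == "logon_failed":
            by_acct[acct].append(datetime.fromisoformat(ts))
    return {acct for acct, times in by_acct.items()
            if any(times[i + threshold - 1] - times[i] <= window
                   for i in range(len(times) - threshold + 1))}

def inactive_accounts(events, as_of, max_idle=timedelta(days=90)):
    """Accounts whose last successful logon is older than `max_idle` as of `as_of` (ISO string)."""
    last = {}
    for ts, etype, acct, _ in events:
        if etype == "logon_success":
            t = datetime.fromisoformat(ts)
            last[acct] = max(last.get(acct, t), t)
    cutoff = datetime.fromisoformat(as_of) - max_idle
    return {acct for acct, t in last.items() if t < cutoff}
```

A category missing from `coverage()` is a logging gap an examiner would raise; the two detections show why the "Inactive user accounts" and "Failed login attempts" items need dates and counts, not just the raw events.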

Change Management

• Process to introduce changes to the environment in a controlled manner

• Configuration management of IT systems and applications

• Hardening of systems and applications

• Use of standard builds

• Patch management

Configuration Management

• Securely maintaining technology by developing baselines for tracking, controlling, and managing system settings

• Confirm security settings

• Track, verify, and report configuration items

• Monitor unauthorized changes and misconfiguration

Patch Management

• Process:
  • Monitoring that identifies availability of patches
  • Evaluating patches against the threat and network environment
  • Prioritizing to determine which patches apply
  • Obtaining, testing, securely installing

• Exception process with appropriate documentation for delaying or not applying

• Ensuring all patches installed in the production environment are also installed in the DR environment

• Updating the asset and technology inventory and the DRP when patches are applied

End of Life

• Maintaining inventories of systems and applications

• Adhering to approved EOL or sunset policy

• Tracking change management, updates, end of support

• Risk assess to help determine EOL

• Plan for replacement (IT Strategic Plan)

• Plan for and securely destroy or wipe hard drives

Testing

• Management should ascertain that the Information Security Program is operating securely, as expected, and reaching intended goals

• Two types of tests mentioned:
  • IT system’s design
  • IT system’s operation

Testing Plans

• Key Factors
  • Scope
  • Personnel
  • Notifications
  • Confidentiality, integrity, availability
  • Confidentiality of test plans and data
  • Frequency
  • Proxy testing

Types of Tests

• Self Assessments

• Penetration Test

• Vulnerability Assessments

• Audits

FFIEC IT Management Booklet November 2015

Information Security Officer/Chief Information Security Officer

• Not an IT resource

• Strategic and integral part of business management team

• Enterprise-wide risk manager

• Championing security awareness training programs

• Reports directly to the Board or Board Committee or Senior Management

IT Planning

• Short term and long term goals

• Align with business plans

• Identify and measure risk before implementation

• Ensure infrastructure to support

• Integrate IT spending into the budgeting process

IT Strategic Planning

• Addresses the long-term goals and allocation of IT resources

• Three to five year timeframe

• Helps ensure alignment with Institution’s business plans and goals

• Risk management/controls

• Addresses budget

• Board reporting

Tactical Plan

• Supports the IT Strategic Plan

• Define specific steps necessary to complete

• Hardware and software architecture

• End user computing resources

• Processing done by third party providers

Operational Plan

• Supports IT Strategic Plan and Tactical Plan

• Addresses in more detail steps to implement

• Specific tasks and timelines

• Responsibilities for each task and milestone

• Drop dead dates

• Budgetary needs

Budgeting

• Management performance

• Consider undocumented costs
  • Repairs, support, upgrades, lifetime management

• Can be a separate IT budget

Common Findings 2017/Hot Spots

Common Exam Findings

• Third party risk management program/vendor management not comprehensive

• Untimely annual third party oversight

• Need process for monitoring problems with third party provider or a “troubled” third party

Common Exam Findings

• Outsourced Third Party Risk Management/Vendor Management
  • Risk assessment not including all relationships; broaden criteria beyond mission critical and access to customer information
  • Not performing and documenting due diligence reviews, and reporting to Board for prospective third party providers
  • Ongoing oversight of third parties not comprehensive

Common Exam Findings

• Insufficient asset inventory (hardware, software, devices)
  • Need all information systems assets/equipment
  • Asset, Role, Location, Model, Serial #, OS, Patch level, Prioritization, Number of licenses owned

Common Exam Findings

• Business continuity planning
  • Comprehensive business impact analysis does not include:
    • MAD, RTOs, RPOs, recovery of the critical path
    • Acceptable level of losses associated with business functions and processes
  • Inadequate documentation, maintenance, and testing of the plan and backup
  • Tabletop and overall testing needs to be more robust

Common Exam Findings

• No data flow diagram

• No data inventory

• Network topologies not comprehensive
  • Depict LAN, WAN
  • Show all devices, external and internal connectivity

Common Exam Findings

• Lack of Board cyber security discussions

• Lack of Board cyber security training
  • FS-ISAC Executive Briefings
  • FDIC Cyber Security Challenge

** Every board member should have an understanding of their responsibility

Common Exam Findings

• Lack of or infrequent reporting to the Board on cyber security and IT
  • Threat intelligence
  • Security event monitoring (SIEM)
  • Patch management
  • Asset inventory updates

Common Exam Findings

• CAT
  • General confusion on baseline controls
  • Inaccurate level of maturity
  • Have a compliance frame of mind (just checking off the box) vs. a process, security frame of mind

Common Exam Findings

• Lack of employee information security training
  • Only using generic online training, e.g. BAI, BVS
  • Need more on bank processes, policies, controls

Common Exam Findings

• Lack of segregation or conflict of IT officer/manager and Information Security Officer duties

• Enterprise-wide information security risk assessment not presented to the Board for review and approval

• Network Admin accounts not renamed

Common Exam Findings

• Admin and service accounts not managed; need more robust credentials

• Administrators need to have an admin profile and a separate general user profile

• Audit not doing a deep dive on user profiles and access

Common Exam Findings

• IT Strategic Plan does not identify both long and short term projects, goals, and objectives

• Address competitive demands of the marketplace, budget, periodic report to Board, status of risk management controls

Common Exam Findings

• Lack of patching of security devices (FW, IDS, IPS, etc.)

• Need standards for infrastructure patching based on risk/criticality
  • 1st priority: Internet facing systems
  • 2nd priority: Systems/applications that move money
  • 3rd priority: Any system/application that has confidential information
  • 4th priority: All other systems/applications

Common Exam Findings

• Vulnerability assessments are limited to scan of IP addresses
  • Need authenticated scan to check internal services, patches, etc.
  • Do at least quarterly

• Lack of social engineering training

• Lack of social engineering testing

Common Exam Findings

• Cloud services
  • Not performing thorough due diligence
  • Risk assess services, security, and controls
  • Know where data is and if secured in transit and/or at rest
  • Does it fit into strategic/business plans

• Don’t leave out “core provider”

• Private cloud
  • Where are servers
  • What security is in place

Common Exam Findings

• Audit
  • Do not have a comprehensive IT audit plan/policy
  • Do not have an IT audit risk assessment
  • Not documenting findings and follow-up corrective action

Questions?

Susan Orr Consulting, Ltd
www.susanorrconsulting.com
630.499.0276
[email protected]