Cyber Risk Management Solutions
Fall 2015
Thomas Compliance Associates, Inc. 2015
Cyber Risk Management
• Examiners are raising the bar on Cyber Security compliance
• Result of the rapidly changing technological environment
• IT exams getting tougher because there is more technology risk than ever before
• Agencies' independent authority conducts audits of examiners' audit programs
• Agencies making many changes to their exam procedures pursuant to recommendations
Cyber Risk Management
• The FFIEC realizes most banks rely on independent vendors for all or part of cyber risk management efforts
• Not all third party vendors are regulated
• Not all vendors are the same in terms of appropriate security controls
• Agencies see advantages in standardizing expectations for Cyber Risk Management
Cybersecurity Assessment Tool
• Released by the FFIEC on June 30, 2015
• Expectations are the Board of Directors will use this tool to assess cybersecurity risk
• The Board is responsible for recognizing the cyber risks you are accepting and what mitigating controls are in place.
• Assessment Tool has two parts
  o Part 1 - Inherent Risk Profile
  o Part 2 - Cybersecurity Maturity (mitigating controls)
Cybersecurity Assessment Tool: Part 1 - Inherent Risk Profile
• Relies greatly on your ability to identify where sensitive customer data resides throughout your organization.
• Early stages indicate examiners will "take your word for it" provided you have documented that you have made a reasonable effort.
• Software is now available which can identify all NCI (nonpublic Customer Information) wherever it resides on your various systems.
Cybersecurity Assessment Tool: Part 1 - Inherent Risk Profile
• Examiners will quickly evolve and require you to be able to demonstrate, not guess, that you know the location of sensitive data.
• Also expect that when you get hacked (not if you get hacked) you know what information was stolen.
Cybersecurity Assessment Tool: Part 2 - Cybersecurity Maturity
• Analyzes several factors to determine the controls and risk mitigating practices that are already being practiced
• Cybersecurity Preparedness includes:
  o Risk Management and Oversight
  o Threat Intelligence and Collaboration
  o Cybersecurity controls
  o External dependency management
  o Cyber incident management and resilience
Cybersecurity Preparedness
• Risk Management and Oversight: Governance, allocation of resources, and training and awareness of employees
• Threat Intelligence and Collaboration: Gathering, monitoring, analyzing and sharing information from multiple sources on cyber threats and vulnerabilities
Cybersecurity Preparedness
• Cybersecurity controls: A combination of preventive, detective or preventative controls
• External dependency management: Includes connectivity to third party providers, business partners, customers or others, and your institution's expectations and practices to oversee these relationships
• Cyber incident management and resilience: Detection, response, mitigation, escalation, reporting and resilience
Cybersecurity – Preparing for the Next IT Examination
• Board should be prepared to answer questions about information security during next IT exam
• Document the Board's participation in training; use available FFIEC resources
Cybersecurity – Preparing for the Next IT Examination
• Be able to exhibit that the Board and Management understand supervisory expectations and have a high awareness of cybersecurity risks (threats and vulnerabilities) and how that risk is mitigated
• IT Officer should have completed Cybersecurity Assessment Tool
• Documented, reasonable approach
• InfoGPS puts you half a step ahead of your examiners
Cybersecurity and My Bank: Are you plugged into the Cloud?
• Google, Bing, Yahoo Search
• Social Media
• LexisNexis
• FinCEN
• Core Vendor Services
• Local IT Outsourcing
So are the Cyber Criminals
How do Banks Address this Risk?
Cybersecurity and My Bank
• TCA addresses Cybersecurity in its IT Audit Program
• IT Audit is a Method of Measuring and Managing Risk
IT Audit
IT Audit: Fundamental Components
• Risk Assessments
• Asset Management
• Confidential Data
IT Audit: Examiners Now View the Enterprise Through a Cybersecurity Lens
Examiner IT Audit Requirements
• Show me your IT Risk Assessment
• Show me your Enterprise Assets
• Show me where your Sensitive Information Resides
Can Your Bank Respond to These Examiner Requirements?
• Completes much of your IT Risk Assessment / Cyber-security Assessment Tool
• Inventories your Enterprise Assets (HW, SW, Applications)
• Identifies where your Customer Information Resides
• Monitors and Reports on the Creation and Movement of Sensitive Data
There is a Product that Addresses these Compliance Mandates!!!
Back to the Future, an Old Requirement
• Gramm-Leach-Bliley Act 1999 (GLBA)
• Joint Release "Safeguarding of Customer Information"
• FFIEC IT Handbook
Institutions may establish an information data classification program to identify and rank data, systems, and applications in order of importance. Classifying data allows the institution to ensure
consistent protection of information and other critical data throughout the system. Classifying systems
allows the institution to focus its controls and efforts in an efficient and structured manner.
2015 Cybersecurity Assessment Requirement
Page 22: IT Asset Management - Baseline
• An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
• Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value.
Cybersecurity Assessment Tool Underscores Fundamentals
• Cyber incident management and resilience
• External dependency management
• Cybersecurity controls
• Threat Intelligence and Collaboration
• Risk Management and Oversight
Do the Fundamentals First: Know your IS Assets
An accurate knowledge of your IS Assets, specifically your data assets, is critical to perform ALL of the following:
• Compliance & Audit
• IS Risk Assessment
• Craft the Information Security Program
• Prepare for Business Resiliency
• Prepare for Incident Response
• Obtain favorably priced Cyber Security Insurance
• Properly educate your board
• Properly apply controls to protect your Data
Cybersecurity Summary
• FIs are critically dependent on IT to conduct business operations – there is increasing interconnectedness between different business sectors.
• Cyber threats are very rapidly evolving, and it is no longer a matter of those who have been hacked and those who haven't.
Cybersecurity Summary
• Examiners now acknowledge all FIs have been or will be hacked – let that sink in for a minute!
• The difference will be those who know what data was compromised and those who do not.
• Those who do not will be required to devote significant resources to determine what was lost, who was affected, and how to resolve enforcement actions and manage significant reputation risks. As a result, you will see examiners establishing new standards for the identification and management of Non Public Personal Information.
Cybersecurity Summary: Bottom Line
• The OCC (and all of the Regulatory Agencies) are reviewing and updating current guidance and examination procedures to align with changing cybersecurity risk.
• Your choice of vendor for IT Audit is critical, and you must ensure the vendor is adjusting their audit approach to be consistent with the significant changes being made by examiners.
• Your next IT examination will be tougher than any IT examination before it – your ability to exhibit an understanding of your risk and how you manage it is paramount.
Questions?
Please use the Chat feature to submit questions now!
TCA, Inc.
1-800-934-REGS
www.tcaregs.com
©2015 TCA, INC.