Management Awareness Training
Transcript of Management Awareness Training
![Page 1: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/1.jpg)
infotex
Dan Hadaway, CISA, CISM, Managing Partner, infotex
Management Awareness Training
Awareness Training Series
![Page 2: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/2.jpg)
Objectives
• What is IT Governance, and what does a typical IT Governance program look like?
• What is the management team’s role in the IT Governance Program?
• What is the ISO’s role?
• What should the management team know to ensure proper IT Governance?
• How can management help manage technology risk?
![Page 3: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/3.jpg)
Today’s Agenda
• Management Awareness Resources
• Five Tenets of IT Governance
• The IT Governance Program
– The Risk Assessment
– Information Technology Audits
– Vendor Due Diligence
– Awareness Training
• New Risks for 2011/2012
• The 2011 Audit Results
![Page 5: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/5.jpg)
In this next section
• We will become familiar with the “workshop portal” and this presentation.
• We will hear credentials that can be used to log onto the workshop portal.
• We will learn what is on the “workshop portal.”
![Page 6: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/6.jpg)
Available Tools . . .
• IT Audit Test Types
• The ISO Job Description
• Awareness Training Procedure
• Management Awareness Training Procedure
• Governance Policy Development Chart
![Page 7: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/7.jpg)
Available Tools . . .
• Management Guidelines for Social Media
• User Guidelines for Social Media
• Management Talking Points for Mobile Banking and Social Media
![Page 8: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/8.jpg)
Available Tools . . .
• Wireless Banking Article (Top Five Risks)
• Wireless Banking Article
• Wireless Banking Risk Assessment
• Wireless Banking Due Diligence Kit
![Page 9: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/9.jpg)
Our Credentials
• Information Security
– CISAs, CISMs, CISSPs
– Developed my first AUP in 1988
– Updating our process annually
– Been doing Annual UAT for banks since 2002
• GLBA, BSA, OFAC, FACTA, HIPAA
• Assessments, IT Audits, Consulting
• Managed Services (Network Monitoring)
![Page 10: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/10.jpg)
Nomenclature
• Information Security Strategy
• Information Security Program
• IT Risk Management Program
• IT Governance Program
Essentially the same thing.
![Page 11: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/11.jpg)
IT Governance Program
• Combines:
– Serve Business Mission
– Manage Technology Risk (information security)
![Page 13: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/13.jpg)
In this next section
• We will learn five basic tenets of IT Governance that all management team members should know.
• We will learn why IT Governance is concerned with Risk Management.
• We will learn “the one control” and why this workshop is important.
![Page 14: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/14.jpg)
#1
![Page 15: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/15.jpg)
#1: Serve the Mission
Information Technology must be aligned with the Business Strategy of the bank!
![Page 16: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/16.jpg)
Strategy Alignment
• Facilitate business tactics
– Assists in business processes
– Creates a competitive edge
– Increases communication with “all four corners of the bank,” especially customers
– Provides accurate information to management
![Page 17: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/17.jpg)
Strategy Alignment
• Deliver a Return on Investment
– Tangible Return
• Check 21 takes advantage of quicker check processing. Imaging system reduces paper costs.
• Fees charged for various services.
– Intangible Return
• Firewall mitigates risk of internet hacking.
• On-line banking provides convenience to customers.
![Page 18: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/18.jpg)
Management Role
• Determine technologies that will best facilitate business tactics.
• Determine appropriate time to deploy new technologies (Apply Pressure)
![Page 19: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/19.jpg)
Management Role
• Search and Selection Process
– Cost/Benefit, Benefit/Risk, When?
– Risk Analysis
– Requirements Definition
– Request for Proposal
![Page 20: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/20.jpg)
Management Role
• Negotiate Contracts (as per Vendor Management Procedure)
• Implementation, from a user perspective
– Return to risk analysis
– Return to cost/benefit analysis
– Return to features analysis
• Ongoing Vendor Due Diligence (as per Vendor Management Procedure)
![Page 21: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/21.jpg)
When is the appropriate time?
![Page 22: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/22.jpg)
Rogers’ Diffusion of Innovations
• Innovators
• Early adopters
• Early majority
• Late majority
• Laggards
Source: Everett M. Rogers, Diffusion of Innovations
![Page 23: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/23.jpg)
Stages of Innovation
• Knowledge
• Persuasion
• Decision
• Implementation
• Confirmation
Risk Assessment?
Security Controls
Source: Everett M. Rogers, Diffusion of Innovations
![Page 24: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/24.jpg)
Early Adopters in Banking
• Physical Security
• Information Security
Dan’s interpretation of Everett M. Rogers’ Diffusion of Innovations
![Page 25: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/25.jpg)
Late Majority / Laggard
• Virtualization
• Cloud Computing
• Social Media
• Telecommuting
Dan’s interpretation of Everett M. Rogers’ Diffusion of Innovations (image: Softwareforcloudcomputing.com)
![Page 26: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/26.jpg)
Risk/Benefit Evolution Curve (figure, built up over three slides): Value on the vertical axis against Time on the horizontal; one curve for Features and Sophistication, one for Price and Problems; the adoption stages Innovator, Early Adopter, Early Majority, Late Majority and Laggards are marked left to right along the time axis.
![Page 29: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/29.jpg)
Digital Video Security (2012)
• Innovators • Early adopters • Early majority • Late majority • Laggards
![Page 30: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/30.jpg)
Secure Messaging (2012)
• Innovators • Early adopters • Early majority • Late majority • Laggards
![Page 31: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/31.jpg)
Remote Access in Banks (2010)
• Innovators • Early adopters • Early majority • Late majority • Laggards
![Page 32: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/32.jpg)
Social Media in Banks (2011)
• Innovators • Early adopters • Early majority • Late majority • Laggards
![Page 33: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/33.jpg)
Wireless Banking (2013)
• Innovators • Early adopters • Early majority • Late majority • Laggards
![Page 34: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/34.jpg)
#2
![Page 35: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/35.jpg)
#2: Manage the Risk
Information, Technology,
and Information Technology
expose the bank to risk!
![Page 36: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/36.jpg)
#2) The Risk Spectrum
• There is no such thing as 100% security!
Ignore it? Obsession?
![Page 37: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/37.jpg)
#2) The Risk Spectrum
• There is no such thing as 100% security!
Ignore it? FFIEC Guidelines
![Page 38: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/38.jpg)
How do you decide?
• There is no such thing as 100% security!
Ignore it? FFIEC Guidelines
Risk-based Remediation
![Page 39: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/39.jpg)
Principle Number Two
Information Security is about
ACCEPTING RISK.
![Page 40: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/40.jpg)
#3
![Page 41: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/41.jpg)
A process question
When you are finished serving a customer, what do you typically do?
A. Cross Customer Service off the to-do list.
B. File the experience away as one you hope you’ll never have to do again.
C. Learn from the experience and try to serve the next customer better.
D. Move on to the next project.
![Page 42: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/42.jpg)
Fundamental #3
![Page 43: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/43.jpg)
Which means . . .
• No crossing it off the list.
• No filing it away.
• No wishing you never have to deal with it again.
![Page 44: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/44.jpg)
And means . . .
• It’s cyclical.
• You learn from each cycle.
• It is constantly improving (we hope).
• It’s about managing risk and ensuring alignment with other business processes.
![Page 45: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/45.jpg)
And to improve . . . .
• We must start by measuring.
But remember that metrics are all relative.
![Page 46: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/46.jpg)
Fundamental #3
![Page 47: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/47.jpg)
#4
![Page 48: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/48.jpg)
Important Point Question
What is the Number 1 form of Identity Theft?
A. Pretext Calling
B. Drive-by Attacks (Trojan Horses installed by rogue websites.)
C. Insider Data Theft
D. Phishing
E. Other
![Page 49: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/49.jpg)
Source: Javelin Research 2009 Identity Fraud Survey Report, a survey of 25,000 adults.
![Page 50: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/50.jpg)
4) It’s not really Technical
• Technology • People • Policy • Process
![Page 51: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/51.jpg)
IT requires a Team Approach
• Risk must be measured and managed using a multi-disciplinary approach.
• Risk is mitigated by establishing controls in the form of policies, procedures, and tools.
• Risk Management Controls involve “all four corners of the bank.”
![Page 52: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/52.jpg)
Four Corners of the Bank
![Page 53: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/53.jpg)
Four Corners of the Bank
• Board of Directors
• Oversight Committee
• Management Team
• Technical Team
• Users
• Vendors
• Law Enforcement
• Academia
• Customers
![Page 54: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/54.jpg)
Information Security Officer
• Measures, manages, reports Information Security Risk
• Interacts with all four corners.
• Facilitates development and continuous improvement of security controls.
• Delivers an Annual Report directly to the board.
![Page 55: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/55.jpg)
Information Security Officer
• Works with Management to:
– Measure and Control Risk
– Develop and enforce Security Controls
– Plan Response to Negative Incidents (Policy Violation, Security, Disaster)
– Manage Vendor Risk
– Authorize Access to IT Assets
– Inventory and manage IT Assets
– Escalate Risk Acceptance Decisions (to the Board of Directors)
![Page 56: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/56.jpg)
#5
![Page 57: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/57.jpg)
![Page 58: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/58.jpg)
Four Risk Factors
Threats
Vulnerabilities
Impact Severity
Likelihood
![Page 59: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/59.jpg)
Threats
• Terrorists
• Hackers
• Scammers / Con-men / Fraudsters / Thieves
• Vandals
• Technology Itself
• Users / Vendors
• Nosy Neighbors
• Ex-Spouses
![Page 60: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/60.jpg)
We can’t take it lightly
• Zeus: a software suite designed to help hackers attack banks.
![Page 61: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/61.jpg)
Marc Rogers, Purdue University
![Page 62: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/62.jpg)
. . . zooming in . . .
![Page 63: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/63.jpg)
Vulnerabilities
• Airplanes
• Ports
• Subway System
• Buildings
• Public Places
• E-mail
• Browsers
• Network Access
• Users
• > 300 considered in Risk Assessment
![Page 64: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/64.jpg)
Impact Severity
• Almost 3000 people
• Financial System
• Airlines
• Convenience
• Customers’ Identities
• Horror Stories
• Heartland Payment System ($7/card, 20,000 cards)
• Reputation
![Page 65: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/65.jpg)
Likelihood
• It can happen on American Soil
• Technology Itself: Very High
• Pretext Calling: High
• Phishing: High
• Hacking: Medium
• Physical Breach: Low (still happens though!)
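The four risk factors above (threats, vulnerabilities, impact severity, likelihood) are what the deck's "risk-based remediation" and the ISO's escalated risk acceptance decisions are built on. The following Python is an added illustration of that triage, not infotex's risk assessment tool or anything from the workshop portal: the ordinal scales, the likelihood x impact score, the control-effectiveness model, the risk appetite value and the sample register entries are all assumptions constructed for the example; only the likelihood labels and the threat/vulnerability pairs echo the slides.

```python
"""Risk-based remediation: score, rank and triage a small risk register.

Added illustration only. Everything numeric here is an assumption:
the ordinal scales, the likelihood x impact score, the control-effectiveness
model and the sample register are constructed for the example.
"""
from dataclasses import dataclass

# Ordinal scales (assumed). The likelihood labels are the ones used on the slide.
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Risk:
    threat: str          # who or what (hackers, fraudsters, technology itself ...)
    vulnerability: str   # the weakness the threat exploits (e-mail, users, network access ...)
    likelihood: str      # a LIKELIHOOD key
    impact: str          # an IMPACT key
    control_effectiveness: float  # assumed: 0.0 = no control in place, 1.0 = fully mitigated

    def inherent(self) -> int:
        """Inherent risk before controls: likelihood x impact severity (assumed model)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        """Residual risk after controls reduce the inherent score proportionally (assumed model)."""
        return round(self.inherent() * (1.0 - self.control_effectiveness), 2)


def triage(register, appetite):
    """Split a register by the board-approved risk appetite.

    Returns (remediate, accept): residual risk above the appetite must be
    remediated, or formally accepted and escalated to the board; the rest is
    accepted and reported. Both lists are sorted worst first so remediation
    budget goes to the top of the first list.
    """
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    remediate = [r for r in ranked if r.residual() > appetite]
    accept = [r for r in ranked if r.residual() <= appetite]
    return remediate, accept


# Constructed sample register. Threat/vulnerability pairs and likelihood labels echo
# the slides; impact ratings and control effectiveness are made up for the illustration.
SAMPLE_REGISTER = [
    Risk("Fraudsters", "Users (pretext calling)", "High", "High", 0.5),
    Risk("Hackers", "E-mail (phishing)", "High", "Critical", 0.4),
    Risk("Hackers", "Network access", "Medium", "Critical", 0.7),
    Risk("Technology itself", "Browsers (unpatched)", "Very High", "Medium", 0.6),
    Risk("Thieves", "Buildings (physical breach)", "Low", "High", 0.8),
]

RISK_APPETITE = 4.0  # assumed board-approved threshold on the residual score


if __name__ == "__main__":
    remediate, accept = triage(SAMPLE_REGISTER, RISK_APPETITE)
    print("Remediate (above appetite):")
    for r in remediate:
        print(f"  {r.residual():>4}  {r.threat} via {r.vulnerability} (inherent {r.inherent()})")
    print("Accept and report to the board:")
    for r in accept:
        print(f"  {r.residual():>4}  {r.threat} via {r.vulnerability} (inherent {r.inherent()})")
```

The point of the two buckets is the one the deck makes on the next slides: the accepted list is not "done," it is the set of risks management has chosen to carry, and it belongs in the ISO's annual report to the board alongside the remediation plan for the first list.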
![Page 67: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/67.jpg)
In this next section
• We will learn about the Federal Financial Institutions Examination Council (FFIEC) and its published “guidelines” for information technology, and why these guidelines become audit frameworks.
• We will see a quick summary of “management responsibilities for IT.”
• We will review a “map” of the typical bank’s IT Governance Program
• We will learn how the management team “plugs in” to the IT Governance Program.
![Page 68: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/68.jpg)
Types of Risk
• Transaction Risk
– Data Corruption Problems
– Social Engineering
– Customer Errors (Internet Banking)
• Legal Risk
– Obscene Jokes in E-mail
– Privacy Violations
– Unlicensed Software
![Page 69: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/69.jpg)
Types of Risk
• Financial Risk
– Early Adopter of Technology
– Vendor Solvency
– Cost of Security Breaches
• Operational Risk
– Virus Attacks
– Denial of Service (DoS) Attacks
– Project Management Risk
![Page 70: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/70.jpg)
Types of Risk
• Reputational Risk
– Any Security Incident presents some reputational risk.
– Poor Incident Response can turn a minor incident into a major incident.
![Page 71: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/71.jpg)
Types of Risk
• Compliance Risk
– GLBA
– HIPAA, CIPA, SOX
– PCI, BS12000, ITIL, CobiT
– BSA, OFAC, US Patriot Act
– FACTA
– SB1386
![Page 72: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/72.jpg)
Gramm Leach Bliley Act
Specifically, Title V of the GLBA, called "Disclosure of Nonpublic Personal Information," is intended to ensure security and confidentiality of customers' records and information, protect the integrity of such information, and protect against unauthorized access to such information.
![Page 73: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/73.jpg)
Thank goodness for the . . .
![Page 74: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/74.jpg)
The FFIEC
• Federal Reserve System (FRB)
• Federal Deposit Insurance Corporation (FDIC)
• National Credit Union Administration (NCUA)
• Office of the Comptroller of the Currency (OCC)
• Office of Thrift Supervision (OTS)
![Page 75: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/75.jpg)
The FFIEC
• Information Security Handbook
• Information Security Work Program
• IT Audit Handbook
• IT Audit Work Program
• Boilerplates
![Page 76: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/76.jpg)
Management Responsibilities
A quick summary
Awareness Training Series
![Page 77: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/77.jpg)
Summary of Responsibilities
• Understand how IT aligns with bank and department business strategy and work with IT to ensure appropriate alignment.
• Know the IT Governance program, how it works, the ISO’s role, and your role in the various sub-programs.
• Be familiar with technology risk that the bank faces.
• Enforce technology controls.
• Activate awareness of staff members.
![Page 78: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/78.jpg)
What does an IT Governance Program include?
(according to FFIEC Guidelines)
![Page 79: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/79.jpg)
How about a map?
![Page 80: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/80.jpg)
IT Governance Program
The combined policy, procedures, and tools about a particular issue can be referred to as a “Program.”
• Policy
• Procedure
• Tools (standards, guidelines, applications, forms, websites, etc.)
![Page 81: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/81.jpg)
Authentication Example
A procedure enforces a board-level policy using tools called for in the procedure.
• Policy: AUP
• Procedure: Authentication Procedures
• Tools: Passwords, Out-of-Pocket Questions, Visitor Authorization Process
![Page 82: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/82.jpg)
Information Technology Governance Program (map)
• Governance Policy
• Risk Analysis
• Awareness
• Security Standards
• Vendor Management
• Business Continuity
• Asset Management
• Incident Response
• Access Management
![Page 84: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/84.jpg)
Risk Analysis Program
![Page 86: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/86.jpg)
Access Management
![Page 88: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/88.jpg)
Incident Response Program
![Page 89: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/89.jpg)
Incident Response
• Awareness is an important part of incident response.
• CIRT (could be steering committee)
• ISO
• Everybody
• Board of Directors
• Law Enforcement
• Customers
![Page 91: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/91.jpg)
Asset Management Program
![Page 93: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/93.jpg)
Business Continuity Program
![Page 94: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/94.jpg)
Business Continuity Program
• Risk Analysis
• Business Continuity Plan
• Scenario Responses: Pandemic, Ice Storm, Tornado, Flood, Fire
![Page 96: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/96.jpg)
Vendor Management Program
• Governance Policy
• Vendor Management Policy
• Procedure: Search and Selection, Contract Negotiations, Ongoing Due Diligence
• Security Sanctions Policy
• Assigned Security Responsibility
• Threshold Risk Assessment
• Detailed Risk Assessment
• Risk Analysis
• Vendor Agreement Template
• Vendor Request
• Vendor Risk Determination Table
• Checklists
![Page 98: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/98.jpg)
Security Standards
![Page 101: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/101.jpg)
Awareness Program
• Governance Policy
• Awareness Program
– Management Awareness Training (Board of Directors, Management Team)
– Technical Awareness Training
– User Awareness Training
– Customer Awareness Training
![Page 102: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/102.jpg)
Awareness Program (diagram)
Under the Governance Policy, the Awareness Program delivers Management Awareness Training, Technical Awareness Training, User Awareness Training, and Customer Awareness Training; the Board of Directors and the Management Team are shown above it, and the Vendor Management Program with its Due Diligence Request Letter is also shown.
![Page 103: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/103.jpg)
Information Technology Governance Program (diagram)
Components arranged around the Governance Policy: Risk Analysis, Awareness, Security Standards, Vendor Management, Business Continuity, Asset Management, Incident Response, Access Management.
![Page 104: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/104.jpg)
IT Governance Policy (diagram)
• Committee Membership: Board Member, Management Team, End Users (rotated)
• Establish Steering Committee
• Authorize the ISO
• Requires Training at all levels
• Report Critical Security Breaches
• Define Governance
• Align IT with Business
• Delineates Annual Report to the Board
![Page 105: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/105.jpg)
Today’s Agenda
• Management Awareness Resources
• Five Tenets of IT Governance
• The IT Governance Program
– The Risk Assessment
– Information Technology Audits
– Vendor Due Diligence
– Awareness Training
• New Risks for 2011/2012
• The 2011 Audit Results
![Page 106: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/106.jpg)
In this next section
• We will learn why a multidisciplinary approach to technology risk assessments is critical.
• We will find out the types of threats that need to be considered in a risk assessment.
• We will see a typical risk assessment process.
![Page 107: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/107.jpg)
Summary: Managers Should
• Clearly support all aspects of the information security program;
• Implement the information security program as approved by the board of directors;
• Establish appropriate policies, procedures, and controls;
• Participate in assessing the effect of security issues on the financial institution and its business lines and processes;
![Page 108: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/108.jpg)
Summary: Managers Should
• Delineate clear lines of responsibility and accountability for information security risk management decisions;
• Define risk measurement definitions and criteria;
• Establish acceptable levels of information security risks; and
• Oversee risk mitigation activities.
![Page 109: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/109.jpg)
That’s straight out of FFIEC guidelines (page 6, Information Security Handbook).
![Page 110: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/110.jpg)
Information Security Program Equals IT Governance Program
![Page 111: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/111.jpg)
Information Technology Governance Program (diagram)
Components arranged around the Governance Policy: Risk Analysis, Awareness, Security Standards, Vendor Management, Business Continuity, Asset Management, Incident Response, Access Management.
![Page 112: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/112.jpg)
Risk Analysis Program
![Page 113: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/113.jpg)
Four Primary Risk Assessments (diagram)
Risk Assessments: Vendor Risk Determination, Business Impact Analysis, Technology Risk Assessment, Asset Criticality Analysis.
![Page 114: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/114.jpg)
Today’s Agenda
• Management Awareness Resources
• Five Tenets of IT Governance
• The IT Governance Program
– The Risk Assessment
– Information Technology Audits
– Vendor Due Diligence
– Awareness Training
• New Risks for 2010/2011
• ISO Job Description & Interactions
![Page 115: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/115.jpg)
In this next section
• We will learn the primary purposes of an IT Audit.
• We will understand the need for risk-based auditing
• We will learn the different types of audit tests.
• We will be exposed to the need for good IT Audit metrics.
![Page 116: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/116.jpg)
The IT Audit
![Page 117: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/117.jpg)
Three Primary Purposes
• Alignment with business mission
• Appropriate risk management
• Compliance with applicable law
![Page 118: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/118.jpg)
Alignment w/ Business Mission
• Strategy Alignment
• Facilitate Execution of Business Tactics
• Demonstrate Return on Investment
![Page 119: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/119.jpg)
Risk Management Assurance
• Test of Risk Assessment Process
• Test of Management Awareness
• Test of Declared Controls
• Test of User Awareness
• Escalate Risk Acceptance decisions to the Board of Directors
![Page 120: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/120.jpg)
Comply with the Law!
• FFIEC Guidelines as the Framework
• CobiT as Framework for SOX banks
• State laws may introduce individual compliance framework needs (SB1386 in California)
![Page 121: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/121.jpg)
Risk-based Auditing
• Ensures testing is appropriate
• Delivers Value to Audit Process
• Relies heavily on bank risk assessment
![Page 122: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/122.jpg)
Risk-based Auditing
• Test the controls that protect the highest value assets.
• Test the controls that protect the most likely targeted assets.
• Test the controls that management has declared mitigate the MOST risk (highest delta control value).
![Page 123: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/123.jpg)
Risk-based Auditing (diagram)
Inherent Risk, Residual Risk, and Delta Control (the risk reduction between the two).
![Page 124: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/124.jpg)
Types of IT Audit Tests
• Technical
• Non-technical
![Page 125: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/125.jpg)
But first …
• Capture-the-flag versus assessment
![Page 126: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/126.jpg)
Types of IT Audit Tests
• IT Governance Review
– GLBA Compliance
– Policy and Procedure Review
– Testing of Non-technical Controls
– Involves interviewing “all four corners” of the bank
![Page 127: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/127.jpg)
Types of IT Audit Tests
• Technical Vulnerability Assessments
– Perimeter
  • Penetration Testing
  • Vulnerability Scanning of Perimeter
  • Confirmation
– Internal Network
  • Vulnerability Scanning
  • Network Configuration Audit
  • Confirmation
![Page 128: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/128.jpg)
Types of IT Audit Tests
• Social Engineering Tests
– Two purposes
  • Test Awareness
  • Test Incident Response
– Spear Phishing
– Pretext Calling
– Password File Analysis
– Orchestrated Attacks
![Page 129: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/129.jpg)
IT Physical Security
• Physical Breach Tests
• Walk-throughs
• Dumpster Diving
– Trash-can Diving
• Physical Security Checklists
![Page 130: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/130.jpg)
Checklist Tests
• IT Governance
• Physical Security
• Network Configuration Audits
Be careful that findings are risk ranked.
![Page 131: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/131.jpg)
Risk Metrics
• Should be based on likelihood and impact
• Some auditors will also factor in ease of remediation
• You should be interested in residual risk, anticipated residual risk, and risk reduction (or “delta control”)
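As an added example that is not part of the original slide deck, the following Python sketch applies the risk-based auditing and risk-metric ideas from these slides to a constructed set of assets and declared controls: inherent risk is scored from likelihood and impact, residual risk is what is left after the controls management has declared, anticipated residual risk also counts safeguards planned but not yet deployed, and delta control is the risk reduction. The 1-5 scales, the per-control mitigation factors and the sample assets are assumptions made for the example.

```python
"""Risk-based audit scoping: rank assets by value, likelihood and delta control.

Added example; the 1-5 scales, the mitigation factors and the sample
assets are constructed assumptions, not figures from the training deck.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    name: str
    mitigation: float      # fraction of risk removed (0.0 - 1.0), assumed scale
    deployed: bool = True  # False = anticipated safeguard, not yet in place


@dataclass
class Asset:
    name: str
    value: int            # 1-5: business value / criticality
    likelihood: int       # 1-5: how likely the asset is to be targeted
    impact: int           # 1-5: impact of a compromise
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> float:
        # Risk before any control: likelihood x impact (1-25)
        return float(self.likelihood * self.impact)

    def _remaining(self, include_planned: bool) -> float:
        # Fraction of inherent risk that the selected controls leave behind
        remaining = 1.0
        for c in self.controls:
            if c.deployed or include_planned:
                remaining *= 1.0 - c.mitigation
        return remaining

    def residual_risk(self) -> float:
        # Risk left after the controls management has declared as deployed
        return self.inherent_risk() * self._remaining(include_planned=False)

    def anticipated_residual_risk(self) -> float:
        # Risk left once planned (not yet deployed) safeguards are also in place
        return self.inherent_risk() * self._remaining(include_planned=True)

    def delta_control(self) -> float:
        # Risk reduction attributed to the deployed controls
        return self.inherent_risk() - self.residual_risk()


def audit_priority(assets: List[Asset]) -> List[str]:
    """Order assets for testing: highest value first, then most likely
    targeted, then highest delta control (the controls management says
    remove the most risk deserve the most testing)."""
    ranked = sorted(
        assets,
        key=lambda a: (a.value, a.likelihood, a.delta_control()),
        reverse=True,
    )
    return [a.name for a in ranked]


def risk_ranked_findings(assets: List[Asset]) -> List[Tuple]:
    """Rows (name, inherent, residual, anticipated residual, delta control)
    sorted by residual risk, so a checklist miss on a low-risk asset does not
    outrank a real exposure on a critical one."""
    rows = [(a.name, a.inherent_risk(), a.residual_risk(),
             a.anticipated_residual_risk(), a.delta_control()) for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample: three assets with declared and planned controls
SAMPLE_ASSETS = [
    Asset("Core banking system", value=5, likelihood=3, impact=5,
          controls=[Control("Network segmentation", 0.5),
                    Control("Privileged access review", 0.4)]),
    Asset("Online banking portal", value=5, likelihood=5, impact=5,
          controls=[Control("Multifactor authentication", 0.6),
                    Control("Anomaly monitoring", 0.5, deployed=False)]),
    Asset("Branch workstations", value=3, likelihood=4, impact=3,
          controls=[Control("Endpoint anti-malware", 0.4)]),
]

if __name__ == "__main__":
    for row in risk_ranked_findings(SAMPLE_ASSETS):
        print("%-22s inherent=%4.1f residual=%5.2f anticipated=%5.2f delta=%5.2f" % row)
    print("Audit order:", audit_priority(SAMPLE_ASSETS))
```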
![Page 132: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/132.jpg)
Risk Metrics
• Comparing risk from one year to the next, or from one bank to the next, is difficult
• What’s important is knowing that the management team understands the metrics and the risk
![Page 133: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/133.jpg)
Today’s Agenda
• Management Awareness Resources
• Five Tenets of IT Governance
• The IT Governance Program
– The Risk Assessment
– Information Technology Audits
– Vendor Due Diligence
– Awareness Training
• New Risks for 2011/2012
• The 2011 Audit Results
![Page 134: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/134.jpg)
In this next section
• We will learn the primary purposes of the annual Vendor Due Diligence Review.
![Page 135: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/135.jpg)
Vendor Management Program (procedure diagram)
Diagram elements: Governance Policy; Vendor Management Policy; Search and Selection; Contract Negotiations; Security Sanctions Policy; Assigned Security Responsibility; Ongoing Due Diligence; Threshold Risk Assessment; Vendor Agreement Template; Vendor Request; Detailed Risk Assessment; Risk Analysis; Vendor Risk Determination Table; Checklists.
![Page 136: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/136.jpg)
Selection Process (diagram)
Stages shown: Risk Assessment; Requirements Definition vs. RFP Responses; Due Diligence; Evaluation.
![Page 137: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/137.jpg)
Vendor Due Diligence Checklist
• Makes the annual review go so much better!
• . . . at least after the first one.
![Page 138: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/138.jpg)
Vendor Risk Assessment Process (diagram)
Elements shown: Threshold Risk Assessment; Vendor Due Diligence Request; Due Diligence Checklist; Missing Controls; Risk Management Program; Report to Board; Detailed Risk Assessment.
![Page 139: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/139.jpg)
Outputs of Annual Review
Missing controls and anticipated safeguards should feed into the IT Risk Assessment.
![Page 140: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/140.jpg)
Remember this diagram?
Risk Assessments (diagram): Vendor Due Diligence, Business Impact Analysis, Technology Risk Assessment.
![Page 141: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/141.jpg)
Remember this diagram?
Risk Assessments (diagram): Vendor Due Diligence, Business Impact Analysis, Technology Risk Assessment.
This (and missing vendor controls) is where Vendor Due Diligence plugs into the overall Risk Assessment Process.
![Page 142: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/142.jpg)
Outputs of Annual Review
Missing controls and anticipated safeguards should feed into the IT Risk Assessment.
They will be deployed according to risk severity within a reasonable period of time.
![Page 143: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/143.jpg)
Outputs of Annual Review
Finally, risk acceptance decisions should be escalated to the board of directors by the ISO in the Annual Report.
![Page 144: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/144.jpg)
Today’s Agenda
• Management Awareness Resources
• Five Tenets of IT Governance
• The IT Governance Program
– The Risk Assessment
– Information Technology Audits
– Vendor Due Diligence
– Awareness Training
• New Risks for 2011/2012
• The 2011 Audit Results
![Page 145: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/145.jpg)
In this next section
• We will learn some of the fundamental responsibilities of the Information Security Officer.
• We will see how the ISO interacts with various areas of the bank.
• We will understand how we can utilize the ISO to better manage our own technology risk.
![Page 146: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/146.jpg)
Information Technology Governance Program (diagram)
Components arranged around the Governance Policy: Risk Analysis, Awareness, Security Standards, Vendor Management, Business Continuity, Asset Management, Incident Response, Access Management.
![Page 147: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/147.jpg)
Awareness Program (diagram)
Under the Governance Policy, the Awareness Program delivers Management Awareness Training, Technical Awareness Training, User Awareness Training, and Customer Awareness Training; the Board of Directors and the Management Team are shown above it, and the Vendor Management Program with its Due Diligence Request Letter is also shown.
![Page 148: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/148.jpg)
Awareness Program (diagram)
Under the Governance Policy, the Awareness Program delivers Management Awareness Training, Technical Awareness Training, User Awareness Training, and Customer Awareness Training; the Board of Directors and the Management Team are shown above it.
![Page 149: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/149.jpg)
Awareness Program (diagram)
Under the Risk Management Program, the Awareness Program delivers Management Awareness Training, Technical Awareness Training, User Awareness Training, and Customer Awareness Training; the Board of Directors and the Management Team are shown above it.
![Page 150: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/150.jpg)
BAT Tools
• Board Awareness Training (video webcast is available)
• Annual Report
– Risk Analysis Executive Summary
– Vendor Due Diligence Results
– Summary of Critical Security Breaches
– Strategy
• Policy Approval Process
![Page 151: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/151.jpg)
Today’s Agenda
• Management Awareness Resources
• Five Tenets of IT Governance
• The IT Governance Program
– The Risk Assessment
– Information Technology Audits
– Vendor Due Diligence
– Awareness Training
• New Risks for 2011/2012
• The 2011 Audit Results
![Page 152: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/152.jpg)
New Risks in 2011/2012
• Targeted Malware attacks (Zeus, Russian Business Network, Chinese, and spin-offs)
• Social Media Usage (by employees AND the bank)
• Mobile Banking Deployment
![Page 153: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/153.jpg)
Orchestrated Attacks
• Usually combining:
– Malware from drive-by attack sites
– Phishing
– Pretext Calling
• Assets Attacked:
– Customer credentials
– ACH
– On-line Banking
![Page 154: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/154.jpg)
Social Media
• Bank site risks
– Compliance (disclosures)
– Negative Comments
– Poor Content
• Employee risks
– General Users
– Management Team Members
![Page 155: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/155.jpg)
Wireless Banking Risks
1. Late Majority Adoption
2. Tepid Adoption
3. Security Risk
4. Compliance Risk
5. Strategic Risk
(infotex, Horse Before the Cart: Top 5 Mobile Banking Risks)
![Page 156: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/156.jpg)
Today’s Agenda
• Management Awareness Resources
• Five Tenets of IT Governance
• The IT Governance Program
– The Risk Assessment
– Information Technology Audits
– Vendor Due Diligence
– Awareness Training
• New Risks for 2011/2012
• The 2011 Audit Results
![Page 157: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/157.jpg)
In this next section
• We will learn some of the fundamental responsibilities of the Information Security Officer.
• We will see how the ISO interacts with various areas of the bank.
• We will understand how we can utilize the ISO to better manage our own technology risk.
![Page 158: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/158.jpg)
ISO Job Description
• The single point of contact . . . liaison . . . for all matters involving Information Security (and often IT Governance as a whole.)
• The “inside consultant” on IT Security Matters.
• The person who teaches us how to manage technology risk.
![Page 159: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/159.jpg)
ISO Teams
• Steering Committee: Member
• Technical Staff: Member
• CIRT: Team Leader
• Risk Assessment: Team Leader
• Vendor Management: Team Leader
• Business Continuity Plan: sometimes the BCP coordinator, often not.
![Page 160: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/160.jpg)
What the ISO does . . .
• Writes policies and procedures.
• Filters vulnerability news down to what the bank needs to know.
• Writes agendas and reports for various meetings.
• Activates awareness through reminders, tests, and training.
![Page 161: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/161.jpg)
ISO Job Description
• Maintain the IT Governance Program
• Ensure through measurement and testing that the controls in the IT Governance Program are adequate and are being enforced.
• Escalate Risk Acceptance Decisions to the Board
• Educate, Motivate, and Activate Awareness.
![Page 162: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/162.jpg)
Awareness Life Cycle (diagram)
Educate, Motivate, Activate (shown as a cycle).
![Page 163: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/163.jpg)
Four Corners (diagram)
Board of Directors, Oversight Committee, Management Team, Technical Team, Users, Vendors, Customers.
![Page 164: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/164.jpg)
Board Level
• Educate: Annual Report, Awareness Training
• Motivate: Risk Analysis, VDD Results, Audit Findings
• Activate: Policy Approval, Strategy, Budget
![Page 165: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/165.jpg)
Management Team
• Educate: Annual Awareness Training, Applicable Policies and Procedures (see distribution list)
• Motivate: Annual Report to the Board, Audit Results
• Activate: Risk Analysis, Vendor Due Diligence
![Page 166: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/166.jpg)
Technical Team
• Educate: IT Audit Program, Security Standards, Policies and Procedures, Comprehension Testing, BCP Testing Plan
• Motivate: Auditing, Monitoring, Testing, Vulnerability Assessments
• Activate: Vulnerability Reports, Conferences, CPE
![Page 167: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/167.jpg)
Users
• Educate: Acceptable Use Policy
• Motivate: Annual Awareness Training, Comprehension Tests
• Activate: Social Engineering Tests, Exercises, Reminders
![Page 168: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/168.jpg)
Customers
• Educate: Flyers, Knowledgeable Employees
• Motivate: Annual Awareness Training
• Activate: Stuffers, Web Site Announcements
![Page 169: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/169.jpg)
Vendors
• Educate: Due Diligence Request Letter, Phone Call
• Motivate: Contract Negotiations, Due Diligence Request Letter, AP New Vendor Form
• Activate: Ongoing discussion emphasizing security. A call when something doesn’t seem right.
![Page 170: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/170.jpg)
On the Portal . . .
• Information Security Officer Job Description
![Page 171: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/171.jpg)
How should we summarize?
![Page 172: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/172.jpg)
Interactions
![Page 173: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/173.jpg)
ISO must interact with:
• Board of Directors
– Annual Report to the Board
– Risk Acceptance Decisions
– Policy Approval
![Page 174: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/174.jpg)
ISO must interact with:
• Oversight Committee
– Internal Auditing
– Monitoring
– Audit Reports
– Vulnerability Assessments
![Page 175: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/175.jpg)
ISO must interact with:
• Management Team
– Risk Analysis
– Training
– Vendor Due Diligence
– Access Authorization Review
– Budget
– Incident Response
![Page 176: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/176.jpg)
ISO Must Interact With:
• The you-wouldn’t-expect interactions
– Human Resources
  • Policy Development and Enforcement
  • Incident Response Team
  • Risk Assessment
  • Orientation
– Marketing
  • Customer Awareness Training
  • Public Presence Security Controls
  • Use of Social Media
![Page 177: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/177.jpg)
ISO must interact with:
• Technical Team
– Security Standards
– Incident Response
– Vulnerability Assessments
– Audits
– Network Monitoring
![Page 178: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/178.jpg)
ISO must interact with:
• Users (all employees)
– Acceptable Use Policy
– Annual Awareness Training
– Policy Enforcement
– Security Reminders and Notices
– Testing
– Incident Response
– Answering Questions
![Page 179: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/179.jpg)
ISO must interact with:
• Vendors
– Vendor Risk Analysis
– Vendor Due Diligence Requirements
– Risk Acceptance
![Page 180: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/180.jpg)
ISO must interact with:
• Customers
– Customer Awareness Training
– Incident Response
![Page 181: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/181.jpg)
Thank you!
Don’t forget the Evaluations!
![Page 182: Management Awareness Training](https://reader030.fdocuments.net/reader030/viewer/2022013006/56813d61550346895da733ee/html5/thumbnails/182.jpg)
The Workshop Portal
• List of boilerplates and related websites.
• Electronic Version of Documents, Articles, and Boilerplates for your use.
– mat2009.infotex.com (all lower case)
– Your user name . . . mat2009 (all lower case)
– Th3!b@#1 is the password.
• Portal is classified “internal use.”