Which Describes Your Cybersecurity Program –Eager Beaver or Deer in Headlights?
October 29, 2015
Our Presenters
Jamie Barnett, Partner, Venable LLP
Michael Abboud, Founder & CEO, TetherView
Eric Feldman, CIO, The Riverside Company
Mark Heil, EVP, PEF Services LLC
Welcome to the Cybersecurity Webinar
Program is scheduled to last for 1.5 hours.
– If you ask questions, we will try to address them during the program.
– If time does not permit us to answer a question posed during the webcast, it will be answered offline after the event.
– Program will be recorded and posted to our webpage within a week. The presentation and additional materials will be available tomorrow.
Requirements for CPE Credits:
– Remain logged on for at least 1 hour, 15 minutes
– Respond to at least 6 of the 8 polling questions that will be presented
Please complete the evaluation survey following the event.
– A link to the survey will be emailed shortly following the program.
– Feedback is used to make future presentations better.
Learning Objectives
How to apply the results from The Office of Compliance Inspections and Examinations ("OCIE") 2015 Cybersecurity Examination Initiative to augment your firm’s cybersecurity preparedness
Preparing for OCIE Cybersecurity exams “that will involve more testing to assess implementation of firm procedures and controls”
Developing the types of policies, documents and reports that need to be created to manage your cybersecurity program effectively and to respond to an OCIE Exam
Assessing the risk associated with using a vendor as part of your cybersecurity due diligence
Establishing an incident response program that effectively detects breaches, generates alerts, defines the scope of the incident and provides procedures for communicating the incident to appropriate parties
Self Assessment: Are you an “Eager Beaver” or a “Deer in Headlights?”
Self Assessment: Eager Beaver or Deer-in-Headlights?
If Yes to all of these questions = Eager Beaver
If Yes to 3 or fewer = A Deer in Headlights
1. Has your firm adopted written information cybersecurity policies and procedures?
8. Has your firm conducted firm-wide inventorying or mapping of its technology resources?
9. Has your firm incorporated language into its contracts with vendors regarding cybersecurity risk?
13. Have you obtained Cybersecurity Insurance?
14. Does your firm make use of encryption?
15. Does your firm have a designated Chief Information Security Officer separate from CTO and CCO?
16. Does your firm use a secure portal and file exchange when transferring confidential or personal identification information with clients or vendors?
OCIE Enforcement Action
Fined R.T. Jones, a registered investment adviser, $75,000:
– Attacked in July 2013 by a hacker who gained access and copy rights to the personally identifiable information (PII) of more than 100,000 individuals
– Failed to adopt written policies and procedures to safeguard customer information: e.g., failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
– Promptly retained several cybersecurity consulting firms to confirm the attack and determine its scope.
– Provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring.
– No indications of a client suffering financial harm as a result of the cyber attack.
Summary of OCIE Risk Alert
OCIE will continue its cybersecurity examinations of registered investment advisers.
– OCIE’s examinations will involve more testing to assess implementation of firm procedures and controls.
Key topics include:
– Governance and risk assessment
– Access rights and controls
– Data loss prevention
– Vendor management
– Training
– Incident response
Governance and Risk Assessment
FINRA's Cybersecurity Governance Framework
Purpose:
– To support informed decision making and escalation within the organization to identify and manage cybersecurity risks.
Effective practices include:
– defining a governance framework to support decision making based on risk appetite;
– ensuring active senior management and, as appropriate to the firm, board-level engagement with cybersecurity issues;
– identifying frameworks and standards to address cybersecurity;
– using metrics and thresholds to inform governance processes;
– dedicating resources to achieve the desired risk posture; and
– performing cybersecurity risk assessments.
The Types of Documents OCIE May Request for Cyber Exam
Governance
– Firm policies re: protection of “customer” information
– Patch management practices
– Board materials regarding cyber-matters
– Information regarding the firm’s Chief Information Security Officer (“CISO”)
– Information regarding the firm’s organizational structure
Access and Controls
– Policies regarding access to network and information, documenting access controls
– Policies to verify the authenticity of customer requests to transfer funds
– Customer complaints related to customer access
– Reviews of access rights
– Internal audit
Data Loss Prevention
– Policies and procedures re: enterprise data loss prevention, including data mapping (especially PII)
– Policies related to data classification and risk levels
– Policies related to monitoring unauthorized distribution of sensitive information
Vendor Management
– Policies related to third party vendors, including due diligence, contracts, agreements, approval processes, supervision, and risk assessments
– Written contingency plans concerning conflicts of interest, bankruptcy, etc.
Training
– Training provided to employees re: information security and risks, training method, dates, topics, etc.
– Training provided to third party vendors or business partners
Incident Response
– Business continuity plans that mitigate effects of a cybersecurity incident
– Process for testing the incident response plan
– System generated reports related to data loss
– Incidents of unauthorized access or distribution of PII
Access Controls/Data Loss Prevention
Complicate
– Make it difficult for intruders through user authentication, encryption, firewalls and access rights & controls
Detect
– Intrusion detection
– Open source monitoring
Respond
– Minimize continuing damage
– Collect and preserve data related to the incident.
• “Image” the network
• Keep all logs, notes, and other records
• Keep records of ongoing attacks
– DO NOT: Use compromised systems to communicate, Hack Back, or Intrude upon another network
Common Vendor Management Issues
• Lack of a formal due diligence and risk assessment process in planning and selection of vendors
• Understand the data inventory and mapping risks (Security) – Where is your data??
• Policies and procedures when onboarding and monitoring vendors (i.e., controls) – Contract Terms, Onsite Audits, etc…
• Compliance with the regulations and understanding the “4th Party” risks
• COST BENEFIT ANALYSIS – ensure you have considered compliance and risk mitigation
Cybersecurity and Vendor Contracts
Identify and Mark all Attributional/Proprietary Information
Consider an Employee Nondisclosure Agreement Requirement
Require Safeguarding of Confidential and PII Information
Compel Specific Actions for Cyber Incidents:
– Require a specific incident reporting period (e.g., 72 hours)
– Insert a duty to investigate cyber incidents and provide a report
– Require customer approval of remediation plan
– Conduct forensic investigation to determine cause and affected data and systems
– Provide regular updates of its investigation to customer and permit reasonable access to the investigation to the customer
– Cooperate with customer’s investigation
– Customer, not supplier, makes final decision on notification of affected individuals
Riverside’s Online Cybersecurity Training
Employee Training – Who, What & When
Who:
– New hire training
– Existing employees
– IT
– Senior Management
What:
– Responsibility for Company Data
– Internal Policies, Document Management and Notification Procedures
– Passwords
– Unauthorized Software
– Internet Use, Social Media Policy; Social Engineering
– Email, Social Engineering and Phishing
– Mobile Devices
– Protecting Computer Resources
When:
– Onboarding
– Regular Training Sessions
– Testing
– Constant Education
Key Elements of An Incident Response Plan According to National Institute of Standards and Technology (NIST)
Incident Handling and Reporting Procedures
Communication Guidelines with Outside Parties
Team Structure and Staffing Model
Establish Relationships and Lines of Communication, internally and externally
Incident Response Team Scope of Services
Incident Response Team Staffing and Training
NIST Incident Response Team Communications Model
Potential Pitfalls of Incident Response Plans
Outdated
– Not integrated into the current practices of the firm
– Changes at vendors or agencies in policies, procedures or contacts
Lack of training of those involved
– Practice? Who needs practice?
– Evidence lost or destroyed
Single point of failure
– Plan depends on one or two key people who may not be available at time of crisis
Identify the Real Risks / Protect what Matters Most
• Develop a security strategy focused on business drivers and protecting high-value data
• Define the organization’s overall risk appetite
• Identify the most important information and applications, where they reside and who has/needs access
• Assess the threat landscape and your security program maturity – model your real exposures
• Assume breaches will occur – improve processes that complicate, detect and respond
• Balance the fundamentals with emerging threat and vulnerability management
• Establish and rationalize access control models for applications and information
• Protect key identities and roles because they have access to the crown jewels
Sustain your Security Program / Enable Security in the Business
• Get governance right – security is a board-level priority
• Allow good security to drive compliance – not vice versa
• Measure leading indicators to catch problems while they are still small
• Accept manageable risks that improve performance
• Know your weaknesses – and address them!
• Make security everyone's responsibility – it's a business problem, not just an IT problem
• Align all aspects of security (information, privacy, physical and business continuity) with the business
• Spend wisely on controls and technology – invest more in people and process
• Selectively consider outsourcing or co-sourcing operational security program areas
Summarizing Today’s Program
Thank you for joining us!
Michael Abboud TetherView
[email protected] 707-927-0490
www.tetherview.com
Eric Feldman The Riverside Company
[email protected] 212-484-2178
www.riversidecompany.com
Jamie Barnett Venable LLP
[email protected] 202-344-4695
www.venable.com
Mark Heil PEF Services LLC
[email protected] (212) 203-4679
www.pefundservices.com