bdqcrm service offering phase i scoring

Upload: mitchell-grooms

Post on 12-Apr-2017

Page 1: BDQCRM Service Offering Phase I Scoring

Black Diamond Quantitative Cyber Risk Management Group

Black Diamond Quantitative Cyber Risk Management (BDQCRM) Service Offering – Phase I Scoring

The Founders of BDQCRM, Dr. Robert Mark, Michael Angelo and Mitchell Grooms, are experienced Risk Management Professionals with global expertise in designing, constructing, implementing and operationalizing comprehensive solutions for Cybersecurity Risk Management programs (including Regulatory approval).

BDQCRM offers a comprehensive, resilient, preventative, Quantitative Cybersecurity Risk Management program for financial intermediaries and corporations. The proof of concept can be demonstrated by operationalizing Phase I Scoring of the three-part framework, which includes a Security review and analysis consisting of 1) a Technical and Process review of the infrastructure, 2) Scoring, and 3) Assessments. Its purpose is to stress test the Security infrastructure for protection and preparedness, generate a migration plan to enhance the Security infrastructure, develop a Residual Risk Management plan to manage the risk, identify the price of and obtain the desired insurance by operationalizing an ERM framework that transparently demonstrates the management of the Cybersecurity risk, deliver summary assessments to the Board and Senior Management as appropriate, and link to Phase II and Phase III if so prescribed.

BDQCRM Discussion Points

Executive Summary: Organizations face a host of Regulatory challenges (Federal Financial Institutions Examination Council, Securities and Exchange Commission Office of Compliance Examinations and Inspections, Federal Trade Commission, Financial Conduct Authority, Prudential Regulatory Authority, Bank of England CBEST, Singapore Monetary Authority, others) which also contain embedded standards, e.g., ISO 27001 and PCI DSS compliance. In addition, the business environment and corporate infrastructure challenges of managing earnings in the digital economy include the management of the significant Cybersecurity Risk. Cybersecurity is a significant risk with extraordinary exponential aspects (Operational Risk that morphs into Credit Risk and escalates harm) and is a major risk in managing earnings and assuring corporate survival in the digital economy. To manage earnings in today’s environment it is essential to assess the Security infrastructure and processes of your company and build an Enterprise Risk Management (ERM) Framework that incorporates Cybersecurity Risk Management into the company’s overall earnings management, governance and ERM program. The first step in operationalizing a successful Quantitative Cybersecurity Risk Management Program is Scoring.

BDQCRM Service Offering

Phase I Scoring

a) Security Review and Analysis

  Technical Analysis
  Process Analysis

b) Cybersecurity Risk Management Scoring

Quantitative Cybersecurity Risk Management Scoring
  o Scoring is based on multilayered granular assessment

Migration Strategy Recommendations
  o Protect and prepare
  o Coordinate with and inform, as requested, the primary Regulator

c) Cybersecurity Risk Residual Risk Mitigation Strategy

  Assessment of Cyber Risks and Determination of How to Manage Cyber Risks
  Introduction of Cyber Risk Transfer Pricing & Transparency

d) Cybersecurity Risk Residual Risk Study for the purposes of pricing and acquiring Cyber Risk Insurance

  Pricing and evaluation for structuring Cyber Insurance
  Make trade-offs between self-insurance and buying Cyber Insurance

e) Executive presentation to Senior Management and the Board of the Cyber Risk Assessment and Scoring Assessment of Phase I Results

  o Protect and assess the current level of Preparedness for Cybersecurity
  o Shift from Reactive, Event-driven Cybersecurity Risk Management to Preventative Cybersecurity Risk Management

Phase II Cybersecurity Risk Management Database Recommendation

  o Develop Cybersecurity Proactive Risk Management Business Intelligence

Phase III Quantitative Cybersecurity Risk Management Program Recommendation

  o Operationalize the Quantitative Cybersecurity Risk Management Program
  o Harmonize Security, Information Security, and Cybersecurity with the Office of the CRO* (See Note)
  o Implement a Cybersecurity Risk Management Capital Management Program
  o Establish the transparency of the Quantitative Cybersecurity Risk Management Program internally for the Board, Executive Management, CRO & CSO, and externally for the primary Regulator(s)

How the Cybersecurity Program Phase I – Scoring works:

1) Scoring

2) Assessments

Statement of Work

1) Scoring

Using the BDQCRM Scoring System, we will perform a Security analysis of the infrastructure. The analysis will be done on a Technical and Process analysis basis, which includes:

  Cybersecurity Controls
  External Dependency Management

Cybersecurity Controls

Connectivity includes:
  o ISPs
  o Unsecured External Connections (FTP, Telnet, rlogin)
  o Wireless Network Access Points
  o Personal Devices Allowed to Connect to the Corporate Network
  o PCI DSS compliance
  o The total number of Third parties, including the number of organizations and the number of individuals from vendors and subcontractors, with access to internal systems (e.g., virtual private network, modem, intranet, direct connection)
  o Wholesale customers with dedicated connections
  o Internally hosted and developed, or modified vendor, applications supporting critical activities
  o Internally hosted, vendor-developed applications supporting critical activities
  o User-developed technologies and user computing that support critical activities
  o Technologies that support critical operations and are at End-of-Life (EOL), or a majority of critical operations dependent on systems that have reached EOL or will reach EOL within the next 2 years, or an unknown number of systems that have reached EOL
  o A majority of operations dependent on OSS that supports critical operations
  o Network devices (e.g., servers, routers, and firewalls; include physical and virtual)
  o Third-party service providers storing and/or processing information that supports critical activities (they do not have access to internal systems, but the institution relies on their services)
  o Cloud computing services and Cloud providers; Cloud provider locations used, including international use of the public Cloud

Patch Management

External Dependency Management

Delivery Channels includes:
  o Online presence that serves as a delivery channel for Wholesale Customers, including a focus on account originations and managing large value assets
  o Mobile Asset Management application, assessing full functionality, including originating new transactions (e.g., ACH, wire)
  o ATM services managed internally; ATM services provided to other financial institutions; ATMs at domestic branches and retail locations; cash reload services managed internally
  o Debit or credit cards issued directly; cards issued on behalf of other financial institutions; prepaid cards issued internally, through a third party, or on behalf of other financial institutions
  o Direct acceptance of emerging payments technologies; moderate transaction volume and/or foreign payments; Person-to-Person payments (P2P); sponsorship of a third-party payment processor
  o Origination of ACH debits and credits; wholesale payments (e.g., CHIPS); wire transfers
  o Merchant remote deposit capture (RDC)
  o Global remittances
  o Treasury services
  o Trust services
  o Acting as a Correspondent Bank
  o Acting as a Merchant acquirer (sponsoring Merchants or card processor activity into the payment system) and card payment processor
  o Hosting IT services or providing IT services for other organizations (either through joint systems or administrative support)

Ongoing Monitoring includes: efforts to develop new auditable processes for ongoing monitoring of Cybersecurity risks posed by third parties; an incident response process that includes detailed actions and rules-based triggers for involving law enforcement.

2) Assessments

Security Review and Assessment includes the Technical and Process analysis that initiates the comprehensive BDQCRM Program and establishes the level of preparedness and the most efficient, capable path to protect your business.

Upon completion of the Security analysis and Scoring, we will provide specific assessments for internal and external use:

Risk Mitigation Assessment for internal usage: enhancing the Security infrastructure and determining Residual Risk Mitigation strategies based on the results of the Scoring. Using those results, action can be taken immediately to eliminate the Operational Risks identified, with Operational Risk mitigation strategies that remove the Operational Risk; the Scoring identifies the Risk and how to reduce it, thereby creating an immediate Security migration strategy for Hermes Investment Management, applications for business development, and new products.

Residual Risk Mitigation Assessment used to develop pricing for insurance.

Board and Senior Management Presentation, including: recommendations for Phase II & Phase III of the Quantitative Cybersecurity Risk Management Program; non-Executive Board Member Cybersecurity Risk Management training; recommendations on how to set the target state of Cybersecurity preparedness that best aligns with the board of directors’ (board) stated (or approved) risk appetite; review, approval and support of plans to address risk management and control weaknesses; analysis and presentation of results for executive oversight, including key stakeholders and the board, or an appropriate board committee; recommendations on how to oversee the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of Cybersecurity Risk; and recommended changes to maintain or increase the desired Cybersecurity preparedness.

o Note: What differentiates us from other solutions is that we provide a 3-phase approach; others provide a strategy which does not harmonize Security, Information Security, and Cybersecurity with the Office of the CRO.
