Cyber Security and the FFIEC Expectations (ttsmedia.ttstrain.com/cybersecuritydx062315.pdf)
TRANSCRIPT
6/23/2015
1
Cyber Security and the FFIEC Expectations
TTS Webinar, June 23, 2015
Background
• Cyber Security Initiatives
• Cyber Security and Critical Infrastructure Working Group –June 2013
• Webinar: Executive Leadership of Cyber Security: What Today’s CEOs Need to Know About the Threats They Don’t See – May 7, 2014
• Cyber Security Preparedness Assessments – June/July 2014
• Cyber Security Assessments General Observations – Nov. 3, 2014
• Appendix J: BCP Handbook Strengthening the Resilience of Outsourced Technology Services
FFIEC
• Teams of examiners dedicated to IT security issues.
• Focusing on community banks, thrifts, and credit unions.
• Devoting resources to cyber security at all institutions.
General Observations
• Range of inherent risks
• Varied risk management practices
• Questions for CEOs and BODs
Document is not guidance
Cyber Security Inherent Risk
• The amount of risk posed by an institution’s activities and connections, notwithstanding the risk-mitigation controls that are in place
• Type
• Volume
• Complexity
Connection Types
• VPN
• Wireless
• FTP, Telnet
• LAN
• BYOD
Products and Services
• Offered by the Institution
• Attackers target technologies
• Stolen user credentials
Technologies Used
• Core System
• Internet Banking
• Mobile Banking
• Cloud Computing
• ATMs
Questions
• What type of connections do we have?
• How are we managing the connections in relation to rapidly evolving threats/vulnerabilities?
• Do we need all the connections? Would we reduce risk by eliminating some connections?
• How do we evaluate the threats and vulnerabilities for the products/services we offer and technologies used?
• How do the connections, products/services, technologies affect inherent cybersecurity risk?
Preparedness
• Risk management and oversight
• Threat intelligence and collaboration
• Cybersecurity controls
• External dependency management
• Cyber incident management and resilience
Risk Management and Oversight
• Governance
• Allocation of resources
• Training and awareness
Governance
• Policies
• Procedures
• Controls
• Ongoing Security Assessments
• Monitoring
• Exception Logs
• Access Controls
• Testing of Controls
• Risk Assessments
• Threats
• Vulnerabilities
• Controls
• Processes that enable adaptability and change due to threats
• Response Plans
• Board and Senior Management Reporting
Questions
• What is the process for ensuring ongoing and routine cybersecurity discussions by the BOD and Sr. Mgmt?
• How is accountability determined for managing cyber risks? Does this include mgmt’s accountability for business decisions that may introduce cyber risks?
• What is the process for ensuring ongoing employee awareness and effective response to cyber risks?
Threat Intelligence and Collaboration
• Getting, monitoring, sharing, and analyzing information on cyber threats
• Maintain awareness; monitor and evaluate so the institution can respond in a timely and appropriate manner
• Participate in info sharing forums
Threat Intelligence
• Risk assessment reports
• Internal audit reports
• Fraud detection
• AML/BSA monitoring
• FS-ISAC
• FBI
• US Secret Service Electronic Crimes Task Force
• Regulatory Reports
• Webinars/Conferences
• NIST
• 3rd Party Reports
• Verisign
• Mandiant
• Trustwave
• Symantec
Questions
• What is the process to gather and analyze threat information from multiple sources?
• How do you leverage this information to improve risk management practices?
• What reports are provided to the BOD on cyber events and trends?
• Who is accountable for maintaining relationships with law enforcement?
Controls
• Preventive
• Detective
• Corrective
Preventive
• Administrative, technical, physical
• Change management and patch management
• Access controls
• Encryption
• Firewalls, IPS
• Training
• Policies, procedures
Detective
• Anti-virus, anti-malware
• Monitoring, alerting
• Pen testing, vulnerability assessments
• Port scans
• Audit
Corrective
• Installing updates/patches
• Changing passwords, access levels
• Implementing audit and exam recommendations
Questions
• What is the process for determining and implementing preventive, detective, and corrective controls on the network?
• Does the process call for a review and update of controls when the IT environment changes?
• What is the process for classifying data and determining appropriate controls based on risk?
• What is the process for ensuring risks identified through detective controls are remediated?
External Dependency Management
• Outsourced third parties
• Expectations and practices to oversee relationships
Questions
• How do we connect to third parties and ensure they are managing their cybersecurity controls?
• What are the third parties’ responsibilities during a cyber attack? How are these outlined in the incident response plan?
Incident Management and Resilience
• Incident
• Detection
• Response
• Mitigation
• Escalation
• Reporting
• Resilience
Questions
• In the event of a cyber attack, how will we respond internally and with customers, third parties, regulators, and law enforcement?
• How are cyber incident scenarios incorporated into our business continuity and disaster recovery plans? Have they been tested?
7 Cybersecurity Questions Bank Boards Need to Ask
• What is management’s familiarity with cybersecurity?
• Have the crown jewels been identified and are they properly protected?
• Can management articulate its cyber risks and explain its approach and responses?
• Has management assigned clear roles and responsibilities for identifying, evaluating, monitoring, and responding to cybersecurity incidents?
• What are the crisis communication plans in the event of a cyber attack?
• Is the bank managing third-party vendors?
• Are the third-party vendors and the bank members of an information sharing and analysis center (like FS-ISAC)?
American Banker, Oct. 6, 2014
Regulatory Cyber Security and Preparedness
• Baseline Protections
• Information Sharing
• Response and Recovery
Baseline Protection
• Policies
• Procedures
• Controls
Baseline Protection Questions to Ask
• #1 - Is Cyber risk part of the current risk management framework?
• #2 - Do we follow the NIST Cybersecurity Framework?
• #3 - Do we know the cyber risks that our vendors and third-party service providers expose us to and do we know the rigor of their cybersecurity controls?
Baseline Protection Questions to Ask
• #4 - Do we have Cyber Risk Insurance? If yes, what does it cover and exclude? Is the coverage adequate based on the cyber risk exposure?
• #5 - Do we engage in basic cyber hygiene?
Information Sharing Questions to Ask
• #6 - Do we share incident information with industry groups? If so, when and how does this occur?
Response and Recovery Questions to Ask
• #7 - Do we have a cyber-incident playbook and who is the point person for managing response and recovery?
• #8 - What roles do senior leaders and the board play in managing and overseeing the cyber incident response?
• #9 - When and how do we engage with law enforcement after a breach?
Response and Recovery Questions to Ask
• #10 - After a cyber incident, when and how do we inform our customers, investors, and the general public?
NIST Cybersecurity Framework
• February 12, 2014 - Framework for Improving Critical Infrastructure Cybersecurity
• Provides the “what’s needed” for a comprehensive cybersecurity program.
• Any size organization can apply principles and best practices
NIST Framework
• Organizations should:
• Describe current cybersecurity posture
• Describe target state for cybersecurity
• Identify and prioritize opportunities for improvement
• Assess progress
• Communicate with internal and external stakeholders about risks
NIST Framework
• Core
• Identify
• Protect
• Detect
• Respond and Recover
Why Review NIST Framework
• Regulators may use it to formulate examination work programs and guidance
• Increased focus on cybersecurity - high profile data breaches
• Regulators devoting extra resources to cybersecurity
4 Key Elements
• Third Party Management
• Third Party Capacity
• Testing with Third Party TSPs
• Cyber Resilience
Third Party Management
• Risk Focused
• Oversight
• Controls
Due Diligence
• Evaluating a third party before you enter into the relationship
• Consider maturity of new technologies
• Understand the benefits and risks
• Assess the effectiveness of TSP’s BCP
• Review with your BCP in mind
Contracts
• Right to audit
• Establishing and monitoring performance standards
• Default and termination
• Subcontracting
• Foreign-based service providers
• BCP testing
• Data governance
• TSP updates
• Security issues
Ongoing Monitoring
• Monitor performance
• Review the third party’s BCP, including testing
• Third party audits (of the outsourced third party)
• MIS reports
Third Party Capacity
• Third Party Service Provider’s ability:
• To provide critical services to all its clients
• To meet stated RTOs and RPOs
TSP Alternatives
• Lack of resilience/failure of TSP
• Financial Institution clients take over operations
• Convert
• New TSP takes over existing operations
• Bring in-house
• Have a contingency plan that addresses alternatives for the resilience of services supporting critical operations
Strategic Considerations -Third Party Management
• Business resilience embedded in your third party risk management life cycle
• Ensure third party service provider has a “third party risk management program”
Strategic Considerations - Third Party Capacity
• Ensure your TSPs have an adequate plan and have tested it
• Identify and prearrange alternative resources
Within the Plan
• Discuss scenarios of significant disruptions
• Assess immediate or short term space, systems, and personnel capacity
• Identify feasible recovery operations and address restoration of key services in a BCP
• Participate in user groups or industry initiatives to test recovery scenarios
Testing with TSPs
• Demonstrate ability to meet recovery objectives
• Include important services in your testing
• Based on established risk prioritization and evaluation of critical functions
Remember
• Ability to
• Recover
• Restore
• Resume
• Maintain
Appendix J
• Test with TSP
• Review TSP’s test scope, execution, and results
• Provide test results to Board
• Understand the testing process and that the testing is adequate
Test Scenarios
• TSP outage or disruption
• Institution outage or disruption
• Cyber event both institution and TSP
• Simultaneous attack affecting both
Testing Complexity
• Develop strategies
• Extend beyond:
• Third party network connectivity
• Include transaction processing
• Functionality testing
• Demonstrate transaction flows
• Identify interdependencies and end to end processes
Testing with TSP
• Perform integrated tests incorporating more than one system or application, including external dependencies
• Test interdependencies - two or more departments, business lines, processes, functions
• Conduct end to end exercises
• Conduct full scale exercises
• Perform exercises that include third parties, subcontractors, vendors, or servicers
• Assurances that the TSP has capacity to restore critical services
• TSP needs to be transparent with testing activities and results
• TSP should share results, remediation action plans, and status reports
• Institution needs to evaluate the results
Cyber Resilience
• Malware - use a layered anti-malware strategy
• Integrity checks
• Anomaly detection
• System behavior monitoring
• Employee security awareness training
• Strong passwords
• Mobile device controls
• Social media controls
• Hardened operating systems
• Controlled Internet access
Cyber Resilience
• Insider Threats
• Employee screening/hiring practices
• Background checks, drug testing, credit checks, etc.
• Dual controls
• Segregation of duties
Data or Systems Destruction and Corruption
• Destruction - erased or rendered unusable
• Corruption - altered/manipulated without authorization
• “Air gap” - computer, system, or network is physically separated from other computers, systems, or networks
• Limits exposure to cyber attack and allows for restoration of data to a point in time before the attack
• “Periodic read only” backup
• Transmission of data to a physically and logically separate read only backup location
• Cloud based disaster recovery services
• Virtualization
• Disk backup
• Data replication
Communication Infrastructure Disruption
• Reliance on a single communication provider
• Disruptions that affect multiple financial institutions due to TSP concentration
• Simultaneous disruptions of voice and data due to convergence of services in the same network
• Disruption of data and voice between other entities and TSP
Simultaneous Attack on Financial Institution and TSPs
• Production and backup sites geographically separated (sufficient distance apart)
• What about a Cyber Attack? Will geographic disparity help?
Strategic Considerations - Cyber Resilience
• How you respond is critical
• Use backup architectures and technology that minimize potential for destruction and corruption
• Use integrity controls
• Use independent, redundant alternate communication providers
• Layer your anti-malware strategy
• Enhance planning to include simultaneous attacks
• Increase awareness of insider threats
• Enhance incident response plans
• Prearrange 3rd party forensics and incident management services
• Management should ensure resilience through:
• Third Party Management
• Third Party Capacity
• Testing
• Cyber Resilience
Risk Management Program
• Senior management and Board level - awareness, understand risks/threats, and are engaged.
• Need security measures to deter and combat.
• Create a culture of risk management
• Emphasize importance of identifying and escalating risks internally, communicate enterprise-wide about risks.
• Evaluate new products, services, and relationships - IT Strategic plan.
Risk Management Program
• Enhance to address cyber security
• Current written information security program
• Enterprise-wide information security risk assessment
• BCP, DRP, Incident Response Plan, Outsourced Third Party Risk Management Program
• Board reporting
• Employee security awareness training
• Insurance – cyber security
• Given the increase in cyber security threats, (Institution) is expanding its Information Security Program to also include Cyber Security Preparedness and Risk Management. This Information and Cyber Security Preparedness Risk Management Program will include, as applicable for (Institution’s) size and complexity:
• Identifying, monitoring, measuring, and mitigating risks
• Aligning the information cyber security strategy with the institution’s business strategy
Cyber Risk Management & Oversight
• Robust governance policies and risk management strategies
• Commit sufficient resources
• Enterprise-wide approach
• Ensure strong cyber security culture
Threat Intelligence & Collaboration
• Timely monitoring of threat information and identification of attack methods
• Leverage known sources
• Share crucial threat information
Cyber Security Controls
• Incorporate physical, logical, and other cyber security controls
• Prevent
• Detect
• Mitigate
External Dependency Management
• Identify critical external dependencies
• Establish rigorous vendor management controls
• Define 3rd party responsibilities and service levels
• Evaluate 3rd party’s incident response and resilience
Incident Management & Resilience
• Develop Incident Response Plan
• Identify incidents
• Use monitoring tools
• Escalate and report
Incident Response
• Assess nature and scope
• Identify information and/or systems involved
• Notify primary regulator
• Comply with applicable SAR regulations and guidance
• Contain and control
• Notify customers
Cyber security = Information Security
Cultural Change = More Involvement by Sr. Mgmt; not just an IT Issue; Tone at the Top
Not just an IT issue - it is an Operational issue
“Impact goes beyond IT, there are real financial and reputation implications”
“Few issues more important than cyber attack and cybersecurity to the regulators”
Questions? Thank You
Susan Orr, www.susanorrconsulting.com, susan@susanorrconsulting.com, 630.499.0276
TTS: Wesley [email protected]
Upcoming Webinars
June 24th - W-8, W-9 and Account Opening Issues
June 25th - Dealing with Subpoenas, Summonses, Garnishments, Tax Levies, Etc.
June 25th - 10 Key Compliance Issues on Overdraft Privilege Programs: What your Branches Need to Know and Do
July 7th - Call Center Representative Training
July 8th - Using Business Tax Returns to Analyze Lending Requests
July 8th - Best-Ever Compliance Checklists for Consumer Loans
July 9th - Federal Benefit Payments Garnishment Requirements
July 14th - Entering the World of Consumer Lending - Part 1
July 15th – Outsourced Third Party Risk Management - Vendor Management
July 16th - Lending to Municipalities