FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Compliance Frameworks
Transcript
West Monroe Partners: Business Consultants, Deep Technologists
© 2015 West Monroe Partners | Reproduction and distribution without West Monroe Partners prior consent is prohibited.
West Monroe Partners is large enough to tackle our clients' toughest challenges and nimble enough to adapt to unique requirements with custom solutions.
Established in 2002: Founded by a team from Arthur Andersen, West Monroe is a full-service business and technology consulting firm.
People: Over 600 career consultants, confident enough to engage in constructive debate and who understand that it's okay to disagree.
Organization: We are 100% employee owned. We answer to our people and our clients only.
Global reach but geographically close: We serve global clients locally by partnering with BearingPoint Europe and Grupo Assa.
Awards and recognition (early 2000s to 2015):
In 2009 and 2010 named one of Crain's Chicago Business "Best 20 Places to Work in Chicago"
Named by National Association of Business Resources as one of Chicago's "101 Best and Brightest Companies to Work For" in 2006, 2007, 2008, 2009 and 2012
In 2008, 2011, 2012, 2013, 2014 and 2015 Seattle Business Magazine named West Monroe "Best Large Company Headquartered Outside Washington"
From 2010-2015 named as a "Top Workplace" by the Chicago Tribune
Named one of Consulting Magazine's "Best Small Firms to Work For" for the second straight year in 2010
In 2012, 2013, 2014 and 2015 named one of the top Managed Service Providers in North America by MSPmentor
In 2011 named to Columbus Business First's 2011 "Best Places to Work"
In 2012, 2013, 2014 and 2015 named one of Consulting magazine's "Best Large Firms to Work For"
In 2013 and 2014 named to the Great Place to Work "Best Small & Medium Workplaces" list published in FORTUNE magazine
In 2012, 2014 and 2015, the Puget Sound Business Journal selected West Monroe Partners as a finalist for Washington's Best Workplaces
Selected for the 2013 "Inner City 100" by The Initiative for a Competitive Inner City (ICIC) and FORTUNE
In 2008, 2009, 2011, 2012, 2013 and 2015 named by Crain's Chicago Business as one of its "Fast Fifty"
West Monroe Partners: An uncommon blend of business consultants and deep technologists solving security challenges in today's business climate
West Monroe's Security team was built from the ground up with a blend of deep technologists and a focus on strategic security consulting.
We emphasize security as a component of an overall risk management approach, meaning we focus on strategic solutions and on helping organizations operationalize their security investments.
Where most security consultancies address security through tactical assessments and solutions, we deliver prioritized roadmaps that address the areas that will most effectively improve your security posture and reduce risk.
Federal Financial Institutions Examination Council (FFIEC) members:
FRB: Federal Reserve Bank ("The Fed")
OCC: Office of the Comptroller of the Currency
FDIC: Federal Deposit Insurance Corporation
NCUA: National Credit Union Association
CFPB: Consumer Financial Protection Bureau
SLC: State Liaison Committee, with representatives from CSBS (Conference of State Banking Supervisors), ACSSS (American Council of State Savings Supervisors) and NASCUS (National Association of State Credit Union Supervisors)
Starting in late 2015, examiners will begin using a new assessment tool to better understand risks and controls related to cybersecurity.
There are two pieces of the FFIEC tool that must be accomplished, in order:
1. Inherent Risk Profile, assessed across five categories: Technologies and Connections; Delivery Channels; Online, Mobile, and Technology Services; Organizational Characteristics; External Threats
2. Cybersecurity Maturity
The Cybersecurity Maturity profile worksheet is hierarchically structured, similar to most compliance frameworks:
Domain > Assessment Factor > Component > Maturity Level > Declarative Statement
By combining the information from the Inherent Risk and Maturity profiles, gaps can be assessed.
(Figure: worked gap-assessment example; the captured values are a row of counts, 3, 8, 21, 7, 0, and a column of results, Y, N, N, N, N.)
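As an added example, not code from the presentation or from the FFIEC tool itself, the maturity-profile logic described above in Python: declarative statements roll up to a maturity level under the CAT's cumulative rule (a level is attained only when every statement at that level and at all lower levels is answered "Yes"), and the unmet statements at or below a target level form the gap list. The sample statements, the one-component scope and the treatment of a level with no statements are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# FFIEC CAT maturity levels, lowest to highest.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

@dataclass(frozen=True)
class Statement:
    """One declarative statement, the leaf of domain > factor > component > level."""
    level: str   # one of LEVELS
    text: str
    met: bool    # the institution answered "Yes"

def level_counts(statements):
    """Number of declarative statements per maturity level, in LEVELS order."""
    counts = Counter(s.level for s in statements)
    return [counts[lvl] for lvl in LEVELS]

def attained(statements):
    """Y/N per level under the CAT's cumulative rule: a level is attained only when
    every statement at that level and at every lower level is met. Assumption made
    here: a level with no statements at all is not attained."""
    result, ok = [], True
    for lvl in LEVELS:
        at_level = [s for s in statements if s.level == lvl]
        ok = ok and bool(at_level) and all(s.met for s in at_level)
        result.append(ok)
    return result

def maturity_level(statements):
    """Highest attained level, or None when even Baseline is unmet."""
    reached = [lvl for lvl, ok in zip(LEVELS, attained(statements)) if ok]
    return reached[-1] if reached else None

def gap(statements, target):
    """Unmet statements at or below the target level: the concrete remediation list."""
    limit = LEVELS.index(target)
    return [s for s in statements if not s.met and LEVELS.index(s.level) <= limit]

# Constructed sample for one component (e.g. Governance / Oversight); texts are illustrative.
SAMPLE = [
    Statement("Baseline", "Board approves the information security program", True),
    Statement("Baseline", "Management reports cyber risk to the board", True),
    Statement("Evolving", "Board receives periodic threat briefings", True),
    Statement("Evolving", "Security strategy is reviewed annually", False),
    Statement("Intermediate", "Cyber risk metrics inform board decisions", True),
    Statement("Intermediate", "Independent audit validates the program", True),
    Statement("Advanced", "Board includes a cyber domain expert", False),
]
```

Note that both Intermediate statements are met, yet the component stays at Baseline because one Evolving statement is open; that single statement is the whole gap to Intermediate.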
On its own, use of the FFIEC CAT has clear strengths and weaknesses.
Strengths: easy to conduct; ordained by regulators; good coverage; contextual; thoroughly mapped.
Weaknesses: lack of detailed gap analysis; little flexibility; hard for non-technologists to digest; difficult to represent findings.
Depending on the ability of your organization to respond to regulatory guidance, additional support or use of alternate frameworks may help.
The NIST Framework Core identifies underlying key Categories and Subcategories for each Function, and maps them to Informative References.
Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.
Subcategories further divide a Category into specific outcomes of technical and/or management activities.
Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory.
Function > Category > Subcategory > Informative References
Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness and Training; Data Security; Information Protection Procedures; Maintenance; Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications
The FFIEC Cybersecurity Assessment Tool directly aligns with the NIST Cybersecurity Framework
NIST Framework: Industry Alignment
The FFIEC Cybersecurity Assessment Tool (FFIEC CAT) provides a statement-by-statement and page-by-page comparison from the NIST Cybersecurity Framework (NIST CSF) to the FFIEC CAT.
Example of the NIST CSF mapping to the FFIEC CAT: (figure placing the FFIEC Cybersecurity Assessment Tool beside the NIST Cybersecurity Framework; not captured in the transcript)
The Core of the NIST Cybersecurity Framework further aligns to other Frameworks
NIST Framework: Industry Alignment
Organizations with successful implementations of NIST CSF can benefit from its synergy with other Frameworks.
The NIST CSF Core contains Informative References, which are specific sections of other Frameworks that illustrate a method to achieve the outcomes associated with each of the Core's Subcategories.
Example of the NIST CSF Core referring to other Frameworks:
Function: IDENTIFY (ID)
Category: Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried
Informative References: CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
By assessing both the current state and desired state profiles, an organization can determine the most impactful areas of focus.
(Figure: radar charts of the NIST / WMP Framework functions Govern, Identify, Protect, Detect, Respond and Recover, rated on the PRISMA scale: Policies, Procedures, Implementation, Testing, Organizational Integration.)
The NIST framework can be leveraged to monitor and objectively evaluate an organization's security maturity and associated progress.
Function    Current Rating    Desired Rating
GOVERN      1.5               3.6
IDENTIFY    1.1               3.5
PROTECT     1.4               3.5
DETECT      1.4               3.2
RESPOND     1.5               3.5
RECOVER     1.2               3.1
(Figure: radar chart of current and desired ratings across Govern, Identify, Protect, Detect, Respond and Recover.)
At the end of the day, regulators will demand more than a completed checklist.
Questions & Discussion
JERIN MAY Director - Infrastructure and Security - Seattle Desk 206.905.0209 Cell 206.920.0958 [email protected]
ROSS MILLER Manager – Infrastructure and Security - Seattle Desk 206.905.0167 Cell 517.525.1843 [email protected]