©2013 CliftonLarsonAllen LLP cliftonlarsonallen.com Keeping Pace With Changes to the FFIEC IT Exam Handbook and Cybersecurity Management


Keeping Pace With Changes to the FFIEC IT Exam Handbook and Cybersecurity Management


Our perspective…

CliftonLarsonAllen
– Started in 1953 with a goal of total client service
– Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S.
– Information Security offered as specialized service offering for over 15 years
– Largest Credit Union Service Practice*

*Callahan and Associates 2015 Guide to Credit Union CPA Auditors. CliftonLarsonAllen’s credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country. www.larsonallen.com – news release


IT Examination Handbook 2004 – 2015

• 2004 Original FFIEC IT Examination Handbook
• 2013 Executive Order – Critical Infrastructure
• 2014 FFIEC Executive Leadership of Cybersecurity
• 2014 Cybersecurity exam procedures piloted
• 2015 Guidance on Cybersecurity Governance and Cybersecurity Controls
• 2015 Cybersecurity Risk Assessment Tool (CAT)
• 2015 Update to FFIEC IT Management Handbook
• 2016 Exams incorporate updated cybersecurity


Cyber Fraud Risk Themes

• Rise of organized crime

• Hackers have “monetized” their activity
– More sophisticated hacking
– More “hands-on” effort
– Smaller organizations targeted
– Black market economy

• To hackers everyone is a target – everyone has something of value to them


Largest Cyber Risk Trends

• Most common cyber risk and fraud scenarios we see affecting our credit unions and their members
– Theft of information & access (cyber fraud)
◊ PII and PFI
◊ Credit card information
◊ Account Take Overs
– Interference with operations (cyber fraud)
◊ Denial Of Service
◊ Ransomware
– Dependence on 3rd party service providers (cyber risk)
– Insider risks and misuse (cyber risk)


FFIEC Executive Leadership Cybersecurity Webinar


Cybersecurity Leadership - FFIEC

• https://www.fdic.gov/news/news/financial/2014/fil14021.html


May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar

• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:
– Setting the tone at the top and building a security culture
– Identifying, measuring, mitigating, and monitoring risks
– Developing risk management processes commensurate with the risks and complexity of the institutions
– Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
– Creating a governance process to ensure ongoing awareness and accountability
– Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks

Presentation Notes
Tone at top / Executive buy in / Culture
Cyber security as part of business strategy
Risk assessment/management


Cybersecurity Leadership - FFIEC

• https://www.fdic.gov/news/news/financial/2014/fil14021.html

Presentation Notes
This is about Risk Assessment Process/Lifecycle


Cybersecurity Leadership - FFIEC

• https://www.fdic.gov/news/news/financial/2014/fil14021.html

Presentation Notes
This is BOTH: Third party/service provider risk AND Systems/tools/applications dependency risk


Cybersecurity Assessments

July – August 2014


OLD (2014) FFIEC IT Examination Process

• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions.

• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov/) and supplemented by periodic agency guidance.

• IT Examinations review the financial institution’s Information Security Program (ISP).


New/Added FFIEC Cybersecurity Assessments

• Summer of 2014 - FFIEC agencies piloted new Cybersecurity Assessment procedures to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks

• Integrated into regular IT Examination process
– Cyber Risk Management and Oversight
– Cyber Security Controls
– External Dependency Management
– Threat Intelligence and Collaboration
– Cyber Resilience

Presentation Notes
Piloted at over 500 community financial institutions
These 5 are at the heart of the updated Management Booklet


FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)

• FI Management should:
– Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
– Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
◊ FS-ISAC: www.fsisac.com
◊ FBI Infragard: www.infragard.org
◊ U.S. Computer Emergency Readiness Team at US-CERT: www.us-cert.gov
◊ U.S. Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml

Presentation Notes
THREAT Intelligence


FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Inherent Risk
– Management must understand the FI’s INHERENT RISK when assessing cybersecurity preparedness

Connection Types: identify and assess the threats to all access points to the internal network
◊ VPN
◊ Wireless
◊ Remote access protocols: RDP/Telnet/FTP
◊ Vendor LAN/WAN access
◊ BYOD


FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Inherent Risk (cont.)

Products and Services: identify and assess threats to all products and services currently offered and planned
– Online ACH and Wire Transfer origination
– External funds transfers (A2A, P2P, bill pay)


FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Inherent Risk (cont.)

Technologies Used: identify and assess threats to all technologies currently used and planned
– Core systems
– ATMs
– Internet and mobile applications
– Cloud computing


FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Preparedness
– Current cybersecurity practices and overall preparedness should include:

Cybersecurity Controls: Preventive, detective, or corrective procedures for mitigating identified cybersecurity threats
– Patching, encryption, limited user access
– Intrusion detection/prevention systems, firewall alerts
– Formal audit program with scope and schedule based on an asset’s inherent risk, prompt and documented remediation of findings, regular activity report reviews


FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Preparedness (cont.)

Cyber Incident Management and Resilience: Incident detection, response, mitigation, escalation, reporting, and resilience

◊ Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures

◊ Senior management and board incident reporting


FFIEC Cybersecurity Updates (Early 2015)

• February 2015 Financial Regulators Release New Appendix to Business Continuity Planning Booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services

• March 2015 FFIEC Focuses on Cybersecurity, Will Debut Self-Assessment Tool

• March 2015 FFIEC Releases Two Statements on Compromised Credentials and Destructive Malware

https://www.ffiec.gov/press.htm


FFIEC Cybersecurity Assessment Tool (CAT)

• Released in June 2015

• The National Credit Union Administration intends to incorporate the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool into its examinations, starting in June 2016.

http://news.cuna.org/articles/107023-ncua-outlines-examiner-training-for-cyber-assessment-tool


FFIEC Cybersecurity Assessment Tool (CAT)

• Inherent Risk Profile
• Cybersecurity inherent risk is the level of risk posed to the institution by the following:
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats


FFIEC Cybersecurity Assessment Tool (CAT)

• Cybersecurity Maturity
1. Cyber Risk Management and Oversight
2. Threat Intelligence and Collaboration
3. Cybersecurity Controls
4. External Dependency Management
5. Cyber Incident Management and Resilience


Polling Question

True or False: The Cybersecurity Assessment Tool (CAT) has two main components: documentation of inherent risk and assessment of control effectiveness to arrive at cybersecurity maturity.

A. TRUE

B. FALSE


Information Security Program Risk Assessment and Risk Management

• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems.

• Risk is determined based on the likelihood of a given threat-source’s ability to exercise a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical, and physical controls to reduce or eliminate the impact of the threat.


Information Security Program (ISP) Audit

• ISP-related Audits/Reviews
– ISP Review/IT General Controls Review
– External/Internal Vulnerability and Penetration Assessments
– Social Engineering Assessments

• E-Banking Reviews
– ACH Audit
– Wire Transfer Audit
– Remote/Mobile Deposit Capture Audit

• Audit/Exam Recommendation Tracking and Reporting


Information Security Program (ISP) Business Continuity/Disaster Recovery Incident Response

• Business Continuity/Disaster Recovery Plan
– Annual Testing of Critical Systems
– Annual Employee Tabletop/Scenario Testing
– Board Reporting

• Incident Response Plan
– Compromise of customer information
– Annual Testing
– FS-ISAC
– FBI Infragard
– Cybersecurity Examinations?


Information Security Program (ISP) Vendor Management

• Vendor Management Policy

• Vendor Risk Assessment
– Access to Customer Information
– Criticality to Bank Operations
– Ease of Replacement

• New Vendor Due Diligence and Annual Reviews

• Continuous Monitoring


Polling Question

True or False: Use of the Cybersecurity Assessment Tool (CAT) as a measurement and reporting tool will be required starting in June of 2016.

A. TRUE

B. FALSE


Changes To Management Booklet


FFIEC - Management Booklet

• “Management” booklet is one of 11 booklets that make up the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook).

• Provides guidance to examiners and outlines principles of overall governance and, more specifically, IT governance.

• Booklet explains how risk management is a component of governance and how IT Risk management (ITRM) is a component of risk management.


Summary of Changes

• Changes and additions:
– Vendor management moves from specific section to being integrated throughout all sections of the booklet.
– More focus and direction related to IT Governance and IT Risk Management (ITRM)
– Examination procedures re-written and all objectives have been expanded
◊ 2014: 9 Objectives
◊ 2015: 14 Objectives plus Glossary


Summary of Changes

• Increased focus on:
– Board oversight and involvement
– Effective risk management programs
– Vendor management programs
– Modern cybersecurity risks

Presentation Notes
Original booklet – 1 reference to cybersecurity
NEW booklet – 53 references to cybersecurity


Summary of Changes

• New sections and changes:
– New section on risk measurement (pg 24)
– Detailed processes for reducing risks through introduction of specific controls (pg 26)
– New section on Enterprise Architecture
– Expanded section on IT Governance, including enhancements to roles supporting IT

Presentation Notes
Enterprise architecture (EA) is the overall design and high-level plan that describes an institution’s operational framework and includes the institution’s mission, stakeholders, business and customers, work flow and processes, data processing, access, security, and availability (page 9)


Changes – More Focus on Risk Assessments / Risk Management

• Updated handbook refers to IT Risk Management (ITRM).
– This term was not explicitly used in 2004 version.
– The updated version seems to have recurring emphasis of the importance of key IT stakeholders to be able to identify and mitigate risks.


Changes – More Focus on Risk Assessments / Risk Management

• Updated handbook contains expanded details regarding ITRM and enterprise risk management.
– The ITRM process supports the enterprise-wide risk management framework through four activities:
(1) Risk identification
(2) Risk measurement
(3) Risk mitigation
(4) Risk monitoring and reporting


Changes – More Focus on Risk Assessments / Risk Management

• Risk Appetite - The FFIEC Cybersecurity Assessment Tool introduced this new term and the Management Handbook makes an additional 11 references.

• Institutions should understand this relatively new (for IT anyway) concept and incorporate it into their strategic planning process


Changes involving Board oversight

• The expectations of the Board’s level of involvement in and, ultimately, responsibility for IT and Cybersecurity have increased dramatically

• Board should be:
– Actively reviewing and approving policies
– Intimately aware of current IT environment for their organization

• Detailed more in objective 2 but the booklet also emphasizes their involvement throughout


Changes involving Board oversight

• The Board and a steering committee are still responsible for overall IT management, but the guidance now introduces a new obligation for the Board, requiring that they provide a “credible challenge” to management.

• Specifically, this means the Board must be “actively engaged, asking thoughtful questions, and exercising independent judgment”.

• No more “rubber stamps”. The Board is expected to actually govern, and that means they need access to accurate, timely and relevant information.


Changes to IT Management Structure

• 2004 IT Management Structure
– Board of Directors / Steering Committee
– Chief Information Officer / Chief Technology Officer
– IT Line Management
– Business Unit Management

• 2015 updated structure (changes in bold)
– Board of Directors / Steering Committee
– Executive Management
– Chief Information Officer or Chief Technology Officer
– Chief Information Security Officer
– IT Line Management
– Business Unit Management


Examination Procedures Comparison • 2004 booklet only has 9 objectives

• 2015 booklet has 14 objectives
– Minimal Change to Objectives 1 and 6

Presentation Notes
Objective 1: Determine the appropriate scope and objectives for the examination.
Objective 6: Evaluate management’s review and oversight of IT controls, including the other influencing functions of IT audit and compliance.


Objective 2

• More detailed and focused on reviewing the Board’s involvement with IT governance.
• Objective sub-points instruct examiners to review the depth of the Board’s involvement in the following areas:
– Review of IT strategic plan
– Review if Board is involved with management processes for approving third-party providers
– Board oversight on IT projects
– IT resource allocation
– Provides credible challenge to management decisions, and much more

Presentation Notes
Determine whether the board of directors oversees and senior management appropriately establishes an effective governance structure that includes oversight of IT activities.
2015 (page 42) – “Determine whether the board of directors oversees and senior management appropriately establishes an effective governance structure that includes oversight of IT activities.”
Objective 2 seems to be centered around the Board’s responsibility to manage and govern an effective IT infrastructure. Previously the Board could abdicate responsibility to senior management or an IT steering committee and their role would be more hands off. Now there are 13 sub points going into detail about what the Board has implemented for IT governance and how to review their effectiveness.


Objective 3

• Two bullet points (5 and 6) regarding the organization’s ability to generate and review effective IT system generated reports

• Reports should cover topics such as:
– Status of software development and maintenance activity
– Performance problems
– System usage, etc.

• Reports should include necessary information for managers/committees to make business decisions.

Presentation Notes
(page 44 in 2015 booklet) As part of the ITRM structure, determine whether financial institution management has defined IT responsibilities and functions. Verify the existence of well-defined responsibilities and expectations between risk management and IT functional areas, such as information security, project management, business continuity, and information systems reporting.


Objective 4

• Expounds on IT operations planning and investment responsibilities of the Board - considers the following:
– Business strategy
– IT strategic plan
– Does board approve IT risk assessment
– Funding IT resources
– Vetting third parties, etc.

• Previous booklet only had short bullet points for these areas - new booklet has paragraphs for each

Presentation Notes
Determine the adequacy of the institution’s IT operations planning and investment. Assess the adequacy of the risk assessment and the overall alignment with the institution’s business strategy, including planning for IT resources and budgeting


Objective 5

• Discusses the adequacy of the institution’s HR function to ensure its ability to attract and retain a competent workforce
– This does not appear to be discussed in nearly as much detail in the 2004 booklet
– This ties to Cybersecurity Assessment examination requests and focus related to Cybersecurity Job Descriptions

• Increased emphasis on recruiting appropriate employees.

Presentation Notes
Along with the IT audit and compliance departments, the HR department can serve as an influencing function for IT. Determine the adequacy of the institution’s HR function to ensure its ability to attract and retain a competent workforce. page 46 of the 2015 booklet


Examination Procedures Comparison

• Objectives 7-13 Risk Assessment & Risk Management
– Objectives 7-13 in the 2015 booklet are heavily focused on Risk Assessment and Risk Management.
– The 2004 booklet does not go anywhere near the depth the 2015 booklet goes into risk assessment and management.

Presentation Notes
Original booklet – 1 reference to cybersecurity; NEW booklet – 53 references to cybersecurity


Objective 7

• Expects examiners to determine whether the institution’s risk management program facilitates effective risk identification and measurement and provides support for risk decisions within ITRM.

• Reviews:
– The extent of Board’s oversight of the risk management program
– Has the board defined Risk Appetite?

Presentation Notes
Determine whether the institution’s risk management program facilitates effective risk identification and measurement and provides support for risk decisions within ITRM.


Objective 8 and Objective 9

Objective 8
• Focuses on senior management’s ability to mitigate operational risk which is discussed in similar detail in the 2004 booklet on page 3.

Objective 9
• Determine whether management implements an ITRM process that supports the overall enterprise-wide risk management process.

Presentation Notes
Objective 8: Determine whether the board of directors oversees and senior management proactively mitigates operational risk.
Objective 9: Determine whether management implements an ITRM process that supports the overall enterprise-wide risk management process.


Objective 10 and Objective 11

Objective 10
• Determine whether the institution maintains a risk identification process that is coordinated and consistent across the enterprise.

Objective 11
• Determine whether institution management maintains a risk measurement process that is coordinated and consistent across the enterprise.

Presentation Notes
Objective 10: Determine whether the institution maintains a risk identification process that is coordinated and consistent across the enterprise.
Objective 11: Determine whether institution management maintains a risk measurement process that is coordinated and consistent across the enterprise.


Objective 12

• Determine whether financial institution management effectively implements satisfactory risk mitigation practices.

• Has 18 subpoints for mitigating risk with focus on:
– Policy review
– Vendor management review
– Purchasing hardware/software
– Information security program
– Board oversight
– Effective hiring procedures

Presentation Notes
Objective 12 Determine whether financial institution management effectively implements satisfactory risk mitigation practices. They echo the sentiment resounding throughout the updated management booklet that risk management is essential to effective IT Governance and they also detail the items to be reviewed in order to assess an organization’s risk management process.


Objective 13

• Determine whether IT management develops satisfactory measures for defining and monitoring:
– Metrics
– Performance benchmarks
– Service level agreements
– Compliance with policies
– Effectiveness of controls
– Quality assurance and control.

• Determine whether management developed satisfactory reporting of ITRM activities.

Presentation Notes
Objective 13: Determine whether IT management develops satisfactory measures for defining and monitoring metrics, performance benchmarks, service level agreements, compliance with policies, effectiveness of controls, and quality assurance and control. Determine whether management developed satisfactory reporting of ITRM activities.
Focused on organization’s ability to rate its own effectiveness.


Objective 14

• Focused on corrective action taken by the examiner and their effectiveness in communicating findings to the organization.

• Fairly short section that talks about discussing findings with Examiner-in-charge (EIC) and the organization’s management.

Presentation Notes
Objective 14: Discuss corrective action and communicate findings. page 56


Polling Question

Which of the following reflect changes to the Management Handbook:

A. Significant focus on board and management governance

B. Added guidance related to IT Risk Management (ITRM)

C. Change vendor/service provider management from a stand-alone objective to a topic integrated throughout the booklet

D. All of the above

E. None of the above


Summary

• Significant increase in focus on Cybersecurity
• IT Governance
• Enhanced/expanded description of IT Risk Management (ITRM)
– Measuring Risk
– Managing/mitigating/reducing risk
• Enterprise architecture
– Integration of IT risk management and business strategies and processes
• Vendor management integrated into everything
• Addition of Glossary


Questions?


cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen

Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal
Information Security Services
[email protected]
888.529.2648