Effectively Utilizing the New FFIEC Cybersecurity Assessment Tool
Michael Barnsback, Esquire and David Reed, Esquire
October 20, 2015

Effectively Utilizing the New FFIEC Cybersecurity ... · 10/20/2015  · •Cyber risk management and oversight addresses the board of directors’ (board’s) oversight and management’s


Page 1

Effectively Utilizing the New FFIEC Cybersecurity Assessment Tool

Michael Barnsback, Esquire and David Reed, Esquire

October 20, 2015

Page 2

Your Presenters

David Reed, Esq.
Partner
Reed & Jolly, PLLC
[email protected]

Michael Barnsback, Esq., CIPP/US
LeClairRyan
Michael.Barnsback@leclairryan.com

Page 3

The contents of this presentation are intended to provide you with a general understanding of the subject matter. However, it is not intended to provide legal, accounting, or other professional advice and should not be relied on as such.

Any views or opinions expressed are those of the presenters and do not necessarily reflect the views of NAFCU.

Page 4

Overview

• Assessment is an all-hands-on-deck exercise
• Not simply an IT issue
• Establishing the responsibility and accountability of key stakeholders is essential to success
• Assessments, audits and examinations are different processes

Page 5

Know Your Credit Union

• Understand your cyber footprint
  – Products, services and delivery mechanisms
  – All areas are impacted by internet access or remote access
  – In-house versus outsourced IT services
• Recent GAO Study and Recommendations

Page 6

Polling Question

• Do you have a complete network map that shows all of your devices, networks, IP addresses, controls, end users and vendors?
  a. Yes
  b. No
  c. Working on it now

Page 7

What We Know

• Increasing volume and sophistication of cyber threats
• Existing cyber security vulnerabilities are known
• New remote platforms create new opportunities for cyber attacks
• Bad guys evolve as they observe online behavior
• Evolving malware risks
• Government sponsored cyber attacks

Page 8

Recent NCUA Guidance

• January 15, 2015, NCUA Letter No. 15-CU-01, provided guidance to CU Boards of Directors and Chief Executive Officers on the NCUA examinations in 2015
• The first item in the guidance letter: Cybersecurity
• “In 2015, NCUA will redouble efforts to ensure that the credit union system is prepared for a range of cybersecurity threats.”

Page 9

Recent NCUA Guidance

• Guidance letter identified 6 “proactive measures credit unions can take to protect their data and their members:
  – encrypting sensitive data;
  – developing a comprehensive information security policy;
  – performing due diligence over third parties that handle credit union data;
  – monitoring cybersecurity risk exposure;
  – monitoring transactions; and,
  – testing security measures.”

Page 10

What Is the FFIEC?

• The FFIEC comprises key representatives of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee (for state banks and credit unions)
• When they speak, our world listens!

Page 11

FFIEC Risk Assessment Tool

• Goal is to help institutions identify their risks and determine their cybersecurity preparedness (maturity)
• Assessment Tool provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time
• Draws heavily on other sources, including:
  – FFIEC Information Technology (IT) Examination Handbook
  – National Institute of Standards and Technology (NIST) Cybersecurity Framework

Page 12

Is It Voluntary?

• Existing IT Security Requirements and Guidance
• Part 748 NCUA Regulations
• FFIEC IT Examination Handbook
• AIRES Examination Questionnaires
• Two-part logic: Internal value and examination value

Page 13

Assessment Overview

• Make sure you have ALL the tools before you initiate the assessment
  – Overview for CEOs and Boards
  – User’s Guide
  – Assessment Tool
  – CS Maturity Scale and Inherent Risk Profiles
  – Appendices A and B

Page 14

Polling Question

• Does your CU have a bring your own device policy?
  a. Yes
  b. No
  c. Maybe
  d. Working on one

Page 15

A Tale of Two Parts

The Assessment Tool consists of two parts

1. Inherent Risk Profile
2. Cybersecurity Maturity

Page 16

5 Risk Profile Levels

– Least Inherent Risk
– Minimal Inherent Risk
– Moderate Inherent Risk
– Significant Inherent Risk
– Most Inherent Risk

Risk Levels incorporate the type, volume, and complexity of the credit union’s operations and threats directed at the institution.

Page 17

Let’s Begin

• To complete the Assessment, management first assesses the credit union’s Inherent Risk Profile based on five categories:
  – Technologies and Connection Types
  – Delivery Channels
  – Online/Mobile Products and Technology Services
  – Organizational Characteristics
  – External Threats

Page 18

All images from FFIEC CS Overview

Page 19

Technologies and Connection Types

• “This category includes the number of Internet service provider (ISP) and third-party connections, whether systems are hosted internally or outsourced, the number of unsecured connections, the use of wireless access, volume of network devices, end-of-life systems, extent of cloud services, and use of personal devices.”
• Key Stakeholders: Information Technology

Source: FFIEC Cybersecurity Assessment Tool

Page 20

Delivery Channels

• “This category addresses whether products and services are available through online and mobile delivery channels and the extent of automated teller machine (ATM) operations.”
• Key Stakeholders: IT, card services, service delivery, ATM, operations, etc.

Source: FFIEC Cybersecurity Assessment Tool

Page 21

Online/Mobile Products and Technology Services

• “This category includes various payment services, such as debit and credit cards, person-to-person payments, originating automated clearing house (ACH), retail wire transfers, wholesale payments, merchant remote deposit capture, treasury services and clients and trust services, global remittances, correspondent banking, and merchant acquiring activities. This category also includes consideration of whether the institution provides technology services to other organizations.”
• Key Stakeholders: IT, card services, payment systems, ACH, wires, deposits, trusts (CUSO), merchant services or business services, etc.

Source: FFIEC Cybersecurity Assessment Tool

Page 22

Organizational Characteristics

• “This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.”
• Key Stakeholders: CEO, HR, IT, service delivery, operations, etc.

Source: FFIEC Cybersecurity Assessment Tool

Page 23

External Threats

• “The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure. This category considers the volume and sophistication of the attacks targeting the institution.”
• Key Stakeholders: IT, security, BSA officer, etc.

Source: FFIEC Cybersecurity Assessment Tool

Page 24

It Rhymes! Cybersecurity Maturity

After determining the Inherent Risk Profile, the credit union transitions to the Cybersecurity Maturity part of the Assessment to determine the institution’s maturity level within each of the following five domains:

– Domain 1: Cyber Risk Management and Oversight
– Domain 2: Threat Intelligence and Collaboration
– Domain 3: Cybersecurity Controls
– Domain 4: External Dependency Management
– Domain 5: Cyber Incident Management and Resilience

Page 25

Domain 1: Cyber Risk Management and Oversight

• Cyber risk management and oversight addresses the board of directors’ (board’s) oversight and management’s development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
• Key Stakeholders: Board, CEO, IT, security (BSA), HR, CFO, internal audit, risk manager, etc.

Page 26

Polling Question

• What types of third party IT vendors does your credit union utilize?
  a. Network Administrator
  b. IT Security
  c. Penetration testing
  d. Cloud applications
  e. All of the above
  f. More than one of the above

Page 27

Domain 2: Threat Intelligence and Collaboration

• Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
• Key Stakeholders: IT, security (BSA), third party resources, etc.

Page 28

Domain 3: Cybersecurity Controls

• Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution’s defensive posture through continuous, automated protection and monitoring.
• Key Stakeholders: SC, IT, security (BSA), internal audit, facilities, operations, branch, third party resources, etc.

Page 29

Domain 4: External Dependency Management

• External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution’s technology assets and information.
• Key Stakeholders: CEO, IT, vendor management, security, internal audit, legal, external resource (?)

Page 30

Domain 5: Cyber Incident Management and Resilience

• Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution’s containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
• Key Stakeholders: Board, IT, business continuity, security (BSA), internal audit, facilities, operations, branch, third party resources, etc.

Page 31

How Mature Are You?

• Each domain and maturity level has a set of declarative statements organized by assessment factor.
• It looks like this:

  Domains
    – Assessment Factors
      – Components
        – Declarative Statements

Page 32

Work Through the Assessment

• Within each domain are assessment factors and contributing components.
• Under each component, there are declarative statements describing an activity that supports the assessment factor at that level of maturity.
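As an added illustration (not part of these slides or of the FFIEC tool's own materials), the following Python models the Domain, Assessment Factor, Component and Declarative Statement hierarchy described on the two slides above and applies the tool's attainment rule: a domain reaches a maturity level only when every declarative statement at that level and at all lower levels is answered "Yes" or "Yes(C)" (yes, with compensating controls). The five level names are those the FFIEC tool defines; the statements, answers and the two domains sampled are constructed for the example.

```python
from dataclasses import dataclass

# The five maturity levels the FFIEC tool defines, lowest to highest.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


@dataclass(frozen=True)
class Statement:
    domain: str     # e.g. "Domain 1: Cyber Risk Management and Oversight"
    factor: str     # assessment factor within the domain
    component: str  # contributing component within the factor
    level: str      # maturity level the statement belongs to
    text: str       # the declarative statement itself


# Constructed sample statements (not FFIEC wording) for two of the five domains.
D1 = "Domain 1: Cyber Risk Management and Oversight"
D5 = "Domain 5: Cyber Incident Management and Resilience"
STATEMENTS = [
    Statement(D1, "Governance", "Oversight", "Baseline",
              "The board reviews the cybersecurity program annually."),
    Statement(D1, "Governance", "Oversight", "Evolving",
              "Management reports cyber risk to the board quarterly."),
    Statement(D1, "Risk Management", "Risk Assessment", "Evolving",
              "The risk assessment is updated when new products are introduced."),
    Statement(D1, "Risk Management", "Risk Assessment", "Intermediate",
              "Cyber risk is tracked in the enterprise risk register."),
    Statement(D5, "Incident Resilience Planning", "Planning", "Baseline",
              "An incident response plan exists and is approved by the board."),
    Statement(D5, "Incident Resilience Planning", "Testing", "Evolving",
              "The incident response plan is tested at least annually."),
]
# Constructed answers keyed by statement text.  The tool accepts "Yes",
# "Yes(C)" (met through compensating controls) or "No".
ANSWERS = {
    "The board reviews the cybersecurity program annually.": "Yes",
    "Management reports cyber risk to the board quarterly.": "No",
    "The risk assessment is updated when new products are introduced.": "Yes(C)",
    "Cyber risk is tracked in the enterprise risk register.": "Yes",
    "An incident response plan exists and is approved by the board.": "Yes",
    "The incident response plan is tested at least annually.": "Yes",
}

def met(answer) -> bool:
    """A statement counts as attained only with "Yes" or "Yes(C)"."""
    return answer in ("Yes", "Yes(C)")

def attained_level(domain, statements, answers):
    """Highest level whose statements, and every lower level's, are all met."""
    reached = None  # stays None when even Baseline is not fully met
    for level in LEVELS:
        at_level = [s for s in statements if s.domain == domain and s.level == level]
        # An unassessed level cannot be claimed, and a single "No" blocks this
        # level and all above it, even where higher-level statements are met.
        if not at_level or not all(met(answers.get(s.text)) for s in at_level):
            break
        reached = level
    return reached

def next_level_gaps(domain, statements, answers):
    """Statements still blocking the domain from its next maturity level."""
    current = attained_level(domain, statements, answers)
    idx = 0 if current is None else LEVELS.index(current) + 1
    if idx >= len(LEVELS):
        return []  # already at Innovative
    return [s for s in statements if s.domain == domain
            and s.level == LEVELS[idx] and not met(answers.get(s.text))]
```

Note that Domain 1 stays at Baseline even though its Intermediate statement is met: the unanswered Evolving statement is what the board report should list as the gap.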

Page 33

Domains and Assessment Factors

Page 34

Definition and Assessment Factors

Page 35

Maturity Levels

Page 36

Example of Maturity Assessment

Page 37

Bringing It Together

Page 38

Page 39

Third Party Vendors

• It is always advisable to understand the benefits and risks of third party IT specialists
• Specialized due diligence and analysis
• Arms length transactions
• Contract language
• Regular communication and reporting

Page 40

The Moving Parts of Security

• Part 748 Security Program
• Part 748.1 Filing of Reports
  – Compliance Report
  – Catastrophic Act
  – Suspicious Activity Report
• Part 748.2 BSA Compliance
  – Establish a compliance program
  – CIP
• Appendix A Safeguarding Member Information
• Appendix B Response Program – Unauthorized Access

Page 41

The Certification

“The chairperson of the Credit Union’s Board of Directors is required to certify compliance with Part 748 each year. The statement of compliance is provided at the bottom of the Credit Union Profile Form that is submitted annually to the regional director following the credit union’s election of officials.”

Source: NCUA CU Profile Form 6/14

Page 42

I hereby certify to the best of my knowledge and belief that this credit union has developed and administers a security program that equals or exceeds the standards prescribed by Part 748.0 of the NCUA Rules and Regulations; that such security program has been reduced to writing, approved by this credit union's Board of Directors; and this credit union has provided for the installation, maintenance, and operation of security devices, if appropriate, in each of its offices. Further, I certify that I am the president or managing official of the credit union or that the president or managing official has authorized me to make this submission on his/her behalf.

______________________________________________

VOLUNTEER’S NAME HERE

Page 43

Questions?