PACB One-Day Cybersecurity Workshop
CYBERSECURITY IN YOUR ISP!
PRESENTED BY: JON WALDMAN, SBS – CISA, CRISC
© Secure Banking Solutions, LLC www.protectmybank.com

Agenda
• What is cybersecurity?
• What do I need to know about cybersecurity?
• What are some of today’s cybersecurity threats?
• How do I build a useful Information Security Program?
• How do I build a Risk Assessment that helps me make decisions?
• People are the weakest link; how do I prepare and train my people to mitigate risk?
• Bad things are going to happen; it’s inevitable. How do I plan for and prepare to respond to incidents?

Building an Information Security Program
HOW TO MAKE YOUR ISP YOUR BEST FRIEND!

Gramm-Leach-Bliley Act
• Management must develop a written information security program
• What is the “M” in the CAMELS rating?
The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank.


Written Information Security Program
• Includes administrative, technical, and physical safeguards appropriate to the bank’s size and complexity and the nature and scope of activities
• Represented by a set of policies and procedures that implement controls identified in the risk assessment

Gramm-Leach-Bliley 501(b)
FINANCIAL INSTITUTIONS SAFEGUARDS.—In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards—
• (1) to insure the security and confidentiality of customer records and information;
• (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
• (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

FDIC - Appendix B to Part 364
A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.
B. Objectives. A bank's information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information;
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
4. Ensure the proper disposal of customer information and consumer information.

Top 10 ISP Issues
• Incomplete - no standard to follow and missing key components (Vendor, Scanning)
• Not documented
• Non-auditable statements
• Hard to maintain (gets out of date quickly)
• Developed reactively
• Lack of management/board involvement
• Moving target - bar is continually raised
• Lack of automation - policy is developed by hand, risk assessment is completed by hand, etc.
• Poor IT risk assessment
• Insufficient audit - qualifications, independence, scope, etc.

Policy
• Each new policy gets bolted on.
• Older policies get older.
• More stuff gets added to fix old stuff that is still there.
• Why does this happen, don’t you like policy writing?
(Cartoon captions: “BEWARE THE GLOB!” / “Oh no! Not the GLOB!”)

Ideally…
• Customized ISP for a Community Bank includes the best of:


IT Risk Assessment
Gramm-Leach-Bliley Act requires you to develop and implement an Information Security Program (ISP) based on the IT Risk Assessment:
• Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of bank information or bank information systems.
• Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the bank information.
• Assessment of the sufficiency of the policies, procedures and bank information systems in place to control the identified risks.
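A worked scoring of the three risk-assessment steps above, added here as an example and not taken from the workshop: each asset/threat pair gets likelihood x damage weighted by information sensitivity, existing controls are credited by their sufficiency, and the residual score is banded Red/Yellow/Green as on the blueprint slide. The asset register, numeric scales, reduction factors and band thresholds are all assumptions.

```python
"""Worked GLBA-style IT risk assessment: identified threats, likelihood x damage
weighted by information sensitivity, then credit for the sufficiency of existing
controls. Every asset, threat, weight and threshold here is a constructed example."""
from dataclasses import dataclass

SCALE = {"low": 1, "medium": 2, "high": 3}            # ordinal ratings (assumed)
REMAINING = {"low": 1.0, "medium": 0.6, "high": 0.3}  # risk left for a given control sufficiency (assumed)

@dataclass
class RiskItem:
    asset: str
    sensitivity: str          # nonpublic customer information rates high
    threat: str               # reasonably foreseeable internal or external threat
    likelihood: str           # low / medium / high
    damage: str               # potential damage if the threat occurs
    control_sufficiency: str  # how well current policies and systems address it

def inherent_risk(item):
    """Likelihood x damage, weighted by the sensitivity of the information at risk."""
    return SCALE[item.likelihood] * SCALE[item.damage] * SCALE[item.sensitivity]

def residual_risk(item):
    """Inherent risk left after the controls already in place are credited."""
    return round(inherent_risk(item) * REMAINING[item.control_sufficiency], 1)

def rating(score):
    """Red / Yellow / Green bands as on the blueprint slide (thresholds assumed)."""
    return "Red" if score >= 12 else "Yellow" if score >= 6 else "Green"

def assess(items):
    """One (asset, threat, inherent, residual, rating) row per item, riskiest first."""
    rows = [(i.asset, i.threat, inherent_risk(i), residual_risk(i), rating(residual_risk(i)))
            for i in items]
    return sorted(rows, key=lambda row: row[3], reverse=True)

def control_gaps(items):
    """Items still Red or Yellow: the controls the ISP must document and the audit must test."""
    return [(asset, threat, band) for asset, threat, _, _, band in assess(items) if band != "Green"]

# Constructed register using asset types the deck itself names
REGISTER = [
    RiskItem("Core Banking Server", "high", "Unpatched internal vulnerability", "medium", "high", "medium"),
    RiskItem("Loan officer laptop", "high", "Lost or stolen, unencrypted", "medium", "high", "low"),
    RiskItem("Branch workstation", "medium", "Phishing steals credentials", "high", "medium", "medium"),
    RiskItem("Public website", "low", "Web defacement", "medium", "low", "high"),
]

if __name__ == "__main__":
    for asset, threat, inherent, residual, band in assess(REGISTER):
        print(f"{band:6} residual {residual:5} (inherent {inherent:2})  {asset}: {threat}")
```

The unencrypted laptop lands in Red even though its inherent risk equals the core server's, because nothing is credited against it; that is the kind of gap the ISP's policies and the audit scope should be built around.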

Asset Management
• Inventory assets
• Policy and procedure for:
◦ Adding assets
◦ Retiring assets
◦ Cleansing assets
• ISO standard is big into asset management
• Think about how many information leaks involve not accounting for assets
◦ Laptops
◦ Tapes
◦ Etc.

Vendor Management
• Given the increased reliance on outside firms for technology-related products and services, management must identify and mitigate risk in these technology decisions
• Vendor Management
• Technology Service Provider Management
• Just because you outsource your technology does not mean you outsource your information protection responsibilities
• Need to manage your vendors to ensure they are protecting your nonpublic information (customer and financial information)

Vulnerability Assessment
• Definition: Technical scan of your networked equipment that identifies vulnerabilities, conducted from inside the Bank.
• Scope
◦ All networked equipment.
◦ Examples include: Core Banking Server, Servers, Workstations, Voice Over IP, Mobile Devices
(Diagram labels: Hackers, Internet, Bank Firewall, Workstations, Servers, Vulnerability Assessment, Penetration Test)

Penetration Testing
• Definition: Technical scan conducted from outside the Bank on any equipment that is exposed to the internet. Simulates the process that a hacker would use to gain access to Bank information.
• Scope
◦ Include all your public IP addresses (even unused IPs)
◦ Email Server
◦ Web Server
◦ Internet Banking Server
◦ VPN connections

Security Awareness
• Security Awareness is the degree or extent to which people understand (and act accordingly):
◦ the importance of security and common threats
◦ organizational policies and procedures
◦ their individual security responsibilities
• Employees only?

Social Engineering
• The manipulation of people, rather than machines, to successfully breach the security systems of an organization.
• People, by nature, are unpredictable and susceptible to manipulation and persuasion.
• Rich Mogull, research director for information security and risk at Gartner, said “social engineering is more of a problem than hacking. We believe social engineering is the single greatest security risk in the decade ahead.”
• Google “social engineering biggest threat”

Emergency Preparedness
• Disaster Recovery
• Business Continuity
• Incident Response
• Pandemic Influenza
(Diagram labels: BIA, Risk Assessment, Risk Management, Plan, Monitor / Test)

Audit
• Determine the presence of controls and test the effectiveness of those controls through an independent and objective evaluation.
• Risk Assessment = identifies the controls
• ISP = policies, procedures and guidelines that document controls
• IT audit = reviews compliance and adequacy of controls

Organizational Chart
• Provides an overview of the personnel working at the bank
• Looking for the following roles (sample):
◦ Information Security Officer
◦ Information Technology
◦ Auditor
◦ Compliance Officer
• Who is doing what?

IT Committee
• Is management involved in IT decisions?
• Checks and balances…not just one person
• Weekly, monthly, or quarterly
• Made up of people who can make decisions
• Can work out issues before presenting to the board (i.e., policy changes)
• Can handle issues so that some things don’t need to go to the board (procedure changes)

Network Diagram
• Picture representation of your network
• Includes connectivity to:
◦ Internet
◦ Branches
◦ Service Providers
◦ Etc.
• Important because it:
◦ Communicates the network to staff and examiners
◦ Supports maintenance and troubleshooting of network issues
◦ Helps plan for the addition of new technology
◦ Helps with business continuity

Network Diagram Example
(diagram not reproduced)

Information Security Blueprint Benefits
• GLBA Compliance
◦ Simple representation of a complex question
• Successful IT Examination
◦ Initial talking points with examiners
◦ Demonstrate effective management
• Good Measurable Security
◦ Red, Yellow, Green for the fundamentals of good security
• Improve Over Time
◦ (Plan - Do - Check - Act, process improvement)
• Where else do you create blueprints?
◦ Organizational Chart
◦ Network Diagram
◦ Branch Construction


Summary of Lessons Learned
• Find a blueprint you like
• Implement the blueprint in phases
• Use the blueprint to handle new technologies and security threats
• Explore tools to make it easier and faster
• Automating policy development and maintenance is now an option
