GLBA, information security and incident response a compliance perspective

Transcription

1 GLBA, information security and incident response a compliance perspective

2 Introductions How many have experience with IT? How many have responsibilities involving IT? How many have responsibilities involving information security? 2

3 Todays Agenda Discuss GLBA, IT threats, risk assessments and controls. Data breach Tie together with discussion about the Target breach 3

4 What is GLBA? Brief history Banking Act of 1933/Glass Steagall Act Gramm-Leach-Bliley Act of 2002 Section 501(b) and 503 Section 216 of the FACT Act 4

5 Other requirements & laws PCI DSS Standards credit card and payment processors Civil laws Criminal laws State laws California Security Breach Information Act (CASB 1386) if you only suspect data has been stolen, you are legally obligated to disclose that a potential breach has occurred. International personal privacy laws 5

6 Safeguards Rule Section 501(b): FINANCIAL INSTITUTIONS SAFEGUARDS. In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. 6

7 What does that mean? Comprehensive information security program Must be written Administrative safeguards Technical safeguards Physical safeguards All elements must be coordinated 7

8 Financial Privacy Rule Section 503 Requires the financial institution to provide consumers with a privacy notice and annually if the notice is changed or if information is shared with nonaffiliated third parties. Proposed rule makes changes to , allowing a website notice to be used, if: it is continuously in a clear and conspicuous manner on the web site without requiring a login name and password, the customer has requested that no information be sent to them, And customer is not shared with nonaffiliated third parties for joint marketing. See , ,

9 Section 216 of FACT Act Regulatory agencies amended their guidance in 2005 to require the proper disposal of consumer information. Both paper and electronic 9

10 FDIC Part 364, Appendix B Interagency Guidelines Establishing Standards for Safeguarding Customer Information. Commonly called, The Guidelines 10

11 The Guidelines Information security program to control identified risks based on the sensitivity of the information and the complexity of the bank. Access controls (physical and logical) for both authorized employees as well as unauthorized individuals with criminal intent. Encryption of data Procedures for change and patch management Dual controls, segregation of duties, and employee background checks on employees with access to information Monitoring systems Response programs Protections from destruction, loss or damage of customer information. Employee training Testing of controls, systems and procedures for information security. 11

12 FFIEC IT booklets Federal Financial Institutions Examination Council (FFIEC) Audit Business continuity planning Development and Acquisition E-banking Information Security Management Operations Outsourcing Technology Services Retail Payment Systems Supervision of Technology Service Providers (TSP) Wholesale Payment Systems Cybersecurity (rumored to be published at some point) 12

13 Regulatory challenges Increasingly complex regulatory environment for IT departments Aligning IT goals with business goals IT department aligned with compliance/legal aspects of information security And obtaining satisfactory marks in compliance with regulatory requirements with bank examiners and internal audits. SAR filing on computer intrusions intended to remove, steal, procure or otherwise affect funds, critical information such as customer information or otherwise damage or disable critical systems. 13

14 Penalties for non-compliance Additional work and expense Loss of reputation among regulators and increased regulator oversight Loss of reputation among customers and business partners Loss of market share Litigation Loss in shareholder value Monetary penalties and/or fines 14

15 Information security program Policy and Procedures IT Governance Security controls Data Loss Prevention (DLP) Data Breach 15

16 IT Governance and Policies Directors should approve IT plans, Policies and major expenditures. IT steering committee to assist the Board Made up of senior mgmt., IT dept., end-user departments. Board reporting on IT risks, projects and issues IT risk management process Risk assessment, planned use of IT, IT implementation, measure and monitor IT risks. Chief information officer/chief Technology Officer Chief Information Security officer IT audit performed by either internal or external auditor. Compliance for interest rate calculations, disclosures, GLBA issues and information security. Record retention of electronic documents, correspondence and s. Employee training, security awareness, information security, social engineering and cybersecurity. 16

17 Cybersecurity Is management familiar with it? Has management identified cyber risks and approach and response to such risk? Are there clear roles and responsibilities for identifying, evaluating, monitoring, and responding to cybersecurity incidents? Are there crisis communications plans in place? Are non-public, sensitive data identified and protected? Are third party vendors being managed properly? What is being done to stay alert and aware of emerging cyber risks? Such as being a member of information sharing organizations. 17

18 IT threat analysis Survey external sources for emerging trends in potential threats Survey internal logs and monitoring to identify any emerging trends in new or existing threats Conduct a security review to identify weaknesses in IT infrastructure that could enable a threat Map incident attempt patterns to critical security controls could be a part of the IT risk assessment Periodic vulnerability scans can also uncover new or emerging threats 18

19 Current IT threats Cyber security/resiliency Advanced Persistent Threats (APTs) DDoS attacks Social engineering Cyber-espionage Malware & Crimeware Web app attacks Man-in-the-middle attacks Insider misuse Payment card skimmers & point-of-sale intrusions Pretext calling 19

20 IT risk assessment General goals of any risk assessment: Communicate what the risks are Prioritize critical security controls Identifies control weaknesses Gap analysis IT Risk assessment frameworks: International Organization for Standardization (ISO) Control Objectives for Information Technology (COBIT) National Institute of Standards and Technology (NIST) BITS 20

21 IT Controls Pre-employment background screens Physical Security Authentication and logical access Authority and user rights & permissions Network infrastructure Security Encryption Database management Systems development and change management Log and event governance Mobile security BYOD Wifi security Web Application security Social media Data retention policy Business continuity and disaster recovery IT internal audits White hat hacking 21

22 Third party vendors SLA Agreements Access to SSAE 16 Type II, Audit rights GLBA and IT security clauses FDIC FIL guidance for outsourcing technology vendors. Three documents on: vendor selection, contracts, and managing multiple vendors. FDIC FIL notification under the Bank Service Company Act. Use Form FIL applies even to IT 22

23 Recent guidance FFIEC webinar on Executive Leadership of Cybersecurity FDIC FIL : GNU Bourne-Again Shell (Bash) vulnerability FDIC FIL : OpenSSL Heartbleed Vulnerability FTC, DOJ on sharing cybersecurity information Antitrust guidelines for collaborations among competitors Recognize the importance of sharing cyber threat information not competitively sensitive information. FDIC PR : Cyber resources to help identify and mitigate potential cyber-related risks Printer/fax/copier FIL

24 Other areas for review and IT hot topics Other areas Bank Secrecy Act systems Identity theft red flags Hot topics Cybersecurity Third-party/vendor management Mobile and malware 24

25 Data Breach, what is it? A disaster! IT cannot guarantee against a data breach It can effect not only the consumers, but also impact the financial institution. Could effect other business relationship, such as a third party vendor Stats from Identity Theft Resource Center: Businesses, healthcare, and education accounted for 86% Financial industry only 3.7% Data breaches change consumer behavior 36% stopped shopping at retailer 24% reduced or stopped making online purchases 23% reduced or stopped using their credit and/or debt cards 25

26 How to prepare Face it and remain cool Respond fast Build a team and establish key relationships (internal & external) Lay groundwork before it happens have a plan Begin with a simple strategy Keep the plan alive Commit to the plan Cover all bases Make it a priority from the top Add accountability Training Test it Learn from it and what others are doing 26

27 Incident Response Plan Written procedures in place Conduct an investigation on what/how it happened Brief stakeholders Define an identified incident that requires a public response Nature of the compromise, type of information taken, Likelihood of misuse, potential damage arising from misuse Notify affected consumers in writing Notify law enforcement, local police, local FBI office or the U.S. Secret Service Notify the three major credit bureaus Notify FSISAC so others in the industry can also prepare against such an attack. Setup a hotline to respond to customers Provide information on adding a fraud alert to their credit file. 27

28 Public Notice Contents Be honest and clear in communications Describe what is know about the compromise How it happened, what was taken, how the information was used, what actions you are/have taken Brief description about identity theft. FTC s website is a great resource Provide contact information for the law enforcement agency working on the case Encourage consumers to file a complaint with the FTC so their information can be entered in to the identity theft data clearinghouse this information is made available to law enforcement. 28

29 Recent notable breaches Target The Home Depot JP Morgan 29

30 The Target Breach Kill Chain Source: U.S. Senate: Committee on commerce, Science, and Transportation, A Kill Chain Analysis of the 2013 Target data Breach 30

31 The Target Breach Timeline Source: U.S. Senate: Committee on commerce, Science, and Transportation, A Kill Chain Analysis of the 2013 Target data Breach 31

32 Resources Financial Services Information Sharing and Analysis Center (FSISAC) ISACA NIST publications SANS Institute Krebsonsecruity.com Pcisecuritystandards.org Albert Gonzalez (cybercriminal now in prison) 32

33 Questions? Mike De Carlo 33