Security Driven Compliance

Transcription

1 Security Driven Compliance Using the FFIEC Cybersecurity Assessment Effectively Presented by Bryan Boam Azureity, Inc.

2 Agenda Who is Azureity? Compliance Driven Security - Traditional Security Model Azureity FFIEC Cyber Security Assessment toolkit

3 Who is Azureity?

4 Introduction to Azureity Who we are Azureity was formed in 2008 to provide managed outsourced services to banks, credit unions and other financial institutions Azureity is headquartered in Bountiful, Utah with data centers in Salt Lake City and Las Vegas What we do Provide managed IT services with the focus on security and risk management Services include ITIL Complaint Service Desk Services (Backup and DR, Desktop Mgt., Technical Support, etc ) Computer Network Security Management (IPS, Firewall Mgt., Penetration Testing, etc ) Policy Management (Acceptable Use, Backup and DR, Security, Operations) Compliance Support (Exam Preparation, FFIEC Cyber Security Toolkit, Monthly Reporting)

5 Compliance Driven Security Traditionally most organizations respond to IT audits or IT exams with the sole desire of not failing the next audit or exam

6 Firewall Compliance Driven Security Inside the Network Outside the Network Data The Internet

7 Firewall Compliance Driven Security Inside the Network Outside the Network Data The Internet

8 Firewall Bigger Firewall Traditional Security Model Inside the Network Outside the Network Data The Internet

9 Compliance Driven Security Misconception 1. The data is confined to the inside of the network

10 Firewall Bigger Firewall Compliance Driven Security Inside the Network Outside the Network Data The Internet Data

11 Compliance Driven Security Misconceptions 1. The data is not confined to the inside of the network 2. The BAD GUYS are ONLY outside the network

12 Firewall Bigger Firewall Compliance Driven Security Inside the Network Outside the Network Data The Internet Data

13 Compliance Driven Security Misconceptions 1. The data is confined to the inside of the network 2. The GOOD GUYS AND BAD GUYS are EVERYWHERE 3. Tools will solve our problems

14 Compliance Driven Security Tool Tool Tool Tool Tool Data Tool Tool Tool Tool Tool

15 Examples of New Attacks

16 Examples of new security holes

17 New Attack

18 New View of Security Compliance Driven Security Security Driven Compliance

19 Security Driven Compliance What are they doing with it? Who is accessing it? Data From where are they accessing it?

20 FFIEC Cybersecurity Overview Meant to give a meaningful, uniform assessment tool to financial institutions of all sizes Two main sections Inherent Risk Profile (39 questions) Cybersecurity Maturity (494 questions) Not a toolkit No reporting No continuity No actionable items

21 Azureity Cybersecurity Tool OVERVIEW PROCESS SECTIONS BENEFITS

22 Comprehensive Solution

23 Azureity Cybersecurity Tool: REPORT SECTIONS PRIMER EXECUTIVE SUMMARY RISK ASSESSMENT MATURITY ASSESSMENT KEY FINDINGS NEXT STEPS APPENDIX

24 Azureity Cybersecurity Tool: REPORT SECTIONS: Executive Summary

25 Azureity Cybersecurity Tool: REPORT SECTIONS: Risk Assessment Risk Assessment Process Inherent Risk Profile Sensitivity Analysis High Risk Responses Clarifying Questions Categorical Analysis Timeline Comparison

26 Azureity Cybersecurity Tool: REPORT SECTIONS: Maturity Assessment PRIMER EXECUTIVE SUMMARY RISK ASSESSMENT MATURITY ASSESSMENT KEY FINDINGS NEXT STEPS APPENDIX Innovative Advanced Intermediate Evolving Baseline

27 Azureity Cybersecurity Tool: REPORT SECTIONS: Maturity Assessment PRIMER EXECUTIVE SUMMARY RISK ASSESSMENT MATURITY ASSESSMENT KEY FINDINGS NEXT STEPS APPENDIX

28 Azureity Cybersecurity Tool: REPORT SECTIONS: Recommendations

29 Azureity Cybersecurity Tool: REPORT SECTIONS: Appendix

30 Azureity s FFIEC Cyber Security Toolkit - Simple Input System - Executive Reporting - Actionable Items - Year Over Year Continuity