Lecture Materials MANAGING SECURITY RISK IN BANKING
|
|
- Rose Shepherd
- 6 years ago
- Views:
Transcription
1 Lecture Materials MANAGING SECURITY RISK IN BANKING Kevin Streff Professor of Cybersecurity Dakota State University & Founder SBS Cybersecurity, LLC August 9-11, 2017
2
3 IT Risk Assessment 2017 Graduate School of Banking at University of Wisconsin Dr. Kevin Streff Founder: SBS Cybersecurity, LLC 1
4 Goals Understand the top risk assessment issues that cause problems and inefficiencies Learn to expand and mature risk assessment programs: IT risk assessment Corporate account assessments (CATO) Enterprise Risk Management BSA Risk Management Watch how leading tools enable quicker and better risk assessment Review risk assessment best practices 2
5 Regulator Requirements: Gramm Leach Bliley Act Gramm Leach Bliley Act requires you to develop and implement an Information Security Program and conduct Risk Assessments A comprehensive written information security program which defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a bank s operations and the nature and scope of its activities. Prior to implementing an information security program, a bank must first conduct a risk assessment which entails: Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems. Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the member information. Assessment of the sufficiency of the policies, procedures and member information systems in place to control the identified risks. 3
6 Gramm Leach Bliley Act Management must develop a written information security program What is the M in the CAMELS rating? Don t just do good security things, have a well managed program Don t rely on individual heroism, have a well managed program The Information Security Program is the way management demonstrates to regulators that information security is being managed at the financial institution 4
7 Gramm Leach Bliley Act Gramm Leach Bliley Act requires your financial institution to develop and implement 1) an Information Security Program and 2) Risk Assessments Information Security Program: Defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a financial institution s operations and the nature and scope of its activities. Risk Assessment Program: Prior to implementing an information security program, a financial institution must first conduct a risk assessment
8 Layered Information Security Program I.T. Risk Assessment Asset Management Vendor Management Penetration Testing Vulnerability Assessment Security Awareness Business Continuity Incident Response I.T. Audit Documentation Boards & Committees 6
9 2016 Secure Banking Solutions, LLC 7
10 Question What is the OUTCOME of good IT risk assessment? 8
11 Exercise 1 Allocating Resources 9
12 10
13 Exercise 1 Your bank has $25,000 of additional spending to put towards security in You were just provided the chart How would you allocate the $25,000? 11
14 Maturing Your Risk Assessment Bank Internal & External System & Organizational Third Party Vendors Business Partners Downstream Partners Commercial Merchant Correspondent Banking ACH Origination Enterprise Risk Bank Secrecy Act Cyber Risk 12
15 Capability Maturity Model Level 0 Initial Any sort of process at all Level 1 Repeatable Processes are documented and practiced Level 2 Defined Processes are consistent and known within the organization Level 3 Quantitatively Managed Processes are measured quantitatively and evaluated Level 4 Optimized Processes continually improve with new technologies or methods 13
16 4 Commercial Threats Goal 3 3 rd Party Threats Goal Bank Threats Goal Level of Assessment (CMM Levels) Low Medium High Level of Risk 14
17 Bank Assessments 15
18 What is IT Risk Assessment? The evaluation of the risks to information resources to determine adequacy of current controls so that management can allocate resources Streff,
19 Exercise 2 Reviewing a Risk Assessment 17
20 Asset Value Threat Likelihood Impact Control Traditional IT Risk Core Processor High Unauthorized User Access High High Password Controls Assessment Process View Core Processor example in attached spreadsheet Physical Access End-User Responsibilities Access Controls Insurance Unauthorized Physical Access Low Medium Motion Sensors and Alarm System Security Cameras Control Authorized Use Hardware Security Physical Security Unauthorized Viewing Medium Medium Screen Savers Privacy Screens Electrical Anomalies Medium High Electrical Services Contingency Plan Physical Security Hardware Failure Medium High Data Integrity Bank Processing Hardware EDP Contingency Procedures Software Failure Medium High Data Software Availability Bank Processing Software Incident Response Plan Host Processing Systems Software Security Data and Software Availability Media Failure Medium Low Data Integrity Disaster Recovery Data and Software Availability Overall Risk Rating Communications Failure Low Medium Telecommunications Services Low 18 High Medium Medium High High Medium Low
21 Asset Value Threat Likelihood Impact Control Traditional IT Risk Natural Disaster Low High Contingency and Plan Business Resumption Assessment Process View Core Processor example in attached spreadsheet Data Integrity Incident Response Plan Insurance Other Disasters Low High Contingency and Business Resumption Plan Data Integrity Fire Control Incident Response Plan Insurance Overall Risk Rating Medium Medium Malicious Software Low Medium Anti-Virus/Malware Software Protection Medium User Error Medium Low Dual Control Procedures Low Accidental Disclosure, Social Engineering Medium Medium Dial-up Access Encryption Information Requests File Transfers Fraudulent Transactions Medium High Separation of Duties System Activity Logs Maintenance Error Medium Low Modifications Modification Procedures Software Change Control Host Processing Systems Improper Use Medium Medium System Activity Logs Modifications, Dual Control Procedures Acceptable Use Medium Medium Low Medium 19
22 Exercise 2 Instructions What do you agree with? What do you disagree with? What story is this risk assessment telling? How would the bank allocate resources if you provided them with this assessment? 20
23 Risk Assessment is: A process A management process A management process to identify A management process to identify, measure A management process to identify, measure, mitigate A management process to identify, measure, mitigate and monitor A management process to identify, measure, mitigate and monitor to allocate resources 21
24 5 Step IT Risk Assessment Process Step 0 Inventory: Step 4 Risk Monitoring Step 1 Risk Identification Residual Risk Step 3 Risk Mitigation Step 2 Risk Measurement Inherent Risk 22
25 Step 1 - Inventory: Identify all assets, vendors and service providers 5 Step IT Risk Assessment Process Step -5-Demonstrate Compliance: Reporting Improve the process Document Residual Risk Step 2 - Develop Priorities: Protection Profile (CIAV) Residual Risk Step 4 - System Controls: What system safeguards does the bank want to implement? Step 3 - Identify Threats: What are the threats to each asset (including impact and probability of each threat)? Inherent Risk 23
26 IT Risk Management Tools Efficiency Repeatability Quality Automate processes Examiners like them BOTTOM LINE #1: Act as your security expert BOTTOM LINE #2: Allow bank to spend time examining information and making decisions (not compiling a risk assessment spreadsheet) 24
27 Top Risk Assessment Products Archer tech.com Kansas bsecure Texas CoNetrix Texas Modulo Seattle Riskkey Texas RiskWatch Maryland Scout inc.com Wisconsin TRAC South Dakota WolfPAC Maryland 25
28 IT Assets
29 Protection Profile
30 Threats
31 Controls
32 Protection Profile Report
33
34 Risk Appetite The more important the asset, the more risk you want to reduce risk. Acceptable levels of risk are identified and measured against.
35 Commercial Account Assessments Commercial Banking Fraud 33
36 Commercial Account Takeover Cyber criminals are targeting commercial accounts Business/Commercial accounts do not have the same legal protections afforded to consumer accounts (Reg E) Schumer Bill introduced in 2012 to Reg E Schools and Municipalities 34
37 Commercial Banking Fraud January 22, 2009 Experi Metal Inc. Sterling Heights, MI Sues Comerica Bank ($60M) Dallas, TX An EMI employee opened and clicked on links within a phishing $1.9M stolen, $560,000 was not recoverable 47 wires in one day to foreign and domestic accounts which EMI never wire to before Ruling: Bank failed to detect the fraud and must pay Experi Metal $560,000 in losses. 35
38 Small Business Security 70% lack basic security controls Get to the basics with each small business Conduct a risk assessment looking for these basic security controls Firewall, Strong passwords, Malware Protection Etc. 36
39 37
40 Finger Pointing and ACH Risk 38
41 Mitigating ACH Fraud in Community Banks Layered Information Security Program Enhanced Focus on Security Awareness Risk Assess Corporate Account Portfolio and Take Action 39
42 Commercial Account Takeover FFIEC Guidance FFIEC s Interagency Supplement to Authentication in an Internet Banking Environment states the following activities to mitigate commercial account takeover: Risk Assess to better understand and respond to emerging threats. Increased multi factor authentication. Layered security controls. Improved device identification and protection. Improved customer and employee fraud awareness. CSBS CATO Guidance 40
43 Bottom Line Need to develop a way for your bank to assess the risk of commercial accounts 41
44 ACH Regulatory Compliance REGULATION Board of Directors at the bank are responsible to: Reduce/Control ACH Fraud Meet FFIEC Guidance Meet CSBS Guidance Actions Controls at the Bank Corporate account security is part of your layered security program Minimum list of 9 security controls in the FFIEC supplement Controls at the Business CATO Risk Assessment List of controls in the CSBS guidance Customer Education Contracts/Documentation 42
45 Controls at Your Bank Effective controls that may be incorporated in a layered security program include, but are not limited to: Fraud monitoring and detection Dual authorization Out Of Band transaction verification Positive pay Account activity controls or limits on value, volume, timeframes, and payment recipients IP reputation based blocking tools Polices and procedures for addressing potentially infected customer devices Enhanced control over account maintenance Enhanced customer education 43
46 How do You Assess Merchant Risk? 44
47 5 Step IT Risk Assessment Process Step 0 Inventory: Step 4 Risk Monitoring Step 1 Risk Identification Residual Risk Step 3 Risk Mitigation Step 2 Risk Measurement Inherent Risk 45
48 Commercial Account Assessments Commercial Banking Fraud
49 Bottom Line Need to develop a way for your bank to assess the risk of commercial accounts
50 48
51 49
52 Assessment Results 50
53 Track Progress 51
54 Easily Create a campaign 52 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit y
55 Choose from a huge library of phishing templates 53 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit y
56 Realistic Templates 54 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit y
57 Educate them WHEN they click 55 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit y
58 Other Phishing Tools Wombat Phishme QuickPhish Tandem Phishing Most of these tools offer a free trial 56 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit y
59 Enterprise Risk Management 57
60 Enterprise Risk Management (ERM) ERM is a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (FDIC Internal ERM Program and COSO) ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity s risk management in a changing operating environment. (Protiviti consulting firm) 58
61 Business Processes Administrative Affiliate Back Office Customer Service Finance Lending Marketing Regulatory Retail (Deposits) Information Technology 59
62 Threat Areas Operational Reputational Compliance Financial Strategic Categories commonly used in FFEIC booklets. 60
63 ERM Risk Mitigation Goals 61
64 ERM Protection Profile 62
65 ERM Threats 63
66 ERM Controls 64
67 ERM Reporting 65
68 Report Risk Mitigation 66
69 Report Threat Source 67
70 REPORT PEERCOMPARISON 68
71 Bank Secrecy Act Assessments 69
72 Bank Secrecy Act (BSA) The Currency and Foreign Transactions Reporting Act of 1970 (which legislative framework is commonly referred to as the Bank Secrecy Act or BSA ) requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in The BSA is sometimes referred to as an anti money laundering law ( AML ) or jointly as BSA/AML. Several AML acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC and 31 CFR Chapter X [formerly 31 CFR Part 103] ). 70
73 BSA Program Components Program is driven by a risk assessment. A system of internal controls to ensure ongoing compliance. Independent testing of BSA compliance. A specifically designated person or persons responsible for managing BSA compliance (BSA compliance officer). Training for appropriate personnel htm 71
74 Risk Driven BSA Program 72
75 BSA Account Types 73
76 BSA Risk Areas 74
77 BSA Controls 75
78 BSA Reports 76
79 Report Account Risk 77
80 Cyber Security Assessment Sec ure Ban king
81 FFIEC CA Tool (3 parts) Three (3) major components 1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity 2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats 3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity Sec ure Ban king
82 Cybersecurity Inherent Risk Very PRESCRIPTIVE Really getting to the Size and Complexity issue originally stated by GLBA Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats Sec ure Ban king
83 Cybersecurity Inherent Risk Five Inherent Risk Areas 1. Technologies and Connection Types 2. Delivery Channels 3. Online/Mobile Products and Technology Services 4. Organizational Characteristics 5. External Threats Sec ure Ban king
84 Sec ure Ban king
85 Cybersecurity Maturity Measure Maturity in 5 Domains (+ Assessment Factors) 1. Cyber Risk Management and Oversight Governance, Risk Management, Resources, and Training 2. Threat Intelligence and Collaboration Threat Intelligence, Monitoring & Analyzing, and Info Sharing 3. Cybersecurity Controls Preventative, Detective, and Corrective controls 4. External Dependency Management External Connections and (Vendor) Relationship Management 5. Cyber Incident Management and Resilience Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting Sec ure Ban king
86 What is Cybersecurity Maturity? Determining whether an institution s behaviors, practices, and processes can support cybersecurity preparedness I.E. are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents? Sec ure Ban king
87 Determining Maturity Level Within each component, declarative statements describe activities supporting the assessment factor at each maturity level All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain s maturity level What this actually means: Identify the controls you have in place, starting with baseline controls and escalating up in order to determine maturity levels Sec ure Ban king
88 Sec ure Ban king
89 Increasing Maturity Sec ure Ban king
90
91
92
93
94
95
96
97
98
99
100
101
102 Risk Assessment Best Practices Determine which kind of assessment is the most important for your bank and invest accordingly Mature your program Have repeatable processes for each kind of assessment Assign an owner for each kind of assessment Create a policy and program for each kind of assessment Leverage tools to promote consistency and good decision making Don t use the manual spreadsheet technique! Produce your documentation along the way Ensure management/board involvement 100
103 Review of Goals Understand IT risk assessment law and regulation Understand the top risk assessment issues that cause problems and inefficiencies Learn how to expand and mature: IT risk assessment Corporate account assessments (CATO) Enterprise Risk Management BSA Risk Management Review effective risk assessment policy Watch how leading tools enable quicker and better risk assessment Review risk assessment best practices Big 5: Tools, KnowB4, repeatable processes, policies, schedules 101
104 Risk Assessment Schedule 102
105 Dr. Kevin Streff Professor of Cybersecurity at Dakota State University (605) Founder: SBS Cybersecurity, LLC. (605)
MANAGING SECURITY RISK IN BANKING. Kevin F. Streff Managing Partner SBS CyberSecurity, LLC Madison, SD
MANAGING SECURITY RISK IN BANKING Kevin F. Streff Managing Partner SBS CyberSecurity, LLC Madison, SD kevin.streff@sbscyber.com 605-270-0790 August 8-10, 2018 IT Risk Assessment 2018 Graduate School of
More information10 Cybersecurity Questions for Bank CEOs and the Board of Directors
4 th Annual UBA Bank Executive Winter Conference February, 2015 10 Cybersecurity Questions for Bank CEOs and the Board of Directors Dr. Kevin Streff Founder, Secure Banking Solutions 1 Board of Directors
More informationFDIC InTREx What Documentation Are You Expected to Have?
FDIC InTREx What Documentation Are You Expected to Have? Written by: Jon Waldman, CISA, CRISC Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC Since the FDIC rolled-out the
More informationOverview Bank IT examination perspective Background information Elements of a sound plan Customer notifications
Gramm-Leach Bliley Act Section 501(b) and Customer Notification Roger Pittman Director of Operations Risk Federal Reserve Bank of Atlanta Overview Bank IT examination perspective Background information
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationCybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City
1 Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City The opinions expressed are those of the presenters and are not those of the Federal Reserve Banks, the
More informationInterpreting the FFIEC Cybersecurity Assessment Tool
Interpreting the FFIEC Cybersecurity Assessment Tool Wayne H. Trout, CISA, CRISC, CBCA, CBRA, CBRITP NCUA Supervisor, Critical Infrastructure and Cybersecurity What We ll Cover Cyber risk management Cybersecurity
More informationRegulation P & GLBA Training
Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed
More informationEmerging Issues: Cybersecurity. Directors College 2015
Emerging Issues: Cybersecurity Directors College 2015 Agenda/Objectives Define Cybersecurity Cyber Fraud Trends/Incidents FFIEC Cybersecurity awareness initiatives Community Bank expectations FFIEC Cybersecurity
More information2015 HFMA What Healthcare Can Learn from the Banking Industry
2015 HFMA What Healthcare Can Learn from the Banking Industry Agenda Introduction- Background and Experience Healthcare vs. Banking The Results OCR Audit Results Healthcare vs. Banking The Theories Practical
More informationCybersecurity in Higher Ed
Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationFFIEC Cyber Security Assessment Tool. Overview and Key Considerations
FFIEC Cyber Security Assessment Tool Overview and Key Considerations Overview of FFIEC Cybersecurity Assessment Tool Agenda Overview of assessment tool Review inherent risk profile categories Review domain
More informationsecurity FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.
security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name. Security for Your Business Mitigating risk is a daily reality for business owners, but you don t have
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationFFIEC Guidance: Mobile Financial Services
FFIEC Guidance: Mobile Financial Services Written by: Jon Waldman, CISA, CRISC Partner and Senior Information Security Consultant Secure Banking Solutions, LLC FFIEC Updates IT Examination Handbook to
More informationManaging Cybersecurity Risk
Managing Cybersecurity Risk Maureen Brundage Andy Roth August 9, 2016 Managing Cybersecurity Risk Cybersecurity: The Current Legal and Regulatory Environment Cybersecurity Governance: Considerations for
More informationTable of Contents. Sample
TABLE OF CONTENTS... 1 CHAPTER 1 INTRODUCTION... 4 1.1 GOALS AND OBJECTIVES... 5 1.2 REQUIRED REVIEW... 5 1.3 APPLICABILITY... 5 1.4 ROLES AND RESPONSIBILITIES SENIOR MANAGEMENT AND BOARD OF DIRECTORS...
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationCybersecurity and Data Protection Developments
Cybersecurity and Data Protection Developments Nathan Taylor March 8, 2017 NY2 786488 MORRISON & FOERSTER LLP 2017 mofo.com Regulatory Themes 2 A Developing Regulatory Environment 2016 2017 March CFPB
More informationGramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.
Gramm Leach Bliley Act 15 U.S.C. 6801-6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 11/30/2016 1 Objectives for GLBA Training GLBA Overview Safeguards Rule
More informationAnnual Report on the Status of the Information Security Program
October 2, 2014 San Bernardino County Employees Retirement Association 348 W. Hospitality Lane, Third Floor San Bernardino, CA 92415-0014 1 Table of Contents I. Executive Summary... 3 A. Overview... 3
More informationRisk Management in Electronic Banking: Concepts and Best Practices
Risk Management in Electronic Banking: Concepts and Best Practices Jayaram Kondabagil BICENTENNIAL B1CBNTENNIAL John Wiley & Sons (Asia) Pte Ltd. Contents List of Figures xiii List of Tables xv Preface
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationREGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.
REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES Dynamic Solutions. Superior Results. PERSONALIZED HELP THAT RELIEVES THE BURDEN OF MANAGING COMPLIANCE The burden of managing risk and compliance is
More informationGLBA, information security and incident response a compliance perspective
GLBA, information security and incident response a compliance perspective Introductions How many have experience with IT? How many have responsibilities involving IT? How many have responsibilities involving
More informationBalancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld
Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationGlobal Statement of Business Continuity
Business Continuity Management Version 1.0-2017 Date January 25, 2017 Status Author Business Continuity Management (BCM) Table of Contents 1. Credit Suisse Business Continuity Statement 3 2. BCM Program
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationPrepaid Access MIDWEST ANTI-MONEY LAUNDERING CONFERENCE Federal Reserve Bank of Kansas City March 5, 2014
Prepaid Access 2014 MIDWEST ANTI-MONEY LAUNDERING CONFERENCE Federal Reserve Bank of Kansas City March 5, 2014 Discussion Points Emerging Technology Prepaid Access What is it and how does it work? Open
More informationPost-Secondary Institution Data-Security Overview and Requirements
Post-Secondary Institution Data-Security Overview and Tiina K.O. Rodrigue, EdDc, CISSP, CISM, PMP, CSM, CEA, ITIL, ISC2 Compliance Mapper, A+ Senior Advisor Cybersecurity - 2017 Agenda Who needs to worry
More informationCredit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank
Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank Introduction The 6,331 credit unions in the United States face a unique challenge when it comes to cybersecurity.
More information2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along
2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management Today s Speakers Olivia Munro Senior Marketing Specialist Eze Castle Integration Bob Shaw Director, Technical Architecture Eze Castle
More informationNYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing
More informationData Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory
Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable
More informationPutting It All Together:
Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,
More informationSage Data Security Services Directory
Sage Data Security Services Directory PROTECTING INFORMATION ASSETS ENSURING REGULATORY COMPLIANCE FIGHTING CYBERCRIME Discover the Sage Difference Protecting your business from cyber attacks is a full-time
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationNEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE
COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationASSESSMENT LAYERED SECURITY
FFIEC BUSINESS ACCOUNT GUIDANCE RISK & ASSESSMENT LAYERED SECURITY FOR ONLINE BUSINESS TRANSACTIONS New financial standards will assist banks and business account holders to make online banking safer and
More informationSYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security
SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationCISM Certified Information Security Manager
CISM Certified Information Security Manager Firebrand Custom Designed Courseware Logistics Start Time Breaks End Time Fire escapes Instructor Introductions Introduction to Information Security Management
More informationEFT SWIFT Breaches Highlight Growing Fraud
EFT SWIFT Breaches Highlight Growing Fraud HOW ARE THE BAD GUYS STEALING MONEY OUT FROM UNDER OUR NOSES? PRESENTED BY: TOTAL TRAINING SOLUTIONS AND JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon
More informationSecurity Breaches: How to Prepare and Respond
Security Breaches: How to Prepare and Respond BIOS SARAH A. SARGENT Sarah is a CIPP/US- and CIPP/E-certified attorney at Godfrey & Kahn S.C. in Milwaukee, Wisconsin. She specializes in cybersecurity and
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationInformation for entity management. April 2018
Information for entity management April 2018 Note to readers: The purpose of this document is to assist management with understanding the cybersecurity risk management examination that can be performed
More informationCybersecurity and the Board of Directors
Cybersecurity and the Board of Directors Key Findings from BITS/FSR Meetings OVERVIEW Board directors are increasingly required to engage in cybersecurity risk management yet some may need better education
More informationFFIEC Cybersecurity Assessment Tool
All About the ew FFIEC Cybersecurity Assessment Tool August 25, 2015 Susan Orr Consulting, Ltd. FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Board Users Guide Inherent
More informationFFIEC Cybersecurity Assessment Tool
All About the ew FFIEC Cybersecurity Assessment Tool June 22, 2016 Susan Orr Consulting, Ltd. 1 FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Board Users Guide Inherent
More information3/13/2015. COSO Revised: Implications for Compliance and Ethics Programs. Session Agenda. The COSO Framework
COSO Revised: Implications for Compliance and Ethics Programs Urton Anderson, CCEP Director of the Von Allmen School of Accountancy and EY Professor The University of Kentucky Session Agenda The COSO Framework
More informationCybersecurity Conference Presentation North Bay Business Journal. September 27, 2016
Cybersecurity Conference Presentation North Bay Business Journal September 27, 2016 1 PRESENTER Francis Tam, CPA, CISM, CISA, CITP, CRISC, PCI QSA Partner Information Security and Infrastructure Practice
More informationAddressing Vulnerabilities By Integrating Your Incident Response Plans. Brian Coates Enaxis Consulting
Addressing Vulnerabilities By Integrating Your Incident Response Plans Brian Coates Enaxis Consulting Contents Enaxis Introduction Presenter Bio: Brian Coates Incident Response / Incident Management in
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More information2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager
2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager NIST Cybersecurity Framework (CSF) Executive Order 13636 Improving Critical Infrastructure Cybersecurity tasked the National
More informationISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION
ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project
More informationTechnology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited
Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry
More informationINTELLIGENCE DRIVEN GRC FOR SECURITY
INTELLIGENCE DRIVEN GRC FOR SECURITY OVERVIEW Organizations today strive to keep their business and technology infrastructure organized, controllable, and understandable, not only to have the ability to
More informationThe HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information
The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,
More informationDHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1
Addressing the Evolving Cybersecurity Tom Tollerton, CISSP, CISA, PCI QSA Manager Cybersecurity Advisory Services DHG presenter Tom Tollerton, Manager DHG IT Advisory 704.367.7061 tom.tollerton@dhgllp.com
More informationCOMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards
November 2016 COMMENTARY Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards The Board of Governors of the Federal Reserve System ( Federal Reserve Board ), the Federal Deposit Insurance
More informationCybersecurity The Evolving Landscape
Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG
More informationGOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI
GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI CONTENTS Overview Conceptual Definition Implementation of Strategic Risk Governance Success Factors Changing Internal Audit Roles
More informationStephanie Zierten Associate Counsel Federal Reserve Bank of Boston
Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston Cybersecurity Landscape Major Data Breaches (e.g., OPM, IRS) Data Breach Notification Laws Directors Derivative Suits Federal Legislation
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationGUIDANCE NOTE ON CYBERSECURITY
GUIDANCE NOTE ON CYBERSECURITY AUGUST 2017 GUIDANCE NOTE ON CYBERSECURITY PART I Preliminary 1.1 Title 1.2 Authorization 1.3 Application 1.4 Definitions PART II Statement of Policy 2.1 Purpose 2.2 Scope
More informationFlorida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government
Florida Government Finance Officers Association Staying Secure when Transforming to a Digital Government Agenda Plante Moran Introductions Technology Pressures and Challenges Facing Government Technology
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationData Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016
Data Protection Practical Strategies for Getting it Right Jamie Ross Data Security Day June 8, 2016 Agenda 1) Data protection key drivers and the need for an integrated approach 2) Common challenges data
More informationPrivacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information
Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.
More information354 & Index Board of Directors Responsibilities Audit Committee and Risk Committee Coordination, 244 Audit Committee Functions and Responsibilities, 2
Index Accounts Payable Process Review Procedures Assessments, 191 Actions to Resolve Risks COSO ERM Control Activities, 97 Activity Management COSO ERM Control Activities, 81 AICPA SAS No. 1 Internal Controls
More informationCybersecurity and Examinations
Tim Segerson, Deputy Director NCUA E&I Cybersecurity and Examinations October 6, 2016 Chicago, IL Connected Devices Declining costs + increased bandwidth + powerful algorithms will spur a new information
More informationTexas Department of Banking United States Secret Service January 25, 2012
Texas Department of Banking United States Secret Service January 25, 2012 Presented by: Texas Department of Banking Banking Commissioner Charles G. Cooper Deputy Commissioner Bob Bacon Chief IT Security
More informationRed Flags/Identity Theft Prevention Policy: Purpose
Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and
More information716 West Ave Austin, TX USA
Fundamentals of Computer and Internet Fraud GLOBAL Headquarters the gregor building 716 West Ave Austin, TX 78701-2727 USA TABLE OF CONTENTS I. INTRODUCTION What Is Computer Crime?... 2 Computer Fraud
More informationKey Findings from the Global State of Information Security Survey 2017 Indonesian Insights
www.pwc.com/id Key Findings from the State of Information Security Survey 2017 n Insights Key Findings from the State of Information Security Survey 2017 n Insights By now, the numbers have become numbing.
More informationUnderstanding IT Audit and Risk Management
Understanding IT Audit and Risk Management Presentation overview Understanding different types of Assessments Risk Assessments IT Audits Security Assessments Key Areas of Focus Steps to Mitigation We need
More informationIT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18
Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are
More informationHF Markets SA (Pty) Ltd Protection of Personal Information Policy
Protection of Personal Information Policy Protection of Personal Information Policy This privacy statement covers the website www.hotforex.co.za, and all its related subdomains that are registered and
More informationIT risks and controls
Università degli Studi di Roma "Tor Vergata" Master of Science in Business Administration Business Auditing Course IT risks and controls October 2018 Agenda I IT GOVERNANCE IT evolution, objectives, roles
More informationIntegrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise
February 11 14, 2018 Gaylord Opryland Resort and Convention Center, Nashville #DRI2018 Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise Tejas Katwala CEO
More informationTurning Risk into Advantage
Turning Risk into Advantage How Enterprise Wide Risk Management is helping customers succeed in turbulent times and increase their competitiveness Glenn Tjon Partner KPMG Advisory Presentation Overview
More informationTSC Business Continuity & Disaster Recovery Session
TSC Business Continuity & Disaster Recovery Session Mohamed Ashmawy Infrastructure Consulting Pursuit Hewlett-Packard Enterprise Saudi Arabia Mohamed.ashmawy@hpe.com Session Objectives and Outcomes Objectives
More informationHeadline Verdana Bold
Headline Verdana Bold Federal Banking Agencies Issue Proposal on Cyber Risk Management Standards Standards would require largest institutions to enhance operational resilience October 2016 Executive summary
More informationIT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager
IT Audit and Risk Trends for Credit Union Internal Auditors Blair Bautista, Director Bob Grill, Manager David Dyk, Manager 1 AGENDA Internet Banking Authentication ATM Security and PIN Compliance Social
More informationHIPAA Federal Security Rule H I P A A
H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created
More informationGlobal Security Consulting Services, compliancy and risk asessment services
Global Security Consulting Services, compliancy and risk asessment services Introduced by Nadine Dereza Presented by Suheil Shahryar Director of Global Security Consulting Today s Business Environment
More informationCLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016
CLE Alabama Banking Law Update Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016 Best Practices on Managing Cyber-Security Risks J.T. Malatesta III and Sarah S. Glover Maynard Cooper
More informationGuidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17
GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER EBA/GL/2017/17 12/01/2018 Guidelines on the security measures for operational and security risks of payment services under Directive
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More information1. Muscat & Co Mortgage Solutions Ltd - Privacy Notice
1. This Muscat & Co Mortgage Solutions Ltd privacy notice provides information on how we and any of our subsidiaries, and any 3 rd party providers collect, use, secure, transfer and share your information.
More informationTHE POWER OF TECH-SAVVY BOARDS:
THE POWER OF TECH-SAVVY BOARDS: LEADERSHIP S ROLE IN CULTIVATING CYBERSECURITY TALENT SHANNON DONAHUE DIRECTOR, INFORMATION SECURITY PRACTICES 1 IT S A RISK-BASED WORLD: THE 10 MOST CRITICAL UNCERTAINTIES
More informationFFIEC CONSUMER GUIDANCE
FFIEC CONSUMER GUIDANCE Important Facts About Your Account Authentication Online Banking & Multi-factor authentication and layered security are helping assure safe Internet transactions for banks and their
More informationInformation Security Officer (ISO) Education
Information Security Officer (ISO) Education October 16, 2018 TBA Barrett Training Center Nashville, Tenn. Information Security Officer (ISO) Education October 16, 2018 TBA Barrett Training Center Nashville,
More informationCOUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017
COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE Presented by Paul R. Hales, J.D. May 8, 2017 1 HIPAA Rules Combat Cyber Crime HIPAA Rules A Blueprint to Combat Cyber Crime 2 HIPAA Rules Combat Cyber Crime
More informationBusiness continuity management and cyber resiliency
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Business continuity management and cyber resiliency Introductions Eric Wunderlich,
More information