Lecture Materials MANAGING SECURITY RISK IN BANKING

Transcription

1 Lecture Materials MANAGING SECURITY RISK IN BANKING Kevin Streff Professor of Cybersecurity Dakota State University & Founder SBS Cybersecurity, LLC August 9-11, 2017

2

3 IT Risk Assessment 2017 Graduate School of Banking at University of Wisconsin Dr. Kevin Streff Founder: SBS Cybersecurity, LLC 1

4 Goals Understand the top risk assessment issues that cause problems and inefficiencies Learn to expand and mature risk assessment programs: IT risk assessment Corporate account assessments (CATO) Enterprise Risk Management BSA Risk Management Watch how leading tools enable quicker and better risk assessment Review risk assessment best practices 2

5 Regulator Requirements: Gramm Leach Bliley Act Gramm Leach Bliley Act requires you to develop and implement an Information Security Program and conduct Risk Assessments A comprehensive written information security program which defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a bank s operations and the nature and scope of its activities. Prior to implementing an information security program, a bank must first conduct a risk assessment which entails: Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems. Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the member information. Assessment of the sufficiency of the policies, procedures and member information systems in place to control the identified risks. 3

6 Gramm Leach Bliley Act Management must develop a written information security program What is the M in the CAMELS rating? Don t just do good security things, have a well managed program Don t rely on individual heroism, have a well managed program The Information Security Program is the way management demonstrates to regulators that information security is being managed at the financial institution 4

7 Gramm Leach Bliley Act Gramm Leach Bliley Act requires your financial institution to develop and implement 1) an Information Security Program and 2) Risk Assessments Information Security Program: Defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a financial institution s operations and the nature and scope of its activities. Risk Assessment Program: Prior to implementing an information security program, a financial institution must first conduct a risk assessment

8 Layered Information Security Program I.T. Risk Assessment Asset Management Vendor Management Penetration Testing Vulnerability Assessment Security Awareness Business Continuity Incident Response I.T. Audit Documentation Boards & Committees 6

9 2016 Secure Banking Solutions, LLC 7

10 Question What is the OUTCOME of good IT risk assessment? 8

11 Exercise 1 Allocating Resources 9

12 10

13 Exercise 1 Your bank has $25,000 of additional spending to put towards security in You were just provided the chart How would you allocate the $25,000? 11

14 Maturing Your Risk Assessment Bank Internal & External System & Organizational Third Party Vendors Business Partners Downstream Partners Commercial Merchant Correspondent Banking ACH Origination Enterprise Risk Bank Secrecy Act Cyber Risk 12

15 Capability Maturity Model Level 0 Initial Any sort of process at all Level 1 Repeatable Processes are documented and practiced Level 2 Defined Processes are consistent and known within the organization Level 3 Quantitatively Managed Processes are measured quantitatively and evaluated Level 4 Optimized Processes continually improve with new technologies or methods 13

16 4 Commercial Threats Goal 3 3 rd Party Threats Goal Bank Threats Goal Level of Assessment (CMM Levels) Low Medium High Level of Risk 14

17 Bank Assessments 15

18 What is IT Risk Assessment? The evaluation of the risks to information resources to determine adequacy of current controls so that management can allocate resources Streff,

19 Exercise 2 Reviewing a Risk Assessment 17

20 Asset Value Threat Likelihood Impact Control Traditional IT Risk Core Processor High Unauthorized User Access High High Password Controls Assessment Process View Core Processor example in attached spreadsheet Physical Access End-User Responsibilities Access Controls Insurance Unauthorized Physical Access Low Medium Motion Sensors and Alarm System Security Cameras Control Authorized Use Hardware Security Physical Security Unauthorized Viewing Medium Medium Screen Savers Privacy Screens Electrical Anomalies Medium High Electrical Services Contingency Plan Physical Security Hardware Failure Medium High Data Integrity Bank Processing Hardware EDP Contingency Procedures Software Failure Medium High Data Software Availability Bank Processing Software Incident Response Plan Host Processing Systems Software Security Data and Software Availability Media Failure Medium Low Data Integrity Disaster Recovery Data and Software Availability Overall Risk Rating Communications Failure Low Medium Telecommunications Services Low 18 High Medium Medium High High Medium Low

21 Asset Value Threat Likelihood Impact Control Traditional IT Risk Natural Disaster Low High Contingency and Plan Business Resumption Assessment Process View Core Processor example in attached spreadsheet Data Integrity Incident Response Plan Insurance Other Disasters Low High Contingency and Business Resumption Plan Data Integrity Fire Control Incident Response Plan Insurance Overall Risk Rating Medium Medium Malicious Software Low Medium Anti-Virus/Malware Software Protection Medium User Error Medium Low Dual Control Procedures Low Accidental Disclosure, Social Engineering Medium Medium Dial-up Access Encryption Information Requests File Transfers Fraudulent Transactions Medium High Separation of Duties System Activity Logs Maintenance Error Medium Low Modifications Modification Procedures Software Change Control Host Processing Systems Improper Use Medium Medium System Activity Logs Modifications, Dual Control Procedures Acceptable Use Medium Medium Low Medium 19

22 Exercise 2 Instructions What do you agree with? What do you disagree with? What story is this risk assessment telling? How would the bank allocate resources if you provided them with this assessment? 20

23 Risk Assessment is: A process A management process A management process to identify A management process to identify, measure A management process to identify, measure, mitigate A management process to identify, measure, mitigate and monitor A management process to identify, measure, mitigate and monitor to allocate resources 21

24 5 Step IT Risk Assessment Process Step 0 Inventory: Step 4 Risk Monitoring Step 1 Risk Identification Residual Risk Step 3 Risk Mitigation Step 2 Risk Measurement Inherent Risk 22

25 Step 1 - Inventory: Identify all assets, vendors and service providers 5 Step IT Risk Assessment Process Step -5-Demonstrate Compliance: Reporting Improve the process Document Residual Risk Step 2 - Develop Priorities: Protection Profile (CIAV) Residual Risk Step 4 - System Controls: What system safeguards does the bank want to implement? Step 3 - Identify Threats: What are the threats to each asset (including impact and probability of each threat)? Inherent Risk 23

26 IT Risk Management Tools Efficiency Repeatability Quality Automate processes Examiners like them BOTTOM LINE #1: Act as your security expert BOTTOM LINE #2: Allow bank to spend time examining information and making decisions (not compiling a risk assessment spreadsheet) 24

27 Top Risk Assessment Products Archer tech.com Kansas bsecure Texas CoNetrix Texas Modulo Seattle Riskkey Texas RiskWatch Maryland Scout inc.com Wisconsin TRAC South Dakota WolfPAC Maryland 25

28 IT Assets

29 Protection Profile

30 Threats

31 Controls

32 Protection Profile Report

33

34 Risk Appetite The more important the asset, the more risk you want to reduce risk. Acceptable levels of risk are identified and measured against.

35 Commercial Account Assessments Commercial Banking Fraud 33

36 Commercial Account Takeover Cyber criminals are targeting commercial accounts Business/Commercial accounts do not have the same legal protections afforded to consumer accounts (Reg E) Schumer Bill introduced in 2012 to Reg E Schools and Municipalities 34

37 Commercial Banking Fraud January 22, 2009 Experi Metal Inc. Sterling Heights, MI Sues Comerica Bank ($60M) Dallas, TX An EMI employee opened and clicked on links within a phishing $1.9M stolen, $560,000 was not recoverable 47 wires in one day to foreign and domestic accounts which EMI never wire to before Ruling: Bank failed to detect the fraud and must pay Experi Metal $560,000 in losses. 35

38 Small Business Security 70% lack basic security controls Get to the basics with each small business Conduct a risk assessment looking for these basic security controls Firewall, Strong passwords, Malware Protection Etc. 36

39 37

40 Finger Pointing and ACH Risk 38

41 Mitigating ACH Fraud in Community Banks Layered Information Security Program Enhanced Focus on Security Awareness Risk Assess Corporate Account Portfolio and Take Action 39

42 Commercial Account Takeover FFIEC Guidance FFIEC s Interagency Supplement to Authentication in an Internet Banking Environment states the following activities to mitigate commercial account takeover: Risk Assess to better understand and respond to emerging threats. Increased multi factor authentication. Layered security controls. Improved device identification and protection. Improved customer and employee fraud awareness. CSBS CATO Guidance 40

43 Bottom Line Need to develop a way for your bank to assess the risk of commercial accounts 41

44 ACH Regulatory Compliance REGULATION Board of Directors at the bank are responsible to: Reduce/Control ACH Fraud Meet FFIEC Guidance Meet CSBS Guidance Actions Controls at the Bank Corporate account security is part of your layered security program Minimum list of 9 security controls in the FFIEC supplement Controls at the Business CATO Risk Assessment List of controls in the CSBS guidance Customer Education Contracts/Documentation 42

45 Controls at Your Bank Effective controls that may be incorporated in a layered security program include, but are not limited to: Fraud monitoring and detection Dual authorization Out Of Band transaction verification Positive pay Account activity controls or limits on value, volume, timeframes, and payment recipients IP reputation based blocking tools Polices and procedures for addressing potentially infected customer devices Enhanced control over account maintenance Enhanced customer education 43

46 How do You Assess Merchant Risk? 44

47 5 Step IT Risk Assessment Process Step 0 Inventory: Step 4 Risk Monitoring Step 1 Risk Identification Residual Risk Step 3 Risk Mitigation Step 2 Risk Measurement Inherent Risk 45

48 Commercial Account Assessments Commercial Banking Fraud

49 Bottom Line Need to develop a way for your bank to assess the risk of commercial accounts

50 48

51 49

52 Assessment Results 50

53 Track Progress 51

54 Easily Create a campaign 52 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit y

55 Choose from a huge library of phishing templates 53 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit y

56 Realistic Templates 54 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit y

57 Educate them WHEN they click 55 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit y

58 Other Phishing Tools Wombat Phishme QuickPhish Tandem Phishing Most of these tools offer a free trial 56 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit y

59 Enterprise Risk Management 57

60 Enterprise Risk Management (ERM) ERM is a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (FDIC Internal ERM Program and COSO) ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity s risk management in a changing operating environment. (Protiviti consulting firm) 58

61 Business Processes Administrative Affiliate Back Office Customer Service Finance Lending Marketing Regulatory Retail (Deposits) Information Technology 59

62 Threat Areas Operational Reputational Compliance Financial Strategic Categories commonly used in FFEIC booklets. 60

63 ERM Risk Mitigation Goals 61

64 ERM Protection Profile 62

65 ERM Threats 63

66 ERM Controls 64

67 ERM Reporting 65

68 Report Risk Mitigation 66

69 Report Threat Source 67

70 REPORT PEERCOMPARISON 68

71 Bank Secrecy Act Assessments 69

72 Bank Secrecy Act (BSA) The Currency and Foreign Transactions Reporting Act of 1970 (which legislative framework is commonly referred to as the Bank Secrecy Act or BSA ) requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in The BSA is sometimes referred to as an anti money laundering law ( AML ) or jointly as BSA/AML. Several AML acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC and 31 CFR Chapter X [formerly 31 CFR Part 103] ). 70

73 BSA Program Components Program is driven by a risk assessment. A system of internal controls to ensure ongoing compliance. Independent testing of BSA compliance. A specifically designated person or persons responsible for managing BSA compliance (BSA compliance officer). Training for appropriate personnel htm 71

74 Risk Driven BSA Program 72

75 BSA Account Types 73

76 BSA Risk Areas 74

77 BSA Controls 75

78 BSA Reports 76

79 Report Account Risk 77

80 Cyber Security Assessment Sec ure Ban king

81 FFIEC CA Tool (3 parts) Three (3) major components 1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity 2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats 3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity Sec ure Ban king

82 Cybersecurity Inherent Risk Very PRESCRIPTIVE Really getting to the Size and Complexity issue originally stated by GLBA Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats Sec ure Ban king

83 Cybersecurity Inherent Risk Five Inherent Risk Areas 1. Technologies and Connection Types 2. Delivery Channels 3. Online/Mobile Products and Technology Services 4. Organizational Characteristics 5. External Threats Sec ure Ban king

84 Sec ure Ban king

85 Cybersecurity Maturity Measure Maturity in 5 Domains (+ Assessment Factors) 1. Cyber Risk Management and Oversight Governance, Risk Management, Resources, and Training 2. Threat Intelligence and Collaboration Threat Intelligence, Monitoring & Analyzing, and Info Sharing 3. Cybersecurity Controls Preventative, Detective, and Corrective controls 4. External Dependency Management External Connections and (Vendor) Relationship Management 5. Cyber Incident Management and Resilience Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting Sec ure Ban king

86 What is Cybersecurity Maturity? Determining whether an institution s behaviors, practices, and processes can support cybersecurity preparedness I.E. are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents? Sec ure Ban king

87 Determining Maturity Level Within each component, declarative statements describe activities supporting the assessment factor at each maturity level All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain s maturity level What this actually means: Identify the controls you have in place, starting with baseline controls and escalating up in order to determine maturity levels Sec ure Ban king

88 Sec ure Ban king

89 Increasing Maturity Sec ure Ban king

90

91

92

93

94

95

96

97

98

99

100

101

102 Risk Assessment Best Practices Determine which kind of assessment is the most important for your bank and invest accordingly Mature your program Have repeatable processes for each kind of assessment Assign an owner for each kind of assessment Create a policy and program for each kind of assessment Leverage tools to promote consistency and good decision making Don t use the manual spreadsheet technique! Produce your documentation along the way Ensure management/board involvement 100

103 Review of Goals Understand IT risk assessment law and regulation Understand the top risk assessment issues that cause problems and inefficiencies Learn how to expand and mature: IT risk assessment Corporate account assessments (CATO) Enterprise Risk Management BSA Risk Management Review effective risk assessment policy Watch how leading tools enable quicker and better risk assessment Review risk assessment best practices Big 5: Tools, KnowB4, repeatable processes, policies, schedules 101

104 Risk Assessment Schedule 102

105 Dr. Kevin Streff Professor of Cybersecurity at Dakota State University (605) Founder: SBS Cybersecurity, LLC. (605)