2017 IT Examination Preparedness. Iowa Bankers 2017 Technology Conference October 24, 2017
Disclaimer
- Materials are designed to give general information on the specific subjects covered and are for educational and discussion purposes only. They are not intended to be a comprehensive summary of regulations, laws, guidance, or regulatory work programs.

FDIC and FRB
- Using the Information Technology Risk Examination (InTREx) Program
- Assigning Component Ratings and a Composite Rating

Exam Components
- Audit
- Management
- Development and Acquisition
- Support and Delivery

Traditional IT Examination Areas
- Information and Cyber Security
- IT Management
- Audit
- Operations/Support and Delivery
- Network Operations
- Acquisition and Development
- Business Continuity
- Incident Response
- Outsourced Third Party Risk Management
- Internet Banking/E-banking
- EFT/Payment Systems

Update on CAT
- Must complete a cyber assessment
- Not required to use the FFIEC tool
- Phase One of CAT update and revisions completed May 2017
- Provided for Yes, Yes with comment, No

Update on CAT
- Examiners are looking for validation of responses: comments/explanation on responses
- Example: "Processes are in place to identify additional expertise needed to improve information security defenses." Yes. Comment: Through our risk assessment and budgeting processes.
- Example: "Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored." Yes. Comment: Access is controlled; however, we are in the process of researching a tool for monitoring access and activity.

Update on CAT
- Baseline is the minimum requirement and expectation
- Based on basic regulatory guidance and FFIEC Booklets
- Establish Desired Target Maturity Level
- Create Action Plan to reach the Desired Target Maturity Level

FFIEC Information Security Booklet, September

Information Security
- Strong Board and Senior Management support
- Integration of security and controls throughout business processes
- Clear accountability for carrying out security responsibilities
- Focus on information and cyber security controls

Information Security Program
- Robust program:
  - Risk identification
  - Risk measurement
  - Risk mitigation
  - Risk monitoring and reporting
- Incorporate cybersecurity elements
- Comprehensive testing and assurance to determine the effectiveness of the Program

Information Security Program
- Integrate processes, people, and technology
- Maintain risk profile in accordance with the Board's risk appetite
- Encompass the entire Bank, not just IT controls

Risk Appetite Statement
The Board has established specific strategic goals and objectives as defined in the Organizational Strategic Plan for the Bank. To increase the probability of achieving these goals, the Board has established acceptable risk tolerances within its risk appetite. The Board periodically reviews the risk appetite and associated tolerances and may adjust them to adapt to changing economic conditions, the threat landscape and/or strategic goals. Overall, the Board desires to maintain enterprise Information/Cyber Security risk mitigation and control strategies that will reduce inherent risk to a moderate or low level as feasible. Specifically relating to the Cyber Security Assessment, our goal is to maintain a reasonable alignment of our Inherent Risk Level and Cyber Maturity Levels based on the Assessment. When either the enterprise Information/Cyber Security Risk is High or the Cyber Security Assessment levels are out of alignment or high, the Board will be notified and kept apprised of the situation until the items are addressed.

Information Security Program
- Completion of a Cyber Assessment
- Target Inherent Risk Level and Cyber Maturity Level
- Cyber Security Strategy
- Integration of Cyber Security and Information Security

Enterprise-wide Information Security Risk Assessment
- If Management cannot or chooses not to mitigate a vulnerability, it should document:
  - Decision to accept
  - Level of risk associated with the vulnerability
  - Person accountable for accepting the risk

Risk Measurement
- Use threat analysis tools
- Understand and support measurement of information security related risks
- Map threats and vulnerabilities
- Improve consistency in risk measurement
- Highlight potential areas for mitigation
- Select proper controls to cover various attack stages, channels, and assets
- Allow comparisons among threats, events, and potential mitigating controls

Risk Mitigation
- Develop and implement an appropriate plan to mitigate identified risks
- Understand the extent and quality of the current control environment
- Consider system controls rather than any discrete control
- Obtain, analyze, and respond to information from sources like FS-ISAC (threat intelligence gathering)
- Develop, maintain, and update a repository of cybersecurity threat and vulnerability information

Inventory and Classification of Assets
- Updated inventory
- Classifies the sensitivity and criticality of assets:
  - Hardware, software, information, and connections
  - High, Medium, Low
  - Public, non-public, institution confidential
  - Critical and non-critical
- Policies to govern inventory and classification
- At inception and throughout the life cycle

Interconnectivity Risk
- Sharing information with other institutions and third parties
- Risks:
  - Misuse
  - Mismanagement
  - Compromise of connections

Mitigation of Interconnectivity Risk
- Identify all connections
- Identify all access points and connection types
- Identify connections between, and access across, low risk and high risk systems
- LAN, ISP, WiFi, cellular
- Assess all connections with third parties that provide remote access or control over internal systems
- Implement and assess adequacy of controls to ensure security of connections (regardless of criticality or sensitivity)

Network Controls
- Establish trusted and non-trusted zones; segment the network
- Implement appropriate controls over wired and wireless networks
- Maintain accurate network diagrams and data flow diagrams
- Develop a data inventory

Network and Data Flow Diagram
- Identify:
  - Hardware
  - Software
  - Network components
  - Internal and external connections, including cloud
  - Types of information passed between systems, to facilitate the development of defense-in-depth security

[Slide: sample network and data flow diagram (CoNetrix)]

Data Inventory
[Slide: sample data inventory (CoNetrix)]

Network Controls
- Defense-in-depth
- Blacklist to disallow code execution
- Whitelist approved programs
- Port monitoring
- Monitoring of unauthorized software installation
- Monitoring for anomalous activity
- Monitor network traffic

Log Management
- A SIEM provides a method for management to:
  - Collect
  - Aggregate
  - Analyze
  - Correlate

Log Management
- Should have effective log retention policies
- Strictly control and monitor access to log files
- Encrypt logs containing sensitive data or transmitted over the Internet
- Ensure adequate storage
- Secure backup and disposal of log files

Log Management
- Log data to a separate, isolated computer
- Log data to read-only media
- Set log parameters to disallow any modification to previously written data
- Restrict access to log files

Log Management
- SIEM used to gather information from:
  - Network and security devices and systems
  - Identity and access management applications
  - Vulnerability management and policy compliance tools
  - Operating system, database, and application logs
  - Physical and environmental monitoring systems
  - External threat data

Logging
- Inactive user accounts
- Failed login attempts
- Changes to administrative groups
- Account management
- Access to sensitive files and folders
- Security events
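As an added example (not from the presentation, and not any SIEM product's code), the following Python script shows what evidence for three of the items on the Logging slide can look like: it runs over constructed log lines in an assumed simplified "timestamp event key=value" format and reports failed-login bursts, changes to administrative groups, and accounts with no successful login within an assumed 90-day window.

```python
"""Checks for three logging items an examiner may ask about: failed login
attempts, changes to administrative groups, and inactive user accounts.
The log format below is an assumption made for this example, not a real
product's format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# Assumed format: "<ISO timestamp> <EVENT> key=value ..."
SAMPLE_LOG = """\
2017-10-20T08:01:10 LOGIN_OK user=jsmith src=10.1.1.20
2017-10-20T08:02:00 LOGIN_FAIL user=admin src=10.1.1.55
2017-10-20T08:02:05 LOGIN_FAIL user=admin src=10.1.1.55
2017-10-20T08:02:09 LOGIN_FAIL user=admin src=10.1.1.55
2017-10-20T08:02:14 LOGIN_FAIL user=admin src=10.1.1.55
2017-10-20T08:02:20 LOGIN_FAIL user=admin src=10.1.1.55
2017-10-20T09:15:00 LOGIN_OK user=mjones src=10.1.1.31
2017-10-20T09:20:00 GROUP_ADD user=mjones group=Domain_Admins actor=jsmith
2017-10-21T10:00:00 LOGIN_FAIL user=jsmith src=10.1.1.20
2017-10-21T10:00:30 LOGIN_OK user=jsmith src=10.1.1.20
"""

# Constructed directory listing and admin group names (assumptions).
KNOWN_ACCOUNTS = {"jsmith", "mjones", "admin", "tlee"}
ADMIN_GROUPS = {"Domain_Admins", "Administrators"}


def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts', an 'event', and key=value fields."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Return (user, src, count) for each user/source with >= threshold failures
    inside any sliding window of the given length."""
    fails = defaultdict(list)
    for rec in records:
        if rec["event"] == "LOGIN_FAIL":
            fails[(rec["user"], rec.get("src"))].append(rec["ts"])
    hits = []
    for (user, src), times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append((user, src, end - start + 1))
                break
    return hits


def admin_group_changes(records):
    """Membership changes to any administrative group, with who made the change."""
    return [(rec["user"], rec["group"], rec.get("actor")) for rec in records
            if rec["event"] in ("GROUP_ADD", "GROUP_REMOVE") and rec["group"] in ADMIN_GROUPS]


def inactive_accounts(records, known_accounts, as_of, max_idle=timedelta(days=90)):
    """Accounts with no successful login within max_idle of as_of (never-logged-in counts)."""
    last_ok = {}
    for rec in records:
        if rec["event"] == "LOGIN_OK":
            last_ok[rec["user"]] = max(last_ok.get(rec["user"], rec["ts"]), rec["ts"])
    return sorted(user for user in known_accounts
                  if user not in last_ok or as_of - last_ok[user] > max_idle)


def run_checks(text=SAMPLE_LOG, as_of_iso="2017-10-24T00:00:00"):
    """Run all three checks and return the findings as one dict."""
    records = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(records),
        "admin_group_changes": admin_group_changes(records),
        "inactive_accounts": inactive_accounts(records, KNOWN_ACCOUNTS,
                                               datetime.fromisoformat(as_of_iso)),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name}: {findings}")
```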
Change Management
- Process to introduce changes to the environment in a controlled manner
- Configuration management of IT systems and applications
- Hardening of systems and applications
- Use of standard builds
- Patch management

Configuration Management
- Securely maintaining technology by developing baselines for tracking, controlling, and managing system settings
- Confirm security settings
- Track, verify, and report configuration items
- Monitor for unauthorized changes and misconfiguration

Patch Management
- Process:
  - Monitoring that identifies availability of patches
  - Evaluating patches against the threat and network environment
  - Prioritizing to determine which patches apply
  - Obtaining, testing, and securely installing

Patch Management
- Exception process, with appropriate documentation, for delaying or not applying patches
- Ensuring all patches installed in the production environment are also installed in the DR environment
- Documenting assets, the technology inventory, and the DRP when patches are applied

End of Life
- Maintaining inventories of systems and applications
- Adhering to an approved EOL or sunset policy
- Tracking change management, updates, end of support
- Risk assess to help determine EOL
- Plan for replacement (IT Strategic Plan)
- Plan for and securely destroy or wipe hard drives

Testing
- Management should ascertain that the Information Security Program is operating securely, as expected, and reaching intended goals
- Two types of tests mentioned:
  - IT system's design
  - IT system's operation

Testing Plans: Key Factors
- Scope
- Personnel
- Notifications
- Confidentiality, integrity, availability
- Confidentiality of test plans and data
- Frequency
- Proxy testing

Types of Tests
- Self assessments
- Penetration test
- Vulnerability assessments
- Audits

FFIEC IT Management Booklet, November 2015

Information Security Officer/Chief Information Security Officer
- Not an IT resource
- Strategic and integral part of the business management team
- Enterprise-wide risk manager
- Championing security awareness training programs
- Reports directly to the Board, a Board Committee, or Senior Management

IT Planning
- Short term and long term goals
- Align with business plans
- Identify and measure risk before implementation
- Ensure infrastructure to support
- Integrate IT spending into the budgeting process

IT Strategic Planning
- Addresses the long-term goals and allocation of IT resources
- Three to five year timeframe
- Helps ensure alignment with the Institution's business plans and goals
- Risk management/controls
- Addresses budget
- Board reporting

Tactical Plan
- Supports the IT Strategic Plan
- Defines the specific steps necessary to complete:
  - Hardware and software architecture
  - End user computing resources
  - Processing done by third party providers

Operational Plan
- Supports the IT Strategic Plan and Tactical Plan
- Addresses in more detail the steps to implement
- Specific tasks and timelines
- Responsibilities for each task and milestone
- Drop dead dates
- Budgetary needs

Budgeting
- Management performance
- Consider undocumented costs: repairs, support, upgrades, lifetime management
- Can be a separate IT budget

Common Findings 2017/Hot Spots

Common Exam Findings
- Third party risk management program/vendor management not comprehensive
- Untimely annual third party oversight
- Need a process for monitoring problems with a third party provider or a troubled third party

Common Exam Findings: Outsourced Third Party Risk Management/Vendor Management
- Risk assessment not including all relationships; broaden criteria beyond mission critical and access to customer information
- Not performing and documenting due diligence reviews, and reporting to the Board, for prospective third party providers
- Ongoing oversight of third parties not comprehensive

Common Exam Findings
- Insufficient asset inventory (hardware, software, devices)
- Need all information systems assets/equipment: Asset, Role, Location, Model, Serial #, OS, Patch level, Prioritization, Number of licenses owned

Common Exam Findings: Business Continuity Planning
- Comprehensive business impact analysis does not include:
  - MAD, RTOs, RPOs, recovery of the critical path
  - Acceptable level of losses associated with business functions and processes
- Inadequate documentation, maintenance, and testing of the plan and backup
- Tabletop and overall testing needs to be more robust

Common Exam Findings
- No data flow diagram
- No data inventory
- Network topologies not comprehensive:
  - Depict LAN, WAN
  - Show all devices, external and internal connectivity

Common Exam Findings
- Lack of Board cyber security discussions
- Lack of Board cyber security training
  - FS-ISAC Executive Briefings
  - FDIC Cyber Security Challenge
- Every board member should have an understanding of their responsibility

Common Exam Findings
- Lack of or infrequent reporting to the Board on cyber security and IT:
  - Threat intelligence
  - Security event monitoring (SIEM)
  - Patch management
  - Asset inventory updates

Common Exam Findings: CAT
- General confusion on baseline controls
- Inaccurate level of maturity
- Compliance frame of mind (just checking off the box) vs. a process, security frame of mind

Common Exam Findings
- Lack of employee information security training
- Only using generic online training (i.e. BAI, BVS, etc.)
- Need more on bank processes, policies, controls

Common Exam Findings
- Lack of segregation, or conflict, of IT officer/manager and Information Security Officer duties
- Enterprise-wide information security risk assessment not presented to the Board for review and approval
- Network Admin accounts not renamed

Common Exam Findings
- Admin and service accounts not managed; need more robust credentials
- Administrators need to have an admin profile and a separate general user profile
- Audit not doing a deep dive on user profiles and access

Common Exam Findings
- IT Strategic Plan does not identify both long and short term projects, goals, and objectives
- Address competitive demands of the marketplace, budget, periodic report to Board, status of risk management controls

Common Exam Findings
- Lack of patching of security devices (FW, IDS, IPS, etc.)
- Need standards for infrastructure patching based on risk/criticality:
  - 1st priority: Internet facing systems
  - 2nd priority: Systems/applications that move money
  - 3rd priority: Any system/application that has confidential information
  - 4th priority: All other systems/applications

Common Exam Findings
- Vulnerability assessments are limited to scans of IP addresses
- Need authenticated scans to check internal services, patches, etc.
- Do at least quarterly
- Lack of social engineering training
- Lack of social engineering testing

Common Exam Findings: Cloud Services
- Not performing thorough due diligence
- Risk assess services, security, and controls
- Know where data is and whether it is secured in transit and/or at rest
- Does it fit into strategic/business plans?
- Don't leave out the core provider
- Private cloud: Where are the servers? What security is in place?

Common Exam Findings: Audit
- Do not have a comprehensive IT audit plan/policy
- Do not have an IT audit risk assessment
- Not documenting findings and follow-up corrective action

Questions?
Susan Orr Consulting, Ltd.
More informationSTAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:
STAFF REPORT January 26, 2001 To: From: Subject: Audit Committee City Auditor Information Security Framework Purpose: To review the adequacy of the Information Security Framework governing the security
More informationBusiness continuity management and cyber resiliency
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Business continuity management and cyber resiliency Introductions Eric Wunderlich,
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationEffective Strategies for Managing Cybersecurity Risks
October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1 Everybody s Doing It! 2 Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationInternet of Things Toolkit for Small and Medium Businesses
Your Guide #IoTatWork to IoT Security #IoTatWork Internet of Things Toolkit for Small and Medium Businesses Table of Contents Introduction 1 The Internet of Things (IoT) 2 Presence of IoT in Business Sectors
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationNEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE
COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:
More informationHealthcare HIPAA and Cybersecurity Update
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Healthcare HIPAA and Cybersecurity Update Agenda > Introductions > Cybersecurity
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).
More informationSecurity Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:
Position: Reports to: Location: Security Monitoring Engineer / (NY or NC) Director, Information Security New York, NY or Winston-Salem, NC Position Summary: The Clearing House (TCH) Information Security
More informationTechnology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017
Technology Roadmap for Managed IT and Security Michael Kirby II, Scott Yoshimura 04/12/2017 Agenda Managed IT Roadmap Operational Risk and Compliance Cybersecurity Managed Security Services 2 Managed IT
More informationNYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing
More information10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment
Preparing Your Organization for a HHS OIG Information Security Audit David Holtzman, JD, CIPP/G CynergisTek, Inc. Brian C. Johnson, CPA, CISA HHS OIG Section 1: Models for Risk Assessment Section 2: Preparing
More informationApril Appendix 3. IA System Security. Sida 1 (8)
IA System Security Sida 1 (8) Table of Contents 1 Introduction... 3 2 Regulatory documents... 3 3 Organisation... 3 4 Personnel security... 3 5 Asset management... 4 6 Access control... 4 6.1 Within AFA
More informationPeopleSoft Finance Access and Security Audit
PeopleSoft Finance Access and Security Audit City of Minneapolis Internal Audit Department September 20, 2016 1 Contents Page Background... 3 Objective, Scope and Approach... 3 Audit Results and Recommendations...
More informationCybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com
Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding
More informationEmbedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere
Embedding GDPR into the SDLC Sebastien Deleersnyder Siebe De Roovere Who is Who? Sebastien Deleersnyder 5 years developer experience 15+ years information security experience Application security consultant
More informationISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that
More informationInformation Technology Branch Organization of Cyber Security Technical Standard
Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:
More informationTechnology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 05/24/2017
Technology Roadmap for Managed IT and Security Michael Kirby II, Scott Yoshimura 05/24/2017 Agenda Managed IT Roadmap Operational Risk and Compliance Cybersecurity Managed Security Services 2 Managed IT
More informationFFIEC Guidance: Mobile Financial Services
FFIEC Guidance: Mobile Financial Services Written by: Jon Waldman, CISA, CRISC Partner and Senior Information Security Consultant Secure Banking Solutions, LLC FFIEC Updates IT Examination Handbook to
More informationEmbedding GDPR into the SDLC
Embedding GDPR into the SDLC Sebastien Deleersnyder Siebe De Roovere Toreon 2 Who is Who? Sebastien Deleersnyder Siebe De Roovere 5 years developer experience 15+ years information security experience
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationPerforming a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH
Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH 1 Speaker Bio Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas &
More informationSOLUTION BRIEF Virtual CISO
SOLUTION BRIEF Virtual CISO programs that prepare you for tomorrow s threats today Organizations often find themselves in a vise between ever-evolving cyber threats and regulatory requirements that tighten
More informationTwilio cloud communications SECURITY
WHITEPAPER Twilio cloud communications SECURITY From the world s largest public companies to early-stage startups, people rely on Twilio s cloud communications platform to exchange millions of calls and
More informationSecure Development Lifecycle
Secure Development Lifecycle Strengthening Cisco Products The Cisco Secure Development Lifecycle (SDL) is a repeatable and measurable process designed to increase Cisco product resiliency and trustworthiness.
More informationApex Information Security Policy
Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8
More informationCybersecurity Today Avoid Becoming a News Headline
Cybersecurity Today 2017 Avoid Becoming a News Headline Topics Making News Notable Incidents Current State of Affairs Common Points of Failure Three Quick Wins How to Prepare for and Respond to Cybersecurity
More informationCanada Life Cyber Security Statement 2018
Canada Life Cyber Security Statement 2018 Governance Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability
More information