FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Transcription

1 FFIEC Cyber Security Assessment Tool Overview and Key Considerations

2 Overview of FFIEC Cybersecurity Assessment Tool

3 Agenda Overview of assessment tool Review inherent risk profile categories Review domain 1-5 for cyber security maturity Summary of risk/maturity relationships Overview of use case performed Final thoughts Q&A

4 Benefits to Institutions Identifying factors contributing to and determining the institution s overall cyber risk Assessing the institution's cybersecurity preparedness. Evaluating whether the institutions cybersecurity preparedness is aligned with its risks Determining risk management practices and controls that could be taken to achieve the institutions desired state of cyber preparedness Informing risk management strategies.

5 Not just for Finance! Don t tune out if your not in the financial services sector!! Throughout the presentation you can see that risk assessment and preparedness is a major theme in any industry. Feel free to ask particular questions about your company and industry.

6 Inherent Risk Profile

7 Inherent Risk Profile Categories Technologies and Connection Types Delivery Channels Online/Mobile Products and Technology Services Organizational Characteristics External Threats

8 Inherent Risk Profile Risk Levels

9 Inherent Risk Profile Excerpt

10 Inherent Risk Profile Technologies and Connection Types Internet service providers Third party connections Internal vs outsourced hosted systems Wireless access points Network devices EOL Systems Cloud services Personal Devices

11 Inherent Risk Profile Online and mobile products and services delivery channels Delivery Channels ATM operations

12 Inherent Risk Profile Online/Mobile Products and Technology Services Credit and debit cards P2P payments ACH Wire transfers Wholesale payments Remote deposit Treasury and trust Global remittances Correspondent banking Merchant acquiring activities

13 Inherent Risk Profile Organizational Characteristics Mergers and acquisitions Direct employees and contractors IT environment Business presence and locations of operations and data centers

14 Inherent Risk Profile

15 Inherent risk Reponses Best Practice Automate Answers using existing solutions to: Track in real time areas such as: Asset inventory Third party connections Transaction data

16 Cybersecurity Maturity Assessment

17 Cybersecurity Maturity Overview

18 Cybersecurity Maturity Domain Coverage

19 Domain 1 Cyber Risk Management & Oversight Governance Risk Management Resources Training and Culture

20 Domain 2 Threat Intelligence and Collaboration Threat Intelligence Monitoring and Analyzing Information Sharing

21 Domain 3 Cyber Security Controls Preventative Infrastructure management Access and asset management Device/endpoint security Secure coding practices Detective Threat and vulnerability detection Anomalous behavior activity detection Event detection Corrective Patch management Remediation

22 Domain 4 External Dependency Management Connections Identifications Monitoring Management of external connections and data flows to third parties Relationship Management Due diligence Contracts Ongoing monitoring

23 Domain 5 Cyber Incident Management and Response Incident Resilience Planning & Strategy Detection, Response, & Mitigation Escalation & Reporting

24 Risk Maturity Relationship

25 Risk Maturity Matrix

26 National Bank Case Study

27 ABC National Bank Business Profile Background employees banking locations HQ in Central US Est Banking Operations Branch Banking Commercial Banking Consumer Lending Investment Advisors Current State EOL systems still in use, no upgrade plan Mobile banking applications and some BYOD Previous security incidents external phishing attempts and ATM s being infected with malware IT Security Director has left the Bank

28 Inherent Risk Score Inherent Risk Score legend <= Category Data Weights Points Least Minimal Moderate Significant Most Technologies and connection Types Delivery Channels Organizational Characteristics Online/Mobile Products and Technological Services External Threats Totals % 28.21% 51.28% 10.26% 0.00%

29 Cybersecurity Maturity Assessment

30 FFIEC Recap of Steps Taken for Use Case Inherent Risk Profile Low Inherent Risk Minimal Inherent Risk Moderate Inherent Risk Significant Inherent Risk Most Inherent Risk Cybersecurity Maturity Domain 1: Cyber Risk Management & Oversight Domain 2: Threat Intelligence & Collaboration Domain 3: Cybersecurity Controls Domain 4: External Dependency Management Domain 5: Cyber Incident Management and Resilience

31 Maturity Achieved Against Defined Targets ABC Bank 81.06% Domain Desired Target %Achieved Maturity Achieved Statements Least Minimal Moderate Significant Most Cyber Risk Intermediate 64.89% Innovative % 6.67% Management Advanced % 15.63% 15.63% and Oversight Intermediate % 24.14% 24.14% Evolving % 67.65% 67.65% Threat Intelligence and Collaboration Cyber Security Controls Baseline % % Intermediate 88.46% Innovative % 0.00% Advanced % 18.18% 18.18% Intermediate % 72.73% 72.73% Evolving % % % Baseline % % Intermediate 80.62% Innovative % 10.00% Advanced % 20.00% 20.00% Intermediate % 58.97% 58.97% Evolving % 76.92% 76.92% Baseline % % External Intermediate 86.84% Innovative % 0.00% Dependency Advanced % 42.86% 42.86% Management Intermediate % 66.67% 66.67% Evolving % 84.62% 84.62% Baseline % % Cyber Incident Intermediate 84.48% Innovative % 10.00%

32 Domain Level Controls Domain 1 - Governance, Risk, and Audit Solution capability desired - Visibility and Intelligence Domain 2 - Threat Intelligence and Sharing Solution capability desired - Intelligence and Integration Domain 3 - Preventive, Detective, and Corrective controls Solution capability desired - Detection, Prevention, and Response No Endpoint visibility Limited Intelligence on oversight and audit functions Polling and scanning, basic manual risks assigned Limited Intelligence without any Integration Alerts and logs are consolidated in a SIEM for integration, manually shared Threat Intelligence Detection: AV signatures Only detects known malware, extensive logs analysis Prevention: Relying on AV only stops known malware Response: Reimage machines, No root cause analysis Control Maturity Level Baseline Inherent Risk Profile Level Low Negative Security Approach Evolving Minimal Detection: Software and IP reputation data Prevention: Remove admin rights, Basic whitelisting Response: Manual root-cause and scope analysis, Post-mortem forensics Domain 4 - Third Party Management Solution capability desired - Visibility and Detection Domain 5 - Incident Response Solution capability desired - Detection and Response No visibility into third party security or threats No detection of security incidents spawned from third party's Detection: AV signatures Only detects known malware, extensive logs analysis Response: Reimage machines, No root cause analysis Limited visibility into criticality of third party s Still no detection of interactions or unauthorized attempts to obtain/change sensitive information Detection: Software and IP reputation data Response: Manual root-cause and scope analysis, Post-mortem forensics

33 Control Maturity Level Intermediate Advanced Innovative Inherent Risk Level Moderate Significant Most Risks exceed appetite they are escalated to management Policies include threat intelligence Baselines cannot be altered w/o formal change request Formal IT change management process Risk management includes financial strategic, regulatory, and compliance implications Benchmarks and target performance metrics are established Audits are used to identify gaps Industry standards are used for the analysis of gaps Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory Automated processes are in place to detect and block unauthorized changes to software and hardware Risk assessments of changes in change management system Risk data aggregation and real time reporting capabilities support ongoing reporting Periodic audit process improvements based on threat landscape Continuous monitoring of security controls KPI's determine training awareness influence Formal change management function governs decentralized or highly distributed change requests and measures security risks Automated enterprise tools are implemented to detect and block unauthorized changes to software and hardware Formal threat Intelligence program is implemented and has external and internal source A read only central repository of cyber threat intelligence is maintained Profile of threats is created Threat Intelligence is automatically received from multiple sources in real time Threat Intelligence is used to update architecture and configuration standards IT systems automatically detect configuration weaknesses based on Threat Intellgince and alert management Real time threat sharing Threat analysis systems correlates threat data to risks while taking automated actions and alerting management Invests in threat intelligence and collaboration mechanisms Combines all threat intelligence from mechanisms Security controls for remote access Unauthorized code prevention tools s and attachments are automatically scanned to detect malware and blocked when it is present Tools for unauthorized data mining Tools to monitor security logs Audit logs are backed up to a centralized log server that is difficult to alter Event detection processes are tested as reliable Controls verified to detect and prevent intrusions from third party connections Monitoring covers all external and internal connections Anti-spoofing measures for forged IP addresses Automated tools proactively identifies high-risk behavior signaling on an employee who poses insider threat Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices Real-time network monitoring and detection is implemented and incorporates Positive Security Approach sector wide event information Real time alerts are automatically sent when unauthorized software, hardware, or changes occur Tools are in place to actively correlate event information from multiple sources and send alerts based on established parameters Patch monitoring software is installed on all servers Maintain and improve security of external connections Automated real time risk scores of infrastructure Centralized end-point management tool Real time risk scoring of threats Detection of insider threats and block activity in real time Remediation of systems damaged by zero-days Detailed Diagram of data flow analysis IR team notified when anomalous behavior and attack patterns or signatures are detected Detect infiltrations before attacker traverses across systems, Incidents detected in real time through automated processes and correlated events across the enterprise Networks and system alerts are correlated across business units to detect and prevent multifaceted attacks Early analysis of security events to minimize impact Institution corrects root cause for problems discovered during testing Sophisticated and adaptive technologies are deployed that can detect an alert the incident response team of Specific tasks when threat indicators across the enterprise indicate potential external and internal threats Automated tools are implemented to provide specialized security monitoring based on the risk of the assets to detect and alert IR teams in real time, IR team collaborates with threat intelligence team during and incident, Detailed metrics, dashboards and/or scorecards outlining cyber events are provided to management. IR plan ensures recovery from disruption, assurance of data integrity, and recovery of lost or corrupted data following an incident IR process includes detailed actions and rule based triggers for automated response Validated the ability to remediate systems damaged by zero day attacks to maintain RTO Detect and block zero day attacks and alert management and IR teams in real time Risk management of significant cyber incidents results in limited to no down time for critical services Mechanism in place to alert in real time incidents through multiple channels while tracking and verifying communication for audit

34 Maturity Achieved Against Intermediate Targets with Proactive Security W/b9 intermediate 92.98% Domain Desired Target %Achieved Maturity Achieved Statements Least Minimal Moderate Significant Most Cyber Risk Intermediate 73.40% Innovative % 46.67% Management Advanced % 34.38% 34.38% and Intermediate % 31.03% 31.03% Oversight Evolving % 85.29% 85.29% Threat Intelligence and Collaboration Cyber Security Controls External Dependency Management Cyber Incident Management and Resilience Baseline % 100% Intermediate % Innovative % 50.00% Advanced % 45.45% 45.45% Intermediate % 100% 100% Evolving % 100% 100% Baseline % 100% Intermediate 91.47% Innovative % 40.00% Advanced % 64.00% 64.00% Intermediate % 82.05% 82.05% Evolving % 89.74% 89.74% Baseline % 100% Intermediate % Innovative % 0.00% Advanced % 42.86% 42.86% Intermediate % 100% 100% Evolving % 100% 100% Baseline % 100% Intermediate % Innovative % 60.00% Advanced % 53.33% 53.33% Intermediate % 100% 100% Evolving % 100% 100% Baseline % 100%

35 Domain Cyber Risk Management and Oversight Threat Intelligence and Collaboration Cyber Security Controls External Dependency Management Cyber Incident Managament and Resillence Maturity Achieved Against Defined Targets Status Quo 61.05% Achiev Stateme Moderat Significa Desired Target %Achecived Maturity ed nts Least Minimal e nt Most Innovative 47.52% Innovative % 6.67% Advanced % 15.63% 15.63% Intermediate % 24.14% 24.14% Evolving % 67.65% 67.65% Baseline % % Innovative 55.56% Innovative % 0.00% Advanced % 18.18% 18.18% Intermediate % 72.73% 72.73% Evolving % % % Baseline % % Innovative 63.79% Innovative % 10.00% Advanced % 20.00% 20.00% Intermediate % 58.97% 58.97% Evolving % 76.92% 76.92% Baseline % % Innovative 74.51% Innovative % 0.00% Advanced % 42.86% 42.86% Intermediate % 66.67% 66.67% Evolving % % % Baseline % % Innovative 63.86% Innovative % 10.00% Advanced % 20.00% 20.00% Intermediate % 71.43% 71.43% Evolving % 85.00% 85.00% Baseline % %

36 Maturity Achieved Against Innovative Targets with Proactive Security W/b9 innovative 77.65% Domain Desired Target %Achieved Maturity Achieved Statements Least Minimal Moderate Significant Most Cyber Risk Innovative 61.70% Innovative % 46.67% Management Advanced % 34.38% 34.38% and Oversight Intermediate % 31.03% 31.03% Evolving % 85.29% 85.29% Baseline % 100% Threat Intelligence and Collaboration Cyber Security Controls External Dependency Management Cyber Incident Management and Resilience Innovative Innovative % 50.00% Advanced % 45.45% 45.45% Intermediate % 100% 100% Evolving % 100% 100% Baseline % 100% Innovative 81.61% Innovative % 40.00% Advanced % 64.00% 64.00% Intermediate % 82.05% 82.05% Evolving % 89.74% 89.74% Baseline % 100% Innovative 80.39% Innovative % 0.00% Advanced % 42.86% 42.86% Intermediate % 100% 100% Evolving % 100% 100% Baseline % 100% Innovative 86.75% Innovative % 60.00% Advanced % 53.33% 53.33% Intermediate % 100% 100% Evolving % 100% 100% Baseline % 100%

37 Key Considerations While Using the CAT Being Innovative in Cybersecurity Maturity Real time detection and response Always be updating for changes Automatic metrics and reporting Threat analytics that matter Baseline risk measurement

38 How to use the CAT

39 Future of FFIEC Present Examiners have begun using the handbook Criticism from FI s of making a voluntary tool seem mandated. They do not track the NIST Cybersecurity Framework Declarative statements that are subjective in nature. Future FFIEC took in feedback as a response to the accusations this January. The tool will be updated on a periodic basis. Publications from the FFIEC and OCC released stating the CAT could become mandatory if examiners do not see risk mitigations improvements from banks.

40 Not just for Finance! Industry s can use the tool to fit their inherent risk profile by changing the criteria that best fits them. Eg, healthcare can tailor their inherent risk based on the nature of health services provided, number of devices connected to the network including medical devices, the number of sensitive patient files, and number of medical services locations as a start. Same goes for the cyber security assessment maturity questionnaire, you can tailor the questionnaire using the controls for HIPAA, PCI, and NIST and any other standard that pertains to your industry.

41 Questions?