Choosing the Right Cybersecurity Assessment Tool
Michelle Misko, TraceSecurity Product Specialist

Agenda
- Industry Background
- Cybersecurity Assessment Tools
- Cybersecurity Best Practices
Cybersecurity Statistics
Cybersecurity-related incidents are continually on the rise:
- 1,346 data records were lost or stolen every minute in 2015 [1]
- 89% of 2015 data breaches had a financial or espionage motive [2]
- 63% of 2015 data breaches involved weak, default, or stolen passwords [2]
- Only 4% of 2015 data breaches were "secure breaches", where the stolen data was encrypted and therefore useless to the attacker [1]
[1] Gemalto, 2015 Breach Level Index: http://www.gemalto.com/brochures-site/download-site/documents/ent-infographic-2015-breach-level-index.jpg
[2] Verizon 2016 Data Breach Investigations Report

Recent Data Breaches
- Global Bank
- Large National Bank
- California Credit Union

Cybersecurity Assessment Tools
- NIST Cybersecurity Framework
- FFIEC Cybersecurity Assessment Tool
- Information Security Risk Assessment
NIST Cybersecurity Framework
- Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, called for a framework that provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach to managing cybersecurity risk
- Helps organizations put in place the processes and documentation needed to proactively manage and respond to cybersecurity-related risk
- Encourages communication between internal and external stakeholders on risk and cybersecurity management

NIST Cybersecurity Framework
- Why should we adopt this framework?
- What if we already have something in place?
- Other regulatory bodies have created additional guidance that builds on the NIST Cybersecurity Framework, for example the FFIEC Cybersecurity Assessment Tool

NIST Cybersecurity Framework: Three Primary Elements
- Framework Core: Functions, Categories, Subcategories, Informative References
- Framework Implementation Tiers (four tiers): Partial, Risk-Informed, Repeatable, Adaptive
- Framework Profile

NIST Cybersecurity Framework Core (example row)
Function: Detect (DE)
Category: Detection Processes (DE.DP)
Subcategory: DE.DP-3: Detection processes are tested
Informative References:
- COBIT 5 APO13.02
- ISA 62443-2-1:2009 4.4.3.2
- ISA 62443-3-3:2013 SR 3.3
- ISO/IEC 27001:2013 A.14.2.8
- NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, PM-14, SI-3, SI-4
NIST Cybersecurity Framework Tiers (Risk Management Process)

Tier 1: Partial
Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.

Tier 2: Risk-Informed
Risk management practices are approved by management but may not be established as organization-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.

Tier 3: Repeatable
The organization's risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.

Tier 4: Adaptive
The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
NIST Cybersecurity Framework Profile
- Determine where your cybersecurity program stands today (Current Profile) and where you want it to be (Target Profile)
- Tiers do not necessarily equal maturity
- Comparing your Target Profile with your Current Profile identifies the gaps and gives you a roadmap for closing them
Source: National Institute of Standards and Technology
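The Core row above and the Profile comparison just described can be worked through as a small script. The following is an added example written for this page; it is not code from the slides, from TraceSecurity, or from NIST. Only DE.DP-3 and its informative references come from the slide; ID.AM-1, PR.AC-1 and RS.CO-1 are quoted from NIST CSF v1.0 but carry only their NIST SP 800-53 Rev. 4 references here. The two profiles, the tier values in them, and the use of Tier numbers as a per-subcategory implementation scale are constructed assumptions for the example (NIST applies Tiers to the organization's overall risk management process, and the slide itself notes that Tiers are not maturity levels).

```python
from dataclasses import dataclass

TIERS = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Subcategory:
    function: str     # Framework Core Function, e.g. "Detect"
    category: str     # Category, e.g. "Detection Processes (DE.DP)"
    outcome: str      # the Subcategory outcome statement
    references: dict  # informative references keyed by source document


# Framework Core entries. DE.DP-3 and its references are from the slide; the
# other three are quoted from NIST CSF v1.0 with only their NIST SP 800-53
# Rev. 4 references (other informative references omitted for brevity).
CORE = {
    "DE.DP-3": Subcategory(
        "Detect", "Detection Processes (DE.DP)",
        "Detection processes are tested",
        {"COBIT 5": ("APO13.02",),
         "ISA 62443-2-1:2009": ("4.4.3.2",),
         "ISA 62443-3-3:2013": ("SR 3.3",),
         "ISO/IEC 27001:2013": ("A.14.2.8",),
         "NIST SP 800-53 Rev. 4": ("CA-2", "CA-7", "PE-3", "PM-14", "SI-3", "SI-4")}),
    "ID.AM-1": Subcategory(
        "Identify", "Asset Management (ID.AM)",
        "Physical devices and systems within the organization are inventoried",
        {"NIST SP 800-53 Rev. 4": ("CM-8",)}),
    "PR.AC-1": Subcategory(
        "Protect", "Access Control (PR.AC)",
        "Identities and credentials are managed for authorized devices and users",
        {"NIST SP 800-53 Rev. 4": ("AC-2", "IA Family")}),
    "RS.CO-1": Subcategory(
        "Respond", "Communications (RS.CO)",
        "Personnel know their roles and order of operations when a response is needed",
        {"NIST SP 800-53 Rev. 4": ("CP-2", "CP-3", "IR-3", "IR-8")}),
}

# Constructed sample profiles (assumption, not real assessment data):
# subcategory identifier -> Tier 1-4. RS.CO-1 is deliberately missing from the
# Current Profile to show how an outcome that was never assessed is handled.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 3, "DE.DP-3": 1}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 2, "DE.DP-3": 3, "RS.CO-1": 2}


def validate_profile(profile):
    """Reject identifiers that are not Core subcategories and tiers outside 1-4."""
    for ident, tier in profile.items():
        if ident not in CORE:
            raise KeyError(f"{ident} is not a Framework Core subcategory")
        if tier not in TIERS:
            raise ValueError(f"{ident}: tier {tier!r} is not one of {sorted(TIERS)}")


def gap_analysis(current, target):
    """Compare Current and Target Profiles; return the roadmap, largest gap first.

    A subcategory named in the target but never assessed counts as Tier 1
    (Partial) and is flagged so it is not mistaken for a measured result.
    """
    validate_profile(current)
    validate_profile(target)
    roadmap = []
    for ident, want in target.items():
        assessed = ident in current
        have = current.get(ident, 1)
        if want <= have:
            continue  # already at or above target: no roadmap item
        sub = CORE[ident]
        roadmap.append({
            "id": ident,
            "function": sub.function,
            "outcome": sub.outcome,
            "current": TIERS[have] if assessed else "not assessed",
            "target": TIERS[want],
            "gap": want - have,
            "references": sub.references,
        })
    roadmap.sort(key=lambda item: (-item["gap"], item["id"]))
    return roadmap


def exceeds_target(current, target):
    """Subcategories where current practice is above the Target Profile: worth a
    second look, since the target says that effort is not needed there."""
    return sorted(i for i, have in current.items() if i in target and have > target[i])


def controls_to_implement(roadmap, source="NIST SP 800-53 Rev. 4"):
    """Deduplicated controls from one reference source across every gap, i.e.
    the concrete control set a remediation plan can be built on."""
    controls = set()
    for item in roadmap:
        controls.update(item["references"].get(source, ()))
    return sorted(controls)


def gap_by_function(roadmap):
    """Total tier gap per Framework Function, for reporting to stakeholders."""
    totals = {}
    for item in roadmap:
        totals[item["function"]] = totals.get(item["function"], 0) + item["gap"]
    return totals


if __name__ == "__main__":
    roadmap = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for item in roadmap:
        print(f"{item['id']:8} {item['current']:>13} -> {item['target']:<13} "
              f"gap {item['gap']}  {item['outcome']}")
    print("800-53 controls to plan for:", ", ".join(controls_to_implement(roadmap)))
    print("Above target (review):", exceeds_target(CURRENT_PROFILE, TARGET_PROFILE))
```

Run stand-alone it prints the roadmap (DE.DP-3 first, with the largest gap), the consolidated list of NIST SP 800-53 controls behind those gaps, and PR.AC-1 as the one subcategory where the sample credit union is already above its own target. The informative references are what turn a Profile gap into something actionable: the DE.DP-3 gap becomes "exercise CA-2/CA-7 assessments and SI-4 monitoring tests" rather than an abstract tier number.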
NIST Cybersecurity Framework Best Practices
- Start conversations early with all stakeholders; get buy-in from the beginning
- Identify all responsible parties
- Focus on a subset at first; start where you are comfortable
Source: National Institute of Standards and Technology

Is It Required?
- Use of the NIST Cybersecurity Framework is voluntary
- The Framework is guidance built on existing standards, guidelines, and practices for critical infrastructure organizations
- Its purpose is to help organizations better manage and reduce cybersecurity risk

NIST Cybersecurity Framework Benefits
- Very flexible framework, so it works for credit unions of any size and maturity
- Works well for credit unions that already have a cybersecurity program in place: compare the existing program to the Framework to identify opportunities for improvement
- For those that don't, the Framework is a great starting point
- Other regulatory guidance, such as the FFIEC Cybersecurity Assessment Tool, maps to the NIST Cybersecurity Framework, so implementing the Framework also helps with compliance requirements

FFIEC Cybersecurity Assessment Tool
- In June 2015, the FFIEC released the Cybersecurity Assessment Tool to help financial institutions evaluate their overall cyber risk
- The tool is an extensive self-assessment questionnaire in PDF form
- Financial institutions are encouraged to continuously assess and monitor their cybersecurity preparedness using the tool
Is It Required?
The FFIEC agencies (the Federal Reserve Board, Federal Deposit Insurance Corporation, NCUA, Office of the Comptroller of the Currency (OCC), Consumer Financial Protection Bureau, and State Liaison Committee) will implement the assessment as part of the examination process to benchmark and monitor institutions' cybersecurity efforts. OCC examiners will incorporate the assessment in late 2015, and NCUA is projected to use the tool in mid-2016.

FFIEC Cybersecurity Assessment Tool Benefits
- Helps your credit union understand where focus should be placed, based on your inherent risk profile and cybersecurity maturity
- If you meet the Baseline maturity statements, you are meeting the minimum FFIEC compliance requirements
- If you do not meet them, the tool identifies the gaps so you can work towards becoming FFIEC compliant

Information Security Risk Assessment
- Information Technology (IT) / Information Security (IS) Risk Assessments are detailed, customized assessments that evaluate the status of your credit union's information security program
- The controls and threats examined during the assessment are specific to your credit union's unique IT environment
- Risk assessments can be completed in-house or performed by a third-party provider
Information Security Risk Assessment
Many controls are assessed to determine residual risk, the risk that remains once the controls actually in place are accounted for.

Information Security Risk Assessment
- If performed by a third-party provider, recommendations are delivered that help your credit union decide where to focus remediation efforts
- Credit unions can build remediation plans from either self-assessments or third-party assessments

Is It Required?
Credit unions are currently required to conduct an IT/IS Risk Assessment on an annual basis.

Information Security Risk Assessment Benefits
- Helps your credit union understand residual risk based on the controls in place
- Not just compliance focused
- Scoped to your entire organization and its own environment, so a risk assessment is much more specific than a compliance assessment
Tool Comparison

NIST Cybersecurity Framework
- How does this help me? A framework for developing a cybersecurity program
- Is it required? Currently a voluntary framework

FFIEC Cybersecurity Assessment Tool
- How does this help me? Helps credit unions understand their inherent risk profile and cybersecurity maturity
- Is it required? Not currently a requirement, but may be in the near future

Information Security Risk Assessment
- How does this help me? Evaluates the status of an information security program
- Is it required? Credit unions are required to conduct an IT/IS Risk Assessment on an annual basis
Cybersecurity Best Practices: Continuous Risk Management
- Risk management is not a point-in-time exercise; update it as your credit union changes
- Create a risk strategy that works for your credit union
- Remediate! You do not have to fix everything, but develop a plan for addressing gaps
Cycle: Identify gaps in program implementation -> Evaluate risks -> Implement action plans to address the discovered gaps

Cybersecurity Best Practices
- Test your systems regularly to verify that controls are working properly
- Maintain at least Baseline maturity to maintain compliance
- Many Baseline items will show up in FFIEC examinations
- The Baseline maturity statements are directly related to the FFIEC Information Security Booklet

Cybersecurity Best Practices: Complete Basic Testing
- Risk assessments
- Internal and external penetration testing
- Phishing, vishing, and onsite social engineering
- Vulnerability scanning
The items above map directly to the Baseline maturity requirements.

Key Takeaways
- Breaches happen and no industry or organization is bulletproof; it is not always about preventing a breach, but how ready you are to respond
- There are many tools and assessments out there, so find what works best for your credit union
- Completing the FFIEC Cybersecurity Assessment does not replace the need for a formal IT Risk Assessment
- Implementing the NIST Cybersecurity Framework, completing the FFIEC Cybersecurity Assessment, and performing a risk assessment are all feasible tasks that, combined, help minimize the threat of a cyber-attack
- Keep in mind other best practices, like penetration testing and social engineering!

Contact Information
Michelle Misko
TraceSecurity Product Specialist
michellem@tracesecurity.com
Thank You!