Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist


Agenda
- Industry Background
- Cybersecurity Assessment Tools
- Cybersecurity Best Practices

Cybersecurity Statistics
- Cybersecurity-related incidents are continually on the rise
- 1,346 data records were lost or stolen every minute in 2015 [1]
- 89% of 2015 data breaches had a financial or espionage motive [2]
- 63% of 2015 data breaches involved weak, default, or stolen passwords [2]
- Only 4% of 2015 data breaches were "secure breaches", where encryption was used and the stolen data was useless [1]

Sources:
[1] http://www.gemalto.com/brochures-site/download-site/documents/ent-infographic-2015-breach-level-index.jpg
[2] Verizon 2016 Breach Investigations Report

Recent Data Breaches
- Global Bank
- Large National Bank
- California Credit Union

Cybersecurity Assessment Tools
- NIST Cybersecurity Framework
- FFIEC Cybersecurity Assessment Tool
- Information Security Risk Assessment

NIST Cybersecurity Framework
- Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, called for a framework that provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach to managing cybersecurity risk
- Ensures organizations have the necessary processes and documentation in place to proactively manage and respond to cybersecurity-related risk
- Encourages communication between internal and external stakeholders on the topic of risk and cybersecurity management

NIST Cybersecurity Framework
- Why should we adopt this framework?
- What if we already have something in place?
- Other regulatory bodies have created additional guidance to support the NIST Cybersecurity Framework, for example the FFIEC Cybersecurity Assessment Tool

NIST Cybersecurity Framework: Three Primary Elements
- Framework Core: Functions, Categories, Subcategories, Informative References
- Implementation Guidance, expressed as four Tiers: Partial, Risk-Informed, Repeatable, Adaptive
- Framework Profile

NIST Cybersecurity Framework Core (example row)
- Category: Detection Processes (DE.DP)
- Subcategory: DE.DP-3: Detection processes are tested
- Informative References:
  - COBIT 5 APO13.02
  - ISA 62443-2-1:2009 4.4.3.2
  - ISA 62443-3-3:2013 SR 3.3
  - ISO/IEC 27001:2013 A.14.2.8
  - NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, PM-14, SI-3, SI-4

NIST Cybersecurity Framework Core (figure only)

NIST Cybersecurity Framework Tiers

Tier 1: Partial
- Risk Management Process: Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.

Tier 2: Risk-Informed
- Risk Management Process: Risk management practices are approved by management but may not be established as organization-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.

Tier 3: Repeatable
- Risk Management Process: The organization's risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.

Tier 4: Adaptive
- Risk Management Process: The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.

NIST Cybersecurity Framework Profile
- Determine your current cybersecurity maturity and future goals
- Tiers do not necessarily equal maturity
- Comparing your target and current profiles helps determine gaps and build a roadmap

Source: National Institute of Standards and Technology

NIST Cybersecurity Framework Best Practices
- Start conversations early with all stakeholders; get buy-in from the beginning
- Identify all responsible parties
- Focus on just a subset at first; start where you are comfortable

Source: National Institute of Standards and Technology

Is It Required?
- The use of the NIST Cybersecurity Framework is voluntary
- The NIST Cybersecurity Framework is guidance based on existing standards, guidelines, and practices for critical infrastructure organizations
- The purpose is to help organizations better manage and reduce cybersecurity risk

NIST Cybersecurity Framework Benefits
- Very flexible framework, so it works for credit unions of any size and maturity
- Works well for credit unions that already have a cybersecurity program in place: compare the existing program to the NIST Cybersecurity Framework to identify opportunities for improvement
- For those that don't, the framework is a great starting point
- Many other regulations, such as FFIEC, reference the NIST Cybersecurity Framework, so implementing the framework helps with compliance requirements

FFIEC Cybersecurity Assessment Tool
- In June 2015, the FFIEC created the Cybersecurity Assessment Tool to help financial institutions evaluate their overall cyber risk
- The tool is an extensive self-assessment questionnaire in PDF form
- Financial institutions are encouraged to continuously assess and monitor their cybersecurity preparedness using the tool

FFIEC Cybersecurity Assessment Tool (walkthrough slides, figures only)

Is It Required?
- The FFIEC agencies (the Federal Reserve Board, Federal Deposit Insurance Corp., NCUA, Office of the Comptroller of the Currency (OCC), Consumer Financial Protection Bureau, and State Liaison Committee) will implement the assessment as part of the examination process to benchmark and monitor institutions' cybersecurity efforts.
- OCC examiners will incorporate the assessment in late 2015, and NCUA is projected to use the tool in mid-2016.

FFIEC Cybersecurity Assessment Tool Benefits
- Helps your credit union understand where the focus should be placed, based on your inherent risk profile and cybersecurity maturity
- If you meet baseline requirements, you are meeting the minimum FFIEC compliance requirements
- If you do not meet baseline requirements, the tool identifies gaps so you can work towards becoming FFIEC compliant

Information Security Risk Assessment
- Information Technology (IT) / Information Security (IS) Risk Assessments are detailed, customized assessments that evaluate the status of your credit union's information security program
- The controls and threats examined during the assessment are specific to your credit union's unique IT environment
- Risk assessments can be completed in-house or performed by a third-party provider

Information Security Risk Assessment
- Many controls are assessed to determine residual risk

Information Security Risk Assessment
- If performed by a third-party provider, recommendations are delivered that can help your credit union determine where to focus remediation efforts
- Credit unions can build remediation plans based on self-assessments or on third-party assessments performed

Is It Required?
- Credit unions are currently required to conduct an IT/IS Risk Assessment on an annual basis

Information Security Risk Assessment Benefits
- Helps your credit union understand residual risk based on the controls in place
- Not just compliance focused
- Based on the entire organization, so a risk assessment is much more specific than a compliance assessment

Tool Comparison

| | NIST Cybersecurity Framework | FFIEC Cybersecurity Assessment | Information Security Risk Assessment |
|---|---|---|---|
| How does this help me? | Framework for developing a cybersecurity program | Helps credit unions understand inherent risk profile and cybersecurity maturity | Evaluates the status of an information security program |
| Is it required? | Currently a voluntary framework | Not currently a requirement, but may be in the near future | Credit unions are required to conduct an IT/IS Risk Assessment on an annual basis |

Cybersecurity Best Practices: Continuous Risk Management
- Not meant to be just a point in time, so update as your credit union changes
- Create a risk strategy that works for your credit union
- Remediate! You do not have to fix everything, but develop a plan for addressing gaps

Cycle: Identify Gaps in Program Implementation -> Evaluate Risks -> Implement Action Plans to Address Discovered Gaps

Cybersecurity Best Practices
- Test your systems regularly
- Verify controls are working properly
- Maintain at least baseline maturity to maintain compliance
- Many baseline items will show up on FFIEC audits
- Baseline Maturity statements are directly related to the FFIEC Information Security Booklet

Cybersecurity Best Practices: Complete Basic Testing
- Risk assessments
- Internal and external penetration testing
- Phishing, vishing, and onsite social engineering
- Vulnerability scanning

The above items are directly mapped to the baseline maturity requirements.

Key Takeaways
- Breaches happen and no industry or organization is bulletproof; it is not always about preventing, but how ready you are to respond
- There are many tools and assessments out there, so find what works best for your credit union
- Completion of the Cybersecurity Assessment does not replace the need for a formal IT Risk Assessment
- Implementing the NIST Cybersecurity Framework, completing the FFIEC Cybersecurity Assessment, and performing a risk assessment are all feasible tasks that, combined, help minimize the threat of a cyber-attack
- Keep in mind other best practices, like penetration testing and social engineering!

Contact Information
Michelle Misko, TraceSecurity Product Specialist
michellem@tracesecurity.com

Thank You!