Effective Practices for Insider Threats and Third-Party Risk Management
Thursday, February 22, 10:00 a.m. - 11:00 a.m.


Financial institutions are subject to threats on multiple fronts. Two threats of significant and growing concern to our industry are insiders, such as employees, and third parties, such as vendors. We necessarily rely on and trust both insiders and third parties; however, we must exert appropriate oversight if we are to prevent that trust from being violated, whether by malicious actors or by careless actions or inactions. During this session, panelists discuss case studies and share effective practices firms can use to manage and mitigate these risks and to develop and improve both their insider risk and third-party risk management programs.

Moderator: David Yacono, Senior Director, FINRA Technology, Cyber & Information Security

Panelists:
Brice Cook, Director, Insider Risk Program, FINRA Technology, Cyber & Information Security
Kishen Sridharan, Cybersecurity Partnership and Outreach Executive, Raymond James Financial
Homayun Yaqub, Executive Director, JPMorgan Chase & Co.

© 2018 Financial Industry Regulatory Authority, Inc. All rights reserved.

Panelist Bios:

Moderator:

David Yacono is Senior Director of Cyber & Information Security at FINRA. His current responsibilities include FINRA's software security program, which provides security assurance services to a portfolio of more than 100 internally developed systems, as well as FINRA's third-party risk management program, which evaluates, monitors, and manages the cybersecurity risk posed by FINRA's vendors, cloud providers, and other third-party relationships. Mr. Yacono is also responsible for FINRA's IT Security Risk Management and Compliance programs, which ensure compliance with IT security standards including FISMA, PCI-DSS, and FBI-CJIS. Since joining FINRA in 1999 he has served in various roles responsible for ensuring the secure and reliable operation of FINRA's information technology systems, including security architect and security engineer. Mr. Yacono specializes in the application of information security processes, methodologies, and tools to protect the confidentiality, integrity, and availability of information and information processing systems, with special emphasis on financial services; he has nearly 25 years of experience in cybersecurity. Mr. Yacono earned a Bachelor of Science in Electrical Engineering from the University of Maryland, and holds current certifications as a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP), and a Certified Third Party Risk Management Professional (CTPRP).

Panelists:

Brice Cook is FINRA's first Director for Insider Risk, formally establishing the program after joining FINRA in early 2017. In this role, he leads a collaborative company-wide effort to develop, implement, and execute the technical and non-technical processes needed to create a holistic system to manage insider risks. Before Mr. Cook came to FINRA, he retired as a Supervisory Criminal Investigator after 29 years of Federal Government service protecting some of the Nation's most critical assets. The last 22 years of his Federal Government tenure were at the Department of Energy, serving as a Director in the Office of Corporate Security and leading efforts in Insider Threat, Special Access Programs, Human Reliability Programs, Investigations, Threat Management, and Executive Protection. Mr. Cook's accomplishments include: establishing the DOE's first formal Insider Threat Program; founding the Protective Services Working Group, a group of over 50 Federal organizations protecting the nation's leadership, of which he also served as Chair; serving as a Chair in the Defense Department's Combating Terrorism Technical Support Office, which provided expertise and oversight in the research and development of personnel protection technologies; serving as a board member of the FBI Joint Terrorism Task Force Executive Board and the DHS Advisory Board for Law Enforcement Officers Flying Armed; and developing policy and guidance for the Federal Government on security professional development and continuity programs. Mr. Cook is a graduate of the 244th session of the FBI National Academy, the Federal Law Enforcement Training Center, and the Federal Executive Institute. Mr. Cook has a Master's in Public Administration from American University and a Bachelor's degree from Washington State University. He also holds professional certificates as a Certified Information Systems Security Professional (CISSP) and in Insider Threat Program Management (ITPM). Mr. Cook has even worked on the FOX Television show America's Most Wanted, where he supported investigations that led to the arrest of over 150 wanted persons.

Kishen Sridharan is the Cybersecurity Partnership & Outreach Executive, reporting to the Chief Information Security Officer of Raymond James. In this strategic role, he focuses on strengthening and growing Raymond James' network of relationships with outside organizations such as industry associations (e.g., FS-ISAC and SIFMA), peers, government/law enforcement entities, universities, potential new strategic suppliers, and the community. He determines the level of engagement, assesses the ROI to Raymond James, and makes sure Raymond James is a valuable contributing partner in return. In prior roles at Raymond James, Mr. Sridharan helped establish a Product Management mindset, framework, and governance structure to deliver highly valuable business outcomes, particularly those which support the Strategic Roadmap. This is the stepping stone to formally converting the InfraSec organization to an as-a-Service model. Before that, he stood up a Project Management Office within InfraSec. Mr. Sridharan has almost 16 years of experience in various facets of technology, project implementation, and business process improvement. His experience ranges from compliance, risk management, and information assurance to strategic information security consulting. He earned his Bachelor of Science from the Pennsylvania State University in Management Science, Information Systems, and International Business, and an MBA from the University of Maryland. He is a certified Project Management Professional (PMP) and a Scrum Master (CSM).

Homayun Yaqub is Executive Director in JPMorgan Chase and Company's Global Security and Investigations team, managing the firm's Insider Threat program. Prior to joining JPMorgan Chase in 2015, Mr. Yaqub served in the U.S. Intelligence Community and Department of Defense, with more than 20 years of experience leading sensitive intelligence activities and related programs worldwide. Mr. Yaqub was also a founding member of The MASY Group, a Washington D.C.-based security, intelligence, and risk consulting firm supporting both public and private sector clients. He began his career as a U.S. Army officer serving in various roles throughout the United States, the Middle East, South Asia, and Europe. Mr. Yaqub holds a Master's in Conflict Analysis and Resolution from George Mason University and a Bachelor's in International Business from James Madison University.

2018 Cybersecurity Conference, February 22, New York, NY
Effective Practices for Insider Threats and Third-Party Risk Management

Panelists

Moderator: David Yacono, Senior Director, FINRA Technology, Cyber & Information Security

Panelists:
- Brice Cook, Director, Insider Risk Program, FINRA Technology, Cyber & Information Security
- Kishen Sridharan, Cybersecurity Partnership and Outreach Executive, Raymond James Financial
- Homayun Yaqub, Executive Director, JPMorgan Chase & Co.

To Access Polling
Under the Schedule icon on the home screen, select the day, choose the Effective Practices for Insider Threats and Third-Party Risk Management session, and click on the polling icon.

Polling Question 1: Firm Size
1. My firm's staff size is:
a. More than 1000
b. 251 to 1000
c. 51 to 250
d. 11 to 50
e. 10 or fewer

Polling Question 2: Characterizing Insider and Third-Party Risk
2. For my firm, insider risk is:
a. A substantial concern
b. A moderate concern
c. A minor concern
d. A negligible concern (e.g., due to extremely small firm size)
e. Not sure

Polling Question 3: Characterizing Insider and Third-Party Risk
3. For my firm, third-party risk is:
a. A substantial concern. The security of my third parties significantly affects my ability to protect my systems/data/processes.
b. A moderate concern
c. A minor concern. There is no obvious way that a security deficiency of one of my third parties could significantly harm me.
d. Not a concern. I have no dependencies on third parties.
e. Not sure

Characterizing Insider and Third-Party Risks
- Importance of insider and third-party risk: significance relative to other risk sources.
- Trends in emphasis? Drivers?

Identifying Threat Agents and Risk Factors

Insider Risk
- Who are the insider threats?
- Risk factors to consider?
- Strategies for focusing and prioritizing.

Third-Party Risk
- What are the third-party threats?
- Risk factors to consider?
- Strategies for focusing and prioritizing.

Polling Question 4: Insider Risk Management
4. My firm's insider risk program is:
a. Mature. Robust strategy with well-defined processes. Advanced controls including predictive analysis and behavioral analytics.
b. Established. A defined insider risk strategy backed by processes and tools that enable enterprise-wide information aggregation and correlation (e.g., SIEM).
c. Nascent. Basic controls in use, but no overarching strategy.
d. Nonexistent. Needed, but not yet established.
e. None needed. We don't see the need for an insider risk program.

Insider Risk Management Methodology
- Lifecycle: vetting, monitoring, adjudicating, detection, analysis
- Insider Risk Kill Chain: Recruitment/Tipping Point, Search and Recon, Exploitation, Acquisition, Exfiltration
- High-risk employees, assets, operations
- Control techniques:
  - Basic: SOD (separation of duties), POLP (principle of least privilege), training, others?
  - Better: log aggregation, SIEM, others?
  - Best: UEBA (user and entity behavior analytics), leveraging data/analytics, others?

Polling Question 5: Third-Party Risk Management
5. My firm's third-party risk program is:
a. Mature. Robust strategy with well-defined processes that are applied to all third parties and that are quantitatively measured.
b. Established. A defined third-party risk management strategy backed by processes and tools.
c. Nascent. Some controls in place (e.g., vendor questionnaire), but no overarching strategy.
d. Nonexistent. We use third parties, but have no explicit risk management controls.
e. None needed. We don't use third parties that impact our risk profile.

Third-Party Risk Management Methodology
- Identifying and prioritizing third parties
- Sources of risk: people, process, technology
- Assessment: processes, techniques, timing; assurance/evidence expectations
- Controlling risks: contract provisions, other techniques. Risk acceptance? Show stoppers?
- Monitoring and detecting changes: changes at the third party; changes in the relationship with the third party
- Supporting tools and services
- Coordination with organizational stakeholders: infosec, purchasing, legal, etc.

Advice for Smaller Firms

Insider Risk
- Difference in risk for smaller firms?
- Control priorities.
- Effective insider risk management on a budget.

Third-Party Risk
- Difference in risk for smaller firms?
- Control priorities.
- Effective third-party risk management on a budget.

2018 Cybersecurity Conference, February 22, New York, NY
THANK YOU!