FFIEC Cyber Security Assessment Tool. Overview and Key Considerations


Overview of FFIEC Cybersecurity Assessment Tool

Agenda
- Overview of assessment tool
- Review inherent risk profile categories
- Review domains 1-5 for cybersecurity maturity
- Summary of risk/maturity relationships
- Overview of use case performed
- Final thoughts
- Q&A

Benefits to Institutions
- Identifying factors contributing to, and determining, the institution's overall cyber risk
- Assessing the institution's cybersecurity preparedness
- Evaluating whether the institution's cybersecurity preparedness is aligned with its risks
- Determining risk management practices and controls that could be taken to achieve the institution's desired state of cyber preparedness
- Informing risk management strategies

Not just for Finance! Don't tune out if you're not in the financial services sector! Throughout the presentation you will see that risk assessment and preparedness is a major theme in any industry. Feel free to ask particular questions about your company and industry.

Inherent Risk Profile

Inherent Risk Profile Categories
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats

Inherent Risk Profile Risk Levels

Inherent Risk Profile Excerpt

Inherent Risk Profile: Technologies and Connection Types
- Internet service providers
- Third party connections
- Internal vs. outsourced hosted systems
- Wireless access points
- Network devices
- EOL systems
- Cloud services
- Personal devices

Inherent Risk Profile: Delivery Channels
- Online and mobile products and services delivery channels
- ATM operations

Inherent Risk Profile: Online/Mobile Products and Technology Services
- Credit and debit cards
- P2P payments
- ACH
- Wire transfers
- Wholesale payments
- Remote deposit
- Treasury and trust
- Global remittances
- Correspondent banking
- Merchant acquiring activities

Inherent Risk Profile: Organizational Characteristics
- Mergers and acquisitions
- Direct employees and contractors
- IT environment
- Business presence and locations of operations and data centers

Inherent Risk Profile

Inherent Risk Responses: Best Practice. Automate answers using existing solutions to track in real time areas such as:
- Asset inventory
- Third party connections
- Transaction data

Cybersecurity Maturity Assessment

Cybersecurity Maturity Overview

Cybersecurity Maturity Domain Coverage

Domain 1: Cyber Risk Management & Oversight
- Governance
- Risk Management
- Resources
- Training and Culture

Domain 2: Threat Intelligence and Collaboration
- Threat Intelligence
- Monitoring and Analyzing
- Information Sharing

Domain 3: Cybersecurity Controls
- Preventative: Infrastructure management; Access and asset management; Device/endpoint security; Secure coding practices
- Detective: Threat and vulnerability detection; Anomalous behavior activity detection; Event detection
- Corrective: Patch management; Remediation

Domain 4: External Dependency Management
- Connections: Identification; Monitoring; Management of external connections and data flows to third parties
- Relationship Management: Due diligence; Contracts; Ongoing monitoring

Domain 5: Cyber Incident Management and Response
- Incident Resilience Planning & Strategy
- Detection, Response, & Mitigation
- Escalation & Reporting

Risk Maturity Relationship

Risk Maturity Matrix

National Bank Case Study

ABC National Bank Business Profile

Background:
- 13,000+ employees
- 1,000+ banking locations
- HQ in Central US
- Est. 1967

Banking Operations:
- Branch Banking
- Commercial Banking
- Consumer Lending
- Investment Advisors

Current State:
- EOL systems still in use, no upgrade plan
- Mobile banking applications and some BYOD
- Previous security incidents: external phishing attempts and ATMs being infected with malware
- IT Security Director has left the Bank

Inherent Risk Score: 507.69

Legend (score bands): <=200, 201-400, 401-600, 601-800, 801-1000 (Least, Minimal, Moderate, Significant, Most)

Category                                        Data Weights  Points  Least  Minimal  Moderate  Significant  Most
Technologies and Connection Types               1             14      0      8        4         2            0
Delivery Channels                               1             3       0      0        1         2            0
Organizational Characteristics                  1             7       1      0        6         0            0
Online/Mobile Products and Technology Services  1             14      3      3        8         0            0
External Threats                                1             1       0      0        1         0            0
Totals                                          5             39      4      11       20        4            0
Share of statements                                                   10.26% 28.21%   51.28%    10.26%       0.00%

Cybersecurity Maturity Assessment

FFIEC Recap of Steps Taken for Use Case

Inherent Risk Profile (one of five levels):
- Low Inherent Risk
- Minimal Inherent Risk
- Moderate Inherent Risk
- Significant Inherent Risk
- Most Inherent Risk

Cybersecurity Maturity:
- Domain 1: Cyber Risk Management & Oversight
- Domain 2: Threat Intelligence & Collaboration
- Domain 3: Cybersecurity Controls
- Domain 4: External Dependency Management
- Domain 5: Cyber Incident Management and Resilience

Maturity Achieved Against Defined Targets: ABC Bank 81.06%

Domain                                     Desired Target  % Achieved  Maturity Level  Achieved  Statements  % Achieved
Cyber Risk Management and Oversight        Intermediate    64.89%      Innovative      1         15          6.67%
                                                                       Advanced        5         32          15.63%
                                                                       Intermediate    7         29          24.14%
                                                                       Evolving        23        34          67.65%
                                                                       Baseline        31        31          100.00%
Threat Intelligence and Collaboration      Intermediate    88.46%      Innovative      0         8           0.00%
                                                                       Advanced        2         11          18.18%
                                                                       Intermediate    8         11          72.73%
                                                                       Evolving        7         7           100.00%
                                                                       Baseline        8         8           100.00%
Cyber Security Controls                    Intermediate    80.62%      Innovative      2         20          10.00%
                                                                       Advanced        5         25          20.00%
                                                                       Intermediate    23        39          58.97%
                                                                       Evolving        30        39          76.92%
                                                                       Baseline        51        51          100.00%
External Dependency Management             Intermediate    86.84%      Innovative      0         7           0.00%
                                                                       Advanced        3         7           42.86%
                                                                       Intermediate    6         9           66.67%
                                                                       Evolving        11        13          84.62%
                                                                       Baseline        16        16          100.00%
Cyber Incident Management and Resilience   Intermediate    84.48%      Innovative      1         10          10.00%

Domain Level Controls

Domain 1 - Governance, Risk, and Audit (solution capability desired: Visibility and Intelligence)
- Baseline (inherent risk profile Low, negative security approach): No endpoint visibility; limited intelligence on oversight and audit functions
- Evolving (inherent risk profile Minimal): Polling and scanning, basic manual risks assigned

Domain 2 - Threat Intelligence and Sharing (solution capability desired: Intelligence and Integration)
- Baseline: Limited intelligence without any integration
- Evolving: Alerts and logs are consolidated in a SIEM for integration; threat intelligence is shared manually

Domain 3 - Preventive, Detective, and Corrective Controls (solution capability desired: Detection, Prevention, and Response)
- Baseline: Detection: AV signatures only detect known malware, extensive log analysis. Prevention: Relying on AV only stops known malware. Response: Reimage machines, no root cause analysis
- Evolving: Detection: Software and IP reputation data. Prevention: Remove admin rights, basic whitelisting. Response: Manual root-cause and scope analysis, post-mortem forensics

Domain 4 - Third Party Management (solution capability desired: Visibility and Detection)
- Baseline: No visibility into third party security or threats; no detection of security incidents spawned from third parties
- Evolving: Limited visibility into the criticality of third parties; still no detection of interactions or unauthorized attempts to obtain/change sensitive information

Domain 5 - Incident Response (solution capability desired: Detection and Response)
- Baseline: Detection: AV signatures only detect known malware, extensive log analysis. Response: Reimage machines, no root cause analysis
- Evolving: Detection: Software and IP reputation data. Response: Manual root-cause and scope analysis, post-mortem forensics

Control Maturity Level: Intermediate / Advanced / Innovative. Inherent Risk Level: Moderate / Significant / Most (positive security approach)

- Risks that exceed appetite are escalated to management
- Policies include threat intelligence
- Baselines cannot be altered without a formal change request
- Formal IT change management process
- Risk management includes financial, strategic, regulatory, and compliance implications
- Benchmarks and target performance metrics are established
- Audits are used to identify gaps
- Industry standards are used for the analysis of gaps
- Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory
- Automated processes are in place to detect and block unauthorized changes to software and hardware
- Risk assessments of changes in the change management system
- Risk data aggregation and real time reporting capabilities support ongoing reporting
- Periodic audit process improvements based on the threat landscape
- Continuous monitoring of security controls
- KPIs determine training awareness influence
- Formal change management function governs decentralized or highly distributed change requests and measures security risks
- Automated enterprise tools are implemented to detect and block unauthorized changes to software and hardware
- Formal threat intelligence program is implemented and has external and internal sources
- A read-only central repository of cyber threat intelligence is maintained
- Profile of threats is created
- Threat intelligence is automatically received from multiple sources in real time
- Threat intelligence is used to update architecture and configuration standards
- IT systems automatically detect configuration weaknesses based on threat intelligence and alert management
- Real time threat sharing
- Threat analysis systems correlate threat data to risks while taking automated actions and alerting management
- Invests in threat intelligence and collaboration mechanisms
- Combines all threat intelligence from these mechanisms
- Security controls for remote access
- Unauthorized code prevention tools
- Emails and attachments are automatically scanned to detect malware and blocked when it is present
- Tools for unauthorized data mining
- Tools to monitor security logs
- Audit logs are backed up to a centralized log server that is difficult to alter
- Event detection processes are tested as reliable
- Controls verified to detect and prevent intrusions from third party connections
- Monitoring covers all external and internal connections
- Anti-spoofing measures for forged IP addresses
- Automated tools proactively identify high-risk behavior signaling an employee who poses an insider threat
- Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices
- Real-time network monitoring and detection is implemented and incorporates sector-wide event information
- Real time alerts are automatically sent when unauthorized software, hardware, or changes occur
- Tools are in place to actively correlate event information from multiple sources and send alerts based on established parameters
- Patch monitoring software is installed on all servers
- Maintain and improve security of external connections
- Automated real time risk scores of infrastructure
- Centralized endpoint management tool
- Real time risk scoring of threats
- Detection of insider threats and blocking of activity in real time
- Remediation of systems damaged by zero-days
- Detailed diagram of data flow analysis
- IR team notified when anomalous behavior and attack patterns or signatures are detected
- Detect infiltrations before the attacker traverses across systems
- Incidents detected in real time through automated processes and correlated events across the enterprise
- Network and system alerts are correlated across business units to detect and prevent multifaceted attacks
- Early analysis of security events to minimize impact
- Institution corrects the root cause of problems discovered during testing
- Sophisticated and adaptive technologies are deployed that can detect and alert the incident response team to specific tasks when threat indicators across the enterprise indicate potential external and internal threats
- Automated tools are implemented to provide specialized security monitoring based on the risk of the assets, to detect and alert IR teams in real time
- IR team collaborates with the threat intelligence team during an incident
- Detailed metrics, dashboards and/or scorecards outlining cyber events are provided to management
- IR plan ensures recovery from disruption, assurance of data integrity, and recovery of lost or corrupted data following an incident
- IR process includes detailed actions and rule-based triggers for automated response
- Validated the ability to remediate systems damaged by zero-day attacks to maintain RTO
- Detect and block zero-day attacks and alert management and IR teams in real time
- Risk management of significant cyber incidents results in limited to no downtime for critical services
- Mechanism in place to alert on incidents in real time through multiple channels while tracking and verifying communication for audit

Maturity Achieved Against Intermediate Targets with Proactive Security (w/ b9 + cb @ intermediate): 92.98%

Domain                                     Desired Target  % Achieved  Maturity Level  Achieved  Statements  % Achieved
Cyber Risk Management and Oversight        Intermediate    73.40%      Innovative      7         15          46.67%
                                                                       Advanced        11        32          34.38%
                                                                       Intermediate    9         29          31.03%
                                                                       Evolving        29        34          85.29%
                                                                       Baseline        31        31          100%
Threat Intelligence and Collaboration      Intermediate    100.00%     Innovative      4         8           50.00%
                                                                       Advanced        5         11          45.45%
                                                                       Intermediate    11        11          100%
                                                                       Evolving        7         7           100%
                                                                       Baseline        8         8           100%
Cyber Security Controls                    Intermediate    91.47%      Innovative      8         20          40.00%
                                                                       Advanced        16        25          64.00%
                                                                       Intermediate    32        39          82.05%
                                                                       Evolving        35        39          89.74%
                                                                       Baseline        51        51          100%
External Dependency Management             Intermediate    100.00%     Innovative      0         6           0.00%
                                                                       Advanced        3         7           42.86%
                                                                       Intermediate    9         9           100%
                                                                       Evolving        13        13          100%
                                                                       Baseline        16        16          100%
Cyber Incident Management and Resilience   Intermediate    100.00%     Innovative      6         10          60.00%
                                                                       Advanced        8         15          53.33%
                                                                       Intermediate    21        21          100%
                                                                       Evolving        20        20          100%
                                                                       Baseline        17        17          100%

Maturity Achieved Against Defined Targets: Status Quo 61.05%

Domain                                     Desired Target  % Achieved  Maturity Level  Achieved  Statements  % Achieved
Cyber Risk Management and Oversight        Innovative      47.52%      Innovative      1         15          6.67%
                                                                       Advanced        5         32          15.63%
                                                                       Intermediate    7         29          24.14%
                                                                       Evolving        23        34          67.65%
                                                                       Baseline        31        31          100.00%
Threat Intelligence and Collaboration      Innovative      55.56%      Innovative      0         8           0.00%
                                                                       Advanced        2         11          18.18%
                                                                       Intermediate    8         11          72.73%
                                                                       Evolving        7         7           100.00%
                                                                       Baseline        8         8           100.00%
Cyber Security Controls                    Innovative      63.79%      Innovative      2         20          10.00%
                                                                       Advanced        5         25          20.00%
                                                                       Intermediate    23        39          58.97%
                                                                       Evolving        30        39          76.92%
                                                                       Baseline        51        51          100.00%
External Dependency Management             Innovative      74.51%      Innovative      0         6           0.00%
                                                                       Advanced        3         7           42.86%
                                                                       Intermediate    6         9           66.67%
                                                                       Evolving        13        13          100.00%
                                                                       Baseline        16        16          100.00%
Cyber Incident Management and Resilience   Innovative      63.86%      Innovative      1         10          10.00%
                                                                       Advanced        3         15          20.00%
                                                                       Intermediate    15        21          71.43%
                                                                       Evolving        17        20          85.00%
                                                                       Baseline        17        17          100.00%

Maturity Achieved Against Innovative Targets with Proactive Security (w/ b9 + cb @ innovative): 77.65%

Domain                                     Desired Target  % Achieved  Maturity Level  Achieved  Statements  % Achieved
Cyber Risk Management and Oversight        Innovative      61.70%      Innovative      7         15          46.67%
                                                                       Advanced        11        32          34.38%
                                                                       Intermediate    9         29          31.03%
                                                                       Evolving        29        34          85.29%
                                                                       Baseline        31        31          100%
Threat Intelligence and Collaboration      Innovative      77.78%      Innovative      4         8           50.00%
                                                                       Advanced        5         11          45.45%
                                                                       Intermediate    11        11          100%
                                                                       Evolving        7         7           100%
                                                                       Baseline        8         8           100%
Cyber Security Controls                    Innovative      81.61%      Innovative      8         20          40.00%
                                                                       Advanced        16        25          64.00%
                                                                       Intermediate    32        39          82.05%
                                                                       Evolving        35        39          89.74%
                                                                       Baseline        51        51          100%
External Dependency Management             Innovative      80.39%      Innovative      0         6           0.00%
                                                                       Advanced        3         7           42.86%
                                                                       Intermediate    9         9           100%
                                                                       Evolving        13        13          100%
                                                                       Baseline        16        16          100%
Cyber Incident Management and Resilience   Innovative      86.75%      Innovative      6         10          60.00%
                                                                       Advanced        8         15          53.33%
                                                                       Intermediate    21        21          100%
                                                                       Evolving        20        20          100%
                                                                       Baseline        17        17          100%
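The roll-up behind the status-quo and proactive maturity tables above, as an added example (not the presenter's spreadsheet or an FFIEC tool): the method is inferred from the slide figures, where a domain's percentage is the achieved declarative statements divided by the total statements across every maturity level from Baseline up to and including the desired target, and the overall figure is the mean of the five domain percentages. The counts are transcribed from the slides; the function and dictionary names are this example's own.

```python
from statistics import mean

# Maturity levels in the order the CAT stacks them; a target of
# "Intermediate" counts Baseline, Evolving and Intermediate statements.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Counts transcribed from the slides: domain -> level -> (achieved, statements).
STATUS_QUO = {
    "Cyber Risk Management and Oversight": {
        "Baseline": (31, 31), "Evolving": (23, 34), "Intermediate": (7, 29),
        "Advanced": (5, 32), "Innovative": (1, 15)},
    "Threat Intelligence and Collaboration": {
        "Baseline": (8, 8), "Evolving": (7, 7), "Intermediate": (8, 11),
        "Advanced": (2, 11), "Innovative": (0, 8)},
    "Cyber Security Controls": {
        "Baseline": (51, 51), "Evolving": (30, 39), "Intermediate": (23, 39),
        "Advanced": (5, 25), "Innovative": (2, 20)},
    "External Dependency Management": {
        "Baseline": (16, 16), "Evolving": (13, 13), "Intermediate": (6, 9),
        "Advanced": (3, 7), "Innovative": (0, 6)},
    "Cyber Incident Management and Resilience": {
        "Baseline": (17, 17), "Evolving": (17, 20), "Intermediate": (15, 21),
        "Advanced": (3, 15), "Innovative": (1, 10)},
}
PROACTIVE = {
    "Cyber Risk Management and Oversight": {
        "Baseline": (31, 31), "Evolving": (29, 34), "Intermediate": (9, 29),
        "Advanced": (11, 32), "Innovative": (7, 15)},
    "Threat Intelligence and Collaboration": {
        "Baseline": (8, 8), "Evolving": (7, 7), "Intermediate": (11, 11),
        "Advanced": (5, 11), "Innovative": (4, 8)},
    "Cyber Security Controls": {
        "Baseline": (51, 51), "Evolving": (35, 39), "Intermediate": (32, 39),
        "Advanced": (16, 25), "Innovative": (8, 20)},
    "External Dependency Management": {
        "Baseline": (16, 16), "Evolving": (13, 13), "Intermediate": (9, 9),
        "Advanced": (3, 7), "Innovative": (0, 6)},
    "Cyber Incident Management and Resilience": {
        "Baseline": (17, 17), "Evolving": (20, 20), "Intermediate": (21, 21),
        "Advanced": (8, 15), "Innovative": (6, 10)},
}


def domain_pct(levels, target):
    """Cumulative share of statements met from Baseline through `target`."""
    if target not in LEVELS:
        raise ValueError(f"unknown maturity level: {target}")
    counted = LEVELS[: LEVELS.index(target) + 1]
    if any(levels[lvl][0] > levels[lvl][1] for lvl in counted):
        raise ValueError("achieved statements exceed total statements at a level")
    achieved = sum(levels[lvl][0] for lvl in counted)
    total = sum(levels[lvl][1] for lvl in counted)
    return 100.0 * achieved / total


def assess(domains, target):
    """Overall score (mean of the domain scores) and the per-domain breakdown."""
    per_domain = {name: domain_pct(lv, target) for name, lv in domains.items()}
    return mean(per_domain.values()), per_domain


if __name__ == "__main__":
    for label, data in (("status quo", STATUS_QUO), ("proactive", PROACTIVE)):
        for target in ("Intermediate", "Innovative"):
            overall, per_domain = assess(data, target)
            print(f"{label} @ {target}: {overall:.2f}%")
            for name, pct in per_domain.items():
                print(f"    {name}: {pct:.2f}%")
```

With identical counts, raising the target from Intermediate to Innovative drops the proactive score from 92.98% to 77.65%, because the Advanced and Innovative statements join the denominator.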

Key Considerations While Using the CAT: Being Innovative in Cybersecurity Maturity
- Real time detection and response
- Always be updating for changes
- Automatic metrics and reporting
- Threat analytics that matter
- Baseline risk measurement

How to use the CAT

Future of FFIEC

Present:
- Examiners have begun using the handbook
- Criticism from FIs of making a voluntary tool seem mandated
- They do not track the NIST Cybersecurity Framework
- Declarative statements that are subjective in nature

Future:
- FFIEC took in feedback as a response to the accusations this January
- The tool will be updated on a periodic basis
- Publications from the FFIEC and OCC were released stating the CAT could become mandatory if examiners do not see risk mitigation improvements from banks

Not just for Finance! Industries can use the tool to fit their inherent risk profile by changing the criteria to those that best fit them. For example, healthcare can tailor its inherent risk based on the nature of health services provided, the number of devices connected to the network (including medical devices), the number of sensitive patient files, and the number of medical service locations, as a start. The same goes for the cybersecurity maturity assessment questionnaire: you can tailor the questionnaire using the controls from HIPAA, PCI, NIST, and any other standard that pertains to your industry.

Questions?