Lecture Materials
MANAGING SECURITY RISK IN BANKING
Kevin Streff, Professor of Cybersecurity, Dakota State University, kevin.streff@dsu.edu, 605-270-0790
& Founder, SBS Cybersecurity, LLC, Kevin.streff@sbscyber.com, 605-270-0790
August 9-11, 2017

IT Risk Assessment
2017 Graduate School of Banking at University of Wisconsin
Dr. Kevin Streff, Founder: SBS Cybersecurity, LLC, www.sbscyber.com
Goals
Understand the top risk assessment issues that cause problems and inefficiencies
Learn to expand and mature risk assessment programs:
  IT risk assessment
  Corporate account assessments (CATO)
  Enterprise Risk Management
  BSA Risk Management
Watch how leading tools enable quicker and better risk assessment
Review risk assessment best practices
Regulator Requirements: Gramm Leach Bliley Act
The Gramm Leach Bliley Act requires you to develop and implement an Information Security Program and conduct Risk Assessments: a comprehensive written information security program which defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a bank's operations and the nature and scope of its activities.
Prior to implementing an information security program, a bank must first conduct a risk assessment which entails:
Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems.
Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the member information.
Assessment of the sufficiency of the policies, procedures and member information systems in place to control the identified risks.
Gramm Leach Bliley Act
Management must develop a written information security program
What is the M in the CAMELS rating?
Don't just do good security things, have a well managed program
Don't rely on individual heroism, have a well managed program
The Information Security Program is the way management demonstrates to regulators that information security is being managed at the financial institution
Gramm Leach Bliley Act
The Gramm Leach Bliley Act requires your financial institution to develop and implement 1) an Information Security Program and 2) Risk Assessments
Information Security Program: defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a financial institution's operations and the nature and scope of its activities.
Risk Assessment Program: prior to implementing an information security program, a financial institution must first conduct a risk assessment
Layered Information Security Program
I.T. Risk Assessment
Asset Management
Vendor Management
Penetration Testing
Vulnerability Assessment
Security Awareness
Business Continuity
Incident Response
I.T. Audit
Documentation
Boards & Committees

2016 Secure Banking Solutions, LLC
Question: What is the OUTCOME of good IT risk assessment?

Exercise 1: Allocating Resources
Exercise 1
Your bank has $25,000 of additional spending to put towards security in 2017. You were just provided the chart. How would you allocate the $25,000?
Maturing Your Risk Assessment
Bank: Internal & External; System & Organizational
Third Party: Vendors; Business Partners; Downstream Partners
Commercial: Merchant; Correspondent Banking; ACH Origination
Enterprise Risk
Bank Secrecy Act
Cyber Risk
Capability Maturity Model
Level 0, Initial: any sort of process at all
Level 1, Repeatable: processes are documented and practiced
Level 2, Defined: processes are consistent and known within the organization
Level 3, Quantitatively Managed: processes are measured quantitatively and evaluated
Level 4, Optimized: processes continually improve with new technologies or methods
Chart: Level of Assessment (CMM Levels 0-4) against Level of Risk (Low, Medium, High), with goal markers for Bank Threats, 3rd Party Threats and Commercial Threats.
Bank Assessments

What is IT Risk Assessment?
The evaluation of the risks to information resources to determine adequacy of current controls so that management can allocate resources (Streff, 2017)

Exercise 2: Reviewing a Risk Assessment
Traditional IT Risk Assessment Process
View Core Processor example in attached spreadsheet
Asset: Core Processor (Asset Value: High)

Threat | Likelihood | Impact | Controls | Overall Risk Rating
Unauthorized User Access | High | High | Password Controls, Physical Access, End-User Responsibilities, Access Controls, Insurance | High
Unauthorized Physical Access | Low | Medium | Motion Sensors and Alarm System, Security Cameras, Control Authorized Use, Hardware Security, Physical Security | Medium
Unauthorized Viewing | Medium | Medium | Screen Savers, Privacy Screens | Medium
Electrical Anomalies | Medium | High | Electrical Services, Contingency Plan, Physical Security | High
Hardware Failure | Medium | High | Data Integrity, Bank Processing Hardware, EDP Contingency Procedures | High
Software Failure | Medium | High | Data and Software Availability, Bank Processing Software, Incident Response Plan, Host Processing Systems, Software Security | Medium
Media Failure | Medium | Low | Data Integrity, Disaster Recovery, Data and Software Availability | Low
Communications Failure | Low | Medium | Telecommunications Services | Low
Natural Disaster | Low | High | Contingency and Business Resumption Plan, Data Integrity, Incident Response Plan, Insurance | Medium
Other Disasters | Low | High | Contingency and Business Resumption Plan, Data Integrity, Fire Control, Incident Response Plan, Insurance | Medium
Malicious Software | Low | Medium | Anti-Virus/Malware Software Protection | Medium
User Error | Medium | Low | Dual Control Procedures | Low
Accidental Disclosure, Social Engineering | Medium | Medium | Dial-up Access, Encryption, Information Requests, File Transfers | Medium
Fraudulent Transactions | Medium | High | Separation of Duties, System Activity Logs | Medium
Maintenance Error | Medium | Low | Modifications, Modification Procedures, Software Change Control, Host Processing Systems | Low
Improper Use | Medium | Medium | System Activity Logs, Modifications, Dual Control Procedures, Acceptable Use | Medium
Exercise 2 Instructions
What do you agree with?
What do you disagree with?
What story is this risk assessment telling?
How would the bank allocate resources if you provided them with this assessment?
Risk Assessment is: a process; a management process; a management process to identify, measure, mitigate and monitor risk in order to allocate resources
5 Step IT Risk Assessment Process (cycle)
Step 0: Inventory
Step 1: Risk Identification
Step 2: Risk Measurement (Inherent Risk)
Step 3: Risk Mitigation
Step 4: Risk Monitoring (Residual Risk)
5 Step IT Risk Assessment Process
Step 1 - Inventory: Identify all assets, vendors and service providers
Step 2 - Develop Priorities: Protection Profile (CIAV)
Step 3 - Identify Threats: What are the threats to each asset (including impact and probability of each threat)? (Inherent Risk)
Step 4 - System Controls: What system safeguards does the bank want to implement? (Residual Risk)
Step 5 - Demonstrate Compliance: Reporting; improve the process; document residual risk
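The five steps above, and the Exercise 2 core-processor table, can be walked through end to end in a few dozen lines. The following is an added example, not the lecture's spreadsheet or any SBS product logic. Everything numeric in it is an assumption: the three-level scale is scored Low=1, Medium=2, High=3; inherent risk is likelihood times impact; each control carries a constructed effectiveness between 0 and 1; independent controls combine as 1 - prod(1 - s); and CIAV is read as Confidentiality, Integrity, Availability, Volume (the slide gives only the acronym). The four threat rows are taken from the table, with their likelihood, impact and a subset of their controls.

```python
"""Step 1-5 IT risk assessment for the core-processor asset from the Exercise 2 table.

Added example; the scoring scheme and every control strength are constructed
assumptions, not the lecture's spreadsheet formulas.
"""
from dataclasses import dataclass, field
from math import prod

RATING = {"Low": 1, "Medium": 2, "High": 3}

# Assumed (constructed) effectiveness of the controls named on the slide.
# A control missing from this table earns no credit, which surfaces undocumented
# controls in the report instead of silently lowering residual risk.
CONTROL_STRENGTH = {
    "Password Controls": 0.3, "Access Controls": 0.3, "Physical Access": 0.2,
    "Screen Savers": 0.3, "Privacy Screens": 0.2,
    "Telecommunications Services": 0.3,
    "Separation of Duties": 0.3, "System Activity Logs": 0.2,
}


@dataclass
class Threat:
    name: str
    likelihood: str                      # Low / Medium / High
    impact: str                          # Low / Medium / High
    controls: list = field(default_factory=list)


@dataclass
class Asset:
    name: str
    profile: dict                        # Step 2 protection profile: CIAV dimension -> rating
    threats: list = field(default_factory=list)


def score_to_rating(score: float) -> str:
    """Fold a 1..9 score back onto the slide's three-level scale."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def asset_value(asset: Asset) -> str:
    """Step 2: value the asset by its most sensitive CIAV dimension (assumption)."""
    return max(asset.profile.values(), key=RATING.__getitem__)


def inherent_score(threat: Threat) -> int:
    """Step 3: inherent risk before any control is credited."""
    return RATING[threat.likelihood] * RATING[threat.impact]


def residual_score(threat: Threat) -> float:
    """Step 4: the share of inherent risk that survives the listed controls."""
    untreated = prod(1 - CONTROL_STRENGTH.get(c, 0.0) for c in threat.controls)
    return inherent_score(threat) * untreated


def assess(asset: Asset) -> list:
    """Step 5: one report row per threat, highest residual risk first, so the
    ordering itself answers 'where does the next dollar go?'."""
    rows = []
    for t in asset.threats:
        rows.append({
            "asset": asset.name, "asset_value": asset_value(asset), "threat": t.name,
            "inherent": score_to_rating(inherent_score(t)),
            "residual_score": round(residual_score(t), 2),
            "residual": score_to_rating(residual_score(t)),
            "uncredited_controls": [c for c in t.controls if c not in CONTROL_STRENGTH],
        })
    return sorted(rows, key=lambda r: r["residual_score"], reverse=True)


# Step 1 inventory: one asset, with four threat rows taken from the slide table.
CORE_PROCESSOR = Asset(
    "Core Processor",
    {"Confidentiality": "High", "Integrity": "High", "Availability": "High", "Volume": "High"},
    [
        Threat("Unauthorized User Access", "High", "High",
               ["Password Controls", "Physical Access", "Access Controls"]),
        Threat("Fraudulent Transactions", "Medium", "High",
               ["Separation of Duties", "System Activity Logs"]),
        Threat("Unauthorized Viewing", "Medium", "Medium", ["Screen Savers", "Privacy Screens"]),
        Threat("Communications Failure", "Low", "Medium", ["Telecommunications Services"]),
    ],
)

if __name__ == "__main__":
    for row in assess(CORE_PROCESSOR):
        print(f"{row['threat']:<26} inherent={row['inherent']:<6} "
              f"residual={row['residual']:<6} ({row['residual_score']})")
```

The report keeps the numeric residual score alongside the Low/Medium/High label because two threats can share a label and still differ in where they sit inside it; that difference is what the $25,000 allocation exercise turns on. Replacing the constructed strengths with the bank's own judgement of each control is the point of the exercise, not a detail.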
IT Risk Management Tools
Efficiency
Repeatability
Quality
Automate processes
Examiners like them
BOTTOM LINE #1: Act as your security expert
BOTTOM LINE #2: Allow the bank to spend time examining information and making decisions (not compiling a risk assessment spreadsheet)
Top Risk Assessment Products
Archer, www.archer-tech.com, Kansas
bsecure, www.brintech.com, Texas
CoNetrix, www.conetrix.com, Texas
Modulo, www.modulo.com, Seattle
Riskkey, www.riskkey.com, Texas
RiskWatch, www.riskwatch.com, Maryland
Scout, www.locknet-inc.com, Wisconsin
TRAC, www.tracadvantage.com, South Dakota
WolfPAC, www.wolfandco.com, Maryland
IT Assets
Protection Profile
Threats
Controls
Protection Profile Report
Risk Appetite
The more important the asset, the more you want to reduce its risk. Acceptable levels of risk are identified and measured against.
Commercial Account Assessments: Commercial Banking Fraud
Commercial Account Takeover
Cyber criminals are targeting commercial accounts
Business/Commercial accounts do not have the same legal protections afforded to consumer accounts (Reg E)
Schumer bill introduced in 2012 to extend Reg E to schools and municipalities
Commercial Banking Fraud
January 22, 2009: Experi-Metal Inc. (Sterling Heights, MI) sues Comerica Bank ($60M) (Dallas, TX)
An EMI employee opened and clicked on links within a phishing email
$1.9M stolen; $560,000 was not recoverable
47 wires in one day to foreign and domestic accounts to which EMI had never wired before
Ruling: Bank failed to detect the fraud and must pay Experi-Metal $560,000 in losses.
Small Business Security
70% lack basic security controls
Get to the basics with each small business
Conduct a risk assessment looking for these basic security controls: firewall, strong passwords, malware protection, etc.
Finger Pointing and ACH Risk

Mitigating ACH Fraud in Community Banks
Layered Information Security Program
Enhanced Focus on Security Awareness
Risk Assess Corporate Account Portfolio and Take Action
Commercial Account Takeover: FFIEC Guidance
FFIEC's Interagency Supplement to Authentication in an Internet Banking Environment states the following activities to mitigate commercial account takeover:
Risk assess to better understand and respond to emerging threats.
Increased multi-factor authentication.
Layered security controls.
Improved device identification and protection.
Improved customer and employee fraud awareness.
CSBS CATO Guidance

Bottom Line: Need to develop a way for your bank to assess the risk of commercial accounts
ACH Regulatory Compliance
REGULATION: the Board of Directors at the bank is responsible to:
  Reduce/Control ACH Fraud
  Meet FFIEC Guidance
  Meet CSBS Guidance
ACTIONS
  Controls at the Bank: corporate account security is part of your layered security program; minimum list of 9 security controls in the FFIEC supplement
  Controls at the Business: CATO Risk Assessment; list of controls in the CSBS guidance; Customer Education; Contracts/Documentation
Controls at Your Bank
Effective controls that may be incorporated in a layered security program include, but are not limited to:
Fraud monitoring and detection
Dual authorization
Out-of-band transaction verification
Positive pay
Account activity controls or limits on value, volume, timeframes, and payment recipients
IP reputation-based blocking tools
Policies and procedures for addressing potentially infected customer devices
Enhanced control over account maintenance
Enhanced customer education

How do You Assess Merchant Risk?
5 Step IT Risk Assessment Process (cycle)
Step 0: Inventory
Step 1: Risk Identification
Step 2: Risk Measurement (Inherent Risk)
Step 3: Risk Mitigation
Step 4: Risk Monitoring (Residual Risk)
Assessment Results

Track Progress
Easily create a campaign
SBS CyberSecurity, LLC www.sbscyber.com Consulting, Network, Security

Choose from a huge library of phishing templates

Realistic Templates

Educate them WHEN they click

Other Phishing Tools
Wombat
PhishMe
QuickPhish
Tandem Phishing
Most of these tools offer a free trial
Enterprise Risk Management

Enterprise Risk Management (ERM)
ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (FDIC Internal ERM Program and COSO)
ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity's risk management in a changing operating environment. (Protiviti consulting firm)
Business Processes
Administrative
Affiliate
Back Office
Customer Service
Finance
Lending
Marketing
Regulatory
Retail (Deposits)
Information Technology

Threat Areas
Operational
Reputational
Compliance
Financial
Strategic
Categories commonly used in FFIEC booklets.
ERM Risk Mitigation Goals

ERM Protection Profile

ERM Threats

ERM Controls

ERM Reporting

Report Risk Mitigation

Report Threat Source

Report Peer Comparison

Bank Secrecy Act Assessments
Bank Secrecy Act (BSA)
The Currency and Foreign Transactions Reporting Act of 1970 (whose legislative framework is commonly referred to as the Bank Secrecy Act or BSA) requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an anti-money laundering law (AML) or jointly as BSA/AML. Several AML acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC 5311-5330 and 31 CFR Chapter X [formerly 31 CFR Part 103].)
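The reporting rule in the passage (cash transactions exceeding $10,000, aggregated per day) is concrete enough to run. The following is an added example, not FinCEN's or any vendor's logic: it implements only the rule as the slide states it, treats aggregation per customer, per business day and per direction (cash in versus cash out) as an assumption, and uses constructed transactions. The point it makes that the sentence alone does not is that the trigger is the day's aggregate, so no single transaction has to cross the line, and that exactly $10,000 does not exceed it.

```python
"""Daily cash aggregation for the BSA currency transaction reporting rule on the slide.

Added example; aggregation keys and sample transactions are constructed assumptions.
"""
from collections import defaultdict

CTR_THRESHOLD = 10_000          # report when the daily aggregate exceeds this amount
CASH_KINDS = {"cash_in", "cash_out"}

# Constructed sample: (customer_id, business_day, kind, amount_usd)
TRANSACTIONS = [
    ("C001", "2017-08-09", "cash_in", 6_000),
    ("C001", "2017-08-09", "cash_in", 4_500),    # same day, same direction: 10,500
    ("C001", "2017-08-09", "cash_out", 3_000),   # other direction is aggregated separately
    ("C002", "2017-08-09", "cash_out", 10_000),  # exactly 10,000 does not exceed
    ("C003", "2017-08-09", "cash_in", 7_000),
    ("C003", "2017-08-10", "cash_in", 7_000),    # different business days are separate totals
    ("C004", "2017-08-10", "wire_in", 50_000),   # not currency: outside this rule
]


def daily_cash_totals(txns):
    """Aggregate currency amounts per (customer, business day, direction)."""
    totals = defaultdict(int)
    for customer, day, kind, amount in txns:
        if kind in CASH_KINDS:
            totals[(customer, day, kind)] += amount
    return dict(totals)


def ctr_required(txns):
    """(customer, day, direction, total) tuples whose daily aggregate exceeds the threshold."""
    return sorted(key + (total,) for key, total in daily_cash_totals(txns).items()
                  if total > CTR_THRESHOLD)


if __name__ == "__main__":
    for customer, day, kind, total in ctr_required(TRANSACTIONS):
        print(f"CTR required: {customer} {day} {kind} total={total:,}")
```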
BSA Program Components
Program is driven by a risk assessment.
A system of internal controls to ensure ongoing compliance.
Independent testing of BSA compliance.
A specifically designated person or persons responsible for managing BSA compliance (BSA compliance officer).
Training for appropriate personnel.
http://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_008.htm
Risk Driven BSA Program

BSA Account Types

BSA Risk Areas

BSA Controls

BSA Reports

Report Account Risk

Cyber Security Assessment
www.protectmybank.com 2015 Secure Banking
FFIEC CA Tool (3 parts)
Three (3) major components:
1. Rating your Inherent Risk for cybersecurity threats based on your size and complexity
2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different cybersecurity threats
3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity.

Cybersecurity Inherent Risk
Very PRESCRIPTIVE
Really getting to the Size and Complexity issue originally stated by GLBA
Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new cybersecurity threats

Cybersecurity Inherent Risk
Five Inherent Risk Areas:
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats
Cybersecurity Maturity
Measure Maturity in 5 Domains (+ Assessment Factors):
1. Cyber Risk Management and Oversight: Governance, Risk Management, Resources, and Training
2. Threat Intelligence and Collaboration: Threat Intelligence, Monitoring & Analyzing, and Info Sharing
3. Cybersecurity Controls: Preventative, Detective, and Corrective controls
4. External Dependency Management: External Connections and (Vendor) Relationship Management
5. Cyber Incident Management and Resilience: Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting

What is Cybersecurity Maturity?
Determining whether an institution's behaviors, practices, and processes can support cybersecurity preparedness
I.e. are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents?

Determining Maturity Level
Within each component, declarative statements describe activities supporting the assessment factor at each maturity level
All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain's maturity level
What this actually means: identify the controls you have in place, starting with baseline controls and escalating up, in order to determine maturity levels
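The maturity rule just stated (every declarative statement at a level, and at every level below it, must be attained) and the third CAT component above (relating inherent risk to maturity) both reduce to short functions. What follows is an added example, not the FFIEC's tool or SBS's product. The five maturity levels (Baseline, Evolving, Intermediate, Advanced, Innovative) and five inherent-risk levels (Least, Minimal, Moderate, Significant, Most) are the CAT's own; every declarative statement below is a constructed paraphrase, the roll-up of five category ratings into one inherent-risk profile is an assumption, and the one-to-one mapping from inherent risk to a target maturity level is a simplification (the CAT expects maturity to rise with inherent risk but does not fix a single target). The constructed data deliberately includes a domain where higher-level statements are met while one lower-level statement is not, which is the case the rule exists for.

```python
"""FFIEC CAT style roll-up: domain maturity, inherent risk profile, and the gap between them.

Added example; statements, ratings and the target mapping are constructed assumptions.
"""
from collections import Counter

MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
INHERENT_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
TARGET_MATURITY = dict(zip(INHERENT_LEVELS, MATURITY_LEVELS))   # assumption, see lead-in


def domain_maturity(statements):
    """Highest level at which every declarative statement, and every statement at
    each lower level, is attained. One unmet statement caps the domain below that
    level regardless of how many higher-level statements are met."""
    achieved = "Below Baseline"
    for level in MATURITY_LEVELS:
        at_level = [attained for lvl, _text, attained in statements if lvl == level]
        if not at_level or not all(at_level):
            break
        achieved = level
    return achieved


def overall_inherent_risk(category_ratings):
    """Most frequent rating across the five inherent-risk categories; ties resolve
    to the higher level (assumption: the CAT leaves the roll-up to judgement)."""
    counts = Counter(category_ratings.values())
    return max(counts, key=lambda lvl: (counts[lvl], INHERENT_LEVELS.index(lvl)))


def maturity_gaps(domain_statements, category_ratings):
    """Domains whose maturity sits below the target implied by inherent risk."""
    target = TARGET_MATURITY[overall_inherent_risk(category_ratings)]
    target_rank = MATURITY_LEVELS.index(target)
    gaps = {}
    for domain, stmts in domain_statements.items():
        level = domain_maturity(stmts)
        rank = MATURITY_LEVELS.index(level) if level in MATURITY_LEVELS else -1
        if rank < target_rank:
            gaps[domain] = (level, target)
    return gaps


# Constructed inherent-risk answers for the five categories on the slide.
INHERENT_PROFILE = {
    "Technologies and Connection Types": "Moderate",
    "Delivery Channels": "Moderate",
    "Online/Mobile Products and Technology Services": "Significant",
    "Organizational Characteristics": "Minimal",
    "External Threats": "Moderate",
}

# Constructed (level, statement, attained) tuples for the five domains on the slide.
DOMAIN_STATEMENTS = {
    "Cyber Risk Management and Oversight": [
        ("Baseline", "board approves the information security program", True),
        ("Evolving", "risk appetite for cyber is documented", True),
        ("Intermediate", "cyber metrics are reported to the board quarterly", True),
    ],
    "Threat Intelligence and Collaboration": [
        ("Baseline", "threat alerts from a sharing body are received", True),
        ("Evolving", "alerts are triaged against the bank's own assets", False),   # the gap
        ("Intermediate", "intelligence feeds are automated into monitoring", True),  # no credit
    ],
    "Cybersecurity Controls": [
        ("Baseline", "anti-malware is deployed on all endpoints", True),
        ("Baseline", "patches are applied within a defined window", False),
        ("Evolving", "privileged access is reviewed quarterly", True),
    ],
    "External Dependency Management": [
        ("Baseline", "critical vendors are inventoried", True),
        ("Evolving", "vendor contracts require breach notification", True),
        ("Intermediate", "vendor connections are monitored continuously", False),
    ],
    "Cyber Incident Management and Resilience": [
        ("Baseline", "an incident response plan exists", True),
        ("Evolving", "the plan is tested annually", True),
        ("Intermediate", "lessons learned feed back into the plan", True),
        ("Advanced", "response playbooks are automated for common incidents", True),
    ],
}

if __name__ == "__main__":
    print("overall inherent risk:", overall_inherent_risk(INHERENT_PROFILE))
    for domain, stmts in DOMAIN_STATEMENTS.items():
        print(f"{domain:<45} {domain_maturity(stmts)}")
    print("gaps:", maturity_gaps(DOMAIN_STATEMENTS, INHERENT_PROFILE))
```

Threat Intelligence and Collaboration is the instructive row: its Intermediate statement is attained, yet the domain scores Baseline because one Evolving statement is not, which is exactly why the slide says to start with baseline controls and escalate up rather than counting controls wherever they fall.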
Increasing Maturity
Risk Assessment Best Practices
Determine which kind of assessment is the most important for your bank and invest accordingly
Mature your program
Have repeatable processes for each kind of assessment
Assign an owner for each kind of assessment
Create a policy and program for each kind of assessment
Leverage tools to promote consistency and good decision making
Don't use the manual spreadsheet technique!
Produce your documentation along the way
Ensure management/board involvement
Review of Goals
Understand IT risk assessment law and regulation
Understand the top risk assessment issues that cause problems and inefficiencies
Learn how to expand and mature:
  IT risk assessment
  Corporate account assessments (CATO)
  Enterprise Risk Management
  BSA Risk Management
Review effective risk assessment policy
Watch how leading tools enable quicker and better risk assessment
Review risk assessment best practices
Big 5: Tools, KnowBe4, repeatable processes, policies, schedules

Risk Assessment Schedule

Dr. Kevin Streff
Professor of Cybersecurity at Dakota State University, Kevin.streff@dsu.edu, (605) 270-0790
Founder: SBS Cybersecurity, LLC, www.sbscyber.com, Kevin.streff@sbscyber.com, (605) 270-0790