Lecture Materials MANAGING SECURITY RISK IN BANKING


Lecture Materials MANAGING SECURITY RISK IN BANKING Kevin Streff Professor of Cybersecurity Dakota State University kevin.streff@dsu.edu 605-270-0790 & Founder SBS Cybersecurity, LLC Kevin.streff@sbscyber.com 605-270-0790 August 9-11, 2017

IT Risk Assessment
2017 Graduate School of Banking at University of Wisconsin
Dr. Kevin Streff, Founder: SBS Cybersecurity, LLC, www.sbscyber.com

Goals
- Understand the top risk assessment issues that cause problems and inefficiencies
- Learn to expand and mature risk assessment programs: IT risk assessment; Corporate account assessments (CATO); Enterprise Risk Management; BSA Risk Management
- Watch how leading tools enable quicker and better risk assessment
- Review risk assessment best practices

Regulator Requirements: Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act requires you to develop and implement an Information Security Program and to conduct Risk Assessments.
A comprehensive written information security program defines the administrative, technical, and physical safeguards that are appropriate given the size and complexity of a bank's operations and the nature and scope of its activities.
Prior to implementing an information security program, a bank must first conduct a risk assessment, which entails:
- Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems.
- Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the member information.
- Assessment of the sufficiency of the policies, procedures and member information systems in place to control the identified risks.

Gramm-Leach-Bliley Act
Management must develop a written information security program. What is the M in the CAMELS rating?
Don't just do good security things; have a well-managed program. Don't rely on individual heroism; have a well-managed program.
The Information Security Program is the way management demonstrates to regulators that information security is being managed at the financial institution.

Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act requires your financial institution to develop and implement 1) an Information Security Program and 2) Risk Assessments.
- Information Security Program: defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a financial institution's operations and the nature and scope of its activities.
- Risk Assessment Program: prior to implementing an information security program, a financial institution must first conduct a risk assessment.

Layered Information Security Program: I.T. Risk Assessment; Asset Management; Vendor Management; Penetration Testing; Vulnerability Assessment; Security Awareness; Business Continuity; Incident Response; I.T. Audit; Documentation; Boards & Committees


Question: What is the OUTCOME of good IT risk assessment?

Exercise 1: Allocating Resources


Exercise 1: Your bank has $25,000 of additional spending to put towards security in 2017. You were just provided the chart. How would you allocate the $25,000?

Maturing Your Risk Assessment
- Bank: Internal & External; System & Organizational
- Third Party: Vendors; Business Partners; Downstream Partners
- Commercial: Merchant; Correspondent Banking; ACH Origination
- Enterprise Risk
- Bank Secrecy Act
- Cyber Risk

Capability Maturity Model
- Level 0 Initial: any sort of process at all
- Level 1 Repeatable: processes are documented and practiced
- Level 2 Defined: processes are consistent and known within the organization
- Level 3 Quantitatively Managed: processes are measured quantitatively and evaluated
- Level 4 Optimized: processes continually improve with new technologies or methods

[Chart: Level of Assessment (CMM Levels 0-4) plotted against Level of Risk (Low, Medium, High), with assessment goals marked for Bank Threats, 3rd Party Threats and Commercial Threats]

Bank Assessments

What is IT Risk Assessment? "The evaluation of the risks to information resources to determine adequacy of current controls so that management can allocate resources" (Streff, 2017)

Exercise 2: Reviewing a Risk Assessment

Traditional IT Risk Assessment Process View (Core Processor example in attached spreadsheet)
Asset: Core Processor | Value: High

Threat | Likelihood | Impact | Controls
Unauthorized User Access | High | High | Password Controls; Physical Access; End-User Responsibilities; Access Controls; Insurance
Unauthorized Physical Access | Low | Medium | Motion Sensors and Alarm System; Security Cameras; Control Authorized Use; Hardware Security; Physical Security
Unauthorized Viewing | Medium | Medium | Screen Savers; Privacy Screens
Electrical Anomalies | Medium | High | Electrical Services; Contingency Plan; Physical Security
Hardware Failure | Medium | High | Data Integrity; Bank Processing Hardware; EDP Contingency Procedures
Software Failure | Medium | High | Data and Software Availability; Bank Processing Software; Incident Response Plan; Host Processing Systems; Software Security
Media Failure | Medium | Low | Data Integrity; Disaster Recovery; Data and Software Availability
Communications Failure | Low | Medium | Telecommunications Services
Overall Risk Rating column (values as listed on the slide): Low, High, Medium, Medium, High, High, Medium, Low

Threat | Likelihood | Impact | Controls
Natural Disaster | Low | High | Contingency and Business Resumption Plan; Data Integrity; Incident Response Plan; Insurance
Other Disasters | Low | High | Contingency and Business Resumption Plan; Data Integrity; Fire Control; Incident Response Plan; Insurance
Malicious Software | Low | Medium | Anti-Virus/Malware Software Protection
User Error | Medium | Low | Dual Control Procedures
Accidental Disclosure, Social Engineering | Medium | Medium | Dial-up Access; Encryption; Information Requests; File Transfers
Fraudulent Transactions | Medium | High | Separation of Duties; System Activity Logs
Maintenance Error | Medium | Low | Modification Procedures; Software Change Control; Host Processing Systems Modifications
Improper Use | Medium | Medium | System Activity Logs; Modifications; Dual Control Procedures; Acceptable Use
Overall Risk Rating column (values as listed on the slide): Medium, Medium, Medium, Low, Medium, Medium, Low, Medium

Exercise 2 Instructions
- What do you agree with?
- What do you disagree with?
- What story is this risk assessment telling?
- How would the bank allocate resources if you provided them with this assessment?

Risk Assessment is:
A process
A management process
A management process to identify
A management process to identify, measure
A management process to identify, measure, mitigate
A management process to identify, measure, mitigate and monitor
A management process to identify, measure, mitigate and monitor to allocate resources

5 Step IT Risk Assessment Process (cycle)
- Step 0 Inventory
- Step 1 Risk Identification
- Step 2 Risk Measurement (Inherent Risk)
- Step 3 Risk Mitigation (Residual Risk)
- Step 4 Risk Monitoring

5 Step IT Risk Assessment Process
- Step 1 - Inventory: identify all assets, vendors and service providers
- Step 2 - Develop Priorities: Protection Profile (CIAV)
- Step 3 - Identify Threats: what are the threats to each asset (including impact and probability of each threat)? Inherent Risk
- Step 4 - System Controls: what system safeguards does the bank want to implement? Residual Risk
- Step 5 - Demonstrate Compliance: reporting; improve the process; document residual risk

IT Risk Management Tools: efficiency, repeatability, quality; automate processes; examiners like them.
BOTTOM LINE #1: Act as your security expert.
BOTTOM LINE #2: Allow the bank to spend time examining information and making decisions (not compiling a risk assessment spreadsheet).

Top Risk Assessment Products
- Archer, www.archer-tech.com, Kansas
- bsecure, www.brintech.com, Texas
- CoNetrix, www.conetrix.com, Texas
- Modulo, www.modulo.com, Seattle
- Riskkey, www.riskkey.com, Texas
- RiskWatch, www.riskwatch.com, Maryland
- Scout, www.locknet-inc.com, Wisconsin
- TRAC, www.tracadvantage.com, South Dakota
- WolfPAC, www.wolfandco.com, Maryland

IT Assets

Protection Profile

Threats

Controls

Protection Profile Report

Risk Appetite: the more important the asset, the more you want to reduce its risk. Acceptable levels of risk are identified and measured against.

Commercial Account Assessments: Commercial Banking Fraud

Commercial Account Takeover
- Cyber criminals are targeting commercial accounts
- Business/Commercial accounts do not have the same legal protections afforded to consumer accounts (Reg E)
- Schumer Bill introduced in 2012 relating to Reg E
- Schools and Municipalities

Commercial Banking Fraud, January 22, 2009: Experi-Metal Inc. (EMI), Sterling Heights, MI, sues Comerica Bank ($60M), Dallas, TX.
- An EMI employee opened and clicked on links within a phishing email
- $1.9M stolen, of which $560,000 was not recoverable
- 47 wires in one day to foreign and domestic accounts which EMI had never wired to before
- Ruling: the bank failed to detect the fraud and must pay Experi-Metal $560,000 in losses

Small Business Security: 70% lack basic security controls. Get to the basics with each small business: conduct a risk assessment looking for these basic security controls (firewall, strong passwords, malware protection, etc.).


Finger Pointing and ACH Risk

Mitigating ACH Fraud in Community Banks: Layered Information Security Program; Enhanced Focus on Security Awareness; Risk Assess Corporate Account Portfolio and Take Action

Commercial Account Takeover FFIEC Guidance
The FFIEC's Interagency Supplement to Authentication in an Internet Banking Environment lists the following activities to mitigate commercial account takeover:
- Risk assess to better understand and respond to emerging threats
- Increased multi-factor authentication
- Layered security controls
- Improved device identification and protection
- Improved customer and employee fraud awareness
See also the CSBS CATO Guidance.

Bottom Line: you need to develop a way for your bank to assess the risk of commercial accounts.

ACH Regulatory Compliance
Regulation: the Board of Directors at the bank is responsible to reduce/control ACH fraud, meet FFIEC guidance, and meet CSBS guidance.
Actions:
- Controls at the Bank: corporate account security is part of your layered security program; minimum list of 9 security controls in the FFIEC supplement
- Controls at the Business: CATO Risk Assessment; list of controls in the CSBS guidance
- Customer Education
- Contracts/Documentation

Controls at Your Bank: effective controls that may be incorporated in a layered security program include, but are not limited to:
- Fraud monitoring and detection
- Dual authorization
- Out-of-band transaction verification
- Positive pay
- Account activity controls or limits on value, volume, timeframes, and payment recipients
- IP reputation-based blocking tools
- Policies and procedures for addressing potentially infected customer devices
- Enhanced control over account maintenance
- Enhanced customer education

How do You Assess Merchant Risk?


Assessment Results

Track Progress

Easily create a campaign
SBS CyberSecurity, LLC www.sbscyber.com Consulting Network Security

Choose from a huge library of phishing templates

Realistic templates

Educate them WHEN they click

Other Phishing Tools: Wombat; PhishMe; QuickPhish; Tandem Phishing. Most of these tools offer a free trial.

Enterprise Risk Management

Enterprise Risk Management (ERM)
"ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (FDIC Internal ERM Program and COSO)
"ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity's risk management in a changing operating environment." (Protiviti consulting firm)

Business Processes: Administrative; Affiliate; Back Office; Customer Service; Finance; Lending; Marketing; Regulatory; Retail (Deposits); Information Technology

Threat Areas: Operational; Reputational; Compliance; Financial; Strategic. These are the categories commonly used in FFIEC booklets.

ERM Risk Mitigation Goals

ERM Protection Profile

ERM Threats

ERM Controls

ERM Reporting

Report: Risk Mitigation

Report: Threat Source

Report: Peer Comparison

Bank Secrecy Act Assessments

Bank Secrecy Act (BSA)
The Currency and Foreign Transactions Reporting Act of 1970 (the legislative framework commonly referred to as the Bank Secrecy Act or "BSA") requires U.S. financial institutions to assist U.S. government agencies in detecting and preventing money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, to file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an anti-money laundering law ("AML") or jointly as BSA/AML. Several AML acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC 5311-5330 and 31 CFR Chapter X [formerly 31 CFR Part 103].)

BSA Program Components
- The program is driven by a risk assessment
- A system of internal controls to ensure ongoing compliance
- Independent testing of BSA compliance
- A specifically designated person or persons responsible for managing BSA compliance (BSA compliance officer)
- Training for appropriate personnel
http://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_008.htm

Risk Driven BSA Program

BSA Account Types

BSA Risk Areas

BSA Controls

BSA Reports

Report: Account Risk

Cyber Security Assessment
www.protectmybank.com 2015 Secure Banking

FFIEC CA Tool (3 parts): three (3) major components
1. Rating your Inherent Risk for cybersecurity threats based on your size and complexity
2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different cybersecurity threats
3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity

Cybersecurity Inherent Risk: very PRESCRIPTIVE. It really gets to the "size and complexity" issue originally stated by GLBA, and allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new cybersecurity threats.

Cybersecurity Inherent Risk: five Inherent Risk Areas
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats

Cybersecurity Maturity: measure maturity in 5 Domains (+ Assessment Factors)
1. Cyber Risk Management and Oversight: Governance, Risk Management, Resources, and Training
2. Threat Intelligence and Collaboration: Threat Intelligence, Monitoring & Analyzing, and Info Sharing
3. Cybersecurity Controls: Preventative, Detective, and Corrective controls
4. External Dependency Management: External Connections and (Vendor) Relationship Management
5. Cyber Incident Management and Resilience: Incident Resilience Planning, Detection, Response & Mitigation, and Escalation & Reporting

What is Cybersecurity Maturity? Determining whether an institution's behaviors, practices, and processes can support cybersecurity preparedness. I.e., are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents?

Determining Maturity Level
- Within each component, declarative statements describe activities supporting the assessment factor at each maturity level.
- All declarative statements in each maturity level, and in all previous levels, must be attained and sustained to achieve that domain's maturity level.
- What this actually means: identify the controls you have in place, starting with baseline controls and escalating upward, in order to determine maturity levels.
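The roll-up rule on this slide, as an added example in Python (not from the slides or from the FFIEC tool): a domain's level is the highest one at which every declarative statement, at that level and at all lower levels, is attained, so one unmet Baseline statement caps a domain even when all of its Evolving statements are met. The level names are the CAT's five maturity levels and the domain and assessment-factor names are those listed on the previous slide; the statement ids and Yes/No statuses are constructed sample data.

```python
"""Domain maturity roll-up under the FFIEC Cybersecurity Assessment Tool rule:
a domain is at level L only when every declarative statement at L, and at every
level below L, is attained. A single gap at a lower level caps the domain even
if all higher-level statements are met. The five level names are the CAT's;
the domain and assessment-factor names are those on the slides; every
statement id and Yes/No status below is constructed sample data."""
from collections import defaultdict

LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Constructed sample assessment: (domain, assessment factor, level, statement id, status).
# "Yes" means the declarative statement is attained; anything else means it is not.
SAMPLE = [
    ("Cyber Risk Management and Oversight", "Governance", "Baseline", "S-01", "Yes"),
    ("Cyber Risk Management and Oversight", "Risk Management", "Baseline", "S-02", "Yes"),
    ("Cyber Risk Management and Oversight", "Resources", "Evolving", "S-03", "Yes"),
    ("Cyber Risk Management and Oversight", "Training", "Intermediate", "S-04", "Yes"),
    ("Cyber Risk Management and Oversight", "Governance", "Intermediate", "S-05", "No"),
    ("Cybersecurity Controls", "Preventative", "Baseline", "S-06", "No"),
    ("Cybersecurity Controls", "Detective", "Baseline", "S-07", "Yes"),
    ("Cybersecurity Controls", "Corrective", "Evolving", "S-08", "Yes"),
    ("Cybersecurity Controls", "Preventative", "Evolving", "S-09", "Yes"),
    ("Cyber Incident Management and Resilience", "Detection", "Baseline", "S-10", "Yes"),
]


def _tally(statements):
    """Count total and attained statements per (domain, level)."""
    total = defaultdict(int)
    attained = defaultdict(int)
    for domain, _factor, level, _sid, status in statements:
        total[(domain, level)] += 1
        if status == "Yes":
            attained[(domain, level)] += 1
    return total, attained


def domain_maturity(statements):
    """Map each domain to the highest level reached, or None if Baseline is not met.

    Levels are walked from Baseline upward; the walk stops at the first level
    with an unmet statement, or with no assessed statements at all (a level that
    was never assessed cannot be claimed as attained)."""
    total, attained = _tally(statements)
    result = {}
    for domain in sorted({d for d, _ in total}):
        reached = None
        for level in LEVELS:
            n = total[(domain, level)]
            if n == 0 or attained[(domain, level)] < n:
                break
            reached = level
        result[domain] = reached
    return result


def blocking_statements(statements, domain):
    """Statement ids that keep `domain` from advancing: the unmet statements at
    the lowest level that is not fully attained. Returns [] when the next level
    simply has no assessed statements, or when every level is attained."""
    total, attained = _tally(statements)
    for level in LEVELS:
        n = total[(domain, level)]
        if n == 0:
            return []
        if attained[(domain, level)] < n:
            return [sid for d, _f, lv, sid, status in statements
                    if d == domain and lv == level and status != "Yes"]
    return []


if __name__ == "__main__":
    for domain, level in domain_maturity(SAMPLE).items():
        gaps = blocking_statements(SAMPLE, domain)
        print(f"{domain}: {level or 'below Baseline'}; blocking: {gaps}")
```

With the sample data, Cybersecurity Controls lands below Baseline because of S-06 even though both of its Evolving statements are met, which is exactly the gap the "escalating up from baseline" approach surfaces first.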

Increasing Maturity

Risk Assessment Best Practices
- Determine which kind of assessment is the most important for your bank and invest accordingly
- Mature your program: have repeatable processes for each kind of assessment; assign an owner for each kind of assessment; create a policy and program for each kind of assessment
- Leverage tools to promote consistency and good decision making; don't use the manual spreadsheet technique!
- Produce your documentation along the way
- Ensure management/board involvement

Review of Goals
- Understand IT risk assessment law and regulation
- Understand the top risk assessment issues that cause problems and inefficiencies
- Learn how to expand and mature: IT risk assessment; Corporate account assessments (CATO); Enterprise Risk Management; BSA Risk Management
- Review effective risk assessment policy
- Watch how leading tools enable quicker and better risk assessment
- Review risk assessment best practices
Big 5: tools, KnowBe4, repeatable processes, policies, schedules

Risk Assessment Schedule

Dr. Kevin Streff, Professor of Cybersecurity at Dakota State University, Kevin.streff@dsu.edu, (605) 270-0790
Founder: SBS Cybersecurity, LLC, www.sbscyber.com, Kevin.streff@sbscyber.com, (605) 270-0790