Interpreting the FFIEC Cybersecurity Assessment Tool

Similar documents
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Emerging Issues: Cybersecurity. Directors College 2015

FDIC InTREx What Documentation Are You Expected to Have?

Cybersecurity and Examinations

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

FFIEC Cybersecurity Assessment Tool

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Cybersecurity Assessment Tool

NCUA IT Exam Focus. By Tom Schauer, Principal CliftonLarsonAllen

FFIEC Cybersecurity Assessment Tool

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Must Have Items for Your Cybersecurity or IT Budget in 2018

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.

Headline Verdana Bold

BUSINESS CONTINUITY MANAGEMENT

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Information Technology Branch Organization of Cyber Security Technical Standard

Cybersecurity for Health Care Providers

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Sage Data Security Services Directory

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Effective Strategies for Managing Cybersecurity Risks

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

2017 IT Examination Preparedness. Iowa Bankers 2017 Technology Conference October 24, 2017

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Information Security Controls Policy

Why you should adopt the NIST Cybersecurity Framework

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

CISO as Change Agent: Getting to Yes

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017

Table of Contents. Sample

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 05/24/2017

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

InfoSec Risks from the Front Lines

GUIDANCE NOTE ON CYBERSECURITY

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

NCSF Foundation Certification

Global Statement of Business Continuity

FFIEC Guidance: Mobile Financial Services

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Cyber and Information Security Focused Audit Strategy WNY ISACA May 9, 2017 Shamus McMahon CISA, CISSP

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

BRING EXPERT TRAINING TO YOUR WORKPLACE.

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

Supply Chain Integrity and Security Assurance for ICT. Mats Nilsson

Cybersecurity Guidance for Small Firms Thursday, November 8 9:00 a.m. 10:00 a.m.

Cyber Protections: First Step, Risk Assessment

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Accelerate Your Enterprise Private Cloud Initiative

Cybersecurity- A Regulatory Perspective. Robert J. Lipot, CRISC Senior Financial Institutions Examiner Department of Business Oversight

Building a BC/DR Control Library and Regulatory Response Program

Securing Your Digital Transformation

FFIEC Cybersecurity Assessment Tool

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

NYDFS Cybersecurity Regulations

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Cybersecurity and Data Protection Developments

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Threat and Vulnerability Assessment Tool

Rethinking Information Security Risk Management CRM002

Understanding and Evaluating Service Organization Controls (SOC) Reports

Cybersecurity and the Board of Directors

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Cybersecurity. Securely enabling transformation and change

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

June 5, 2018 Independence, Ohio

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Cybersecurity in Higher Ed

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

NW NATURAL CYBER SECURITY 2016.JUNE.16

Certified Information Security Manager (CISM) Course Overview

Cybersecurity The Evolving Landscape

Cyber Risks in the Boardroom Conference

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Understanding IT Audit and Risk Management

The value of visibility. Cybersecurity risk management examination

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

The Windstream Enterprise Advantage for Banking

SFC strengthens internet trading regulatory controls

Lakeshore Technical College Official Policy

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Mitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment

Defensible and Beyond

Position Description IT Auditor

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Bradford J. Willke. 19 September 2007

Information Security Officer (ISO) Education

Transcription:

Interpreting the FFIEC Cybersecurity Assessment Tool Wayne H. Trout, CISA, CRISC, CBCA, CBRA, CBRITP NCUA Supervisor, Critical Infrastructure and Cybersecurity

What We ll Cover Cyber risk management Cybersecurity Assessment Tool Inherent risk profile Cybersecurity maturity Interpret and analyze results Issues & FAQs 2

Cybersecurity Initiative Summary Primary Objective: help institutions identify their risks and determine their cybersecurity maturity Emphasis: cybersecurity risk management concepts Assessment: provides institutions with a repeatable and measureable process to inform management of their institution s risks and cybersecurity preparedness. Interpret and analyze results: Gap analysis 3

Cyber Risk Management Cyber Risk Program Disaster Recovery Information Security Business Continuity Enterprise-wide Identifies policies, procedures, processes, and controls Develop action plan following gap analysis 4

CYBERSECURITY ASSESSMENT TOOL 5

Cybersecurity Assessment Tool Inherent Risk Profile Cybersecurity Maturity 6

Inherent risk The amount of risk a credit union s activities and connections pose, notwithstanding any controls in place to mitigate risk. 7

Inherent risk profile Least Inherent Risk Minimal Inherent Risk Moderate Inherent Risk Significant Inherent Risk Most Inherent Risk Type, volume, and complexity of operations and threats directed at the institution 8

Inherent Risk Levels Most Risk Significant Risk Moderate Risk Minimal Risk Least Risk 9

IRP Screenshot Category Risk Levels Activity, Service or Product Category: Technologies and Connection Types Total number of internet service provider (ISP) connections (including branch connections) Unsecured external connections, number of connections not users (e.g., file transfer prototype (FTP), Telnet, rlogin) Risk Levels Least Minimal Moderate Significant Most No connections None Minimal complexity (1 20 connections) Few instances of unsecured connections (1 5) Moderate complexity (21 100 connections) Several instances of unsecured connections (6 10) Significant complexity (101 200 connections) Significant instances of unsecured connections (11 25) Substantial complexity (>200 connections) Substantial instances of unsecured connections (>25) 10

Example: Inherent Risk Excerpt Risk Levels Category: Technologies and Connection Types Least Minimal Moderate Significant Most Wireless network access No wireless access Separate access points for guest wireless and corporate wireless Guest and corporate wireless network access are logically separated; limited number of users and access points (1 250 users; 1 25 access points) Wireless corporate network access; significant number of users and access points (251 1,000 users; 26 100 access points) Wireless corporate network access; all employees have access; substantial number of access points (>1,000 users; >100 access points) Personal devices allowed to connect to the corporate network None Only one device type available; available to <5% of employees (staff, executives, managers); e-mail access only Multiple device types used; available to <10% of employees (staff, executives, managers) and board; e-mail access only Multiple device types used; available to <25% of authorized employees (staff, executives, managers) and board; e-mail and some applications accessed Any device type used; available to >25% of employees (staff, executives, managers) and board; all applications accessed Category: Delivery Channels Online presence (customer) Least Minimal Moderate Significant Most No Web-facing applications or Serves as an informational social media presence Web site or social media page (e.g., provides branch and ATM locations and marketing materials) Serves as a delivery channel for retail online banking; may communicate to customers through social media Serves as a delivery channel for wholesale customers; may include retail account origination Internet applications serve as a channel to wholesale customers to manage large value assets Mobile presence None SMS text alerts or notices only; browser-based access Mobile banking application for retail customers (e.g., bill payment, mobile check capture, internal transfers only) Mobile banking application includes external transfers (e.g., for corporate clients, recurring external transactions) Full functionality, including originating new transactions (e.g., ACH, wire) Automated Teller Machines (ATM) (Operation) No ATM services ATM services offered but no owned machines ATM services managed by a ATM services managed internally; third party; ATMs at local and ATMs at U.S. branches and retail regional branches; cash locations; cash reload services reload services outsourced outsourced ATM services managed internally; ATM services provided to other financial institutions; ATMs at domestic and international branches and retail locations; cash reload services managed internally 11

Inherent Risk Levels Parameters, not rigid rules Select higher risk level if assessment indicates level is between two levelsmost Risk Do not factor in mitigating Significant controls Risk when assigning risk levels Moderate Risk Minimal Risk Least Risk 12

Considerations Gathering and validating information Interacting with management, the board, or committees Previously completed risk profile status 13

Cybersecurity Maturity Domains Cyber Risk Management and Oversight Threat Intelligence and Collaboration Cybersecurity Controls External Dependency Management Cyber Incident Management and Resilience Domain 1 Domain 2 Domain 3 Domain 4 Domain 5 14

Cybersecurity Maturity Levels Innovative Advanced Intermediate Evolving Baseline 15

Domain - Maturity Levels 16

Domain - Maturity Levels 17

Domain - Maturity Levels 18

INTERPRET AND ANALYZE RESULTS 19

Cyber Maturity/Risk Relationship Inherent Risk Levels Least Minimal Moderate Significant Most Innovative Cybersecurity Maturity Level for Each Domain Advanced Intermediate Evolving Baseline Elevated Investment Underinvestment 20

Addressing Misalignments Determine target maturity levels Conduct gap analysis Prioritize and plan actions Implement changes Reevaluate Communicate results 21

Provide Information Read declarative statements to find policies, processes, procedures and controls that can be adopted for use by the credit union to increase cybersecurity preparedness. 22

Share Assessment Results Meet with CEO and board of directors Review assessment results Provide additional information 23

When to Reassess Periodically Following significant operational or technological changes Before new products, services, or initiatives are introduced 24

Benefits to Credit Unions Identify Risk Drivers Assess Level of Preparedness Identify Misalignments in Risk Determine Optimal Enhancements to Align Inform Risk Management Strategies Understand Risk with Third Parties and Partners Measure and Monitor Progress Connect Strategic with Operational Functions 25

ISSUES & FAQS Interpreting the FFIEC Cybersecurity Assessment Tool 26

CAT Issue: Limited Resources to Implement Tailor use of the tool to size and complexity Can be implemented in stages and over time Start with the Baseline Target higher maturity levels in some Domains, Assessment Factors, or Components than others Can weight the results, factor in compensating controls, customize a scoring system, etc. Don t artificially limit to Baseline Many CUs already operate above the Baseline due to vendor cybersecurity control products i.e. network and online banking security 27

CAT Implementation FAQ Do we have to meet all declarative statements in order to move up to the next maturity level? Example: If we meet 100% of Baseline, then 80% of Evolving. Can we state that we are in the Evolving maturity level? If so, than do we need to reach 100% on Evolving before moving to Intermediate? Answer: The CAT was designed so that all statements at a maturity level need to be achieved. For example, deeming statements as not applicable for the environment (NA), or opting out/accepting risk for some statements. Higher maturity levels can be worked on without completing lower levels, but the CAT is designed to be a maturity progression 28

CAT Issue: Consulting Your Vendors CAT not specifically designed to trigger contact with service providers Fully completing the Assessment may necessitate such contact For example, CUs outsourced technical expertise to Managed Security Service Providers Service provider contact can improve management s oversight of the third party relationship/service CUs should expect to find vendor controls and practices commensurate to those in the CAT 29

CAT Case Study: Cloud Provider Some Applicable CAT Statements Risk-based due diligence is performed (Baseline) Board reviews due diligence when 3 rd party affects risk profile (Evolving) Audits of high-risk vendors are conducted on an annual basis (Advanced) Other Key Considerations Does the vendor store PII? SOC 2 Type II performed? Private or public cloud? Offshore or U.S based? Remember, for the IRP we are measuring inherent rather than residual risk 30

CAT Issue: Alternative Frameworks The CAT is voluntary and CUs can us other frameworks to assess cybersecurity preparedness However, the CAT is customized to our industry and draws from numerous sources such as: Existing regulations and regulatory guidance The FFIEC IT Handbooks NIST Cybersecurity Framework and NIST Special Publication 800-53 U.K. Prudential Regulation Authority 2014 cybersecurity assessment Canada s Office of Superintendent of Financial Institutions 2013 cybersecurity assessment Department of Energy s Cybersecurity Capability Maturity Model Program And others, as the CAT was designed to provide considerable benefit and efficiency to financial institutions 31

CAT FAQ: Risk Assessment Replacement? The CAT is not designed to be a risk assessment CAT does not replace risk assessment requirement required by GLBA Guidelines Notation of threats to customer information. Other areas that require a risk assessment process include: New products or services Vendors Business continuity planning 32

CAT FAQ: Risk Assessment Replacement? Does the Assessment replace the risk assessment process outlined in the GLBA Guidelines? No. The Assessment was designed to complement, not replace, an institutions risk management process and cybersecurity program. Therefore it does not replace the risk assessment of threats to customer information required by the GLBA Guidelines. To comply with the GLBA Guidelines, this risk assessment process must: Identify all reasonably foreseeable threats to customer information. Assess the risk (likelihood of occurrence and potential impact). Assess the sufficiency of controls in place to control risks. 33

CAT FAQ: Recommended IT Audits? External vulnerability assessments Internal vulnerability assessments Supplement outsourced with internal scanning IT general controls audit Social engineering testing Phishing Pretext calling Site visits to attempt unauthorized physical access Penetration testing at higher maturity levels 34

? QUESTIONS? 35

Contact for Questions For Credit Unions: CU_cybersecurity@ncua.gov 36

Critical Infrastructure & Cybersecurity Feel free to contact our office with questions or comments. Primary Staff: Wayne H. Trout, Supv. email: wtrout@ncua.gov Office Phone: 703-664-3412 37

Reference 1. FFIEC Cyber Assessment Tool & Supporting Materials https://www.ffiec.gov/cyberassessmenttool.htm 2. FFIEC IT Handbook InfoBase http://ithandbook.ffiec.gov/ 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback