FDIC InTREx What Documentation Are You Expected to Have?


Written by: Jon Waldman, CISA, CRISC
Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC

Since the FDIC rolled out the new Information Technology Risk Examination procedures (InTREx) on June 30, 2016, expectations regarding required documentation from financial institutions have been made a bit clearer. The following is a list of documentation pulled from the InTREx procedures. We hope this helps you as you update your Information Security Program documentation and as you prepare for your next IT examination.

General Required Documentation (listed multiple times in InTREx)

InTREx highlights a great deal of documentation in its four (4) Core modules, and even more in a few supplemental sections. The following is a list of documents that are mentioned multiple times throughout the new examination procedures and that all financial institutions should include in their Information Security Program documentation:

- Most recent IT Examination report(s) and work-papers
- Pre-examination memoranda and file correspondence
- Formal, documented Information Security Program documentation, including:
  o Information Security controls, including cybersecurity
  o Network Security controls, including intrusion detection
  o Acceptable Use
  o User Access Rights Management
  o Electronic Funds Transfer
  o Vendor Management/Third-Party Risk
  o Remote Access
  o Bring Your Own Device (BYOD)
  o Institution-issued Mobile Devices
  o Anti-virus/Anti-malware
  o System Configuration Standards
  o Change/Patch Management
  o Physical and Environmental Security
  o Encryption
  o Unauthorized/Unlicensed Software
  o Information Security Training Program, including both the staff and the Board
- Incident Response Plan, including:
  o Identifying and Reporting Incidents
  o Assessing the nature and scope of an Incident
  o Incident escalation procedures
  o Identifying what customer information and information systems have been accessed or misused
  o Notifying primary Federal regulator(s), law enforcement, and customers
  o Filing of a SAR
  o Incident response and recovery
  o Testing Program, including results-tracking
- Business Continuity/Disaster Recovery Plan(s), including:
  o Enterprise-wide business continuity plan
  o Business impact analysis
  o Risk/threat assessment, including cyber risks/threats
  o Appropriate recovery operations
  o Pandemic Preparedness
  o Testing program, including results-tracking
- Vendor Management Program
  o Vendor Risk Assessment
  o Acquisition of Key Vendors
  o Ongoing Management of Vendors (both foreign and domestic)
- Most recent IT Risk Assessment
  o IT asset inventory, including cloud-based and virtualized systems
  o Criticality of IT assets
  o Threats (including likelihood and impact)
  o Inherent Risk Level
  o Controls to reduce risk
  o Control testing
  o Residual Risk Level
  o Frequency of IT Risk Assessment
  o Acceptable levels of risk
  o Remediation of unacceptable risks
- Most recent Cybersecurity Risk Assessment
- Most recent Internal and External IT Audit reports
- Board/Committee minutes related to the review of:
  o IT-related Committee meetings and decisions
  o Approval of Information Security Program and IT-related policies
  o IT and Cybersecurity Risk Assessments
  o IT Audits
  o Vendor Management
  o Change/Patch Management, including major IT projects
  o Network Security, including Security or Cyber Incidents
- Organizational Charts that reflect:
  o Business and IT Structure
  o Audit Reporting Structure
- Remediation/Action Tracking to demonstrate management responses to IT Audit and Examination recommendations and deficiencies

2016 SBS CyberSecurity


Additional InTREx Required Documents, by section

In addition to the documents listed multiple times throughout InTREx, the following are documents to be reviewed under each identified section:

Audit
- IT Audit Policy and Charter
- IT Audit Plan/Schedule, including:
  o Information Security, including compliance with the Interagency Guidelines Establishing Information Security Standards
  o Cybersecurity
  o Network architecture, including firewalls and intrusion detection/prevention systems (IDS/IPS)
  o Incident Response Planning
  o Business Continuity/Disaster Recovery Planning
  o Security monitoring, including logging practices
  o Change/Patch Management
  o Third-party outsourcing
  o Social engineering
  o Electronic Funds Transfer
  o Electronic Banking (all products, services, and channels), including Mobile Banking
- Most recent IT Audit Risk Assessment

Management
- IT Governance Documentation regarding the committees, names, and titles of the individual(s) responsible for managing IT and information security
- IT Asset Inventory
- IT-related committee minutes
- IT job descriptions, including qualifications of key IT employees
- Insurance policies (including Cybersecurity insurance)
- Strategic plans (business and IT)
- Succession plans
- IT budgets

Development and Acquisition
- Change Management Policy and procedures, including:
  o Request and approval
  o Testing
  o Implementation
  o Backup and back-out
  o Documentation
  o User notification and training
- Project Management Policy and procedures
- System Development Life Cycle process and procedures (if applicable)
- IT-related contracts and license agreements

Support and Delivery
- Business Operations-related policies, including:
  o Monitoring of systems for problems or capacity issues
  o Daily processing issue resolution and escalation procedures
  o Independent review of master file input and file maintenance changes
  o Independent review of global parameter changes
  o Document Imaging and Management Systems
  o Item Processing Functions, including Check Imaging
- Up-to-date Network topology
- Information Technology Profile (InTREx)
- Most recent Network Vulnerability Assessment/Penetration Testing reports
- Regulatory vendor reports (e.g., TSP reports)

Other Requirements

Additionally, InTREx mentions the following areas in two different Expanded Analysis sections: Management Expanded Analysis and Support and Delivery Expanded Analysis. Ensure these areas are appropriately addressed in your Information Security Program and IT-related documentation:

- Cloud Computing: update the following to include any cloud-based products, systems, or vendors:
  o Information Security Program and IT-related policies
  o IT and Cybersecurity Risk Assessments
  o Vendor Management Program
  o Incident Response Plan
  o Business Continuity/Disaster Recovery Plan
- Managed Security Services Providers (MSSP)
  o Type and frequency of security reports provided by the MSSP
  o MSSP responsiveness to audit findings
  o Incident Response capabilities
  o Service Level Agreements (SLA)
  o Business Continuity/Disaster Recovery Plan
  o Secure handling of sensitive data
  o In-house expertise to manage the MSSP
- Foreign-based Technology Service Providers (FBTSP)
  o Location of the FBTSP and the institution's data
  o Familiarity of the FBTSP with US banking laws and regulations
  o Choice of governing law (US law is preferred)
  o Right of US regulators to audit
  o The FBTSP's Vendor Management Program
- Wireless Networks
  o Guest wireless networks vs. Corporate wireless networks
  o Security and Access guidelines
  o Periodic network security testing
- Virtualization
  o Updated Network Topology to reflect the virtualized environment
  o Access Rights Administration, including privileged users and remote access
  o System/Image Standard Configurations
  o Licensing
  o Patch Management
  o Incident Response Plan
  o Business Continuity/Disaster Recovery Plan
  o Physical Security
  o Encryption
  o Monitoring, Logging, and Auditing
  o Network Vulnerability Assessment and Penetration Testing
- Voice over IP (VoIP)
  o Physical and Logical Security controls
  o Patch Management
  o Network Segmentation
  o Periodic network security testing
  o Emergency service communications
- ATM Operations
  o Physical and Logical Security controls
  o Patch Management
  o Network Segmentation
  o Dual control over cash
  o Card issuance procedures, including PIN issuance
- Customer-facing Call Center Operations
  o Customer Identification Procedures
  o Access Rights Administration
  o Personnel Security
  o Type and frequency of management reports
  o Scope and frequency of Call Center audits
- Internal IT Help Desk Operations
  o Access Rights Administration
  o Help Desk activity logging and monitoring
  o Ticketing/Tracking system adequacy/prioritization
  o Type and frequency of management reports
  o Scope and frequency of Help Desk audits
- Servicing provided to other entities
  o Contract adequacy
  o Service Level Agreements (SLA) compliance
  o Business Continuity/Disaster Recovery Plan considerations
  o IT and Cybersecurity Risk Assessments
  o Insurance coverages for services provided
  o Security of client data, including encryption of data-at-rest and data-in-transit
  o Type and frequency of management reports for services provided to other entities
  o Scope and frequency of Help Desk audits

SBS Information Security Program Blueprint

SBS has been partnering with financial institutions across the United States for more than 10 years to help build Information Security Programs that are comprehensive, manageable, and valuable. The SBS Information Security Program framework has been built on regulatory guidance (primarily the FFIEC IT handbooks) with help from industry best practice (ISO 27001, NIST, SANS, CIS, and COBIT). SBS has laid out the foundation of a strong Information Security Program in an Information Security Program Blueprint, as seen below in Figure 1. The ISP Blueprint is designed to give bankers a visual depiction of what an Information Security Program should look like, a sense of flow from the top down, and a path to ensure an ISP that is repeatable and can handle anything you throw at it.

Figure 1: Information Security Program Blueprint

The focus of this whitepaper is the documentation outlined by the FDIC InTREx procedures, which aligns directly with the ISP Blueprint above. The Policy Components listed in the first tier of ISP documentation in the Blueprint are the things that all financial institutions need to do, regardless of size or complexity. If you align the ISP Blueprint Policy Components with the InTREx expected documentation, you'll find that most of the major ISP Blueprint sections are listed multiple times in InTREx, including:

- The Information Security Program
- IT Risk Assessment
- Cybersecurity Assessment
- Vendor Management
- Business Continuity/Disaster Recovery
- Incident Response
- IT Audit

There are three (3) tiers to the top level of the ISP Blueprint: 1) Policy Components, 2) Implementation Programs, and 3) Plans/Deliverables/Services. Policy Components define the high-level, long-lasting policy statements that set out the purpose, scope, requirements, and responsibilities of each individual ISP component. Implementation Programs are the day-to-day operating procedures for each component. And finally, Plans/Deliverables/Services represent the outcome from each component, whether it's the result of an assessment (a report), a deliverable resulting from a service performed, training, or the testing of a BCP or IRP.

The next component of the ISP Blueprint is the Issue and System Specific Components section. These additional components of your ISP are based on your risk assessment. If your institution implements Remote Deposit Capture, for example, you should either outline an RDC policy or include an RDC section in your ISP. The controls you have decided to implement around RDC in your risk assessment to reduce risk should then be documented in your RDC policy. If your institution does not implement RDC, you don't need to include it in your ISP. Many of these additional requirements are outlined in the Other Requirements section above. Those items may include cloud computing, managed security service providers, VoIP, ATMs, virtualization, wireless, help desk, etc.

That brings us to the testing component, otherwise referred to as auditing. There are three (3) ways to protect information: People, Process, and Technology. Financial institutions must also test (audit) their People, Process, and Technology for compliance and adequacy. Testing your Processes is frequently performed through an IT Audit. Testing your Technology is accomplished most often through external Penetration Testing and internal Vulnerability Assessment (or other combinations of the two). Testing your People is done through Social Engineering Assessments. InTREx has an entire section dedicated to Audit, which includes documentation around an IT Audit Policy, IT Audit Charter, IT Audit Plan/Schedule (that includes testing for People, Process, and Technology), IT Audit Risk Assessment, and making sure that findings and recommendations are tracked to remediation or acceptance.

The final component of a well-rounded ISP is Remediation and Reporting. Remediation involves closing the loop on the feedback component (Audit) by ensuring improvements to the ISP are implemented (completed), tabled, or accepted. Accepted risks should be documented and reported upstream regularly. Reporting is the other half of this final component of the ISP. Strong ISP reporting means that regular reports to senior management and the Board of Directors include updates and progress on all the major items discussed above, from the risk assessment, to the ISP components, to testing the institution's People, Process, and Technology.

When your Information Security Program is at its best, it allows your financial institution to identify risk and make decisions on how to mitigate risk (risk assessment), document those decisions in your policies and procedures (ISP), test those decisions (audit), and continuously improve security at your institution (remediation and reporting). Using a model like the ISP Blueprint can help your organization better understand how all of the components work together to build a better ISP and mature the security of your institution.