Must Have Items for Your Cybersecurity or IT Budget in 2018


Must-Have Items for Your Cybersecurity or IT Budget in 2018
CBAO Regional Meeting
Dan Desko (Senior Manager, IT Risk Advisory)
Matt Dunn (Senior Security Analyst, IT Risk Advisory)

Who is Schneider Downs?
Top 50 public accounting firm in the United States. We have clients worldwide, but our primary service area includes OH, PA, MI, NY and WV.
Two offices, 450 personnel: Columbus, OH and Pittsburgh, PA.
Highly specialized IT Risk Advisory Services practice that provides IT audit co-source/out-source/special projects; IT security services (penetration testing, phishing assessment, end-user awareness training, etc.); SOC report services; third-party risk management.
Dedicated Financial Services Industry Group that focuses on matters related to the banking industry.

Daniel Desko
Senior Manager of IT Risk Advisory Services at Schneider Downs. CISA, CISSP, CTPRP.
12 years of experience; began working in IT. Current ISACA Pittsburgh Chapter President.
Experience in delivering IT audit, security and vendor risk management services to multiple clients in the banking industry.
Responsible for product delivery, client satisfaction and quality control.

Matt Dunn
Currently Senior Security Analyst within IT Risk Advisory Services at Schneider Downs. Certified Information Systems Security Professional (CISSP).
Over 10 years of experience in information security and IT.
Responsible for technical delivery of penetration testing and other security-related services.

Agenda
Current State of Cybersecurity
Budget Items for 2018
Questions

State of Cybersecurity
24% of breaches affected the financial sector.
96% of financial organization breaches had a monetary motivation.
66% of malware was delivered via email.
Other considerations: denial of service attacks; ATM skimming attacks.
Stats from the 2017 Verizon Data Breach Investigations Report (DBIR).

State of Cybersecurity
ATM skimmers and shimmers.

State of Cybersecurity: Bigger Breaches
143 million consumers affected.
A blueprint of what not to do when responding to a breach.
Follow-on attacks occurring (e.g. phishing scams that use the breach as a lure).

Primary Problems in Cybersecurity
Firewalls and antivirus are not enough.
Phishing emails are a serious threat.
Information Technology is not Information Security.
Lack of qualified defensive personnel.

Item One: Asset Inventory
Do you know where your data is?
Accurate inventory of devices.
Accurate inventory of software.
Accurate inventory of data and data ownership.
Cost: staff time and potential software costs.
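An inventory is only useful if it is checked against what is actually on the network. The following script is an added example (not part of the original slides) of that check: it reconciles a CMDB-style device list against a DHCP lease dump, reporting devices on the wire that nobody owns, inventoried devices that were not seen, and hosts whose recorded software is on an unsupported list. Both input files, the hostnames, MAC addresses and the unsupported-software list are constructed for illustration; in practice you would export the inventory and lease data from your own systems and maintain the unsupported list from vendor lifecycle data.

```python
"""Reconcile an authorized device inventory against observed DHCP leases.

Added example, not from the original presentation. All sample data below is
constructed; MAC addresses, hostnames and the unsupported-software list are
placeholders for illustration only.
"""
import csv
import io

# Constructed CMDB export: one row per authorized device; software is ';'-separated.
INVENTORY_CSV = """hostname,mac,owner,software
teller01,00:11:22:33:44:01,Branch Ops,Windows 10;Core Banking Client
teller02,00:11:22:33:44:02,Branch Ops,Windows 10;Core Banking Client
fileserver,00:11:22:33:44:10,IT,Windows Server 2003;SMBv1
atm-kiosk,00:11:22:33:44:20,Branch Ops,Windows XP
"""

# Constructed DHCP lease dump: "ip mac hostname" per line, mixed MAC formats on purpose.
DHCP_LEASES = """# ip mac hostname
10.1.5.21 00:11:22:33:44:01 teller01
10.1.5.22 00-11-22-33-44-02 teller02
10.1.5.40 00:11:22:33:44:10 fileserver
10.1.5.77 AA:BB:CC:DD:EE:FF android-3f9a
"""

# Illustrative list of software the institution no longer permits (assumption, not authoritative).
UNSUPPORTED_SOFTWARE = {"Windows XP", "Windows Server 2003", "SMBv1"}


def normalize_mac(mac):
    """Canonicalize 'AA-BB-..' / 'aa:bb:..' forms to lowercase colon-separated."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_inventory(text):
    """Return {mac: {hostname, owner, software[]}} from the CSV export."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        inventory[normalize_mac(row["mac"])] = {
            "hostname": row["hostname"],
            "owner": row["owner"],
            "software": [s.strip() for s in row["software"].split(";") if s.strip()],
        }
    return inventory


def parse_leases(text):
    """Return {mac: {ip, hostname}} from the lease dump, skipping comments/blank lines."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, hostname = line.split()
        seen[normalize_mac(mac)] = {"ip": ip, "hostname": hostname}
    return seen


def reconcile(inventory, seen):
    """Compare authorized inventory with observed devices.

    unknown:     MACs seen on the network with no inventory record (rogue or untracked)
    missing:     inventoried hostnames that did not show up (stale record or offline asset)
    unsupported: hostname -> recorded software that is on the unsupported list
    """
    unknown = sorted(mac for mac in seen if mac not in inventory)
    missing = sorted(rec["hostname"] for mac, rec in inventory.items() if mac not in seen)
    unsupported = {}
    for rec in inventory.values():
        bad = sorted(set(rec["software"]) & UNSUPPORTED_SOFTWARE)
        if bad:
            unsupported[rec["hostname"]] = bad
    return {"unknown": unknown, "missing": missing, "unsupported": unsupported}


def run_sample():
    """Run the reconciliation on the constructed sample data."""
    return reconcile(parse_inventory(INVENTORY_CSV), parse_leases(DHCP_LEASES))


if __name__ == "__main__":
    result = run_sample()
    for mac in result["unknown"]:
        print(f"UNKNOWN DEVICE  {mac}  (on network, not in inventory)")
    for host in result["missing"]:
        print(f"NOT SEEN        {host}  (in inventory, no lease observed)")
    for host, bad in result["unsupported"].items():
        print(f"UNSUPPORTED     {host}: {', '.join(bad)}")
```

Each of the three findings maps to a budget line on the slide: unknown devices are the device-inventory gap, stale records are the data-ownership gap, and unsupported software is the software-inventory gap that later drives vulnerability remediation.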

Item Two: Enhance Defensive Measures
Improve your defenses. Assessments such as the FFIEC CAT can be used as a guide.
Focus on key improvements:
Two-factor authentication.
Advanced endpoint protection.
Advanced email protection (e.g. Mimecast, Proofpoint).
Cost: various costs for defensive systems; staff time required to actively manage them.

Item Three: FFIEC CAT Self-Assessment
Self-assessment using the FFIEC Cybersecurity Assessment Tool: internal review; identify risks; identify maturity.
The tool has two components:
Inherent Risk Profile (a fancy name for a risk assessment).
Cybersecurity Maturity evaluation across five domains:
1. Cyber Risk Management and Oversight
2. Threat Intelligence and Collaboration
3. Cybersecurity Controls
4. External Dependency Management
5. Cyber Incident Management and Resilience
Cost: staff time and energy.

Item Three (Cont'd): FFIEC CAT Self-Assessment
Independent assessment of the FFIEC Cybersecurity Assessment Tool results: have an independent party review and evaluate management's assessment of cybersecurity risks and controls. This may be performed by internal audit or by a qualified independent external party.
In our experience we've seen self-assessment results that aren't quite accurate or that represent a Pollyannaish view.
Cost: internal resource efforts; cost of external review.

Item Four: Prepare for a Breach
It's a matter of when, not if. Make sure you have a robust incident response program that is tested regularly.
"To validate the effectiveness of the institution's incident response program, management should periodically test it through different test types, including scenario planning and tabletop testing, and perform the tests with appropriate internal and external parties." (FFIEC Information Security booklet)
Remember, an incident response program is useless if you can't detect an incident.
Cost: internal resource efforts; cost of external resources to perform test scenarios.

Item Five: Vulnerability Scanning
Many breaches exploit known vulnerabilities.
Vulnerability scanning provides regular, automated security checks. Tools such as Nessus and Qualys can be purchased and used on a regular basis.
Scan results allow management to measure and improve the patching process.
Cost: employee time and cost of the service or software.
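Buying a scanner is the easy part; the value comes from turning each scan into a short, repeatable report management can act on. The script below is an added example (not from the original slides) that reads a Nessus export in the .nessus v2 XML layout, counts findings by severity, lists hosts with an exploit publicly available, and flags findings older than an illustrative remediation target. The element and attribute names (ReportHost, ReportItem, severity, pluginID, exploit_available, plugin_publication_date) are the ones a Nessus export uses, but the hosts, plugin names, scan date and SLA thresholds in the sample are constructed for illustration.

```python
"""Summarize a Nessus (.nessus v2 XML) export for management reporting.

Added example, not part of the original presentation. SAMPLE_NESSUS is a
constructed file in the .nessus v2 layout; hosts, plugins and dates are
placeholders. Qualys exports use a different schema and would need their own parser.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import date, datetime

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Illustrative remediation targets (days since the plugin was published); assumption, use your own policy.
REMEDIATION_SLA_DAYS = {4: 15, 3: 30, 2: 90, 1: 180}

# Assumed date the sample scan was run.
SCAN_DATE = date(2017, 12, 1)

# Constructed sample export (three report items on two hosts).
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="branch-scan">
 <ReportHost name="10.1.5.40">
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001"
              pluginName="Constructed SMB remote code execution finding" pluginFamily="Windows">
   <risk_factor>Critical</risk_factor>
   <exploit_available>true</exploit_available>
   <plugin_publication_date>2017/03/14</plugin_publication_date>
  </ReportItem>
 </ReportHost>
 <ReportHost name="10.1.5.21">
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900002"
              pluginName="Constructed weak TLS configuration finding" pluginFamily="General">
   <risk_factor>Medium</risk_factor>
   <exploit_available>false</exploit_available>
   <plugin_publication_date>2017/10/01</plugin_publication_date>
  </ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900003"
              pluginName="Constructed OS identification" pluginFamily="General">
   <risk_factor>None</risk_factor>
  </ReportItem>
 </ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict; missing optional elements become None/False."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            published = item.findtext("plugin_publication_date")
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "exploit_available": item.findtext("exploit_available") == "true",
                "published": datetime.strptime(published, "%Y/%m/%d").date() if published else None,
            })
    return findings


def summarize(findings, scan_date):
    """Counts by severity (Info excluded), hosts with public exploits, and overdue findings."""
    by_severity = Counter(SEVERITY_NAMES[f["severity"]] for f in findings if f["severity"] > 0)
    exploitable_hosts = sorted({f["host"] for f in findings if f["exploit_available"]})
    overdue = []
    for f in findings:
        sla = REMEDIATION_SLA_DAYS.get(f["severity"])
        if sla is None or f["published"] is None:
            continue  # Info findings and plugins without a publication date have no SLA
        age_days = (scan_date - f["published"]).days
        if age_days > sla:
            overdue.append((f["host"], f["plugin_name"], age_days))
    overdue.sort(key=lambda t: -t[2])  # oldest first
    return {"by_severity": dict(by_severity), "exploitable_hosts": exploitable_hosts, "overdue": overdue}


def report():
    """Summary for the constructed sample at the assumed scan date."""
    return summarize(parse_nessus(SAMPLE_NESSUS), SCAN_DATE)


if __name__ == "__main__":
    s = report()
    print("Findings by severity:", s["by_severity"])
    print("Hosts with public exploit available:", s["exploitable_hosts"])
    for host, name, age in s["overdue"]:
        print(f"OVERDUE {age:4d} days  {host}  {name}")
```

Tracking the same three numbers scan after scan (open findings by severity, exploitable hosts, overdue count) is what turns a scanner purchase into the process improvement the slide describes.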

Item Six: Penetration Testing
Simulated attacks: Can I get in? Where can I get to once inside? Can you detect and defend?
Be wary of services that provide nothing more than automated vulnerability scans.
Include phishing attacks and other social engineering attacks to make the test realistic.
Cost: employee time and testing fees.

Item Seven: Phishing Email Simulations
A realistic test of employee and email security. Email attacks target all organizations: don't hack the firewall, dig a tunnel under it.
How many employees fall for scams? What is the impact if someone clicks?
Cost: employee time and cost of phishing simulation services.

Item Eight: Board and Director Involvement
Cybersecurity governance: does your board have the appropriate experience to hold IT and IT security management accountable for central oversight and coordination, assignment of responsibility, and effectiveness of the information security program?
Does the board give the information security officer a seat at the table?
Ensure regular, comprehensive reporting. Guidance notes at least annually; we recommend quarterly. Reporting should cover key risks, track improvements and request investments.
Cost: employee time, board time.

Item Nine: Highlight Key Risks
An IT audit plan that highlights key risks. When is the last time you've taken a fresh look at your IT audit plan? Is your IT audit plan risk-based? Do you audit cybersecurity?
Measure risks and revisit these measurements regularly.
Cost: employee time and auditing fees.

Item Ten: Invest in Security Personnel
Do you have a Chief Information Security Officer (CISO) and other supporting personnel?
The CISO is responsible for cybersecurity and for keeping systems and data secure, and should be independent of IT: works with, but does not report to, the CIO. Information Technology and Information Security often have conflicting ideals.
A CISO alone is usually not enough; a supporting cast is needed.
Cost: recruitment fees, salary, benefits. CISO or Security as a Service may be an option.

Questions?
Contact Information
Dan Desko ddesko@schneiderdowns.com
Matt Dunn mdunn@schneiderdowns.com