May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Similar documents
K12 Cybersecurity Roadmap

Automating the Top 20 CIS Critical Security Controls

Designing and Building a Cybersecurity Program

TIPS FOR AUDITING CYBERSECURITY

Cyber Protections: First Step, Risk Assessment

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

NEN The Education Network

Back to Basics: Basic CIS Controls

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

ISE North America Leadership Summit and Awards

Sage Data Security Services Directory

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

CyberSecurity: Top 20 Controls

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

How to Develop Key Performance Indicators for Security

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

WHO AM I? Been working in IT Security since 1992

Les joies et les peines de la transformation numérique

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Critical Security Controls. COL Stef Horvath MNARNG Oct 21, 2015

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

VIVOTEK. Security Hardening Guide

How Breaches Really Happen

FDIC InTREx What Documentation Are You Expected to Have?

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Aligning with the Critical Security Controls to Achieve Quick Security Wins

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Cybersecurity Auditing in an Unsecure World

ACM Retreat - Today s Topics:

Cybersecurity Today Avoid Becoming a News Headline

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

IT Vulnerabilities: What an IT Auditor Should be Thinking About

Cyber Hygiene: A Baseline Set of Practices

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Cyber Security Program

CompTIA Cybersecurity Analyst+

CISO as Change Agent: Getting to Yes

Emerging Issues: Cybersecurity. Directors College 2015

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

Information Technology General Control Review

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

NCSF Foundation Certification

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

10 Things Every Auditor Should Do Before Performing a Security Audit

2017 IT Examination Preparedness. Iowa Bankers 2017 Technology Conference October 24, 2017

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

the SWIFT Customer Security

CCISO Blueprint v1. EC-Council

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

CYBERSECURITY HOW IT IS TRANSFORMING THE IT ASSURANCE FIELD

Department of Management Services REQUEST FOR INFORMATION

CYBERSECURITY MATURITY ASSESSMENT

Ransomware A case study of the impact, recovery and remediation events

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

External Supplier Control Obligations. Cyber Security

TEL2813/IS2820 Security Management

Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m.

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Cyber Resilience. Think18. Felicity March IBM Corporation

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference

Ingram Micro Cyber Security Portfolio

Rethinking Information Security Risk Management CRM002

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Building Resilience in a Digital Enterprise

INFORMATION ASSURANCE DIRECTORATE

Gujarat Forensic Sciences University

Protecting productivity with Industrial Security Services

112 th Annual Conference May 6-9, 2018 St. Louis, Missouri

Cyber Criminal Methods & Prevention Techniques. By

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Cybersecurity Session IIA Conference 2018

Altius IT Policy Collection Compliance and Standards Matrix

Heavy Vehicle Cyber Security Bulletin

SECURITY & PRIVACY DOCUMENTATION

Ransomware A case study of the impact, recovery and remediation events

Security Diagnostics for IAM

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Cybersecurity The Evolving Landscape

STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Altius IT Policy Collection Compliance and Standards Matrix

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Tech TV Series. Lisa Niles CISSP, Chief Solution Architect

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Critical Hygiene for Preventing Major Breaches

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

Why you should adopt the NIST Cybersecurity Framework

EC-Council Certified Incident Handler v2. Prepare to Handle and Respond to Security Incidents EC-COUNCIL CERTIFIED INCIDENT HANDLER 1

Reinvent Your 2013 Security Management Strategy

Cyber security tips and self-assessment for business

Transcription:

May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations

Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose to listen with your PC speakers Webinar and phone Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose to listen with your phone Call in number: 888-625-5230 Enter the participant code: 4229 1332# Phone only Call in number: 888-625-5230 Enter the participant code: 4229 1332# 2

Questions During the call, you can submit questions several ways. Via webinar chat: You can submit a question via the Ask Question button in the webinar tool. Your question will only be seen by our presenters. Via email: conversations@stls.frb.org. 3

Todays Presenters Allen North Assistant Vice President Federal Reserve Bank of St. Louis Matthew Case Senior Examiner Federal Reserve Bank of St. Louis Carey Sharp Senior Examiner Federal Reserve Bank of St. Louis 4

Disclaimer The opinions expressed in the presentations are intended for informational purposes, and are not formal opinions of, nor binding on the Federal Reserve Bank of St. Louis or the Board of Governors of the Federal Reserve System. 5

What do we mean by Cybersecurity Posture? This term refers to the overall cybersecurity strength of an organization. We consider the security status of the entire Information Technology (IT) estate, with a primary focus on cyber risks. According to the National Institute of Standards and Technology (NIST), the cybersecurity posture of the organization is the security status of an enterprise s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. 6

Educating the Board It is often difficult to determine how to best educate a bank s board of directors about the bank s network security. Are the branch s front doors locked? That s easy to see. Are the network connections secure? That s harder to determine, especially for less technically-experienced individuals. However, there is a way to do this in a manner that is both effective in measurement and communication. This is done by determining the cybersecurity posture of the bank s IT estate. 7

Implementing Controls The best way to implement controls is through a quality control framework. No more guess work Built on secure architectural principles However, we sometimes see an ad-hoc application of technical controls. This method is characterized by: IT individual s professional knowledge Hot topic of the day Sky is falling prioritization Wait for the examiner to tell us If it s not cheap and easy, it must not be important 8

The Skills Gap Problem 9

Introducing Frameworks What is a framework? A framework can be defined as a basic structure underlying a system, concept, or text. ¹ 1 https://www.google.com/search?q=define+framework 10

Introducing Frameworks Frameworks provide a starting point and a number of benefits for information security/cybersecurity. Specifically, the use of frameworks can: Help management identify gaps in the bank s control structure which may not be covered by a critical control. Provide a measured approach to determine a bank s control implementation against their chosen cybersecurity framework. Assist the board in identifying the areas where resources need to be applied to achieve a stronger cybersecurity posture. Provide a means to to educate the Board on the cybersecurity posture of their bank in a way that is understandable regardless of the directors experience in information technology.

Introducing Frameworks Back to cybersecurity posture 12

Introducing Frameworks Metrics and reporting 13

CIS Top 20 Controls Center for Internet Security (CIS) Top 20 Controls Digestible for any size bank Prioritized, practical, and actionable Align with and map to all of the major compliance frameworks (e.g., NIST, ISO series, PCI, FFIEC, etc.) What are the core, foundational, steps I can take to get most of my security value? 14

CIS Controls How are the Controls structured? 15

Basic Cyber Hygiene #1 Inventory and Control of Hardware Assets Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. You can t secure what you don t know you have! Inventory and control plays a critical role in planning and executing system backup, incident response, and recovery. 16

Basic Cyber Hygiene #2 Inventory and Control of Software Assets Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. Again you can t secure what you don t know you have! Builds upon Control #1 (hardware) and focuses on what software is ALLOWED to run in the environment. 17

Basic Cyber Hygiene #3 Continuous Vulnerability Management Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. Scan Patch Rescan Financial Services Information Sharing and Analysis Center (FS ISAC) or similar organization can be a resource for the latest threats. 18

Basic Cyber Hygiene #4 Controlled use of administrative privileges The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications. Super Users have the keys to the kingdom Administrators are targets 19

Basic Cyber Hygiene #5 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. Beware of default settings Continuous management required 20

Basic Cyber Hygiene #6 Maintenance, Monitoring, and Analysis of Audit Logs Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack. Timing of logs is everything Security Information and Event Management (SIEM) 21

Foundational & Organizational CIS Controls 7-16 (Foundational) 7) Email and Web Browser Protections 8) Malware Defenses 9) Limitation and Control of Network Ports, Protocols, and Services 10) Data Recovery Capabilities 11) Secure Configurations for Network Devices, such as Firewalls, Routers, and Switches 12) Boundary Defense 13) Data Protection 14) Controlled Access Based on the Need to Know 15) Wireless Access Control 16) Account Monitoring and Control CIS Controls 17-20 (Organizational) 17) Implement a Security Awareness and Training Program 18) Application Software Security 19) Incident Response and Management 20) Penetration Tests and Red Team Exercises 22

Drive Security Across the Enterprise The five critical tenets of an effective cyber defense system as reflected in the CIS Controls are: 1. Offense Informs Defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks. 2. Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment. 23

Drive Security Across the Enterprise 3. Measurements and metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly. 4. Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps. 5. Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics. 24

Common Examination Findings The most common findings* in the Eighth District over the last few years as they correlate to the Controls : Hardware/Software (1 & 2) Patch Management (3) Excessive Privileges (4 & 14) Configurations (5 & 11) Wireless (15) Business Continuity Planning/ Disaster Response (10) *Matters Requiring Attention (MRAs) 25

Examiner Expectations Hardware and Software Inventory Know what s connected Know what s in production Vulnerability Management Scanning on a regular frequency Automated patching Admin Privileges Need to know Change all default passwords Configurations Utilize hardening guidelines from industry sources Log Monitoring SIEM (or third-party monitoring) Cross-pollination with incident response discipline 26

Frameworks and Examinations What does the future hold for examination techniques? How does the use and adoption of a security framework align bank and regulatory expectations? Frameworks drive priorities. Priorities drive strategies. Strategies drive budgets. 27

References CIS Controls https://www.cisecurity.org/controls/ NIST Cybersecurity Framework https://www.nist.gov/cyberframework FFIEC IT Examination Handbooks https://ithandbook.ffiec.gov/ 28

Questions Via webinar chat: You can submit a question via the Ask Question button in the webinar tool. Your question will only be seen by our presenters. Via email: conversations@stls.frb.org.. 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback