NCUA IT Exam Focus. By Tom Schauer, Principal CliftonLarsonAllen

My Background and Experience
- Computer Science Degree - Puget Sound
- Information Security Professional for 30 years
- Consultant: Ernst & Young, Deloitte, Guardent (Verisign)
- Started TrustCC in 2000 - IT Security and Compliance; grew to about 20 people; technically superior, devoted, trusted!
- Joined CliftonLarsonAllen in September of 2015

My personal security philosophy
- When you and a friend are being chased by a bear, it is not necessary to outrun the bear; it is only necessary to outrun your friend.
- Effective security may be nothing more than being more secure than the target down the road?
- Absolute security is unattainable.

In the world of networked computers every sociopath is your neighbor.

Opportunistic vs Targeted

Example:


Attack Sophistication

ACH attack timeline (reconstructed from the slide diagram)
- 4:00 PM: the core banking system produces the ACH origination file and places it on a Windows file share; totals are notated (total debits, total credits, total number of batches).
- 4:01 PM: HACKER (the file sits on the Windows file share between creation and upload).
- 4:05 to 5:00 PM: FedLine ACH upload of the file to the Fed; total debits, total credits and total number of batches are confirmed with the Fed.
- In-house ACH originations are most susceptible to this attack vector. Outsourced ACH could also be susceptible.

Why is ACH Susceptible?
- The ACH file format was created in the 1970s and does not include ANY modern security mechanisms.
- The typical ACH process uses a Windows file share as the temporary file location.
- With Windows having 92% of the market share, hackers are most proficient at hacking Windows. 65% to 100% success.
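The control on the timeline slide is that the totals notated at origination are confirmed before the file reaches the Fed. The following is an added example, not part of the presentation or any CliftonLarsonAllen tooling, of automating that check on the file share before FedLine upload. It assumes the standard NACHA 94-character fixed-width layout (record type in column 1, entry amount in columns 30-39, batch-control debit and credit totals in columns 21-32 and 33-44) and the usual transaction-code table; the sample file, account numbers and amounts are constructed for illustration.

```python
from dataclasses import dataclass

# Transaction codes from the NACHA layout (assumption: standard code table).
DEBIT_CODES = {"27", "28", "29", "37", "38", "39"}   # checking/savings debits
CREDIT_CODES = {"22", "23", "24", "32", "33", "34"}  # checking/savings credits


@dataclass(frozen=True)
class AchTotals:
    """The three figures notated at origination on the slide (amounts in cents)."""
    batches: int
    debits: int
    credits: int


def summarize_ach(text):
    """Return (totals, errors).  Totals come from entry-detail ('6') records and
    the count of batch-header ('5') records; errors record malformed lines and
    any batch-control ('8') record whose totals disagree with its entries."""
    batches = debits = credits = 0
    batch_debits = batch_credits = 0
    errors = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) != 94:
            errors.append(f"line {lineno}: record is {len(line)} chars, expected 94")
            continue
        rtype = line[0]
        if rtype == "5":                      # batch header: reset per-batch sums
            batches += 1
            batch_debits = batch_credits = 0
        elif rtype == "6":                    # entry detail: amount in columns 30-39
            code, amount = line[1:3], int(line[29:39])
            if code in DEBIT_CODES:
                debits += amount
                batch_debits += amount
            elif code in CREDIT_CODES:
                credits += amount
                batch_credits += amount
            else:
                errors.append(f"line {lineno}: unknown transaction code {code}")
        elif rtype == "8":                    # batch control: columns 21-32 / 33-44
            ctl_debits, ctl_credits = int(line[20:32]), int(line[32:44])
            if (ctl_debits, ctl_credits) != (batch_debits, batch_credits):
                errors.append(f"line {lineno}: batch control totals disagree with entries")
    return AchTotals(batches, debits, credits), errors


def reconcile(text, notated):
    """True only if the file is internally consistent AND matches the notated
    totals; anything else should hold the FedLine upload for investigation."""
    totals, errors = summarize_ach(text)
    if totals != notated:
        errors.append(f"file totals {totals} differ from notated {notated}")
    return not errors, errors


# --- constructed sample file (not real payment data) -------------------------
def _entry(code, cents, name, trace):
    rec = ("6" + code + "12345678" + "9" + "ACCT0001".ljust(17) + f"{cents:010d}"
           + "ID000001".ljust(15) + name.ljust(22) + "  " + "0" + f"{trace:015d}")
    assert len(rec) == 94
    return rec


def _batch_control(count, debit_cents, credit_cents):
    return ("8200" + f"{count:06d}" + f"{0:010d}"
            + f"{debit_cents:012d}" + f"{credit_cents:012d}").ljust(94)


CLEAN_FILE = "\n".join([
    "1".ljust(94),                                   # file header (content irrelevant here)
    "5200".ljust(94),                                # batch header
    _entry("27", 12500, "PAYROLL A", 1),             # $125.00 debit
    _entry("27", 7500, "PAYROLL B", 2),              # $75.00 debit
    _entry("22", 5000, "REFUND C", 3),               # $50.00 credit
    _batch_control(3, 20000, 5000),
    "9".ljust(94),                                   # file control
])
NOTATED = AchTotals(batches=1, debits=20000, credits=5000)

# Tamper 1: one entry amount raised on the share, batch control left alone.
TAMPERED_FILE = CLEAN_FILE.replace("0000007500", "0000099999")
# Tamper 2: the batch control is fixed up too, so only the notated totals catch it.
TAMPERED_CONTROL_FILE = TAMPERED_FILE.replace("000000020000", "000000112499")

if __name__ == "__main__":
    for label, data in [("clean", CLEAN_FILE), ("tampered entry", TAMPERED_FILE),
                        ("tampered entry+control", TAMPERED_CONTROL_FILE)]:
        ok, errs = reconcile(data, NOTATED)
        print(label, "->", "UPLOAD OK" if ok else "HOLD: " + "; ".join(errs))
```

The two tamper cases show why the notated totals matter: the batch-control check inside the file catches a careless edit, but an edit that also rewrites the batch control passes every in-file check and is only caught by comparing against figures recorded outside the file share.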

1 Secure Computer?
- The only secure computer is one surrounded by concrete and in the bottom of the ocean.
- We are not seeking absolute security, we are seeking enough security, and enough is a moving target!
- Password length was 4, then 8, now 14+
- Passwords were reused, now unique per use

In Response
- NCUA has declared Cybersecurity as the number one priority for 2015 and 2016
- FFIEC issued the Cybersecurity Assessment Tool in 2015
- Starting June 2016, exams will have new Cybersecurity procedures

Historical Guidance
- 2001: GLBA-inspired 12 CFR Part 748
- 2005: 12 CFR Part 748 Appendix B
- 2006: FFIEC Information Security Guide
- Miscellaneous Letters to Credit Unions
- 2015: FFIEC Cybersecurity Assessment Tool (CAT)

FFIEC CAT Tool
- 2015 guidance, originally notated as voluntary; "voluntary" removed Aug 2015
- Starting June 2016, examiners expect some form of cybersecurity risk assessment that is similarly capable as the FFIEC Tool
- Inherent Risk Component
- Controls Maturity Component

FFIEC CAT Tool Inherent risk model must scale to financial institutions of all sizes

FFIEC CAT Tool Maturity model is based upon self reporting and does not have a validation component. Just a risk assessment.

FFIEC CAT Tool

FSISAC CAT Tool

Polling Question: How many have completed the FFIEC CAT using some form of the guidance?
a) Completed
b) Not Completed

A Risk Assessment a Day Keeps the Examiner at Bay

Risk Assessments
- Convenient method of documenting regular risk management analysis and decisions.
- Differentiate between required risk assessments and risk assessment as a management tool.
- Have a simple form:
  - Topic
  - Characterization of Inherent Risk
  - Risk Mitigation and Controls
  - Characterization of Residual Risks
  - Conclusion and Plans for Action

Polling Question: How many use a risk assessment form/process of some kind to regularly document risk management analysis and decisions?
a) Use Documented Form/Process
b) Do Not Use Documented Form/Process

Risk Assess: Attack Targets
- NCUA AIRES File
- Other Core extracts
- Marketing extracts
- Wire Transfers
- ACH Originations

Risk Assess: Ransomware Ransomware and other common attack vectors delivered through social engineering.

Breach Detection: Indicators of Compromise
- The creation or modification of an administrator account
- Any activity which seems to disable antivirus, logging or firewall controls
- Outbound data transfers
- Unknown hosts attached to the network
- Unauthorized or unknown software installed on a known host
- Consecutive invalid password attempts on multiple user IDs from the same IP
- Consecutive access denied events on a single account on multiple hosts from the same IP
- Attempts to access disabled accounts
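Several of these indicators can be checked directly against authentication and audit logs, which is what the polling question that follows asks about. The following is an added example (not code from the presentation) that applies the log-visible indicators from the list above: the password-spray pattern (many user IDs, one IP), the single-account-many-hosts pattern, attempts against disabled accounts, administrator-account changes, and stopped security services. The "timestamp key=value" event format, the five-minute window, the threshold of three and the event names are all assumptions for illustration, and the log lines are constructed; indicators that need network telemetry (outbound transfers, unknown hosts) are out of scope here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: "consecutive" means within WINDOW, and an alert fires once
# the number of distinct users (spray) or hosts (probe) reaches THRESHOLD.
WINDOW = timedelta(minutes=5)
THRESHOLD = 3
SECURITY_SERVICES = {"antivirus", "eventlog", "firewall"}  # controls an intruder would disable

# Constructed events in an assumed "timestamp key=value ..." format (not real logs).
SAMPLE_LOG = """\
2016-06-01T09:00:01 host=dc01 src=10.0.0.50 user=alice event=logon_fail reason=bad_password
2016-06-01T09:00:02 host=dc01 src=10.0.0.50 user=bob event=logon_fail reason=bad_password
2016-06-01T09:00:03 host=dc01 src=10.0.0.50 user=carol event=logon_fail reason=bad_password
2016-06-01T09:00:04 host=dc01 src=10.0.0.50 user=dave event=logon_fail reason=bad_password
2016-06-01T09:10:00 host=fs01 src=10.0.0.77 user=svc_backup event=access_denied
2016-06-01T09:10:05 host=fs02 src=10.0.0.77 user=svc_backup event=access_denied
2016-06-01T09:10:09 host=db01 src=10.0.0.77 user=svc_backup event=access_denied
2016-06-01T09:30:00 host=dc01 src=10.0.0.50 user=oldadmin event=logon_fail reason=account_disabled
2016-06-01T10:00:00 host=dc01 src=10.0.0.12 user=helpdesk2 event=group_member_added group=Administrators actor=jsmith
2016-06-01T10:05:00 host=ws17 src=10.0.0.17 user=jsmith event=service_stopped service=antivirus
2016-06-01T11:00:00 host=dc01 src=10.0.0.9 user=alice event=logon_fail reason=bad_password
"""


def parse(line):
    """One event line -> dict; the first token is an ISO-8601 timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(log_text):
    """Apply the slide's log-visible indicators of compromise.  Returns alert
    tuples in the order the triggering events occur."""
    alerts = []
    spray = defaultdict(list)   # src IP -> [(ts, user)] for failed logons
    probe = defaultdict(list)   # (src IP, user) -> [(ts, host)] for access denied
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        kind = ev.get("event")
        if kind == "logon_fail" and ev.get("reason") == "account_disabled":
            alerts.append(("disabled_account_access", ev["src"], ev["user"]))
        elif kind == "logon_fail":
            hits = spray[ev["src"]]
            hits.append((ev["ts"], ev["user"]))
            users = {u for t, u in hits if ev["ts"] - t <= WINDOW}
            if len(users) == THRESHOLD:   # fire once, as the threshold is crossed
                alerts.append(("password_spray", ev["src"], sorted(users)))
        elif kind == "access_denied":
            hits = probe[(ev["src"], ev["user"])]
            hits.append((ev["ts"], ev["host"]))
            hosts = {h for t, h in hits if ev["ts"] - t <= WINDOW}
            if len(hosts) == THRESHOLD:
                alerts.append(("single_account_multi_host_denied",
                               ev["src"], ev["user"], sorted(hosts)))
        elif (kind in {"account_created", "group_member_added"}
              and ev.get("group") == "Administrators"):
            alerts.append(("admin_account_change", ev.get("actor"), ev["user"]))
        elif kind == "service_stopped" and ev.get("service") in SECURITY_SERVICES:
            alerts.append(("security_control_disabled", ev["host"], ev["service"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Run against the constructed log, the detector raises five alerts, one per indicator represented in the sample; the lone failed logon for alice from a different address at 11:00 stays below the spray threshold and is not reported. The point for the polling question that follows is that a process like this only proves itself if it is exercised with test events of exactly this kind.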

Polling Question: How many believe their process will detect and alert to these indicators of compromise?
a) All, and our testing proves it!
b) All, but we've not validated/tested.
c) Some, testing shows gaps.
d) Some, but testing needed.
e) Oh boy, we are in trouble.

Breach Preparedness and Testing
- Cybersecurity Insurance: who is covered, when are they covered, how?
- Incident Response Plan
- Notice Obligations (12 CFR Part 748 Appendix B)
- Plan Testing
- Covert Pen Testing (True Breach Simulation)
- Table Top Scenario Testing

Using Standards
"Engage a large, nationwide IT auditing firm with extensive experience performing IT governance audits for a range of industries to perform an ISO-based Information Security Assessment leveraging a methodology rooted in industry standards and best practices (ISO 27002, 27015)."

Examiner Skills
- RISOs: generally very well qualified, full time
- SMEs: less experienced, part time
- Skilled: understands the role, operationally savvy
- Over Achiever: expectations beyond authority
- Under Achiever: checklist reviews

Polling Question: What was the skill of your most recent IT examiner?
a) Skilled
b) Over Achiever
c) Under Achiever

Standards to consider
- Great tools for measuring progress towards a goal
- In addition to the FFIEC CAT:
  - SANS / CIS Twenty Critical Security Controls
  - ISO 27001/27002
  - NIST 800-53A and others
  - COBIT

Polling Question: Are you measuring your security program against a specific standard?
a) No
b) Yes, SANS/CIS Twenty Critical
c) Yes, NIST
d) Yes, ISO
e) Yes, Other or Several of the Above

Covert Breach Testing Security Assessments performed with IT knowledge and collaboration can be the most thorough and effective tests but they fail to evaluate breach detection and response capabilities.

Vulnerability Management
- Supplement / support patch management
- Credentialed vulnerability scans
- Remediation and reconciliation reporting

Frequency of Testing
- Risk Assessment
- Penetration Testing
- Vulnerability Assessment
- General Controls Review
- Social Engineering
- True Breach Simulation

Password Management
- Passwords are clearly the weakest link in the security chain.
- Equip users to select strong passwords.
- Length increasing to 14
- Stronger requirements for Admins
- Distinct Admin/User accounts with unique PWs
- Password Wallets?

Board Reporting
- Regular: consider monthly, quarterly
- All elements:
  - Information Security Program and status
  - IT and InfoSec Policies
  - Security Breaches or attempted breaches
  - IT Strategic Plan
  - Information Security Risk Assessment
  - Business Continuity Plan and Testing Results
  - Incident Response Plan
  - Results from Vendor Management Reviews
  - Insurance coverage for IT risks

"The threat has reached the point that, given enough time, motivation, and funding, a determined adversary will likely be able to penetrate any system accessible from the Internet." Joseph M. Demarest, Assistant Director, Cyber Division, FBI, before the Senate Judiciary Committee, May 8, 2013

This is your security program! Time, Motivation, Funding, Profit

And...
- Business Continuity Planning
- Vendor Management
- Information Security Policies

Any Questions? tom.schauer@claconnect.com 253-468-9750 CliftonLarsonAllen