Disclaimer
• Materials are designed to give general information on the specific subjects covered and are for educational and discussion purposes only. They are not intended to be a comprehensive summary of regulations, laws, guidance, or regulatory work programs.
FDIC and FRB
• Using the Information Technology Risk Examination (InTREx) Program
• Assigning Component Ratings and a Composite Rating
Traditional IT Examination Areas
• Information and Cyber Security
• IT Management
• Audit
• Operations/Support and Delivery
  – Network
  – Operations
• Acquisition and Development
• Business Continuity
• Incident Response
• Outsourced Third Party Risk Management
• Internet Banking/Ebanking
• EFT/Payment Systems
Update on CAT
• Must complete a cyber assessment
• Not required to use the FFIEC tool
• Phase One of CAT update and revisions completed May 2017
• Response options provided: Yes, Yes with comment, No
Update on CAT
• Examiners are looking for validation of responses: comments/explanation on responses
• Example:
  • Processes are in place to identify additional expertise needed to improve information security defenses.
    • Yes
    • Comment: Through our risk assessment and budgeting processes.
  • Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
    • Yes
    • Comment: Access is controlled; however, we are in the process of researching a tool for monitoring access and activity.
Update on CAT
• Baseline is the minimum requirement and expectation
• Based on basic regulatory guidance and FFIEC Booklets
• Establish “Desired Target Maturity Level”
• Create “Action Plan” to reach the Desired Target Maturity Level
Information Security
• Strong Board and Senior Management support
• Integration of security and controls throughout business processes
• Clear accountability for carrying out security responsibilities
• Focus on information and cyber security controls
Information Security Program
• Robust program
  • Risk identification
  • Risk measurement
  • Risk mitigation
  • Risk monitoring and reporting
• Incorporate cybersecurity elements
• Comprehensive testing and assurance to determine the effectiveness of the Program
Information Security Program
• Integrate processes, people, and technology
• Maintain risk profile in accordance with the Board’s risk appetite
• Encompass the entire Bank, not just focus on IT controls
Risk Appetite Statement
The Board has established specific strategic goals and objectives as defined in the Organizational Strategic Plan for the Bank. To increase the probability of achieving these goals, the Board has established acceptable risk tolerances within its risk appetite. The Board periodically reviews the risk appetite and associated tolerances and may adjust them to adapt to changing economic conditions, the threat landscape and/or strategic goals.
Overall, the Board desires to maintain enterprise Information/Cyber Security risk mitigation and control strategies that will reduce inherent risk to a moderate or low level as feasible. Specifically relating to the Cyber Security Assessment, our goal is to maintain a reasonable alignment of our Inherent Risk Level and Cyber Maturity Levels based on the Assessment. When either the enterprise Information/Cyber Security Risk is High or the Cyber Security Assessment levels are out of alignment or high, the Board will be notified and kept apprised of the situation until the items are addressed.
Information Security Program
• Completion of a Cyber Assessment
• Target Inherent Risk Level and Cyber Maturity Level
• Cyber Security Strategy
• Integration of Cyber Security and Information Security
Enterprise-wide Information Security Risk Assessment
• If Management cannot or chooses not to mitigate a vulnerability, it should document:
  • Decision to accept
  • Level of risk associated with the vulnerability
  • Person accountable for accepting the risk
Risk Measurement
• Use threat analysis tools
  • Understand and support measurement of information security related risks
  • Map threats and vulnerabilities
  • Improve consistency in risk measurement
  • Highlight potential areas for mitigation
  • Select proper controls to cover various attack stages, channels, and assets
  • Allow comparisons among threats, events, and potential mitigating controls
Risk Mitigation
• Develop and implement an appropriate plan to mitigate identified risks
• Understand extent and quality of the current control environment
• Consider system controls rather than any discrete control
• Obtain, analyze, and respond to information from sources like FS-ISAC (threat intelligence gathering)
• Develop, maintain, and update a repository of cybersecurity threat and vulnerability information
Inventory and Classification of Assets
• Updated inventory
• Classifies the sensitivity and criticality of assets
  • Hardware, software, information, and connections
  • High, Medium, Low
  • Public, non-public, institution confidential
  • Critical and non-critical
• Policies to govern inventory and classification
  • Inception and throughout life cycle
Interconnectivity Risk
• Sharing information with other institutions and third parties
• Risk
  • Misuse
  • Mismanagement
  • Compromise of connections
Mitigation of Interconnectivity Risk
• Identify all connections
• Identify all access points and connection types
• Identify connections between and access across low risk and high risk systems
  • LAN, ISP, WiFi, cellular
• Assess all connections with third parties that provide remote access or control over internal systems
• Implement and assess adequacy of controls to ensure security of connections (regardless of criticality or sensitivity)
Network Controls
• Establish trusted and non-trusted zones; segment the network
• Implement appropriate controls over wired and wireless networks
• Maintain accurate network diagrams and data flow diagrams
• Develop a data inventory
Network and Data Flow Diagram
• Identify:
  • Hardware
  • Software
  • Network components
  • Internal and external connections, including cloud
  • Types of information passed between systems, to facilitate the development of defense-in-depth security
Network Controls
• Defense-in-depth
  • Blacklist to disallow code execution
  • Whitelist approved programs
  • Port monitoring
  • Monitoring of unauthorized software installation
  • Monitoring for anomalous activity
  • Monitor network traffic
Log Management
• A SIEM provides a method for management to:
  • Collect
  • Aggregate
  • Analyze
  • Correlate
Log Management
• Should have effective log retention policies
• Strictly control and monitor access to log files
• Encrypt logs containing sensitive data or transmitted over the Internet
• Ensure adequate storage
• Secure backup and disposal of log files
• Log data to a separate, isolated computer
• Log data to read only media
• Set log parameters to disallow any modification to previously written data
• Restrict access to log files
Log Management
• SIEM is used to gather information from:
  • Network and security devices and systems
  • Identity and access management applications
  • Vulnerability management and policy compliance tools
  • Operating system, database, and application logs
  • Physical and environmental monitoring systems
  • External threat data
Logging
• Inactive user accounts
• Failed login attempts
• Changes to administrative groups
• Account management
• Access to sensitive files and folders
• Security events
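An added example (not from the presentation) that runs three of the checks this slide lists over constructed audit events: a burst of failed logon attempts, any change to an administrative group, and accounts with no successful logon in 90 days. The Windows Security-log event IDs (4624, 4625, 4728/4732/4756) and the sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, event id, account, detail).
# Event ids follow Windows Security-log numbering (assumption):
# 4624 successful logon, 4625 failed logon, 4728/4732/4756 member added to a
# security-enabled group.
EVENTS = [
    ("2024-03-01T09:00:00", 4624, "alice", "logon"),
    ("2024-03-01T09:01:00", 4625, "bob", "failed logon: bad password"),
    ("2024-03-01T09:02:00", 4625, "bob", "failed logon: bad password"),
    ("2024-03-01T09:03:00", 4625, "bob", "failed logon: bad password"),
    ("2024-03-01T09:04:00", 4625, "bob", "failed logon: bad password"),
    ("2024-03-01T09:05:00", 4625, "bob", "failed logon: bad password"),
    ("2024-03-01T10:00:00", 4728, "carol", "added svc-backup to Domain Admins"),
    ("2024-03-02T08:30:00", 4624, "carol", "logon"),
]
# Accounts from the user inventory (constructed); "dave" never logs on.
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave"}


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with at least `threshold` failed logons inside one `window`."""
    failures = defaultdict(list)
    for ts, event_id, account, _ in events:
        if event_id == 4625:
            failures[account].append(datetime.fromisoformat(ts))
    flagged = set()
    for account, times in failures.items():
        times.sort()
        # Sliding window: compare each failure with the (threshold-1)th after it.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(account)
                break
    return flagged


def admin_group_changes(events):
    """Every membership change to a security-enabled group, for review
    against approved change tickets."""
    return [(ts, account, detail) for ts, event_id, account, detail in events
            if event_id in (4728, 4732, 4756)]


def inactive_accounts(events, known, as_of, days=90):
    """Known accounts with no successful logon in the `days` before `as_of`."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=days)
    active = {account for ts, event_id, account, _ in events
              if event_id == 4624 and datetime.fromisoformat(ts) >= cutoff}
    return sorted(known - active)
```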
Change Management
• Process to introduce changes to the environment in a controlled manner
• Configuration management of IT systems and applications
• Hardening of systems and applications
• Use of standard builds
• Patch management
Configuration Management
• Securely maintaining technology by developing baselines for tracking, controlling, and managing system settings
• Confirm security settings
• Track, verify, and report configuration items
• Monitor unauthorized changes and misconfiguration
Patch Management
• Process:
  • Monitoring that identifies availability of patches
  • Evaluating patches against the threat and network environment
  • Prioritizing to determine which patches apply
  • Obtaining, testing, securely installing
  • Exception process with appropriate documentation for delaying or not applying
  • Ensuring all patches installed in the production environment are also installed in the DR environment
  • Documenting in the asset and technology inventory and the DRP when patches are applied
End of Life
• Maintaining inventories of systems and applications
• Adhering to approved EOL or sunset policy
• Tracking change management, updates, end of support
• Risk assessment to help determine EOL
• Plan for replacement (IT Strategic Plan)
• Plan for and securely destroy or wipe hard drives
Testing
• Management should ascertain that the Information Security Program is operating securely, as expected, and reaching intended goals
• Two types of tests mentioned:
  • IT system’s design
  • IT system’s operation
Testing Plans
• Key Factors
  • Scope
  • Personnel
  • Notifications
  • Confidentiality, integrity, availability
  • Confidentiality of test plans and data
  • Frequency
  • Proxy testing
Information Security Officer/Chief Information Security Officer
• Not an IT resource
• Strategic and integral part of the business management team
• Enterprise-wide risk manager
• Championing security awareness training programs
• Reports directly to the Board, a Board Committee, or Senior Management
IT Planning
• Short term and long term goals
• Align with business plans
• Identify and measure risk before implementation
• Ensure infrastructure to support
• Integrate IT spending into the budgeting process
IT Strategic Planning
• Addresses the long-term goals and allocation of IT resources
• Three to five year timeframe
• Helps ensure alignment with the Institution’s business plans and goals
• Risk management/controls
• Addresses budget
• Board reporting
Tactical Plan
• Supports the IT Strategic Plan
• Defines specific steps necessary to complete
  • Hardware and software architecture
  • End user computing resources
  • Processing done by third party providers
Operational Plan
• Supports the IT Strategic Plan and Tactical Plan
• Addresses in more detail the steps to implement
  • Specific tasks and timelines
  • Responsibilities for each task and milestone
  • Drop dead dates
  • Budgetary needs
Budgeting
• Management performance
• Consider undocumented costs
  • Repairs, support, upgrades, lifetime management
• Can be a separate IT budget
Common Exam Findings
• Third party risk management program/vendor management not comprehensive
• Untimely annual third party oversight
• Need process for monitoring problems with a third party provider or a “troubled” third party
Common Exam Findings
• Outsourced Third Party Risk Management/Vendor Management
  • Risk assessment not including all relationships; broaden criteria beyond mission critical and access to customer information
  • Not performing and documenting due diligence reviews, and reporting to the Board, for prospective third party providers
  • Ongoing oversight of third parties not comprehensive
Common Exam Findings
• Insufficient asset inventory (hardware, software, devices)
  • Need all information systems assets/equipment
  • Asset, Role, Location, Model, Serial #, OS, Patch level, Prioritization, Number of licenses owned
Common Exam Findings
• Business continuity planning
  • Comprehensive business impact analysis does not include:
    • MAD, RTOs, RPOs, recovery of the critical path
    • Acceptable level of losses associated with business functions and processes
  • Inadequate documentation, maintenance, and testing of the plan and backup
  • Tabletop and overall testing needs to be more robust
Common Exam Findings
• No data flow diagram
• No data inventory
• Network topologies not comprehensive
  • Depict LAN, WAN
  • Show all devices, external and internal connectivity
Common Exam Findings
• Lack of Board cyber security discussions
• Lack of Board cyber security training
  • FS-ISAC Executive Briefings
  • FDIC Cyber Security Challenge
** Every board member should have an understanding of their responsibility
Common Exam Findings
• Lack of or infrequent reporting to the Board on cyber security and IT
  • Threat intelligence
  • Security event monitoring (SIEM)
  • Patch management
  • Asset inventory updates
Common Exam Findings
• CAT
  • General confusion on baseline controls
  • Inaccurate level of maturity
  • Having a compliance frame of mind (just checking off the box) vs. a process, security frame of mind
Common Exam Findings
• Lack of employee information security training
  • Only using generic online training, e.g. BAI, BVS, etc.
  • Need more on bank processes, policies, controls
Common Exam Findings
• Lack of segregation or conflict of IT officer/manager and Information Security Officer duties
• Enterprise-wide information security risk assessment not presented to the Board for review and approval
• Network Admin accounts not renamed
Common Exam Findings
• Admin and service accounts not managed; need more robust credentials
• Administrators need to have an admin profile and a separate general user profile
• Audit not doing a deep dive on user profiles and access
Common Exam Findings
• IT Strategic Plan does not identify both long and short term projects, goals, and objectives
  • Address competitive demands of the marketplace, budget, periodic reports to the Board, status of risk management controls
Common Exam Findings
• Lack of patching of security devices (FW, IDS, IPS, etc.)
• Need standards for infrastructure patching based on risk/criticality
  • 1st priority: Internet facing systems
  • 2nd priority: Systems/applications that move money
  • 3rd priority: Any system/application that has confidential information
  • 4th priority: All other systems/applications
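An added example (not from the presentation) that turns the four patch priorities above into a ranking over an inventory carrying the fields listed in the asset-inventory finding, and that flags production assets whose DR counterpart lags behind production (the DR point on the Patch Management slide). The three boolean attributes, the year-month patch levels and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """Inventory record with the asset-inventory slide's fields; the booleans are assumptions."""
    name: str
    role: str
    location: str
    model: str
    serial: str
    os: str
    patch_level: str          # ISO year-month of the last applied update (constructed)
    licenses: int = 1
    internet_facing: bool = False
    moves_money: bool = False
    confidential_data: bool = False


def patch_priority(asset):
    """Prioritization field: 1 Internet facing, 2 moves money, 3 confidential info, 4 all other."""
    if asset.internet_facing:
        return 1
    if asset.moves_money:
        return 2
    if asset.confidential_data:
        return 3
    return 4


def patch_order(assets, current_level):
    """Names of assets behind `current_level`, highest priority first."""
    behind = [a for a in assets if a.patch_level < current_level]
    return [a.name for a in sorted(behind, key=lambda a: (patch_priority(a), a.name))]


def dr_gaps(prod, dr):
    """Production assets whose DR counterpart lags the production patch level."""
    dr_level = {a.name: a.patch_level for a in dr}
    return sorted(a.name for a in prod
                  if a.name in dr_level and dr_level[a.name] < a.patch_level)


PROD = [  # constructed sample inventory (year-month strings compare correctly as text)
    Asset("fw-edge", "perimeter firewall", "DC-A", "FW200", "SN-1", "FW-OS 7", "2024-01", internet_facing=True),
    Asset("wire-app", "wire transfer server", "DC-A", "R740", "SN-2", "Windows Server 2019", "2024-02", moves_money=True),
    Asset("file-srv", "branch file server", "Branch 3", "R540", "SN-3", "Windows Server 2019", "2024-01", confidential_data=True),
    Asset("kiosk-1", "lobby kiosk", "Branch 3", "NUC", "SN-4", "Windows 10", "2024-01"),
    Asset("web-mail", "webmail front end", "DC-A", "R740", "SN-5", "Windows Server 2019", "2024-03", internet_facing=True, confidential_data=True),
]
DR = [
    Asset("fw-edge", "perimeter firewall", "DC-B", "FW200", "SN-6", "FW-OS 7", "2024-01", internet_facing=True),
    Asset("wire-app", "wire transfer server", "DC-B", "R740", "SN-7", "Windows Server 2019", "2024-01", moves_money=True),
]
```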
Common Exam Findings
• Vulnerability assessments are limited to scans of IP addresses
  • Need authenticated scans to check internal services, patches, etc.
  • Do at least quarterly
• Lack of social engineering training
• Lack of social engineering testing
Common Exam Findings
• Cloud services
  • Not performing thorough due diligence
  • Risk assess services, security, and controls
  • Know where data is and whether it is secured in transit and/or at rest
  • Does it fit into strategic/business plans
  • Don’t leave out the “core provider”
  • Private cloud
    • Where are the servers
    • What security is in place
Common Exam Findings
• Audit
  • Do not have a comprehensive IT audit plan/policy
  • Do not have an IT audit risk assessment
  • Not documenting findings and follow-up corrective action
Questions?
Susan Orr Consulting, Ltd
www.susanorrconsulting.com
630.499.0276