Presentation is loading. Please wait.

Presentation is loading. Please wait.

FFIEC Cybersecurity Assessment Tool Maine Credit Union League September 23, 2015 Patrick Truett, Information Systems Officer National Credit Union Administration.

Published byDarren Gerard O’Connor’ Modified over 8 years ago

Similar presentations

Presentation on theme: "FFIEC Cybersecurity Assessment Tool Maine Credit Union League September 23, 2015 Patrick Truett, Information Systems Officer National Credit Union Administration."— Presentation transcript:

1 FFIEC Cybersecurity Assessment Tool Maine Credit Union League September 23, 2015 Patrick Truett, Information Systems Officer National Credit Union Administration

2 Risk Trends FFIEC Cybersecurity Efforts Cybersecurity Assessment Tool 2 Agenda

3 Existing vulnerabilities continue to be exploited Easily exploitable vulnerabilities persist New platforms create new cyber attack opportunities New ways to exploit financial institutions and their customers Lines between cyber actors are blurring Commercialization of tools, resources, and infrastructure 3 Risk Trends

4 Tactics evolve in response to online behavior Social networks enable more effective and targeted attacks Trends in malware are evolving Destructive malware and cryptographic ransomware Global unrest results in changing motivations Regions that either have cyber capabilities or resources to purchase them may turn their focus towards U.S. financial institutions during political and social unrest. 4 Risk Trends

5 Potential Impacts Financial Operational Legal Reputational 5 Risk Trends

6 FFIEC CYBERSECURITY EFFORTS

7 Cybersecurity and Critical Infrastructure Working Group Joint statements and alerts Cybersecurity awareness website and CEO webinar Cybersecurity assessment of community institutions 7 FFIEC Cybersecurity Efforts

8 Issue a Cybersecurity Assessment Tool Enhance incident analysis Align, update and test crisis management protocols Develop training programs for staff Update and supplement the Information Technology Examination Handbook Enhance focus on Technology Service Providers Collaborate with law enforcement and intelligence agencies 8 FFIEC Cybersecurity Efforts

9 FFIEC CYBERSECURITY ASSESSMENT TOOL

10 Objective To help institutions identify their risks and determine their cybersecurity maturity. The Assessment provides institutions with a repeatable and measureable process to inform management of their institution’s risks and cybersecurity preparedness. 10 FFIEC Cybersecurity Assessment Tool

11 Consistent with the principles in FFIEC Information Technology Examination Handbook (IT Handbook) National Institute of Standards and Technology (NIST) Cybersecurity Framework Industry accepted cybersecurity practices 11 FFIEC Cybersecurity Assessment Tool

12 Consists of two parts Part One: Inherent Risk Profile Part Two: Cybersecurity Maturity 12 FFIEC Cybersecurity Assessment Tool

13 Inherent Risk Profile Categories Technologies and Connection Types Delivery Channels Online/Mobile Products and Technology Services Organizational Characteristics External Threats 13 FFIEC Cybersecurity Assessment Tool

14 Inherent Risk Profile Risk Levels Type, volume, and complexity of operations and threats directed at the institution 14 FFIEC Cybersecurity Assessment Tool

15 Category: Technologies and Connection Types Risk Levels LeastMinimalModerateSignificantMost Total number of internet service provider (ISP) connections (including branch connections) No connectionsMinimal complexity (1–20 connections) Moderate complexity (21–100 connections) Significant complexity (101– 200 connections) Substantial complexity (>200 connections) Unsecured external connections, number of connections not users (e.g., file transfer prototype (FTP), Telnet, rlogin) NoneFew instances of unsecured connections (1–5) Several instances of unsecured connections (6–10) Significant instances of unsecured connections (11–25) Substantial instances of unsecured connections (>25) 15 Risk Levels Activity, Service or Product Inherent Risk Profile Excerpt FFIEC Cybersecurity Assessment Tool

16 Maturity Levels 16 FFIEC Cybersecurity Assessment Tool

17 Cybersecurity Maturity Cyber Risk Management and Oversight Threat Intelligence and Collaboration Cybersecurity Controls External Dependency Management Cyber Incident Management and Response 17 FFIEC Cybersecurity Assessment Tool

18 18 DomainAssessment Factors 1Cyber Risk Management & Oversight Governance Risk Management Resources Training and Culture 2Threat Intelligence & Collaboration Intelligence Sourcing Monitoring and Analyzing Information Sharing 3Cybersecurity Controls Preventative Controls Detective Controls Corrective Controls 4External Dependency Management Connections Relationships Management 5Cyber Incident Management & Resilience Incident Resilience Planning and Strategy Detection, Response and Mitigation Escalation and Reporting FFIEC Cybersecurity Assessment Tool

19 Cybersecurity Maturity Domains Assessment Factors Components Declarative Statements 19 FFIEC Cybersecurity Assessment Tool

20 20 Domain 1: Cyber Risk Management and Oversight Assessment Factor: Governance Y, N OVERSIGHT Baseline Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs. Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts. Management provides a written report on the overall status of the information security and business continuity programs with the board or an appropriate committee of the board at least annually. Budgeting process includes information security related expenses and tools. Management considers the risks posed by other critical infrastructures (e.g., telecom, energy) to the institution. Domain Maturity Level Declarative Statement Component Assessment Factor Cybersecurity Maturity Excerpt FFIEC Cybersecurity Assessment Tool

21 Cybersecurity Maturity/Risk Relationship Lowest Risk Institutions Highest Risk Institutions 21

22 Patch Management INNOVATIVE ADVANCED Develops Patches, Fixes or Open Source Code. Redundant Systems for Testing, Deployment, and Fallback. INTERMEDIATE Comprehensive Patch Software on Servers Aggressive Testing & Application (0-30 days) EVOLVING High-Risk Patches Tested/Applied or Accountability Assigned BASELINE Formal Program Impact Evaluated Automated Retrieval Missing Patches: Automated Comprehensive Tracking/Prioritization Timely Patching Patch Testing Missing Patch Report Review MATURITY PROGRESSION 22

23 FFIEC Cybersecurity Assessment Tool Inherent Risk Levels LeastMinimalModerateSignificantMost Cybersecurity Maturity Levels Innovative Advanced Intermediate Evolving Baseline Elevated Investment Underinvestment Optimal 23

24 Assessment Process 3. Assess Maturity 7. Adjust Program Involve BOD Throughout 1. Identify Critical Functions & Vendors 4. Determine Target State 2. Complete Inherent Risk Profile 6. Allocate Resources Establish Risk Appetite 5. Develop Plan to Address Gaps 24

25 Supporting Materials User’s Guide Overview for CEOs and Boards of Directors Appendix A: Mapping Baseline Statements to FFIEC IT Handbook Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework Appendix C: Glossary 25 FFIEC Cybersecurity Assessment Tool

26 Benefits to Institutions Identifying factors contributing to and determining the institution’s overall cyber risk. Assessing the institution’s cybersecurity preparedness. Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks. Determining risk management practices and controls that could be enhanced and actions that could be taken to achieve the institution’s desired state of cyber preparedness. Informing risk management strategies. 26 FFIEC Cybersecurity Assessment Tool

27 Thanks For Your Time! CU_cybersecurity@ncua.gov Questions/Comments About the Tool Dedicated NCUA email for your questions: 27

28 Office Contact Page Feel free to contact our office with questions or comments. Tim Segerson Deputy E&I Director segerson@ncua.gov 703-518-6397 Patrick Truett Information Systems Officer ptruett@ncua.gov 703-518-6396 28

Download ppt "FFIEC Cybersecurity Assessment Tool Maine Credit Union League September 23, 2015 Patrick Truett, Information Systems Officer National Credit Union Administration."

Similar presentations

Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.

Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
National Infrastructure Protection Plan

National Infrastructure Protection Plan
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Network security policy: best practices

Network security policy: best practices
Patch Management Strategy

Patch Management Strategy
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Information Technology Audit

Information Technology Audit
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Thomas Hacker Barb Fossum Matthew Lawrence Open Science Grid May 19, 2011.

Thomas Hacker Barb Fossum Matthew Lawrence Open Science Grid May 19, 2011.
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Information Security Governance 25 th June 2007 Gordon Micallef Vice President – ISACA MALTA CHAPTER.

Information Security Governance 25 th June 2007 Gordon Micallef Vice President – ISACA MALTA CHAPTER.
N By: Md Rezaul Huda Reza n

N By: Md Rezaul Huda Reza n
BITS Proprietary and Confidential © BITS 2003. Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.

BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.
THE REGIONAL MUNICIPALITY OF YORK Information Technology Strategy & 5 Year Plan.

THE REGIONAL MUNICIPALITY OF YORK Information Technology Strategy & 5 Year Plan.
The Challenge of IT-Business Alignment

The Challenge of IT-Business Alignment
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

Similar presentations

Ads by Google