Published by Norma Fields. Modified over 9 years ago.
PACB One-Day Cybersecurity Workshop
CYBERSECURITY IN YOUR ISP!
PRESENTED BY: JON WALDMAN, SBS – CISA, CRISC
© Secure Banking Solutions, LLC www.protectmybank.com
Agenda
- What is cybersecurity?
- What do I need to know about cybersecurity?
- What are some of today’s cybersecurity threats?
- How do I build a useful Information Security Program?
- How do I build a Risk Assessment that helps me make decisions?
- People are the weakest link; how do I prepare and train my people to mitigate risk?
- Bad things are going to happen; it’s inevitable. How do I plan for and prepare to respond to incidents?
Building an Information Security Program
HOW TO MAKE YOUR ISP YOUR BEST FRIEND!
Gramm-Leach-Bliley Act
- Management must develop a written information security program
- What is the “M” in the CAMELS rating? Management.
- The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank
Written Information Security Program
- Includes administrative, technical, and physical safeguards appropriate to the bank’s size and complexity and the nature and scope of its activities
- Represented by a set of policies and procedures that implement the controls identified in the risk assessment
Gramm-Leach-Bliley 501(b)
FINANCIAL INSTITUTIONS SAFEGUARDS.—In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards—
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
FDIC - Appendix B to Part 364
A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.
B. Objectives. A bank's information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information;
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
4. Ensure the proper disposal of customer information and consumer information.
Top 10 ISP Issues
1. Incomplete: no standard to follow and missing key components (vendor management, scanning)
2. Not documented
3. Non-auditable statements
4. Hard to maintain (gets out of date quickly)
5. Developed reactively
6. Lack of management/board involvement
7. Moving target: the bar is continually raised
8. Lack of automation: policy is developed by hand, the risk assessment is completed by hand, etc.
9. Poor IT risk assessment
10. Insufficient audit: qualifications, independence, scope, etc.
Policy
Each new policy gets bolted on. Older policies get older. More stuff gets added to fix old stuff that is still there. Why does this happen? Don’t you like policy writing? Oh no! Not the GLOB!
Ideally…
A customized ISP for a community bank includes the best of:
- Custom ISP
- Exam Procedures
- Exam Booklets
IT Risk Assessment
The Gramm-Leach-Bliley Act requires you to develop and implement an Information Security Program (ISP) based on the IT Risk Assessment:
- Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of bank information or bank information systems.
- Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the bank information.
- Assessment of the sufficiency of the policies, procedures and bank information systems in place to control the identified risks.
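The three steps above are the skeleton of a risk register. As an added example (not the slides’ own material or an SBS tool), the script below walks them for a handful of threats and produces the ranked Red/Yellow/Green output that management can actually decide from. The 1 to 5 scales, the 0 to 4 control-strength scale, the residual-risk formula, the band cut-offs and the four sample threats are all constructed assumptions; substitute your own.

```python
"""Added example (not from the slides or SBS): a small IT risk register that
walks the three GLBA risk-assessment steps and turns them into a ranked,
Red/Yellow/Green list that management can act on.  The scales, the
residual-risk formula and the sample threats are constructed assumptions."""
import math
from dataclasses import dataclass

RED, YELLOW, GREEN = "Red", "Yellow", "Green"


@dataclass
class Threat:
    """One reasonably foreseeable threat against one asset (step 1)."""
    name: str
    asset: str
    likelihood: int        # constructed 1..5 scale: 1 = rare, 5 = expected this year
    impact: int            # constructed 1..5 scale, driven by data sensitivity
    control_strength: int  # constructed 0..4 scale: 0 = no control, 4 = fully mitigates

    def inherent(self) -> int:
        """Step 2: likelihood x potential damage, before crediting any safeguard."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Step 3: credit the existing control.  Each point of strength removes a
        quarter of the inherent risk; a floor of 1 keeps 'fully mitigated' from
        reading as 'no risk at all'."""
        remaining = self.inherent() * (4 - self.control_strength) / 4
        return max(1, math.ceil(remaining))


def band(score: int) -> str:
    """Map a residual score onto the Red/Yellow/Green scheme (constructed cut-offs)."""
    if score >= 15:
        return RED
    if score >= 8:
        return YELLOW
    return GREEN


def rank_register(threats):
    """Return (name, asset, inherent, residual, band) tuples, worst residual first;
    ties are broken by inherent risk so the bigger exposure surfaces first."""
    rows = [(t.name, t.asset, t.inherent(), t.residual(), band(t.residual()))
            for t in threats]
    return sorted(rows, key=lambda r: (-r[3], -r[2]))


# Constructed sample register for a small bank.
SAMPLE_REGISTER = [
    Threat("Phishing credential theft", "Internet banking admin accounts", 5, 5, 1),
    Threat("Ransomware via unpatched workstation", "Teller workstations", 4, 4, 2),
    Threat("Breach at outsourced core provider", "Core banking (outsourced)", 2, 5, 1),
    Threat("Lost laptop with customer data", "Loan officer laptops (FDE enabled)", 3, 4, 4),
]

if __name__ == "__main__":
    for name, asset, inh, res, colour in rank_register(SAMPLE_REGISTER):
        print(f"{colour:6} residual={res:2} inherent={inh:2}  {name} [{asset}]")
```

Note what the ranking does and does not tell you: the lost-laptop threat has a higher inherent score than the vendor breach, but full-disk encryption drives its residual to the floor, while the vendor risk stays Yellow because the only control is a contract clause. That gap between inherent and residual is the evidence an examiner wants for “sufficiency of the policies, procedures and systems in place”.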
Asset Management
- Inventory assets
- Policy and procedure for:
  ◦ Adding assets
  ◦ Retiring assets
  ◦ Cleansing (sanitizing) assets before disposal or reuse
- ISO/IEC 27001 devotes a whole control domain to asset management
- Think about how many information leaks involve assets nobody accounted for:
  ◦ Laptops
  ◦ Tapes
  ◦ Etc.
Vendor Management
- Given the increased reliance on outside firms for technology-related products and services, management must identify and mitigate the risk in these technology decisions:
  ◦ Vendor Management
  ◦ Technology Service Provider Management
- Just because you outsource your technology does not mean you outsource your information protection responsibilities
- You need to manage your vendors to ensure they are protecting your nonpublic information (customer and financial information)
Vulnerability Assessment
Definition: a technical scan of your networked equipment, conducted from inside the Bank, that identifies known vulnerabilities (missing patches, weak configurations, unnecessary services).
Scope: all networked equipment, for example:
  ◦ Core Banking Server
  ◦ Servers
  ◦ Workstations
  ◦ Voice over IP
  ◦ Mobile Devices
Penetration Testing
Definition: a technical assessment conducted from outside the Bank against any equipment exposed to the internet. Unlike a vulnerability scan it does not stop at finding weaknesses; it attempts to exploit them, simulating the process a hacker would use to gain access to Bank information.
Scope: include all of your public IP addresses (even unused ones), in particular:
  ◦ Email Server
  ◦ Web Server
  ◦ Internet Banking Server
  ◦ VPN connections
An address that is “unused” on the inventory may still answer from the internet (a forgotten device, a test box, a stale NAT rule), and that is exactly the exposure the test should find. Build the scope from the address block your provider routes to you, not from the asset list.
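The asset-management slide and the penetration-testing scope above are two views of the same question: does the inventory match what is really reachable? As an added example (not from the slides or SBS), the script below builds the external scope from the allocated public block, then reconciles scope, inventory and scan output. Every address, device name and scan result is constructed from the RFC 5737 documentation ranges, and nothing here touches a real network; in practice the scan dictionary would come from your tester’s port-scan results.

```python
"""Added example (not from the slides or SBS): build the external test scope
from the bank's *allocated* public range rather than from the asset list,
then reconcile scope, inventory and scan results.  This is why 'even unused
IPs' belong in a penetration test, and why asset management and testing
feed each other.  Every address, name and scan result is constructed
(RFC 5737 documentation ranges); nothing here touches a real network."""
import ipaddress

# Constructed: the block the bank's provider routes to the bank's firewall.
ALLOCATED_BLOCK = "203.0.113.0/29"

# Constructed: what the asset inventory claims is on the internet.
INVENTORY = {
    "203.0.113.1": "Edge firewall / VPN concentrator",
    "203.0.113.2": "Mail gateway",
    "203.0.113.3": "Internet banking reverse proxy",
    "198.51.100.7": "Old marketing web server",   # not even inside the bank's block
}

# Constructed external scan output: ip -> open TCP ports seen from the internet.
SCAN_RESULTS = {
    "203.0.113.1": [443, 500],
    "203.0.113.2": [25, 587],
    "203.0.113.3": [443],
    "203.0.113.5": [3389],   # 'unused' on paper, answering RDP in practice
}


def build_scope(cidr: str, inventory: dict) -> dict:
    """Every address in the allocated block, whether or not the inventory knows
    it.  Returns ip -> inventory name, or 'UNASSIGNED' for addresses the bank
    believes are unused."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {str(ip): inventory.get(str(ip), "UNASSIGNED") for ip in net}


def reconcile(scope: dict, inventory: dict, scan: dict) -> dict:
    """Compare the three views and return the discrepancies that need an owner."""
    live = {ip for ip, ports in scan.items() if ports}
    return {
        # Answering from the internet, but no inventory entry: the real finding.
        "unknown_live": sorted(ip for ip in live if scope.get(ip) == "UNASSIGNED"),
        # Answering, yet outside the block the test was scoped to: the scope is wrong.
        "live_outside_scope": sorted(ip for ip in live if ip not in scope),
        # Inventoried at an address the bank does not own: the inventory is wrong.
        "inventory_outside_scope": sorted(ip for ip in inventory if ip not in scope),
        # Inventoried but silent: retired without a record, or firewalled as intended.
        "inventoried_but_silent": sorted(ip for ip in inventory
                                         if ip in scope and ip not in live),
    }


if __name__ == "__main__":
    scope = build_scope(ALLOCATED_BLOCK, INVENTORY)
    for key, ips in reconcile(scope, INVENTORY, SCAN_RESULTS).items():
        print(f"{key}: {ips or '-'}")
```

On the constructed data the script flags 203.0.113.5 as live and unowned (the RDP listener nobody inventoried) and 198.51.100.7 as an inventory entry outside the bank’s own block. Both go back to asset management: the first needs an owner or a shutdown, the second needs either a scope extension or a retirement record.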
Security Awareness
Security awareness is the degree to which people understand, and act on:
  ◦ the importance of security and common threats
  ◦ organizational policies and procedures
  ◦ their individual security responsibilities
Employees only?
Social Engineering
The manipulation of people, rather than machines, to breach the security systems of an organization. People, by nature, are unpredictable and susceptible to manipulation and persuasion.
Rich Mogull, research director for information security and risk at Gartner, said: “social engineering is more of a problem than hacking. We believe social engineering is the single greatest security risk in the decade ahead.”
Google “social engineering biggest threat”.
Emergency Preparedness
Plans:
  ◦ Disaster Recovery
  ◦ Business Continuity
  ◦ Incident Response
  ◦ Pandemic Influenza
Process, in order: BIA; Risk Assessment; Risk Management; the “Plan”; Monitor / Test
Audit
Determine the presence of controls and test the effectiveness of those controls through an independent and objective evaluation.
- Risk Assessment = identifies the controls
- ISP = policies, procedures and guidelines that document the controls
- IT audit = reviews compliance with, and adequacy of, the controls
Organizational Chart
Provides an overview of the personnel working at the bank. Look for the following roles (sample):
  ◦ Information Security Officer
  ◦ Information Technology
  ◦ Auditor
  ◦ Compliance Officer
Who is doing what?
IT Committee
- Is management involved in IT decisions?
- Checks and balances: not just one person
- Meets weekly, monthly, or quarterly
- Made up of people who can make decisions
- Can work out issues before presenting them to the board (e.g., policy changes)
- Can handle issues so that some things don’t need to go to the board (e.g., procedure changes)
Network Diagram
A pictorial representation of your network, including connectivity to:
  ◦ Internet
  ◦ Branches
  ◦ Service Providers
  ◦ Etc.
Important because it:
  ◦ Communicates the network to staff and examiners
  ◦ Supports maintenance and troubleshooting of network issues
  ◦ Helps plan for the addition of new technology
  ◦ Is helpful for business continuity
Network Diagram Example
Information Security Blueprint Benefits
- GLBA Compliance
  ◦ Simple representation of a complex question
- Successful IT Examination
  ◦ Initial talking points with examiners
  ◦ Demonstrate effective management
- Good, Measurable Security
  ◦ Red, Yellow, Green for the fundamentals of good security
- Improve Over Time
  ◦ Plan - Do - Check - Act (process improvement)
Where else do you create blueprints?
  ◦ Organizational Chart
  ◦ Network Diagram
  ◦ Branch Construction
Summary of Lessons Learned
- Find a blueprint you like
- Implement the blueprint in phases
- Use the blueprint to handle new technologies and security threats
- Explore tools to make it easier and faster
- Automating policy development and maintenance is now an option