The Building Blocks of a Strong ISP


1 The Building Blocks of a Strong ISP
Iowa Bankers Association, 2015 IBA Technology Conference
Dr. Kevin Streff, Founder, Secure Banking Solutions

2 Agenda
Emerging Technologies and Security Threats in Banks
Designing an Effective Information Security Program
Conducting World-Class Risk Assessments

3 Hot Technologies
Banking Technologies: Branch of the Future, Advanced Payment Systems, Mobile Delivery Systems, Remote Deposit Products, Customer Relationship Management (CRM)
Infrastructure Technologies: Cloud, Virtualization
Cybersecurity Products: DLP, MSS, ERM Tools, Continuous Monitoring
Core replacement projects are important

4 Technology Leads to all kinds of issues
Document retention, I.T. examination, compliance, financial, support, expertise, security, data privacy
Your bank needs to get good with technology
Your bank needs to get good at information protection, not individual heroism
This drives the need for a well-managed information security program that starts with risk assessment

5 Online vs. Mobile Online banking is commodity
Mobile banking revolution is over

6 Layered Security Approach

7 Gramm-Leach-Bliley Act
Management must develop a written information security program meeting the security standards of Part 364, Appendix B What is the “M” in the CAMEL rating? The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank

8 Regulator Requirements: Current Framework
Management Focused Examination Documented risk-based Information Security Program (ISP) that provides sufficient controls as determined by the Risk Assessments Independent review of controls for compliance and adequacy as verified by IT Audit, Penetration Test and Vulnerability Assessment

9 Written Information Security Program
Includes administrative, technical, & physical safeguards appropriate to the bank’s size and complexity and the nature and scope of activities Represented by a set of policies, procedures and standards that implement controls identified in the risk assessment ISP = Documentation + Activities

10 Top Security Threats
Hacking, Data Leakage, Social Engineering, Corporate Account Takeover, Vendor Risk, ATM
“Small and medium sized banks are in the cross-hairs of the cyber criminal” (Howard Schmidt, Cybersecurity Secretary for the White House)

11 Hacking Threat #1

12 Hacking
Small and medium-sized businesses are the new target: won’t get caught, won’t get prosecuted, fewer security controls, etc.
Hackers are organized: it used to be for fun, now it is for profit
How it works: find a computer/network vulnerability and exploit it

13 Hacker Tools
Examples: tools to hack your bank are downloadable; default passwords are all available; an economy is available to sell stolen data (“underground markets”)

14

15

16 Threat: Downtime How much time would it take to recover if all of your computers got a virus tomorrow? Data Loss Down Time Cost to replace vs. fix “Of those businesses that experience a disaster and have no emergency plan, 43% never reopen; of those that do reopen, only 29% are still operating two years later.”

17 Ransomware: demands payment or will destroy your data and/or your machine

18 Critical Infrastructure Protection
The White House is concerned about our nation’s critical electronic infrastructure (PDD63, APT)
"Terrorism remains the FBI's top priority. But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country" (Ex-FBI Director Robert Mueller)

19 Data Leakage Threat #2

20 Data Leakage Data Leakage is about insiders leaking customer information out of your bank Most attention is paid to outsiders breaking into your network (aka hackers) Malicious Behavior Accidental

21 Social Engineering Threat #3

22 Social Engineering What is Social Engineering?
Exploitation of human nature for the gathering of sensitive information. Tool attackers use to gain knowledge about employees, networks, vendors or other business associates.

23 Sample Social Engineering Methods
Phishing/Pharming Telephone (Remote Impersonation) Dumpster Diving Impersonation Scams USB Sticks

24 Corporate Account Takeover
Threat #4

25 Small Business Security
70% lack basic security controls Conduct a risk assessment looking for these basic security controls Firewall, Strong passwords, Malware Protection Etc.

26 Finger Pointing?

27 Vendor Attacks Threat #5

28 Vendor Attacks Criminals understand that vast amounts of data are stored and transacted through bank vendors (TJX, Heartland, Target, etc.; Target was RAM scraping). While you are outsourcing the task, your bank remains responsible for the data: Vendor Management Program

29 ATM Fraud Threat #6

30 ATM Fraud Skimmers Cyber heists Remote Access Issues
Active Ports Being Compromised

31

32

33 Skimmer Overlay

34 Skimmer Camera

35 ATMs
The ATM environment has changed. It used to be that most banks had a closed network and non-Windows ATMs. Today, most ATMs are on your bank’s network and run Windows.

36

37 ATM Cyber Heists

38 Gramm-Leach-Bliley Act
Management must develop a written information security program. What is the “M” in the CAMEL rating? The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank

39 IT Exam
Verifies the bank’s Information Security Program (assessments and audits)
Five areas: Risk Management, Operations Security, Audit, Business Continuity, Vendor Management

40 Recent Regulation
FFIEC Authentication Supplement
CSBS CATO Regulation
FFIEC ATM Regulation
FFIEC DDoS Regulation
OCC and FDIC Vendor Management Regulation
FFIEC Social Media Guidance
Appendix J
FFIEC Cybersecurity Assessment Tool

41 Question for you… What is your bank doing to mitigate the risks of: Hacking, Data Leakage, Social Engineering, Corporate Account Takeover, ATM Fraud, Vendor Attacks?
Answer should be: Layered Security Program, Risk Assessment, Customer Awareness and Education, Business Continuity & Incident Response, Information Sharing, Effective Auditing

42

43

44 Asset Management
Inventory assets
Policy and procedure for: adding assets, retiring assets, cleansing assets
ISO standard is big into asset management
Think about how many information leaks involve not accounting for assets (laptops, tapes, etc.)

45 Vulnerability Assessment
Definition: Technical scan of your networked equipment that identifies vulnerabilities, conducted from inside the bank.
Scope: All networked equipment, examples include: Core Banking Server, Servers, Workstations, Voice Over IP

46 Penetration Testing
Definition: Technical scan conducted from outside the bank on any equipment that is exposed to the internet. Simulates the process that a hacker would use to gain access to bank information.
Scope: Include all your public IP addresses (even unused IP’s): Email Server, Web Server, Internet Banking Server, VPN connections

47 Security Awareness Security Awareness is the degree or extent to which every member of staff understands: the importance of security the levels of security appropriate to the organization their individual security responsibilities ... and acts accordingly.

48 Employees: Security Awareness
Acceptable Use Policy Annual Security Awareness Training Reminders Online Training System Posters/Calendars Security Awareness Day Member Appreciation Day Games Social Engineering Tests InfraGard Certification

49 Posters/Calendars

50 Posters/Calendars

51 Security Awareness Day
Hold a “Security Awareness Day” at your bank to demonstrate to your customers how important this issue is to the bank Hand out materials that can help them safely bank with you Target audience: customers HOWEVER: employees get involved and get more security conscious as well

52 Welcome to… SECURITY FEUD!
Security Awareness Training 11/22/2015

53 Certification
InfraGard: Training program for staff on information security to promote awareness of front-line and support staff. Twelve lessons (4-9 minutes each)
SBS: Six security certifications for board, management and professionals at your bank. 14 hours per certification

54 Customers: Security Awareness
Awareness Information on Website Posters Security Awareness Day Customer Appreciation Day Lunch and Learns

55 Emergency Preparedness
Disaster Recovery, Business Continuity, Pandemic (Bird Flu), Incident Response

56 Incident Response Documenting how an organization will respond to security breaches Who is in charge? When do you notify customers? Etc. The point is to have the activities planned out before an incident occurs and everyone is in crisis mode

57 Audit Determine the presence of controls and test the effectiveness of those controls through an independent and objective evaluation. Risk assessment identifies the controls; ISP = policies, procedures and guidelines that document controls; IT audit reviews compliance and adequacy of controls. What is an Audit? An audit is the final step in the risk management life cycle. To better explain what an audit is, let me first talk about risk assessments. Audits and risk assessments get confused all the time because there is no written-in-stone definition for either process. They are both closely related yet quite distinct in process. Today I will hopefully make the line between an audit and a risk assessment a little less gray. As Dusty has just explained, a risk assessment will determine if the controls in place are adequate for reducing risk to the organization, and make recommendations for new controls to be implemented. Once adequate controls are approved by management and implemented, those controls then get audited. This presentation was developed to help make sense of the definition shown.

58 Organizational Chart Provides an overview of the personnel working at the bank Looking for the following roles (sample): Information Security Officer Information Technology Auditor Compliance Officer Who is doing what!

59 Committees Is management involved in IT decisions? Audit committee?
BOD? Checks and balances…not just one person Weekly, Monthly, or quarterly Made up of people who can make decisions Can work out issues before presenting to the board (i.e., policy changes) Can handle issues so that some things don’t need to go to the board (procedure changes)

60 Network Diagram
Picture representation of your network, including connectivity to: Internet, branches, service providers, etc.
Important because it: communicates the network to staff and examiners; supports maintenance and troubleshooting of network issues; helps plan for the addition of new technology; is helpful for business continuity

61

62 Use your ISP Any new technology is handled by your ISP
(EXAMPLE: Merchant Capture) Any new security threat is handled by your ISP (EXAMPLE: Data Leakage)

63 Documentation Codifies management direction regarding layered security program Policies, procedures, standards, etc. Provides evidence of a layered security program Demonstrates compliance Demonstrates good security

64 Information Security Program Documentation
Based on Policy Requirements Based on Risk Assessment Program Policy System Policy Plans Procedures Standards Issue

65 Minimum ISP Documentation
Risk Assessment
Policies, Procedures, Standards, Guidelines
Plans: Audit, Business Continuity, Incident Response
Security Awareness: Materials, Training Log
Vendor Assessments
Minutes: Board of Director Meetings, I.T. Committee Meetings, Audit Committee Meetings
Strategies
Test Results: Audit, Penetration Test, Vulnerability Assessment, Social Engineering, Configuration Test, Web Test, Wireless Test
Exams: State, Federal
Misc.: Network Diagram, Organizational Chart, Contracts, Memos, Reports

66 Comprehensive Audit Audits will assess people, processes, and technology. A balanced audit program works as follows:  people are assessed with a social engineering test, processes are assessed with an IT audit, and technology is assessed with a penetration test and vulnerability assessment.

67 Layered Audit Approach

68 Assessments I.T. Vendor Corporate Account BIA ERM Cyber Etc.

69 IT Risk Assessment Process
Step 1 - Inventory: Identify all assets, vendors and service providers
Step 2 - Develop Priorities: Protection Profile (CIAV)
Step 3 - Identify Threats: What are the threats to each asset (including impact and probability of each threat)?
Step 4 - System Controls: What system safeguards does the bank want to implement?
Step 5 - Demonstrate Compliance: Reporting, improve the process, document residual risk
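The five steps above, carried through in code so the arithmetic behind an inherent-vs-residual risk score is visible. This is an added example, not SBS's risk assessment tooling or a published scoring method: the asset, threat and control values are constructed sample data, the "probability × impact × highest CIAV rating" formula and the multiplicative control effectiveness are assumptions chosen to keep the numbers easy to follow, and the CIAV dimensions are used only as four numeric ratings without expanding the acronym beyond what the slide gives.

```python
"""IT risk assessment worked through the slide's five steps.

Added example, not SBS's own tooling. All asset, threat and control values
are constructed sample data; the scoring formulas are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str              # "system", "vendor" or "service provider" (Step 1)
    owner: str
    profile: dict          # Step 2 protection profile: CIAV ratings 1 (low) .. 5 (high)


@dataclass
class Threat:
    name: str
    probability: int       # Step 3: 1 (rare) .. 5 (expected)
    impact: int            # Step 3: 1 (negligible) .. 5 (severe)


@dataclass
class Control:
    name: str
    mitigates: frozenset   # Step 4: names of the threats this safeguard reduces
    effectiveness: float   # assumed fraction of remaining risk removed, 0.0 .. 1.0


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Risk before controls: probability x impact, scaled by how sensitive the
    asset is (its highest CIAV rating). Assumed formula."""
    return threat.probability * threat.impact * max(asset.profile.values())


def residual_risk(asset: Asset, threat: Threat, controls: list) -> float:
    """Apply every control that mitigates this threat; each removes its share
    of whatever risk the earlier controls left (assumed multiplicative model)."""
    remaining = float(inherent_risk(asset, threat))
    for control in controls:
        if threat.name in control.mitigates:
            remaining *= 1.0 - control.effectiveness
    return round(remaining, 2)


def assess(asset: Asset, threats: list, controls: list, appetite: float) -> list:
    """Step 5 reporting: one row per threat, highest residual risk first, with a
    flag for anything still above the bank's stated risk appetite."""
    rows = []
    for threat in threats:
        residual = residual_risk(asset, threat, controls)
        rows.append({
            "asset": asset.name,
            "threat": threat.name,
            "inherent": inherent_risk(asset, threat),
            "residual": residual,
            "accepted": residual <= appetite,   # False = needs a management decision
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# ---- constructed sample data (not from any real bank) ---------------------
CORE = Asset("Core Banking Server", "system", "IT Manager",
             {"C": 5, "I": 5, "A": 5, "V": 4})

THREATS = [
    Threat("Ransomware", probability=4, impact=5),
    Threat("Social Engineering", probability=5, impact=3),
    Threat("Hardware Failure", probability=2, impact=4),
]

CONTROLS = [
    Control("Offline backups", frozenset({"Ransomware", "Hardware Failure"}), 0.6),
    Control("Endpoint malware protection", frozenset({"Ransomware"}), 0.5),
    Control("Annual awareness training", frozenset({"Social Engineering"}), 0.4),
]

RISK_APPETITE = 30  # assumed threshold: residual scores above this are documented as open risk

if __name__ == "__main__":
    for row in assess(CORE, THREATS, CONTROLS, RISK_APPETITE):
        print(row)
```

Run as-is it reports Social Engineering as the largest residual risk (75 inherent, 45 after training) even though Ransomware had the larger inherent score (100), because two layered controls apply to Ransomware and only one to Social Engineering; that ordering, and the `accepted` flag, is the "document residual risk" output of Step 5. The same structure applies to a vendor entry in the inventory, which is how a residual score per vendor can be compared.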

70 IT Assessment

71

72

73

74

75

76 Vendor Assessments

77 Vendor Management Given the increased reliance on outside firms for technology-related products and services, management must identify and mitigate risk in these technology decisions Vendor Management Technology Service Provider Management Just because you outsource your technology does not mean you outsource your information protection responsibilities Need to manage your vendors to ensure they are protecting your nonpublic information (customer and financial information)

78 Policy Generation

79 Policy Generation

80 Policy Sample

81 Third Party Information

82 Cost Benefit Analysis

83 Reference Evaluation

84 Comparing Threats

85 Documenting Controls

86 Residual Risk Score
Pay attention to the residual risk. Notice that vendor 2 has done the most to reduce the risk of information security threats

87 Due Diligence

88 Contract Review

89 Contract Review

90 Management

91 Commercial Account Assessments
Commercial Banking Fraud

92

93 CATO Guidance FFIEC’s “Interagency Supplement to Authentication in an Internet Banking Environment” states the following activities to mitigate commercial account takeover CSBS CATO Guidance FDIC CATO Guidance BOTTOM LINE: Your bank must develop a process to assess the cybersecurity risk to your commercial accounts

94

95

96 Assessment Results

97 Enterprise Risk Management

98 Enterprise Risk Management
Business Processes: Administrative, Affiliate, Back-Office, Customer Service, Finance, Lending, Marketing, Regulatory, Retail (Deposits)
Threat areas: Information Technology, Operational, Reputational, Compliance, Financial, Strategic
Categories commonly used in FFIEC booklets.

99 ERM – Risk Mitigation Goals

100 ERM – Protection Profile

101 ERM - Threats

102 ERM - Controls

103 Report – Risk Mitigation

104 Report – Peer Comparison

105 Risk Assessment Best Practices
Determine which kind of assessment is the most important for your bank and invest accordingly Mature your program Have repeatable processes for each kind of assessment Assign an owner for each kind of assessment Create a policy and program for each kind of assessment Leverage tools to promote consistency and good decision-making Don’t use the manual spreadsheet technique! Produce your documentation along the way Ensure management/board involvement

106 FFIEC Cybersecurity Assessment Tool
©2015 Secure Banking Solutions, LLC

107 Overview

108 FFIEC CA Tool (3 parts)
Three (3) major components:
Rating your Inherent Risk for Cybersecurity threats based on your size and complexity
Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats
Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity

109 Cybersecurity Inherent Risk
Very PRESCRIPTIVE Really getting to the Size and Complexity issue originally stated by GLBA Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats

110 Cybersecurity Inherent Risk
Five Inherent Risk Areas: Technologies and Connection Types; Delivery Channels; Online/Mobile Products and Technology Services; Organizational Characteristics; External Threats

111

112 Cybersecurity Maturity
Measure Maturity in 5 Domains (+ Assessment Factors):
Cyber Risk Management and Oversight: Governance, Risk Management, Resources, and Training
Threat Intelligence and Collaboration: Threat Intelligence, Monitoring & Analyzing, and Info Sharing
Cybersecurity Controls: Preventative, Detective, and Corrective controls
External Dependency Management: External Connections and (Vendor) Relationship Management
Cyber Incident Management and Resilience: Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting

113 What is Cybersecurity Maturity?
Determining whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness. I.E. are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents?

114 How does Cybersecurity Maturity work?
Measured by 5 Cybersecurity Maturity Levels: Baseline, Evolving, Intermediate, Advanced, Innovative

115 Determining Maturity Level
Within each component, “declarative statements” describe activities supporting the assessment factor at each maturity level. “All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.” What this actually means: identify the controls you have in place, starting with “baseline” controls and escalating up in order to determine maturity levels
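The quoted rule is an algorithm: walk the five levels in order and the domain's maturity is the last level at which every declarative statement, and every statement at the levels below it, is answered "yes". The block below is an added example that implements exactly that rule; it is not the FFIEC tool or SBS's Cyber-RISK tool. The statement ids and yes/no answers are constructed, the two domain names are taken from the slide's list of five domains, and the "next-level gaps" list is an assumed planning aid rather than part of the FFIEC methodology.

```python
"""Domain maturity under the FFIEC CAT rule quoted on the slide.

Added example; not the FFIEC tool or SBS's Cyber-RISK tool. Statement ids
and answers are constructed sample data.
"""

# The five maturity levels, lowest to highest, as listed on the slides.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Constructed answers: {domain: {level: {statement_id: attained?}}}
SAMPLE = {
    "Cyber Risk Management and Oversight": {
        "Baseline": {"S-D1-B-1": True, "S-D1-B-2": True},
        "Evolving": {"S-D1-E-1": True, "S-D1-E-2": True},
        "Intermediate": {"S-D1-I-1": True, "S-D1-I-2": False},
        "Advanced": {"S-D1-A-1": True},
        "Innovative": {"S-D1-N-1": False},
    },
    "Cybersecurity Controls": {
        # Every higher level is fully answered "yes", but one Baseline
        # statement is missing, so the domain has not even reached Baseline.
        "Baseline": {"S-D3-B-1": True, "S-D3-B-2": False},
        "Evolving": {"S-D3-E-1": True},
        "Intermediate": {"S-D3-I-1": True},
        "Advanced": {"S-D3-A-1": True},
        "Innovative": {"S-D3-N-1": True},
    },
}


def level_attained(statements: dict) -> bool:
    """A level is attained only if it has statements and all are answered yes."""
    return bool(statements) and all(statements.values())


def domain_maturity(answers: dict):
    """Walk the levels in order and stop at the first one not fully attained;
    the last fully attained level is the domain's maturity. Returns None when
    even Baseline is incomplete (how to label that case is an assumption)."""
    achieved = None
    for level in LEVELS:
        if not level_attained(answers.get(level, {})):
            break
        achieved = level
    return achieved


def next_level_gaps(answers: dict) -> list:
    """Statements still answered no at the next level up: what has to be put in
    place (and sustained) to move the domain one level. Assumed planning aid."""
    current = domain_maturity(answers)
    index = -1 if current is None else LEVELS.index(current)
    if index + 1 >= len(LEVELS):
        return []                      # already Innovative, nothing above it
    target = LEVELS[index + 1]
    return sorted(sid for sid, ok in answers.get(target, {}).items() if not ok)


def assess_all(sample: dict) -> dict:
    """Maturity and next-level gaps for every domain in the answer set."""
    return {domain: {"maturity": domain_maturity(a), "gaps": next_level_gaps(a)}
            for domain, a in sample.items()}


if __name__ == "__main__":
    for domain, result in assess_all(SAMPLE).items():
        print(f"{domain}: {result['maturity'] or 'below Baseline'}; "
              f"gaps to next level: {result['gaps']}")
```

The second domain is the case worth noticing: answering "yes" to every Advanced and Innovative statement counts for nothing while a single Baseline statement is unmet, which is why the slide says to start with the baseline controls and escalate upward.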

116

117 Determining Maturity

118 Domains and Assessment Factors

119 Inherent Risk vs. Maturity
All good Risk Management processes help make decisions and set goals. How does one determine Inherent Risk versus Cybersecurity Maturity? And more importantly, what is the right Inherent Risk vs. Maturity level?

120 Increasing Maturity

121 Inherent Risk vs. Maturity
“No single expected level for an institution”
“An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change.”
“Management should consider reevaluating the institution’s inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile.”

122 Other IMPORTANT take-aways
Is this new FFIEC Cybersecurity Assessment Tool (CAT) a replacement for my IT Risk Assessment? Absolutely not! This FFIEC CAT is a self-assessment of cybersecurity preparedness only, not a determination of risks and controls around your confidential non-public information. The assessment process is not a one-time project or process, but rather an ongoing assessment that the institution will be expected to keep up and utilize on an ongoing basis.

123 Who is responsible for the CAT?
It is an expectation that C-Level Management and/or Board of Directors install a top-down approach to cybersecurity. The President/CEO will be expected to DRIVE this Cybersecurity Assessment process and the Board of Directors needs to understand what the results of this Cybersecurity Assessment mean

124 SBS Tool
Introducing: FREE SBS Cyber-RISK™ Tool to Aid in Capture and Reporting. Did I mention it is FREE?

125 Cyber-RISK Tool
Goals of the FREE Cyber-RISK™ tool:
Automate the Cybersecurity Assessment Tool
Save you from creating your own spreadsheet
Make your life easier and more efficient
Provide you with one-click reports
Improve the process by tying the Inherent Risk and Cybersecurity Maturity processes together more intuitively
Get you peer comparison data (down the road)
Access to your own personal Information Security Expert if you need us!

126 Additional Cyber Security Resources
SBS Cybersecurity Assessment Blog:
Pre-register for the Cyber-RISK tool:
SBS Institute Certifications:

127 Summary

128 10 Steps Your Bank Can Take
Find the right partner…
Focus on and invest in mitigating the big 5
Implement a layered security program
Automate I.T. risk assessment
Work with merchants regarding CATO risks
Mature education/training program
Evaluate cyber security
Mature vendor management
Produce minimum documentation
Run effective committees
Investigate tools and partners to help

129 Contact Info Dr. Kevin Streff Dakota State University Secure Banking Solutions, LLC

