EVOLUTION OF CYBERSECURITY
IDENTIFYING BEST PRACTICES
AGENDA
• Defining cybersecurity
• Assessing your cybersecurity preparedness
• Cybersecurity program development
• Regulatory expectations
DEFINING CYBERSECURITY
In recent security discussions, there are references to both “cybersecurity” and “information security.” The terms are often used interchangeably, but in reality, cybersecurity is a part of information security.
Note: The interconnected nature of critical infrastructure systems has introduced a host of new vulnerabilities. All of these factors have influenced the shift from
DEFINING CYBERSECURITY (CONT.)
• Information security deals with protecting information, regardless of its format: physical documents, digital, intellectual property in people’s minds and verbal or visual communications
• Cybersecurity is concerned with protecting digital assets — everything from networks to hardware and information processed, stored or transported by
DEFINING CYBERSECURITY (CONT.)
NIST has a very appropriate definition for institutions:
• The process of managing cyber threats and vulnerabilities and for protecting information and information systems by identifying, defending against, responding to and recovering from attacks
FFIEC CYBER PREPAREDNESS ASSESSMENT
• Pilot cybersecurity examination work program (Cybersecurity Assessment) conducted in June 2014
• Approximately 500 assessments on community financial institutions with $1 billion or less in assets
• Information gathering and learning mode
• Finalized report December 2014
FFIEC CYBERSECURITY ASSESSMENT SCOPE
• Exam built upon key aspects of existing FFIEC IT Handbook
• Assessed financial institutions’ current practices & overall cybersecurity preparedness
BREAKING NEWS - Preliminary observations indicate most banks do not fully understand specific threats that face them
FFIEC CYBERSECURITY ASSESSMENT TOOL
• FFIEC Cybersecurity Assessment (CA) Tool released June 30, 2015
• Not really a “tool” as we have traditionally defined software or hardware
• More of a process to help banks perform a self-assessment on their Cybersecurity Preparedness
• Based on size and complexity
• Resulting from the 2014 Cybersecurity Assessment
FFIEC CA TOOL - 3 MAJOR COMPONENTS
1. Inherent Risk Profile - rating your inherent risk for cybersecurity threats based on your size and complexity, before implementing controls
2. Cybersecurity Maturity - rating your cybersecurity maturity regarding how prepared you are to handle different cybersecurity threats
• includes domains, assessment factors, components and individual declarative statements across five maturity levels to identify controls and practices in place
CYBERSECURITY INHERENT RISK
• Assesses your institution’s inherent risk profile based on five inherent risk profile categories:
– Technologies and Connection Types
– Delivery Channels
– Online/Mobile Products and Technology Services
– Organizational Characteristics
CYBERSECURITY MATURITY
• Evaluates your institution’s Cybersecurity Maturity level for each of five domains:
– Cyber Risk Management and Oversight
– Threat Intelligence and Collaboration
– Cybersecurity Controls
– External Dependency Management
– Cyber Incident Management and Resilience
INTERPRETING AND ANALYZING RESULTS
• There is no single expected level for an institution
• An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change
• Management should consider reevaluating its inherent risk profile and cybersecurity maturity
FFIEC CA TOOL GOAL
• Highlight areas of weakness and strength regarding how you are or will be able to handle a cybersecurity attack
– Also highlights how you can mitigate this risk and implement additional controls
• Provide regulators and examiners an idea of how capable your institution is regarding cybersecurity preparedness
CYBERSECURITY PROGRAM
A cybersecurity program should integrate all aspects of banks’ existing programs
• GLBA Information Security Program
• Business Continuity and Disaster Recovery
• Incident Response and Crisis Management Plans
EXAMINER EXPECTATIONS
• Incorporate cybersecurity into all existing programs & policies
• Enhance IT-related risk assessments to identify & address cyber-specific threats
• Enhance training efforts—employees, board & customers
• Strengthen monitoring controls
CONCLUSION
• Be Careful - Don’t be tempted to make your reviews for cyber-resilience a checkbox compliance exercise.
• Ensure cyber-resilience of internal networks & people
• Consider and evaluate networks of your third-party service providers & vendors
• Go beyond simply implementing recommendations in
#1 – KNOW WHERE YOUR DATA IS
Document and maintain accurate information asset inventories, including all relevant assets that store or transmit sensitive data
• Conduct, document & maintain current data flow analysis to understand location of your data, data interchange & interfaces, as well as applications, operating systems, databases & supporting technologies that support & impact your data
• Understand Cloud Data Relationships (Use white board to create flow charts to document processes, etc.)
• Locate & consolidate all valuable data into most singular
#2 – TAKE ADVANTAGE OF SECURITY CONTROLS
Establish, implement and actively manage security configuration settings for all hardware and software for servers, workstations, laptops, mobile devices, firewalls, routers, etc.
• System/device hardening
• Strong password security
• Limit administrative privileges
Grant only the minimum required access to perform job functions
#3 – KNOW WHO CAN ACCESS YOUR DATA
Align logical and physical access authorization, establishment, modification & termination procedures applicable to networks, operating systems, applications & databases
• Screen employees prior to employment
• Document additions and modifications with standard change management
• Timely removal of terminated employees
#4 – IMPLEMENT DATA LOSS PREVENTION CONTROLS
Organizations must limit access to removable media, CD ROMs, email & file transfer websites
• Leverage group policies & existing software such as content filtering, email filters, etc.
• Companies should write clear, well-planned policy that encompasses device use & disposal of information
• When devices are no longer in use, data should be wiped & then physically destroyed
#5 – ENSURE ALL CRITICAL DATA IS ENCRYPTED
Adoption of data encryption, for data in use, in transit and at rest, provides mitigation against data compromise
• Encrypt all hard drives on all portable devices, conducted in conjunction with #1
• Data backup, retention and archival information should all be protected by strong encryption, so that any such data that falls into malicious hands cannot be read or otherwise used
#6 – EFFECTIVE PATCH MANAGEMENT
Ensure all systems, regardless of function or impact, have recent operating systems, application patches applied and any business-critical applications are maintained at the most current feasible level for your organization
• Evaluate & test critical patches in timely manner
• Apply patches for riskiest vulnerabilities first
• Use WSUS to manage Windows-related patches
• Third-party applications (Java, Adobe, Flash, etc.) must also be managed
#7 – PERFORM RISK ASSESSMENTS
Perform an information security risk assessment that is flexible and responds to changes in your environment. Specific focus should be on all protected information & protected health information (if applicable).
• Asset-based format
• Identify foreseeable threats
• Assign inherent risk rating
• Determine likelihood of occurrence
• Determine magnitude of impact
• Input mitigating controls
• Determine residual risk rating
• Update annually to adjust for new threats
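The asset-based procedure above (identify foreseeable threats, assign an inherent rating, estimate likelihood and impact, input mitigating controls, derive a residual rating, update annually) carried through as a small worked risk register. This is an added example and is not part of the original presentation, nor the FFIEC or NIST method: the 1-to-5 likelihood and impact scales, the likelihood × impact scoring, the rating bands, the way controls are modelled as scale-step reductions, and the asset and threat data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Assumed scales for this example (the presentation gives no numeric scale):
# likelihood and impact are scored 1 (lowest) to 5 (highest); the risk score is
# likelihood x impact and is banded into a rating label as below.
SCALE_MIN, SCALE_MAX = 1, 5
RATING_BANDS = [(1, 5, "Low"), (6, 12, "Moderate"), (13, 19, "High"), (20, 25, "Critical")]


def _check_scale(value: int, name: str) -> int:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")
    return value


def rating(score: int) -> str:
    """Map a likelihood x impact score onto the assumed rating bands."""
    for low, high, label in RATING_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-25 range")


@dataclass
class Control:
    """A mitigating control, modelled as the scale steps it removes (an assumption)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Threat:
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        _check_scale(self.likelihood, "likelihood")
        _check_scale(self.impact, "impact")

    def inherent_score(self) -> int:
        """Risk before any mitigating controls are considered."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk that remains once the listed controls are taken into account.
        Controls never push a score below the scale floor of 1."""
        likelihood = max(SCALE_MIN, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(SCALE_MIN, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


@dataclass
class Asset:
    name: str
    holds_protected_info: bool  # flags assets in scope for protected/PHI focus
    assessed_on: date
    threats: List[Threat] = field(default_factory=list)

    def is_stale(self, today: date, max_age_days: int = 365) -> bool:
        """True when the assessment is older than the annual update cycle."""
        return today - self.assessed_on > timedelta(days=max_age_days)


def risk_register(assets: List[Asset]) -> List[Dict[str, object]]:
    """Flatten assets and their threats into register rows, highest residual risk first."""
    rows: List[Dict[str, object]] = []
    for asset in assets:
        for t in asset.threats:
            rows.append({
                "asset": asset.name,
                "protected_info": asset.holds_protected_info,
                "threat": t.description,
                "inherent": t.inherent_score(),
                "inherent_rating": rating(t.inherent_score()),
                "residual": t.residual_score(),
                "residual_rating": rating(t.residual_score()),
                "controls": [c.name for c in t.controls],
            })
    rows.sort(key=lambda r: (r["inherent"], r["residual"]), reverse=True)
    return rows


def sample_asset() -> Asset:
    """Constructed sample data for a hypothetical institution, not a real assessment."""
    return Asset(
        name="Core banking database server",
        holds_protected_info=True,
        assessed_on=date(2015, 9, 1),
        threats=[
            Threat("Ransomware delivered by phishing attachment", likelihood=4, impact=5,
                   controls=[Control("Email attachment filtering", likelihood_reduction=1),
                             Control("Annual phishing awareness training", likelihood_reduction=1),
                             Control("Offline encrypted backups", impact_reduction=2)]),
            Threat("Internet-facing vulnerability exploited before patching", likelihood=3, impact=5,
                   controls=[Control("Risk-ranked patch management", likelihood_reduction=2),
                             Control("Network segmentation", impact_reduction=1)]),
        ],
    )


def sample_register() -> List[Dict[str, object]]:
    return risk_register([sample_asset()])


if __name__ == "__main__":
    for row in sample_register():
        print(f"{row['asset']}: {row['threat']} -> inherent {row['inherent']} "
              f"({row['inherent_rating']}), residual {row['residual']} ({row['residual_rating']})")
```

The register is sorted by inherent score so that the threats demanding the most attention surface first; the residual column then shows whether the controls already in place bring each one down to a level management is willing to accept, and `is_stale` supports the annual update check.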
#8 – EDUCATE PERSONNEL & HOLD THEM ACCOUNTABLE
Provide staff training on security best practices, internal policies & new threats. Focus on social engineering, phishing & physical security concerns.
• Educate all personnel, at least annually, on your company's data security requirements
• Education can be as simple as email reminders, brown bag lunch & learns, etc.
• Make sure new hire onboarding process includes this topic
#9 – AUDIT & ASSESS CONTROLS
Conduct vulnerability scans and penetration tests to identify and evaluate security vulnerabilities in your environment
• Security controls provide most value when they are audited & monitored for compliance and/or maintenance
• Annual audits provide necessary insights into keeping security controls
#10 – MINIMIZE IMPACT BY TAKING IMMEDIATE ACTION
Management's ultimate goal should be to minimize damage to the institution and its customers through containment of the incident and proper restoration of information systems
• Conduct analysis of past incidents & applicable responses to determine successful & unsuccessful areas
• Use an incident response team to ensure immediate action is taken following security event to minimize impact on operations & loss of data
• Determine who will be responsible for declaring an
CYBERSECURITY RESOURCES
• FFIEC Cybersecurity Awareness - http://www.ffiec.gov/cybersecurity.htm
• Bank Info Security - http://www.bankinfosecurity.com/
• ABA Center for Payments and Cybersecurity - http://www.aba.com/Tools/Function/Pages/center-payments-cybersecurity.aspx
• NIST Framework - http://www.nist.gov/cyberframework/index.cfm
CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.