Effectively Utilizing the New FFIEC Cybersecurity Assessment Tool - PowerPoint PPT Presentation



SLIDE 1

Effectively Utilizing the New FFIEC Cybersecurity Assessment Tool

Michael Barnsback, Esquire and David Reed, Esquire
October 20, 2015

SLIDE 2

Your Presenters

David Reed, Esq.
Partner, Reed & Jolly, PLLC
David@reedandjolly.com

Michael Barnsback, Esq., CIPP/US
LeClairRyan
Michael.Barnsback@leclairryan.com

SLIDE 3

The contents of this presentation are intended to provide you with a general understanding of the subject matter. However, it is not intended to provide legal, accounting, or other professional advice and should not be relied on as such.

Any views or opinions expressed are those of the presenters and do not necessarily reflect the views of NAFCU.

SLIDE 4

Overview

  • The Assessment is an all-hands-on-deck exercise
  • Not simply an IT issue
  • Establishing the responsibility and accountability of key stakeholders is essential to success
  • Assessments, audits and examinations are different processes

SLIDE 5

Know Your Credit Union

  • Understand your cyber footprint
    – Products, services and delivery mechanisms
    – All areas are impacted by internet access or remote access
    – In-house versus outsourced IT services
  • Recent GAO Study and Recommendations

SLIDE 6

Polling Question

  • Do you have a complete network map that shows all of your devices, networks, IP addresses, controls, end users and vendors?
    a. Yes
    b. No
    c. Working on it now

SLIDE 7

What We Know

  • Increasing volume and sophistication of cyber threats
  • Existing cyber security vulnerabilities are known
  • New remote platforms create new opportunities for cyber attacks
  • Bad guys evolve as they observe online behavior
  • Evolving malware risks
  • Government-sponsored cyber attacks

SLIDE 8

Recent NCUA Guidance

  • January 15, 2015, NCUA Letter No. 15-CU-01 provided guidance to CU Boards of Directors and Chief Executive Officers on the NCUA examinations in 2015
  • The first item in the guidance letter: Cybersecurity
  • “In 2015, NCUA will redouble efforts to ensure that the credit union system is prepared for a range of cybersecurity threats.”

SLIDE 9

Recent NCUA Guidance

  • The guidance letter identified six “proactive measures credit unions can take to protect their data and their members:
    – encrypting sensitive data;
    – developing a comprehensive information security policy;
    – performing due diligence over third parties that handle credit union data;
    – monitoring cybersecurity risk exposure;
    – monitoring transactions; and,
    – testing security measures.”

SLIDE 10

What Is the FFIEC?

  • The FFIEC comprises key representatives of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee (for state banks and credit unions)
  • When they speak, our world listens!

SLIDE 11

FFIEC Cybersecurity Assessment Tool

  • Goal is to help institutions identify their risks and determine their cybersecurity preparedness (maturity)
  • The Assessment Tool provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time
  • Draws heavily on other sources, including:
    – FFIEC Information Technology (IT) Examination Handbook
    – National Institute of Standards and Technology (NIST) Cybersecurity Framework

SLIDE 12

Is It Voluntary?

  • Existing IT security requirements and guidance already apply:
    – Part 748 NCUA Regulations
    – FFIEC IT Examination Handbook
    – AIRES Examination Questionnaires
  • Two-part logic: internal value and examination value

SLIDE 13

Assessment Overview

  • Make sure you have ALL the tools before you initiate the assessment:
    – Overview for CEOs and Boards
    – User’s Guide
    – Assessment Tool
    – Cybersecurity Maturity Scale and Inherent Risk Profiles
    – Appendices A and B

SLIDE 14

Polling Question

  • Does your CU have a bring-your-own-device policy?
    a. Yes
    b. No
    c. Maybe
    d. Working on one

SLIDE 15

A Tale of Two Parts

The Assessment Tool consists of two parts:

  1. Inherent Risk Profile
  2. Cybersecurity Maturity

SLIDE 16

5 Risk Profile Levels

  1. Least Inherent Risk
  2. Minimal Inherent Risk
  3. Moderate Inherent Risk
  4. Significant Inherent Risk
  5. Most Inherent Risk

Risk levels incorporate the type, volume, and complexity of the credit union’s operations and the threats directed at the institution.

SLIDE 17

Let’s Begin

  • To complete the Assessment, management first assesses the credit union’s Inherent Risk Profile based on five categories:
    – Technologies and Connection Types
    – Delivery Channels
    – Online/Mobile Products and Technology Services
    – Organizational Characteristics
    – External Threats

SLIDE 18

(Image slide) All images from the FFIEC Cybersecurity Assessment Tool Overview.

SLIDE 19

Technologies and Connection Types

  • “This category includes the number of Internet service provider (ISP) and third-party connections, whether systems are hosted internally or outsourced, the number of unsecured connections, the use of wireless access, volume of network devices, end-of-life systems, extent of cloud services, and use of personal devices.”
  • Key Stakeholders: Information Technology

Source: FFIEC Cybersecurity Assessment Tool

SLIDE 20

Delivery Channels

  • “This category addresses whether products and services are available through online and mobile delivery channels and the extent of automated teller machine (ATM) operations.”
  • Key Stakeholders: IT, card services, service delivery, ATM, operations, etc.

Source: FFIEC Cybersecurity Assessment Tool

SLIDE 21

Online/Mobile Products and Technology Services

  • “This category includes various payment services, such as debit and credit cards, person-to-person payments, originating automated clearing house (ACH), retail wire transfers, wholesale payments, merchant remote deposit capture, treasury services and clients and trust services, global remittances, correspondent banking, and merchant acquiring activities. This category also includes consideration of whether the institution provides technology services to other organizations.”
  • Key Stakeholders: IT, card services, payment systems, ACH, wires, deposits, trusts (CUSO), merchant services or business services, etc.

Source: FFIEC Cybersecurity Assessment Tool

SLIDE 22

Organizational Characteristics

  • “This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.”
  • Key Stakeholders: CEO, HR, IT, service delivery, operations, etc.

Source: FFIEC Cybersecurity Assessment Tool

SLIDE 23

External Threats

  • “The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure. This category considers the volume and sophistication of the attacks targeting the institution.”
  • Key Stakeholders: IT, security, BSA officer, etc.

Source: FFIEC Cybersecurity Assessment Tool

SLIDE 24

It Rhymes! Cybersecurity Maturity

After determining the Inherent Risk Profile, the credit union transitions to the Cybersecurity Maturity part of the Assessment to determine the institution’s maturity level within each of the following five domains:

  – Domain 1: Cyber Risk Management and Oversight
  – Domain 2: Threat Intelligence and Collaboration
  – Domain 3: Cybersecurity Controls
  – Domain 4: External Dependency Management
  – Domain 5: Cyber Incident Management and Resilience

SLIDE 25

Domain 1: Cyber Risk Management and Oversight

  • Cyber risk management and oversight addresses the board of directors’ (board’s) oversight and management’s development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
  • Key Stakeholders: Board, CEO, IT, security (BSA), HR, CFO, internal audit, risk manager, etc.

SLIDE 26

Polling Question

  • What types of third-party IT vendors does your credit union utilize?
    a. Network Administrator
    b. IT Security
    c. Penetration testing
    d. Cloud applications
    e. All of the above
    f. More than one of the above

SLIDE 27

Domain 2: Threat Intelligence and Collaboration

  • Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
  • Key Stakeholders: IT, security (BSA), third-party resources, etc.

SLIDE 28

Domain 3: Cybersecurity Controls

  • Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution’s defensive posture through continuous, automated protection and monitoring.
  • Key Stakeholders: SC, IT, security (BSA), internal audit, facilities, operations, branch, third-party resources, etc.

SLIDE 29

Domain 4: External Dependency Management

  • External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution’s technology assets and information.
  • Key Stakeholders: CEO, IT, vendor management, security, internal audit, legal, external resource (?)

SLIDE 30

Domain 5: Cyber Incident Management and Resilience

  • Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution’s containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
  • Key Stakeholders: Board, IT, business continuity, security (BSA), internal audit, facilities, operations, branch, third-party resources, etc.

SLIDE 31

How Mature Are You?

  • Each domain and maturity level has a set of declarative statements organized by assessment factor.
  • It looks like this:

    Domains → Assessment Factors → Components → Declarative Statements

SLIDE 32

Work Through the Assessment

  • Within each domain are assessment factors and contributing components.
  • Under each component, there are declarative statements describing an activity that supports the assessment factor at that level of maturity.
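The hierarchy on the two slides above (domain, assessment factor, component, declarative statement, each statement tied to a maturity level) lends itself to a small scoring helper that tells a credit union which statements block its next maturity level. The following Python is an added example for this page; it is not part of the presentation and not the FFIEC's own tool. The level names are the FFIEC tool's five maturity levels; the cumulative-attainment rule (a level counts only when every statement at that level and at all lower levels is met) follows the FFIEC User's Guide's description; the statement wording, the stakeholder answers and the function names are constructed for illustration.

```python
from dataclasses import dataclass

# The five maturity levels of the FFIEC tool, lowest to highest.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


@dataclass(frozen=True)
class Statement:
    """One declarative statement in the Domain > Assessment Factor >
    Component > Declarative Statement hierarchy the deck describes."""
    domain: str
    factor: str
    component: str
    level: str
    text: str


def maturity_level(statements, answers):
    """Highest level at which every statement at that level and at all lower
    levels is answered True. Returns None when Baseline is not fully met.

    Assumption: attainment is cumulative, so a level only counts once every
    lower level is complete; a level with no statements at all ends the climb."""
    achieved = None
    for level in LEVELS:
        at_level = [s for s in statements if s.level == level]
        if not at_level or not all(answers.get(s, False) for s in at_level):
            break
        achieved = level
    return achieved


def gaps_to_next_level(statements, answers):
    """Unmet statements at the first level that is not fully attained, i.e.
    the work items that block the next maturity level."""
    current = maturity_level(statements, answers)
    next_idx = 0 if current is None else LEVELS.index(current) + 1
    if next_idx >= len(LEVELS):
        return []
    target = LEVELS[next_idx]
    return [s for s in statements
            if s.level == target and not answers.get(s, False)]


def maturity_by_domain(statements, answers):
    """Score each domain separately, as the tool reports maturity per domain."""
    domains = sorted({s.domain for s in statements})
    return {d: maturity_level([s for s in statements if s.domain == d], answers)
            for d in domains}


# Constructed sample: statement wording is illustrative, not the FFIEC's text.
D3 = "Domain 3: Cybersecurity Controls"
D2 = "Domain 2: Threat Intelligence and Collaboration"
SAMPLE_STATEMENTS = [
    Statement(D3, "Preventative Controls", "Access and Data Management", "Baseline",
              "Privileged accounts are inventoried and approved by management"),
    Statement(D3, "Preventative Controls", "Access and Data Management", "Baseline",
              "Remote access to internal systems requires multifactor authentication"),
    Statement(D3, "Preventative Controls", "Access and Data Management", "Evolving",
              "Privileged access rights are reviewed at least quarterly"),
    Statement(D3, "Preventative Controls", "Access and Data Management", "Evolving",
              "Inactive user accounts are disabled within a defined period"),
    Statement(D3, "Preventative Controls", "Access and Data Management", "Intermediate",
              "Privileged sessions are recorded and reviewed"),
    Statement(D3, "Preventative Controls", "Access and Data Management", "Advanced",
              "Access rights are provisioned and revoked automatically from HR events"),
    Statement(D3, "Preventative Controls", "Access and Data Management", "Innovative",
              "Access decisions adapt in real time to observed user behaviour"),
    Statement(D2, "Threat Intelligence", "Threat Intelligence and Information", "Baseline",
              "Threat information from regulators and peers is received and reviewed"),
    Statement(D2, "Threat Intelligence", "Threat Intelligence and Information", "Evolving",
              "Threat information is analysed for relevance to the credit union"),
    Statement(D2, "Threat Intelligence", "Threat Intelligence and Information", "Intermediate",
              "Threat indicators feed monitoring tools automatically"),
]

# Constructed answers: everything met except one Evolving statement in Domain 3
# and the Intermediate statement in Domain 2.
SAMPLE_ANSWERS = {s: True for s in SAMPLE_STATEMENTS}
SAMPLE_ANSWERS[SAMPLE_STATEMENTS[3]] = False
SAMPLE_ANSWERS[SAMPLE_STATEMENTS[9]] = False

if __name__ == "__main__":
    for domain, level in maturity_by_domain(SAMPLE_STATEMENTS, SAMPLE_ANSWERS).items():
        print(f"{domain}: {level}")
    for gap in gaps_to_next_level(
            [s for s in SAMPLE_STATEMENTS if s.domain == D3], SAMPLE_ANSWERS):
        print(f"  blocks {gap.level}: [{gap.factor} / {gap.component}] {gap.text}")
```

With the constructed answers, Domain 3 scores Baseline because one Evolving statement is unmet, even though an Intermediate, Advanced and Innovative statement are all answered Yes; that is the point of the cumulative rule, and the gap list is what the responsible stakeholder from the "Key Stakeholders" lines should be handed.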

SLIDE 33

Domains and Assessment Factors

SLIDE 34

Definition and Assessment Factors

SLIDE 35

Maturity Levels

SLIDE 36

Example of Maturity Assessment

SLIDE 37

Bringing It Together


SLIDE 39

Third Party Vendors

  • It is always advisable to understand the benefits and risks of third-party IT specialists
  • Specialized due diligence and analysis
  • Arm’s-length transactions
  • Contract language
  • Regular communication and reporting

SLIDE 40

The Moving Parts of Security

  • Part 748 Security Program
  • Part 748.1 Filing of Reports
    – Compliance Report
    – Catastrophic Act
    – Suspicious Activity Report
  • Part 748.2 BSA Compliance
    – Establish a compliance program
    – CIP (Customer Identification Program)
  • Appendix A: Safeguarding Member Information
  • Appendix B: Response Program for Unauthorized Access

SLIDE 41

The Certification

“The chairperson of the Credit Union’s Board of Directors is required to certify compliance with Part 748 each year. The statement of compliance is provided at the bottom of the Credit Union Profile Form that is submitted annually to the regional director following the credit union’s election of officials.”

Source: NCUA CU Profile Form 6/14

SLIDE 42

I hereby certify to the best of my knowledge and belief that this credit union has developed and administers a security program that equals or exceeds the standards prescribed by Part 748.0 of the NCUA Rules and Regulations; that such security program has been reduced to writing, approved by this credit union's Board of Directors; and this credit union has provided for the installation, maintenance, and operation of security devices, if appropriate, in each of its offices. Further, I certify that I am the president or managing official of the credit union or that the president or managing official has authorized me to make this submission on his/her behalf.

______________________________________________
VOLUNTEER’S NAME HERE

SLIDE 43

Questions?