Effectively Utilizing the New FFIEC Cybersecurity Assessment Tool - PowerPoint PPT Presentation

Effectively Utilizing the New FFIEC Cybersecurity Assessment Tool Michael Barnsback, Esquire and David Reed, Esquire October 20, 2015 1

Your Presenters David Reed, Esq. Michael Barnsback, Esq., CIPP/US Partner LeClairRyan Reed & Jolly, PLLC Michael.Barnsback@lecla David@reedandjolly.com irryan.com 2

The contents of this presentation are intended to provide you with a general understanding of the subject matter. However, it is not intended to provide legal, accounting, or other professional advice and should not be relied on as such. Any views or opinions expressed are those of the presenters and do not necessarily reflect the views of NAFCU. 3 3

Overview • Assessment is an all hands on deck exercise • Not simply an IT issue • Establishing the responsibility and accountability of key stakeholders is essential to success • Assessments, audits and examinations are different processes 4

Know Your Credit Union • Understand your cyber footprint – Products, services and delivery mechanisms – All areas are impacted by internet access or remote access – In-house versus outsourced IT services • Recent GAO Study and Recommendations 5

Polling Question • Do you have a complete network map that shows all of your devices, networks, IP addresses, controls, end users and vendors? a. Yes b. No c. Working on it now 6

What We Know • Increasing volume and sophistication of cyber threats • Existing cyber security vulnerabilities are known • New remote platforms create new opportunities for cyber attacks • Bad guys evolve as they observe online behavior • Evolving malware risks • Government sponsored cyber attacks 7

Recent NCUA Guidance • January 15, 2015, NCUA Letter No.: 15-CU-01, provided guidance to CU Boards of Directors and Chief Executive Officers on the NCUA examinations in 2015 • The first item in the guidance letter: Cybersecurity • “In 2015, NCUA will redouble efforts to ensure that the credit union system is prepared for a range of cybersecurity threats. 8

Recent NCUA Guidance • Guidance letter identified 6 “proactive measures credit unions can take to protect their data and their members: – encrypting sensitive data; – developing a comprehensive information security policy; – performing due diligence over third parties that handle credit union data; – monitoring cybersecurity risk exposure; – monitoring transactions; and, – t esting security measures.” 9

What Is the FFIEC? • The FFIEC comprises key representatives of The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee (for state banks and credit unions) • When they speak, our world listens! 10

FFIEC Risk Assessment Tool • Goal is to help institutions identify their risks and determine their cybersecurity preparedness (maturity) • Assessment Tool provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time • Draws heavily on other sources, including: – FFIEC Information Technology (IT) Examination Handbook – National Institute of Standards and Technology (NIST) Cybersecurity Framework 11

Is It Voluntary? • Existing IT Security Requirements and Guidance • Part 748 NCUA Regulations • FFIEC IT Examination Handbook • AIRES Examination Questionnaires • Two part logic: Internal value and examination value 12

Assessment Overview • Make sure you have ALL the tools before you initiate the assessment – Overview for CEOs and Boards – User’s Guide – Assessment Tool – CS Maturity Scale and Inherent Risk Profiles – Appendices A and B 13

Polling Question • Does your CU have a bring your own device policy ? a. Yes b. No c. Maybe d. Working on one 14

A Tale of Two Parts The Assessment Tool consists of two parts 1. Inherent Risk Profile 2. Cybersecurity Maturity 15

5 Risk Profile Levels Least Minimal Moderate Significant Most Inherent Inherent Inherent Inherent Inherent Risk Risk Risk Risk Risk Risk Levels incorporate the type, volume, and complexity of the credit union’s operations and threats directed at the institution. 16

Let’s Begin • To complete the Assessment, management first assesses the credit union’s Inherent Risk Profile based on five categories: – Technologies and Connection Types – Delivery Channels – Online/Mobile Products and Technology Services – Organizational Characteristics – External Threats 17

All images from FFIEC CS Overview 18

Technologies and Connection Types • “This category includes the number of Internet service provider (ISP) and third-party connections, whether systems are hosted internally or outsourced, the number of unsecured connections, the use of wireless access, volume of network devices, end-of- life systems, extent of cloud services, and use of personal devices.” • Key Stakeholders: Information Technology Source: FFIEC Cybersecurity Assessment Tool 19

Delivery Channels • “This category addresses whether products and services are available through online and mobile delivery channels and the extent of automated teller machine (ATM) operations.” • Key Stakeholders: IT, card services, service delivery, ATM, operations, etc. Source: FFIEC Cybersecurity Assessment Tool 20

Online/Mobile Products and Technology Services • “This category includes various payment services, such as debit and credit cards, person-to-person payments, originating automated clearing house (ACH), retail wire transfers, wholesale payments, merchant remote deposit capture, treasury services and clients and trust services, global remittances, correspondent banking, and merchant acquiring activities. This category also includes consideration of whether the institution provides technology services to other organizations.” • Key Stakeholders: IT, card services, payment systems, ACH, wires, deposits, trusts (CUSO), merchant services or business services, etc. Source: FFIEC Cybersecurity Assessment Tool 21

Organizational Characteristics • “This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.” • Key Stakeholders: CEO, HR, IT, service delivery, operations, etc. Source: FFIEC Cybersecurity Assessment Tool 22

External Threats • “The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure. This category considers the volume and sophistication of the attacks targeting the institution.” • Key Stakeholders: IT, security, BSA officer, etc. Source: FFIEC Cybersecurity Assessment Tool 23

It Rhymes! Cybersecurity Maturity After determining the Inherent Risk Profile, the credit union transitions to the Cybersecurity Maturity part of the Assessment to determine the institution’s maturity level within each of the following five domains: – Domain 1: Cyber Risk Management and Oversight – Domain 2: Threat Intelligence and Collaboration – Domain 3: Cybersecurity Controls – Domain 4: External Dependency Management – Domain 5: Cyber Incident Management and Resilience 24

Domain 1: Cyber Risk Management and Oversight • Cyber risk management and oversight addresses the board of directors’ (board’s) oversight and management’s development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight. • Key Stakeholders: Board, CEO, IT, security (BSA), HR, CFO, internal audit, risk manager, etc. 25

Polling Question • What types of third party IT vendors does your credit union utilize? a. Network Administrator b. IT Security c. Penetration testing d. Cloud applications e. All of the above f. More than one of the above 26

Domain 2: Threat Intelligence and Collaboration • Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties. • Key Stakeholders: IT, security (BSA), third party resources, etc. 27

Domain 3: Cybersecurity Controls • Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution’s defensive posture through continuous, automated protection and monitoring. • Key Stakeholders: SC, IT, security (BSA), internal audit, facilities, operations, branch, third party resources, etc. 28

Domain 4: External Dependency Management • External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution’s technology assets and information. • Key Stakeholders: CEO, IT, vendor management, security, internal audit, legal, external resource (?) 29