FFIEC Cybersecurity Assessment Tool Monday, April 6 Moderator: Austin Kilgore , Editor in Chief, SourceMedia Mortgage Group Speakers: Michael G. Morgan , Of Counsel, Jones Day Ryan Smyth , Principal- Privacy and Data Security, Promontory Financial
Objectives – Provide overview of the tool and its components – Help each of you understand how to use the tool to: • assess the cyber risk of your organization • the maturity of your security risk program
High Level Overview: What is the goal of a Cybersecurity Assessment? What is the overallgoal of these CybersecurityAssessments? • The Assessment has a heavy focus on CEO and Board level involvement, as well as tying controls to other FFIEC and NIST resources in order to assemblea set of expectations for financialinstitutions based on their size and complexity. • For institutions using the Assessment, management will be able to enhance their oversight and management of the institution’s cybersecurity by doing the following: • Identifyingfactors contributingto and determiningthe institution’s overallcyber risk. • Assessingthe institution’s cybersecuritypreparedness. • Evaluatingwhether the institution’s cybersecuritypreparednessis alignedwith its risks. • Determiningrisk managementpractices and controls that are needed or need enhancement • and actions to be taken to achieve the desired state. • Informingriskmanagementstrategies. • The tool enables the identification of an organizations inherent risk and provides a maturity rating across five different cybersecuritydomains.
High Level Overview of the Tool: Inherent Risk Inherent Risk Profile: Cybersecurityinherentriskis the level of risk posed to the institution by the following: • Technologiesand Connection Types • Delivery Channels • Online/MobileProducts and TechnologyServices • OrganizationalCharacteristics • ExternalThreats The Inherent Risk Profile includes descriptions of activities across risk categories with definitions for the least to most levels of inherent risk. The profile helps management determine exposure to risk that the institution’s activities, services, and products individually and collectively pose to the institution. Least Inherent Minimal Moderate Significant Most Inherent Risk Inherent Risk Inherent Risk Inherent Risk Risk
High Level Overview of the Tool: Cybersecurity Maturity Cybersecurity Maturity: The Assessment’s second part is Cybersecurity Maturity, designed to help management measure the institution’s level of risk and corresponding controls. The levels range from baseline to innovative. Cybersecurity Maturity includes statements to determine whether an institution’s behaviors, practices, and processes can supportcybersecuritypreparednesswithin the followingfive domains: • Cyber Risk Managementand Oversight • ThreatIntelligence and Collaboration • CybersecurityControls • ExternalDependencyManagement • Cyber IncidentManagementand Resilience The domains include assessment factors and contributing components. Within each component, declarative statements describe activities supportingthe assessmentfactor at each maturitylevel.
High Level Overview of the Tool: Cybersecurity Maturity Cybersecurity Maturity: • Perform an assessment of the five (5) Cybersecurity Maturity Domains: Rate each Component from Baseline to Innovative all declarative statements in each level and previous level must be met in order to achieve that domain’s maturity level the Component rating will be generated the Assessment Factor rating will be generated after completing all Component self-assessment The Domain rating will be generated after all AssessmentFactors have been rated the overall TotalMaturity score will adjustas each Domain is assessed
High Level Overview of the Tool: What’s it for? What is the overallgoal of these CybersecurityAssessments? • An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change. • On an ongoing basis, management may use the Assessment to identify changes to the institution’s inherent risk profile when new threats arise or when considering changes to the business strategy, such as expanding operations, offering new products and services, or entering into new third-partyrelationshipsthat supportcritical activities. • In general, as inherentrisk rises, an institution’s maturitylevels should increase.
High Level Overview of the Tool: Cyber Maturity Process Cyber Maturity is a Traditional Knowledge Management Activity: • Data is Collected • Data is Processed into Information • Information is Rationalized as Knowledge • Knowledge Informs Action
Deeper Dive Into the Tool: Case Example “Bank of ABCD” Current State: What does this bank look like: Cyber Threat Concerns: • Characteristics: • Small to medium mortgage lender • Security Posture: • Number of staff? (75-100) • Information security officer? • Turnover? (The independent mortgage banks are showing greater turnover than the average at around 30% but this is still below historical • Security operations – in-house, outsourced averages, and the bank-affiliated lenders are showing much lower than average turnover at around 10%) • Threat awareness • Location and geographic spread? (Northeast Region specialty MA) • Governance: • Security incidents: • Board of directors • Physical – theft • Technology governance • Fraud attempts • Risk governance • Phishing attempts • Online presence: • Spear-phishing? • Website • Social engineering • Social media? (Basic LinkedIn Profile and Twitter/Facebook Profiles) • Denial of Service • Customer applications – access to loan data, online servicing • Website defacement? • Reliance on third party providers for processing • Hacking attempts?
Deeper Dive: Assessing Risk Risk analysis factors: How do we measure these? • Issue: organizations might not have a clear idea of the scale of their exposure in certain areas, for example: • Expertise: • Technologies and Connection Types: • Subject matter experts from across the institution who can • Unsecured external connections provide input • Wireless network access points • Independent assessment is very useful (FFIEC CAT, SANS CSC, • Personal devices on corporate network NIST CF, etc.) • Third parties on corporate network • Internal audit or external specialist • Third parties storing or processing data off site • Process: • Internally hosted and developed or modified vendor applications supporting critical activities • Incremental approach is better than no approach (start small) • Internally hosted, vendor applications supporting critical activities • Working groups • User-developed technologies and user computing that support critical activities (includes MS Excel spreadsheets, Access databases or • Workshops • other user-developed tools) Data gathering: • Open Source Software • Honest appraisal • Cloud computing exposure • How to deal with the known unknowns
Deeper Dive: Assessing Risk Risk analysis factors: How do we measure these? • Issue: organizations might not have a clear idea of the scale of their exposure in certain areas, for example: • Some aspects should be more straightforward (Delivery Channels) • Delivery Channels • Will still require in-depth institutional knowledge • Online/Mobile Products and Technology Services • Process: • Organizational Characteristics: • Incremental approach is better than no approach (start small) • Changes in IT and security staffing • Working groups • Privileged access • Workshops • External Threats • Data gathering: • Honest appraisal • How to deal with the known unknowns – External Threats
Deeper Dive: Determining Maturity Organizational Cyber Maturity Issues by Domain - Governance Organizational Cyber Maturity Issues by Domain – Governance • Oversight: continued • Management responsibility and accountability • Expertise/resources -in-house or external • Audit: • Risk governance/ownership - what is the appropriate level? • Independent audit process evaluates cybersecurity controls to • Strategy/Policies: detect weaknesses • Formal cybersecurity program established? • Resources: • Program evaluated and adjusted? • Qualified and skilled personnel • • Asset Management: Technology investment • Inventory – hardware, software, data • Effective integration • Supply chain security • OpEx budget • • Risk Management Program: Training and Culture: • Existing cyber risk assessment and analysis methodology • Ownership • Integration with operational risk assessment methodology • Communication • Education, Training and Awareness • Phishing and social engineering training • Effectiveness evaluation and adjustment • Accountability
Recommend
More recommend
