FFIEC Cybersecurity Assessment Tool Monday, April 6 Moderator: - - PowerPoint PPT Presentation

Moderator: Austin Kilgore, Editor in Chief, SourceMedia Mortgage Group Speakers: Michael G. Morgan, Of Counsel, Jones Day Ryan Smyth, Principal- Privacy and Data Security, Promontory Financial

FFIEC Cybersecurity Assessment Tool

Monday, April 6

Objectives

– Provide overview of the tool and its components – Help each of you understand how to use the tool to:

• assess the cyber risk of your organization
• the maturity of your security risk program

High Level Overview: What is the goal of a Cybersecurity Assessment?

What is the overallgoal of these CybersecurityAssessments?

• The Assessment has a heavy focus on CEO and Board level involvement, as well as tying controls to other FFIEC and NIST resources in order to

assemblea set of expectations for financialinstitutions based on their size and complexity.

• For institutions using the Assessment, management will be able to enhance their oversight and management of the institution’s cybersecurity by

doing the following:

• Identifyingfactors contributingto and determiningthe institution’s overallcyber risk.
• Assessingthe institution’s cybersecuritypreparedness.
• Evaluatingwhether the institution’s cybersecuritypreparednessis alignedwith its risks.
• Determiningrisk managementpractices and controls that are needed or need enhancement
• and actions to be taken to achieve the desired state.
• Informingriskmanagementstrategies.
• The tool enables the identification of an organizations inherent risk and provides a maturity rating across five different cybersecuritydomains.

High Level Overview of the Tool: Inherent Risk

Inherent Risk Profile: Cybersecurityinherentriskis the level of risk posed to the institution by the following:

• Technologiesand Connection Types
• Delivery Channels
• Online/MobileProducts and TechnologyServices
• OrganizationalCharacteristics
• ExternalThreats

The Inherent Risk Profile includes descriptions of activities across risk categories with definitions for the least to most levels of inherent risk. The profile helps management determine exposure to risk that the institution’s activities, services, and products individually and collectively pose to the institution.

Least Inherent Risk Minimal Inherent Risk Moderate Inherent Risk Significant Inherent Risk Most Inherent Risk

High Level Overview of the Tool: Cybersecurity Maturity

Cybersecurity Maturity: The Assessment’s second part is Cybersecurity Maturity, designed to help management measure the institution’s level of risk and corresponding

• controls. The levels range from baseline to innovative. Cybersecurity Maturity includes statements to determine whether an institution’s behaviors,

practices, and processes can supportcybersecuritypreparednesswithin the followingfive domains:

• Cyber Risk Managementand Oversight
• ThreatIntelligence and Collaboration
• CybersecurityControls
• ExternalDependencyManagement
• Cyber IncidentManagementand Resilience

The domains include assessment factors and contributing components. Within each component, declarative statements describe activities supportingthe assessmentfactor at each maturitylevel.

High Level Overview of the Tool: Cybersecurity Maturity

Cybersecurity Maturity:

• Perform an assessment of the five (5) Cybersecurity Maturity Domains: Rate each Component from Baseline to Innovative  all declarative

statements in each level and previous level must be met in order to achieve that domain’s maturity level  the Component rating will be generated  the Assessment Factor rating will be generated after completing all Component self-assessment  The Domain rating will be generated after all AssessmentFactors have been rated  the overall TotalMaturity score will adjustas each Domain is assessed

High Level Overview of the Tool: What’s it for?

What is the overallgoal of these CybersecurityAssessments?

• An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments

change.

• On an ongoing basis, management may use the Assessment to identify changes to the institution’s inherent risk profile when new threats

arise or when considering changes to the business strategy, such as expanding operations, offering new products and services, or entering into new third-partyrelationshipsthat supportcritical activities.

• In general, as inherentrisk rises, an institution’s maturitylevels should increase.

High Level Overview of the Tool: Cyber Maturity Process

Cyber Maturity is a Traditional Knowledge Management Activity:

• Data is Collected
• Data is Processed into Information
• Information is Rationalized as Knowledge
• Knowledge Informs Action

Deeper Dive Into the Tool: Case Example “Bank of ABCD”

Current State: What does this bank look like:

• Characteristics:
• Small to medium mortgage lender
• Number of staff? (75-100)
• Turnover? (The independent mortgage banks are showing greater turnover than the average at around 30% but this is still below historical

averages, and the bank-affiliated lenders are showing much lower than average turnover at around 10%)

• Location and geographic spread? (Northeast Region specialty MA)
• Governance:
• Board of directors
• Technology governance
• Risk governance
• Online presence:
• Website
• Social media? (Basic LinkedIn Profile and Twitter/Facebook Profiles)
• Customer applications – access to loan data, online servicing
• Reliance on third party providers for processing

Cyber Threat Concerns:

• Security Posture:
• Information security officer?
• Security operations – in-house, outsourced
• Threat awareness
• Security incidents:
• Physical – theft
• Fraud attempts
• Phishing attempts
• Spear-phishing?
• Social engineering
• Denial of Service
• Website defacement?
• Hacking attempts?

Deeper Dive: Assessing Risk

Risk analysis factors:

• Issue: organizations might not have a clear idea of the scale of their exposure in certain areas, for example:
• Technologies and Connection Types:
• Unsecured external connections
• Wireless network access points
• Personal devices on corporate network
• Third parties on corporate network
• Third parties storing or processing data off site
• Internally hosted and developed or modified vendor applications supporting critical activities
• Internally hosted, vendor applications supporting critical activities
• User-developed technologies and user computing that support critical activities (includes MS Excel spreadsheets, Access databases or
• ther user-developed tools)
• Open Source Software
• Cloud computing exposure

How do we measure these?

• Expertise:
• Subject matter experts from across the institution who can

provide input

• Independent assessment is very useful (FFIEC CAT, SANS CSC,

NIST CF, etc.)

• Internal audit or external specialist
• Process:
• Incremental approach is better than no approach (start small)
• Working groups
• Workshops
• Data gathering:
• Honest appraisal
• How to deal with the known unknowns

Deeper Dive: Assessing Risk

Risk analysis factors:

• Issue: organizations might not have a clear idea of the scale of their exposure in certain areas, for example:
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics:
• Changes in IT and security staffing
• Privileged access
• External Threats

How do we measure these?

• Some aspects should be more straightforward (Delivery Channels)
• Will still require in-depth institutional knowledge
• Process:
• Incremental approach is better than no approach (start small)
• Working groups
• Workshops
• Data gathering:
• Honest appraisal
• How to deal with the known unknowns – External Threats

Deeper Dive: Determining Maturity

Organizational Cyber Maturity Issues by Domain - Governance

• Oversight:
• Management responsibility and accountability
• Expertise/resources -in-house or external
• Risk governance/ownership - what is the appropriate level?
• Strategy/Policies:
• Formal cybersecurity program established?
• Program evaluated and adjusted?
• Asset Management:
• Inventory – hardware, software, data
• Supply chain security
• Risk Management Program:
• Existing cyber risk assessment and analysis methodology
• Integration with operational risk assessment methodology

Organizational Cyber Maturity Issues by Domain – Governance continued

• Audit:
• Independent audit process evaluates cybersecurity controls to

detect weaknesses

• Resources:
• Qualified and skilled personnel
• Technology investment
• Effective integration
• OpEx budget
• Training and Culture:
• Ownership
• Communication
• Education, Training and Awareness
• Phishing and social engineering training
• Effectiveness evaluation and adjustment
• Accountability

Deeper Dive: Determining Maturity

Bank of ABCD- Governance

• Oversight:
• Management responsibility and accountability – no clear lead for cybersecurity at Board level
• Expertise/resources -IT staff
• Risk governance/ownership – process unclear, lack of ownership
• Strategy/Policies:
• Formal cybersecurity program established - no
• Program evaluated and adjusted - no
• Asset Management:
• Inventory – incomplete, paper-based (Excel spreadsheets), no process for updating in real time
• Supply chain security - not a major concern
• Risk Management Program:
• Existing cyber risk assessment and analysis methodology - reactive, based on high-profile vulnerabilities
• Integration with operational risk assessment methodology – operational risk takes priority

Bank of ABCD– Governance continued

• Audit:
• Independent audit - focused on operations
• Resources:
• Qualified and skilled personnel – IT staff, audit
• Technology investment – reactive, limited budget
• Effective integration - limited
• OpEx budget – mismatched to CapEx, with resulting inability to

maximize technology investment potential

• Training and Culture:
• Ownership –loose, lack of senior grip
• Communication – limited to acceptable use policies
• Education, Training and Awareness – online annual training for

security

• Phishing and social engineering training – implemented or

being considered

• Effectiveness evaluation and adjustment – training completion

monitored

• Accountability – limited to certain roles (which ones?)

Deeper Dive: Determining Maturity

Organizational Cyber Maturity Issues by Domain – Threat Intelligence and Collaboration

• Threat intelligence:
• Resources
• Monitoring and Analyzing:
• Security event logs reviewed and secured
• Evaluation
• Integration of internal and external information
• Information sharing:
• Usability
• Automation

Bank of ABCD– Threat Intelligence and Collaboration

• Threat intelligence:
• Resources – IT staff, FS ISAC, InfraGuard?
• Monitoring and Analyzing:
• Security event logs reviewed and secured – limited capacity;

logs only reviewed following an incident; logs insecure

• Evaluation – IT staff, security officer
• Integration of internal and external information – IT staff,

security officer

• Information sharing:
• Usability - limited
• Automation – almost certainly not

Deeper Dive: Determining Maturity

Organizational Cyber Maturity Issues by Domain – Cybersecurity Controls

• Infrastructure:
• Perimeter defenses
• Network separation and segmentation
• Malware detection and management
• Defense in depth
• Access and Data Management:
• Identity management
• Access controls/Authentication
• Management of privileged accounts
• Data classification
• Data Leakage Protection
• Device security:
• PCs
• Laptops
• Mobiles
• BYOD

Organizational Cyber Maturity Issues by Domain – Cybersecurity Controls continued

• Secure coding:
• Development environment
• Security testing
• Approval to operate
• Detective controls:
• Vulnerability scanning
• Independent testing
• Anomalous activity
• Audit
• Event detection
• Corrective controls:
• Patch management
• Remediation

Deeper Dive: Determining Maturity

Bank of ABCD– Cybersecurity Controls Infrastructure:

• Perimeter defenses - firewalls
• Network separation and segmentation - no
• Malware detection and management – anti-virus deployed on servers and clients
• Defense in depth – some, limited

Access and Data Management:

• Identity management – basic, not centrally managed
• Access controls/Authentication – basic, weak passwords tolerated or not subject to audit
• Management of privileged accounts – yes, but no regular review & cull
• Data classification – Personally Identifiable Information, Company Confidential
• Data Leakage Protection – some capability integrated with Anti-Virus provision

Device security:

• PCs – AV, Windows Defender, possibly encryption
• Laptops – BitLocker?
• Mobiles – MDM solution?
• BYOD – personal devices used for some business applications (e.g. email)

Bank of ABCD– Cybersecurity Controls continued

• Secure coding:
• Development environment – segregated from production

environment?

• Security testing – limited
• Approval to operate – IT staff
• Detective controls:
• Vulnerability scanning – some, irregular or infrequent, limited

to core network or applications

• Independent testing – some, for high-risk systems
• Anomalous activity – unlikely to be easily detected
• Audit – limited to operations
• Event detection – only if adverse effects become apparent
• Corrective controls:
• Patch management – no comprehensive program, patching not

timely unless newsworthy

• Remediation – ad hoc; legacy systems in use with known

vulnerabilities

Deeper Dive: Determining Maturity

Organizational Cyber Maturity Issues by Domain – External Dependency Management

• Connections:
• External connections are mapped and understood
• Data flows
• Relationship management:
• Due diligence
• External partners cybersecurity controls meet defined standards
• Contracts:
• Security requirements are stipulated in contracts
• SLAs require timely notification of incidents
• Monitoring:
• Identification of legacy relationships that don’t meet current standards
• Right to monitor/assurance of controls
• On-site inspections/reviews

Bank of ABCD– External Dependency Management

• Connections:
• External connections are mapped and understood – almost

certainly not

• Data flows – limited to some core operational functions
• Relationship management:
• Due diligence – now applied for high-risk vendors but this is

limited; substantial legacy issue

• External partners cybersecurity controls meet defined standards
• limited; standards not adequately defined
• Contracts:
• Security requirements are stipulated in contracts – yes, but a

recent development; substantial legacy issue

• SLAs require timely notification of incidents – limited to recent

contracts

• Monitoring:
• Identification of legacy relationships that don’t meet current

standards – limited by resourcing constraints

• Right to monitor/assurance of controls – for recent contracts
• nly
• On-site inspections/reviews – recently in place for high-risk or

critical vendors

Deeper Dive: Determining Maturity

Organizational Cyber Maturity Issues by Domain – Cyber Incident Management and Resilience

• Incident Resilience Planning and Strategy:
• Plans exist!
• Communications plan
• Response team identified
• Regular back-ups (back-ups are tested)
• Plans are regularly tested
• Strategy, plans and testing is integrated with Business Units
• Detection, Response and Mitigation:
• Incidents are detected
• Incidents are categorized and prioritized
• Appropriate resources – e.g. forensic capabilities
• Response plans are activated at appropriate triggers
• Incidents are contained
• Communication and collaboration
• Escalation and Reporting:
• Escalation criteria
• Senior management and Board roles and responsibilities

Bank of ABCD– Cyber Incident Management and Resilience

• Incident Resilience Planning and Strategy:
• Plans exist – some, limited, IT department-focused
• Communications plan – calling tree
• Response team identified – IT staff
• Regular back-ups (back-ups are tested) – yes (but testing

irregular, ad hoc)

• Plans are regularly tested – not regularly, or recently
• Strategy, plans and testing is integrated with Business Units - no
• Detection, Response and Mitigation:
• Incidents are detected – known malware and basic phishing yes;
• therwise, only when adverse impacts are apparent
• Incidents are categorized and prioritized - no
• Appropriate resources – e.g. forensic capabilities – very limited,

IT staff

• Response plans are activated at appropriate triggers – response

sophistication is limited to ‘all or nothing’

• Incidents are contained – limited capability
• Communication and collaboration - limited
• Escalation and Reporting:
• Escalation criteria – limited to regulatory obligations
• Sr. mgmt. and Board roles and responsibilities – crisis mode only

Completing the Assessment: Documenting the Results

What do the results look like? A self-assessment approach by a financial institution:

Completing the Assessment: Documenting the Results

What do the results look like? Inherent Risk:

Completing the Assessment: Documenting the Results

What do the results look like? Maturity:

Completing the Assessment: Documenting the Results

The Cybersecurity Assessment Tool is not a replacement for any current risk management process; it’s an addition to current Information Security Program processes that ensures financial institutions have adequate controls in place to mitigate the risk of cyber-specific threats. Yet, when completing the CAT, you will run into challenges and questions:

• Inherent Risk:
• Many of the risk statements are purely quantitative.
• Is this really an accurate assessment of risk or a measurement of the attack surface?
• How to quantify, define, and know external threats.
• Maturity:
• Many of the statements are subjective and/or are open to interpretation in terms of the quality of the activity taking place.Statements

require effective and accurate judgment.

• Institutions are defensive about how good their security controls actually are. There are many vested interests.

Completing the Assessment: Documenting the Results

Ok, so we’ve done our assessment. What do we now do with the results:

• Inherent Risk:
• Recognize limitations – quantification of attack surface only (not a thorough risk analysis)
• Integrate better threat data:
• Identify likely threat actors
• Assess insider threat
• Motivation
• Capability
• Likelihood
• Revise regularly:
• Threats evolve
• New vulnerabilities emerge

Ok, so we’ve done our assessment. What do we now do with the results:

• Maturity:
• How aligned is this with risk?
• Are there domains which are unaligned (spikes or dips)?
• Can we identify specific issues?

Operationalizing the Cyber Assessment Tool: Putting the CAT to work for you

• Immediate Benefits:
• A risk quantification
• A maturity assessment to communicate to senior managers
• Identification of high-level organizational cybersecurity issues
• A regulatory response
• A basis for a cybersecurity program:
• Cybersecurity is a process – need to start from somewhere
• You need a program based on recognized standards or frameworks
• There are some basics. If you don’t have these, it’s hard to develop the rest
• Senior ownership and effective governance
• Roles and responsibilities
• An understanding of the assets
• A process for identifying and prioritizing the risks
• Resources – staff, expertise, budget
• Relationships – collaboration, external support

Ongoing Monitoring

What do the results look like?

• Sample Monitoring of Program Deliverables (Red, Amber, Green). Dashboard for reporting to Senior Management and the BoD.:

Sample Bullet Slide

Sample slide with bullet points.

• Bullet point one
• Bullet point two
• Bullet point three
• Sub bullet point a

Sample Bullet Slide

Sample slide with bullet points.

• Bullet point one
• Bullet point two
• Bullet point three
• Sub bullet point a

FFIEC Cybersecurity Assessment Tool Deep Dive Workshop

May 12th, 2016 Dallas Texas

Presented by

Join MBA and leading cybersecurity experts for an exhaustive and interactive conversation

• n how to successfully implement and use the tool for your unique business needs.

Special Promo Code: FFIECWorkshop