IT Examinations and Best Practices for Senior Management and the Board

Susan Orr

Susan Orr Consulting, Ltd.

CISA, CISM, CRISC, CRP


Genesis of the Examination

  • EDP

  • IS (Information Systems)

  • IT (Information Technology)

What is the best title?


Traditional IT Areas

  • GLBA compliance

  • IT management

  • Audit

  • Security and controls

    • Network

    • Operations

  • Business Continuity

  • Incident Response

  • Vendor Management

  • EFT/Payment Systems


Traditional IT Areas

  • IT Management

    • Oversight

    • Reporting

    • IT Steering Committee

    • IT Strategic Planning

  • Audit

    • Expertise

    • Content

    • Independence

    • Follow-up


Traditional IT Areas

  • Security and Controls

    • User Profiles

    • Access Controls

    • Activity Monitoring

    • Internal Logical

    • Perimeter Logical

    • Internal Physical

    • Perimeter/External Physical

    • Policies/Procedures


Policies/Plans/Programs

  • Policies

    • ACH

    • Wire Transfer

    • Internet Banking

    • Remote Deposit

  • Plans/Programs

    • Information Security

    • BCP

    • Incident Response

    • Vendor Mgmt

    • Acceptable Use

    • Technology


Information Security/GLBA

  • 501(b) – Requires agencies to establish standards for administrative, technical and physical safeguards to:

    • Protect against any anticipated threats or hazards to the security or integrity of such records

    • Ensure the security and confidentiality of customer records and information

    • Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer


Interagency Guidelines

  • Interagency Guidelines Establishing Standards for Safeguarding Customer Information

    • FDIC CFR Part 364, Appendix B

    • FRB CFR Part 208, Appendix D-2

    • OCC CFR Part 30, Appendix B

    • NCUA CFR Part 716


Updates to GLBA and Related Regs

  • FACTA - 2003

  • Small Entity Guidance

  • US PATRIOT ACT

  • Sarbanes Oxley

  • State Data Protection Laws

  • ID Theft Red Flags

  • PCI

  • Various Interagency and agency specific guidance


IT vs. Enterprise-wide

  • GLBA and information security aren’t just an IT issue – they are an organizational responsibility.

  • It requires board involvement – a top down approach is imperative


501(b) Mandated Interagency Guidance

  • The Interagency Guidelines require banks to implement a comprehensive written information security program

    • The information security program must include:

      • Administrative safeguards

      • Technical safeguards

      • Physical safeguards

    • Safeguards may be appropriate to

      • Size and complexity of institution

      • Nature and scope of activities performed


Written Information Security Program

  • An information security program is a regulatory requirement and should integrate existing policies, procedures, and controls with management practices in an overall plan for the protection of personal information


Information Security Program

  • Policy Statement/Compliance with Laws and Regs

  • Definition of Security

  • Objectives

  • Responsibilities

    • Board, Senior Mgmt

    • Others

  • Delegation of ISO

  • Risk Assessment

  • Risk Mitigation/Key Controls

  • Testing of Key Controls

  • Disposal of Confidential Information

  • Business Continuity

  • Incident Response

  • Vendor Mgmt

  • Updating/Revising

  • Reporting to Board


Recent Guidance Released

  • June 28, 2011 Authentication in an Internet Banking Environment – Supplement

  • April 9, 2012 Appendix D: Managed Security Service Providers (Outsourcing Technology Services Booklet)

  • July 10, 2012 Cloud Computing Information Paper

  • October 31, 2012 Revised TSP Booklet

  • January 22, 2013 Proposed Social Media Guidance


Authentication Supplement

  • Account Takeover/ACH & WT Online Fraud

    • Hillary Machine

    • Experi-Metal (EMI)

    • Patco

    • Village View Escrow

    • Choice Escrow


How?

  • Malware

    • Phishing emails

    • Smishing

    • Vishing

  • Compromised email accounts

  • Social engineering

  • Remote login software


FFIEC Authentication Guidance

  • September 2005, Guidance

  • June 2011 Supplement

    • Reinforce Sept. 2005 Guidance’s risk management framework and update regulator’s expectations regarding customer authentication, layered security, or other controls

      • Risk assessment

      • Authentication strategies/layered security

      • Customer awareness education

    • Identifies specific minimum elements that should be part of a customer awareness and education program


Appendix D: Managed Security Service Providers

  • Use of outsourced security management

  • Engagement

    • Agreed upon SLA in contract

    • Strategies for transparency and accountability

      • Regular communication

        • Change control

        • Problem resolution

      • Descriptions of logical and physical controls

    • Periodic reviews of MSSP processes, infrastructure, and controls


Types of MSSPs

  • Firewall

  • IDS

  • VPN

  • Event Log Management

  • Antivirus

  • Web Content Filtering

  • Patch Management and Security Software Management

  • Incident Response and Management

  • Data Leak Prevention

  • Secure Messaging

  • Consulting

    • Pen testing

    • Vulnerability assessments

    • Compliance tools

    • Training


Types of MSSPs

  • Full Outsourcing

    • Manage all connections

    • Manage network

    • Update rules on devices

    • Analyze data and escalate responses

    • Provide reports and alerts

  • Co-Managed

    • Client owns equipment

    • Security event monitoring tools and data loss prevention

    • After-hours IDS/IPS event reporting


Types of MSSPs

  • Split Processing

    • MSSP monitors devices

    • Vulnerability assessments

  • Consulting

    • Risk assessments

    • Initial system configuration

    • Policy formulation

    • Information Security compliance

    • Forensics

    • Pen testing

    • Social engineering testing

    • Physical security

    • Management reporting


Cloud Computing


Key Elements of the FFIEC Document

  • Due Diligence

  • Vendor Management

  • Audit

  • Information Security

  • Legal, Regulatory, and Reputation Considerations

  • Business Continuity Planning


Cloud Defined

  • Definition – cloudy at best

    • Virtual servers available over the Internet

    • Anything you use outside of the firewall

    • Using resources, networks, servers, software, storage, services basically over the Internet (Web based products/services)

    • “Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google


Supervision of Technology Service Providers

  • FFIEC October 2012

    • Examination program

      • Examination process

      • Examiner responsibilities

      • Frequency


Proposed Social Media Guidance

  • “Institutions will be expected to use the guidance in their efforts to ensure that policies and procedures provide oversight and controls commensurate with the risks posed by social media activities”


Principal Elements of Guidance

  • Address increased risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk

  • Financial Institution Use

  • Employee Use

  • Controls


Governance

  • Strategic plan

    • Aligns and contributes to strategic goals of FI

  • Policies

  • Procedures

  • Monitoring

  • Controls


Expectations

  • Even if you don’t have a social media site, you still need to be prepared to address:

    • Potential for negative comments and complaints

    • Provide guidance for employee use of social media


Findings

  • Information Security Program

  • Independence of the ISO

  • Incident Response Plan

  • Vendor Management

  • Data Loss Prevention

  • Enterprise-wide Information Security Risk Assessment


Information Security Program

  • Written Program

    • Summary of bank’s program, not reiteration of the FFIEC ISP requirements

  • Controls

    • Review of user profiles

    • Access based on least

  • Report to the Board

    • Content too brief


ISO

  • Lack of Independence

    • Should not be an IT production resource

  • Lack of knowledge/expertise


Incident Response Plan

  • Plans are not detailed enough

  • Need a designated Incident Response Team

  • Need to specifically identify the types of incidents (technical and non-technical)

  • Need to note how the institution would be made aware of each incident

  • Need to provide specific steps for how to respond to each identified incident


Vendor Management

  • Big Focus on Vendor Management Program

    • Detailed written program

      • Responsibilities

      • Risk assessment

      • Explanation of risk criteria and ratings

      • Due diligence process

      • Contracting process

      • Ongoing monitoring and oversight

    • Too IT-oriented and not enterprise-wide

    • Focused only on mission criticality


Enterprise-wide vendor relationships (diagram, flattened): the vendor management program has to cover every business line, not only IT

  • Operations (wires, ACH, ATM, Core)

  • IT

  • HR/Payroll processor

  • Trust

  • Cash Management

  • Law Firms

  • Marketing

  • Facilities/Security Company

  • Accounting

  • Lending


Classification Factors

  • Mission critical

  • Access to sensitive or confidential information

  • Information controlled by service provider

  • Volume of transactions

  • New activity for institution

  • New provider

  • Markets products or services

  • High risk activities


Data Loss Prevention

  • Data Leakage – NPI leaving bank

  • Need to develop comprehensive data loss prevention strategy integrating various components/devices and other methods of unauthorized disclosure of NPI.

    • USB, mobile devices

    • Email, fax

    • File transfer

    • Hard copy


Data Loss Prevention

  • Encryption

  • Secure file transfer

  • Restricted use of USB and portable devices

  • Restricted remote access

  • Acceptable Use for copying and removing documents from bank

  • Guidelines for mobile devices and BYOD

  • Email content filtering


Enterprise-wide Information Security Risk Assessment

  • Not Comprehensive

    • Identification of threats/risk

    • Identification of controls

  • Not Enterprise-wide, only focused on IT

  • No Validation of the Effectiveness of the Controls

  • No Definitions for Risk Rating Factors

  • Consider interconnectivity of information assets, vendors or components that store, transmit, or transfer information


Risk Assessment Process

Process diagram, flattened: Identify & Classify Assets → Threats → Vulnerabilities → Probabilities → Impact → Inherent Risk → Controls → Validation of Effectiveness → Residual Risk → Gap Analysis → Assessment
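The findings on the previous slide (no definitions for risk rating factors, no validation of control effectiveness, IT-only scope) and the process diagram above map onto a small risk register. The following is an added example, not material from the presentation or from Susan Orr Consulting, that walks the diagram end to end: rating scales are defined explicitly and enforced, inherent risk is probability times impact, a control only reduces risk when its effectiveness has been validated, and the gap analysis flags residual risk above a tolerance. The scales, tolerance, assets, threats and controls are constructed for the example.

```python
"""Worked enterprise-wide information security risk assessment following the
slide's process: assets -> threats/vulnerabilities -> probability and impact
-> inherent risk -> controls -> validation of effectiveness -> residual risk
-> gap analysis. Added example, not from the presentation; scales, tolerance,
assets and controls are constructed."""
from dataclasses import dataclass, field

# Explicit definitions for the rating factors (addresses the "no definitions" finding)
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
RISK_TOLERANCE = 6  # constructed: residual scores above this are gaps to escalate to the board


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # scale points removed from likelihood
    impact_reduction: int = 0       # scale points removed from impact
    validated: bool = False         # effectiveness tested (audit, pen test, review)


@dataclass
class Risk:
    asset: str
    owner: str                      # business line that owns the asset, not only IT
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Ratings outside the defined scales are rejected rather than silently scored
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must use the defined 1-5 scales")


def inherent_risk(r: Risk) -> int:
    """Probability x impact before any control is considered."""
    return r.likelihood * r.impact


def residual_risk(r: Risk) -> int:
    """Only controls whose effectiveness was validated earn credit."""
    lik, imp = r.likelihood, r.impact
    for c in r.controls:
        if not c.validated:
            continue
        lik = max(1, lik - c.likelihood_reduction)
        imp = max(1, imp - c.impact_reduction)
    return lik * imp


def gap_analysis(risks: list) -> list:
    """One register row per risk with the figures a board report needs."""
    rows = []
    for r in risks:
        res = residual_risk(r)
        rows.append({
            "asset": r.asset,
            "owner": r.owner,
            "inherent": inherent_risk(r),
            "residual": res,
            "gap": res > RISK_TOLERANCE,
            "unvalidated_controls": [c.name for c in r.controls if not c.validated],
        })
    return rows


# Constructed register spanning several business lines, not just IT
SAMPLE_RISKS = [
    Risk("Wire transfer system", "Operations", "Account takeover via stolen credentials",
         "Single-factor login", 4, 5,
         [Control("Multi-factor authentication", likelihood_reduction=2, validated=True)]),
    Risk("Payroll processor (vendor)", "HR", "Breach at service provider",
         "NPI stored outside the bank", 3, 4,
         [Control("Annual review of vendor SOC report", likelihood_reduction=2, validated=False)]),
    Risk("Public marketing website", "Marketing", "Defacement",
         "Unpatched CMS", 3, 2,
         [Control("Web application firewall", likelihood_reduction=1, validated=True)]),
]


if __name__ == "__main__":
    for row in gap_analysis(SAMPLE_RISKS):
        print(row)
```

The payroll row is the one worth studying: its inherent and residual scores are equal because the only control listed has never been validated, so the register shows the gap and names the untested control instead of letting a paper control hide the exposure.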


Mobile

  • Internal Use

  • Customer Use


Internal

  • Smartphone, BlackBerry, iPad

    • BYOD

    • Bank Owned


Internal Use

  • Risk Assess

  • Policy and use guidance

  • Controls

    • PIN/Passcode

    • Encryption

    • Firewalls

    • Antivirus

    • Connectivity restrictions

    • App installation restrictions


Customer Use

  • Mobile Banking

  • Consumer Capture


Customer Use Risks

  • Weaker ties to customers than with merchants

  • Consumers are more mobile

  • Deposits made from mobile phones make it harder to find the fraudster

  • Printing fraudulent checks and depositing them: security ink and watermarks might not be present or viewable on the image

  • Duplicate deposits

  • Using default passwords on the device, or no password at all

  • Not installing security updates or software patches

  • Unsecured Wi-Fi connections


FDIC Supervisory Insights Winter 2012


Customer Use Controls

  • IT Strategic Plan

  • Risk Assessment

  • Policy

  • Business continuity plan

  • Incident response plan

  • Vendor management

  • Procedures

    • Marketing

    • Enrolling customer

    • Registration, activation

    • Account management

      • Monitoring user activity and security reports

    • Deactivation of user


Customer Use Controls

  • Know Your Customer

  • Implement a customer agreement specific for the product

  • Customer opt in/enroll

  • Set limits

  • Strong authentication/MFA

  • Encryption/secure sessions

  • Monitoring/auditing of transactions and activity

  • Implement back office fraud detection

  • De-activation procedures

  • Secure the downloaded application to protect it from being manipulated


FDIC Supervisory Insights Winter 2012


Mobile

  • No regulatory guidance…yet


Cyber Security Attacks

  • DDoS Attacks

    • September 11, 2013 – Threat of new attack

    • August 2013: New DDoS Fraud Link

    • June 2013: Another Version of DDoS Hits Bank

    • June 2013: OCC Sees Cybersecurity as Fastest Growing Risk to Banks


DDoS


OCC Concerns

  • Mobile Computing/BYOD

  • Cloud Computing

  • Outsourcing

  • Big Data

  • Sophistication of attacks

  • Expect it to get worse before it gets better


Laws that Govern

  • GLBA

  • SOX

  • FCRA

  • FTCA

  • Bank Services Company Act

  • State Data Security Laws

  • Executive Order

  • Cyber security bills

  • PCI – Industry Standards

  • FFIEC guidance


Summary

  • There are some standard examination protocols

  • There will be variations depending on the examiner and the agency


Questions?

Susan Orr, CISA, CISM, CRISC, CRP

Susan Orr Consulting, Ltd.

630.499.0276

www.susanorrconsulting.com

[email protected]
