![Page 1: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/1.jpg)
Cyber Risk Management Solutions
Fall 2015
Thomas Compliance Associates, Inc. 2015
![Page 2: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/2.jpg)
Cyber Risk Management
• Examiners are raising the bar on Cyber Security compliance
• Result of the rapidly changing technological environment
• IT exams getting tougher because there is more technology risk than ever before
• The agencies' independent authority conducts audits of examiners' audit programs
• Agencies are making many changes to their exam procedures pursuant to those recommendations
![Page 3: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/3.jpg)
Cyber Risk Management
• The FFIEC realizes most banks rely on independent vendors for all or part of cyber risk management efforts
• Not all third-party vendors are regulated
• Not all vendors are the same in terms of appropriate security controls
• Agencies see advantages in standardizing expectations for Cyber Risk Management
![Page 4: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/4.jpg)
Cybersecurity Assessment Tool
• Released by the FFIEC on June 30, 2015
• Expectations are that the Board of Directors will use this tool to assess cybersecurity risk
• The Board is responsible for recognizing the cyber risks you are accepting and what mitigating controls are in place.
• Assessment Tool has two parts:
  o Part 1 - Inherent Risk Profile
  o Part 2 - Cybersecurity Maturity (mitigating controls)
![Page 5: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/5.jpg)
Cybersecurity Assessment Tool
Part 1 - Inherent Risk Profile
• Relies greatly on your ability to identify where sensitive customer data resides throughout your organization.
• Early stages indicate examiners will “take your word for it” provided you have documented that you have made a reasonable effort.
• Software is now available which can identify all NCI (Nonpublic Customer Information) wherever it resides on your various systems.
![Page 6: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/6.jpg)
Cybersecurity Assessment Tool
Part 1 - Inherent Risk Profile
• Examiners will quickly evolve and require you to be able to demonstrate, not guess, that you know the location of sensitive data.
• Also expect that when you get hacked (not if you get hacked) you know what information was stolen.
![Page 7: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/7.jpg)
Cybersecurity Assessment Tool
Part 2 - Cybersecurity Maturity
• Analyzes several factors to determine the controls and risk mitigating practices that are already being practiced
• Cybersecurity Preparedness includes:
  o Risk Management and Oversight
  o Threat Intelligence and Collaboration
  o Cybersecurity controls
  o External dependency management
  o Cyber incident management and resilience
![Page 8: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/8.jpg)
Cybersecurity Preparedness
• Risk Management and Oversight: Governance, allocation of resources, and training and awareness of employees
• Threat Intelligence and Collaboration: Gathering, monitoring, analyzing and sharing information from multiple sources on cyber threats and vulnerabilities
![Page 9: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/9.jpg)
Cybersecurity Preparedness
• Cybersecurity controls: A combination of preventive, detective or preventative
• External dependency management: Includes connectivity to third-party providers, business partners, customers or others and your institution’s expectations and practices to oversee these relationships
• Cyber incident management and resilience: Detection, response, mitigation, escalation, reporting and resilience
![Page 10: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/10.jpg)
Cybersecurity – Preparing for the Next IT Examination
• Board should be prepared to answer questions about information security during next IT exam
• Document the Board’s participation in training; use available FFIEC resources
![Page 11: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/11.jpg)
Cybersecurity – Preparing for the Next IT Examination
• Be able to exhibit that the Board and Management understand supervisory expectations and have a high awareness of cybersecurity risks (threats and vulnerabilities) and how that risk is mitigated
• IT Officer should have completed Cybersecurity Assessment Tool
• Documented, reasonable approach
• InfoGPS puts you half a step ahead of your examiners
![Page 12: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/12.jpg)
Cybersecurity and My Bank
Are you plugged into the Cloud?
![Page 13: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/13.jpg)
Cybersecurity and My Bank
Are you plugged into the Cloud?
• Google, Bing, Yahoo Search
• Social Media
• LexisNexis
• FinCEN
• Core Vendor Services
• Local IT Outsourcing
![Page 14: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/14.jpg)
Cybersecurity and My Bank
Are you plugged into the Cloud?
So are the Cyber Criminals
![Page 15: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/15.jpg)
Cybersecurity and My Bank
Are you plugged into the Cloud?
So are the Cyber Criminals
How do Banks Address this Risk?
![Page 16: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/16.jpg)
Cybersecurity and My Bank
• TCA addresses Cybersecurity in its IT Audit Program
• IT Audit is a Method of Measuring and Managing Risk
![Page 17: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/17.jpg)
IT Audit
Fundamental Components
• Risk Assessments
• Asset Management
• Confidential Data
![Page 18: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/18.jpg)
IT Audit
Examiners Now View the Enterprise Through a Cybersecurity Lens
![Page 19: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/19.jpg)
Examiner IT Audit Requirements
• Show me your IT Risk Assessment
• Show me your Enterprise Assets
• Show me where your Sensitive Information Resides
![Page 20: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/20.jpg)
Examiner IT Audit Requirements
• Show me your IT Risk Assessment
• Show me your Enterprise Assets
• Show me where your Sensitive Information Resides
Can Your Bank Respond to These Examiner Requirements?
![Page 21: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/21.jpg)
• Completes much of your IT Risk Assessment
  o Cyber-security Assessment Tool
• Inventories your Enterprise Assets (HW, SW, Applications)
• Identifies where your Customer Information Resides
• Monitors and Reports on the Creation and Movement of Sensitive Data
There is a Product that Addresses these Compliance Mandates!!!
![Page 22: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/22.jpg)
Back to the Future, an Old Requirement
Gramm-Leach-Bliley Act 1999 (GLBA)
Joint Release “Safeguarding of Customer Information”
FFIEC IT Handbook:
“Institutions may establish an information data classification program to identify and rank data, systems, and applications in order of importance. Classifying data allows the institution to ensure consistent protection of information and other critical data throughout the system. Classifying systems allows the institution to focus its controls and efforts in an efficient and structured manner.”
![Page 23: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/23.jpg)
2015 Cybersecurity Assessment Requirement
Page 22: IT Asset Management - Baseline
• An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
• Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value.
![Page 24: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/24.jpg)
Cybersecurity Assessment Tool Underscores Fundamentals.
• Cyber incident management and resilience
• External dependency management
• Cybersecurity controls
• Threat Intelligence and Collaboration
• Risk Management and Oversight
![Page 28: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/28.jpg)
Do the Fundamentals First: Know your IS Assets
An accurate knowledge of your IS Assets, specifically your data assets, is critical to perform ALL of the following:
• Compliance & Audit
• IS Risk Assessment
• Craft the Information Security Program
• Prepare for Business Resiliency
• Prepare for Incident Response
• Obtain favorably priced Cyber Security Insurance
• Properly educate your board
• Properly apply controls to protect your Data.
![Page 34: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/34.jpg)
Cybersecurity Summary
• FIs are critically dependent on IT to conduct business operations – there is increasing interconnectedness between different business sectors.
• Cyber threats are very rapidly evolving, and it is no longer a matter of those who have been hacked and those who haven’t
![Page 35: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/35.jpg)
Cybersecurity Summary
• Examiners now acknowledge all FIs have been or will be hacked – let that sink in for a minute!
• The difference will be those who know what data was compromised and those who do not
• Those who do not will be required to devote significant resources to determine what was lost, who was affected, and how to resolve enforcement actions and manage significant reputation risks. As a result you will see examiners establishing new standards for identification and management of Nonpublic Personal Information
![Page 36: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/36.jpg)
Cybersecurity Summary
Bottom Line
• The OCC (and all of the Regulatory Agencies) are reviewing and updating current guidance and examination procedures to align with changing cybersecurity risk
• Your choice of vendor for IT Audit is critical, and you must ensure the vendor is adjusting their audit approach to be consistent with the significant changes being made by examiners
• Your next IT examination will be tougher than any IT examination before it – your ability to exhibit an understanding of your risk and how you manage it is paramount
![Page 37: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/37.jpg)
Questions?
Please use the Chat feature to submit questions now!
![Page 38: Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015](https://reader034.vdocuments.mx/reader034/viewer/2022051305/5a4d1b747f8b9ab0599b6af3/html5/thumbnails/38.jpg)
TCA, Inc.
1-800-934-REGS
www.tcaregs.com
©2015 TCA, INC.