Lecture Materials
MANAGING SECURITY RISK IN BANKING
Kevin Streff, Professor of Cybersecurity, Dakota State University
[email protected], 605-270-0790
&
Founder, SBS Cybersecurity, LLC
[email protected], 605-270-0790
August 9 - 11, 2017
IT Risk Assessment
2017 Graduate School of Banking at University of Wisconsin
Dr. Kevin Streff, Founder: SBS Cybersecurity, LLC, www.sbscyber.com
Goals
• Understand the top risk assessment issues that cause problems and inefficiencies
• Learn to expand and mature risk assessment programs: IT risk assessment, Corporate account assessments (CATO), Enterprise Risk Management, BSA Risk Management
• Watch how leading tools enable quicker and better risk assessment
• Review risk assessment best practices
Regulator Requirements: Gramm‐Leach‐Bliley Act
• Gramm‐Leach‐Bliley Act requires you to develop and implement an Information Security Program and conduct Risk Assessments.
• A comprehensive written information security program defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a bank’s operations and the nature and scope of its activities.
• Prior to implementing an information security program, a bank must first conduct a risk assessment which entails:
1) Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems (the slide follows the NCUA wording, “member information”; the banking agencies’ Interagency Guidelines say “customer information”).
2) Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the customer information.
3) Assessment of the sufficiency of the policies, procedures and customer information systems in place to control the identified risks.
Gramm‐Leach‐Bliley Act
• Management must develop a written information security program
• What is the “M” in the CAMELS rating? Management. Don’t just do good security things, have a well managed program
• Don’t rely on individual heroism, have a well managed program
The Information Security Program is the way management demonstrates to regulators that information security is being managed at the financial institution
Gramm‐Leach‐Bliley Act
• Gramm‐Leach‐Bliley Act requires your financial institution to develop and implement 1) an Information Security Program and 2) Risk Assessments
• Information Security Program: Defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a financial institution’s operations and the nature and scope of its activities.
• Risk Assessment Program: Prior to implementing an information security program, a financial institution must first conduct a risk assessment
Layered Information Security Program
I.T. Risk Assessment, Asset Management, Vendor Management, Penetration Testing, Vulnerability Assessment, Security Awareness, Business Continuity, Incident Response, I.T. Audit
Documentation
Boards & Committees
©2016 Secure Banking Solutions, LLC
Question
What is the OUTCOME of good IT risk assessment?
Exercise 1 – Allocating Resources
Exercise 1
• Your bank has $25,000 of additional spending to put towards security in 2017.
• You were just provided the chart
• How would you allocate the $25,000?
Maturing Your Risk Assessment
Bank: Internal & External; System & Organizational
Third Party Vendors: Business Partners; Downstream Partners
Commercial: Merchant; Correspondent Banking; ACH Origination
Enterprise Risk
Bank Secrecy Act
Cyber Risk
Capability Maturity Model
(The deck numbers the five CMM levels 0 to 4 rather than the usual 1 to 5.)
Level 0 – Initial: processes are ad hoc, if any process exists at all
Level 1 – Repeatable: processes are documented and practiced
Level 2 – Defined: processes are consistent and known within the organization
Level 3 – Quantitatively Managed: processes are measured quantitatively and evaluated
Level 4 – Optimized: processes continually improve with new technologies or methods
[Chart: Level of Assessment (CMM Levels 0 to 4) plotted against Level of Risk (Low / Medium / High), with a goal marked for Bank Threats, 3rd Party Threats and Commercial Threats]
Bank Assessments
What is IT Risk Assessment?
“The evaluation of the risks to information resources to determine adequacy of current controls so that management can allocate resources” ‐ Streff, 2017
Exercise 2 – Reviewing a Risk Assessment
Traditional IT Risk Assessment Process
View Core Processor example in attached spreadsheet

| Asset | Value | Threat | Likelihood | Impact | Control(s) | Overall Risk Rating |
|---|---|---|---|---|---|---|
| Core Processor | High | Unauthorized User Access | High | High | Password Controls; Physical Access; End-User Responsibilities; Access Controls; Insurance | High |
| | | Unauthorized Physical Access | Low | Medium | Motion Sensors and Alarm System; Security Cameras; Control Authorized Use; Hardware Security; Physical Security | Medium |
| | | Unauthorized Viewing | Medium | Medium | Screen Savers; Privacy Screens | Medium |
| | | Electrical Anomalies | Medium | High | Electrical Services Contingency Plan; Physical Security | High |
| | | Hardware Failure | Medium | High | Data Integrity; Bank Processing Hardware; EDP Contingency Procedures | High |
| | | Software Failure | Medium | High | Data Software Availability; Bank Processing Software; Incident Response Plan; Host Processing Systems; Software Security; Data and Software Availability | Medium |
| | | Media Failure | Medium | Low | Data Integrity; Disaster Recovery; Data and Software Availability | Low |
| | | Communications Failure | Low | Medium | Telecommunications Services | Low |
| | | Natural Disaster | Low | High | Contingency and Business Resumption Plan; Data Integrity; Incident Response Plan; Insurance | Medium |
| | | Other Disasters | Low | High | Contingency and Business Resumption Plan; Data Integrity; Fire Control; Incident Response Plan; Insurance | Medium |
| | | Malicious Software | Low | Medium | Anti-Virus/Malware Software Protection | Medium |
| | | User Error | Medium | Low | Dual Control Procedures | Low |
| | | Accidental Disclosure, Social Engineering | Medium | Medium | Dial-up Access; Encryption; Information Requests; File Transfers | Medium |
| | | Fraudulent Transactions | Medium | High | Separation of Duties; System Activity Logs | Medium |
| | | Maintenance Error | Medium | Low | Modifications; Modification Procedures; Software Change Control; Host Processing Systems | Low |
| | | Improper Use | Medium | Medium | System Activity Logs; Modifications, Dual Control Procedures; Acceptable Use | Medium |
Exercise 2 ‐ Instructions
• What do you agree with?
• What do you disagree with?
• What story is this risk assessment telling?
• How would the bank allocate resources if you provided them with this assessment?
Risk Assessment is:
A management process to identify, measure, mitigate and monitor to allocate resources
5 Step IT Risk Assessment Process
Step 0 – Inventory
Step 1 – Risk Identification
Step 2 – Risk Measurement (Inherent Risk)
Step 3 – Risk Mitigation (Residual Risk)
Step 4 – Risk Monitoring
5 Step IT Risk Assessment Process
Step 1 – Inventory: Identify all assets, vendors and service providers
Step 2 – Develop Priorities: Protection Profile (CIAV)
Step 3 – Identify Threats: What are the threats to each asset (including impact and probability of each threat)? (Inherent Risk)
Step 4 – System Controls: What system safeguards does the bank want to implement? (Residual Risk)
Step 5 – Demonstrate Compliance: Reporting; Improve the process; Document Residual Risk
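An added worked example, not code from the deck or from SBS, that ties the Core Processor spreadsheet of Exercise 2 to the inherent-to-residual flow of the five-step process. It scores each row as likelihood × impact (Risk Measurement), applies a control-effectiveness factor to get a residual figure (Risk Mitigation), and then does what Exercise 2 asks: compares the deck’s stated “Overall Risk Rating” with the computed inherent rating and flags rows that cannot be explained by the likelihood and impact shown. The 1..3 ordinal scale, the banding of the product into Low/Medium/High, and the control-effectiveness fraction are assumptions for this example; the deck gives only the labels. The rows are transcribed from the table above.

```python
from dataclasses import dataclass

# Ordinal scale assumed for this example; the deck only shows the labels.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class ThreatRow:
    threat: str
    likelihood: str
    impact: str
    stated_rating: str  # "Overall Risk Rating" column as printed in the deck


def inherent_score(likelihood: str, impact: str) -> int:
    """Step 2, Risk Measurement: likelihood x impact before any control is credited (1..9)."""
    return LEVEL[likelihood] * LEVEL[impact]


def to_label(score: int) -> str:
    """Assumed banding of the 1..9 product: 1-2 Low, 3-4 Medium, 6-9 High."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def residual_score(inherent: int, control_effectiveness: float) -> int:
    """Step 3, Risk Mitigation: controls can only remove risk, never add it.

    control_effectiveness is the assumed fraction of inherent risk the controls
    take away (0.0 = no effect, 1.0 = fully mitigated). The result is clamped so
    residual risk is never below 1 and never above the inherent figure.
    """
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    reduced = int(round(inherent * (1.0 - control_effectiveness)))
    return max(1, min(inherent, reduced))


def review(rows: list[ThreatRow]) -> list[dict]:
    """Exercise 2 helper: compare each stated rating with the computed inherent rating.

    A stated rating above inherent risk cannot be a residual figure, because
    controls do not raise risk; such a row is one to query with the author.
    """
    findings = []
    for row in rows:
        inherent = to_label(inherent_score(row.likelihood, row.impact))
        if LEVEL[row.stated_rating] > LEVEL[inherent]:
            verdict = "exceeds"    # rating higher than likelihood x impact allows
        elif LEVEL[row.stated_rating] < LEVEL[inherent]:
            verdict = "credited"   # controls were credited with the reduction
        else:
            verdict = "match"      # rating equals inherent risk; controls not credited
        findings.append({"threat": row.threat, "inherent": inherent,
                         "stated": row.stated_rating, "verdict": verdict})
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count verdicts so the story the assessment tells can be read at a glance."""
    counts = {"match": 0, "credited": 0, "exceeds": 0}
    for f in findings:
        counts[f["verdict"]] += 1
    return counts


# Rows transcribed from the Core Processor table in the deck.
DECK_ROWS = [
    ThreatRow("Unauthorized User Access", "High", "High", "High"),
    ThreatRow("Unauthorized Physical Access", "Low", "Medium", "Medium"),
    ThreatRow("Unauthorized Viewing", "Medium", "Medium", "Medium"),
    ThreatRow("Electrical Anomalies", "Medium", "High", "High"),
    ThreatRow("Hardware Failure", "Medium", "High", "High"),
    ThreatRow("Software Failure", "Medium", "High", "Medium"),
    ThreatRow("Media Failure", "Medium", "Low", "Low"),
    ThreatRow("Communications Failure", "Low", "Medium", "Low"),
    ThreatRow("Natural Disaster", "Low", "High", "Medium"),
    ThreatRow("Other Disasters", "Low", "High", "Medium"),
    ThreatRow("Malicious Software", "Low", "Medium", "Medium"),
    ThreatRow("User Error", "Medium", "Low", "Low"),
    ThreatRow("Accidental Disclosure, Social Engineering", "Medium", "Medium", "Medium"),
    ThreatRow("Fraudulent Transactions", "Medium", "High", "Medium"),
    ThreatRow("Maintenance Error", "Medium", "Low", "Low"),
    ThreatRow("Improper Use", "Medium", "Medium", "Medium"),
]

if __name__ == "__main__":
    for f in review(DECK_ROWS):
        if f["verdict"] != "match":
            print(f"{f['threat']:<42} inherent={f['inherent']:<7} stated={f['stated']:<7} {f['verdict']}")
    print(summarize(review(DECK_ROWS)))
```

Under the assumed scale, two rows (Unauthorized Physical Access and Malicious Software) carry a rating higher than their likelihood and impact support, and two (Software Failure and Fraudulent Transactions) have been lowered by their controls without the table saying so. Those four rows are the ones a reviewer would raise in Exercise 2: a residual rating should be recorded as such, with the controls that earned it, and a rating that controls cannot explain is either a typo or a likelihood or impact that needs re-scoring.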
IT Risk Management Tools
• Efficiency
• Repeatability
• Quality
• Automate processes
• Examiners like them
BOTTOM LINE #1: Act as your security expert
BOTTOM LINE #2: Allow bank to spend time examining information and making decisions (not compiling a risk assessment spreadsheet)
Top Risk Assessment Products
Archer (www.archer‐tech.com), Kansas
bSECURE (www.brintech.com), Texas
CoNetrix (www.conetrix.com), Texas
Modulo (www.modulo.com), Seattle
Riskkey (www.riskkey.com), Texas
RiskWatch (www.riskwatch.com), Maryland
Scout (www.locknet‐inc.com), Wisconsin
TRAC (www.tracadvantage.com), South Dakota
WolfPAC (www.wolfandco.com), Maryland
IT Assets
Protection Profile
Threats
Controls
Protection Profile Report
Risk Appetite
• The more important the asset, the more risk you want to reduce.
• Acceptable levels of risk are identified and measured against.
Commercial Account Assessments
Commercial Banking Fraud
Commercial Account Takeover
• Cyber‐criminals are targeting commercial accounts
• Business/Commercial accounts do not have the same legal protections afforded to consumer accounts (Reg E)
• Schumer Bill introduced in 2012 to extend Reg E to “Schools and Municipalities”
Commercial Banking Fraud
• January 22, 2009
• Experi‐Metal Inc. ‐ Sterling Heights, MI
• Sues Comerica Bank ($60M) ‐ Dallas, TX
• An EMI employee opened and clicked on links within a phishing email
• $1.9M stolen, $560,000 was not recoverable
• 47 wires in one day to foreign and domestic accounts which EMI had never wired to before
• Ruling: Bank failed to detect the fraud and must pay Experi‐Metal $560,000 in losses.
Small Business Security
• 70% lack basic security controls
• Get to the basics with each small business
• Conduct a risk assessment looking for these basic security controls: Firewall, Strong passwords, Malware Protection, Etc.
Finger Pointing and ACH Risk
Mitigating ACH Fraud in Community Banks
• Layered Information Security Program
• Enhanced Focus on Security Awareness
• Risk Assess Corporate Account Portfolio and Take Action
Commercial Account Takeover FFIEC Guidance
FFIEC’s “Interagency Supplement to Authentication in an Internet Banking Environment” states the following activities to mitigate commercial account takeover:
• Risk Assess to better understand and respond to emerging threats.
• Increased multi‐factor authentication.
• Layered security controls.
• Improved device identification and protection.
• Improved customer and employee fraud awareness.
CSBS CATO Guidance
Bottom Line
Need to develop a way for your bank to assess the risk of commercial accounts
ACH Regulatory Compliance
Regulation
• Board of Directors at the bank are responsible to: Reduce/Control ACH Fraud; Meet FFIEC Guidance; Meet CSBS Guidance
Actions
• Controls at the Bank: Corporate account security is part of your layered security program; Minimum list of 9 security controls in the FFIEC supplement
• Controls at the Business: CATO Risk Assessment; List of controls in the CSBS guidance
• Customer Education
• Contracts/Documentation
Controls at Your Bank
Effective controls that may be incorporated in a layered security program include, but are not limited to:
• Fraud monitoring and detection
• Dual authorization
• Out‐Of‐Band transaction verification
• Positive pay
• Account activity controls or limits on value, volume, timeframes, and payment recipients
• IP reputation‐based blocking tools
• Policies and procedures for addressing potentially infected customer devices
• Enhanced control over account maintenance
• Enhanced customer education
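An added example, not from the deck, the FFIEC supplement, or any SBS product, of what two of the controls listed above look like as detection logic: fraud monitoring, and account activity limits on value, volume, timeframe and payment recipient. It screens one day of a commercial customer’s outgoing transfers against the payees and countries that customer has used before and against per-day limits, and returns the transfers that should be held for dual authorization or out-of-band verification. The customer, its history, the day’s transfers and the limits are constructed sample data modelled on the Experi‐Metal pattern above (a burst of wires in one day to accounts the customer had never paid); the rule set, thresholds and business-hours window are assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    originator: str      # commercial customer that submitted the payment
    payee_account: str   # beneficiary account identifier
    country: str         # beneficiary bank country (ISO code)
    amount: float


@dataclass(frozen=True)
class ActivityLimits:
    max_daily_count: int
    max_daily_value: float
    business_hours: tuple[int, int] = (8, 18)  # hours in which the customer normally originates


def build_baseline(history: list[Transfer]) -> tuple[dict, dict]:
    """Payees and destination countries each originator has used before (the known-good set)."""
    payees: dict[str, set[str]] = defaultdict(set)
    countries: dict[str, set[str]] = defaultdict(set)
    for t in history:
        payees[t.originator].add(t.payee_account)
        countries[t.originator].add(t.country)
    return payees, countries


def screen(transfers: list[Transfer], history: list[Transfer],
           limits: dict[str, ActivityLimits]) -> list[tuple[Transfer, tuple[str, ...]]]:
    """Return (transfer, reasons) for every transfer that trips at least one rule.

    Rules run in submission order with running per-day totals, so the count and
    value limits fire on the transfer that crosses them and on every later one
    that day. The baseline is deliberately NOT updated with today's payees: a
    takeover that sends many wires to new accounts must alert on each of them.
    """
    payees, countries = build_baseline(history)
    day_count: dict[tuple, int] = defaultdict(int)
    day_value: dict[tuple, float] = defaultdict(float)
    alerts = []
    for t in sorted(transfers, key=lambda x: x.ts):
        lim = limits[t.originator]
        key = (t.originator, t.ts.date())
        day_count[key] += 1
        day_value[key] += t.amount
        reasons = []
        if t.payee_account not in payees[t.originator]:
            reasons.append("new payee")
        if t.country not in countries[t.originator]:
            reasons.append("new destination country")
        if day_count[key] > lim.max_daily_count:
            reasons.append("daily count limit")
        if day_value[key] > lim.max_daily_value:
            reasons.append("daily value limit")
        start, end = lim.business_hours
        if not start <= t.ts.hour < end:
            reasons.append("outside business hours")
        if reasons:
            alerts.append((t, tuple(reasons)))
    return alerts


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data (not real transactions): one customer's routine history ...
HISTORY = [
    Transfer(_ts("2017-07-03 09:15"), "ACME", "US-1001", "US", 4000.0),
    Transfer(_ts("2017-07-10 10:40"), "ACME", "US-1002", "US", 12500.0),
    Transfer(_ts("2017-07-17 14:05"), "ACME", "US-1003", "US", 7200.0),
    Transfer(_ts("2017-07-24 11:30"), "ACME", "US-1001", "US", 4000.0),
]
LIMITS = {"ACME": ActivityLimits(max_daily_count=3, max_daily_value=50_000.0)}
# ... and one day's submissions: two routine payments, then a takeover-style burst.
TODAY = [
    Transfer(_ts("2017-08-09 09:05"), "ACME", "US-1001", "US", 8000.0),
    Transfer(_ts("2017-08-09 10:30"), "ACME", "US-1002", "US", 12000.0),
    Transfer(_ts("2017-08-09 11:02"), "ACME", "EE-77001", "EE", 49000.0),
    Transfer(_ts("2017-08-09 11:04"), "ACME", "RU-55018", "RU", 38000.0),
    Transfer(_ts("2017-08-09 11:06"), "ACME", "US-9090", "US", 25000.0),
    Transfer(_ts("2017-08-09 19:40"), "ACME", "US-9090", "US", 5000.0),
]


def run_example() -> list[tuple[Transfer, tuple[str, ...]]]:
    return screen(TODAY, HISTORY, LIMITS)


if __name__ == "__main__":
    for t, reasons in run_example():
        print(f"{t.ts:%H:%M} {t.payee_account:<9} {t.amount:>10,.2f}  HOLD: {', '.join(reasons)}")
```

The two routine payments pass; the four that follow are each held with the rules they tripped, which is the information the dual-authorization or out-of-band call-back needs. The limits are per customer on purpose: a contract-level value and volume ceiling agreed with each commercial originator (the Contracts/Documentation item above) is what makes the value and count rules meaningful. Positive pay and IP-reputation blocking are separate controls and are not modelled here.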
How do You Assess Merchant Risk?
5 Step IT Risk Assessment Process
Step 0 – Inventory
Step 1 – Risk Identification
Step 2 – Risk Measurement (Inherent Risk)
Step 3 – Risk Mitigation (Residual Risk)
Step 4 – Risk Monitoring
Assessment Results
Track Progress
Easily Create a campaign
© SBS CyberSecurity, LLC www.sbscyber.com | Consulting | Network Security
Choose from a huge library of phishing templates
Realistic Templates
Educate them WHEN they click
Other Phishing Tools
Wombat, PhishMe, QuickPhish, Tandem Phishing
Most of these tools offer a free trial
Enterprise Risk Management
Enterprise Risk Management (ERM)
ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (FDIC Internal ERM Program and COSO)
ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity’s risk management in a changing operating environment. (Protiviti consulting firm)
Business Processes
Administrative, Affiliate, Back‐Office, Customer Service, Finance, Lending, Marketing, Regulatory, Retail (Deposits), Information Technology
Threat Areas
Operational, Reputational, Compliance, Financial, Strategic
Categories commonly used in FFIEC booklets.
ERM – Risk Mitigation Goals
61
ERM – Protection Profile
ERM – Threats
ERM – Controls
ERM – Reporting
Report – Risk Mitigation
Report – Threat Source
Report – Peer Comparison
Bank Secrecy Act Assessments
Bank Secrecy Act (BSA)

The Currency and Foreign Transactions Reporting Act of 1970 (a legislative framework commonly referred to as the "Bank Secrecy Act" or "BSA") requires U.S. financial institutions to assist U.S. government agencies in detecting and preventing money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, to file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an "anti-money laundering" law ("AML") or jointly as "BSA/AML." Several AML acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC 5311-5330 and 31 CFR Chapter X [formerly 31 CFR Part 103].)
BSA Program Components

• The program is driven by a risk assessment.
• A system of internal controls to ensure ongoing compliance.
• Independent testing of BSA compliance.
• A specifically designated person or persons responsible for managing BSA compliance (BSA compliance officer).
• Training for appropriate personnel.

http://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_008.htm
Risk Driven BSA Program
BSA – Account Types
BSA – Risk Areas
BSA – Controls
BSA – Reports
Report – Account Risk
Cyber Security Assessment
www.protectmybank.com
©2015 Secure Banking
FFIEC CA Tool (3 parts)

Three (3) major components:
1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity
2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats
3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity
Cybersecurity Inherent Risk

• Very PRESCRIPTIVE
• Really getting to the Size and Complexity issue originally stated by GLBA
• Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats
Cybersecurity Inherent Risk

Five Inherent Risk Areas:
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats
Cybersecurity Maturity

Measure Maturity in 5 Domains (+ Assessment Factors):
1. Cyber Risk Management and Oversight: Governance, Risk Management, Resources, and Training
2. Threat Intelligence and Collaboration: Threat Intelligence, Monitoring & Analyzing, and Info Sharing
3. Cybersecurity Controls: Preventative, Detective, and Corrective controls
4. External Dependency Management: External Connections and (Vendor) Relationship Management
5. Cyber Incident Management and Resilience: Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting
What is Cybersecurity Maturity?

Determining whether an institution's behaviors, practices, and processes can support cybersecurity preparedness, i.e. are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents?
Determining Maturity Level

Within each component, "declarative statements" describe activities supporting the assessment factor at each maturity level.

"All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain's maturity level."

What this actually means: identify the controls you have in place, starting with "baseline" controls and escalating upward, in order to determine maturity levels. A single unattained statement at a lower level caps the domain at the level below it, regardless of how many higher-level statements are met.
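The "all statements at this level and every previous level" rule above is easy to state and easy to get wrong when an institution self-assesses from a spreadsheet. The following Python is an added example written for these notes, not code from the slides, SBS Cybersecurity, or the FFIEC. It uses the FFIEC Cybersecurity Assessment Tool's own maturity level names (Baseline, Evolving, Intermediate, Advanced, Innovative) and inherent risk profile names (Least, Minimal, Moderate, Significant, Most); the declarative statements in the sample domain are constructed, hypothetical text, and the mapping from inherent risk profile to expected maturity (`ASSUMED_TARGET_MATURITY`) is an illustrative assumption, not the FFIEC's published risk/maturity chart.

```python
from dataclasses import dataclass

# Maturity levels in the order the FFIEC Cybersecurity Assessment Tool uses them.
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Inherent risk profile levels used by the FFIEC Cybersecurity Assessment Tool.
INHERENT_RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# ASSUMPTION (illustrative only, not the FFIEC's published risk/maturity chart):
# the maturity level an institution is expected to reach for each inherent risk
# profile. Replace with the targets your board actually adopts.
ASSUMED_TARGET_MATURITY = dict(zip(INHERENT_RISK_LEVELS, MATURITY_LEVELS))


@dataclass(frozen=True)
class Statement:
    """One declarative statement inside a domain, tagged with its maturity level."""
    text: str
    level: str
    attained: bool  # True only if the practice is both attained and sustained


def domain_maturity(statements):
    """Apply the CAT rule: a domain sits at the highest level whose statements,
    and those of every lower level, are all attained. Returns None when even
    the Baseline statements are not all met."""
    by_level = {lvl: [] for lvl in MATURITY_LEVELS}
    for s in statements:
        if s.level not in by_level:
            raise ValueError(f"unknown maturity level: {s.level!r}")
        by_level[s.level].append(s)

    achieved = None
    for lvl in MATURITY_LEVELS:
        stmts = by_level[lvl]
        # A level counts only if it has statements and every one is attained;
        # the first failing level blocks every level above it.
        if not stmts or not all(s.attained for s in stmts):
            break
        achieved = lvl
    return achieved


def gaps_to_level(statements, target):
    """Statements at or below `target` that are not attained, i.e. the work
    needed before the domain can claim `target`."""
    target_idx = MATURITY_LEVELS.index(target)
    return [s.text for s in statements
            if MATURITY_LEVELS.index(s.level) <= target_idx and not s.attained]


def maturity_gap(inherent_risk, statements):
    """Compare where the domain is with where the assumed target says it
    should be for the given inherent risk profile."""
    target = ASSUMED_TARGET_MATURITY[inherent_risk]
    current = domain_maturity(statements)
    return {
        "current": current,
        "target": target,
        "gaps": gaps_to_level(statements, target),
    }


# Constructed sample domain (hypothetical statements, not the CAT's own text),
# modelled loosely on the "Cyber Incident Management and Resilience" domain.
SAMPLE_DOMAIN = [
    Statement("An incident response plan exists and is approved", "Baseline", True),
    Statement("Incident roles and responsibilities are defined", "Baseline", True),
    Statement("The incident response plan is tested at least annually", "Evolving", True),
    Statement("Lessons learned from incidents are documented and tracked", "Evolving", False),
    Statement("Exercises include critical third parties", "Intermediate", True),
]

if __name__ == "__main__":
    result = maturity_gap("Moderate", SAMPLE_DOMAIN)
    print(f"current maturity: {result['current']}")   # Baseline
    print(f"target maturity:  {result['target']}")    # Intermediate
    for gap in result["gaps"]:
        print(f"  gap: {gap}")
```

Note what the sample shows: the Intermediate statement is attained, but one Evolving statement is not, so the domain is rated Baseline and the single Evolving gap is what stands between the institution and its target. Running this per domain, with the real declarative statements loaded from the tool, gives a reviewable record of why each maturity level was claimed.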
Increasing Maturity
Risk Assessment Best Practices

• Determine which kind of assessment is the most important for your bank and invest accordingly
• Mature your program
• Have repeatable processes for each kind of assessment
• Assign an owner for each kind of assessment
• Create a policy and program for each kind of assessment
• Leverage tools to promote consistency and good decision-making
• Don't use the manual spreadsheet technique!
• Produce your documentation along the way
• Ensure management/board involvement
Review of Goals

• Understand IT risk assessment law and regulation
• Understand the top risk assessment issues that cause problems and inefficiencies
• Learn how to expand and mature:
  IT risk assessment
  Corporate account assessments (CATO)
  Enterprise Risk Management
  BSA Risk Management
• Review effective risk assessment policy
• Watch how leading tools enable quicker and better risk assessment
• Review risk assessment best practices
• Big 5: Tools, KnowB4, repeatable processes, policies, schedules
Risk Assessment Schedule
Dr. Kevin Streff

– Professor of Cybersecurity at Dakota State University
  • [email protected]
  • (605) 270-0790
– Founder: SBS Cybersecurity, LLC
  • www.sbscyber.com
  • [email protected]
  • (605) 270-0790