
Source: ttsmedia.ttstrain.com/CUNewFFIECGuide061516.pdf

New FFIEC Management Guidance

JUNE 15, 2016 

Dr. Kevin Streff

Founder: Secure Banking Solutions, LLC

www.protectmybank.com

Goals

• Understand New FFIEC Management Guidance

◦ Governance

◦ Risk Management

◦ IT Risk Management

◦ Examination Procedures

• Answer Questions

◦ Newly Integrated Cybersecurity Expectations

◦ Clarification around Chief Information Security Officer Role

◦ Direct Information Security Reporting to Board

◦ Executive Management Expectations

◦ IT Risk Assessment Process Overview

◦ Integration of IT into ERM

www.protectmybank.com ©2016 SECURE BANKING SOLUTIONS, LLC 2

Gramm‐Leach‐Bliley Act

• Management must develop a written information security program

• What is the “M” in the CAMEL rating?

• Don’t just do good security things, have a well-managed program

• Don’t rely on individual heroism, have a well-managed program

The Information Security Program is the way management demonstrates to regulators that information security is being managed at the credit union.

Regulator Requirements: Gramm‐Leach‐Bliley Act

• Gramm‐Leach‐Bliley Act requires you to develop and implement an Information Security Program and conduct Risk Assessments

◦ A comprehensive written information security program which defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a credit union’s operations and the nature and scope of its activities.

◦ Prior to implementing an information security program, a credit union must first conduct a risk assessment which entails:

  ◦ Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems.

  ◦ Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the member information.

  ◦ Assessment of the sufficiency of the policies, procedures and member information systems in place to control the identified risks.

Layered Security Approach

(Slides 5 through 10 contain no transcribed text beyond this title.)

FFIEC IT Exam Handbook ‐ Management

• Understand New FFIEC Management Guidance

◦ Governance

◦ Risk Management

◦ IT Risk Management

◦ Examination Procedures

• Answer Questions

◦ Newly Integrated Cybersecurity Expectations

◦ Clarification around Chief Information Security Officer Role

◦ Direct Information Security Reporting to Board

◦ Executive Management Expectations

◦ IT Risk Assessment Process Overview

◦ Integration of IT into ERM

I. Governance

• BOD ‐ oversee

• Senior Management ‐ implement

Governance refers to how financial institutions manage and control their institution. It includes:

• roles,

• responsibilities,

• processes,

• tools,

• authorities,

• accountabilities, and

• monitoring

IT Management

• IT management is responsible for IT performance and administering the day‐to‐day operation of an institution.

• IT management should perform the following:

◦ Implement IT governance.

◦ Implement effective processes for ITRM, including those that relate to cybersecurity.

◦ Review and annually approve processes for ITRM.

◦ Assess the institution’s inherent IT risks across the institution.

◦ Provide regular reports to the board on IT risks, IT strategies, and IT changes.

◦ Establish and coordinate priorities between the IT department and lines of business.

◦ Establish a formal process to obtain, analyze, and respond to information on threats and vulnerabilities by developing a repeatable threat intelligence and collaboration program.

◦ Ensure that hiring and training practices are governed by appropriate policies to maintain competent and trained staff.

IT Responsibilities & Functions

• An effective IT risk management structure.

• A comprehensive information security program.

• A formal project management process.

• An enterprise‐wide business continuity planning function.

• An accurate and timely process for information systems reporting.

II. Risk Management

• Enterprise risk management

• Focuses primarily on operational risk

• Also addresses strategic, compliance and reputational risk

• Management should have a comprehensive view of operations and business processes and put in place countermeasures to control the risk.

III. IT Risk Management

• Financial institution management should develop an effective ITRM process that supports the broader risk management process. As part of the ITRM process, management should perform the following:

◦ Identify risks to information and technology assets within the financial institution or controlled by third‐party providers.

◦ Measure the level of risk.

◦ Mitigate the risks to an acceptable residual risk level in conformance with the board’s risk appetite.

◦ Monitor changing risk levels and report the results of the process to the board and senior management.

Risk Identification

• Management should identify the risks associated with the types of MFS (mobile financial services) being offered as part of the institution’s strategic plan.

• Management should incorporate the identification of risks associated with mobile devices, products, services, and technologies into the financial institution’s existing risk management process.

Risk Categories

• Strategic

• Operational

◦ Technology

◦ Mobile Web Site

◦ Mobile Application

◦ Mobile Payments

• Compliance

• Reputational

Risk Measurement

• Measuring the level & types of risks involved in MFS.

• Measure potential risks across all risk categories.

• Determine likelihood & impact.

• Prioritize results to determine which controls may be appropriate.

• Ongoing and updated.

Risk Mitigation

• Develop and implement policies and procedures.

• Audit coverage should include MFS.

• Strategic risk mitigation

• Operational risk mitigation

• Reputational risk mitigation

• Compliance risk mitigation

Risk Mitigation

• Policies, Standards and Procedures

• Personnel

• Information Security

• Business Continuity

• Software Development and Acquisition

• IT Operations

• Insurance

• Vendor Management

Monitoring & Reporting

• Financial institution management should have appropriate performance monitoring systems for assessing whether the product or service is meeting operational expectations.

Monitoring & Reporting

• Include limits on the level of acceptable risk exposure that management and the board are willing to assume.

• Identify specific objectives and performance criteria, including quantitative benchmarks for evaluating success of the product or service.

Monitoring & Reporting

• Periodically compare actual results with projections and qualitative benchmarks to detect and address adverse trends or concerns in a timely manner.

• Modify the business plan, when appropriate, based on the performance of the product or service. Such changes may include exiting the activity should actual results fail to achieve projections.

Top Risk Assessment Products

Product     Website                  Location
Archer      www.archer‐tech.com      Kansas
bSECURE     www.brintech.com         Texas
CoNetrix    www.conetrix.com         Texas
Modulo      www.modulo.com           Seattle
Riskkey     www.riskkey.com          Texas
RiskWatch   www.riskwatch.com        Maryland
Scout       www.locknet‐inc.com      Wisconsin
TRAC        www.tracadvantage.com    South Dakota
WolfPAC     www.wolfandco.com        Maryland

Cyber Risk Assessment

Overview

(Slides 27 through 32 contain no transcribed text beyond these titles.)

FFIEC CA (Cybersecurity Assessment) Tool (3 parts)

• Three (3) major components

1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity

2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats

3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity.

Increasing Maturity

(Slide 34 contains no transcribed text beyond this title.)

SBS Cyber‐RISK™ Tool

• Goals of the FREE Cyber‐RISK™ tool:

1. Automate the Cybersecurity Assessment Tool

2. Save you from creating your own spreadsheet

3. Make your life easier and more efficient

4. Provide you with one‐click reports

5. Improve the process by tying the Inherent Risk and Cybersecurity Maturity processes together more intuitively

6. Access to your own personal Information Security Expert if you need us!

(Slides 36 through 45 contain no transcribed text.)

Monitoring & Reporting

• Metrics

• Performance Benchmarks

• Service Level Agreements

• Policy Compliance

• Effectiveness of Controls

• Quality Assurance and Quality Control

• Reporting

Exam Procedure

• 14 Objectives

Objective 1: Determine the appropriate scope and objectives for the examination.

Objective 2: Determine whether the board of directors oversees and senior management appropriately establishes an effective governance structure that includes oversight of IT activities. 

Objective 3: As part of the ITRM structure, determine whether financial institution management has defined IT responsibilities and functions. Verify the existence of well‐defined responsibilities and expectations between risk management and IT functional areas, such as information security, project management, business continuity, and information systems reporting. 

Objective 4: Determine the adequacy of the institution’s IT operations planning and investment. Assess the adequacy of the risk assessment and the overall alignment with the institution’s business strategy, including planning for IT resources and budgeting. 

Objective 5: Along with the IT audit and compliance departments, the HR department can serve as an influencing function for IT. Determine the adequacy of the institution’s HR function to ensure its ability to attract and retain a competent workforce. 

Objective 6: Evaluate management’s review and oversight of IT controls, including the other influencing functions of IT audit and compliance. 

Objective 7: Determine whether the institution’s risk management program facilitates effective risk identification and measurement and provides support for risk decisions within ITRM. 

Objective 8: Determine whether the board of directors oversees and senior management proactively mitigates operational risk. 

Objective 9: Determine whether management implements an ITRM process that supports the overall enterprise‐wide risk management process. 

Objective 10: Determine whether the institution maintains a risk identification process that is coordinated and consistent across the enterprise. 

Objective 11: Determine whether institution management maintains a risk measurement process that is coordinated and consistent across the enterprise. 

Objective 12: Determine whether financial institution management effectively implements satisfactory risk mitigation practices. 

Objective 13: Determine whether IT management develops satisfactory measures for defining and monitoring metrics, performance benchmarks, service level agreements, compliance with policies, effectiveness of controls, and quality assurance and control. Determine whether management developed satisfactory reporting of ITRM activities. 

Objective 14: Discuss corrective action and communicate findings. 

Layered Security Approach

(Slides 62 through 64 contain no transcribed text beyond this title.)

Contact Info

• Dr. Kevin Streff

◦ Dakota State University

[email protected]

◦ 605.270.0790

◦ Secure Banking Solutions, LLC

◦ www.protectmybank.com

[email protected]

◦ 605.270.0790

Thank You!

Upcoming CUWebinars

June 17th - New Customer Due Diligence Rules: Part One Legal Entity Customers

July 7th - Ransomware Spurs New Guidance

July 14th - Critical issues on Share Accounts: Identifying Your Member

July 20th - Regulation CC: Update and Review

August 5th - ALERT! New Customer Due Diligence Rules: Part Two Consumers

August 10th - Best-Ever Compliance Checklist for Consumer Loans

Don’t forget about our listing of OnDemand programs at CUWebinars.com!

Wesley Kavelaris, TTS, 800‐831‐[email protected]