Cyber Security Auditing for Credit Unions
ACUIA Fall Meeting
October 7-9, 2015
Topics
• Introduction
• Cyber Security Auditing Program
  Discuss an effective and compliant Cyber Security Auditing Program from the perspective of:
  • The internal audit department's role
  • The independent external security auditor's role
• The role and effects of IT Risk Assessments in a Cyber Security Audit Program
Introduction
Jim Soenksen, CEO, PIVOT Group LLC
• A national independent audit, assessment and compliance firm providing exclusively data privacy and protection services
Offices
• Atlanta
• Orlando
• Dallas
• Chicago (coming soon!)
Cyber Security Audit Program DNA
Your Obligations
• Protect Members' Data
• Compliance
• Awareness
• Communication
• Well-Informed Policy Assumptions
• Reliable Reporting
• Attestation of Results
• Current and Relevant
• Risk-Based Program and Assessment
Internal Auditor's Role
• Develop Enterprise Audit Program
  • Compliance
  • Policies
  • Internal Controls
• Independence
• Risk-Based
• Leverage Departmental Reporting
• Outsource as Required or Needed
Independent External Auditor's Role
• Information Security Program: Independent Attestation
• Testing areas of the program where resources or expertise do not exist
• Compliance: ISO, PCI
• Special Situations
  • Validate BC/DR
  • Insider Fraud
  • Incident Response
  • Vendor Management
2015 Data Privacy Regulations
• GLBA / NCUA Reg 748 A&B
• FFIEC Authentication
• FFIEC Social Media
• PCI
• TR-39/TG-3
• State and Federal Data Breach Notification Laws
• CISPA 2015
• Enterprise Risk Management
2015 NCUA Examination Focus
• New Cyber Security Risk Exam
• IT Exam
• DDoS
• Incident Response
• BC/DR
• Enterprise Risk Management
• Vendor Management
• Remediation Progress
Check Lists
• Examination Preparation
• FFIEC Authentication Self-Assessment
• New Cybersecurity Exam Questionnaire
• New Cyber Security Risk Assessment
• PCI SAQ
Biggest Voids: Internal Audit
• Expertise/Knowledge
• Interdepartmental Coordination
• Auditing Tools
• Changing Regulations/Exam Requirements
• Incident Response
• Backup and Disaster Recovery
• IT Expertise
• Physical Security
• Board Awareness
• Risk-Based Approach
• Risk Analysis Tools
External vs. Internal
• Develop Enterprise Audit Plan
• Determine In-House Expertise and Resources
• Outsource or Train where Expertise is Lacking
• Determine Required Outsourcing
  • Financials
  • Information Security Program
  • Website/Marketing Compliance
  • PCI
How do IT Risk Assessments Fit?
Risk-Based Program
• Data Breach/Leakage
• Asset Protection
• Non-Compliance
• Reputation
• System Compromise
• Increased Costs
• Misused Resources
• Uninformed Decisions
• Missed Opportunities
Major Data Breach Prevention
• IT Controls
• Encryption
• Vulnerability Management
• Social Engineering
• Vendor Management
• Training
• Internal Fraud
• Mobile Application Controls
• Incident Response Program
• InfoSec Control Testing
• Independent Security and Compliance Audits
Credit Unions' Biggest Threats
• Social Engineering
• Vendor Management
• Mobile Disasters
• Physical Disasters
• Insider Fraud
• Credit/Debit Cards
• Unencrypted Data
• Incident Response
FFIEC Cyber Risk Assessment Tool
Benefits to the Institution
For institutions using the Assessment, management will be able to enhance their oversight and management of the institution's cybersecurity by doing the following:
• Identifying factors contributing to and determining the institution's overall cyber risk.
• Assessing the institution's cybersecurity preparedness.
• Evaluating whether the institution's cybersecurity preparedness is aligned with its risks.
• Determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state.
• Informing risk management strategies.
Cyber Risk Domains
[slide figure]

FFIEC Cyber Risk Assessment Tool
[slide figure]

Inherent Risk Ratings
[slide figure]

Maturity Model
[slide figure]

Risk/Maturity Relationship Matrix
[slide figure]

Implementation
[slide figure]

Who does What???
[slide figure]

Linkage to ERM
[slide figure]
Your Risk Appetite & Profile
• Reputation
• Customer Changes
• Product/Services Management & Development
• Competition
• Qualified Personnel
• Transaction Processing Errors & Interruptions
• Access to Complete, Accurate & Valid Information (Internal Reporting)
• Third-Party Vendor Management
• Disclosure of Non-Public Information
• Credit
• Liquidity
• Investment
• Counterparty
• Exchange Rates
• Legal & Regulatory Requirements
• Rating Agency Requirements
• External Performance Reporting
Takeaways
• Including Cyber Security in Internal Audit Programs
• When to Outsource
• Information Security Basics
• Cybersecurity Risk Assessments
• Integrating into ERM
Thank you!
Contact PIVOT Group:
• Jim Soenksen, CEO
• Call: 404-419-2163
• Email: [email protected]
• www.pivotgroup.com