Regulatory Update: The FFIEC Cybersecurity Assessment Tool...
September 22, 2015
Regulatory Update: The FFIEC Cybersecurity Assessment Tool (CAT)
© 2015 ProcessUnity, Inc. All Rights Reserved.
Today’s Presenters Meet the ProcessUnity Team
Ed Thomas Senior Director, Marketing
Gary Phipps Director, Risk Solutions
ProcessUnity Risk Suite Comprehensive, Flexible, Scalable
Easy to Use
Cloud Based
Deploys Quickly Senior Project Managers Proven Methodologies Data Migration Tools
Secure, Single Application Automatic System Upgrades Technical Support Included
Simple, Point & Click Configuration Alerts & Notifications Online Help System
RISK SUITE
Enterprise Risk
Regulatory Compliance
Operational Risk
SOX Compliance
Incident Management
Cybersecurity
Offer Management
Third-Party Risk
Policy & Procedures
INTEGRATION
Analytics Data Synchronization
Tableau – SAP / Ariba – RSA / Archer – Oracle
Thomson Reuters – LexisNexis – Dun & Bradstreet
Salesforce.com – Microsoft Office
Agenda
• Cybersecurity in the news
• What is the FFIEC CAT?
• Where does the CAT live
• The path forward: Cybersecurity process overview
Reading the Tea Leaves: On the Way to Legislation?
Cybersecurity In the News The Consequences of Data Breach Incidents
The Road to Legislation
“Experts seem to agree that it’s only a matter of time before information security is mandated by law. Over the past few years, various incarnations of bills have been proposed. While security chiefs understand the scrutiny, they have concerns about security becoming a compliance burden.
They worry that this will cause businesses to lose sight of what really matters: focusing on their strategy and thinking about next threats.” - PWC
FFIEC Cybersecurity Assessment Tool
FFIEC Cybersecurity Assessment Tool
• “OCC examiners will begin incorporating the Assessment into examinations in late 2015.”
• Based on the IT Examination Handbook and NIST
• “…process for financial institutions to measure their cybersecurity preparedness over time.”
• “This process is intended to complement, not replace, an institution’s risk management process.”
Overview
Where does the CAT fit in?
IT Risk Universe
• Many IT control activities overlap
• Understanding the overlap is key
• Test once, satisfy many approach
IT Control Framework
FFIEC Cybersecurity Assessment Tool
Inherent Risk – Maturity = GAP
Identify gaps in your IT Control Framework
Finding the GAP (CAT End State)
The Path Forward: An Effective Cybersecurity Process (Step 1 – The Inherent Risk Assessment)
FFIEC Cybersecurity Assessment Tool
Assessment One: Inherent Risk Profile Matrix
Establish the Assessment
Kickoff the Inherent Risk Assessment
Complete the Inherent Risk Assessment
Inherent Risk Summary
Inherent Risk Detail
The Path Forward: An Effective Cybersecurity Process (Step 2 – The Maturity Assessment)
FFIEC Cybersecurity Assessment Tool Assessment Two: Cybersecurity Maturity Matrix
Establish the Assessment
Complete the Maturity Assessment
Achieved / Not Achieved
Control Impact and GAP
Closing the GAP
Summary: Managing Cyber Risk
Three Steps to Keep Cyber Risk Out
Adjust your control framework and effectiveness to move up the maturity continuum
Identify your institution’s inherent risk level for each cyber category
Evaluate your maturity level and the maturity level required to reach risk equilibrium
ProcessUnity Can Help Comprehensive, Flexible, Scalable
Get Started on the Road to Automation with a Custom Demo www.processunity.com/contact
INHERENT RISK MATURITY SUMMARY GAP IDENTIFICATION