The Building Blocks of a Strong ISP
Dr. Kevin Streff
Founder, Secure Banking Solutions
www.protectmybank.com
Iowa Bankers Association
2015 IBA Technology Conference
Agenda
• Emerging Technologies and Security Threats in Banks
• Designing an Effective Information Security Program
• Conducting World-Class Risk Assessments
Hot Technologies
Banking Technologies
• Branch of the Future
• Advanced Payment Systems
• Mobile Delivery Systems
• Remote Deposit Products
• Customer Relationship Management (CRM)
Infrastructure Technologies
• Cloud
• Virtualization
• Cybersecurity Products
– DLP
– MSS
– ERM Tools
• Continuous Monitoring
Core replacement projects are important
Technology
Driving the need for a well managed information security program that starts with risk assessment
• Leads to all kinds of issues
– Document retention
– I.T. examination
– Compliance
– Financial
– Support
– Expertise
– Security
– Data Privacy
• Your bank needs to get good with technology
• Your bank needs to get good at information protection
– Not individual heroism
©Secure Banking Solutions 2015
Online vs. Mobile
• Online banking is commodity
• Mobile banking revolution is over
Layered Security Approach
Gramm-Leach-Bliley Act
• Management must develop a written information security program meeting the security standards of Part 364, Appendix B
• What is the “M” in the CAMEL rating?
The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank
Regulator Requirements: Current Framework
• Management Focused Examination
• Documented risk-based Information Security Program (ISP) that provides sufficient controls – as determined by the Risk Assessments
• Independent review of controls for compliance and adequacy – as verified by IT Audit, Penetration Test and Vulnerability Assessment
Written Information Security Program
• Includes administrative, technical, & physical safeguards appropriate to the bank’s size and complexity and the nature and scope of activities
• Represented by a set of policies, procedures and standards that implement controls identified in the risk assessment
• ISP = Documentation + Activities
Top Security Threats
1. Hacking
2. Data Leakage
3. Social Engineering
4. Corporate Account Takeover
5. Vendor Risk
6. ATM
“Small and medium sized banks are in the cross-hairs of the cyber criminal”
Howard Schmidt, Cybersecurity Secretary for the White House
Hacking
Threat #1
Hacking
• Small and medium-sized businesses are the new target
– Won’t get caught, won’t get prosecuted, fewer security controls, etc.
• Hackers are Organized
– Used to be for fun, now it is for profit
• How it works
– Find a computer/network vulnerability and exploit it
Hacker Tools Examples
• Tools to hack your bank are downloadable
– http://sectools.org/
• Default passwords are all available
– http://www.phenoelit.org/dpl/dpl.html
• Economy is available to sell stolen data (“underground markets”)
– http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
Threat: Downtime
• How much time would it take to recover if all of your computers got a virus tomorrow?
– Data Loss
– Down Time
– Cost to replace vs. fix
“Of those businesses that experience a disaster and have no emergency plan, 43% never reopen; of those that do reopen, only 29% are still operating two years later.”
Ransomware
• Demands payment, or it will destroy your data and/or your machine
Critical Infrastructure Protection
• White House is concerned that our nation’s critical electronic infrastructure
• PDD63
• APT
• "Terrorism remains the FBI's top priority. But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country"
– Ex-FBI Director Robert Mueller
Data Leakage
Threat #2
Data Leakage
• Data Leakage is about insiders leaking customer information out of your bank
• Most attention is paid to outsiders breaking into your network (aka hackers)
• Malicious Behavior
• Accidental
Social Engineering
Threat #3
Social Engineering
• What is Social Engineering?
– Exploitation of human nature for the gathering of sensitive information.
– Tool attackers use to gain knowledge about employees, networks, vendors or other business associates.
Sample Social Engineering Methods
• Phishing/Pharming
• Telephone (Remote Impersonation)
• Dumpster Diving
• Impersonation
• E-mail Scams
• USB Sticks
Corporate Account Takeover
Threat #4
Small Business Security
• 70% lack basic security controls
• Conduct a risk assessment looking for these basic security controls
– Firewall
– Strong passwords
– Malware Protection
– Etc.
Finger Pointing?
Vendor Attacks
Threat #6
Vendor Attacks
• Criminals understand that vast amounts of data are stored and transacted thru bank vendors
• TJX, Heartland, Target, etc.
• Target – RAM Scraping
• While you are outsourcing the task, your bank remains responsible for the data
• Vendor Management Program
ATM Fraud
Threat #6
ATM Fraud
• Skimmers
• Cyber heists
• Remote Access Issues
• Active Ports Being Compromised
Skimmer Overlay
Skimmer Camera
ATMs
• The ATM environment has changed
• Used to be most banks:
– Closed network
– Non Windows
• Today, most ATMs are on your bank’s network and run Windows
ATM Cyber Heists
Gramm-Leach-Bliley Act
• Management must develop a written information security
• What is the “M” in the CAMEL rating?
The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank
IT Exam
• Verifies the bank’s Information Security Program
– Assessments and audits
• Five areas:
– Risk Management
– Operations Security
– Audit
– Business Continuity
– Vendor Management
Recent Regulation
• FFIEC Authentication Supplement
• CSBS CATO Regulation
• FFIEC ATM Regulation
• FFIEC DDoS Regulation
• OCC and FDIC Vendor Management Regulation
• FFIEC Social Media Guidance
• Appendix J
• FFIEC Cybersecurity Assessment Tool
Question for you…
What is your bank doing to mitigate the risks of:
– Hacking
– Data Leakage
– Social Engineering
– Corporate Account Takeover
– ATM Fraud
– Vendor Attacks
Answer Should Be:
• Layered Security Program
1. Risk Assessment
2. Customer Awareness and Education
3. Business Continuity & Incident Response
4. Information Sharing
5. Effective Auditing
Asset Management
• Inventory assets
• Policy and procedure for:
– Adding assets
– Retiring assets
– Cleansing assets
• ISO standard is big into asset management
• Think about how many information leaks involve not accounting for assets
– Laptops
– Tapes
– Etc.
Vulnerability Assessment
Definition
Technical scan of your networked equipment that identifies vulnerabilities, conducted from inside the bank.
Scope
All networked equipment, examples include:
– Core Banking Server
– Servers
– Workstations
– Voice Over IP
Penetration Testing
Definition
• Technical scan conducted from outside the bank on any equipment that is exposed to the internet. Simulates the process that a hacker would use to gain access to bank information.
Scope
Include all your public IP addresses (even unused IPs)
– Email Server
– Web Server
– Internet Banking Server
– VPN connections
Security Awareness
• Security Awareness is the degree or extent to which every member of staff understands:
– the importance of security
– the levels of security appropriate to the organization
– their individual security responsibilities
– ... and acts accordingly.
Employees: Security Awareness
• Acceptable Use Policy
• Annual Security Awareness Training
• Email Reminders
• Online Training System
• Posters/Calendars
• Security Awareness Day
• Member Appreciation Day
• Games
• Social Engineering Tests
• InfraGard Certification
Posters/Calendars
Security Awareness Day
• Hold a “Security Awareness Day” at your bank to demonstrate to your customers how important this issue is to the bank
• Hand out materials that can help them safely bank with you
• Target audience: customers
– HOWEVER: employees get involved and get more security conscious as well
Security Awareness Training
11/22/2015
Welcome to… SECURITY FEUD!
Certification
• InfraGard
– Training program for staff on information security to promote awareness of front-line and support staff
– https://infragardawareness.com/
– Twelve lessons (4-9 minutes each)
• SBS
– Six security certifications for board, management and professionals at your bank
– 14 hours per certification
Customers: Security Awareness
• Awareness Information on Website
• Posters
• Security Awareness Day
• Customer Appreciation Day
• Lunch and Learns
Emergency Preparedness
• Disaster Recovery
• Business Continuity
• Pandemic Bird Flu
• Incident Response
Incident Response
• Documenting how an organization will respond to security breaches
– Who is in charge?
– When do you notify customers?
– Etc.
• The point is to have the activities planned out before an incident occurs and everyone is in crisis mode
Audit
Determine the presence of controls and test the effectiveness of those controls through an independent and objective evaluation.
• Risk assessment identifies the controls
• ISP = policies, procedures and guidelines that document controls
• IT audit reviews compliance and adequacy of controls
Organizational Chart
• Provides an overview of the personnel working at the bank
• Looking for the following roles (sample):
– Information Security Officer
– Information Technology
– Auditor
– Compliance Officer
• Who is doing what!
Committees
• Is management involved in IT decisions?
• Audit committee?
• BOD?
• Checks and balances…not just one person
• Weekly, Monthly, or quarterly
• Made up of people who can make decisions
• Can work out issues before presenting to the board (i.e., policy changes)
• Can handle issues so that some things don’t need to go to the board (procedure changes)
Network Diagram
• Picture representation of your network
• Includes connectivity to:
– Internet
– Branches
– Service Providers
– Etc.
• Important because:
– Communicates the network to staff and examiners
– Support maintenance and troubleshooting network issues
– Plan for addition of new technology
– Be helpful for business continuity
Use your ISP
• Any new technology is handled by your ISP – (EXAMPLE: Merchant Capture)
• Any new security threat is handled by your ISP – (EXAMPLE: Data Leakage)
Documentation
• Codifies management direction regarding layered security program
– Policies, procedures, standards, etc.
• Provides evidence of a layered security program
– Demonstrates compliance
– Demonstrates good security
Information Security Program Documentation
Minimum ISP Documentation
• Risk Assessment
• Policies
• Procedures
• Standards
• Guidelines
• Plans
– Audit
– Business Continuity
– Incident Response
• Security Awareness Materials
• Training Log
• Vendor Assessments
• Minutes
– Board of Director Meetings
– I.T. Committee Meetings
– Audit Committee Meetings
• Strategies
• Test Results
– Audit
– Penetration Test
– Vulnerability Assessment
– Social Engineering
– Configuration Test
– Web Test
– Wireless Test
• Exams
– State
– Federal
• Misc.
– Network Diagram
– Organizational Chart
– Contracts
– Memos
– Reports
Comprehensive Audit
• Audits will assess people, processes, and technology.
• A balanced audit program works as follows:
– people are assessed with a social engineering test,
– processes are assessed with an IT audit, and
– technology is assessed with a penetration test and vulnerability assessment.
Layered Audit Approach
Assessments
• I.T.
• Vendor
• Corporate Account
• BIA
• ERM
• Cyber
• Etc.
IT Risk Assessment Process
IT Assessment
Vendor Assessments
Vendor Management
• Given the increased reliance on outside firms for technology-related products and services, management must identify and mitigate risk in these technology decisions
• Vendor Management
• Technology Service Provider Management
• Just because you outsource your technology does not mean you outsource your information protection responsibilities
• Need to manage your vendors to ensure they are protecting your nonpublic information (customer and financial information)
Policy Generation
Policy Sample
Third Party Information
Cost Benefit Analysis
Reference Evaluation
Comparing Threats
Documenting Controls
Residual Risk Score
• Pay attention to the residual risk
• Notice that vendor 2 has done the most to reduce the risk of information security threats
Due Diligence
Contract Review
Management
Commercial Account Assessments
Commercial Banking Fraud
CATO Guidance
• FFIEC’s “Interagency Supplement to Authentication in an Internet Banking Environment” states the following activities to mitigate commercial account takeover
• CSBS CATO Guidance
• FDIC CATO Guidance
BOTTOM LINE: Your bank must develop a process to assess the cybersecurity risk to your commercial accounts
Assessment Results
Enterprise Risk Management
Business Processes
• Administrative
• Affiliate
• Back-Office
• Customer Service
• Finance
• Lending
• Marketing
• Regulatory
• Retail (Deposits)
• Information Technology

Threat areas
• Operational
• Reputational
• Compliance
• Financial
• Strategic

Categories commonly used in FFIEC booklets.
ERM – Risk Mitigation Goals
ERM – Protection Profile
ERM - Threats
ERM - Controls
Report – Risk Mitigation
REPORT – PEER COMPARISON
Risk Assessment Best Practices
• Determine which kind of assessment is the most important for your bank and invest accordingly
• Mature your program
• Have repeatable processes for each kind of assessment
• Assign an owner for each kind of assessment
• Create a policy and program for each kind of assessment
• Leverage tools to promote consistency and good decision-making
• Don’t use the manual spreadsheet technique!
• Produce your documentation along the way
• Ensure management/board involvement
FFIEC Cybersecurity Assessment Tool
©2015 Secure Banking Solutions, LLC
Overview
FFIEC CA Tool (3 parts)
• Three (3) major components
1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity
2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats
3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity.
Cybersecurity Inherent Risk
• Very PRESCRIPTIVE
• Really getting to the Size and Complexity issue originally stated by GLBA
• Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats
Cybersecurity Inherent Risk
• Five Inherent Risk Areas
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats
Cybersecurity Maturity
Measure Maturity in 5 Domains (+ Assessment Factors)
1. Cyber Risk Management and Oversight
   • Governance, Risk Management, Resources, and Training
2. Threat Intelligence and Collaboration
   • Threat Intelligence, Monitoring & Analyzing, and Info Sharing
3. Cybersecurity Controls
   • Preventative, Detective, and Corrective controls
4. External Dependency Management
   • External Connections and (Vendor) Relationship Management
5. Cyber Incident Management and Resilience
   • Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting
What is Cybersecurity Maturity?
• Determining whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness
• I.E. are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents?
How does Cybersecurity Maturity work?
Measured by 5 Cybersecurity Maturity Levels
1. Baseline
2. Evolving
3. Intermediate
4. Advanced
5. Innovative
Determining Maturity Level
• Within each component, “declarative statements” describe activities supporting the assessment factor at each maturity level
• “All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level”
• What this actually means:
   – Identify the controls you have in place, starting with “baseline” controls and escalating up in order to determine maturity levels
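The rule on this slide, worked through as an added example (not part of the original deck, and not the FFIEC tool or the SBS Cyber-RISK tool): a domain's maturity level is the highest level at which every declarative statement at that level and all previous levels is attained. The level names and the three assessment factors of the Cybersecurity Controls domain come from the slides; the statement texts and yes/no answers are constructed placeholders.

```python
from dataclasses import dataclass

# Maturity levels in the order the slides list them.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


@dataclass(frozen=True)
class Statement:
    factor: str      # assessment factor the statement supports
    level: str       # maturity level the statement belongs to
    text: str        # constructed placeholder, not FFIEC wording
    attained: bool   # True only if attained AND sustained


def domain_maturity(statements):
    """Return (level, blocking) for one domain.

    level is the highest maturity level for which every statement at that
    level and at all previous levels is attained, or None when Baseline
    itself has a gap. blocking holds the statements that stop the climb.
    """
    unknown = {s.level for s in statements} - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown maturity level(s): {sorted(unknown)}")
    achieved = None
    for level in LEVELS:
        at_level = [s for s in statements if s.level == level]
        if not at_level:
            break  # nothing assessed here, so the level cannot be claimed
        gaps = [s for s in at_level if not s.attained]
        if gaps:
            return achieved, gaps
        achieved = level
    return achieved, []


def gaps_to_target(statements, target):
    """Every unattained statement at or below the target level."""
    wanted = set(LEVELS[: LEVELS.index(target) + 1])
    return [s for s in statements if s.level in wanted and not s.attained]


# Constructed answers for the Cybersecurity Controls domain. Innovative
# was not assessed; two statements are marked as not attained.
FACTORS = ["Preventative", "Detective", "Corrective"]
NOT_ATTAINED = {("Detective", "Evolving"), ("Corrective", "Advanced")}
SAMPLE = [
    Statement(factor, level, f"{factor} control statement ({level})",
              (factor, level) not in NOT_ATTAINED)
    for level in LEVELS[:4]
    for factor in FACTORS
]

if __name__ == "__main__":
    level, blocking = domain_maturity(SAMPLE)
    # Intermediate is fully attained, yet the Evolving gap caps the domain.
    print("Domain maturity:", level or "below Baseline")
    for s in blocking:
        print(f"  blocked by: {s.factor} / {s.level}")
    for s in gaps_to_target(SAMPLE, "Advanced"):
        print(f"  to reach Advanced, fix: {s.factor} / {s.level}")
```

In the sample every Intermediate statement is attained, but the domain still rates Baseline because one Evolving statement is not; answers at higher levels do not offset a gap lower down.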
Determining Maturity
Domains and Assessment Factors
Inherent Risk vs. Maturity
• All good Risk Management processes help make decisions and set goals
• How does one determine Inherent Risk versus Cybersecurity Maturity?
• And more importantly, what is the right Inherent Risk vs. Maturity level?
Increasing Maturity
Inherent Risk vs. Maturity
• “No single expected level for an institution”
• “An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change.”
• “Management should consider reevaluating the institution’s inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile.”
Other IMPORTANT take-aways
• Is this new FFIEC Cybersecurity Assessment Tool (CAT) a replacement for my IT Risk Assessment?
   – Absolutely not! This FFIEC CAT is a self-assessment of cybersecurity preparedness only, not a determination of risks and controls around your confidential non-public information
• The assessment process is not a one-time project or process, but rather an ongoing assessment that the institution will be expected to keep up and utilize on an ongoing basis.
Who is responsible for the CAT?
• It is an expectation that C-Level Management and/or Board of Directors install a top-down approach to cybersecurity
• The President/CEO will be expected to DRIVE this Cybersecurity Assessment process and the Board of Directors needs to understand what the results of this Cybersecurity Assessment mean
SBS Tool
• Introducing:
   – FREE SBS Cyber-RISK™ Tool to Aid in Capture and Reporting
   – Did I mention it is FREE?
Cyber-RISK Tool
• Goals of the FREE Cyber-RISK™ tool:
1. Automate the Cybersecurity Assessment Tool
2. Save you from creating your own spreadsheet
3. Make your life easier and more efficient
4. Provide you with one-click reports
5. Improve the process by tying the Inherent Risk and Cybersecurity Maturity processes together more intuitively
6. Get you peer comparison data (down the road)
7. Access to your own personal Information Security Expert if you need us!
Additional Cyber Security Resources
• SBS Cybersecurity Assessment Blog:
   – https://www.protectmybank.com/ffiec-cybersecurity-assessment-resources/
• Pre-register for the Cyber-RISK tool:
   – https://www.protectmybank.com/register/
• SBS Institute Certifications:
   – https://www.protectmybank.com/sbsinstitute/
SUMMARY
10 Steps Your Bank Can Take
Find the right partner…
1. Focus on and invest in mitigating the big 5
2. Implement a layered security program
3. Automate I.T. risk assessment
4. Work with merchants regarding CATO risks
5. Mature education/training program
6. Evaluate cyber security
7. Mature vendor management
8. Produce minimum documentation
9. Run effective committees
10. Investigate tools and partners to help
Contact Info
• Dr. Kevin Streff
   – Dakota State University
      • [email protected]
      • 605.256.5259
   – Secure Banking Solutions, LLC
      • www.protectmybank.com
      • [email protected]
      • 605.270.0790