0717GLBAISandITRiskAssessment: 0717glbaisanditriskassessment.ppt

  • Resource ID: 2403671   Size: 1.38MB   Pages: 37
  • Format: PPT
GLBA & IS/IT Risk Assessments
Presented by Kristina Buckley of Buckley Technology Group
Understanding New Vendor Management Risks and Key Areas for Improvement

GLBA Program
  • Requires the financial institution to ensure the security, confidentiality, and integrity of customer information.
  • The bank is required to develop and maintain a written program to assess, manage and control risks associated with customer non-public information (NPI).
  • The program must include the monitoring and review of appropriate audits and documentation.
  • An annual report to the board is required by GLBA.
  • Employee information should also be protected.

GLBA Program (continued)
  • The program should include incident response and security breach notification.
  • It is the bank's regulatory requirement to notify customers of a security breach, so it is critical that the bank's contract includes a security notification clause (24 hours).
  • The program safeguards are intended to:
    • Insure the security and confidentiality of customer records and information;
    • Protect against any anticipated threats or hazards to the security or integrity of such records; and
    • Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

GLBA Risk Assessment Report: Objectives of the Assessment
  • Identify the services/business processes from the bank's vendor management and BCP program that have a high NPI risk level.
  • For each of those business processes:
    • Identify the supporting systems involved and any associated input and output of data.
    • Identify the security controls in place for each identified supporting system.
    • Identify existing internal and external threats associated with each business process.
    • Identify existing controls in place to mitigate risks.
    • Identify additional controls to be considered to mitigate risks.
    • Identify related vendors and their security practices associated with the business process.

GLBA Risk Assessment Report: Document the Threat Level Rating Scale Used
  • High: Threat could lead to disclosure of customer information, significant impact to the reputation of the bank, significant financial loss, interruption of customer service for an unacceptable period of time, and non-compliance.
  • Medium: Threat could cause interruption or delay in service to customers, impact to the reputation of the bank, or moderate financial loss for the bank.
  • Low: Threat considered low given the mitigating controls in place.

GLBA Risk Assessment Report: Document the Level of Effort Scale Used
  • High: Changes or enhancements that are expected to involve significant incremental costs and/or require significant involvement by administrators and/or significant changes to end-users.
  • Medium: Changes or enhancements that are expected to involve moderate incremental costs and/or require moderate involvement of administrators and little or no direct impact to end-users.
  • Low: Changes or enhancements that are considered to be both low cost and to require moderate to low involvement by administrators and/or minimal to no impact to end-users.

GLBA Risk Assessment Report: For Each Business Process, Record
  • The vendor name
  • The associated business process with a high NPI risk rating
  • The owner
  • The assigned GLBA risk rating (High)
  • An assigned level of effort (High, Medium or Low as defined above)
  • A description of GLBA findings
  • An explanation of the risks associated with the finding/observation
  • Recommendations for further risk mitigation
  • The financial institution's update (include possible mitigating controls)

GLBA Risk Assessment Report: Optional Table Columns
Other components you may want to add to the table above, depending upon the size and complexity of your financial institution:
  • Risk Areas
  • Risk Categories
  • Likelihood
  • Impact
  • Inherent Risk
  • Existing Mitigating Controls
  • Residual Risk

GLBA Risk Assessment Report: Summary
  • The report should document the total number of business processes within each risk level and the findings.
  • During the assessment you will identify a number of business processes that share vulnerabilities.

GLBA Matrix Option 2: Questions You May Want to Add to the Matrix (for each business process)
  • External access points (employees and vendors).
  • Related applications.
  • Security controls for each application.
  • Whether regulator retention guidelines are met.
  • Network directories that may contain data.
  • Do the vendor's employees have access to the NPI on their PCs, laptops, etc. outside of the financial institution's control?
  • Does the vendor subcontract with third parties to perform any components related to NPI?

IT/IS Risk Assessment
  • An IT/IS risk assessment should be performed annually on high-NPI-risk vendors as part of GLBA.
  • It should also be performed for any prospective vendor or changed relationship:
    • Business change
    • Product change
    • Controls are changed
    • Regulations are changed (even if your contract states they will remain in compliance)
  • The business owner (contract) is responsible for the vendor and the risk assessment process; however, IT needs to get involved and be part of the formal process. Require that business owners get IT's sign-off.
  • The report and matrix noted earlier can be used to document risk assessments.

IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc)
  • Identify all new hardware and software involved in the product.
  • Is this cloud based?
  • Are the software and hardware compatible with the bank's existing infrastructure?
  • Document the expected network infrastructure to ensure it is truly compatible and to identify additional needs.
  • Document the expected PC, laptop and device configuration.
  • Identify any firewall, IDS or IPS changes.
  • New servers (traditional or virtual).
  • New licensing requirements.
  • New telecommunication needs.
  • Is wireless required or being introduced?
  • Remote access rights and encryption required.
  • Who is responsible for patch maintenance for the items above?

Risk Assessment: Website Hosting
Some questions to consider:
  • Does the vendor provide hosting to other financial institutions?
  • Are they aware of the related regulatory guidance?
  • What can they provide you for security documentation? SSAE16?
  • What can they provide you for pen testing and monitoring? Objective third party and frequency.
  • Application design and known vulnerabilities? (open source)
  • Security breach notification procedures (in contract).
  • Website hosting infrastructure: private or public server.
  • Remote access.
  • Business continuity: outside of your region, redundancy, backup policy.

Monitoring
  • Review all due diligence documentation.
  • Question if reports are not being updated at a minimum of every two years.
  • Review penetration test results.
  • If they are regulated, ensure you are reviewing audit reports.

Documentation Red Flags
Be cautious if you run into any of the following during risk assessment or documentation review:
  • IS policies are not based on any accepted security standard (ISO 27001).
  • No formal training and security awareness program noted for employees and subcontractors.
  • Encryption does not exist on vendor employee laptops.
  • Can't provide pen tests (should be at a minimum annual).
  • Weak remote access standards.
  • Weak BCP/DR plan.
  • Weak data media handling, retention, disposal and return practices.
  • Difficulty providing the overall material.

Cybercrime Initiative Resources
  • FS-ISAC: The FS-ISAC is a member-owned, nonprofit and private financial sector initiative. Its primary function is to share timely, relevant, and actionable physical and cyber security threat and incident information to enhance the ability of the financial services sector to prepare for, respond to, and mitigate the risk associated with these threats. Both the U.S. Department of Treasury and the U.S. Department of Homeland Security rely on the FS-ISAC to disseminate critical information to the financial services sector in times of crisis. Members receive timely notification and authoritative information specifically designed to help protect critical systems and assets from physical and cyber security threats. It provides an anonymous information-sharing capability across the entire financial services industry that enables institutions to exchange information regarding physical and cyber security threats, as well as vulnerabilities, incidents, and potential protective measures and practices.
  • United States Computer Emergency Readiness Team (US-CERT): The Department of Homeland Security's US-CERT facilitates the coordination of cyber information sharing and provides cyber vulnerability and threat information through its National Cyber Awareness System. Financial institutions may learn more about US-CERT and subscribe to receive security alerts, tips and other updates through its website at www.us-cert.gov.
  • U.S. Secret Service Electronic Crimes Task Force (ECTF): The Electronic Crimes Task Force teams local, state and federal law enforcement personnel with prosecutors, private industry, and academia to maximize what each has to offer in an effort to combat cyber criminal activity. For more information on the Electronic Crimes Task Forces please visit www.secretservice.gov/ectf.shtml.
  • FBI InfraGard: InfraGard is an information sharing forum between the FBI and the private sector. InfraGard operates more than 60 chapters that conduct local meetings pertinent to their area. Information about InfraGard may be obtained at www.infragard.org.

Related Rules and Regulations
  • FDIC IT Exam Officers VM Guidance and Questionnaire
  • IT Examination Handbook: Outsourcing Technology Services
  • Part of FFIEC IT Rating (URSIT)
  • Part 364-B FDIC Rules and Regulations
  • FFIEC IT Handbook (Excel)

THANK YOU
Kris Buckley, P 781.258.0618
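The report table (likelihood, impact, inherent risk, mitigating controls, residual risk, count of processes per risk level) and the monitoring rules (reports refreshed at least every two years, pen tests at least annual) can be captured in a small script. The following is an added example, not material from the presentation; the way likelihood and impact combine into a level, and how control strength reduces it, is an assumed convention, and the vendors and dates are constructed.

```python
# Added example, not the presentation's own: GLBA matrix rows, risk tally and monitoring flags.
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ["Low", "Medium", "High"]  # rating scale from the slides; level arithmetic below is assumed

@dataclass
class BusinessProcess:
    vendor: str
    process: str
    likelihood: str               # Low / Medium / High
    impact: str                   # Low / Medium / High
    controls: str                 # strength of existing mitigating controls
    last_pen_test: "date | None"  # None if the vendor cannot provide one
    last_due_diligence: date      # date of the latest SSAE16 / audit report
def inherent_risk(likelihood: str, impact: str) -> str:
    # Assumed convention: sum of level indexes; 0-1 Low, 2 Medium, 3-4 High
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    return "High" if score >= 3 else "Medium" if score == 2 else "Low"
def residual_risk(inherent: str, controls: str) -> str:
    # Assumed convention: each control-strength step above Low lowers risk one level
    return LEVELS[max(LEVELS.index(inherent) - LEVELS.index(controls), 0)]
def monitoring_flags(bp: BusinessProcess, today: date) -> list:
    # Rules from the Monitoring and Documentation Red Flags slides
    flags = []
    if bp.last_pen_test is None or today - bp.last_pen_test > timedelta(days=365):
        flags.append("pen test missing or older than one year")
    if today - bp.last_due_diligence > timedelta(days=2 * 365):
        flags.append("due diligence report not updated within two years")
    return flags
def assess(processes, today: date):
    # One matrix row per process, plus the number of processes per residual risk level
    rows = []
    for bp in processes:
        inh = inherent_risk(bp.likelihood, bp.impact)
        rows.append({"vendor": bp.vendor, "process": bp.process, "inherent": inh,
                     "residual": residual_risk(inh, bp.controls), "flags": monitoring_flags(bp, today)})
    return rows, Counter(r["residual"] for r in rows)

SAMPLE = [  # constructed sample data (hypothetical vendors and dates)
    BusinessProcess("Core Hosting Co", "Online banking hosting", "Medium", "High",
                    "Medium", date(2013, 1, 15), date(2011, 3, 1)),
    BusinessProcess("Statement Vendor", "Statement printing", "Low", "High",
                    "High", None, date(2013, 6, 1)),
]

def run_sample():
    return assess(SAMPLE, date(2013, 7, 17))
```

`run_sample()` returns the per-process rows and the per-level tally the report slide asks for; the first sample vendor comes out High inherent / Medium residual with a stale due-diligence report, the second Medium / Low with no pen test on file.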
