New FFIEC Management Guidance
JUNE 15, 2016
Dr. Kevin Streff
Founder: Secure Banking Solutions, LLC
www.protectmybank.com
Goals
• Understand New FFIEC Management Guidance
◦ Governance
◦ Risk Management
◦ IT Risk Management
◦ Examination Procedures
• Answer Questions
◦ Newly Integrated Cybersecurity Expectations
◦ Clarification around Chief Information Security Officer Role
◦ Direct Information Security Reporting to Board
◦ Executive Management Expectations
◦ IT Risk Assessment Process Overview
◦ Integration of IT into ERM
www.protectmybank.com ©2016 SECURE BANKING SOLUTIONS, LLC 2
Gramm-Leach-Bliley Act
• Management must develop a written information security program
• What is the “M” in the CAMEL rating?
• Don’t just do good security things, have a well managed program
• Don’t rely on individual heroism, have a well managed program
The Information Security Program is the way management demonstrates to regulators that information security is being managed at the credit union.
Regulator Requirements: Gramm-Leach-Bliley Act
• Gramm-Leach-Bliley Act requires you to develop and implement an Information Security Program and conduct Risk Assessments
◦ A comprehensive written information security program which defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a credit union’s operations and the nature and scope of its activities.
◦ Prior to implementing an information security program, a credit union must first conduct a risk assessment which entails:
◦ Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems.
◦ Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the member information.
◦ Assessment of the sufficiency of the policies, procedures and member information systems in place to control the identified risks.
Layered Security Approach
FFIEC IT Exam Handbook - Management
• Understand New FFIEC Management Guidance
◦ Governance
◦ Risk Management
◦ IT Risk Management
◦ Examination Procedures
• Answer Questions
◦ Newly Integrated Cybersecurity Expectations
◦ Clarification around Chief Information Security Officer Role
◦ Direct Information Security Reporting to Board
◦ Executive Management Expectations
◦ IT Risk Assessment Process Overview
◦ Integration of IT into ERM
I. Governance
• BOD - oversee
• Senior Management - implement
Governance refers to how financial institutions manage and control their institution. It includes:
• roles
• responsibilities
• processes
• tools
• authorities
• accountabilities
• monitoring
IT Management
• IT management is responsible for IT performance and administering the day-to-day operation of an institution.
• IT management should perform the following:
◦ Implement IT governance.
◦ Implement effective processes for ITRM, including those that relate to cybersecurity.
◦ Review and annually approve processes for ITRM.
◦ Assess the institution’s inherent IT risks across the institution.
◦ Provide regular reports to the board on IT risks, IT strategies, and IT changes.
◦ Establish and coordinate priorities between the IT department and lines of business.
◦ Establish a formal process to obtain, analyze, and respond to information on threats and vulnerabilities by developing a repeatable threat intelligence and collaboration program.
◦ Ensure that hiring and training practices are governed by appropriate policies to maintain competent and trained staff.
IT Responsibilities & Functions
• An effective IT risk management structure.
• A comprehensive information security program.
• A formal project management process.
• An enterprise‐wide business continuity planning function.
• An accurate and timely process for information systems reporting.
II. Risk Management
• Enterprise risk management
• Focuses primarily on operational risk
• Also deals with strategic, compliance and reputational risk as well
• Management should have a comprehensive view of operations and business processes and put in countermeasures to control the risk.
III. IT Risk Management
• Financial institution management should develop an effective ITRM process that supports the broader risk management process. As part of the ITRM process, management should perform the following:
◦ Identify risks to information and technology assets within the financial institution or controlled by third-party providers.
◦ Measure the level of risk.
◦ Mitigate the risks to an acceptable residual risk level in conformance with the board’s risk appetite.
◦ Monitor changing risk levels and report the results of the process to the board and senior management.
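The four ITRM steps above (identify, measure, mitigate, monitor) are easier to picture as a small risk register. The Python sketch below is an added example, not code from the presentation or from the FFIEC booklet: the 1 to 5 likelihood and impact scales, the control-effectiveness fractions, the board appetite threshold of 8.0 and the four register entries are all constructed assumptions chosen for illustration. It identifies assets (including one controlled by a third-party provider), measures inherent risk as likelihood times impact, credits existing controls to arrive at a residual score, prioritizes by inherent exposure, and produces a monitoring report that flags anything still above the board's appetite.

```python
"""Toy IT risk register walking through identify -> measure -> mitigate -> monitor.

Added example, not from the FFIEC booklet or the presentation: the 1-5 scales,
the control-effectiveness figures, the board appetite threshold and the
register entries are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Ordinal scales assumed for this example (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of remaining risk removed, 0.0..1.0 (assumed)


@dataclass
class Risk:
    asset: str
    threat: str
    category: str              # strategic / operational / compliance / reputational
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)
    third_party: bool = False  # asset is controlled by a third-party provider

    def inherent(self) -> int:
        """Measure: likelihood x impact before any control is credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        """Mitigate: each control strips its effectiveness share off what remains."""
        score = float(self.inherent())
        for control in self.controls:
            score *= 1.0 - control.effectiveness
        return round(score, 2)


def prioritize(register):
    """Rank risks by inherent score so control effort goes where exposure is largest."""
    return sorted(register, key=lambda r: -r.inherent())


def monitor(register, appetite):
    """Monitor: one report row per risk, flagging residual scores above the board's appetite."""
    rows = []
    for r in sorted(register, key=lambda r: -r.residual()):
        rows.append({
            "asset": r.asset,
            "category": r.category,
            "third_party": r.third_party,
            "inherent": r.inherent(),
            "residual": r.residual(),
            "within_appetite": r.residual() <= appetite,
        })
    return rows


def exceptions(register, appetite):
    """Assets whose residual risk still exceeds appetite: the items to escalate to the board."""
    return [row["asset"] for row in monitor(register, appetite) if not row["within_appetite"]]


def build_sample_register():
    """Identify: a constructed register of four assets, their threats and existing controls."""
    return [
        Risk("core banking system", "ransomware", "operational", "likely", "severe",
             [Control("offline backups", 0.5), Control("endpoint detection", 0.4)]),
        Risk("mobile banking app", "credential stuffing", "operational", "likely", "major",
             [Control("multi-factor authentication", 0.7)]),
        Risk("member data at cloud provider", "provider breach", "compliance", "possible", "severe",
             [Control("vendor due diligence", 0.3)], third_party=True),
        Risk("public website", "defacement", "reputational", "possible", "minor"),
    ]


BOARD_APPETITE = 8.0  # assumed residual-score ceiling set by the board


if __name__ == "__main__":
    register = build_sample_register()
    for row in monitor(register, BOARD_APPETITE):
        print(row)
    print("exceeds appetite:", exceptions(register, BOARD_APPETITE))
```

With these assumed inputs the core banking system carries the highest inherent score (20) but its two controls bring it within appetite, while the third-party cloud item, with a lower inherent score (15) and only one weak control, is the one that remains above appetite and therefore the one the monitoring step reports to the board. That inversion is the point of keeping inherent and residual scores separate in the register.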
Risk Identification
• Management should identify the risks associated with the types of MFS (mobile financial services) being offered as part of the institution’s strategic plan.
• Management should incorporate the identification of risks associated with mobile devices, products, services, and technologies into the financial institution’s existing risk management process.
Risk Categories
• Strategic
• Operational
◦ Technology
◦ Mobile Web Site
◦ Mobile Application
◦ Mobile Payments
• Compliance
• Reputational
Risk Measurement
• Measuring the level & types of risks involved in MFS.
• Measure potential risks across all risk categories.
• Determine likelihood & impact.
• Prioritize results to determine which controls may be appropriate.
• Ongoing and updated.
Risk Mitigation
• Develop and implement policies and procedures.
• Audit coverage should include MFS.
• Strategic risk mitigation
• Operational risk mitigation
• Reputational risk mitigation
• Compliance risk mitigation
Risk Mitigation
• Policies, Standards and Procedures
• Personnel
• Information Security
• Business Continuity
• Software Development and Acquisition
• IT Operations
• Insurance
• Vendor Management
Monitoring & Reporting
• Financial institution management should have appropriate performance monitoring systems for assessing whether the product or service is meeting operational expectations.
Monitoring & Reporting
• Include limits on the level of acceptable risk exposure that management and the board are willing to assume.
• Identify specific objectives and performance criteria, including quantitative benchmarks for evaluating success of the product or service.
Monitoring & Reporting
• Periodically compare actual results with projections and qualitative benchmarks to detect and address adverse trends or concerns in a timely manner.
• Modify the business plan, when appropriate, based on the performance of the product or service. Such changes may include exiting the activity should actual results fail to achieve projections.
Top Risk Assessment Products
• Archer - www.archer-tech.com - Kansas
• bSECURE - www.brintech.com - Texas
• CoNetrix - www.conetrix.com - Texas
• Modulo - www.modulo.com - Seattle
• Riskkey - www.riskkey.com - Texas
• RiskWatch - www.riskwatch.com - Maryland
• Scout - www.locknet-inc.com - Wisconsin
• TRAC - www.tracadvantage.com - South Dakota
• WolfPAC - www.wolfandco.com - Maryland
Cyber Risk Assessment
Overview
FFIEC CA (Cybersecurity Assessment) Tool (3 parts)
• Three (3) major components:
1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity
2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats
3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity.
Increasing Maturity
SBS Cyber-RISK™ Tool
• Goals of the FREE Cyber-RISK™ tool:
1. Automate the Cybersecurity Assessment Tool
2. Save you from creating your own spreadsheet
3. Make your life easier and more efficient
4. Provide you with one‐click reports
5. Improve the process by tying the Inherent Risk and Cybersecurity Maturity processes together more intuitively
6. Access to your own personal Information Security Expert if you need us!
Monitoring & Reporting
• Metrics
• Performance Benchmarks
• Service Level Agreements
• Policy Compliance
• Effectiveness of Controls
• Quality Assurance and Quality Control
• Reporting
Exam Procedure
• 14 Objectives
Objective 1: Determine the appropriate scope and objectives for the examination.
Objective 2: Determine whether the board of directors oversees and senior management appropriately establishes an effective governance structure that includes oversight of IT activities.
Objective 3: As part of the ITRM structure, determine whether financial institution management has defined IT responsibilities and functions. Verify the existence of well-defined responsibilities and expectations between risk management and IT functional areas, such as information security, project management, business continuity, and information systems reporting.
Objective 4: Determine the adequacy of the institution’s IT operations planning and investment. Assess the adequacy of the risk assessment and the overall alignment with the institution’s business strategy, including planning for IT resources and budgeting.
Objective 5: Along with the IT audit and compliance departments, the HR department can serve as an influencing function for IT. Determine the adequacy of the institution’s HR function to ensure its ability to attract and retain a competent workforce.
Objective 6: Evaluate management’s review and oversight of IT controls, including the other influencing functions of IT audit and compliance.
Objective 7: Determine whether the institution’s risk management program facilitates effective risk identification and measurement and provides support for risk decisions within ITRM.
Objective 8: Determine whether the board of directors oversees and senior management proactively mitigates operational risk.
Objective 9: Determine whether management implements an ITRM process that supports the overall enterprise-wide risk management process.
Objective 10: Determine whether the institution maintains a risk identification process that is coordinated and consistent across the enterprise.
Objective 11: Determine whether institution management maintains a risk measurement process that is coordinated and consistent across the enterprise.
Objective 12: Determine whether financial institution management effectively implements satisfactory risk mitigation practices.
Objective 13: Determine whether IT management develops satisfactory measures for defining and monitoring metrics, performance benchmarks, service level agreements, compliance with policies, effectiveness of controls, and quality assurance and control. Determine whether management developed satisfactory reporting of ITRM activities.
Objective 14: Discuss corrective action and communicate findings.
Layered Security Approach
Contact Info
• Dr. Kevin Streff
◦ Dakota State University
◦ kevin.streff@dsu.edu
◦ 605.270.0790
◦ Secure Banking Solutions, LLC
◦ www.protectmybank.com
◦ kevin@protectmybank.com
◦ 605.270.0790
Thank You!
Upcoming CUWebinars
• June 17th - New Customer Due Diligence Rules: Part One Legal Entity Customers
• July 7th - Ransomware Spurs New Guidance
• July 14th - Critical issues on Share Accounts: Identifying Your Member
• July 20th - Regulation CC: Update and Review
• August 5th - ALERT! New Customer Due Diligence Rules: Part Two Consumers
• August 10th - Best-Ever Compliance Checklist for Consumer Loans
Don’t forget about our listing of OnDemand programs at CUWebinars.com!
Wesley Kavelaris, TTS, 800-831-0678, info@TTStrain.com, CUWebinars.com