Embed Size (px)
Citation preview
PreparingForYourNextNCUAITExamVisit
James Harris is the CEO of Compliance Advisory Services, LLC, ana:onallyknowninforma:onsecurityconsul:ngandriskmanagementfirm.
Hehasover26yearsofexperienceinthebanking/creditunionindustry.His exper:se is in all areas of informa:on systems security, Gramm-LeachBlileyAct,PCI,andSarbanesOxleyAct. James is formerbankerand FDIC examiner, with a unique ability to reduce complex legalconceptstoplainEnglish.
Easiestwaytocontactme:[email protected]
CopyrightedbyComplianceAdvisoryServices,LLC 1
PreparingForYourNextNCUAITExamVisit
Jamesholdsmanycybersecuritycer:fica:ons:• JD LawDegree• CISSP Cer:fiedInforma:onSystemSecurityProfessional• CISA Cer:fiedInforma:onSystemsAuditor• CEH Cer:fiedEthicalHacker• CHFI Cer:fiedHackingForensicInves:gator• CPT Cer:fiedPentester• OPST OpenSourceProfessionalSecurityTester
CopyrightedbyComplianceAdvisoryServices,LLC 2
PreparingForYourNextNCUAITExamVisit
• IsyourcreditunionpreparedforyournextregulatoryITExam?
• Whereshouldyoubegin?
• Whataretheregulatorsgoingtofocuson?
• Whataretheregulatorsgoingtoask?
CopyrightedbyComplianceAdvisoryServices,LLC 3
PreparingForYourNextNCUAITExamVisit
IsyourcreditunionpreparedforyournextregulatoryITExam?• ObtainacopyofyourlastExam
• DeterminealloftheIT/InfoSecfindingsnotedintheexam
• Transferthosefindingsontoa“trackingsheet”
CopyrightedbyComplianceAdvisoryServices,LLC 4
PreparingForYourNextNCUAITExamVisit
IsyourcreditunionpreparedforyournextregulatoryITExam?
• DeterminewhetherallpriorITExamFindingshavebeencorrected• Ifnot,correctthemimmediately• Iftheywerecorrectedthennotethatonthe“trackingsheet’• Do the same for any andall internal&external ITAudits since the
lastexam
CopyrightedbyComplianceAdvisoryServices,LLC 5
PreparingForYourNextNCUAITExamVisit
IsyourcreditunionpreparedforyournextregulatoryITExam?
• Makesureyourimportantpoliciesandriskassessmentsareuptodate.
Ø Informa:onSecurityProgram&RiskAssessmentØ ITPolicyØ E-BankingPolicy&RiskAssessmentØ IncidentResponsePlan–donotforget(DDoS&Ransomwarelanguage)Ø BCP/DRPlan(testitannually)
CopyrightedbyComplianceAdvisoryServices,LLC 6
PreparingForYourNextNCUAITExamVisit
IsyourcreditunionpreparedforyournextregulatoryITExam?
• MobileDevicePolicy-BYOD• MobileBankingPolicy(remembermobiledepositlanguage&limits)• WireTransferPolicy–(donotforget:boardapprovedlimits)• InstantIssueDebit/CreditCardPolicy&RiskAssessment[donotforget]
CopyrightedbyComplianceAdvisoryServices,LLC 7
PreparingForYourNextNCUAITExamVisitWhataretheregulatorsgoingtofocuson?
• HasyourboardreceiveddocumentedCyberSecurityTraining?• HasyourboardreceivedCyberIntelligenceSummariesonaregularbasis?[FS-ISAC]• HasyourboardreceivedyourGLBAAnnualStatusReportontheInfoSecProgram?• DoyourITCommigeeregularlyconvene(quarterlyoratleast4:mesayear)?• AreyourITCommigeeminutesprovidedtotheboard?• DoyouhaveawrigenITStrategicPlan(3yrforward-lookingplan)?• Haveyoucompletedadocumentedannualreviewofcri:calvendors?
CopyrightedbyComplianceAdvisoryServices,LLC 8
PreparingForYourNextNCUAITExamVisit
Whataretheregulatorsgoingtofocuson?• AreyouproperlymanagingandcontrollingriskwithallaspectofE-Banking
Ø CustomerAuthen:ca:on(MFA)–MustbeMFAØ BillPaymentlimitsØ WireTransfers–Outofbandcall-backsØ ACHOrigina:ons–:meofmonth,typicaldollaramount,numberofiteminfile,etc
CopyrightedbyComplianceAdvisoryServices,LLC 9
PreparingForYourNextNCUAITExamVisitWhataretheregulatorsgoingtoask?
• LogicalControlsSejngs–Network,CoreBankingPlalorm,andmajorApps
Ø Pwdminlength?Ø Pwdcomplexityenabled?Ø Pwdchangeinterval?Ø Time-outsejng?Ø Lockoutsejng?Ø PwdHistory?
CopyrightedbyComplianceAdvisoryServices,LLC 10
PreparingForYourNextNCUAITExamVisitWhataretheregulatorsgoingtoask?
• Printscreensofthefollowing–Network:
Ø Screenprintsshowingthemembersofthebuilt-inAdministratorgroupØ ScreenprintsofDomainAdministratorsØ ScreenprintsofEnterpriseAdministratorsØ ScreenprintsshowingGuestGroupmembers&whichoneshavebeendisabledØ Permissionsfortwokeynetworkshares–Accoun:ngandHR?
Ø
CopyrightedbyComplianceAdvisoryServices,LLC 11
PreparingForYourNextNCUAITExamVisitWhataretheregulatorsgoingtoask
• Printscreensforthefollowing–Mainframe:
Provideacopyofthefollowingfiles:• /etc/passwd• /etc/security/user• /.rhosts• /etc/hosts.equiv• /etc/inetd.conf• /etc/services
CopyrightedbyComplianceAdvisoryServices,LLC 12
PreparingForYourNextNCUAITExamVisitWhataretheregulatorsgoingtoask
• CybersecurityRiskAssessmentTool(CATTool)
Ø HowdidyourCUcompleteit?(Individualorcommigee)Ø Howlongdidittaketofinishit?(theyneeda:meframe)
• TheNCUAhasmadeitarequirementtocomplete!
• WhatwasyourCU’sInherentRisk?Theywillwanttoreviewtheques:ons&answers• DidyoufullymeetBaselineRequirements?Par:aldoesn’tcount!!!
CopyrightedbyComplianceAdvisoryServices,LLC 13
PreparingForYourNextNCUAITExamVisitWhataretheregulatorsgoingtoask
• NCUAwillcompleteseveraloftheirITAuditPrograms.
Ø IT–ItemsNeededØ IT–748Expanded(MostITexaminerscompletethisone)Ø IT–An:-Virus&Malware(Op:onal)Ø IT–AuditProgram(Op:onal)Ø IT–BusinessCon:nuity(MostITexaminerscompletethisone)Ø IT–ElectronicBanking(Required)Ø IT–Networks(MostITexaminerscompletethisone)Ø IT–PolicyChecklist(Op:onal)Ø IT-Firewalls(Op:onal)Ø IT–IDS/IPS(Op:onal)Ø IT–PenTestReview(MostITexaminerscompletethisone)Ø IT–Physical&Environment(MostITexaminerscompletethisone)Ø IT–RemoteAccess(MostITexaminerscompletethisone)Ø IT–Virtualiza:on(Op:onal)Ø IT–WirelessNetworks(Op:onal)
CopyrightedbyComplianceAdvisoryServices,LLC 14
PreparingForYourNextNCUAITExamVisit
• ReviewpriorITexamresults.• CorrectallpriorITExam/AuditFindings• UnderstandwhatITexaminersarelookingfor.• ReviewandupdateallIT/InfoSecpolicies&riskassessments• Ensurelogicalcontrolsareappropriate.• Understandwhatques:onsexaminerswillask.• CompleteyourCATTool.
CopyrightedbyComplianceAdvisoryServices,LLC 15
PreparingForYourNextNCUAITExamVisit
Thankyouforyour:meandagen:on!GoodluckwithyournextITexam.JamesHarris,JD,CISSP,CISA,CEH,CHFI,[email protected]:n,Texas502-552-0559
CopyrightedbyComplianceAdvisoryServices,LLC 16
CopyrightedbyComplianceAdvisoryServices,LLC 17
