Page 1:

© 2017 Jack Henry & Associates, Inc.®

Successfully Implementing a Virtual ISO – A Customer’s Perspective

Presented by: Viviana Campanaro and Tom Williams, Gladiator

Featuring Sue Ozburn, Cashmere Valley Bank

November 29, 2018

Page 2:

Presenters

Tom Williams – Business Continuity Strategy
[email protected]

Sue Ozburn – Cashmere Valley Bank
[email protected]

Viviana Campanaro – Sales Engineer
[email protected]

Page 3:

Agenda

• State of Information Security for FIs
• Examiners’ position on Information Security
• Role and Responsibilities of the Information Security Officer (ISO)
• How our Bank Implemented the virtual ISO Service – Cashmere Valley Bank
• The Gladiator vISO (Virtual Information Security Officer) Service
• Q&A

Page 4:

State of Information Security for Financial Institutions

Page 5:

In the News

Page 6:

Regulators Making Information Security a Priority

• The FFIEC releases a revised Information Security booklet – FFIEC, September 9, 2016
• FFIEC Releases Updates to Cybersecurity Assessment Tool – FFIEC, May 31, 2017
• FFIEC Releases Cybersecurity Assessment Tool – FFIEC, June 30, 2015
• Financial Regulators Release Revised Management Booklet – FFIEC, November 10, 2015
• FFIEC Issues Statement on Safeguarding the Cybersecurity of Interbank Messaging and Payment Networks – FFIEC, June 7, 2016
• The FFIEC published frequently asked questions (FAQ) guide related to the Cybersecurity Assessment Tool – FFIEC, October 17, 2016
• New York State Department of Financial Services Proposed 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies – NYSDFS, December 28, 2016
• The FDIC launches the Information Technology Risk Examination (InTREx) Program – FFIEC, June 30, 2016

Page 7:

Examiners’ position on Information Security

• Independent Information Security Officer (ISO) or Committee
• Sufficient knowledge and training of ISO
• Separate InfoSec oversight from IT
• Rightsized InfoSec program

Source: FFIEC Guidelines 2006

Page 8:

Information Security Officer Responsibilities

✓ Information Security Policies
✓ InfoSec Training
✓ Business Continuity Planning
✓ InfoSec Risk Assessment
✓ Vendor Management
✓ Vulnerability Assessment
✓ Compliance/Risk Committee
✓ Incident Reporting
✓ Audit / Exam Information

Page 9:

Options to implement Information Security Governance

• Hire an ISO
• Appoint ISO Committee
• Outsource ISO

Accepted by FFIEC

Page 10:

Hire Individual ISO

Pros (+)
• Dedicated resource
• In-house expertise
• No vendor management

Cons (-)
• Costly
  ▪ Ave. $215k salary
• Competitive
• Low unemployment
• High turnover

Page 11:

ISO Committee

Pros (+)
• Multiple resources
• Shared responsibilities
• No vendor management

Cons (-)
• Slow decision making
  – Many cooks in the kitchen
• Limited expertise
• Limited accountability

Page 12:

Outsourced/Virtual ISO

Pros (+)
• Certified and experienced professionals
• Increased capabilities
• Cost effective
• No staff turnover
• Ensure compliance

Cons (-)
• Individual consultants
• Service levels
• Vendor management

Page 13:

Customer Profile: Cashmere Valley Bank – Sue Ozburn, EVP, CIO

Page 14:

Cashmere Valley Bank

• Location: Cashmere, WA
• Asset Size: $1,523,936,000
• Employees: 262
• Branch Locations: 12
• Insurance Agency
• Retail Investment Services
• Core Application: Silverlake – In-house

Page 15:

JHA Risk Services

• Gladiator vISO
• Centurion Hosted High Availability – Core Replication
• Centurion Business Continuity Planning
• eSAT – (electronic Security Awareness Training)
• AMP Services (Advanced Malware Protection)
• ISABRA Policy
• Incident Alert
• MITS (Managed IT Services)
• ESM for Core, iPay and NetTeller

Page 16:

How Our Bank Implemented the vISO Service

Sue Ozburn, CIO

Page 17:

Why we decided to go with vISO

• We did not have the required talent in our geography
• To recruit talent to this area would require us to pay a high salary
• Concern that the person would leave for a higher salary and better opportunity after we trained them and they gained experience
• Regulators were providing substantial pressure to implement the separation of the CIO and ISO

Page 18:

Information Security Officer Responsibilities

✓ Information Security Policies
✓ InfoSec Training
✓ Business Continuity Planning
✓ InfoSec Risk Assessment
✓ Vendor Management
✓ Audit / Exam Information
✓ Vulnerability Assessment
✓ Compliance/Risk Committee
✓ Incident Reporting

Page 19:

Before / After vISO Implementation – IS Policies

Before
• Policies were bare minimum with several holes based on the changing of times.
• Policies contradicted each other and it was impossible to keep up with making sure changes were made in each section.
• Timeliness to the Board for approval each year kept extending later and later.

After
• Policies are clear and can be understood.
• Policies are updated on time.
• Policies aren’t just policies that quote the regulations (scripture), they state exactly what we are doing. (Nothing is worse than saying you are doing something and not doing it.)
• Policies have references to the Regulation, page number and paragraph (if needed).
• Policies are thorough and we have been praised for them by auditors/regulators.

Page 20:

Before / After vISO Implementation – Risk Assessment

Before
• Our risk assessment was short and poorly done.
• Our risk categories were green, yellow and red and did not have supporting information or documentation of testing to validate the rating.
• It was incomplete and I was embarrassed to provide it to regulators, but didn’t really have time or resources to rebuild the wheel.

After
• I’m very proud of the asset based risk assessment and management relies on it and therefore focuses budgeting and resources to the areas with the highest residual risk.
• All controls are thoroughly tested, documented, validated and results are comprehensive. Regulators LOVE it.

Page 21:

Before / After vISO Implementation – BCP

Before
• We used Microsoft Word and Excel, which made it difficult to update.
• BCP before the vISO was really just best effort.
• We were criticized on the testing we’d done in that it wasn’t thorough enough.
• The BIA (Business Impact Analysis) needed considerable development to determine where the real risks were.

After
• We now use the Centurion COPE BCP Software Tool which improves the process.
• We have a well planned, laid out schedule of updates for each area of the BCP, including the BIA.
• The testing is well thought out and we make sure we test all critical applications and scenarios based on the BIA.
• vISO makes sure we are on track and holds us accountable to get it done.

Page 22:

Before / After vISO Implementation – Vendor Management

Before
• We struggled with spreadsheets and the considerable time it takes to gather the information and analyze the SOC reports, financial statements and all the rest.

After
• We have a well laid out plan to complete the entire vendor management program on an annual basis with the proper Board reporting.
• Test for mandatory vendor management activities and assist in managing manual trigger activities.
• Provide guidance and expertise for addressing vendor management requirements. This may include direct communications with auditors and regulators.

Page 23:

Before / After vISO Implementation – Audits

Before
• Each audit we struggled with what to give the auditors as proof of a control.

After
• We have a standard set of information clearly documented for each audit request.
• We have the information automated in many areas and it is much easier to access it.

Page 24:

Before / After vISO Implementation – Vulnerability Assessments

Before
• We contracted with a company to do periodic vulnerability assessments and that was good, but what do we do with the results?

After
• The vISO makes sure the vulnerability reports are being done on time and helps us understand what should be done to repair any findings.
• The expertise is wonderful.

Page 25:

Before / After vISO Implementation – Compliance

Before
• The overall IT Compliance was “good luck at best.”
• We are not experts in everything and we recognized the need for better expertise in this area.

After
• The entire Information Security Program is in full compliance with all regulations and well documented.

Page 26:

Before / After vISO Implementation – Incident Reporting

Before
• We have an in-house ticketing system and there was no automation between incidents and the ticketing system. We had to manually enter them.
• We had this as everyone’s responsibility. Therefore it simply wasn’t getting done.
• When an examiner/auditor would ask for the list of incidents, we might have a half-dozen documented – not good.

After
• We now utilize the Gladiator Vault – the incidents are documented and resolved timely.
• Well done – examiners love it.

Page 27:

Before / After vISO Implementation – Information Security Training

Before
• IS training was hated! Everyone hated it so much that they would wait until the last day and would just get together as a group and take the tests together just to get it done.
• No one really learned anything.

After
• Training is spread out throughout the year and is continuous.
• This training program is provided through several sources.
• No one complains and training is no longer past due (on a regular basis).

Page 28:

Gladiator vISO Service

Page 29:

vISO Service Elements

• Annual Recurring InfoSec Risk Assessment – Asset Based, Control Validation
• Written Information Security Program – Policies, Procedures, Forms
• Ongoing Compliance Management – Audit Support, Monthly Meetings
• Reporting

Page 30:

Trending: Virtual ISO Services

• IS Strategy
• Certified security & compliance
• Experienced
• Policies
• Assessments
• Reporting
• Training

Page 31:

Virtual Information Security Officer

PROVIDE
• Validate information security program
• Empower management’s oversight
• Protect your reputation and your customers’ data
• Provide visibility into information controls

Page 32:

Page 33:

Evaluate your Information Security Program (ISP)

✓ Check regulatory requirements
✓ Who owns the Program? Separate from IT?
✓ Are current InfoSec tasks handled correctly?
✓ Determine skills and experience in house
✓ Will you outsource ISO tasks? Need to hire an ISO?
✓ Report findings to the Board for approval

Page 34:

Page 35:

THANK YOU!

Next in our Maturing Your Cybersecurity Program series:

What the Disaster Taught Us – A Bank’s Lessons Learned from Executing their Business Continuity Plan

Wednesday, December 12, 2018
3:00 PM EST / 2:00 PM CST

Page 36:

Gladiator® Solutions

• Managed IT
• Hosted Network Solutions
• Centurion® – BC/DR
• IT Regulatory Compliance
• Managed Security