Post on 14-Aug-2020


Lecture Materials

MANAGING SECURITY RISK IN BANKING

Kevin Streff, Professor of Cybersecurity

Dakota State University, kevin.streff@dsu.edu, 605-270-0790

&

Founder, SBS Cybersecurity, LLC

Kevin.streff@sbscyber.com, 605-270-0790

August 9 - 11, 2017

IT Risk Assessment

2017 Graduate School of Banking at University of Wisconsin

Dr. Kevin Streff

Founder: SBS Cybersecurity, LLC

www.sbscyber.com

1

Goals

Understand the top risk assessment issues that cause problems and inefficiencies

Learn to expand and mature risk assessment programs:

• IT risk assessment
• Corporate account assessments (CATO)
• Enterprise Risk Management
• BSA Risk Management

Watch how leading tools enable quicker and better risk assessment

Review risk assessment best practices

2

Regulator Requirements: Gramm‐Leach‐Bliley Act

• Gramm-Leach-Bliley Act requires you to develop and implement an Information Security Program and conduct Risk Assessments

A comprehensive written information security program which defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a bank’s operations and the nature and scope of its activities.

Prior to implementing an information security program, a bank must first conduct a risk assessment which entails:

• Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems.

• Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the member information.

• Assessment of the sufficiency of the policies, procedures and member information systems in place to control the identified risks.

3

Gramm-Leach-Bliley Act

Management must develop a written information security program

What is the “M” in the CAMELS rating?

Don’t just do good security things, have a well-managed program

Don’t rely on individual heroism, have a well-managed program

4

The Information Security Program is the way management demonstrates to regulators that information security is being managed at the financial institution

Gramm-Leach-Bliley Act

• Gramm-Leach-Bliley Act requires your financial institution to develop and implement 1) an Information Security Program and 2) Risk Assessments

Information Security Program: Defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a financial institution’s operations and the nature and scope of its activities.

Risk Assessment Program: Prior to implementing an information security program, a financial institution must first conduct a risk assessment

• I.T. Risk Assessment
• Asset Management
• Vendor Management
• Penetration Testing
• Vulnerability Assessment
• Security Awareness
• Business Continuity
• Incident Response
• I.T. Audit

6

Layered Information Security Program

Documentation

Boards & Committees

©2016 Secure Banking Solutions, LLC 7

Question

What is the OUTCOME of good IT risk assessment?

8

Exercise 1 – Allocating Resources

9


Exercise 1

Your bank has $25,000 of additional spending to put towards security in 2017.

You were just provided the chart

How would you allocate the $25,000?

11

Maturing Your Risk Assessment

Bank

Internal & External

System & Organizational

Third Party Vendors

Business Partners

Downstream Partners

Commercial Merchant

Correspondent Banking

ACH Origination

Enterprise Risk

Bank Secrecy Act

Cyber Risk

12

Capability Maturity Model

Level 0 – Initial: Any sort of process at all

Level 1 – Repeatable: Processes are documented and practiced

Level 2 – Defined: Processes are consistent and known within the organization

Level 3 – Quantitatively Managed: Processes are measured quantitatively and evaluated

Level 4 – Optimized: Processes continually improve with new technologies or methods

13

[Chart: Level of Assessment (CMM Levels 0 to 4) plotted against Level of Risk (Low, Medium, High), with goals marked for Bank Threats, 3rd Party Threats and Commercial Threats]

14

Bank Assessments

15

What is IT Risk Assessment?

“The evaluation of the risks to information resources to determine adequacy of current controls so that management can allocate resources” (Streff, 2017)

16

Exercise 2 – Reviewing a Risk Assessment

17


Traditional IT Risk Assessment Process View (Core Processor example in attached spreadsheet)

Asset | Value | Threat | Likelihood | Impact | Control | Overall Risk Rating
Core Processor | High | Unauthorized User Access | High | High | Password Controls; Physical Access; End-User Responsibilities; Access Controls; Insurance | High
 | | Unauthorized Physical Access | Low | Medium | Motion Sensors and Alarm System; Security Cameras; Control Authorized Use; Hardware Security; Physical Security | Medium
 | | Unauthorized Viewing | Medium | Medium | Screen Savers; Privacy Screens | Medium
 | | Electrical Anomalies | Medium | High | Electrical Services Contingency Plan; Physical Security | High
 | | Hardware Failure | Medium | High | Data Integrity; Bank Processing Hardware; EDP Contingency Procedures | High
 | | Software Failure | Medium | High | Data Software Availability; Bank Processing Software; Incident Response Plan; Host Processing Systems; Software Security; Data and Software Availability | Medium
 | | Media Failure | Medium | Low | Data Integrity; Disaster Recovery; Data and Software Availability | Low
 | | Communications Failure | Low | Medium | Telecommunications Services | Low

19

Traditional IT Risk Assessment Process View (Core Processor example in attached spreadsheet, continued)

Asset | Value | Threat | Likelihood | Impact | Control | Overall Risk Rating
 | | Natural Disaster | Low | High | Contingency and Business Resumption Plan; Data Integrity; Incident Response Plan; Insurance | Medium
 | | Other Disasters | Low | High | Contingency and Business Resumption Plan; Data Integrity; Fire Control; Incident Response Plan; Insurance | Medium
 | | Malicious Software | Low | Medium | Anti-Virus/Malware Software Protection | Medium
 | | User Error | Medium | Low | Dual Control Procedures | Low
 | | Accidental Disclosure, Social Engineering | Medium | Medium | Dial-up Access; Encryption; Information Requests; File Transfers | Medium
 | | Fraudulent Transactions | Medium | High | Separation of Duties; System Activity Logs | Medium
 | | Maintenance Error | Medium | Low | Modifications; Modification Procedures; Software Change Control; Host Processing Systems | Low
 | | Improper Use | Medium | Medium | System Activity Logs; Modifications, Dual Control Procedures; Acceptable Use | Medium

Exercise 2 ‐ Instructions

What do you agree with?

What do you disagree with?

What story is this risk assessment telling?

How would the bank allocate resources if you provided them with this assessment?

20

Risk Assessment is:

A management process to identify, measure, mitigate and monitor to allocate resources

21

5 Step IT Risk Assessment Process

22

Step 0 Inventory

Step 1 Risk Identification

Step 2 Risk Measurement

Step 3 Risk Mitigation

Step 4 Risk Monitoring

Inherent Risk

Residual Risk

5 Step IT Risk Assessment Process

23

Step 1 - Inventory: Identify all assets, vendors and service providers

Step 2 - Develop Priorities: Protection Profile (CIAV)

Step 3 - Identify Threats: What are the threats to each asset (including impact and probability of each threat)?

Step 4 - System Controls: What system safeguards does the bank want to implement?

Step 5 - Demonstrate Compliance: Reporting; Improve the process; Document Residual Risk

Inherent Risk

Residual Risk
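A worked model of the five steps above, as an added example that is not from the lecture or from SBS: inherent risk from likelihood and impact (Step 3), residual risk after controls (Step 4), and a Step 5 report of what still exceeds the bank’s risk appetite, which is where additional spending should go. The 3x3 rating matrix, the control effectiveness grades and the one-level reduction per grade are assumptions; the threat rows are taken from the Core Processor table earlier on the page.

```python
from dataclasses import dataclass, field

LEVELS = ["Low", "Medium", "High"]                    # ordinal scale used throughout
REDUCTION = {"Weak": 0, "Adequate": 1, "Strong": 2}   # assumed effect of a control set

@dataclass
class Threat:
    name: str
    likelihood: str
    impact: str
    controls: list                    # Step 4: control names from the lecture's table
    effectiveness: str = "Adequate"   # assumed rating of the control set as a whole

@dataclass
class Asset:
    name: str          # Step 1: inventory entry
    value: str         # Step 2: protection profile summarised as one rating
    threats: list = field(default_factory=list)

def inherent_risk(likelihood: str, impact: str) -> str:
    """Step 3: likelihood x impact before controls (assumed 3x3 matrix:
    Low+Low -> Low, Medium+High or High+High -> High, otherwise Medium)."""
    idx = LEVELS.index(likelihood) + LEVELS.index(impact)   # 0..4
    return LEVELS[(idx + 1) // 2]

def residual_risk(threat: Threat) -> str:
    """Step 4: inherent risk lowered by the control set's effectiveness, never below Low."""
    inherent = LEVELS.index(inherent_risk(threat.likelihood, threat.impact))
    return LEVELS[max(0, inherent - REDUCTION[threat.effectiveness])]

def over_appetite(asset: Asset, appetite: str) -> list:
    """Step 5: (threat, inherent, residual) rows whose residual risk exceeds the
    bank's risk appetite, highest residual first: the resource-allocation list."""
    rows = [(t.name, inherent_risk(t.likelihood, t.impact), residual_risk(t))
            for t in asset.threats]
    flagged = [r for r in rows if LEVELS.index(r[2]) > LEVELS.index(appetite)]
    return sorted(flagged, key=lambda r: -LEVELS.index(r[2]))

# Sample input: four rows from the lecture's Core Processor table; the
# effectiveness ratings are constructed for this example.
CORE = Asset("Core Processor", "High", [
    Threat("Unauthorized User Access", "High", "High",
           ["Password Controls", "Access Controls", "Insurance"]),
    Threat("Software Failure", "Medium", "High",
           ["Incident Response Plan", "Software Security"]),
    Threat("Communications Failure", "Low", "Medium",
           ["Telecommunications Services"]),
    Threat("Hardware Failure", "Medium", "High",
           ["Data Integrity", "EDP Contingency Procedures"], "Weak"),
])

if __name__ == "__main__":
    for name, inh, res in over_appetite(CORE, "Low"):
        print(f"{name:26} inherent={inh:7} residual={res}")
```

With these assumptions the model reproduces the table’s ratings for the four rows (Medium, Medium, Low, High) and ranks Hardware Failure first for new spending.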

IT Risk Management Tools

• Efficiency
• Repeatability
• Quality
• Automate processes
• Examiners like them

BOTTOM LINE #1: Act as your security expert

BOTTOM LINE #2: Allow bank to spend time examining information and making decisions (not compiling a risk assessment spreadsheet)

24

Top Risk Assessment Products

25

Product | Website | Location
Archer | www.archer-tech.com | Kansas
bSECURE | www.brintech.com | Texas
CoNetrix | www.conetrix.com | Texas
Modulo | www.modulo.com | Seattle
Riskkey | www.riskkey.com | Texas
RiskWatch | www.riskwatch.com | Maryland
Scout | www.locknet-inc.com | Wisconsin
TRAC | www.tracadvantage.com | South Dakota
WolfPAC | www.wolfandco.com | Maryland

IT Assets

Protection Profile

Threats

Controls

Protection Profile Report

The more important the asset, the more you want to reduce its risk.

Acceptable levels of risk are identified and measured against. 

Risk Appetite

Commercial Account Assessments

Commercial Banking Fraud

33

Commercial Account Takeover

• Cyber‐criminals are targeting commercial accounts

• Business/Commercial accounts do not have the same legal protections afforded to consumer accounts (Reg E)

• Schumer Bill introduced in 2012 to Reg E “Schools and Municipalities”

34

Commercial Banking Fraud

• January 22, 2009
• Experi-Metal Inc. - Sterling Heights, MI
• Sues Comerica Bank ($60M) - Dallas, TX
• An EMI employee opened and clicked on links within a phishing email
• $1.9M stolen, $560,000 was not recoverable
• 47 wires in one day to foreign and domestic accounts which EMI had never wired to before
• Ruling: Bank failed to detect the fraud and must pay Experi-Metal $560,000 in losses.

35

Small Business Security

70% lack basic security controls

Get to the basics with each small business

Conduct a risk assessment looking for these basic security controls:

• Firewall
• Strong passwords
• Malware Protection
• Etc.

36


Finger Pointing and ACH Risk

38

Mitigating ACH Fraud in Community Banks

• Layered Information Security Program

• Enhanced Focus on Security Awareness

• Risk Assess Corporate Account Portfolio and Take Action

39

Commercial Account Takeover FFIEC Guidance

FFIEC’s “Interagency Supplement to Authentication in an Internet Banking Environment” states the following activities to mitigate commercial account takeover:

• Risk Assess to better understand and respond to emerging threats.
• Increased multi-factor authentication.
• Layered security controls.
• Improved device identification and protection.
• Improved customer and employee fraud awareness.

CSBS CATO Guidance

40

Bottom Line

Need to develop a way for your bank to assess the risk of commercial accounts

41

ACH Regulatory Compliance

REGULATION

The Board of Directors at the bank is responsible to:

• Reduce/Control ACH Fraud
• Meet FFIEC Guidance
• Meet CSBS Guidance

Actions

Controls at the Bank

• Corporate account security is part of your layered security program
• Minimum list of 9 security controls in the FFIEC supplement

Controls at the Business

• CATO Risk Assessment
• List of controls in the CSBS guidance
• Customer Education
• Contracts/Documentation

42

Effective controls that may be incorporated in a layered security program include, but are not limited to:

• Fraud monitoring and detection
• Dual authorization
• Out-of-band transaction verification
• Positive pay
• Account activity controls or limits on value, volume, timeframes, and payment recipients
• IP reputation-based blocking tools
• Policies and procedures for addressing potentially infected customer devices
• Enhanced control over account maintenance
• Enhanced customer education

Controls at Your Bank

43

How do You Assess Merchant Risk?

44

5 Step IT Risk Assessment Process

45

Step 0 Inventory

Step 1 Risk Identification

Step 2 Risk Measurement

Step 3 Risk Mitigation

Step 4 Risk Monitoring

Inherent Risk

Residual Risk

Commercial Account Assessments

Commercial Banking Fraud

Bottom Line

Need to develop a way for your bank to assess the risk of commercial accounts

48


Assessment Results

50

Track Progress

51

Easily Create a campaign

© SBS CyberSecurity, LLC www.sbscyber.com | Consulting | Network Security

52

Choose from a huge library of phishing templates


53

Realistic Templates


54

Educate them WHEN they click


55

Other Phishing Tools

• Wombat
• PhishMe
• QuickPhish
• Tandem Phishing

Most of these tools offer a free trial


56

Enterprise Risk Management

57

Enterprise Risk Management (ERM)

58

ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (FDIC Internal ERM Program and COSO)

ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity’s risk management in a changing operating environment. (Protiviti consulting firm)

Business Processes

59

• Administrative
• Affiliate
• Back-Office
• Customer Service
• Finance
• Lending
• Marketing
• Regulatory
• Retail (Deposits)
• Information Technology

Threat Areas

60

• Operational
• Reputational
• Compliance
• Financial
• Strategic

Categories commonly used in FFIEC booklets.

ERM – Risk Mitigation Goals

61

ERM – Protection Profile

62

ERM ‐ Threats

63

ERM ‐ Controls

64

ERM ‐ Reporting

65

Report – Risk Mitigation 

66

Report – Threat Source

67

68

REPORT – PEER COMPARISON

Bank Secrecy Act Assessments

69

Bank Secrecy Act (BSA)

70

The Currency and Foreign Transactions Reporting Act of 1970 (which legislative framework is commonly referred to as the “Bank Secrecy Act” or “BSA”) requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an “anti-money laundering” law (“AML”) or jointly as “BSA/AML.” Several AML acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC 5311-5330 and 31 CFR Chapter X [formerly 31 CFR Part 103].)

BSA Program Components

71

• Program is driven by a risk assessment.
• A system of internal controls to ensure ongoing compliance.
• Independent testing of BSA compliance.
• A specifically designated person or persons responsible for managing BSA compliance (BSA compliance officer).
• Training for appropriate personnel.

http://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_008.htm

Risk Driven BSA Program

72

BSA – Account Types 

73

BSA – Risk Areas

74

BSA – Controls

75

BSA – Reports 

76

Report – Account Risk

77

Cyber Security Assessment

www.protectmybank.com

©2015 Secure Banking 

FFIEC CA Tool (3 parts)

Three (3) major components

1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity

2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats

3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity.

79

Cybersecurity Inherent Risk 

Very PRESCRIPTIVE

Really getting to the Size and Complexity issue originally stated by GLBA

Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats

80

Cybersecurity Inherent Risk 

Five Inherent Risk Areas

1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats

81

82

Cybersecurity Maturity

Measure Maturity in 5 Domains (+ Assessment Factors)

1. Cyber Risk Management and Oversight: Governance, Risk Management, Resources, and Training

2. Threat Intelligence and Collaboration: Threat Intelligence, Monitoring & Analyzing, and Info Sharing

3. Cybersecurity Controls: Preventative, Detective, and Corrective controls

4. External Dependency Management: External Connections and (Vendor) Relationship Management

5. Cyber Incident Management and Resilience: Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting

83

What is Cybersecurity Maturity?

Determining whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness

I.E. are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents?

84

Determining Maturity Level

Within each component, “declarative statements” describe activities supporting the assessment factor at each maturity level

“All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level”

What this actually means: Identify the controls you have in place, starting with “baseline” controls and escalating up in order to determine maturity levels

85
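The rule quoted above, applied in code as an added example that is not part of the lecture or of the FFIEC tool: a domain’s maturity is the highest level at which every declarative statement, and every statement at all lower levels, is attained and sustained, so a single missed Baseline statement voids any higher-level work. The level names are the CAT’s; the statement IDs, attainment flags and target level are constructed for illustration.

```python
# Maturity levels named in the FFIEC CAT; the statement IDs and attainment
# flags further down are constructed for this example, not real CAT text.
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

def domain_maturity(statements):
    """statements maps level -> {statement_id: attained_and_sustained (bool)}.
    Returns the highest level the domain has reached, or None when Baseline
    itself is incomplete. A level only counts when every statement at that
    level AND at every lower level is attained, so the walk stops at the
    first level with a gap and ignores anything attained above it."""
    reached = None
    for level in MATURITY_LEVELS:
        flags = statements.get(level, {})
        if not flags or not all(flags.values()):
            break
        reached = level
    return reached

def next_gaps(statements):
    """The level the domain is working toward and the statement IDs still
    unmet there: the "escalate up in order" view of what to fix first."""
    for level in MATURITY_LEVELS:
        flags = statements.get(level, {})
        unmet = sorted(sid for sid, ok in flags.items() if not ok)
        if unmet or not flags:
            return level, unmet
    return None, []

def meets_target(statements, target):
    """True when the domain's maturity is at or above the level the bank's
    inherent risk profile calls for (the target is supplied by the caller)."""
    reached = domain_maturity(statements)
    return (reached is not None
            and MATURITY_LEVELS.index(reached) >= MATURITY_LEVELS.index(target))

# Constructed sample: Baseline complete, one Evolving gap, Intermediate fully
# attained. The Intermediate work does not lift the rating past Baseline.
CONTROLS_DOMAIN = {
    "Baseline":     {"B.1": True, "B.2": True, "B.3": True},
    "Evolving":     {"E.1": True, "E.2": False, "E.3": True},
    "Intermediate": {"I.1": True, "I.2": True},
}

# Constructed sample: strong Evolving practice but one Baseline miss, so the
# domain has no maturity level at all until B.2 is closed.
OVERSIGHT_DOMAIN = {
    "Baseline": {"B.1": True, "B.2": False},
    "Evolving": {"E.1": True, "E.2": True},
}

if __name__ == "__main__":
    for name, dom in [("Controls", CONTROLS_DOMAIN), ("Oversight", OVERSIGHT_DOMAIN)]:
        print(name, domain_maturity(dom), next_gaps(dom), meets_target(dom, "Evolving"))
```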

www.protectmybank.com

©2015 Secure Banking 86

Increasing Maturity


Risk Assessment Best Practices

• Determine which kind of assessment is the most important for your bank and invest accordingly
• Mature your program
• Have repeatable processes for each kind of assessment
• Assign an owner for each kind of assessment
• Create a policy and program for each kind of assessment
• Leverage tools to promote consistency and good decision-making
• Don’t use the manual spreadsheet technique!
• Produce your documentation along the way
• Ensure management/board involvement

100

Review of Goals

• Understand IT risk assessment law and regulation
• Understand the top risk assessment issues that cause problems and inefficiencies
• Learn how to expand and mature:
  IT risk assessment
  Corporate account assessments (CATO)
  Enterprise Risk Management
  BSA Risk Management
• Review effective risk assessment policy
• Watch how leading tools enable quicker and better risk assessment
• Review risk assessment best practices
• Big 5: Tools, KnowBe4, repeatable processes, policies, schedules

101

Risk Assessment Schedule

102

Dr. Kevin Streff

– Professor of Cybersecurity at Dakota State University
• Kevin.streff@dsu.edu
• (605) 270-0790

– Founder: SBS Cybersecurity, LLC
• www.sbscyber.com
• Kevin.streff@sbscyber.com
• (605) 270-0790