Your State Association Presents
Preparing for & Conducting an FFIEC IT Audit in 2016
Program Materials
Use this document to follow along with the webinar
presentation. Please test your system before the broadcast.
Be sure to print enough copies for all listeners.
Friday, August 12, 2016
Presented by: Jim Stempak
Technical Support (for faster service please submit inquiries via email or online), Registration & Tech Support: Email [email protected], Phone (877) 988-7526. For additional assistance please refer to our FAQs.
© 2016 Crowe Horwath LLP
Preparing for & Conducting an FFIEC IT Audit in 2016
August 12, 2016
Brought to you by your State Bankers Association
Meet your presenters…
Jim Stempak, Crowe Horwath LLP, Principal, Risk Consulting, [email protected]
Event Preparation
Make sure your speakers are turned up on your computer. You should be hearing music playing in the background.
If you do not have computer speakers available and need to hear the audio over a phone line instead, please dial in to this number: 1 (855) 267-3984 followed by your unique audio code in your reminder email
In order to use the Q&A function during the webinar you will need to exit full screen mode.
If you are experiencing any technical issues please contact Support one of the following ways:
Live Chat: Enter a question in the Q&A Box on the left-hand side of your webinar screen.
Email: [email protected]
Call: 877-988-7526
For additional assistance please refer to our FAQs.
We value your input…
After the event you will receive an email with instructions and a link to an online evaluation form
Please forward this email to all listeners in your bank
An evaluation must be completed in order to receive your event participation certificate
Registration Policy
Your registration entitles you to one web connection at the same physical location. However, you may have unlimited participants in the same room.
You have received a unique link for today’s event. If your organization has only paid for one registration and attempts to connect additional sites by forwarding the link, they will not be able to access the broadcast.
Don't forget, your organization has access to a recorded copy of this presentation online for 30 days following the broadcast.
Agenda Items
Technology Risk Assessment
Cybersecurity Assessment Tool - CAT
Information Technology Risk Examination Program – InTREx
Regulatory Changes
Internal IT Audit Planning
Internal IT Audit Expectations, Scope, and Approach
Internal Audit Execution
Technology Risk and Cybersecurity Assessments
What is the difference between Technology Risk and Cybersecurity Assessments?
ITGC – IT General Controls Review: Testing the organization's internal control framework to provide assurance over the confidentiality, integrity and availability of data.
ISA – Information Security Assessment: Identifying vulnerabilities that an active hostile threat might exploit.
IPA – Internal Penetration Assessment: Penetration test that would simulate what an insider attack could accomplish from within the organization.
EPA – External Penetration Assessment: Penetration test that would simulate what an attacker could possibly attempt from the outside.
Internal IT Audit Planning
Review regulatory guidance
FFIEC Cybersecurity Tool
InTREx Program
FFIEC IT Handbooks - Management
Review prior three years’ audit findings
Positive and negative trends
Status – remediated or open
Review most current exam reports
Review business initiatives for the coming year
Review significant changes in human resources, processes and / or systems for the coming year
Review effectiveness of internal controls
Review prior year’s internal IT audit plan and scope
Update IT or Internal IT Audit Risk Assessment
Internal IT Audit Planning
New and revised regulatory guidance
Cybersecurity Assessment Tool
Review 2015 Results of Self Assessment
Inherent Risk Profile: Least, Minimal, Moderate, Significant, Most
Maturity Ratings By Domain – Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience: Baseline, Evolving, Intermediate, Advanced, Innovative
Cybersecurity Assessment Tool
What do 2015 Results of Self Assessment Tell You?
Risk Appetite
Gaps by Domain
Perform Self Assessment for 2016
Where were there changes and why?
How will you change your audit program?
How did you provide evidence for your responses?
InTREx Program
As part of your audit planning
Complete Information Technology Profile
Perform Self Assessment for 2016
Review each section of exam program
Audit
Management
Development and Acquisition
Support and Delivery
Information Security Standards
How will you change your audit program?
IT Handbook Updates Since Last Audit Cycle
Management Handbook
Appendix E: Mobile Financial Services to the Retail Payment Systems Handbook
How do these changes impact the Bank and you?
Who is responsible for reviewing these changes and staying current?
Internal IT Audit Planning
Changes to the IT Environment
Applications
Databases
Operating Systems
Servers / Infrastructure
Internal IT Audit Planning
Changes that could impact your IT environment
Service Channels
Products
Third Party Vendors
IT Governance
Internal IT Audit Expectations, Scope and Approach
Follow-up on prior audit and exam findings
Business Continuity
Management Oversight / Responsibility
Business Impact Analysis (BIA)
Disaster Recovery
Incident Response
Testing: Table Top / Live exercises
Don’t forget third-parties and vendors
Polling question one: What is an example of a change that could impact your IT environment?
a) New IT Management or IT Personnel
b) Adding new features to your mobile banking solution
c) Introduction of FinTech Solution at the Bank
d) All of the above
e) Unsure / don’t know
Development and Acquisition
In-House Changes versus Vendor Changes
Policies and Procedures
Project Management
Monitoring IT Access Rights and Segregation of Duties
E-Banking
Internet Banking versus Mobile Banking
Risk Assessments
Technology Risks
Operational Risk by Product
Multi-Factor Authentication
Reliance on Vendors
Polling question two: Since our bank outsources application development activities, we don’t have to worry as much?
a) True
b) False
c) Unsure / don’t know
Information Security
Cybersecurity Overview
Cybersecurity Definition and Frameworks
Logical Access
Penetration Testing
Information Security Assessment
Who is the Threat?
The Insider Threat
• Employee, partners, contractors
• Typically highest likelihood of monetary impact
• Example: Disgruntled employee
“Script Kiddies”
• Attackers leveraging widely available tools
• Looking for targets of opportunity
• Example: Website defacement
Targeted Attacks
• Advanced attacks with specific targets
• Worms, Application Vulnerabilities
• Example: Stuxnet, Conficker, Sasser
Advanced Persistent Threats
• Looking for targets of value
• Often includes botnets
• Highly knowledgeable, highly funded
• Example: LulzSec, Nation Sponsored
Attack Scenario
Initial Point of Entry
The Point of Entry represents how the attacker obtains initial access. Examples could include social engineering, unpatched Internet accessible systems, or weak passwords on externally accessible systems.
Pivot Point
The initial access typically does not provide the information the attacker is looking for. They will leverage the access they do have to try to increase authority on the network. This could occur through shared passwords, unpatched systems, or excessive privileges. In the Mandiant report, the attackers leveraged misconfigured devices and shared passwords to eventually obtain domain administrator authority.
Fortify Access and Access Data
As the attacker pivots around the network, they continue to attempt to escalate their authority until they have the necessary access. They will typically fortify their access by installing malware or backdoors to maintain access. The administrator credentials the attacker obtained likely have authority to the cardholder network, where they can install card harvesting malware to capture credit card data.
Data Exfiltration
Once the attacker has data, they need to get it out of the network. This can be completed through email or FTP. Malware can write the cards to a temp file on the database, which can then be copied to a server, then to a workstation that has Internet access, where it can be sent via FTP to the attacker.
Cybersecurity or Information Security?
• Many are still asking and many still have differences of opinion: Information Security, IT Security, Information Assurance.
• Reflection of where we are:
Information Security is the protection of information in all forms: intellectual, hardcopy, softcopy/electronic.
Cybersecurity is the protection of information in the cyber “space”.
IT Security (same as cybersecurity but sounds cooler).
What is Cybersecurity?
Gartner:
"Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries."
DoD:
"A comprehensive cybersecurity program leverages industry standards and best practices to protect systems and detect potential problems, along with processes to be informed of current threats and enable timely response and recovery."
Simplest Definition
“Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” (Source: Merriam-Webster Dictionary)
Regardless of the source of definition, objectives still continue to be:
The Triad of Security – CIA of “CRITICAL DATA”
Confidentiality
Integrity
Availability
Who does it impact?
Anyone, individual or organization, connected to the internet
Trends in Cybersecurity
Expect Cyber attacks
More Frequent, varied and mobile
Center stage and becoming more public
More corporate accountability and resulting litigation
More regulatory pressure
As a result of the above four trends, other sub-trends are:
Standard frameworks
Growing workforce
Expanded research
Mobile coverage
The NIST Cybersecurity Framework is Born
Cyber Security Executive Order 13636, February 2013 State of the Union
Increasing the sharing of information (Real Time) for “Critical Infrastructure”
Calls for risk-based set of industry standards and best practices
First Version Released on February 12, 2014. “Framework for Improving Critical Infrastructure Cybersecurity”
Public and Private input
Both Protection and Reaction
Voluntary
NIST is seeking commentary based on this release; Version 2 is anticipated. NIST has said that they will “continue to serve in the capacity of ‘convener and coordinator’ at least through version 2.0 of the Framework.”
The latest update was released on December 15, 2014. A formal RFI asking for further feedback will be issued.
The NIST Cybersecurity Framework – Core
1. Framework Core
Functions: Identify, Protect, Detect, Respond, Recover
Categories
Subcategories
Informative References
Who Does What? – Framework Functions
Primarily Info Sec Controlled
Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology
Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes
Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
Recover
• Recovery Planning
• Improvements
• Communications
Cybersecurity – Regulators Expectations
FFIEC Federal Financial Institutions Examination Council
Established the Cybersecurity and Critical Infrastructure Working Group in June 2013
Created the Cybersecurity Assessment Exam designed for federal and state banking regulators to assess cybersecurity threats and mitigations.
Builds upon the FFIEC IT Handbook, to include:
Assessing complexity of the institution’s IT environment and how its IT services are managed.
Assessing an institution’s current and overall cybersecurity preparedness, including:
Risk management and oversight
Threat intelligence and collaboration
Cybersecurity controls
External dependency management
Cyber incident management and resilience
Risk Management
• What is the process for ensuring ongoing and routine discussions by the board and senior management about cyber threats and vulnerabilities to our financial institution?
• How is accountability determined for managing cyber risks across our financial institution? Does this include management’s accountability for business decisions that may introduce new cyber risks?
• What is the process for ensuring ongoing employee awareness and effective response to cyber risks?
Threat Intelligence
• What is the process to gather and analyze threat and vulnerability information from multiple sources?
• How do we leverage this information to improve risk management practices?
• What reports are provided to our board on cyber events and trends?
• Who is accountable for maintaining relationships with law enforcement?
External Management
• How is our financial institution connecting to third parties and ensuring they are managing their cybersecurity controls?
• What are our third parties’ responsibilities during a cyber attack? How are these outlined in incident response plans?
Cybersecurity Controls
• What is the process for determining and implementing preventive, detective, and corrective controls on our financial institution’s network?
• Does the process call for a review and update of controls when our financial institution changes its IT environment?
• What is our financial institution’s process for classifying data and determining appropriate controls based on risk?
• What is our process for ensuring that risks identified through our detective controls are remediated?
Cybersecurity Response
• In the event of a cyber attack, how will our financial institution respond internally and with customers, third parties, regulators, and law enforcement?
• How are cyber incident scenarios incorporated in our financial institution’s business continuity and disaster recovery plans? Have these plans been tested?
Incident Response Planning (IRP) – Key Items
1. Understand your “Data” before creating an IRP. In other words, determine the data that you are trying to protect and the level of protection it needs. Knowing this and the ways that data can be accessed is important for developing the appropriate response to an incident.
2. Inventory incidents or scenarios and classify them into manageable categories or buckets
3. Understand the threats that you are likely to face – start off with “known” threats and then create a source for new and emerging threats for on-going monitoring
4. Determine the stakeholders and define the IR “TEAM”. At a minimum this team should include: Corporate Communications, Legal, Compliance, Line of business representative(s), IT, and External Forensics Partner or Vendor
5. Set up a “Command Center” and Command Center Leader – could be a conference room
6. Incident – containment and investigation strategy
7. Evidence preservation strategy
8. Overall communication plan including customers, media, federal and state agencies
9. Conduct a post-mortem or lessons learned and update IRP procedures
Logical Access
Access Provisioning Process
Password/Account Settings/Access Appropriateness FFIEC Compliant
Determining which applications are financially significant
Operating System and Database Level Elevated Access
Penetration Testing
External Penetration Assessment
Technical Services Review
Web Applications
Stealth Penetration
Remote Social Engineering: Email/Telephone/Social Media
Internal Penetration Assessment
Onsite Social Engineering/Physical Security Review/USB Drop
Remote option with Pwnie Express PwnPlug
Advanced Persistent Threat (APT) Prevention / Data Loss Prevention (DLP): What channels can we utilize to get data out? Can it be detected?
Wireless Testing
Who performs Penetration Testing and how are they selected?
Management
IT Governance
Roles and Responsibilities
Risk Management
IT Risk Management
Information Security Officer Independence and Segregation of Duties
Planning/Budgeting
Policies / End User Responsibilities
Board Oversight
Operations
In House versus Outsourced
Monitoring Back Room Operations / Back-ups
Incident Response Plan
Outsourced Technology Services / Vendor Management
Plan and Organize
Policies, Procedures, and Administration
Documentation and Reporting
Third-Party Risk Program Integration
Execution
Risk Assessment
Due Diligence and Third-Party Selection
Contract Negotiation
Delegation of Duties
Monitor and Evaluate
Ongoing Due Diligence
Termination
Independent Reviews
Outsourced Technology Services / Vendor Management
Points to Consider When Finalizing Scope: Outsourced Technology Service Providers, Critical Vendors, or Enterprise Wide Assessment
Board and Management Oversight
Vendor Risk Assessment
RFP / Solicitation Process
Specific Contract Clauses
Proper SSAE 16/SOC Report Review
Performance (SLA) Monitoring
Retail Payment Systems
Remote Capture
Branch Capture
Remote Deposit Capture
Consumer Deposit Capture (assess during E-Banking)
Different kinds of payment methods
How many locations and types of locations are originating payments? Testing should include an appropriate sample of both internal and external parties:
Branches
Customers
Polling question four: When it comes to Retail Payment Systems, what does RDC Stand for?
a) Remote Desktop Control
b) Romeo Delta Charlie
c) Remote Deposit Capture
d) Unsure/don’t know
Wholesale Payment Services
Interbank Payment
Physical Security
Security Awareness
Business Continuity
Internal Audit Execution
Update Risk Assessment(s)
Develop Audit Plan with Audit Units
Perform Required Process Steps for Each Audit Unit: Audit Scope Report, Client Assistance Letter, Opening Meeting, Fieldwork, Exit Meeting, Draft Report, Management Responses, Final Report
Board Reporting
Board Education and Training
Cybersecurity at the Board Level
Recent ISACA and IIA Research Foundation Report
Cybersecurity: “What the Board of Directors Needs to Ask”
1. Does the organization use a security framework?
2. What are the organization's top five cybersecurity risks?
3. How are employees made aware of their cybersecurity role?
4. Are external and internal threats considered when planning a cybersecurity program?
5. How is cybersecurity oversight managed in the organization?
6. If a breach occurs, is there a strong response protocol?
Cybersecurity at the Board Level
1. Approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Understand the legal implications of cyber risks as they relate to a company's specific situation.
3. Have adequate access to cybersecurity expertise and discuss cyber-risk management regularly at board meetings.
4. Directors should expect management to establish a risk management framework with adequate staffing and budget.
5. Board and management discussion of risks should identify which risks to avoid, accept, mitigate, or transfer through insurance, and plans for each tactic.
Questions?
Would you be interested in further discussion?
Jim Stempak, Principal, Crowe Risk Consulting, [email protected]
Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2016 Crowe Horwath LLP