Preparing for & Conducting a FFIEC IT Audit in 2016

Date post: 05-May-2020

Your State Association Presents

Preparing for & Conducting a FFIEC IT Audit in 2016

Program Materials

Use this document to follow along with the webinar presentation. Please test your system before the broadcast.

Be sure to print enough copies for all listeners.

Friday, August 12, 2016

Presented by: Jim Stempak

Technical Support (for faster service please submit inquiries via email or online): (Registration & Tech Support): Email- [email protected], Phone- (877)988-7526 FOR ADDITIONAL ASSISTANCE PLEASE REFER TO OUR FAQs


© 2016 Crowe Horwath LLP

Hello.

Preparing for & Conducting an FFIEC IT Audit in 2016

August 12, 2016

Brought to you by your State Bankers Association


Meet your presenters…

Jim Stempak
Crowe Horwath, LLP
Principal, Risk Consulting
[email protected]


Event Preparation

Make sure your speakers are turned up on your computer. You should be hearing music playing in the background.

If you do not have computer speakers available and need to hear the audio over a phone line instead, please dial in to this number: 1 (855) 267-3984 followed by your unique audio code in your reminder email

In order to use the Q&A function during the webinar you will need to exit full screen mode.

If you are experiencing any technical issues please contact Support one of the following ways:

Live Chat: Enter a question in the Q&A Box on the left-hand side of your webinar screen.

Email: [email protected]

Call: 877-988-7526

FOR ADDITIONAL ASSISTANCE PLEASE REFER TO OUR FAQs


We value your input…

After the event you will receive an email with instructions and a link to an online evaluation form

Please forward this email to all listeners in your bank

An evaluation must be completed in order to receive your event participation certificate


Registration Policy

Your registration entitles you to one web connection at the same physical location. However, you may have unlimited participants in the same room.

You have received a unique link for today’s event. If your organization has only paid for one registration and attempts to connect additional sites by forwarding the link, they will not be able to access the broadcast.

Don't forget, your organization has access to a recorded copy of this presentation online for 30 days following the broadcast.


Agenda Items

Technology Risk Assessment

Cybersecurity Assessment Tool - CAT

Information Technology Risk Examination Program – InTREx

Regulatory Changes

Internal IT Audit Planning

Internal IT Audit Expectations, Scope, and Approach

Internal Audit Execution


Technology Risk and Cybersecurity Assessments

What is the difference between Technology Risk and Cybersecurity Assessments?

[Diagram labels: ISA, IPA, EPA, ITGC]


Technology Risk and Cybersecurity Assessments

Information General Controls Review: Testing the organization's internal control framework to provide assurance over the confidentiality, integrity and availability of data.

Information Security Assessment: Identifying vulnerabilities that an active hostile threat might exploit.

Internal Penetration Assessment: Penetration test that would simulate what an insider attack could accomplish from within the organization.

External Penetration Assessment: Penetration test that would simulate what an attacker could possibly attempt from the outside.


Internal IT Audit Planning

Review regulatory guidance

FFIEC Cybersecurity Tool

InTREx Program

FFIEC IT Handbooks - Management

Review prior three years’ audit findings

Positive and negative trends

Status – remediated or open

Review most current exam reports

Review business initiatives for the coming year

Review significant changes in human resources, processes and / or systems for the coming year

Review effectiveness of internal controls

Review prior year’s internal IT audit plan and scope

Update IT or Internal IT Audit Risk Assessment


Internal IT Audit Planning

New and revised regulatory guidance


Cybersecurity Assessment Tool

Review 2015 Results of Self Assessment

Inherent Risk Profile
• Least
• Minimal
• Moderate
• Significant
• Most

Maturity Ratings By Domain – Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience.
• Baseline
• Evolving
• Intermediate
• Advanced
• Innovative


Cybersecurity Assessment Tool

What do 2015 Results of Self Assessment Tell You?
• Risk Appetite
• Gaps by Domain

Perform Self Assessment for 2016
• Where were there changes and why?
• How will you change your audit program?
• How did you provide evidence for your responses?


InTREx Program

As part of your audit planning

Complete Information Technology Profile

Perform Self Assessment for 2016

Review each section of exam program

Audit

Management

Development and Acquisition

Support and Delivery

Information Security Standards

How will you change your audit program?


IT Handbook Updates Since Last Audit Cycle

Management Handbook

Appendix E: Mobile Financial Services to the Retail Payment Systems Handbook

How do these changes impact the Bank and you?

Who is responsible for reviewing these changes and staying current?


Internal IT Audit Planning

Changes to the IT Environment

Applications

Databases

Operating Systems

Servers / Infrastructure


Internal IT Audit Planning

Changes that could impact your IT environment

Service Channels

Products

Third Party Vendors

IT Governance


Internal IT Audit Expectations, Scope and Approach

Follow-up on prior audit and exam findings


Business Continuity

Management Oversight / Responsibility

Business Impact Analysis (BIA)

Disaster Recovery

Incident Response

Testing
• Table Top
• Live exercises

Don’t forget third-parties and vendors


Polling question one: What is an example of a change that could impact your IT environment?

a) New IT Management or IT Personnel
b) Adding new features to your mobile banking solution
c) Introduction of FinTech Solution at the Bank
d) All of the above
e) Unsure / don’t know


Development and Acquisition

In-House Changes versus Vendor Changes

Policies and Procedures

Project Management

Monitoring IT Access Rights and Segregation of Duties


E-Banking

Internet Banking versus Mobile Banking

Risk Assessments

Technology Risks

Operational Risk by Product

Multi-Factor Authentication

Reliance on Vendors


Polling question two: Since our bank outsources application development activities, we don’t have to worry as much?

a) True
b) False
c) Unsure / don’t know


Information Security

Cybersecurity Overview

Cybersecurity Definition and Frameworks

Logical Access

Penetration Testing

Information Security Assessment


Who is the Threat?

The Insider Threat
• Employee, partners, contractors
• Typically highest likelihood of monetary impact
• Example: Disgruntled employee

“Script Kiddies”
• Attackers leveraging widely available tools
• Looking for targets of opportunity
• Example: Website defacement

Targeted Attacks
• Advanced attacks with specific targets
• Worms, Application Vulnerabilities
• Example: Stuxnet, Conficker, Sasser

Advanced Persistent Threats
• Looking for targets of value
• Often includes botnets
• Highly knowledgeable, highly funded
• Example: Lulzsec, Nation Sponsored


Attack Scenario

Initial Point of Entry

The Point of Entry represents how the attacker obtains initial access. Examples could include social engineering, unpatched Internet accessible systems, or weak passwords on externally accessible systems.

Pivot Point

The initial access typically does not provide the information the attacker is looking for. They will leverage the access they do have to try to increase authority on the network. This could occur through shared passwords, unpatched systems, or excessive privileges. In the Mandiant report, the attackers leveraged misconfigured devices and shared passwords to eventually obtain domain administrator authority.

Fortify Access and Access Data

As the attacker pivots around the network, they continue to attempt to escalate their authority until they have the necessary access. They will typically fortify their access by installing malware or backdoors to maintain access. The administrator credentials the attacker obtained likely have authority to the cardholder network, where they can install card harvesting malware to capture credit card data.

Data Exfiltration

Once the attacker has data, they need to get it out of the network. This can be completed through email or FTP. Malware can write the cards to a temp file on the database, which can then be copied to a server, then to a workstation that has Internet access, where it can be sent via FTP to the attacker.


Cybersecurity or Information Security?

• Many are still asking and many still have differences of opinion.
  Information Security
  IT Security
  Information Assurance

• Reflection of where we are
  Information Security is the protection of information in all forms; intellectual, hardcopy, softcopy/electronic
  Cybersecurity is the protection of information in the cyber “space”
  IT Security (same as cybersecurity but sounds cooler)


What is Cybersecurity?

Gartner:

"Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries."

DoD:

"A comprehensive cybersecurity program leverages industry standards and best practices to protect systems and detect potential problems, along with processes to be informed of current threats and enable timely response and recovery."


Simplest Definition

“Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.”

Regardless of the source of definition, objectives still continue to be:

The Triad of Security – CIA of “CRITICAL DATA”

Confidentiality

Integrity

Availability

Who does it impact?

Anyone, individual or organization, connected to the internet

Source: Merriam Dictionary


Trends in Cybersecurity

Expect Cyber attacks

More Frequent, varied and mobile

Center stage and becoming more public

More corporate accountability and resulting litigation

More regulatory pressure

As a result of the above four trends, other sub-trends are:

Standard frameworks

Growing workforce

Expanded research

Mobile coverage


The NIST Cybersecurity Framework is Born

Cyber Security Executive Order 13636 February 2013 State of the Union

Increasing the sharing of information (Real Time) for “Critical Infrastructure”

Calls for risk-based set of industry standards and best practices

First Version Released on February 12, 2014. “Framework for Improving Critical Infrastructure Cybersecurity”

Public and Private input

Both Protection and Reaction

Voluntary

NIST is seeking commentary based on this release, Version 2 anticipated

NIST has said that they will “continue to serve in the capacity of ‘convener and coordinator’ at least through version 2.0 of the Framework.”

The latest update was released on December 15, 2014. A formal RFI asking for further feedback will be issued.


The NIST Cybersecurity Framework – Core

1. Framework Core

Functions

Identify

Protect

Detect

Respond

Recover

Categories

Subcategories

Informative References


Who Does What? – Framework Functions

Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy

Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology

Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes

Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements

Recover
• Recovery Planning
• Improvements
• Communications

Primarily Info Sec Controlled


Cybersecurity – Regulators’ Expectations

FFIEC: Federal Financial Institutions Examination Council

Established the Cybersecurity and Critical Infrastructure Working Group in June 2013

Created the Cybersecurity Assessment Exam designed for federal and state banking regulators to assess cybersecurity threats and mitigations.

Builds upon the FFIEC IT Handbook, to include:

• Assessing complexity of the institution’s IT environment and how its IT services are managed.

• Assessing an institution’s current and overall cybersecurity preparedness, including:
  Risk management and oversight
  Threat intelligence and collaboration
  Cybersecurity controls
  External dependency management
  Cyber incident management and resilience


Risk Management

• What is the process for ensuring ongoing and routine discussions by the board and senior management about cyber threats and vulnerabilities to our financial institution?

• How is accountability determined for managing cyber risks across our financial institution? Does this include management’s accountability for business decisions that may introduce new cyber risks?

• What is the process for ensuring ongoing employee awareness and effective response to cyber risks?


Threat Intelligence

• What is the process to gather and analyze threat and vulnerability information from multiple sources?

• How do we leverage this information to improve risk management practices?

• What reports are provided to our board on cyber events and trends?

• Who is accountable for maintaining relationships with law enforcement?


External Management

• How is our financial institution connecting to third parties and ensuring they are managing their cybersecurity controls?

• What are our third parties’ responsibilities during a cyber attack? How are these outlined in incident response plans?


Cybersecurity Controls

• What is the process for determining and implementing preventive, detective, and corrective controls on our financial institution’s network?

• Does the process call for a review and update of controls when our financial institution changes its IT environment?

• What is our financial institution’s process for classifying data and determining appropriate controls based on risk?

• What is our process for ensuring that risks identified through our detective controls are remediated?


Cybersecurity Response

• In the event of a cyber attack, how will our financial institution respond internally and with customers, third parties, regulators, and law enforcement?

• How are cyber incident scenarios incorporated in our financial institution’s business continuity and disaster recovery plans? Have these plans been tested?


Incident Response Planning (IRP) – Key Items

1. Understand your “Data” before creating an IRP. In other words, determine the data that you are trying to protect and the level of protection. Knowing this and the ways that data can be accessed is important for developing the appropriate response to an incident.

2. Inventory incidents or scenarios and classify them into manageable categories or buckets

3. Understand the threats that you are likely to face – start off with “known” threats and then create a source for new and emerging threats for on-going monitoring

4. Determine the stakeholders and define the IR “TEAM”. At a minimum this team should include: Corporate Communications, Legal, Compliance, Line of business representative(s), IT, and External Forensics Partner or Vendor

5. Set up a “Command Center” and Command Center Leader – could be a conference room

6. Incident – containment and investigation strategy

7. Evidence preservation strategy

8. Overall communication plan including customers, media, federal and state agencies

9. Conduct a post-mortem or lessons learned and update IRP procedures


Logical Access

Access Provisioning Process

Password/Account Settings/Access Appropriateness
• FFIEC Compliant

Determining which applications are financially significant

Operating System and Database Level Elevated Access


Penetration Testing

External Penetration Assessment
• Technical Services Review
• Web Applications
• Stealth Penetration
• Remote Social Engineering: Email/Telephone/Social Media

Internal Penetration Assessment
• Onsite Social Engineering/Physical Security Review/USB Drop
• Remote option with Pwnie Express PwnPlug

Advanced Persistent Threat (APT) Prevention / Data Loss Prevention (DLP)
• What channels can we utilize to get data out? Can it be detected?

Wireless Testing

Who performs Penetration Testing and how are they selected


Management

IT Governance

Roles and Responsibilities

Risk Management

IT Risk Management

Information Security Officer Independence and Segregation of Duties

Planning/Budgeting

Policies / End User Responsibilities

Board Oversight


Operations

In House versus Outsourced

Monitoring Back Room Operations / Back-ups

Incident Response Plan


Outsourced Technology Services / Vendor Management

Plan and Organize
• Policies, Procedures, and Administration
• Documentation and Reporting
• Third-Party Risk Program Integration

Execution
• Risk Assessment
• Due Diligence and Third-Party Selection
• Contract Negotiation
• Delegation of Duties

Monitor and Evaluate
• Ongoing Due Diligence
• Termination
• Independent Reviews


Outsourced Technology Services / Vendor Management

Points to Consider When Finalizing Scope:

Outsourced Technology Service Providers, Critical Vendors, or Enterprise Wide Assessment

Board and Management Oversight

Vendor Risk Assessment

RFP / Solicitation Process

Specific Contract Clauses

Proper SSAE 16/SOC Report Review

Performance (SLA) Monitoring


Retail Payment Systems

Remote Capture

Branch Capture

Remote Deposit Capture

Consumer Deposit Capture (assess during E-Banking)

Different kinds of payment methods

How many locations and types of locations are originating payments?

Testing should include appropriate sample of both internal and external parties
• Branches
• Customers


Polling question four: When it comes to Retail Payment Systems, what does RDC Stand for?

a) Remote Desktop Control
b) Romeo Delta Charlie
c) Remote Deposit Capture
d) Unsure/don’t know


Wholesale Payment Services

Interbank Payment

Physical Security

Security Awareness

Business Continuity


Internal Audit Execution

Update Risk Assessment(s)

Develop Audit Plan with Audit Units

Perform Required Process Steps for Each Audit Unit
• Audit Scope Report
• Client Assistance Letter
• Opening Meeting
• Fieldwork
• Exit Meeting
• Draft Report
• Management Responses
• Final Report

Board Reporting

Board Education and Training


Cybersecurity at the Board Level

Recent ISACA and IIA Research Foundation Report

Cybersecurity: “What the Board of Directors Needs to Ask”

1. Does the organization use a security framework?

2. What are the organization's top five cybersecurity risks?

3. How are employees made aware of their cybersecurity role?

4. Are external and internal threats considered when planning a cybersecurity program?

5. How is cybersecurity oversight managed in the organization?

6. If a breach occurs, is there a strong response protocol?


Cybersecurity at the Board Level

1. Approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

2. Understand the legal implications of cyber risks as it relates to a company's specific situation.

3. Have adequate access to cybersecurity expertise and discuss cyber-risk management regularly at board meetings.

4. Directors should expect management to establish a risk management framework with adequate staffing and budget.

5. Board and management discussion of risks should identify which risks to avoid, accept, mitigate, or transfer through insurance, and plans for each tactic.


Questions?


Would you be interested in further discussion?

Jim Stempak, Principal
Crowe Risk [email protected]

Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2016 Crowe Horwath LLP