Post on 22-Aug-2020
© 2017 Jack Henry & Associates, Inc.®
Successfully Implementing a Virtual ISO – A Customer's Perspective
Presented by: Viviana Campanaro and Tom Williams, Gladiator
Featuring Sue Ozburn, Cashmere Valley Bank
November 29, 2018
© 2018 Jack Henry & Associates, Inc.
Presenters
• Tom Williams, Business Continuity Strategy Manager, ToWilliams@jackhenry.com
• Sue Ozburn, Cashmere Valley Bank, sozburn@cashmerevalleybank.com
• Viviana Campanaro, Sales Engineer, VCampanaro@jackhenry.com
Agenda
• State of Information Security for FIs
• Examiners' position on Information Security
• Role and Responsibilities of the Information Security Officer (ISO)
• How our Bank Implemented the virtual ISO Service – Cashmere Valley Bank
• The Gladiator vISO (Virtual Information Security Officer) Service
• Q&A
State of Information Security for Financial Institutions: In the News
Regulators Making Information Security a Priority
• FFIEC Releases Cybersecurity Assessment Tool - FFIEC, June 30, 2015
• Financial Regulators Release Revised Management Booklet - FFIEC, November 10, 2015
• FFIEC Issues Statement on Safeguarding the Cybersecurity of Interbank Messaging and Payment Networks - FFIEC, June 7, 2016
• The FDIC launches the Information Technology Risk Examination (InTREx) Program - FDIC, June 30, 2016
• The FFIEC releases a revised Information Security booklet - FFIEC, September 9, 2016
• The FFIEC publishes a frequently asked questions (FAQ) guide related to the Cybersecurity Assessment Tool - FFIEC, October 17, 2016
• New York State Department of Financial Services Proposed 23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies - NYSDFS, December 28, 2016
• FFIEC Releases Updates to Cybersecurity Assessment Tool - FFIEC, May 31, 2017
Examiners' position on Information Security
• Independent Information Security Officer (ISO) or Committee
• Sufficient knowledge and training of the ISO
• Separate InfoSec oversight from IT
• Rightsized InfoSec program
Source: FFIEC Guidelines 2006
Information Security Officer Responsibilities
✓ Information Security Policies
✓ InfoSec Training
✓ Business Continuity Planning
✓ InfoSec Risk Assessment
✓ Vendor Management
✓ Vulnerability Assessment
✓ Compliance/Risk Committee
✓ Incident Reporting
✓ Audit / Exam Information
Options to implement Information Security Governance
• Hire an ISO
• Appoint ISO Committee
• Outsource ISO
(Accepted by FFIEC)
Hire Individual ISO
Pros (+):
• Dedicated resource
• In-house expertise
• No vendor management
Cons (-):
• Costly (avg. $215k salary)
• Competitive market, low unemployment
• High turnover
ISO Committee
Pros (+):
• Multiple resources
• Shared responsibilities
• No vendor management
Cons (-):
• Slow decision making (many cooks in the kitchen)
• Limited expertise
• Limited accountability
Outsourced/Virtual ISO
Pros (+):
• Certified and experienced professionals
• Increased capabilities
• Cost effective
• No staff turnover
• Ensure compliance
Cons (-):
• Individual consultants
• Service levels
• Vendor management
Customer Profile: Cashmere Valley Bank - Sue Ozburn, EVP, CIO
Cashmere Valley Bank
• Location: Cashmere, WA
• Asset Size: $1,523,936,000
• Employees: 262
• Branch Locations: 12
• Insurance Agency
• Retail Investment Services
• Core Application: SilverLake (in-house)
JHA Risk Services
• Gladiator vISO
• Centurion Hosted High Availability – Core Replication
• Centurion Business Continuity Planning
• eSAT (electronic Security Awareness Training)
• AMP Services (Advanced Malware Protection)
• ISABRA Policy
• Incident Alert
• MITS (Managed IT Services)
• ESM for Core, iPay and NetTeller
How Our Bank Implemented the vISO Service
Sue Ozburn, CIO
Why we decided to go with vISO
• We did not have the required talent in our geography.
• To recruit talent to this area would require us to pay a high salary.
• Concern that the person would leave for a higher salary and better opportunity after we trained them and they gained experience.
• Regulators were providing substantial pressure to implement the separation of the CIO and ISO.
Before / After vISO Implementation – IS Policies
Before:
• Policies were bare minimum with several holes based on the changing of times.
• Policies contradicted each other and it was impossible to keep up with making sure changes were made in each section.
• Timeliness to the Board for approval each year kept extending later and later.
After:
• Policies are clear and can be understood.
• Policies are updated on time.
• Policies aren't just policies that quote the regulations (scripture); they state exactly what we are doing. (Nothing is worse than saying you are doing something and not doing it.)
• Policies have references to the Regulation, page number and paragraph (if needed).
• Policies are thorough and we have been praised for them by auditors/regulators.
Before / After vISO Implementation – Risk Assessment
Before:
• Our risk assessment was short and poorly done.
• Our risk categories were green, yellow and red and did not have supporting information or documentation of testing to validate the rating.
• It was incomplete and I was embarrassed to provide it to regulators, but didn't really have time or resources to rebuild the wheel.
After:
• I'm very proud of the asset based risk assessment; management relies on it and therefore focuses budgeting and resources to the areas with the highest residual risk.
• All controls are thoroughly tested, documented, validated and results are comprehensive. Regulators LOVE it.
Before / After vISO Implementation – BCP
Before:
• We used Microsoft Word and Excel, which made it difficult to update.
• BCP before the vISO was really just best effort.
• We were criticized on the testing we'd done in that it wasn't thorough enough.
• The BIA (Business Impact Analysis) needed considerable development to determine where the real risks were.
After:
• We now use the Centurion COPE BCP Software Tool which improves the process.
• We have a well planned, laid out schedule of updates for each area of the BCP, including the BIA.
• The testing is well thought out and we make sure we test all critical applications and scenarios based on the BIA.
• vISO makes sure we are on track and holds us accountable to get it done.
Before / After vISO Implementation – Vendor Management
Before:
• We struggled with spreadsheets and the considerable time it takes to gather the information and analyze the SOC reports, financial statements and all the rest.
After:
• We have a well laid out plan to complete the entire vendor management program on an annual basis with the proper Board reporting.
• Test for mandatory vendor management activities and assist in managing manual trigger activities.
• Provide guidance and expertise for addressing vendor management requirements. This may include direct communications with auditors and regulators.
Before / After vISO Implementation – Audits
Before:
• Each audit we struggled with what to give the auditors as proof of a control.
After:
• We have a standard set of information clearly documented for each audit request.
• We have the information automated in many areas and it is much easier to access it.
Before / After vISO Implementation – Vulnerability Assessments
Before:
• We contracted with a company to do periodic vulnerability assessments and that was good, but what do we do with the results?
After:
• The vISO makes sure the vulnerability reports are being done on time and helps us understand what should be done to repair any findings.
• The expertise is wonderful.
Before / After vISO Implementation – Compliance
Before:
• The overall IT Compliance was "good luck at best."
• We are not experts in everything and we recognized the need for better expertise in this area.
After:
• The entire Information Security Program is in full compliance with all regulations and well documented.
Before / After vISO Implementation – Incident Reporting
Before:
• We have an in-house ticketing system and there was no automation between incidents and the ticketing system. We had to manually enter them.
• We had this as everyone's responsibility. Therefore it simply wasn't getting done.
• When an examiner/auditor would ask for the list of incidents, we might have a half-dozen documented – not good.
After:
• We now utilize the Gladiator Vault – the incidents are documented and resolved timely.
• Well done – examiners love it.
Before / After vISO Implementation – Information Security Training
Before:
• IS training was hated! Everyone hated it so much that they would wait until the last day and would just get together as a group and take the tests together just to get it done.
• No one really learned anything.
After:
• Training is spread out throughout the year and is continuous.
• This training program is provided through several sources.
• No one complains and training is no longer past due (on a regular basis).
Gladiator vISO Service
vISO Service Elements
• Annual Recurring InfoSec Risk Assessment: asset based, control validation
• Written Information Security Program: policies, procedures, forms
• Ongoing Compliance Management: audit support, monthly meetings
• Reporting
Trending: Virtual ISO Services
IS strategy; certified security & compliance; experienced; policies; assessments; reporting; training.
Virtual Information Security Officer
• Validate the information security program
• Empower management's oversight
• Protect your reputation and your customers' data
• Provide visibility into information controls
Evaluate your Information Security Program (ISP)
✓ Check regulatory requirements
✓ Who owns the Program? Separate from IT?
✓ Are current InfoSec tasks handled correctly?
✓ Determine skills and experience in house
✓ Will you outsource ISO tasks? Need to hire an ISO?
✓ Report findings to the Board for approval
THANK YOU!
Next in our Maturing Your Cybersecurity Program series:
What the Disaster Taught Us – A Bank’s Lessons Learned from
Executing their Business Continuity Plan
Wednesday, December 12, 2018
3:00 PM EST / 2:00 PM CST
Gladiator® Solutions
• Managed IT
• Hosted Network Solutions
• Centurion® - BC/DR
• IT Regulatory Compliance
• Managed Security