Transcript of Cybersecurity Webinar Series - Assessing Your Biggest Security Risks Before It Is Too Late (21 slides)

Page 1

© 2019 Jack Henry & Associates, Inc.®

Viviana Campanaro – CISSP, Senior Security & Compliance Sales Engineer

Cybersecurity Webinar Series - Assessing Your Biggest Security Risks Before It Is Too Late

October 29, 2019

Page 2

RISK is all around us…

Presentation Notes:
Risk is defined as “the possibility that something undesirable will occur”. It is always around us. We make decisions about risks every day: decisions to avoid a risk, reduce a risk, transfer a risk, or take a risk we understand. When we ride a bike or a horse we accept the risk of a fall, but we wear a helmet to reduce the effects of the fall should it happen, and we carry health insurance in case we fall and get injured. When we leave our home we lock the doors to reduce the risk of an intruder getting in. Perhaps we also install alarm systems, or don’t plant freakishly huge trees that could come crashing down during a storm. When we get in our cars, we wear our seat belts to reduce the risk of an injury if an accident occurs. Maybe we have backup cameras and driver assist systems, and we may drive defensively, paying attention to the road ahead. But we carry insurance to transfer the risk of something bigger we may not be able to protect against. Think of another example of risks you may take, reduce or transfer every day.

Page 3

• Where is your biggest risk?
• What is most valuable?
• Where could you lose the most?

Avoid, Reduce, Transfer, Accept

Presentation Notes:
At work, risk assessments can make us groan and very seldom make us happy, mostly because there are different types of assessments that can be used to manage different types of risk. For example, credit risk in a volatile interest rate market is assessed very differently than the operational risk of cybersecurity, system failures or service disruptions. We check the compliance box, but don’t always have a complete picture of the issues that could result in a significant breach at the FI. So, how do we bridge the gap between the business objectives of our FI and their corresponding security risks? FI risks are challenging to assess because we may not fully understand them. You constantly need to think: Where is your biggest risk? What is most valuable to your FI? And where do you stand to lose the most? And also: when do we avoid a risk, reduce a risk, transfer a risk or accept it? These are the common risk strategies that can bridge that gap. Let’s explore some examples…

Page 4

Risk Strategies - Accept

Presentation Notes:
Sometimes organizations accept a risk that would be so catastrophic that insuring against it is simply not feasible or too costly. An example of accepting risk is any potential loss not covered by insurance, or in excess of the insured amount. In locations prone to accidents or natural disasters, businesses may carry insurance, but they still accept the risk of total loss. Accepting risk is when a business acknowledges that the potential loss from a risk is not great enough to warrant spending money to avoid it.

Page 5

Risk Strategies

• Reduce

• Transfer

• Avoid

Presentation Notes:
In the financial industry we often choose to reduce risk: for example, deciding on specific lending practices to avoid bad loans, or using loan participation; educating and monitoring your employees; and performing periodic audits to reduce monetary losses to internal fraud (for example, a head teller stealing $20k of trash cash in one year). We transfer the risk of physical damage or monetary losses due to natural disasters or cyberattacks by retaining insurance. We avoid risk by operating in areas less prone to blizzards, earthquakes, tornadoes or flooding, and avoid lending risk by extending only certain types of loans.

Page 6

Keys for Success

Presentation Notes:
Here are some of the lessons we have learned and things I have observed in my travels throughout my Information Security career. <bank story>

Page 7

Roles and Responsibilities

• Specific
• Measurable
• Auditable
• Reasonable
• Timely

Presentation Notes:
We need to go back to basics. It is not sufficient to do one-pagers of security roles and responsibilities simply because ‘we know what our job or their job is’. The primary reason for documenting R&Rs is to ensure proper action and consistency in the tasks we need to perform. We can take a SMART approach to documenting R&Rs. Specific means the difference between “IT Manager is responsible for file servers” and “IT Manager is responsible for patching servers”, in a very basic example. One big reason is to ensure the responsibility of the business owners is included: IT does not own everything. The other big reason is audits; this goes to the measurable, auditable and reasonable approach to R&Rs. The FFIEC’s Information Security IT Booklet, section I.B Responsibility and Accountability, states: “Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program. Information security management responsibilities may be distributed across various lines of business depending on where the risk decisions are made and the institution's size, complexity, culture, nature of operations, or other factors.”

Page 8

Risk Appetite

Aligned with your business strategy

Presentation Notes:
Risk appetite is often under-utilized in the IT and Security areas.

Page 9

Example of Risk Appetite - OCC

Risk Category     Risk Appetite
Supervision       Low
Human Capital     Moderate
Strategic         Low
Reputation        Low
Technology        Low
Operational       Low
Legal             Moderate
Financial         Low

Technology Risk – The risk that information technology processing, security, stability, capacity, and performance jeopardizes core agency operations. This risk is a function of the resilience of the agency’s technology infrastructure against external threats and business resiliency planning and execution. […]

Presentation Notes:
The OCC has nine general categories of risk in their risk appetite statement. Here is their summary representation of the level of risk appetite for each general risk category.

Page 10

Example of Risk Appetite - OCC

Operational Risk – The risk that people, processes, systems, or external events impede the OCC’s ability to meet its objectives. This risk is a function of internal controls, employee conduct, process efficiency, third-party oversight, physical security, and business continuity planning. […]

Page 11

Common Language

Consistent Risks and Controls

Page 12

Common Language – Cybersecurity Assessment Tool

Risk Levels

Presentation Notes:
Snapshot of the FFIEC’s CAT User’s Guide (2017) showing the categories of activities, services and products, along with the associated risk levels, which are based on the quality and quantity of the corresponding activity.

Page 13

Common Language – Cybersecurity Assessment Tool

Risk Categories
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Tech Services
4. Organizational Characteristics
5. External Threats

Risk Levels
1. Least
2. Minimal
3. Moderate
4. Significant
5. Most

Activities, Services, Products
• ISP connections
• Mobile presence
• Prepaid cards
• Wire transfers
• Mergers/Acquisitions
• Changes in IT/IS Staff
• Locations
• Attempted cyber attacks

Presentation Notes:
The Inherent Risk Profile assessment helps establish the path forward for managing your information security program and initiatives. It makes you really look at and think about your environment, to find the potential vulnerability that can make the difference between security and publicity.

Page 14

Common Language – Cybersecurity Assessment Tool

Maturity Domains
1. Domain 1: Cyber Risk Management and Oversight
2. Domain 2: Threat Intelligence and Collaboration
3. Domain 3: Cybersecurity Controls
4. Domain 4: External Dependency Management
5. Domain 5: Cyber Incident Management and Resilience

Maturity Levels
1. Baseline
2. Evolving
3. Intermediate
4. Advanced
5. Innovative

Presentation Notes:
Maturity strategy example: in Domain 1 – Cyber Risk Management and Oversight, under the Risk Management assessment factor, you might want to plan for higher maturity of your risk management program or practices. In Domain 3 – Cybersecurity Controls, under the Preventative Controls assessment factor (Access and Data Management), you might want to plan for multifactor authentication for all critical systems, or for third-party access to your network.

Page 15

Common Language – Case Study

Identify Key Business Risk Areas – Business Risks
• Operational
  – Internal Fraud
  – System Failures
  – Business Disruption
  – Clients, Products, Business Practices
• Legal/Regulatory
• Reputational
• Credit
• Insurance
• Market
• Liquidity

Define Security Risks
1. Confidentiality-Privacy
2. Confidentiality-InfoSec
3. Fraud/Theft
4. Availability
5. Disaster
6. Third Party
7. Financial Reporting Integrity
8. Regulatory Compliance

Apply Regulatory Lens
• FFIEC
• PCI
• SOX
• GLBA
• State Laws

Presentation Notes:
This is an example of a Financial Institution which used this process to establish a common framework of risks and controls they could use consistently to perform their security risk assessments against the FI’s critical assets and business processes.

Page 16

Common Language – Case Study

Defined Security Risks
1. Confidentiality-Privacy
2. Confidentiality-InfoSec
3. Fraud/Theft
4. Availability
5. Disaster
6. Third Party
7. Financial Reporting Integrity
8. Regulatory Compliance

Risk Levels
1. Insignificant
2. Minor
3. Moderate
4. Major
5. Extensive

Controls
1. Access Management
2. Availability
3. Security Awareness Training
4. Change/Config Management
5. Control Verification and Testing
6. Data Management
7. Encryption
8. Fraud and Theft
9. Incident Management/DR
10. Legal
11. Logging/Monitoring
12. Physical Security
13. Privacy
14. Roles & Responsibilities
15. Audits
16. System Defense/Network Security
17. Third Party Management

Presentation Notes:
Based on the level of risk, controls can be applied that are commensurate with and appropriate to mitigate the risk. This lends itself to a GRC (Governance, Risk and Compliance) model which can be automated to reduce the time to complete risk assessments, as well as ensure transparency and consistency.

Page 17

Perform Annually
• Business Operations – Asset Inventory, Critical Processes
• Implement Controls – Appropriate, Consistent
• Assess Risk – Risk Categories, Risk Levels
• Validate & Test – Controls are appropriate
• Monitor & Report – Controls are Effective, Risk Profile
• Audits / Examinations – Independent Validation

Presentation Notes:
This is the best way to assess your security risks before it’s too late. Prevention is key.

Page 18

Assess your security risks before it’s too late…

Document SMART Roles and Responsibilities

Refer to your Risk Appetite Statement

Use a Common Language of Risks and Controls

Presentation Notes:
Consulting organizations can help you assess your risks effectively and consistently, but you must establish the structure to do so in the context of your specific business strategy and culture. Talk with your preferred vendor or trusted advisor about risk assessment services and assistance with managing your information security program.

Page 19

Peace of mind

Presentation Notes:
Spend the time upfront to avoid headaches and feel confident in the results you can help deliver to your customers and members.

Page 20

Additional Resources

Visit the ProfitStars Cybersecurity Awareness Resource Center at https://discover.profitstars.com/cyber-security/

Attend our Cybersecurity Forum Events! More info at https://discover.jackhenry.com/jack-henry-cybersecurity-forum

Join our upcoming webinars in this series:
• Machine Learning and the Latest Protection Methods – Thu, December 12, 2019, 2 pm ET
• Cyber Threats and Trends for 2020 – Tue, January 14, 2020, 2 pm ET

Page 21

Thank you for your time

Questions!