IT Policies & Procedures
Speakers:
Elizabeth Allison, CISA, CRISC, CFSA, Sr. Information Security Analyst, Keesler FCU
Michael Barrack, Director – IT Security and Compliance, D+H
How to Create an Effective Information Security Program
Elizabeth Allison, CISA, CRISC, CFSA, Sr. Information Security Analyst
Keesler Federal Credit Union
Introduction – Elizabeth Allison, CISA, CRISC, CFSA
As the Sr. Information Security Analyst at Keesler Federal Credit Union, Elizabeth is responsible for the development, management, and implementation of the Information Technology Security Program. Elizabeth has delivered many presentations on the successful implementation of IT Risk Management, Security Framework, and Employee Security Awareness Training programs. She has over 14 years of experience in Internal Audit, Information Security, and Risk Management, and has served on the board of directors for her local ISACA, Institute of Internal Auditors (IIA), and InfraGard chapters.
After serving on the IT recovery team following Hurricane Katrina, she drew on that experience to perfect the art of creating a policy and procedures framework that provides value in a real-life environment while still meeting regulatory requirements. She has designed and implemented numerous programs and processes, including security incident response and change management. She has performed and facilitated control and compliance reviews, risk assessments, social engineering, and cyber-crime tabletop exercises.
Agenda
• What is an Information Security Program?
• So Many Regulations, Where Do You Start?
• Effective Policies and Procedures
• Resources
INFORMATION SECURITY PROGRAM: WHAT IS IT?
A Documented, Verifiable Strategy
To Ensure Availability, Confidentiality, and Integrity of your Members’ Sensitive Information.
If it is not written down, it does not exist!
The Rapid Advancement of Technology is Driving the Increase in Regulatory Compliance
The Definition of Security Programs is Evolving Just as Fast!
Organization Infrastructure and Related Data Protection Activities Outside of the Data Center Must be Documented, and Ongoing.
Security Program Benefits
• Ability to Defend the Organization Against Liability Lawsuits for Inadequate Preparation Against Cyber Attacks
• Costs of Responding to a Data Breach
• Employees Know What is Expected of Them
Security Program Benefits
Documented Security Programs make us happy!
The Auditor's Job is to Audit Your Policies.
What Do They Do When There Are No Programs/Policies Documented?
What Does Your Institution Do To Protect Sensitive Information?
• Security Cameras?
• Network Firewalls?
• User Name/Passwords?
• Data Backups?
• Windows Updates?
• Vendor Background Checks?
• Policies/Procedures?
• Internet Filters?
• Split Combinations?
• Controlled System Access?
• Software Installation Restrictions?
• Robbery Training?
• Check Member Identification?
• Mandatory Week Vacation?
Everyone Has A Security Program
It Just Needs To Be Documented
Or Refreshed to Meet Current Requirements.
Key Elements of a Security Program
• Governance
• Policies & Procedures
• Risk Management
• Training & Awareness
• Security Controls
• Ongoing Monitoring
Sample Program Outline
A. Incident Management
   I. Security Incident Response Team (SIRT)
   II. Incident Escalation
   III. Incident Response
B. Security Awareness
   I. Security Portal
   II. Employee Training
   III. Testing and Benchmarking
C. Log Management
D. Risk Management
E. Vendor Management
Program Refresh – Where Do You Start?
Management Buy-In
Compile a List of Regulations
Perform an Assessment of Your Current Program
The Perfect Self-Assessment – NCUA AIRES Checklists
POLICY VS PROCEDURES
Policies and Procedures
Policies and Procedures Are The Foundation
Must Be Consistent
Create Policy Templates
Key Elements of a Policy
• Objective
• Scope
• Policy
• Date of Last Revision
• Enforcement/Roles
• Review/Change History
• Resources
• Logo
• Policy Naming Convention
Consistency is a MUST!
SAMPLE POLICY FEATURES:
Policy Tips
• Management must review and approve all policies and procedures
• Policies should be approved by the Board of Directors.
• Evidence of Changes/Reviews/Approvals
Policy Tips
Communicate Policies to Employees
Employee Acknowledgement – Evidence
Acknowledgement – Physical or Digital
Document Changes/Review History
Employee Acknowledgement
Policy Tips
Some Policies Have a Smaller Audience. For Example:
Acceptable Use Policy – All Employees
System Administrator Policy – IT Department
Ongoing Maintenance
Annual Reviews and Approval by Management and the Board of Directors
Changes in Regulations, Processes, Systems, Controls
Resources
NCUA AIRES Checklists
Security Services – Consulting Benefits
College/University Websites
Resources
• CUNA Technology Council File Library
• NIST (National Institute of Standards and Technology)
• SANS.org (Information Technology Institute)
• ISO (International Organization for Standardization)
Resources
• ISACA (Information Security and Control Association)
  – COBIT Framework
• IIA (Institute of Internal Auditors)
  – COSO Framework
• FISMA (Federal Information Security Management Act)
Keep Your Objectives Real
Compliance Alone Does Not Mean
Your Institution is Secure
The Titanic Passed All Compliance Checks!
Introduction – Michael Barrack
• More than 25 years' experience serving Financial Institutions
• Former CEO of iPay Technologies, LLC
• Former CIO of several Community Banks
• The responsible executive for IT regulatory examinations, both as a Banker and as a service provider
• Has been serving FI Clients since 2007 by:
  o Delivering services to Banks and Credit Unions nationwide
  o Developing IT Compliance programs that meet the regs.
  o Providing advice, direction and solutions
• Lives outside of Las Vegas, Nevada (and doesn't gamble)
Agenda
The dynamic IT regulatory/security landscape
How Credit Unions should respond
What are the implications for IT Policies
Other drivers of change
How to get the most out of your updated policies
FFIEC – CEO Webinar – Pilot Program Assessing Cyber Risk
Our experience
IT regulations/threats never more dynamic
The question is: Why?
“Exhibit A”
Target by the Numbers*
400 Million – The number of credit and debit cards stolen between Nov. 27 and Dec. 15, 2013
200 Million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards
53.7 Million – Estimated income generated by hackers
46% – Drop in profits in Q4, 2013 compared with 2012
* Source – Krebs on Security, Brian Krebs
Smaller Financial Institutions Hit
How Credit Unions Should Respond
One Path – Outsource to Specialists
1. Evaluate providers
2. Assess expertise
3. Select and standardize IT risk management methodology
4. Select automation
5. Focus on decision making
Select FI IT Compliance Providers
Seek organizations who do this full time
Entire department of professionals familiar with:
• Financial Institution IT regulatory requirements
• Changes in the IT Security Threat landscape
• How other credit unions have met the challenge
Experience with:
• IT risk management
• IT policy coverage
• Making policy/risk assessment actionable
Implications for IT Policies
Updates to IT Policies
Updates to IT Risk Assessment
Stay Current with Change
Other Drivers of Change
Examination Currents
• What other Credit Unions are doing/experiencing
• NCUA hot buttons
• IT examination trends and focus
Emerging IT controls
• Data Encryption at rest
• Mobile device management
Making IT Policies Effective - Training
Information Security Training…
• Website surfing
• Email protocol
The power of policy comes when people connect it to their responsibilities
Making IT Policies Effective - Relevance
How do Information Security responsibilities vary by job function?
Questions?