Understanding the Risk Management Framework & (ISC)2 CAP Module 14: Security Awareness & Training
Management Awareness Training
Transcript of Management Awareness Training
infotex
Dan Hadaway, CISA, CISM, Managing Partner, infotex
Management Awareness Training
Awareness Training Series
Objectives
• What is IT Governance, and what does a typical IT Governance program look like?
• What is the management team’s role in the IT Governance Program?
• What is the ISO’s role?
• What should the management team know to ensure proper IT Governance?
• How can management help manage technology risk?
Today’s Agenda
• Management Awareness Resources
• Five Tenets of IT Governance
• The IT Governance Program
  – The Risk Assessment
  – Information Technology Audits
  – Vendor Due Diligence
  – Awareness Training
• New Risks for 2011/2012
• The 2011 Audit Results
In this next section
• We will become familiar with the “workshop portal” and this presentation.
• We will hear credentials that can be used to log onto the workshop portal.
• We will learn what is on the “workshop portal.”
Available Tools . . .
• IT Audit Test Types
• The ISO Job Description
• Awareness Training Procedure
• Management Awareness Training Procedure
• Governance Policy Development Chart
Available Tools . . .
• Management Guidelines for Social Media
• User Guidelines for Social Media
• Management Talking Points for Mobile Banking and Social Media
Available Tools . . .
• Wireless Banking Article (Top Five Risks)
• Wireless Banking Article
• Wireless Banking Risk Assessment
• Wireless Banking Due Diligence Kit
Our Credentials
• Information Security
  – CISAs, CISMs, CISSPs
  – Developed my first AUP in 1988
  – Updating our process annually
  – Been doing Annual UAT for banks since 2002
• GLBA, BSA, OFAC, FACTA, HIPAA
• Assessments, IT Audits, Consulting
• Managed Services (Network Monitoring)
Nomenclature
• Information Security Strategy
• Information Security Program
• IT Risk Management Program
• IT Governance Program
Essentially the same thing.
IT Governance Program
• Combines:
  – Serve Business Mission
  – Manage Technology Risk (information security)
In this next section
• We will learn five basic tenets of IT Governance that all management team members should know.
• We will learn why IT Governance is concerned with Risk Management.
• We will learn “the one control” and why this workshop is important.
#1
#1: Serve the Mission
Information Technology must be aligned with the Business Strategy of the bank!
Strategy Alignment
• Facilitate business tactics
  – Assists in business processes
  – Creates a competitive edge
  – Increases communication with “all four corners of the bank,” especially customers
  – Provides accurate information to management
Strategy Alignment
• Deliver a Return on Investment
  – Tangible Return
    • Check 21 takes advantage of quicker check processing. Imaging System reduces paper costs.
    • Fees charged for various services.
  – Intangible Return
    • Firewall mitigates risk of internet hacking.
    • On-line Banking provides convenience to customers.
Management Role
• Determine technologies that will best facilitate business tactics.
• Determine appropriate time to deploy new technologies (Apply Pressure)
Management Role
• Search and Selection Process
  – Cost/Benefit, Benefit/Risk, When???
  – Risk Analysis
  – Requirements Definition
  – Request for Proposal
Management Role
• Negotiate Contracts (as per Vendor Management Procedure)
• Implementation – from a user perspective
  – Return to risk analysis
  – Return to cost/benefit analysis
  – Return to features analysis
• Ongoing Vendor Due Diligence (as per Vendor Management Procedure)
When is the appropriate time?
Rogers’ Diffusion of Innovations Theory
• Innovators
• Early adopters
• Early majority
• Late majority
• Laggards
Everett M. Rogers' Diffusion of Innovations
1. Align IT with Business Strategy
Stages of Innovation
• Knowledge
• Persuasion
• Decision
• Implementation
• Confirmation
Risk Assessment?
Security Controls
Everett M. Rogers' Diffusion of Innovations
Early Adopters in Banking
• Physical Security
• Information Security
Dan’s Interpretation of Everett M. Rogers' Diffusion of Innovations
Late Majority / Laggard
• Virtualization
• Cloud Computing
• Social Media
• Telecommuting
Dan’s Interpretation of Everett M. Rogers' Diffusion of Innovations
Softwareforcloudcomputing.com
Risk/Benefit Evolution Curve (figure)
Axes: Value vs. Time. Curves: Features, Sophistication; Price, Problems. Adoption stages marked along the time axis: Innovator, Early Adopter, Early Majority, Late Majority, Laggards.
1. Align IT with Business Strategy
Digital Video Security
• Innovators • Early adopters • Early majority • Late majority • Laggards
2012
Secure Messaging
• Innovators • Early adopters • Early majority • Late majority • Laggards
2012
Remote Access in Banks
• Innovators • Early adopters • Early majority • Late majority • Laggards
2010
Social Media in Banks
• Innovators • Early adopters • Early majority • Late majority • Laggards
2011
Wireless Banking
• Innovators • Early adopters • Early majority • Late majority • Laggards
2013
#2
#2: Manage the Risk
Information, Technology,
and Information Technology
expose the bank to risk!
#2) The Risk Spectrum
• There is no such thing as 100% security!
Ignore it? Obsession?
#2) The Risk Spectrum
• There is no such thing as 100% security!
Ignore it? FFIEC Guidelines
How do you decide?
• There is no such thing as 100% security!
Ignore it? FFIEC Guidelines
Risk-based Remediation
Principle Number Two
Information Security is about
ACCEPTING RISK.
#3
A process question
When you are finished serving a customer, what do you typically do?
A. Cross Customer Service off the to-do list.
B. File the experience away as one you hope you’ll never have to do again.
C. Learn from the experience and try to serve the next customer better.
D. Move on to the next project.
Fundamental #3
Which means . . .
• No crossing it off the list.
• No filing it away.
• No wishing you never have to deal with it again.
And means . . .
• It’s cyclical.
• You learn from each cycle.
• It is constantly improving (we hope).
• It’s about managing risk and ensuring alignment with other business processes.
And to improve . . . .
• We must start by measuring.
But remember that metrics are all relative.
Fundamental #3
#4
Important Point Question
What is the Number 1 form
of Identity Theft?
A. Pretext Calling
B. Drive-by Attacks (Trojan Horses installed by rogue websites.)
C. Insider Data Theft
D. Phishing
E. Other
Source: Javelin Research 2009 Identity Fraud Survey Report, a survey of 25,000 adults.
4) It’s not really Technical
Technology / People / Policy / Process
IT requires a Team Approach
• Risk must be measured and managed using a multi-disciplinary approach.
• Risk is mitigated by establishing controls in the form of policies, procedures, and tools.
• Risk Management Controls involve “all four corners of the bank.”
Four Corners of the Bank
Board of Directors
Oversight Committee
Management Team
Technical Team
Users
Vendors
Law Enforcement
Academia
Customers
Information Security Officer
• Measures, Manages, Reports Information Security Risk
• Interacts with all four corners.
• Facilitates development and continuous improvement of security controls.
• Delivers an Annual Report directly to the board.
Information Security Officer
• Works with Management to:
  – Measure and Control Risk
  – Develop and enforce Security Controls
  – Plan Response to Negative Incidents (Policy Violation, Security, Disaster)
  – Manage Vendor Risk
  – Authorize Access to IT Assets
  – Inventory and manage IT Assets
  – Escalate Risk Acceptance Decisions (to the Board of Directors)
#5
Four Risk Factors
Threats
Vulnerabilities
Impact Severity
Likelihood
Threats
• Terrorists
• Hackers
• Scammers / Con-men / Fraudsters / Thieves
• Vandals
• Technology Itself
• Users / Vendors
• Nosy Neighbors
• Ex-Spouses
We can’t take it lightly
• Zeus: software suite designed to help hackers attack banks.
Marc Rogers, Purdue University
. . . zooming in . . .
Vulnerabilities
• Airplanes
• Ports
• Subway System
• Buildings
• Public Places
• E-mail
• Browsers
• Network Access
• Users
• > 300 considered in Risk Assessment
Impact Severity
• Almost 3000 people
• Financial System
• Airlines
• Convenience
• Customers’ Identities
• Horror Stories
• Heartland Payment System ($7/card, 20,000 cards)
• Reputation
Likelihood
• It can happen on American Soil
• Technology Itself: Very High
• Pretext Calling: High
• Phishing: High
• Hacking: Medium
• Physical Breach: Low
  – Still happens though!
In this next section
• We will learn about the Federal Financial Institution Examination Council (FFIEC) and its published “guidelines” for information technology, and why these guidelines become audit frameworks.
• We will see a quick summary of “management responsibilities for IT.”
• We will review a “map” of the typical bank’s IT Governance Program
• We will learn how the management team “plugs in” to the IT Governance Program.
Types of Risk
• Transaction Risk
  – Data Corruption Problems
  – Social Engineering
  – Customer Errors (Internet Banking)
• Legal Risk
  – Obscene Jokes in E-mail
  – Privacy Violations
  – Unlicensed Software
Types of Risk
• Financial Risk
  – Early Adopter of Technology
  – Vendor Solvency
  – Cost of Security Breaches
• Operational Risk
  – Virus Attacks
  – Denial of Service (DoS) Attacks
  – Project Management Risk
Types of Risk
• Reputational Risk
  – Any Security Incident presents some reputational risk.
  – Poor Incident Response can turn a minor incident into a major incident.
Types of Risk
• Compliance Risk
  – GLBA
  – HIPAA, CIPA, SOX
  – PCI, BS12000, ITIL, CobiT
  – BSA, OFAC, US Patriot Act
  – FACTA
  – SB1386
Gramm Leach Bliley Act
Specifically, Title V of the GLBA, called "Disclosure of Nonpublic Personal Information," is intended to ensure security and confidentiality of customers' records and information, protect the integrity of such information, and protect against unauthorized access to such information.
Thank goodness for the . . .
The FFIEC
• Federal Reserve System (FRB)
• Federal Deposit Insurance Corporation (FDIC)
• National Credit Union Administration (NCUA)
• Office of the Comptroller of the Currency (OCC)
• Office of Thrift Supervision (OTS)
The FFIEC
Information Security Work Program
IT Audit Work Program
Information Security Handbook
IT Audit Handbook
Boilerplates
Management Responsibilities
A quick summary
Awareness Training Series
Summary of Responsibilities
• Understand how IT aligns with bank and department business strategy and work with IT to ensure appropriate alignment.
• Know the IT Governance program, how it works, the ISO’s role, and your role in the various sub-programs.
• Be familiar with technology risk that the bank faces.
• Enforce technology controls.
• Activate awareness of staff members.
What does an IT Governance Program include?
(according to FFIEC Guidelines)
How about a map?
IT Governance Program
The combined policy, procedures, and tools about a particular issue can be referred to as a “Program.”
Policy
Procedure
Tools (standards, guidelines, applications, forms, websites, etc.)
Authentication Example
A procedure enforces a board-level policy using tools called for in the procedure.
AUP
Authentication Procedures
Passwords, Out-of-Pocket Questions
Visitor Authorization Process
Information Technology Governance Program
Governance Policy
Risk Analysis
Awareness
Security Standards
Vendor Management
Business Continuity
Asset Management
Incident Response
Access Management
Risk Analysis Program
Access Management
Incident Response Program
Incident Response
• Awareness is an important part of incident response.
CIRT
ISO
Everybody
• Board of Directors
• Law Enforcement
• Customers
(Could be steering committee.)
Asset Management Program
Business Continuity Program
Scenario Responses: Pandemic, Ice Storm, Tornado, Flood, Fire
Risk Analysis
Business Continuity Plan
Business Continuity Program
Vendor Management Program
Governance Policy
Vendor Management Policy
Procedure
Search and Selection
Contract Negotiations
Security Sanctions Policy
Assigned Security Responsibility
Ongoing Due Diligence
Threshold Risk Assessment
Vendor Agreement Template
Vendor Request
Detailed Risk Assessment
Risk Analysis
Vendor Risk Determination Table
Checklists
Security Standards
Awareness Program
Governance Policy
Awareness Program
Management Awareness Training
Technical Awareness Training
User Awareness Training
Customer Awareness Training
Board of Directors
Management Team
Vendor Management Program
Due Diligence Request Letter
Awareness Program
IT Governance Policy
Committee Membership: Board Member, Management Team, End Users (rotated)
Establish Steering Committee
Authorize the ISO
Requires Training at all levels
Report Critical Security Breaches
Define Governance
Align IT with Business
Delineates Annual Report to the Board
In this next section
• We will learn why a multidisciplinary approach to technology risk assessments is critical.
• We will find out the types of threats that need to be considered in a risk assessment.
• We will see a typical risk assessment process.
Summary: Managers Should
• Clearly support all aspects of the information security program;
• Implement the information security program as approved by the board of directors;
• Establish appropriate policies, procedures, and controls;
• Participate in assessing the effect of security issues on the financial institution and its business lines and processes;
Summary: Managers Should
• Delineate clear lines of responsibility and accountability for information security risk management decisions;
• Define risk measurement definitions and criteria;
• Establish acceptable levels of information security risks; and
• Oversee risk mitigation activities.
That’s straight out of FFIEC guidelines (page 6, Information Security Handbook)
Information Security Program Equals IT Governance Program
Risk Analysis Program
Four Primary Risk Assessments
Risk Assessments
Vendor Risk Determination
Business Impact Analysis
Technology Risk Assessment
Asset Criticality Analysis
In this next section
• We will learn the primary purposes of an IT Audit.
• We will understand the need for risk-based auditing.
• We will learn the different types of audit tests.
• We will be exposed to the need for good IT Audit metrics.
The IT Audit
Three Primary Purposes
• Alignment with business mission
• Appropriate risk management
• Compliance with applicable law
Alignment w/ Business Mission
• Strategy Alignment
• Facilitate Execution of Business Tactics
• Demonstrate Return on Investment
Risk Management Assurance
• Test of Risk Assessment Process
• Test of Management Awareness
• Test of Declared Controls
• Test of User Awareness
• Escalate Risk Acceptance decisions to the Board of Directors
Comply with the Law!
• FFIEC Guidelines as the Framework
• CobiT as Framework for SOX banks
• State laws may introduce individual compliance framework needs (SB1386 in California)
Risk-based Auditing
• Ensures testing is appropriate
• Delivers Value to Audit Process
• Relies heavily on bank risk assessment
Risk-based Auditing
• Test the controls that protect the highest value assets.
• Test the controls that protect the most likely targeted assets.
• Test the controls that management has declared mitigate the MOST risk (highest delta control value).
Risk-based Auditing
Inherent Risk, Residual Risk, Delta Control (risk reduction)
Types of IT Audit Tests
• Technical
• Non-technical
But first …
• Capture-the-flag versus assessment
Types of IT Audit Tests
• IT Governance Review
  – GLBA Compliance
  – Policy and Procedure Review
  – Testing of Non-technical Controls
  – Involves interviewing “all four corners” of the bank
Types of IT Audit Tests
• Technical Vulnerability Assessments
  – Perimeter
    • Penetration Testing
    • Vulnerability Scanning of Perimeter
    • Confirmation
  – Internal Network
    • Vulnerability Scanning
    • Network Configuration Audit
    • Confirmation
Types of IT Audit Tests
• Social Engineering Tests
  – Two purposes
    • Test Awareness
    • Test Incident Response
  – Spear Phishing
  – Pretext Calling
  – Password File Analysis
  – Orchestrated Attacks
IT Physical Security
• Physical Breach Tests
• Walk-throughs
• Dumpster Diving
  – Trash-can Diving
• Physical Security Checklists
Checklist Tests
• IT Governance
• Physical Security
• Network Configuration Audits
Be careful that findings are risk ranked.
Risk Metrics
• Should be based on likelihood and impact
• Some auditors will also factor in ease of remediation
• You should be interested in residual risk, anticipated residual risk, and risk reduction (or “delta control”)
Risk Metrics
• Comparing risk from one year to the next, or from one bank to the next, is difficult
• What’s important is knowing that the management team understands the metrics and the risk
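The two Risk Metrics slides and the risk-based auditing slides before them describe a calculation without showing it: score each control's risk on likelihood and impact, separate inherent risk from residual risk, call the difference "delta control," and test first the controls credited with the biggest reduction, optionally weighting by ease of remediation. The following is a worked example added to this transcript; it is not an infotex tool or the methodology the presenter uses. The 1-to-5 rating scales, the treatment of control effectiveness as a fraction of inherent risk removed, the formulas for residual risk, delta control and anticipated residual risk, and the four sample controls in the register are all constructed assumptions chosen to make the slides' ideas computable.

```python
"""Risk-based audit prioritization: inherent risk, residual risk, delta control.

Added illustration, not an infotex tool. Every scale and formula here is an assumption:
  - likelihood and impact are rated 1 (lowest) to 5 (highest)
  - inherent risk        = likelihood * impact
  - residual risk        = inherent risk * (1 - declared control effectiveness)
  - delta control        = inherent risk - residual risk   (the slide's "risk reduction")
  - anticipated residual = residual risk * (1 - effectiveness of a planned safeguard)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    asset: str
    likelihood: int          # 1 (rare) .. 5 (very high)
    impact: int              # 1 (negligible) .. 5 (severe)
    effectiveness: float     # fraction of inherent risk the declared control removes, 0.0 .. 1.0
    remediation_effort: int  # 1 (easy) .. 5 (hard); used only when weighting by ease of remediation

    def __post_init__(self):
        # Reject ratings outside the assumed scales so a typo cannot silently skew the ranking.
        for attr in ("likelihood", "impact", "remediation_effort"):
            value = getattr(self, attr)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {attr} must be 1..5, got {value}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be 0..1, got {self.effectiveness}")


def inherent_risk(c: Control) -> float:
    """Risk before any control is applied: likelihood times impact."""
    return float(c.likelihood * c.impact)


def residual_risk(c: Control) -> float:
    """Risk that remains after the declared control does its job."""
    return inherent_risk(c) * (1.0 - c.effectiveness)


def delta_control(c: Control) -> float:
    """Risk reduction the control is credited with; the audit verifies the largest ones first."""
    return inherent_risk(c) - residual_risk(c)


def anticipated_residual_risk(c: Control, planned_effectiveness: float) -> float:
    """Residual risk expected once a planned safeguard is layered on the existing control
    (assumes the two controls act independently)."""
    if not 0.0 <= planned_effectiveness <= 1.0:
        raise ValueError("planned_effectiveness must be 0..1")
    return residual_risk(c) * (1.0 - planned_effectiveness)


def audit_priority(c: Control, weight_by_remediation: bool = False) -> float:
    """Score used to order the audit plan: delta control, optionally divided by remediation
    effort for auditors who also factor in how easy a finding would be to fix."""
    score = delta_control(c)
    return score / c.remediation_effort if weight_by_remediation else score


def rank_for_audit(controls, weight_by_remediation: bool = False):
    """Return control names, highest audit priority first."""
    ordered = sorted(controls, key=lambda c: audit_priority(c, weight_by_remediation), reverse=True)
    return [c.name for c in ordered]


def risk_register(controls):
    """One row per control with the three metrics management should be asking about."""
    return [
        {
            "control": c.name,
            "asset": c.asset,
            "inherent": inherent_risk(c),
            "residual": round(residual_risk(c), 2),
            "delta_control": round(delta_control(c), 2),
        }
        for c in controls
    ]


# Constructed sample register. The likelihood ratings echo the transcript's likelihood slide
# (technology itself very high, pretext calling high, physical breach low) but are illustrative.
SAMPLE_CONTROLS = [
    Control("Perimeter firewall", "Internet banking", likelihood=4, impact=5, effectiveness=0.8, remediation_effort=4),
    Control("Patch management", "Workstations", likelihood=5, impact=3, effectiveness=0.6, remediation_effort=2),
    Control("Pretext-calling awareness training", "Customer NPI", likelihood=4, impact=4, effectiveness=0.5, remediation_effort=1),
    Control("Visitor authorization process", "Branch lobby", likelihood=2, impact=3, effectiveness=0.7, remediation_effort=1),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_CONTROLS):
        print(row)
    print("Audit order by delta control:", rank_for_audit(SAMPLE_CONTROLS))
    print("Audit order weighted by ease of remediation:", rank_for_audit(SAMPLE_CONTROLS, weight_by_remediation=True))
```

Run as a script to print the register and both audit orders. With the sample numbers the unweighted order puts the firewall first (delta control 16 on a 20-point inherent risk), while weighting by remediation effort moves the cheap awareness training to the top and the expensive firewall review to the bottom; that swing is exactly why the slide warns that comparing metrics across years or banks is hard unless everyone agrees on which formula is in use.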
In this next section
• We will learn the primary purposes of the annual Vendor Due Diligence Review.
Selection Process
Risk Assessment
Requirements Definition vs. RFP Responses
Due Diligence
Evaluation
Vendor Due Diligence Checklist
• Makes the annual review go so much better!
• . . . . . . at least after the first one.
Vendor Risk Assessment Process
Threshold Risk Assessment
Vendor Due Diligence Request
Due Diligence Checklist
Missing Controls
Risk Management Program
Report to Board
Detailed Risk Assessment
Remember this diagram?
Risk Assessments
Vendor Due Diligence
Business Impact Analysis
Technology Risk Assessment
This (and missing vendor controls) is where Vendor Due Diligence plugs into the overall Risk Assessment Process.
Outputs of Annual Review
Missing controls and anticipated safeguards should input into the IT Risk Assessment. They will be deployed as per risk severity in a reasonable period of time.
Outputs of Annual Review
Finally, risk acceptance decisions should be escalated to the board of directors by the ISO in the Annual Report.
In this next section
• We will learn some of the fundamental responsibilities of the Information Security Officer.
• We will see how the ISO interacts with various areas of the bank.
• We will understand how we can utilize the ISO to better manage our own technology risk.
Risk Management Program
Awareness Program
Management Awareness Training
Technical Awareness Training
User Awareness Training
Customer Awareness Training
Board of Directors
Management Team
BAT Tools
• Board Awareness Training (video webcast is available)
• Annual Report
  – Risk Analysis Executive Summary
  – Vendor Due Diligence Results
  – Summary of Critical Security Breaches
  – Strategy
• Policy Approval Process
New Risks in 2011/2012
• Targeted Malware attacks (Zeus, Russian Business Network, Chinese, and spin-offs)
• Social Media Usage (by employees AND the bank)
• Mobile Banking Deployment
Orchestrated Attacks
• Usually combining:
  – Malware from drive-by attack sites
  – Phishing
  – Pretext Calling
• Assets Attacked:
  – Customer credentials
  – ACH
  – On-line Banking
Social Media
• Bank site risks
  – Compliance (disclosures)
  – Negative Comments
  – Poor Content
• Employee risks
  – General Users
  – Management Team Members
Wireless Banking Risks
1. Late Majority Adoption
2. Tepid Adoption
3. Security Risk
4. Compliance Risk
5. Strategic Risk
Horse Before the Cart: Top 5 Mobile Banking Risks
ISO Job Description
• The single point of contact . . . liaison . . . for all matters involving Information Security (and often IT Governance as a whole.)
• The “inside consultant” on IT Security Matters.
• The person who teaches us how to manage technology risk.
ISO Teams
• Steering Committee: Member
• Technical Staff: Member
• CIRT: Team Leader
• Risk Assessment: Team Leader
• Vendor Management: Team Leader
• Business Continuity Plan: sometimes the BCP coordinator, often not.
What the ISO does . . .
• Writes policies and procedures.
• Filters vulnerability news down to what the bank needs to know.
• Writes agendas and reports for various meetings.
• Activates awareness through reminders, tests, and training.
ISO Job Description
• Maintain the IT Governance Program
• Ensure through measurement and testing that the controls in the IT Governance Program are adequate and are being enforced.
• Escalate Risk Acceptance Decisions to the Board
• Educate, Motivate, and Activate Awareness.
Awareness Life Cycle
Educate
Motivate
Activate
Four Corners
Board of Directors
Oversight Committee
Management Team
Technical Team
Users
Vendors
Customers
Board Level
• Educate: Annual Report, Awareness Training
• Motivate: Risk Analysis, VDD Results, Audit Findings
• Activate: Policy Approval, Strategy, Budget
Management Team
• Educate: Annual Awareness Training, Applicable Policies and Procedures (see distribution list)
• Motivate: Annual Report to the Board, Audit Results
• Activate: Risk Analysis, Vendor Due Diligence
Technical Team
• Educate: IT Audit Program, Security Standards, Policies and Procedures, Comprehension Testing, BCP Testing Plan
• Motivate: Auditing, Monitoring, Testing, Vulnerability Assessments
• Activate: Vulnerability Reports, Conferences, CPE
Users
• Educate: Acceptable Use Policy
• Motivate: Annual Awareness Training, Comprehension Tests
• Activate: Social Engineering Tests, Exercises, Reminders
Customers
• Educate: Flyers, Knowledgeable Employees
• Motivate: Annual Awareness Training
• Activate: Stuffers, Web Site Announcements
Vendors
• Educate: Due Diligence Request Letter, Phone Call
• Motivate: Contract Negotiations, Due Diligence Request Letter, AP New Vendor Form
• Activate: Ongoing discussion emphasizing security. A call when something doesn’t seem right.
On the Portal . . .
• Information Security Officer Job Description
How should we summarize?
Interactions
ISO must interact with:
• Board of Directors
  – Annual Report to the Board
  – Risk Acceptance Decisions
  – Policy Approval
ISO must interact with:
• Oversight Committee
  – Internal Auditing
  – Monitoring
  – Audit Reports
  – Vulnerability Assessments
ISO must interact with:
• Management Team
  – Risk Analysis
  – Training
  – Vendor Due Diligence
  – Access Authorization Review
  – Budget
  – Incident Response
ISO Must Interact With:
• The you-wouldn’t-expect interactions
  – Human Resources
    • Policy Development and Enforcement
    • Incident Response Team
    • Risk Assessment
    • Orientation
  – Marketing
    • Customer Awareness Training
    • Public Presence Security Controls
    • Use of Social Media
ISO must interact with:
• Technical Team
  – Security Standards
  – Incident Response
  – Vulnerability Assessments
  – Audits
  – Network Monitoring
ISO must interact with:
• Users (all employees)
  – Acceptable Use Policy
  – Annual Awareness Training
  – Policy Enforcement
  – Security Reminders and Notices
  – Testing
  – Incident Response
  – Answering Questions
ISO must interact with:
• Vendors
  – Vendor Risk Analysis
  – Vendor Due Diligence Requirements
  – Risk Acceptance
ISO must interact with:
• Customers
  – Customer Awareness Training
  – Incident Response
Thank you!
Don’t forget the Evaluations!
The Workshop Portal
• List of boilerplates and related websites.
• Electronic Version of Documents, Articles, and Boilerplates for your use.
  – mat2009.infotex.com (all lower case)
  – Your user name . . . mat2009 (all lower case)
  – Th3!b@#1 is the password.
• Portal is classified “internal use.”