Lord of the Keys:
Maturing your IS Program Using the NIST Cybersecurity Framework and FFIEC Cybersecurity Maturity Assessment
Agenda
Reasons to Mature
Breaches and Impact
WNB Posture
NIST Cybersecurity Framework
FFIEC Maturity Assessment Tool
I.S.E. People's Choice Award: http://www.ten-inc.com/ise/central/default.asp and https://www.surveymonkey.com/r/CEN_PCVOTING
Background
LinkedIn Profile: Marc Crudgington
Why Act?
Executive Order 13636: President signs order to improve cybersecurity in the critical infrastructure, 02/2013
PCI Required: Covers those associated with payment cards (banks, merchants, tech), 12/2004
Right thing to do: Protecting customer data is paramount to the bank's reputation and trust

Why Act?
FFIEC: Cybersecurity Awareness, IT Handbook, Frequency of attacks, 11/2015; Mitigate attacks, 03/2015; Participate in Intel Sharing, 11/2014
Executive Order: Private sector information sharing, 02/2015; National Action Plan and Cybersecurity Commission, 02/2016
FFIEC: Releases Cybersecurity Assessment Tool, recommends financial institutions use it or a similar tool, 06/2015
Why Act?
ID10Ts exist and they want their
Company Breaches
Effects on Economy
Effects on Economy
IP Intensive: IP: 70% of value of public companies; Annual losses: estimated over $300B; China: +$107B sales and +2.1M jobs
Healthcare: 43%: ITRC account of breaches; 2013: 8.8M records stolen; 1.8M: Victims of Identity Theft
Finance/Business: 2013: 856 reported breaches; Q1 2014: 98.3% of data exposed; 37%: Breaches affected the sector
Effects on Economy
1M+ jobs lost and a $200B cost in 2010 (based on an estimate of 5,080 jobs per $1B)
0.5% ($70B) or 1% ($140B) of National Income
Globally: $350B or $700B
Healthcare: $7B for HIPAA 2013 losses
SMBs: 80% file bankruptcy or suffer significant financial losses
S&P 500: $136.5B due to AP Twitter hack
Effects on Economy (chart, value per year): 2011 $214; 2012 $194; 2013 $188; 2014 $201; 2015 $217
Effects on Economy
Enterprises: Incident: Prof Svcs $109k, Bus. Opp. $457k; Prevention: New IT Sec $57k, Training $26k; Total $649k
SMBs: Incident: Prof Svcs $13k, Bus. Opp. $23k; Prevention: New IT Sec $9k, Training $5k; Total $50k
Attack Type: Targeted: Ent. $2.4M, SMB $92k; Phishing: Ent. $57k, SMB $26k; DDoS: Ent. $57k, SMB $26k
Effects on Economy
Loss of IP and Confidential Information
Cybercrime
Loss of sensitive business information (stock market manipulation)
Opportunity costs, including service and employment disruptions, and reduced trust for online activities
The additional cost of securing networks, insurance, and recovery from cyber attacks
Reputational damage
Defense-in-Depth 2.0 (diagram: Traffic Flow / Security Layers, starting from the Internet)
Cybersecurity Maturity Timeline (continuous improvement)
2012/2013 (START): Begin assessing program, developing strategy; PCI
2014: Complete maturity assessment engagement; evaluate report, next steps
2015: Evaluate/implement framework, tools implementation, continue PCI path
2016: Continue implementation of framework, tools, PCI; self/regulator assessment, engage 3rd party
Framework Core
Identify: Organizational understanding to manage cybersecurity risks
Protect: Appropriate safeguards to ensure delivery of services
Detect: Appropriate activities to identify the occurrence of a cybersecurity event
Respond: Appropriate activities to take action regarding a detected cybersecurity event
Recover: Maintain plans for resilience and to restore services impacted
Framework Function/Category (number of subcategories in parentheses)
Identify: Asset Management (6), Business Environment (5), Governance (4), Risk Assessment (6), Risk Management Strategy (3)
Protect: Access Control (5), Awareness and Training (5), Data Security (7), Information Protection Processes (12), Maintenance (2), Protective Technology (4)
Detect: Anomalies and Events (5), Security Continuous Monitoring (8), Detection Processes (5)
Respond: Response Planning (1), Communications (5), Analysis (4), Mitigation (3), Improvements (2)
Recover: Recovery Planning (1), Improvements (2), Communications (3)
Framework Subcategories
Subcategories: specific outcomes of technical and/or management activities (requirements, controls, guidelines)
Identify: ID.GV-1: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties, are understood and managed
Protect: PR.DS-5: Protections against data leaks are implemented
Detect: DE.AE-2: Detected events are analyzed to understand attack targets and methods
What We Did
Participated in Framework Request for Information
Reviewed Framework upon release
Determined how Framework fit into our current IS Program
Declared NIST Cybersecurity Framework as our foundational IS Program framework
Incorporated NIST Cybersecurity Framework into our IS Program
Internal Audit performed Cybersecurity / GLBA Audit
FFIEC Inherent Risk Profile
Technologies and Connection Types + Delivery Channels + Online/Mobile Products and Technology Services + Organizational Characteristics + External Threats = Inherent Risk
Inherent Risks Samples
Risk Levels: Least, Minimal, Moderate, Significant, Most
Category: Personal devices allowed to connect to the corporate network
Least: None
Minimal: Only one device type available;