
Transcript
Page 1: ISACA ISSA Presentation

Lord of the Keys:

Maturing your IS Program Using the NIST Cybersecurity Framework and FFIEC Cybersecurity Maturity Assessment

Page 2: ISACA ISSA Presentation

• Reasons to Mature

• Breaches and Impact

• WNB Posture

• NIST Cybersecurity Framework

• FFIEC Maturity Assessment Tool

Agenda


Page 3: ISACA ISSA Presentation

I.S.E. People's Choice Award
http://www.ten-inc.com/ise/central/default.asp
https://www.surveymonkey.com/r/CEN_PCVOTING

Background

LinkedIn Profile: Marc Crudgington

Page 4: ISACA ISSA Presentation

Why Act?

Executive Order 13636: President signs to improve cybersecurity in the critical infrastructure, 02/2013

PCI Required: Covers those associated with payment cards (banks, merchants, tech), 12/2004

Right thing to do: Protecting customer data is paramount to the bank's reputation/trust

Page 5: ISACA ISSA Presentation

Why Act?

FFIEC: Cybersecurity Awareness, IT Handbook, Frequency of attacks, 11/2015; Mitigate attacks, 03/2015; Participate in Intel Sharing, 11/2014

Executive Order: Private sector information sharing, 02/2015; National Action Plan and Cybersecurity Commission, 02/2016

FFIEC: Releases Cybersecurity Assessment Tool, recommends financial institutions use it or a similar tool, 06/2015

Page 6: ISACA ISSA Presentation

Why Act?

ID10Ts exist and they want their…

Page 7: ISACA ISSA Presentation

Company Breaches

Page 8: ISACA ISSA Presentation

Effects on Economy

Chart: Jobs in US Economy by sector (IP Intensive, Finance, Healthcare, Energy, Other); segment values shown: 46%, 28%, 10%, 8%, 8% (the sector-to-value pairing is not recoverable from the extracted text).

Page 9: ISACA ISSA Presentation

Effects on Economy

IP Intensive

• IP: 70% of value of public companies

• Annual losses: estimated over $300B

• China: +$107B sales and +2.1M jobs

Healthcare

• 43%: ITRC account of breaches

• 2013: 8.8M records stolen

• 1.8M: Victims of Identity Theft

Finance/Business

• 2013: 856 reported breaches

• Q1 2014: 98.3% of data exposed

• 37%: Breaches affected the sector

Page 10: ISACA ISSA Presentation

Effects on Economy

• 1M+ jobs lost and a $200B cost in 2010

• Based on estimate of 5,080 jobs per $1B

• 0.5% ($70B) or 1% ($140B) of National Income

• Globally - $350B or $700B

• Healthcare: $7B for HIPAA 2013 losses

• SMBs: 80% file bankruptcy or suffer significant financial losses

• S&P 500: $136.5B due to AP Twitter hack

Page 11: ISACA ISSA Presentation

Effects on Economy

Chart: values by year, 2011 to 2015, in the order they appear: 2011 $214, 2012 $194, 2013 $188, 2014 $201, 2015 $217 (the chart's axis label is not recoverable from the extracted text).

Page 12: ISACA ISSA Presentation

Effects on Economy

Associated Costs            Enterprises   SMBs
Incident - Prof Svcs        $109k         $13k
Incident - Bus. Opp.        $457k         $23k
Prevention - New IT Sec     $57k          $9k
Prevention - Training       $26k          $5k
Total                       $649k         $50k

Attack Type                 Ent.          SMB
Targeted                    $2.4M         $92k
Phishing                    $57k          $26k
DDoS                        $57k          $26k

Page 13: ISACA ISSA Presentation

Effects on Economy

• Loss of IP and Confidential Information

• Cybercrime

• Loss of sensitive business information - stock market manipulation

• Opportunity costs, including service and employment disruptions, and reduced trust for online activities

• The additional cost of securing networks, insurance, and recovery from cyber attacks

• Reputational damage

Page 14: ISACA ISSA Presentation

Defense-in-Depth 2.0

Diagram: Traffic Flow / Security Layers, from the Internet through the Perimeter to the Core. Components shown, in the order extracted (zone placement is not recoverable from the extracted text): Laptops / Tablets, Phones, Phishing, Scanners, Web Apps, Internet F/W, Remote Access F/W, Extranet VPN F/W, Email GW, Web GW, 2FA, IDS, Load Balancer, Threat Intel, DMZ, File Xport, Internet F/W, Payment Sys F/W, PCs, IPS, Servers, Scanners, Server Monitor, Event Monitor, DB Monitor, PCI F/W, Critical Servers.

Page 15: ISACA ISSA Presentation

Cybersecurity Maturity Timeline

2012/2013 (START): Begin assessing program, developing strategy; PCI

2014: Evaluate/implement framework, tools implementation, continue PCI path

2015: Continue implementation of framework, tools, PCI; self/regulator assessment, engage 3rd party

2016: Complete maturity assessment engagement; evaluate report, next steps

Continuous improvement

Page 16: ISACA ISSA Presentation

Framework Core

Identify: Organizational understanding to manage cybersecurity risks

Protect: Appropriate safeguards to ensure delivery of services

Detect: Appropriate activities to identify the occurrence of a cybersecurity event

Respond: Appropriate activities to take action regarding a detected cybersecurity event

Recover: Maintain plans for resilience and to restore services impacted

Page 17: ISACA ISSA Presentation

Framework Function/Category

Function: Identify
  Asset Management (6)
  Business Environment (5)
  Governance (4)
  Risk Assessment (6)
  Risk Management Strategy (3)

Function: Protect
  Access Control (5)
  Awareness and Training (5)
  Data Security (7)
  Information Protection Processes (12)
  Maintenance (2)
  Protective Technology (4)

Page 18: ISACA ISSA Presentation

Framework Function/Category cont.

Function: Detect
  Anomalies and Events (5)
  Security Continuous Monitoring (8)
  Detection Processes (5)

Function: Respond
  Response Planning (1)
  Communications (5)
  Analysis (4)
  Mitigation (3)
  Improvements (2)

Function: Recover
  Recovery Planning (1)
  Improvements (2)
  Communications (3)

Page 19: ISACA ISSA Presentation

Framework Subcategories

• Subcategories – specific outcomes of technical and/or management activities (requirements, controls, guidelines)

Identify: ID.GV-1 – Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties, are understood and managed

Protect: PR.DS-5 – Protections against data leaks are implemented

Detect: DE.AE-2 – Detected events are analyzed to understand attack targets and methods

Page 20: ISACA ISSA Presentation

What We Did

• Participated in Framework Request for Information

• Reviewed Framework upon release

• Determined how Framework fit into our current IS Program

• Declared NIST Cybersecurity Framework as our foundational IS Program framework

• Incorporated NIST Cybersecurity Framework into our IS Program

• Internal Audit performed Cybersecurity / GLBA Audit

Page 21: ISACA ISSA Presentation

FFIEC Inherent Risk Profile

Technologies and Connection Types
+ Delivery Channels
+ Online/Mobile Products and Technology Services
+ Organizational Characteristics
+ External Threats
= Inherent Risk

Page 22: ISACA ISSA Presentation

Inherent Risks Samples

Category, with the description for each Risk Level (Least, Minimal, Moderate, Significant, Most):

Personal devices allowed to connect to the corporate network
  Least: None
  Minimal: Only one device type available; <5% employees; email
  Moderate: Multiple device types; <10% employees; e-mail
  Significant: Multiple device types; <25% emp.; e-mail, some apps
  Most: Any device; >25% employees; all apps accessed

Online presence (customer)
  Least: No web facing
  Minimal: Website/Social media
  Moderate: Delivery channel, customer comm.
  Significant: Wholesale, retail account origination
  Most: Internet apps serve as channel

Issue debit or credit cards
  Least: Do not issue debit or credit cards
  Minimal: Issue through a third party; <10,000 cards
  Moderate: Issue third party; between 10,000 – 50,000 cards
  Significant: Issue directly; between 50,000 – 100,000 cards
  Most: Issue directly; >100,000 cards outstanding; issue on behalf

Changes in IT and IS staffing
  Least: Key positions filled; low turnover
  Minimal: Staff vacancies exist for non-critical roles
  Moderate: Some turnover in key or senior positions
  Significant: Frequent turnover in key or senior staff
  Most: Vacancies Sr. staff long periods; IT/IS turnover high

Attempted Cyber Attacks
  Least: None
  Minimal: <100 monthly, generic phishing
  Moderate: <500, targeted phishing, DDoS
  Significant: >500-100k, spear phishing, threat reports, DDoS
  Most: <100k, persistent attacks & DDoS

Page 23: ISACA ISSA Presentation

Inherent Risks

Matrix: rows are the Inherent Risk Levels (Least, Minimal, Moderate, Significant, Most); columns are the Cybersecurity Maturity Level for Each Domain (Baseline, Evolving, Intermediate, Advanced, Innovative). The institution's inherent risk profile is read against the maturity level reached in each domain.

Page 24: ISACA ISSA Presentation

FFIEC Maturity Levels (Level 1 = Least Mature, Level 5 = Most Mature)

Level 1 - Baseline: minimum expectations required by law and regulations or recommended in supervisory guidance

Level 2 - Evolving: additional formality of documented procedures and policies that are not already required

Level 3 - Intermediate: detailed, formal processes; controls are validated and consistent

Level 4 - Advanced: cybersecurity practices and analytics that are integrated across lines of business

Level 5 - Innovative: driving innovation in people, processes, and technology for the institution and the industry to manage cyber risks

Page 25: ISACA ISSA Presentation

FFIEC Cybersecurity Domains

1. Cyber Risk Management and Oversight

2. Threat Intelligence and Collaboration

3. Cybersecurity Controls

4. External Dependency Management

5. Cyber Incident Mgmt. and Resilience

Page 26: ISACA ISSA Presentation

Cybersecurity Assessment Factors

Cybersecurity Maturity: Domain and its Assessment Factors

Cyber Risk Management and Oversight: Governance (Oversight, Strategy/Policies, IT Asset Management), Risk Management, Resources, Training and Culture

Threat Intelligence and Collaboration: Threat Intelligence, Monitoring and Analyzing, Information Sharing

Cybersecurity Controls: Preventative Controls, Detective Controls, Corrective Controls

External Dependency Management: Connections, Relationship Management

Cyber Incident Management and Resilience: Incident Resilience Planning, Strategy, Detection, Response, and Mitigation, Escalation and Reporting

Page 27: ISACA ISSA Presentation

Cybersecurity Maturity Statements

Domain 1: Cyber Risk Management and Oversight; Assessment Factor: Governance; Statement: Oversight
  Baseline: The budgeting process includes information security related expenses and tools
  Advanced: Management has a formal process to continuously improve cybersecurity oversight

Domain 2: Threat Intelligence and Collaboration; Assessment Factor: Information Sharing; Statement: Information Sharing
  Evolving: A formal & secure process is in place to share threat & vulnerability information with other entities
  Advanced: Relationships exist with employees of peer institutions for sharing cyber threat intelligence

Domain 3: Cybersecurity Controls; Assessment Factor: Detective Controls; Statement: Anomalous Activity Detection
  Baseline: Elevated privileges are monitored
  Innovative: The institution has a mechanism for real-time automated risk scoring of threats
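The scoring flow the last seven slides describe (an inherent risk profile built from the five risk categories, five maturity levels per domain, and declarative statements that decide whether a level is reached) as an added worked example in Python; this is not the FFIEC tool's own code nor the presenter's. Three things are assumptions of this example rather than facts taken from the slides: the cumulative rule that a domain only reaches a level when every statement at that level and all lower levels is met, the majority-with-tie-to-higher rule for collapsing category ratings into one profile, and the TARGET_MATURITY table mapping a risk profile to the maturity level a gap analysis checks against. The sample ratings and answers are constructed; the two Domain 3 statement texts are the ones quoted on the slide, the other three are labelled hypothetical placeholders.

```python
"""FFIEC CAT-style scoring: inherent risk profile, cumulative domain maturity,
and the gap between achieved and target maturity.

Example code added to this transcript; not the FFIEC tool's own logic.
"""
from collections import Counter

RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Assumed, illustrative mapping from inherent risk profile to the minimum maturity
# level a gap analysis checks each domain against. The CAT leaves the expected
# band to management and its regulator; this table is not from the tool.
TARGET_MATURITY = {
    "Least": "Baseline",
    "Minimal": "Evolving",
    "Moderate": "Intermediate",
    "Significant": "Advanced",
    "Most": "Innovative",
}


def inherent_risk_profile(category_ratings):
    """Collapse per-category ratings (each one of RISK_LEVELS) into one profile.

    Simplification assumed for this example: the most frequent rating wins, and a
    tie is resolved toward the higher level so the profile never understates risk.
    """
    counts = Counter(category_ratings)
    if not counts:
        raise ValueError("no category ratings supplied")
    top = max(counts.values())
    # RISK_LEVELS is ordered low -> high, so the last tied entry is the highest.
    return [lvl for lvl in RISK_LEVELS if counts.get(lvl) == top][-1]


def domain_maturity(statements):
    """Return the highest maturity level achieved for one domain, or None.

    statements: iterable of (level, text, met); met is True when the declarative
    statement is answered "Yes". Levels are cumulative (assumed here): a level is
    reached only when every statement at that level AND all lower levels is met,
    so a "Yes" at Advanced does not count while an Intermediate statement is missed.
    """
    achieved = None
    for level in MATURITY_LEVELS:
        answers = [met for lvl, _text, met in statements if lvl == level]
        # A level with no statements, or with any unmet statement, stops the climb.
        if not answers or not all(answers):
            break
        achieved = level
    return achieved


def maturity_gap(achieved, target):
    """Number of levels the achieved maturity falls short of the target (0 if none)."""
    def rank(lvl):
        return -1 if lvl is None else MATURITY_LEVELS.index(lvl)
    return max(0, rank(target) - rank(achieved))


def assess(category_ratings, statements_by_domain):
    """Combine both halves of the assessment into a per-domain gap report."""
    profile = inherent_risk_profile(category_ratings)
    target = TARGET_MATURITY[profile]
    report = {"inherent_risk": profile, "target_maturity": target, "domains": {}}
    for domain, statements in statements_by_domain.items():
        achieved = domain_maturity(statements)
        report["domains"][domain] = {
            "achieved": achieved,
            "levels_short": maturity_gap(achieved, target),
        }
    return report


# Constructed sample ratings for the five inherent-risk categories on the
# "Inherent Risks Samples" slide (devices, online presence, cards, staffing, attacks).
SAMPLE_RATINGS = ["Moderate", "Significant", "Moderate", "Minimal", "Moderate"]

# Domain 3 / Detective Controls / Anomalous Activity Detection. Baseline and
# Innovative texts are from the slide; the middle three are hypothetical placeholders.
SAMPLE_STATEMENTS = {
    "Domain 3: Cybersecurity Controls": [
        ("Baseline", "Elevated privileges are monitored", True),
        ("Evolving", "[hypothetical Evolving statement]", True),
        ("Intermediate", "[hypothetical Intermediate statement]", False),
        ("Advanced", "[hypothetical Advanced statement]", True),
        ("Innovative", "The institution has a mechanism for real-time automated "
                       "risk scoring of threats", False),
    ],
}

if __name__ == "__main__":
    result = assess(SAMPLE_RATINGS, SAMPLE_STATEMENTS)
    print(f"Inherent risk profile: {result['inherent_risk']} "
          f"-> target maturity {result['target_maturity']}")
    for domain, row in result["domains"].items():
        print(f"{domain}: achieved {row['achieved']}, {row['levels_short']} level(s) short")
```

With the constructed answers the domain stops at Evolving even though the Advanced statement is answered "Yes", which is the point of the cumulative rule: an unmet Intermediate statement is a real gap that a simple count of "Yes" answers would hide. Against a Moderate profile the report shows the domain one level short, which is the kind of finding the self- and regulator assessments on the timeline slide would surface.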

Page 28: ISACA ISSA Presentation

What We Did

• Started maturing when hired in 08/2012

• Assess program, changed IS Committee meeting, recommending anomalous behavior tools

• Utilized other maturity assessments: Gartner 03/2013, reassess in early 2015

• Surprise!: The FFIEC releases their maturity assessment on 06/30/2015

• Collaborated with CIO/CRO to complete the assessment

• Worked with regulators (OCC) to complete assessment to Evolving level

• Engaged a 3rd party consulting/audit firm to complete assessment

Page 29: ISACA ISSA Presentation

Do you have any questions?