RiskWatch for Credit Unions™

RiskWatch for Credit Unions™ will assist you in conducting a full risk assessment to meet the NCUA Part 748 standard. A complete standards library includes all security risk assessment elements for credit unions, including the GLBA (Gramm-Leach-Bliley Act) standards as well as the Red Flags identity theft requirement. Affordable and easy to use, RiskWatch makes it easy to meet regulators' requirements for risk assessment with both web-based and server-based online questionnaires that automatically write management reports with working papers, graphics, and complete audit trails.

RiskWatch software is recommended by regulators because it assists the management and board of the credit union in demonstrating compliance with existing requirements and prepares the risk assessment required annually by NCUA. Whether the credit union wants to conduct its own assessment or have RiskWatch assist in gathering information, hosting surveys, or analyzing and printing reports, RiskWatch for Credit Unions™ makes it easy. The product also analyzes and manages technical service providers and the risk involved in outsourcing.

Published in: Economy & Finance, Technology
    1. RISKWATCH SOFTWARE STREAMLINES RISK ASSESSMENTS FOR GLBA, RED FLAG, NCUA PART 748, BSA and FFIEC REQUIREMENTS. RiskWatch for Credit Unions
    2. RiskWatch for Credit Unions: CUNA & NCUA approved software for risk assessments to meet NCUA 748 & FFIEC guidelines
    3. BECOME A CHARTER MEMBER of the Risk Assessment Service Group
       • Greatly Reduced Costs
       • Built-in Training & Consulting Support
       • Total Backroom Service
       • The BEST Way to Meet Regulators' Requirements
    4. The Environment
       • Information Technology
         • IT has become an important part of most organizations
         • New federal and international standards require more attention to IT risk.
       • Regulatory Compliance
         • Sarbanes-Oxley has increased the accountability of management
         • New regulations for credit unions: Red Flags
         • NCUA expects risk assessments to be performed on every credit union system
    5. Current/Changing View of IT
       • A poll by Deloitte Consulting of 450 directors of publicly traded companies reveals the following:
         • 11% of boards discuss IT at every meeting
         • 14% of boards are “completely and actively involved” in IT strategy.
         • 10% of boards relegate IT matters to a board committee.
         • Directors who report a higher level of involvement in IT matters have a better understanding of IT’s importance to their business and their performance.
         • Directors report that effectiveness in executing on IT strategy correlates to better financial performance.
         • Source: SOX Institute Presentation, January 08
    6. What Companies Need
       • A recent Feb 08 report included findings from 800 organizations
         • What organizations need in an IT GRC solution:
           • 42% Risk analysis and management
           • 34% Automated process for identifying, measuring, and monitoring operational risk
           • 32% Features aligning IT policy, risk, and operations management with business initiatives
           • 29% Documented policies and procedures
           • 22% Business process modeling
         • Data Source: Aberdeen Group, Feb 08
    7. Compliance Regulations, Standards and Guidelines
       • Information Security / ISO 17799
       • NIST 800-26, NIST 800-53
       • ISO/IEC 17799:2005
       • ISO/IEC 27001
       • Office of Management and Budget (OMB) A-123, A-124, A-127, and A-130
       • COBIT 4
       • Physical Security
       • RiskWatch for Physical Security
       • NERC CIP 002-009 (North American Electric Reliability Council) Critical Infrastructure Protection
       • Nuclear Power Generators: NRC (Nuclear Regulatory Commission) & NEI (Nuclear Energy Institute)
       • Financial & Regulatory Compliance - Credit Unions
       • GLBA (Gramm-Leach-Bliley Act)
       • FFIEC Audit Framework for Information Security and for Risk Analysis
       • California SB 1386 (Identity Theft)
       • NCUA Part 748
       • Red Flag - FACT
       • Sarbanes-Oxley Act
       • Pandemic Flu Guidelines
       • HIPAA (Health Insurance Portability and Accountability Act of 1996)
    8. Action Summary from the FFIEC IT Examination Handbook, July 2006 and NCUA Part 748
       “Financial institutions must maintain an ongoing information security risk assessment that:
       • Gathers data regarding the information and technology assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
       • Analyzes the probability and impact associated with the known threats and vulnerabilities to its assets; and
       • Prioritizes the risk present due to threats and vulnerabilities to determine appropriate levels of training, controls and testing necessary for mitigation.”
       FFIEC, July 2006
    9. Red Flag - Identity Theft
    10. Red Flag Deadline: November 2008
       • The final rules require each financial institution to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:
         • Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;
         • Detect red flags that have been incorporated into the Program;
         • Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
         • Ensure the Program is updated periodically to reflect changes in risks from identity theft.
       • The attached final rulemaking is issued by the Board of Governors of the Federal Reserve System, FDIC, FTC, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. The final rules are effective on January 1, 2008. Covered financial institutions and creditors must comply with the rules by November 1, 2008.
    11. NEW FFIEC Guidance, July 27, 2006 Applies to Credit Unions
    13. RESPONSIBILITY AND ACCOUNTABILITY
       • The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution’s information security program, and making senior management accountable for its actions. Oversight requires the board to provide management with guidance; approve information security plans, policies and programs; and review reports on the effectiveness of the information security program. The board should provide management with its expectations and requirements and hold management accountable for:
         • Central oversight and coordination,
         • Assignment of responsibility,
         • Risk assessment and measurement,
         • Monitoring and testing,
         • Reporting, and
         • Acceptable residual risk.
    14. What Is Risk Assessment?
       • A process used to determine what controls are needed to protect critical or sensitive assets adequately & cost-effectively.
       • The process examines five variable functions:
         1. Specific Assets to be protected (value)
         2. Potential Threats to the various assets
         3. Vulnerabilities that would allow the threats to materialize
         4. Kinds of Losses that the threats could cause
         5. Safeguards that would reduce the loss or eliminate the threats
    15. RiskWatch Clients
    16. NCUA 12 CFR 7 Subchapter A, Part 748, Sections 353.1-353.3
       • A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each credit union should:
         1. Approve the credit union's written information security policy and program; and
         2. Oversee the development, implementation, and maintenance of the credit union's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.
       • B. Assess Risk. Each credit union should:
         1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems;
         2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of member information; and
         3. Assess the sufficiency of policies, procedures, member information systems, and other arrangements in place to control risks.
    17. C. Manage and Control Risk. Each credit union should:
         1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the credit union's activities.
            a. Access controls on member information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing member information to unauthorized individuals who may seek to obtain this information through fraudulent means;
            b. Access restrictions
            c. Encryption of electronic member information
            d. Procedures designed to ensure that member information system modifications are consistent
            e. Dual control procedures, segregation of duties, and employee background checks for employees
            f. Monitoring systems and procedures to detect actual and attempted attacks
            g. Response programs that specify actions to be taken
            h. Measures to protect against destruction, loss, or damage of member information due to potential environmental hazards, such as fire and water damage or technical failures.
         2. Train staff to implement the credit union's information security program.
         3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the credit union's risk assessment.
    18. RiskWatch Software Meets all New Compliance Requirements
       • Meets the Risk Assessment Guidelines of the FFIEC IT Examiner’s Handbook Security Guidelines & ISO 27001
       • Does the Risk Assessment required by the 2-Factor or Multi-Factor Authentication Standard (FFIEC FIL-103, Oct. 2005) on Internet systems and 3rd parties
       • Includes GLBA, SB 1386
       • Includes the PCI Standard (Payment Card Industry)
    19. Data Aggregation & Analysis
       Financial Data Software Automatically Analyses Over 3 Million Linking Relationships
       Risk = Asset × Loss × Threat × Vulnerability
       • Loss: Delays & Denials, Fines, Disclosure, Modification, Direct Loss
       • Asset: Applications, Database, Financial Data, Hardware, System Software
       • Threat: Disclosure, Hackers, Fraud, Viruses, Network Attack, Loss of Data, Embezzlement
       • Vulnerability: Acceptable Use, Disaster Recovery, Authentication, Network Controls, No Security Plan, Accountability, Privacy, Access Control
    20. WHAT’S RISKWATCH?
       • Since 1993, RiskWatch has been the leader in security risk assessment software
       • NIST-CSE Model Builder’s Workshop on Risk Assessment & the NSA Rating Model Workshops, 1988-1995
       • Participated in the working group to write the DOD Directive on Risk Management under the Office of the Secretary of Defense, 1996-1998.
       • Participated in the Dept. of Justice working group on Vulnerability Assessment Models for Homeland Security, 2003
       • ASIS International, ITSC Council - Caroline Hamilton
       • IBM Data Governance Council - Caroline Hamilton
    21. RiskWatch is The First Choice in Security Risk Assessment Software
       • Proven methodology: field tested with users for over ten years and guaranteed to meet federal risk assessment requirements
       • Automated survey utility
       • Completely customizable by users
       • Favorable Gartner Group rating
       • First choice for top-tier consultants
       • Based on the latest federal and audit standards
    22. RiskWatch Products 9.3
       • RiskWatch for Credit Unions
       • RiskWatch for Banks & Financial Institutions
       • RiskWatch for ISO 17799 & 27001
       • RiskWatch for HIPAA
       • RiskWatch for Sarbanes-Oxley (SOX)
       • RiskWatch for Federal Systems
       • RiskWatch for Electrical Utilities (NERC)
       • RiskWatch for Nuclear Power (NEI-NRC)
       • RiskWatch for Physical & Homeland Security
       • CASEWORKS
    23. From the Gartner Group Report
       “RiskWatch, Inc., is positioned as the leading "rescuer" of a massive private and public market constrained by fear of loss in terms of dollars and human life. Its unique form of rescue is in its before-the-fact nature. The RiskWatch tools credibly guide the users through a process to qualify its security situation concerning threats, assets, potential loss, vulnerabilities, and safeguards. The client has the opportunity to establish its own image and foundation of security through RiskWatch's regulatory and quality compliance and accreditation tools and functions. Through its quantitative methods and automated functions, RiskWatch arms the analysts and decision-makers with a solid risk management analysis based on the ALE balanced with the ROI. Once the client establishes the security policies—the plan is deployed and its life cycle managed within the framework of RiskWatch. RiskWatch brings financially realized value to the client and the management vehicle and standards to follow.”
    24. RISKWATCH® Value
       • Reduces time involved in performing a risk analysis by 70%
       • Users are able to customize the software to fit their own profile
       • Meets audit requirements for risk assessment
       • Content is frequently updated and shipped to users.
       • Web-based survey process involves management and the user community.
       • Quantifies risk and provides ROI metrics
       • Automated report generation, including working papers and a complete management-ready case summary report
    25. Why RiskWatch Stays Number One
       • “What sets RiskWatch apart from its competitors is its focus on risk analysis for security management, its ability to handle large volumes of information, and its large number of customizable features.” -- Gartner Group
       • RiskWatch has hundreds of users
       • Complete technical support: Gold & Platinum levels of support
       • Ambassador Program for extra support
       • Comprehensive training programs monthly
       • On-site training also available by request
    26. ELEMENTS OF A METRICS-BASED RISK ASSESSMENT APPROACH: Assets, Threats, Vulnerabilities, Losses, Safeguards
    27. RISKWATCH® Risk Assessment Process (diagram elements): Automated Survey Management, Process Management, Data Aggregation & Analysis, Content (Rules & Data), Risk Analysis, Customization, Reporting, Respondents, Analyst(s)
    28. Progress at a Glance: Tracks the Case
    29. Data Aggregation & Analysis (repeat of slide 19: Risk = Asset × Loss × Threat × Vulnerability, linking Loss, Asset, Threat and Vulnerability items)
    30. Valuing Assets: RiskWatch Auto-Populates Asset Values
    31. RISKWATCH PROVIDES AGGREGATED THREAT DATA OR YOU CAN OVERWRITE STANDARD AVERAGES WITH YOUR OWN ORGANIZATIONAL DATA
       • Quantified threat data is hard to find.
       • Categories of threats: Natural Disasters, Criminal Activity, Terrorism, Theft, Systems Failures
       • Collect data from web sources, government data, weather data, crime casts, global info services, access control systems, incident logs.
       • Use data from internally collected sources
    32. THREAT FREQUENCIES ARE PROVIDED AND CAN ALSO BE TAILORED WITH CUSTOMER DATA SUCH AS PENETRATION TEST DATA
    33. Web-Based Surveys Facilitate Respondent Answers: Automated Survey Management
    34. YOU CAN SELECT QUESTIONS THAT MAP EXACTLY TO THE FFIEC, ISO-17799, GLBA or SB 1386 STANDARD
    35. Each question uses actual security regulations as control standards and is linked to appropriate Functional Areas
    36. Respondents Can Answer Questions over the Web with full ASP functionality
    37. Fully Automated Web-based Surveys make it Easy to Involve Key Employees
       • Over the web, via ASP link
       • Questionnaire diskettes
       • E-mail attached file
       • On a laptop with analyst present
       • With paper questionnaires
       USERS DON’T HAVE TO HAVE RISKWATCH TO ANSWER ELECTRONIC SURVEYS
    38. Pre-selects Appropriate Loss Categories
       • Delays and Denials of Service
       • Disclosure
       • Direct Loss (Data Loss)
       • Modification of Data
       • Indirect Loss
       • Intangibles (Reputation)
    39. INCLUDES ALL IT-REQUIRED SAFEGUARD CATEGORIES
    40. EACH POTENTIAL SAFEGUARD INCLUDES DEFAULT VALUES FOR COST, MAINTENANCE AND LIFE CYCLE
    41. Reports: Results From Dozens Of Employees Are Instantly Aggregated And Analyzed.
    42. RESULTS FROM THE RISK ASSESSMENTS
       • Measurable data which can be benchmarked
       • Prove validity of findings with full audit trails
       • Standardized methodology meets regulators’ standards
       • Writes a variety of fully automated management reports, including working papers.
    43. MITIGATION STRATEGIES
       1. Accept Risk
       2. Transfer Risk
       3. Mitigate Risk
       4. Better Risk Reactions
       5. Dealing with Residual Risk
    44. The Case Summary Report Is Pre-Written for Management
    45. EASY TO UNDERSTAND GRAPHS ILLUSTRATE OVERALL COMPLIANCE VS. NON-COMPLIANCE
    46. Vulnerability Distribution Report Shows the Weak Compliance/Security Areas
    47. Vulnerability Distribution Report Shows the Weak Compliance/Security Areas
    48. Track Compliance by Individual
    49. Vulnerability reports include complete audit trails and powerful analysis tools
    50. Looking at Loss Expectancy by Type of Loss
    51. RiskWatch Calculates the Return on Investment & Recommends Cost Effective Security Controls. In this example, finishing and updating the Disaster Recovery Plan had a 2000:1 ROI. That means for every dollar spent on updating the plan (estimated at $1000), the organization saves $2,000,000.
       • Finish Disaster Recovery Plan 2000:1
       • Finish the Security Plan 1200:1
       • Complete Security Training 943:1
    52. SAFEGUARD REPORT -- RECOMMENDED CONTROLS BY RETURN ON INVESTMENT
    53. Demonstrates Reduction in Loss Expectancy by Applying Overlapping Layers of Protection from Implementing Top Recommended Controls
    54. THE BOTTOM LINE
       1. Regulators are going to continue to push for more risk assessments to be performed annually.
       2. A RiskWatch risk assessment is the foundation of the IT security program and the Governance, Risk and Compliance program.
       3. RiskWatch is the best way to meet NCUA risk analysis requirements and self-assess compliance by requirement.
       4. Get Special Pricing and Free Training in Annapolis by emailing [email_address].
    55. www.riskwatch.com
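The risk product on the Data Aggregation & Analysis slide, the safeguard ROI ranking, and the overlapping-layers reduction in loss expectancy can be worked through numerically. The following is an added example and not RiskWatch code; it assumes that Risk = Asset × Loss × Threat × Vulnerability is read as an annual loss expectancy (ALE) with asset value in dollars, loss as the fraction of value lost per incident, threat as incidents per year and vulnerability as a probability, and that a safeguard's ROI is its annual ALE reduction divided by its annualized cost (purchase cost spread over the life cycle, plus maintenance). The figures are constructed so that the disaster recovery plan comes out at the deck's 2000:1.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    """One linking relationship across slide 19's four axes. Assumed units:
    dollars, incidents per year, probability, fraction of value lost per incident."""
    asset: str
    asset_value: float
    threat: str
    threat_freq: float
    vulnerability: str
    vuln_prob: float
    loss_type: str
    loss_fraction: float

    def ale(self) -> float:
        # Risk = Asset x Loss x Threat x Vulnerability, read as an annual loss expectancy.
        return self.asset_value * self.loss_fraction * self.threat_freq * self.vuln_prob

@dataclass(frozen=True)
class Safeguard:
    """A control with the cost, maintenance and life-cycle values slide 40 mentions."""
    name: str
    cost: float                  # one-time cost, dollars
    annual_maintenance: float
    life_cycle_years: float
    mitigates: dict[str, float]  # vulnerability -> fraction of its ALE removed

    def annual_cost(self) -> float:
        return self.cost / self.life_cycle_years + self.annual_maintenance

def ale_reduction(exposures: list[Exposure], sg: Safeguard) -> float:
    """Annual ALE a single safeguard removes on its own."""
    return sum(e.ale() * sg.mitigates.get(e.vulnerability, 0.0) for e in exposures)

def roi(exposures: list[Exposure], sg: Safeguard) -> float:
    """Return on investment as the ratio slide 51 reports (e.g. 2000:1)."""
    return ale_reduction(exposures, sg) / sg.annual_cost()

def rank_by_roi(exposures: list[Exposure], safeguards: list[Safeguard]) -> list[Safeguard]:
    """Slide 52's safeguard report: controls ordered by ROI, best first."""
    return sorted(safeguards, key=lambda s: roi(exposures, s), reverse=True)

def residual_ale(exposures: list[Exposure], safeguards: list[Safeguard]) -> float:
    """ALE left after all safeguards are applied as overlapping layers (slide 53):
    each layer removes its fraction of what the earlier layers left."""
    total = 0.0
    for e in exposures:
        remaining = e.ale()
        for s in safeguards:
            remaining *= 1.0 - s.mitigates.get(e.vulnerability, 0.0)
        total += remaining
    return total

# Constructed sample data, chosen so the disaster recovery plan comes out at 2000:1.
EXPOSURES = [
    Exposure("Financial Data", 40_000_000, "Natural Disaster", 0.1, "Disaster Recovery", 1.0, "Delays & Denials", 0.5),
    Exposure("Database", 5_000_000, "Hackers", 2.0, "Authentication", 0.2, "Disclosure", 0.3),
    Exposure("Applications", 1_000_000, "Fraud", 0.5, "Accountability", 0.4, "Direct Loss", 0.1),
]
SAFEGUARDS = [
    Safeguard("Multi-Factor Authentication", 50_000, 10_000, 5, {"Authentication": 0.9}),
    Safeguard("Complete Security Training", 6_000, 0, 3, {"Authentication": 0.5, "Accountability": 0.5}),
    Safeguard("Finish Disaster Recovery Plan", 1_000, 0, 1, {"Disaster Recovery": 1.0}),
]
```

With these inputs the total ALE is $2,620,000, the ranking is the disaster recovery plan (2000:1), training (155:1), then MFA (27:1), and applying all three as layers leaves a residual ALE of $40,000.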