BUSINESS CONSULTANTS | DEEP TECHNOLOGISTS

FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Compliance Frameworks
© 2015 West Monroe Partners | Reproduction and distribution without
West Monroe Partners prior consent is prohibited.
West Monroe Partners is large enough to tackle our clients’ toughest challenges and nimble enough to adapt to unique requirements with custom solutions.

Established in 2002
Founded by a team from Arthur Andersen, West Monroe is a full-service business and technology consulting firm.

People
Over 600 career consultants, confident enough to engage in constructive debate and understand that it’s okay to disagree.

Organization
We are 100% employee owned. We answer to our people and our clients only.

Global reach but geographically close
We serve global clients, locally by partnering with BearingPoint Europe and Grupo Assa.
(Timeline slide, early 2000s through 2015: awards and recognition)

- In 2009 and 2010 named one of Crain’s Chicago Business “Best 20 Places to Work in Chicago”
- Named by National Association of Business Resources as one of Chicago’s “101 Best and Brightest Companies to Work For” in 2006, 2007, 2008, 2009 and 2012
- In 2008, 2011, 2012, 2013, 2014 and 2015 Seattle Business Magazine named West Monroe “Best Large Company Headquartered Outside Washington”
- From 2010-2015 named as a “Top Workplace” by the Chicago Tribune
- Named one of Consulting Magazine’s “Best Small Firms to Work For” for the second straight year in 2010
- In 2012, 2013, 2014 and 2015 named one of the top Managed Service Providers in North America by MSPmentor
- In 2011 named to Columbus Business First’s 2011 “Best Places to Work”
- In 2012, 2013, 2014 and 2015 named one of Consulting magazine’s “Best Large Firms to Work For”
- In 2013 and 2014 named to the Great Place to Work “Best Small & Medium Workplaces” list published in FORTUNE magazine
- In 2012, 2014 and 2015, the Puget Sound Business Journal selected West Monroe Partners as a finalist for Washington's Best Workplaces
- Selected for the 2013 “Inner City 100” by The Initiative for a Competitive Inner City (ICIC) and FORTUNE
- In 2008, 2009, 2011, 2012, 2013 and 2015 named by Crain’s Chicago Business as one of its “Fast Fifty”
West Monroe Partners: An uncommon blend of business consultants and deep technologists solving security challenges in today’s business climate

- West Monroe’s Security team was built from the ground up with a blending of deep technologists and a focus on strategic security consulting
- We emphasize security as a component of an overall risk management approach, meaning we focus on strategic solutions and helping organizations to operationalize their security investments
- Where most security consultancies focus on addressing security through tactical assessments and solutions, we deliver prioritized roadmaps that address the areas that will most effectively improve your security posture and reduce risk
Federal Financial Institutions Examination Council (FFIEC)

Members and constituent bodies:
- FRB: Federal Reserve Bank - “The Fed”
- OCC: Office of the Comptroller of the Currency
- FDIC: Federal Deposit Insurance Corporation
- NCUA: National Credit Union Association
- CFPB: Consumer Financial Protection Bureau
- SLC: State Liaison Committee
  - CSBS: Conference of State Banking Supervisors
  - ACSSS: American Council of State Savings Supervisors
  - NASCUS: Nat. Assoc. of State Credit Union Supervisors

Starting in late 2015, examiners will begin using a new assessment tool to better understand risks and controls related to cybersecurity
There are two pieces of the FFIEC tool that must be accomplished, in order:

1. Inherent Risk Profile, assessed across five categories:
   - Technologies and Connections
   - Delivery Channels
   - Online, Mobile, and Tech. Services
   - Org. Characteristics
   - External Threats
2. Cybersecurity Maturity profile
The Cybersecurity Maturity profile worksheet is hierarchically structured, similar to most compliance frameworks:

Domain > Assessment Factor > Component > Maturity Level > Declarative Statement
By combining the information from the Inherent Risk and Maturity profiles, gaps can be assessed

(Slide figure: a three-step annotated worksheet excerpt showing Y/N responses to declarative statements and summary counts; the values are not recoverable from the slide text.)
On its own, use of the FFIEC CAT has clear strengths and weaknesses

Strengths:
- Easy to conduct
- Ordained by regulators
- Good coverage
- Contextual
- Thoroughly mapped

Weaknesses:
- Lack of detailed gap analysis
- Little flexibility
- Hard for non-technologists to digest
- Difficult to represent findings
Depending on the ability of your organization to respond to regulatory guidance, additional support or use of alternate frameworks may help
The NIST Framework Core identifies underlying key Categories and Subcategories for each Function, and maps them to Informative References

Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.

Subcategories further divide a Category into specific outcomes of technical and/or management activities.

Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory.

Function and its Categories (each Category breaks down into Subcategories, which map to Informative References):
- Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
- Protect: Access Control; Awareness and Training; Data Security; Information Protection Procedures; Maintenance; Protective Technology
- Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
- Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
- Recover: Recovery Planning; Improvements; Communications
The FFIEC Cybersecurity Assessment Tool directly aligns with the NIST Cybersecurity Framework

NIST Framework: Industry Alignment
The FFIEC Cybersecurity Assessment Tool (FFIEC CAT) provides a statement by statement and page by page comparison from the NIST Cybersecurity Framework (NIST CSF) to the FFIEC CAT.

Example of the NIST CSF mapping to the FFIEC CAT: (slide figure: side-by-side excerpt of the NIST Cybersecurity Framework and the FFIEC Cybersecurity Assessment Tool; the mapped statements are not recoverable from the slide text.)
The Core of the NIST Cybersecurity Framework further aligns to other Frameworks

NIST Framework: Industry Alignment
Organizations with successful implementations of NIST CSF can benefit from its synergy with other Frameworks. The NIST CSF Core contains Informative References, which are specific sections of other Frameworks that illustrate a method to achieve the outcomes associated with each of the Core’s Subcategories.

Example of the NIST CSF Core referring to other Frameworks:

Function: IDENTIFY (ID)
Category: Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried
Informative References:
· CCS CSC 1
· COBIT 5 BAI09.01, BAI09.02
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8
By assessing both the current state and desired state profiles, an organization can determine the most impactful areas of focus

(Slide figure: radar chart of the NIST / WMP Framework functions Govern, Identify, Protect, Detect, Respond and Recover, each rated on the PRISMA Scale: Policies, Procedures, Implementation, Testing, Org. Integration.)
The NIST framework can be leveraged to monitor and objectively evaluate an organization’s security maturity and associated progress

Function   Current Rating   Desired Rating
GOVERN     1.5              3.6
IDENTIFY   1.1              3.5
PROTECT    1.4              3.5
DETECT     1.4              3.2
RESPOND    1.5              3.5
RECOVER    1.2              3.1

(Slide figure: radar chart of the same six functions, current rating vs. desired rating.)
At the end of the day, regulators will demand more than a completed checklist
Questions & Discussion

JERIN MAY
Director - Infrastructure and Security - Seattle
Desk 206.905.0209
Cell 206.920.0958
jmay@westmonroepartners.com

ROSS MILLER
Manager – Infrastructure and Security - Seattle
Desk 206.905.0167
Cell 517.525.1843
rmiller@westmonroepartners.com

Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...Aggregage
 
Customizable Contents Restoration Training
Customizable Contents Restoration TrainingCustomizable Contents Restoration Training
Customizable Contents Restoration TrainingCalvinarnold843
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamArik Fletcher
 
Paul Turovsky - Real Estate Professional
Paul Turovsky - Real Estate ProfessionalPaul Turovsky - Real Estate Professional
Paul Turovsky - Real Estate ProfessionalPaul Turovsky
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
Entrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider contextEntrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider contextP&CO
 
Types of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdfTypes of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdfASGITConsulting
 
71368-80-4.pdf Fast delivery good quality
71368-80-4.pdf Fast delivery  good quality71368-80-4.pdf Fast delivery  good quality
71368-80-4.pdf Fast delivery good qualitycathy664059
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers referencessuser2c065e
 
Fundamentals Welcome and Inclusive DEIB
Fundamentals Welcome and  Inclusive DEIBFundamentals Welcome and  Inclusive DEIB
Fundamentals Welcome and Inclusive DEIBGregory DeShields
 
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...Hector Del Castillo, CPM, CPMM
 
NAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors DataNAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors DataExhibitors Data
 

Recently uploaded (20)

WAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdfWAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdf
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource Centre
 
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
 
Toyota and Seven Parts Storage Techniques
Toyota and Seven Parts Storage TechniquesToyota and Seven Parts Storage Techniques
Toyota and Seven Parts Storage Techniques
 
Introducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsIntroducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applications
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare Newsletter
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
 
Customizable Contents Restoration Training
Customizable Contents Restoration TrainingCustomizable Contents Restoration Training
Customizable Contents Restoration Training
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management Team
 
Paul Turovsky - Real Estate Professional
Paul Turovsky - Real Estate ProfessionalPaul Turovsky - Real Estate Professional
Paul Turovsky - Real Estate Professional
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
Entrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider contextEntrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider context
 
Types of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdfTypes of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdf
 
Authentically Social - presented by Corey Perlman
Authentically Social - presented by Corey PerlmanAuthentically Social - presented by Corey Perlman
Authentically Social - presented by Corey Perlman
 
71368-80-4.pdf Fast delivery good quality
71368-80-4.pdf Fast delivery  good quality71368-80-4.pdf Fast delivery  good quality
71368-80-4.pdf Fast delivery good quality
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers reference
 
Fundamentals Welcome and Inclusive DEIB
Fundamentals Welcome and  Inclusive DEIBFundamentals Welcome and  Inclusive DEIB
Fundamentals Welcome and Inclusive DEIB
 
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
 
NAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors DataNAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors Data
 

FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Compliance Frameworks

  • 3. Awards and recognition:
     In 2009 and 2010 named one of Crain's Chicago Business "Best 20 Places to Work in Chicago"
     Named by the National Association of Business Resources as one of Chicago's "101 Best and Brightest Companies to Work For" in 2006, 2007, 2008, 2009 and 2012
     In 2008, 2011, 2012, 2013, 2014 and 2015 Seattle Business Magazine named West Monroe "Best Large Company Headquartered Outside Washington"
     From 2010 to 2015 named a "Top Workplace" by the Chicago Tribune
     Named one of Consulting Magazine's "Best Small Firms to Work For" for the second straight year in 2010
     In 2012, 2013, 2014 and 2015 named one of the top Managed Service Providers in North America by MSPmentor
     In 2011 named to Columbus Business First's 2011 "Best Places to Work"
     In 2012, 2013, 2014 and 2015 named one of Consulting Magazine's "Best Large Firms to Work For"
     In 2013 and 2014 named to the Great Place to Work "Best Small & Medium Workplaces" list published in FORTUNE magazine
     In 2012, 2014 and 2015 the Puget Sound Business Journal selected West Monroe Partners as a finalist for Washington's Best Workplaces
     Selected for the 2013 "Inner City 100" by the Initiative for a Competitive Inner City (ICIC) and FORTUNE
     In 2008, 2009, 2011, 2012, 2013 and 2015 named by Crain's Chicago Business as one of its "Fast Fifty"
  • 4. West Monroe Partners: an uncommon blend of business consultants and deep technologists solving security challenges in today's business climate
     West Monroe's Security team was built from the ground up by blending deep technologists with a focus on strategic security consulting
     We emphasize security as a component of an overall risk management approach, meaning we focus on strategic solutions and on helping organizations operationalize their security investments
     Where most security consultancies address security through tactical assessments and point solutions, we deliver prioritized roadmaps that address the areas that will most effectively improve your security posture and reduce risk
  • 5. The Federal Financial Institutions Examination Council (FFIEC) and its member agencies:
     FRB: Board of Governors of the Federal Reserve System ("the Fed")
     OCC: Office of the Comptroller of the Currency
     FDIC: Federal Deposit Insurance Corporation
     NCUA: National Credit Union Administration
     CFPB: Consumer Financial Protection Bureau
     SLC: State Liaison Committee, with representatives from CSBS (Conference of State Bank Supervisors), ACSSS (American Council of State Savings Supervisors) and NASCUS (National Association of State Credit Union Supervisors)
    Starting in late 2015, examiners will begin using a new assessment tool, the FFIEC Cybersecurity Assessment Tool (CAT), to better understand risks and controls related to cybersecurity.
  • 6. There are two pieces of the FFIEC tool that must be completed, in order:
     1. Inherent Risk Profile: the institution rates itself across five categories: Technologies and Connections; Delivery Channels; Online/Mobile Products and Technology Services; Organizational Characteristics; External Threats
     2. Cybersecurity Maturity: assessed only after the Inherent Risk Profile has been established, because the profile sets the maturity the institution should expect of itself
  • 7. The Cybersecurity Maturity profile worksheet is hierarchically structured, similar to most compliance frameworks: Domain > Assessment Factor > Component > Maturity Level > Declarative Statement. There are five maturity levels (Baseline, Evolving, Intermediate, Advanced, Innovative). Each declarative statement is answered Yes or No, and a domain attains a maturity level only when every declarative statement at that level and at all lower levels is answered Yes.
  • 8. By combining the information from the Inherent Risk and Maturity profiles, gaps can be assessed: a domain whose attained maturity falls below what the institution's inherent risk profile calls for is a gap. [Figure: worked maturity worksheet with Yes/No answers tallied per maturity level and compared against the inherent risk profile]
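The workflow on slides 6 to 8, as an added example that is not part of the West Monroe deck or of the FFIEC tool itself: a small Python model of the CAT's two parts. Part 1 rolls the five Inherent Risk Profile category ratings up into one profile; Part 2 walks the Domain > Assessment Factor > Component > Maturity Level > Declarative Statement hierarchy and attains a level only when every statement at that level and below is answered Yes; the gap report then compares each domain against the maturity band expected for the profile and lists the No answers that block the next level. The domain, assessment factor and component names are the CAT's; the declarative statements, the category ratings, the take-the-highest roll-up rule and the EXPECTED_BAND table are assumptions made for illustration, since the CAT leaves both the roll-up and the target maturity to management judgment.

```python
from dataclasses import dataclass
from enum import IntEnum

class RiskLevel(IntEnum):  # Inherent Risk Profile ratings, lowest to highest
    LEAST, MINIMAL, MODERATE, SIGNIFICANT, MOST = 1, 2, 3, 4, 5

class Maturity(IntEnum):  # CAT maturity levels; NONE = Baseline not yet reached
    NONE, BASELINE, EVOLVING, INTERMEDIATE, ADVANCED, INNOVATIVE = 0, 1, 2, 3, 4, 5

# Part 1: the five Inherent Risk Profile categories (names from the CAT).
RISK_CATEGORIES = ("Technologies and Connections", "Delivery Channels",
                   "Online/Mobile Products and Technology Services",
                   "Organizational Characteristics", "External Threats")

# ASSUMPTION: the CAT expects higher maturity as inherent risk rises but leaves
# the target to the institution; these (floor, ceiling) bands are illustrative.
EXPECTED_BAND = {
    RiskLevel.LEAST: (Maturity.BASELINE, Maturity.EVOLVING),
    RiskLevel.MINIMAL: (Maturity.BASELINE, Maturity.INTERMEDIATE),
    RiskLevel.MODERATE: (Maturity.EVOLVING, Maturity.ADVANCED),
    RiskLevel.SIGNIFICANT: (Maturity.INTERMEDIATE, Maturity.INNOVATIVE),
    RiskLevel.MOST: (Maturity.ADVANCED, Maturity.INNOVATIVE),
}

def inherent_risk_profile(ratings):
    """Roll the category ratings up into one profile. The CAT leaves this to
    management judgment; ASSUMPTION: take the highest rating, so a single
    "Most" category drives the profile. Refuses a partially rated worksheet."""
    missing = set(RISK_CATEGORIES) - set(ratings)
    if missing:
        raise ValueError(f"unrated categories: {sorted(missing)}")
    return max(ratings[c] for c in RISK_CATEGORIES)

@dataclass(frozen=True)
class Statement:
    """One worksheet row: Domain > Assessment Factor > Component > Maturity
    Level > Declarative Statement, answered Yes (True) or No (False)."""
    domain: str
    factor: str
    component: str
    level: Maturity
    text: str
    answer: bool

def domain_maturity(statements):
    """A level is attained only when every statement at it and below is Yes;
    the first level with a No (or with no statements at all) stops the climb."""
    attained = Maturity.NONE
    for level in list(Maturity)[1:]:
        at_level = [s for s in statements if s.level == level]
        if not at_level or not all(s.answer for s in at_level):
            break
        attained = level
    return attained

def gap_report(risk, statements):
    """Part 1 meets Part 2: each domain's attained maturity against the floor of
    the band for this profile, worst shortfall first, with the No answers that
    block the next level so the gap is actionable rather than just a number."""
    floor, _ceiling = EXPECTED_BAND[risk]
    rows = []
    for domain in sorted({s.domain for s in statements}):
        own = [s for s in statements if s.domain == domain]
        attained = domain_maturity(own)
        blocking = sorted(s.text for s in own
                          if not s.answer and s.level == attained + 1)
        rows.append({"domain": domain, "attained": attained,
                     "shortfall": max(0, floor - attained), "blocking": blocking})
    return sorted(rows, key=lambda r: (-r["shortfall"], r["domain"]))

# Constructed worksheet: real CAT domain/factor/component names, made-up statements.
D1, D3 = "Cyber Risk Management and Oversight", "Cybersecurity Controls"
SAMPLE_RATINGS = dict(zip(RISK_CATEGORIES, (
    RiskLevel.SIGNIFICANT, RiskLevel.MODERATE, RiskLevel.MODERATE,
    RiskLevel.MINIMAL, RiskLevel.MODERATE)))
SAMPLE_STATEMENTS = [
    Statement(D1, "Governance", "Oversight", Maturity.BASELINE,
              "The board reviews the information security program annually", True),
    Statement(D1, "Risk Management", "Risk Assessment", Maturity.BASELINE,
              "A risk assessment covering cyber threats is performed", True),
    Statement(D1, "Governance", "Oversight", Maturity.EVOLVING,
              "Cyber risk is reported to the board quarterly", True),
    Statement(D1, "Risk Management", "Risk Assessment", Maturity.INTERMEDIATE,
              "The risk assessment is updated when new products are introduced", False),
    Statement(D3, "Preventative Controls", "Access and Data Management",
              Maturity.BASELINE, "Privileged access is reviewed at least annually", True),
    Statement(D3, "Detective Controls", "Threat and Vulnerability Detection",
              Maturity.BASELINE, "Independent vulnerability scans are performed", False),
    Statement(D3, "Preventative Controls", "Access and Data Management",
              Maturity.EVOLVING, "Multifactor authentication covers all remote access", True),
]

if __name__ == "__main__":
    risk = inherent_risk_profile(SAMPLE_RATINGS)
    for row in gap_report(risk, SAMPLE_STATEMENTS):
        print(f"{risk.name}: {row['domain']} at {row['attained'].name}, short "
              f"{row['shortfall']} level(s); blocking: {row['blocking']}")
```

Two design points matter more than the numbers. First, a single No at Baseline pins the whole domain at "none attained" even when Evolving statements are answered Yes, which is exactly the all-or-nothing behaviour the worksheet has and the reason the report lists the blocking statements rather than a percentage. Second, the roll-up refuses a partially rated profile: an inherent risk profile computed from four of five categories is the kind of quiet understatement an examiner will find first.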
  • 9. On its own, use of the FFIEC CAT has clear strengths and weaknesses.
    Strengths:
     Easy to conduct
     Ordained by regulators
     Good coverage
     Contextual
     Thoroughly mapped
    Weaknesses:
     Lack of detailed gap analysis
     Little flexibility
     Hard for non-technologists to digest
     Difficult to represent findings
  • 10. Depending on the ability of your organization to respond to regulatory guidance, additional support or use of alternate frameworks may help.
  • 11. The NIST Framework Core identifies the key Categories and Subcategories for each Function and maps them to Informative References. The Core is structured Function > Category > Subcategory > Informative References.
     Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.
     Subcategories further divide a Category into specific outcomes of technical and/or management activities.
     Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory.
    The five Functions and their Categories:
     Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
     Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
     Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
     Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
     Recover: Recovery Planning; Improvements; Communications
  • 12. NIST Framework: industry alignment. The FFIEC Cybersecurity Assessment Tool directly aligns with the NIST Cybersecurity Framework: the FFIEC CAT itself provides a statement-by-statement mapping from the NIST Cybersecurity Framework (NIST CSF) to the CAT (Appendix B of the CAT), so an institution that has already profiled itself against the CSF can trace each CAT declarative statement back to a CSF subcategory. [Figure: example of the NIST CSF mapping to the FFIEC CAT]
  • 13. NIST Framework: industry alignment. The Core of the NIST Cybersecurity Framework further aligns to other frameworks. Organizations with successful implementations of the NIST CSF can benefit from its synergy with other frameworks: the NIST CSF Core contains Informative References, which are specific sections of other frameworks that illustrate a method to achieve the outcomes associated with each of the Core's Subcategories. Example of the NIST CSF Core referring to other frameworks:
     Function: IDENTIFY (ID)
     Category: Asset Management (ID.AM). The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
     Subcategory: ID.AM-1. Physical devices and systems within the organization are inventoried.
     Informative References: CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
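How a practitioner actually uses the Informative References on slides 12 and 13, as an added example that is not from the deck, from NIST or from the FFIEC: parse reference strings in the form shown above into (standard, clause) pairs, build a reverse index so a clause such as ISO/IEC 27001:2013 A.8.1.1 answers "which subcategories cite me", and chain that through a CSF-to-CAT mapping so evidence already collected for one framework becomes a lead for the others. The ID.AM-1 row is the one on slide 13; the ID.AM-2 row, the CAT_MAP table and the CAT statement ID in it are constructed for illustration and would be replaced with the published Framework Core and the CAT's own mapping.

```python
import re
from collections import defaultdict

# Standards named in the CSF v1.0 Informative References column. Longest names
# first so the anchored alternation never stops at a shorter prefix.
KNOWN_STANDARDS = ("CCS CSC", "COBIT 5", "ISA 62443-2-1:2009", "ISA 62443-3-3:2013",
                   "ISO/IEC 27001:2013", "NIST SP 800-53 Rev. 4")
_REF_RE = re.compile(r"^(" + "|".join(re.escape(s) for s in
                     sorted(KNOWN_STANDARDS, key=len, reverse=True)) + r")\s+(.+)$")

def parse_reference(text):
    """'ISO/IEC 27001:2013 A.8.1.1, A.8.1.2' -> [(standard, clause), ...].
    An unknown standard is an error, not silently dropped: a crosswalk that
    loses references quietly over-reports coverage."""
    m = _REF_RE.match(text.strip())
    if not m:
        raise ValueError(f"unknown standard in reference: {text!r}")
    standard, clauses = m.groups()
    return [(standard, c.strip()) for c in clauses.split(",") if c.strip()]

# ID.AM-1 is the row shown on slide 13. ID.AM-2 is CONSTRUCTED in the same shape
# so that shared references are visible; take real rows from the published Core.
CORE = {
    "ID.AM-1": {
        "function": "IDENTIFY (ID)", "category": "Asset Management (ID.AM)",
        "outcome": "Physical devices and systems within the organization are inventoried",
        "references": ["CCS CSC 1", "COBIT 5 BAI09.01, BAI09.02",
                       "ISA 62443-2-1:2009 4.2.3.4", "ISA 62443-3-3:2013 SR 7.8",
                       "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2",
                       "NIST SP 800-53 Rev. 4 CM-8"]},
    "ID.AM-2": {
        "function": "IDENTIFY (ID)", "category": "Asset Management (ID.AM)",
        "outcome": "Software platforms and applications are inventoried (constructed row)",
        "references": ["CCS CSC 2", "COBIT 5 BAI09.01, BAI09.02, BAI09.05",
                       "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2",
                       "NIST SP 800-53 Rev. 4 CM-8"]},
}

# CONSTRUCTED stand-in for the CAT's own NIST-CSF-to-CAT mapping (the CAT's
# Appendix B); the ID follows the CAT's Domain.Factor.Component.Level.N pattern.
CAT_MAP = {"ID.AM-1": ["D1.G.IT.B.1"], "ID.AM-2": ["D1.G.IT.B.1"]}

def reference_index(core):
    """Reverse index: (standard, clause) -> sorted IDs of the subcategories citing it."""
    index = defaultdict(set)
    for sub_id, row in core.items():
        for ref_text in row["references"]:
            for key in parse_reference(ref_text):
                index[key].add(sub_id)
    return {key: sorted(ids) for key, ids in index.items()}

def coverage_from_evidence(evidence, core=CORE, cat_map=CAT_MAP):
    """Given (standard, clause) pairs an auditor already holds evidence for, e.g.
    from an ISO 27001 Statement of Applicability, return the CSF subcategories
    that cite them and the CAT statements those subcategories map to.

    Caveat: an Informative Reference illustrates *a method* to reach the
    outcome. A hit here is a lead for reusing evidence, not proof that the
    subcategory (or the CAT statement behind it) is actually satisfied."""
    index = reference_index(core)
    subcategories = set()
    for key in evidence:
        subcategories.update(index.get(key, []))
    cat_statements = {stmt for sub in subcategories for stmt in cat_map.get(sub, [])}
    return {"subcategories": sorted(subcategories),
            "cat_statements": sorted(cat_statements)}

if __name__ == "__main__":
    # Evidence held for the ISO 27001 asset inventory controls only.
    held = {("ISO/IEC 27001:2013", "A.8.1.1"), ("ISO/IEC 27001:2013", "A.8.1.2")}
    print(coverage_from_evidence(held))
```

The caveat in coverage_from_evidence is the part worth keeping when this grows into a real crosswalk: the CSF's own wording is that a reference illustrates a method, so a matched reference justifies reusing evidence, never marking the subcategory or the CAT declarative statement behind it as done. Parsing is strict for the same reason; a standard the parser does not know raises rather than being skipped, because the failure mode of a lenient crosswalk is coverage that looks better than it is.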
  • 14. By assessing both the current-state and desired-state profiles, an organization can determine the most impactful areas of focus. [Figure: radar chart of current versus desired state for each function of the NIST / WMP framework (Govern, Identify, Protect, Detect, Respond, Recover), rated on the PRISMA scale: Policies, Procedures, Implementation, Testing, Organizational Integration]. Govern is a West Monroe addition to the five NIST CSF functions.
  • 15. The NIST framework can be leveraged to monitor and objectively evaluate an organization's security maturity and associated progress. Current and desired ratings per function:
    Function   Current Rating   Desired Rating
    GOVERN     1.5              3.6
    IDENTIFY   1.1              3.5
    PROTECT    1.4              3.5
    DETECT     1.4              3.2
    RESPOND    1.5              3.5
    RECOVER    1.2              3.1
    [Figure: radar chart of the same current and desired ratings]
  • 16. At the end of the day, regulators will demand more than a completed checklist.
  • 17. Questions & Discussion
     Jerin May, Director, Infrastructure and Security, Seattle. Desk 206.905.0209, Cell 206.920.0958, jmay@westmonroepartners.com
     Ross Miller, Manager, Infrastructure and Security, Seattle. Desk 206.905.0167, Cell 517.525.1843, rmiller@westmonroepartners.com