Lord of the Keys: Maturing your IS Program Using the NIST Cybersecurity Framework and FFIEC Cybersecurity Maturity Assessment
Agenda
• Reasons to Mature
• Breaches and Impact
• WNB Posture
• NIST Cybersecurity Framework
• FFIEC Maturity Assessment Tool
Background
I.S.E. People's Choice Award: http://www.ten-inc.com/ise/central/default.asp
Voting: https://www.surveymonkey.com/r/CEN_PCVOTING
LinkedIn Profile: Marc Crudgington
Why Act?
• Executive Order 13636: President signs to improve cybersecurity in the critical infrastructure, 02/2013
• PCI Required: Covers those associated with payment cards (banks, merchants, tech), 12/2004
• Right thing to do: Protecting customer data is paramount to the bank's reputation/trust
Why Act?
• FFIEC: Cybersecurity Awareness, IT Handbook, Frequency of attacks, 11/2015; Mitigate attacks, 03/2015; Participate in Intel Sharing, 11/2014
• Executive Order: Private sector information sharing, 02/2015; National Action Plan and Cybersecurity Commission, 02/2016
• FFIEC: Releases Cybersecurity Assessment Tool, recommends financial institutions use it or a similar tool, 06/2015
Why Act?
ID10Ts exist and they want their…
Company Breaches
Effects on Economy
Jobs in US Economy (chart): IP Intensive 28%; Finance 8%; Healthcare 10%; Energy 8%; Other 46%
Effects on Economy
IP Intensive
• IP: 70% of value of public companies
• Annual losses: estimated over $300B
• China: +$107B sales and +2.1M jobs
Healthcare
• 43%: ITRC account of breaches
• 2013: 8.8M records stolen
• 1.8M: Victims of Identity Theft
Finance/Business
• 2013: 856 reported breaches
• Q1 2014: 98.3% of data exposed
• 37%: Breaches affected the sector
Effects on Economy
• 1M+ jobs lost and a $200B cost in 2010
• Based on estimate of 5,080 jobs per $1B
• 0.5% ($70B) or 1% ($140B) of National Income
• Globally: $350B or $700B
• Healthcare: $7B for HIPAA 2013 losses
• SMBs: 80% file bankruptcy or suffer significant financial losses
• S&P 500: $136.5B due to AP Twitter hack
Effects on Economy
(Chart, 2011 to 2015: $214, $194, $188, $201, $217)
Effects on Economy: Associated Costs
Enterprises
Incident
- Prof Svcs $109k
- Bus. Opp. $457k
Prevention
- New IT Sec $57k
- Training $26k
Total $649k
SMBs
Incident
- Prof Svcs $13k
- Bus. Opp. $23k
Prevention
- New IT Sec $9k
- Training $5k
Total $50k
Attack Type
Targeted
- Ent. $2.4M
- SMB $92k
Phishing
- Ent. $57k
- SMB $26k
DDoS
- Ent. $57k
- SMB $26k
Effects on Economy
• Loss of IP and Confidential Information
• Cybercrime
• Loss of sensitive business information; stock market manipulation
• Opportunity costs, including service and employment disruptions, and reduced trust for online activities
• The additional cost of securing networks, insurance, and recovery from cyber attacks
• Reputational damage
Defense-in-Depth 2.0
(Diagram: Traffic Flow / Security Layers, from the Internet through the Perimeter to the Core)
External sources: Internet, Laptops / Tablets, Phones, Web Apps, Phishing, Scanners
Perimeter: Internet F/W, Remote Access F/W, Extranet VPN F/W, Email GW, Web GW, 2FA, IDS, Load Balancer, Threat Intel, DMZ, File Xport, Payment Sys F/W
Core: PCs, IPS, Servers, Scanners, Server Monitor, Event Monitor, DB Monitor, PCI F/W, Critical Servers
Cybersecurity Maturity Timeline
• Begin assessing program, developing strategy; PCI
• Evaluate/implement framework, tools implementation, continue PCI path
• Continue implementation of framework, tools, PCI; self/regulator assessment, engage 3rd party
• Complete maturity assessment engagement; evaluate report, next steps
• Continuous improvement
Framework Core
• Identify: Organizational understanding to manage cybersecurity risks
• Protect: Appropriate safeguards to ensure delivery of services
• Detect: Appropriate activities to identify the occurrence of a cybersecurity event
• Respond: Appropriate activities to take action regarding a detected cybersecurity event
• Recover: Maintain plans for resilience and to restore services impacted
Framework Function/Category (number of subcategories in parentheses)
Identify
• Asset Management (6)
• Business Environment (5)
• Governance (4)
• Risk Assessment (6)
• Risk Management Strategy (3)
Protect
• Access Control (5)
• Awareness and Training (5)
• Data Security (7)
• Information Protection Processes (12)
• Maintenance (2)
• Protective Technology (4)
Detect
• Anomalies and Events (5)
• Security Continuous Monitoring (8)
• Detection Processes (5)
Respond
• Response Planning (1)
• Communications (5)
• Analysis (4)
• Mitigation (3)
• Improvements (2)
Recover
• Recovery Planning (1)
• Improvements (2)
• Communications (3)
Framework Subcategories
• Subcategories: specific outcomes of technical and/or management activities (requirements, controls, guidelines)
Examples:
• Identify, ID.GV-1: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties, are understood and managed
• Protect, PR.DS-5: Protections against data leaks are implemented
• Detect, DE.AE-2: Detected events are analyzed to understand attack targets and methods
What We Did
• Participated in Framework Request for Information
• Reviewed Framework upon release
• Determined how Framework fit into our current IS Program
• Declared NIST Cybersecurity Framework as our foundational IS Program framework
• Incorporated NIST Cybersecurity Framework into our IS Program
• Internal Audit performed Cybersecurity / GLBA Audit
FFIEC Inherent Risk Profile
Technologies and Connection Types + Delivery Channels + Online/Mobile Products and Technology Services + Organizational Characteristics + External Threats = Inherent Risk
Inherent Risks Samples (Risk Levels: Least, Minimal, Moderate, Significant, Most)
Personal devices allowed to connect to the corporate network
- Least: None
- Minimal: Only one device type available; <5% employees; email
- Moderate: Multiple device types; <10% employees; e-mail
- Significant: Multiple device types; <25% emp.; e-mail, some apps
- Most: Any device; >25% employees; all apps accessed
Online presence (customer)
- Least: No web facing
- Minimal: Website/Social media
- Moderate: Delivery channel, customer comm.
- Significant: Wholesale, retail account origination
- Most: Internet apps serve as channel
Issue debit or credit cards
- Least: Do not issue debit or credit cards
- Minimal: Issue through a third party; <10,000 cards
- Moderate: Issue through a third party; between 10,000 and 50,000 cards
- Significant: Issue directly; between 50,000 and 100,000 cards
- Most: Issue directly; >100,000 cards outstanding; issue on behalf
Changes in IT and IS staffing
- Least: Key positions filled; low turnover
- Minimal: Staff vacancies exist for non-critical roles
- Moderate: Some turnover in key or senior positions
- Significant: Frequent turnover in key or senior staff
- Most: Vacancies in Sr. staff for long periods; IT/IS turnover high
Attempted Cyber Attacks
- Least: None
- Minimal: <100 monthly, generic phishing
- Moderate: <500, targeted phishing, DDoS
- Significant: >500-100k, spear phishing, threat reports, DDoS
- Most: <100k, persistent attacks & DDoS
Inherent Risks
(Chart: Inherent Risk Levels (Least, Minimal, Moderate, Significant, Most) plotted against Cybersecurity Maturity Level for Each Domain (Baseline, Evolving, Intermediate, Advanced, Innovative))
FFIEC Maturity Levels (Level 1 to Level 5, Least Mature to Most Mature)
• Baseline (Level 1): minimum expectations required by law and regulations or recommended in supervisory guidance
• Evolving (Level 2): additional formality of documented procedures and policies that are not already required
• Intermediate (Level 3): detailed, formal processes; controls are validated and consistent
• Advanced (Level 4): cybersecurity practices and analytics that are integrated across lines of business
• Innovative (Level 5): driving innovation in people, processes, and technology for the institution and the industry to manage cyber risks
FFIEC Cybersecurity Domains
1. Cyber Risk Management and Oversight
2. Threat Intelligence and Collaboration
3. Cybersecurity Controls
4. External Dependency Management
5. Cyber Incident Mgmt. and Resilience
Cybersecurity Assessment Factors (Cybersecurity Maturity)
• Cyber Risk Management and Oversight: Governance (Oversight, Strategy/Policies, IT Asset Management), Risk Management, Resources, Training and Culture
• Threat Intelligence and Collaboration: Threat Intelligence, Monitoring and Analyzing, Information Sharing
• Cybersecurity Controls: Preventative Controls, Detective Controls, Corrective Controls
• External Dependency Management: Connections, Relationship Management
• Cyber Incident Management and Resilience: Incident Resilience Planning and Strategy; Detection, Response, and Mitigation; Escalation and Reporting
Cybersecurity Maturity Statements
Domain 2: Threat Intelligence and Collaboration; Assessment Factor: Information Sharing; Statement: Information Sharing
• Evolving: A formal and secure process is in place to share threat and vulnerability information with other entities
• Advanced: Relationships exist with employees of peer institutions for sharing cyber threat intelligence
Domain 3: Cybersecurity Controls; Assessment Factor: Detective Controls; Statement: Anomalous Activity Detection
• Baseline: Elevated privileges are monitored
• Innovative: The institution has a mechanism for real-time automated risk scoring of threats
Domain 1: Cyber Risk Management and Oversight; Assessment Factor: Governance; Statement: Oversight
• Baseline: The budgeting process includes information security related expenses and tools
• Advanced: Management has a formal process to continuously improve cybersecurity oversight
What We Did
• Started maturing when hired in 08/2012
• Assessed program, changed IS Committee meeting, recommended anomalous behavior tools
• Utilized other maturity assessments: Gartner 03/2013, reassessed in early 2015
• Surprise: the FFIEC released its maturity assessment on 06/30/2015
• Collaborated with CIO/CRO to complete the assessment
• Worked with regulators (OCC) to complete assessment to Evolving level
• Engaged a 3rd party consulting/audit firm to complete assessment
Do you have any questions?
ISACA ISSA Presentation
