This was our final presentation for the EY Trajectory Program. This was the presentation we created in conjunction with the Third Party Risk Management workstream and the Regulatory Compliance workstream. We presented our findings to a panel of EY partners and senior managers in NYC.
Ernst Bank's Third Party and Cybersecurity Assessment
1. TRILOGY CONSULTING APRIL 29, 2016
TRILOGY CONSULTING
THIRD PARTY RISK MANAGEMENT
CYBERSECURITY
REGULATORY COMPLIANCE
2. 2
Overall Agenda
Third Party Risk Management: Assessment Overview and Results; Issues; Recommendations
Cybersecurity: Cybersecurity Overview; Assessment Results; Recommendation Roadmap; Value of the Solution
Regulatory Compliance: Research & Analysis; Recommendations; Takeaways
3. 3
Executive Summary
Assessment tools used, by workstream:
Third Party Risk Management: OCC Gap Analysis Questionnaire
Cybersecurity: NIST Framework Core Assessment Questionnaire
Regulatory Compliance: FFIEC Control Listing
These are the findings across the three workstreams:
Third Party Risk Management
1. Auditing gaps in vendor contractual agreements
2. Limited maturity in review depth
3. Undefined roles and responsibilities
Cybersecurity
1. Asset management can be improved
2. Risk mitigation strategy can be enhanced
3. Awareness and training can be more robust
Regulatory Compliance
1. Operational structure and accountability system can be improved
2. Security controls and training can be updated
3. Documentation and monitoring system can be strengthened
4. 4
Value of the Solution to Ernst Bank
• Global presence
• 8 million consumers
• 7 million active users worldwide using online and mobile banking
• 1.5 billion total in deposits
6. 6
TRILOGY CONSULTING THIRD PARTY RISK MANAGEMENT APRIL 29, 2016
Agenda: Assessment Overview and Results; Issues; Recommendations
7. 7
OCC 2013-29 Overview and Results
The assessment follows the five stages of the third-party relationship life cycle in OCC Bulletin 2013-29; each stage is described and scored below.
Planning: provides detail on how the bank will select, assess, and oversee a third party. Score: Moderate
Due Diligence: includes a detailed process on how to properly select a third party. Score: Minor
Contract Negotiation: contains detailed documentation of each party's rights and responsibilities. Score: Minor
Ongoing Monitoring: consists of comprehensive assessments of the third party to ensure contract compliance. Score: Moderate
Termination: explains how and why a contract may be ended and how to deal with shared property. Score: Minor
8. 8
Results
Chart: distribution of questionnaire responses per life-cycle stage (the chart legend is not preserved in this transcript): Planning 55% / 19% / 7% / 19%; Due Diligence 69% / 15% / 16%; Contract Negotiation 75% / 8% / 11% / 6%; Ongoing Monitoring 44% / 37% / 19%
Scores: Planning Moderate; Due Diligence Minor; Contract Negotiation Minor; Ongoing Monitoring Moderate; Termination Minor
9. 9
Identified Third Party Risk Issues
Issue 1: Auditing gaps in vendor contractual agreements. Recommendation 1: Update contract requirements
Issue 2: Limited maturity in review depth. Recommendation 2: Develop proper ongoing monitoring for third and fourth parties
Issue 3: Undefined roles and responsibilities. Recommendation 3.1: Define a risk management committee; Recommendation 3.2: Employee training
10. 10
Recommendation One
Issue 1: Auditing gaps in vendor contractual agreements. Recommendation 1: Update contract requirements
11. 11
Contract Requirements
Vendor contracts should specify:
• Ernst Bank's right to conduct annual reviews of high-risk vendors and offsite reviews of low-risk vendors
• Ernst Bank's right to monitor the third party's compliance
• The frequency with which the third party will submit control audits and reports
• Ernst Bank's right to transfer the service to another provider in the event of a business disruption
• Activities that cannot be subcontracted
• Procedures for notifying the bank in writing whenever service disruptions or security breaches pose a risk to Ernst Bank
12. 12
Recommendation Two
Issue 2: Limited depth in reviewing vendors and their subcontractors. Recommendation 2: Develop proper ongoing monitoring for third and fourth parties
13. 13
Third Party Monitoring Process
Reports to be collected from each third party:
1. Service-level agreement reports
2. Performance reports
3. Audit reports
4. Control testing results
14. 14
Fourth Party Monitoring Flowchart
1. Identify all fourth-party providers
2. Assess what activities and information are being subcontracted
3. Develop a non-disclosure agreement
4. Is the fourth party a high-risk vendor?
   Yes: perform annual reviews and onsite reviews together with the third-party vendor; assess changes to the fourth party's financial situation, insurance coverage, etc.; report to the centralized data repository
   No: vendor self-assessment; collect reports every 2-3 years; report to the centralized data repository
15. 15
Recommendation Three
Issue 3: Undefined roles and responsibilities. Recommendation 3.1: Define a risk management committee; Recommendation 3.2: Employee training
16. 16
Define Risk Management Committee
A risk management committee composed of:
1. Executive and non-executive directors
2. Lawyers
3. Risk professionals
4. IT support specialists
Purpose:
• Review all vendor contracts
• Perform all onsite reviews and monitoring procedures
• Monitor Ernst Bank's risk profile
• Define risk review activities for decisions such as new acquisitions
• Report to senior management
17. 17
Formal Training Program
• Ensure employees are adequately trained and that the people in charge hold certifications that qualify them for their roles
Ernst Bank certification of employees:
• Certification for vendor and IT managers
• Defines the roles and responsibilities of each position
Training programs for third parties:
• Identify what is expected of the third party and its roles and responsibilities
• Reduce the risk of misconduct by third parties
18. 18
Certification of Employees
Third party risk management certification programs:
Certified Third Party Risk Professional (CTPRP)
• Managing the vendor life cycle
• Vendor risk identification and rating
• Test and 2-day training course
Certified Regulatory Vendor Program Manager (CRVPM)
• Be recognized as a professional in the field
• Knowledge required to build, implement, and manage a third party oversight program
• 6-hour training course
Certified Risk and Compliance Management Professional (CRCMP)
• Understand international standards and principles in IT risk management
• Understanding of the OCC bulletin
• 2,800-slide course and 3 exams
19. 19
Third Party Training Programs
• "[The] DOJ and SEC also assess whether the company has informed third parties of the company's compliance program and commitment to ethical and lawful business practices and, where appropriate, whether it has sought assurances from third parties, through certifications and otherwise, of reciprocal commitments. These can be meaningful ways to mitigate third-party risk." (pp. 60-61), SEC
• Implementation:
  • Have clear anti-bribery and third party supply chain statements in your code of conduct as well as in separate policies
  • Identify and rank the risks of third parties
  • Complete appropriate risk-based due diligence matched to the risk level of each third party before engaging them, and continuously monitor third parties for red flags (optimally using an automated system)
  • Ensure that third parties have an effective compliance program in place and are aware of and trained on your company's expectations with respect to bribery and corruption
21. 21
TRILOGY CONSULTING CYBERSECURITY APRIL 29, 2016
Cyber Security Agenda: Cybersecurity Overview; Assessment Results; Recommendation Roadmap; Value of the Solution
22. 22
Importance to Ernst Bank
Cybersecurity is growing in size and importance (source: New York State Department of Financial Services):
• 2020: $170 B
• $400 M to $500 M: annual cost of cyberattacks
• 1.5 M
• $14 B: amount the federal government will spend on cybersecurity in 2016
• 62%: increase in cyber breaches since 2012
• 76% of phishing scams are targeted at financial institutions
• 46% of intrusions lead to account takeovers
23. 23
Cybersecurity Overview
Scope
• Ernst Bank requires a high-level cybersecurity awareness training program that targets employees at every level
• Create a data flow inventory system to identify areas susceptible to cyber threats
• Develop a comprehensive asset management system that inventories all systems, software, applications, and devices used within the bank
Approach
• A risk assessment tool is needed to analyze and outline the current cyber security infrastructure
• Based on the assessment results, develop a comprehensive plan for firm security
• The NIST Cyber Security Framework outlines the guidelines and standards needed to implement a well-protected system
Solutions
• Cyber security risk assessment questionnaire rooted in the NIST Framework Core
• Visual breakdown of Ernst Bank's cyber security risks, along with details on the scoring methodology
• Roadmap for improvement created by cyber security experts and tailored to Ernst Bank's specific cyber security needs
24. 24
NIST Framework Core
Function: Purpose
Identify: What assets need protection?
Protect: What safeguards are available?
Detect: What technologies can identify incidents?
Respond: What technologies can contain the impacts of incidents?
Recover: What techniques can restore capabilities?
25. 25
Risk Assessment Tool
• Each question is based on a NIST Framework Core control
• Once the questions for all five functions have been filled out, the tool generates the results and an in-depth analysis of Ernst Bank
• Identifies potential weak points in the current infrastructure
26. 26
Scoring Breakdown
1 (Minor): The cyber security protocols, procedures, and implementations of Ernst Bank go above and beyond industry standards, with no major improvements necessary
2 (Moderate): Some areas of the cyber security system implementation require updates, but the majority of the system is up to industry standards
3 (Major): Significant updates to the policies and infrastructure of the cyber security system are required
4 (Critical): Drastic updates to the policies and infrastructure of the cyber security system are needed urgently; even minor threats may cause substantial damage to valuable data and assets
27. 27
Breakdown of Functions
• Each question is scored based on the response given and the weight assigned to its category
• Overall risk is broken down and presented function by function
• Functions are given risk ratings of Minor, Moderate, Major, and Critical
• Risk breakdown graphs show the level of risk mitigation (taller bars equate to more secure systems)
28. 28
Breakdown of Categories
• Each framework function is broken down by category
• Weak categories within each function are identified to help fix vulnerabilities within Ernst Bank's overall cyber security system
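The scoring method the two preceding slides describe (per-question answers weighted by category, rolled up to a function rating, weak categories flagged) as an added worked example. This is not the Trilogy Consulting tool; the question set, the category weights, the 1-4 answer scale and the rating band edges are all assumptions made for illustration, since the deck states that weights and ratings exist but does not publish them.

```python
from collections import defaultdict

# Rating names follow the Scoring Breakdown slide (1 Minor ... 4 Critical).
# The band edges are an assumption: the deck does not publish how a
# fractional score is mapped to a rating.
RATING_BANDS = [(1.75, "Minor"), (2.50, "Moderate"), (3.25, "Major")]

# Assumed category weights; the deck says each category has a weight but
# does not list them. Keys are (NIST function, category).
CATEGORY_WEIGHTS = {
    ("Identify", "Asset Management"): 1.5,
    ("Identify", "Business Environment"): 1.0,
    ("Identify", "Risk Management Strategy"): 1.5,
    ("Protect", "Awareness and Training"): 1.2,
    ("Protect", "Access Control"): 1.0,
    ("Detect", "Detection Processes"): 1.0,
}

# Constructed questionnaire responses: (function, category, question, answer).
# Answers use the same 1-4 scale as the ratings (1 = control fully in place,
# 4 = control absent); None marks a question left unanswered.
SAMPLE_RESPONSES = [
    ("Identify", "Asset Management", "Hardware inventory maintained?", 4),
    ("Identify", "Asset Management", "Software inventory maintained?", 4),
    ("Identify", "Asset Management", "Data flows mapped?", 3),
    ("Identify", "Business Environment", "Business objectives documented?", 1),
    ("Identify", "Business Environment", "Priorities communicated?", 1),
    ("Identify", "Risk Management Strategy", "Risks ranked by impact?", 3),
    ("Identify", "Risk Management Strategy", "Risk tolerance defined?", 4),
    ("Protect", "Awareness and Training", "Recurring training for all staff?", 4),
    ("Protect", "Awareness and Training", "Privileged-user training?", 4),
    ("Protect", "Access Control", "Access granted by role?", 2),
    ("Protect", "Access Control", "Access reviewed periodically?", 2),
    ("Detect", "Detection Processes", "Detection roles defined?", 1),
    ("Detect", "Detection Processes", "Detection processes tested?", None),
]


def rating(score):
    """Map a 1-4 score to Minor/Moderate/Major/Critical using RATING_BANDS."""
    for upper, name in RATING_BANDS:
        if score < upper:
            return name
    return "Critical"


def _validate(responses, weights):
    for func, cat, question, answer in responses:
        if (func, cat) not in weights:
            raise KeyError(f"no weight for category {cat!r} in {func}")
        if answer is not None and not 1 <= answer <= 4:
            raise ValueError(f"{question!r}: answer {answer} outside 1-4")


def score_categories(responses, weights):
    """Mean answer per (function, category); None if nothing was answered.

    Within one category every question carries the same weight, so the
    weight cancels and the category score is a plain mean of its answers.
    """
    _validate(responses, weights)
    total, count = defaultdict(float), defaultdict(int)
    for func, cat, _q, answer in responses:
        if answer is not None:
            total[(func, cat)] += answer
            count[(func, cat)] += 1
    return {key: (total[key] / count[key] if count[key] else None)
            for key in weights}


def score_functions(responses, weights):
    """Weighted mean per function: sum(answer * weight) / sum(weight).

    Each answered question contributes its answer times its category weight,
    which is the per-question scoring the slide describes. Unanswered
    questions contribute nothing to either sum, so they neither inflate nor
    deflate the result.
    """
    _validate(responses, weights)
    num, den = defaultdict(float), defaultdict(float)
    for func, cat, _q, answer in responses:
        if answer is not None:
            num[func] += answer * weights[(func, cat)]
            den[func] += weights[(func, cat)]
    return {func: num[func] / den[func] for func in den}


def weak_categories(category_scores):
    """Categories rated Major or Critical, grouped by function, worst first."""
    weak = defaultdict(list)
    for (func, cat), score in category_scores.items():
        if score is not None and rating(score) in ("Major", "Critical"):
            weak[func].append((cat, round(score, 2), rating(score)))
    return {func: sorted(items, key=lambda t: -t[1]) for func, items in weak.items()}


if __name__ == "__main__":
    for func, score in score_functions(SAMPLE_RESPONSES, CATEGORY_WEIGHTS).items():
        print(f"{func}: {score:.2f} ({rating(score)})")
    cats = score_categories(SAMPLE_RESPONSES, CATEGORY_WEIGHTS)
    for func, items in weak_categories(cats).items():
        print(f"  weak in {func}: {items}")
```

With the constructed answers, Identify and Protect both roll up to Major even though Asset Management, Risk Management Strategy and Awareness and Training are individually Critical, which is exactly why the deck breaks each function down by category: a function-level rating can hide a Critical category behind a few well-scored ones.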
29. 29
Critical Risk Categories
The following categories received a score of Critical. Improvements are necessary immediately to bring these categories up to NIST Framework standards.

Asset Management
Description: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
Current controls: Inventory systems, data flows, and external systems are not catalogued. This can result in loosely managed software, misplaced or lost data, or exposure of data to malicious entities.
Recommendation: New device purchases and distributions should be catalogued and the inventory system continuously updated. This allows applications to be monitored for weak points in the current hardware and software infrastructure. Cataloguing all data flows keeps data locatable and within a secure and monitored environment.

Risk Management Strategy
Description: The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Current controls: The current system does not identify and rank vulnerabilities based on their potential fallout. Organizational risk tolerances are not clearly defined and managed. This can lead to an unsuitable amount of risk being accepted because sufficient security measures are not implemented.
Recommendation: Identify possible risks and the consequences of assets being compromised. Then determine the acceptable risk level and work to minimize the factors that could exceed it.

Awareness and Training
Description: The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
Current controls: Employees are only trained in cyber security practices when they are hired and are not subject to continuous training. Like regular employees, privileged users are not subject to formal training. Users with enhanced access present a higher risk to key information.
Recommendation: Ernst Bank needs to implement frequent training classes. Hardware and software can only safeguard a network to a certain degree; the human element is always a risk. Regular training can help reduce the risk of social engineering. Users with access to more sensitive information within the data hierarchy need more advanced and frequent training.
30. 30
Major Risk Categories
The following categories received a score of Major. Improvements are necessary to bring these categories up to NIST Framework standards.

Governance
Description: The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Current controls: Organizational policies do not always take cyber security risk into account.
Recommendation: Revise current policies to place a greater emphasis on cyber security risk. This will help increase awareness and mitigate risk due to employee error.

Analysis
Description: Analysis is conducted to ensure an adequate response to breaches and to support recovery activities.
Current controls: Notifications from detection systems are not investigated.
Recommendation: The CIO, Senior Manager, and Cyber Security Manager should receive text and email alerts according to the severity of notifications. This establishes a clear path of accountability and responsibility.

Mitigation
Description: In the case of a breach, actions are taken to contain the event, mitigate its effects, and minimize repercussions.
Current controls: Response planning is not updated based on prior incidents.
Recommendation: To more effectively contain and mitigate incidents, Ernst Bank must update its response plans based on a record of prior incidents.

Communications
Description: Response activities are communicated and coordinated with internal and external parties.
Current controls: Response plans are not properly executed when a breach occurs, due to a lack of defined roles and responsibilities for employees.
Recommendation: A detailed plan outlining employee roles and responsibilities needs to be created. This will help Ernst Bank employees respond properly to a breach when it occurs.
31. 31
Quick Win: Coordinate a CSIRT
Assemble a Computer Security Incident Response Team to properly mitigate and investigate all cyber incidents. The team will:
• Mitigate and contain all breaches until the network is deemed safe
• Develop policies and procedures for use in case of a breach
• Establish reporting guidelines for employees and methods for response planning
• Coordinate a communication network between all levels of employees and other relevant groups
• Clearly define roles and responsibilities for all levels of employees
• Assist in creating and maintaining an inventory system for Ernst Bank
32. 32
Quick Win: Asset Management
Example data flow to map (mobile check deposit): user logs in → deposits mobile check → check is encrypted end-to-end → sent to Ernst Bank server → check processed → stored in data center for record retention
• Inventory all software and hardware in place
• Develop data flow maps of the entire Ernst Bank network
• Identify potential risks in the systems in place
• Periodically review all systems to detect anomalies
33. 33
Quick Win: Routine Employee Training
• Send out phishing tests through a randomized selection system to track the effectiveness of employee training
• Have privileged users attend upper-level training seminars
• Contract an outside firm to provide monthly cyber security training
34. 34
Implementing Employee Training
Management training guidelines:
• Additional monthly training on data security and new potential threats
• Outline risks associated with higher access based on standing within the company
• Evaluate the effectiveness of the breach reporting system and how to respond if a breach is suspected
Employee training guidelines:
• Discuss essential cyber security practices to implement in the workplace
• Conduct monthly training about new potential phishing scams and attacks
• Define policies and guidelines on reporting possible breaches
35. 35
Value for Ernst Bank
• Ernst Bank's cyber security system will be strengthened by implementing quick-win solutions
• Ernst Bank's cyber security will be aligned with NIST Framework standards
• Ernst Bank employees will be more aware of potential cyber security threats
38. 38
TRILOGY CONSULTING REGULATORY COMPLIANCE APRIL 29, 2016
Regulatory Compliance Timeline
Milestones (two-week intervals): 2/1, 2/15, 2/29, 3/14, 3/28, 4/11, 4/25
1. Construct project timeline
2. Prepare a control listing from FFIEC IT booklets
3. Draft a workflow for the Regulatory Compliance department
4. Establish a risk rating scale and scoring methodology
5. Execute a gap analysis and develop a mapping matrix
6. Define remaining questions for compliance controls
7. Develop a risk assessment tool
8. Send the assessment tool to Ernst Bank for completion
9. Analyze results from the risk assessment tool
10. Prepare and present the final presentation
39. 39
Research
Research & Analysis | Recommendations | Takeaways
Goal: Develop a regulatory compliance program to proactively identify, evaluate and manage compliance with regulatory requirements.
Source: Federal Financial Institutions Examination Council (FFIEC)
• Formal US government interagency body
• IT Examination Handbook InfoBase
FFIEC IT booklets researched: Operations; Outsourcing; Information Security; Management
40. 40
Analysis
Risk breakdown by rating: Minor 28%; Moderate 28%; Major 20%; Critical 24%
Risk by type (average score): Quality of Controls 2.29; Likelihood 2.43; Impact 2.75
Risk by FFIEC category (average score, in the order charted): Information Security 2.20; Outsourcing 2.50; Operations 1.67; Management 3.00
Conclusion: Ernst Bank has moderate risk
41. 41
Key Findings from Risk Tool
Current state and recommendations:
1. Operational structure and accountability system can be improved: 1.1 New hierarchy; 1.2 New workflow; 1.3 Block system
2. Security controls and training can be updated: 2.1 Training program and notification system
3. Documentation and monitoring system can be strengthened: 3.1 Centralized data repository and benchmarking
42. 42
Recommendation 1.1: Hierarchy
Finding 1: Operational structure and accountability system can be improved
Proposed hierarchy (top to bottom): Senior Management → Team Leaders → Team Managers → Analyst Teams
Teams by domain: Management; Legal; Information Security; Outsourcing; Operations
Team Leaders: 1 domestic and 1 foreign leader
Team Managers and Analyst Teams: 1 for each main location of Ernst Bank
43. 43
Recommendation 1.2: Workflow
Finding 1: Operational structure and accountability system can be improved
Identification (risk discovery) → Analysis (benchmark) → Classification (block system) → Mitigation (risk resolution) → Monitoring (continuous evaluation)
Achieves optimal operational efficiency and maximum compliance levels
44. 44
Recommendation 1.3: Block System
Finding 1: Operational structure and accountability system can be improved
Regulations in the central data repository are classified into blocks by urgency:
• Block A: Urgent (example: Dodd-Frank Title IV)
• Block B: Near-immediate (example: Central Securities Depositories (CSD) Regulation)
• Block C: Distant (example: potential regulations)
45. 45
Recommendation 2.1: Training
Finding 2: Security controls and training can be updated
• Frequent e-blasts to all employees: security updates; online training portals
• Awareness and procedural training: security awareness training; compliance focus
• Security responsibilities reorganization: new workflow system; recommended hierarchy
46. 46
Recommendation 3.1: Data Repository
Finding 3: Documentation and monitoring system can be strengthened
1. Regulations enter the central data repository
2. Create industry benchmarks
3. Calculate internal metrics
4. Compare metrics to benchmarks
47. 47
Implementation Considerations
Finding 1: Operational structure and accountability system can be improved. Recommendations: 1.1 New hierarchy; 1.2 New workflow; 1.3 Block system. Implementation: hiring of additional staff; training program
Finding 2: Security controls and training can be updated. Recommendation: 2.1 Training program and notification system. Implementation: training program
Finding 3: Documentation and monitoring system can be strengthened. Recommendation: 3.1 Centralized data repository and benchmarking. Implementation: virtual and physical data repository system; calculating metrics
48. 48
Roadmap
• People (2 months): hire analysts underneath team managers
• Management (1 month): hire team managers at each data center
• Training (7 months): block system, notification system and third party training
• Benchmarks (4 months): metrics are calculated to measure compliance
• Data Repository (3 months): implement a data repository to store relevant compliance data
49. 49
Value of Solutions
• Cost savings and increased revenue
• Lower risk of noncompliance
• Higher reputational excellence
• Scalability
• Employee efficiency
• Customer satisfaction
52. 52
Classifying High Risk Vendors
• Foreign subcontractors
• Number of fourth parties involved
• Critical activities
• Volume of financial transactions processed
53. 53
A Challenging Landscape
Applicable regulation and guidance:
• Foreign Corrupt Practices Act (FCPA)
• UK Bribery Act
• Gramm-Leach-Bliley Act
• 12 CFR Part 30 (OCC)
• The Bank Service Company Act
• OCC Bulletin 2013-29
• CFPB Bulletin 2012-03
Notice of Deficiency: The OCC may request that a compliance plan be submitted under its "enforceable guidelines" in 12 CFR Part 30. If the bank fails to do so, it may face civil monetary penalties.
54. 54
Penalties for Non-Compliance
Situation: A major bank outsourced identity protection products sold to its customers and violated CFPB and FTC acts. Result: $6.15 million in restitution and $80 million in civil penalties
Situation: A credit card company outsourced to two vendors who violated several acts. Result: $144.5 million in restitution and $43.7 million in civil penalties
55. 55
Third Party Risk Management Program Structure
Third line of defense: Board of Directors; Internal Audit
Second line of defense (governance): Enterprise Risk Committee; Bank Management; Legal & Compliance; Risk Management Committee (IT support specialists, risk professionals, executive and non-executive directors)
First line of defense: business units; third parties; subcontractors
56. 56
Overview of Assessment Tool
Qualitative OCC gap analysis; the assessment tool sections refer to the five stages of the vendor management life cycle:
1. Planning
2. Due diligence and third-party selection
3. Contract negotiation
4. Ongoing monitoring
5. Termination
57. 57
Employee Certification
• Certified Third Party Risk Professional (CTPRP) recognition validates expertise and provides professional credibility, recognition, and marketability for an individual
• The Shared Assessments Program, which developed the CTPRP, has been setting the industry standard for targeting vendor risk since 2005. It constantly strives to streamline the risk assessment process and to develop faster, cost-efficient ways to conduct assessments
• CTPRP professionals demonstrate an understanding of TPRM including:
  • Managing the vendor life cycle
  • Vendor risk identification and rating
  • Knowledge of the fundamentals of vendor risk assessment, monitoring, and management
• Requirements:
  • Attend the Shared Assessments Program CTPRP Workshop
  • Successfully pass the Shared Assessments CTPRP Examination
  • Hold a minimum of five years' experience as a risk management professional, in a position (or positions) that demonstrates proficiency in the assessment, management and remediation of third party risk issues
58. 58
Certification Program Pricing
Item: Member / Non-member
• Workshop & exam: $695 / $795
• Annual maintenance fee (years 1 & 2): $75 / $75
• CTPRP renewal fee (year 3): $149 / $149
Corporate discounts: 5-25 registrants 10%; 26-50 registrants 15%; 51+ registrants 20%
59. 59
CTPRP Programs
• Certifications per year: ~4 vendor managers and 4 IT managers
• Cost of certification: ~$5,724 one-time cost
• Renewal fees: $600 for years 1 and 2; $1,192 for year 3
• Cost of a third party failure: ~$1.3 million to $35 million
• Certified managers will then hold week-long training sessions with employees so they are better involved in the process
• Minimal cost, because the managers will be the ones holding the training sessions
• Value added to all members of the organization
60. 60
Recommendation
A Lines of Defense model can fuel Ernst Bank's performance by:
• Reducing gaps in risk coverage
• Reducing business confusion in dealing with risk
• Reducing layers of redundant controls
• Reducing complex and inconsistent reporting
63. 63
Minor Categories
In these categories, Ernst Bank has the foundation of a secure system as defined by the NIST Framework. These categories are of extremely low risk to Ernst Bank and do not require adjustment at this time.

Business Environment
Description: The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. Using these identified goals and objectives, the company can identify the performance measures needed to mitigate risk.
Current controls: The organization's goals and objectives are fully comprehended and outlined. Ernst Bank has identified the performance measures needed to mitigate risks, and they are clearly understood and prioritized within the company.
Recommendation: No recommendation is needed at this time.

Maintenance
Description: Software and hardware maintenance is properly performed as outlined by company policies and procedures.
Current controls: Software and hardware maintenance is performed frequently by Ernst Bank.
Recommendation: No recommendation is needed at this time.

Detection Processes
Description: Detection processes and procedures are maintained and tested to ensure timely awareness of anomalous events.
Current controls: Current detection processes in place meet NIST Framework standards and are frequently tested and updated.
Recommendation: No recommendation is needed at this time.
64. 64
Moderate Categories
In these categories, Ernst Bank meets the standard guidelines as defined by the NIST Framework. These categories pose an intermediate level of risk to Ernst Bank and, while they may need improvement, the investment to improve these areas is not necessary at this time.

Access Control
Description: Data access is limited to authorized users, processes, transactions and hardware on the network.
Current controls: Data access is satisfactorily authorized among users, processes and transactions on the network.
Recommendation: Currently meets requirements.

Data Security
Description: Data is properly managed and protected in order to maintain the privacy and security of information.
Current controls: Data is satisfactorily managed and protected in order to maintain the privacy and security of information.
Recommendation: Currently meets requirements.

Security Continuous Monitoring
Description: The network is monitored at intervals to identify potential cyber security threats and verify that the network is protected.
Current controls: The network is satisfactorily monitored at intervals to identify potential cyber security threats and verify that it is protected.
Recommendation: Currently meets requirements.

Recovery Planning
Description: Recovery processes in the event of a breach are in place and incorporate lessons from past breaches.
Current controls: Recovery processes are in place in the event of a breach. Past breaches are not frequently incorporated as a reference.
Recommendation: Using past breaches as a reference can help Ernst Bank identify vulnerabilities in its network and be better prepared for a repeat event.

Information Protection Processes and Procedures
Description: Policies in place identify roles and responsibilities among employees, and the procedures in place protect the network and data assets.
Current controls: Policies in place identify roles and responsibilities among employees. Employee training on cyber risks is minimal.
Recommendation: More frequent employee training on cyber risks is needed.
65. 65
Roles at Ernst Bank
• CEO will have final approval on any major changes to the cyber security system. He or she will assess the plan against all other parts of the business to determine the resources available to implement the change.
• CIO will take the idea from the senior manager and work in tandem with the CCO as well as other officers, such as the CFO, to assess the level of change required in the plan as well as the cost/benefit analysis.
• Senior Managers will utilize the experience of cyber security managers and third party risk assessment teams to determine the best way to implement updated policies and infrastructure.
• Cyber Security Managers will complete the questionnaire to identify potential flaws in the system. They will assist in the development and implementation of the newly designed cyber security system.
66. 66
Wrongful Activity From Cyber Intrusions
This is a breakdown of the wrongful activity resulting from cyber intrusions within financial institutions. With this information, Ernst Bank can prepare for the impact of a cyber security breach.
• Account takeovers: 46%
• Identity theft: 18%
• Telecommunication network disruptions: 15%
• Data integrity breaches: 9%
67. 67
IT Intrusions at Financial Institutions
This is a breakdown of the most common IT intrusions affecting financial institutions. With this information, Ernst Bank can focus its attention on the most common cyber threats in order to protect itself.
• Malware: 22%
• Phishing: 21%
• Pharming: 7%
• Botnets: 7%
• Other: 43%
68. 68
Monetary Losses from Cyber Threats
Chart: relative size of loss categories (bar values are not preserved in this transcript):
• Customer reimbursements
• Audit & consulting services
• Deployment of detection software, services, & policies
• Loss of consumer business
• Damage to brand reputation