NFA Interpretive Notice on Info Security
- 1. Information Systems Security Programs
National Futures Association 9070 - NFA COMPLIANCE RULES 2-9, 2-36 AND 2-49: INFORMATION SYSTEMS SECURITY PROGRAMS
http://www.nfa.futures.org/nfamanual/NFAManual.aspx?RuleID=9070&Section=9
Wesley.Moore@Quarule.com
- 2. What Comprises the Information Systems Security Program?
Regulatory rules
Five areas of an Information Systems Security Program (ISSP):
1. Written Program
2. Security and Risk Analysis
3. Deployment of Protective Measures Against Identified Threats and Vulnerabilities
4. Response and Recovery from Threats to Electronic Systems
5. Employee Training
© 2014-2016 Quarule, Inc. - Confidential & Proprietary
- 3. Do We Have a Written Information Systems Security Program (ISSP)?
Regulatory rules
a) Members must adopt and enforce a written ISSP designed to provide safeguards and protect against security threats or hazards to their technology systems.
b) The written ISSP must be appropriate to the Member's size, complexity of operations, type of customers and counterparties, the sensitivity of the data accessible within its systems, and its electronic interconnectivity with other entities.
c) There are several cybersecurity best practices and standards readily available, including those promulgated by SANS, OWASP, ISACA's COBIT 5, and NIST.
Key Compliance Questions
1. Does the Member have a written ISSP?
2. Is the ISSP appropriate for the Member's specific needs?
- 4. Do We Analyze Security and Risk?
There are many different types of internal and external threats, including:
a) Loss, destruction or theft of data;
b) Attacks by viruses, spyware and other malware; and
c) Interception and compromising of electronic transmissions.
Key Compliance Questions
1. Does the Member keep track of their hardware and software?
2. Has the Member reviewed the vulnerabilities of their electronic infrastructure?
3. Is the Member's data secure?
- 5. Do We Assess and Prioritize?
Members must assess and prioritize the risks associated with the use of their information technology systems.
Regulatory rules
a) Estimate the severity of the potential threats;
b) Perform a vulnerability analysis; and
c) Decide how to manage the risks of these threats.
Key Compliance Questions
1. Have there been any past incidents?
2. What are the known threats identified by other entities?
- 6. How Do We Protect Against Identified Threats and Vulnerabilities?
A Member should document in their ISSP the safeguards that they deploy after reviewing and prioritizing threats and vulnerabilities. These safeguards will depend on the Member's specific needs, and can include:
a) Physically protecting buildings, equipment and assets;
b) Using and maintaining up-to-date firewall, anti-virus and anti-malware software;
c) Limiting both physical and electronic access;
d) Ensuring that systems are regularly and properly updated;
e) Deploying encryption software;
f) Preventing the use of unauthorized software;
g) Backing up systems and data; and
h) Ensuring that mobile devices are subject to similar applicable safeguards.
- 7. How Do We Detect Potential Threats and Vulnerabilities?
Regulatory rules
Members should also document and implement reasonable procedures to detect potential threats, including new and emerging threats.
Key Compliance Questions
1. What procedures does the Member have in place?
2. Do those procedures meet the proper standards?
3. Is the Member a part of a threat sharing organization which can alert the Member of new and emerging threats?
- 8. How Do We Respond to Threats to Electronic Systems?
Regulatory rules
Members should create an incident response plan to provide a framework to manage detected security incidents, analyze their potential impact and take appropriate measures to contain and mitigate their threat. The response plan should list out how the Member will address potential incidents, including how it will communicate and escalate incidents internally, and how it will communicate externally with customers, counterparties, regulators, and law enforcement. The Member's response plan should also include how the Member plans to restore compromised systems and data, and how it will incorporate lessons learned into the ISSP.
Key Compliance Questions
1. Does the Member have a response plan?
2. Does the response plan detail how to determine the level and type of threat and how to respond?
3. Does the response plan detail how to restore compromised systems and data?
4. Does the response plan detail who, how and when to communicate details of an incident?
- 9. Does Everyone Know What to Do?
Regulatory rules
A Member's ISSP should contain a description of the Member's education and training relating to information security for all appropriate personnel. This training program should be conducted for employees upon hiring and periodically during their employment, and should be appropriate to the security risks the Member faces as well as the composition of its workforce.
Key Compliance Questions
1. Are the Member's employees trained in information security?
2. Does the Member train employees on information security both at hiring and throughout employment?
3. Is the training appropriate for the risks and the workforce?
- 10. How Do We Know if the Info Systems Security Plan (ISSP) is Effective?
Regulatory rules
A Member should monitor and regularly review the effectiveness of its ISSP, including the efficacy of the safeguards deployed, and make appropriate adjustments. The review should be done at least once every year, and may be done by in-house staff with appropriate knowledge or by engaging an independent third-party information security specialist.
Key Compliance Questions
1. Does the Member schedule regular reviews of its ISSP?
2. Does the Member have qualified employees who can perform the review or does the Member need to hire an outside party?
- 11. Are Third-Party Service Providers Secure?
Regulatory rules
A Member's ISSP should also address the risks posed by third-party service providers that have access to a Member's systems, operate outsourced systems for the Member or provide cloud-based services to the Member. Since the Member does not control the third-party service providers, it is crucial that the Member perform due diligence on a service provider's security practices and avoid using third parties whose security standards are not comparable to the Member's standards in a particular area or activity. A Member should also place appropriate access controls on their information systems and data and have a procedure to remove access when a service provider is no longer providing services.
Key Compliance Questions
1. Does the Member keep a list of any service providers it employs?
2. Does the Member monitor the security practices of its service providers?
3. Does the Member have access controls in place to prevent improper access?
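The three questions above (a list of service providers, monitoring, and access controls with an off-boarding procedure) can be checked together by reconciling the accounts that exist on the Member's systems against the service-provider register. The script below is an added example, not part of the NFA notice or of Quarule's materials. It assumes two constructed inputs: a vendor register that records when each engagement ended, and an export of third-party accounts tagged with the vendor they belong to. The 90-day dormancy threshold and all vendor and account names are assumptions made for the example. It flags enabled accounts whose vendor engagement has ended, accounts whose vendor is not on the register at all, and accounts of current vendors that have gone unused.

```python
"""Reconcile third-party accounts against the service-provider register.

Added example; it is not code from the NFA notice or from Quarule.
All vendors, accounts and the 90-day dormancy threshold are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    engagement_end: Optional[date]  # None means the engagement is still active


@dataclass(frozen=True)
class Account:
    username: str
    vendor: str            # vendor the account was provisioned for
    enabled: bool
    last_login: Optional[date]  # None means the account has never logged in


# Constructed sample register (hypothetical vendors).
VENDORS: List[Vendor] = [
    Vendor("CloudHost Ltd", None),
    Vendor("OldBackup Co", date(2016, 3, 31)),
    Vendor("AuditPartners", date(2016, 9, 30)),
]

# Constructed sample account export (hypothetical accounts).
ACCOUNTS: List[Account] = [
    Account("svc-cloudhost", "CloudHost Ltd", True, date(2016, 6, 1)),
    Account("svc-cloudhost-old", "CloudHost Ltd", True, date(2016, 1, 10)),
    Account("svc-oldbackup", "OldBackup Co", True, date(2016, 5, 12)),
    Account("svc-oldbackup-ro", "OldBackup Co", False, None),
    Account("audit-jdoe", "AuditPartners", True, None),
    Account("svc-legacy", "Unknown Vendor", True, date(2015, 1, 3)),
]

# Date on which the review is run (constructed).
REVIEW_DATE = date(2016, 6, 15)

# Assumed policy: an account of a current vendor unused for this long is dormant.
DORMANT_DAYS = 90


def stale_third_party_accounts(accounts: List[Account],
                               vendors: List[Vendor],
                               today: date) -> Dict[str, str]:
    """Return {username: reason} for enabled accounts that need action.

    Reasons:
      - "vendor not in register": no vendor record exists, so the access
        cannot be tied to an approved engagement.
      - "engagement ended YYYY-MM-DD": the vendor's contract has ended but
        the account is still enabled (the removal procedure did not run).
      - "inactive > N days": current vendor, but the account is dormant.
    Disabled accounts are skipped; they have already been removed.
    """
    end_by_vendor = {v.name: v.engagement_end for v in vendors}
    findings: Dict[str, str] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.vendor not in end_by_vendor:
            findings[acct.username] = "vendor not in register"
            continue
        end = end_by_vendor[acct.vendor]
        if end is not None and end < today:
            findings[acct.username] = f"engagement ended {end.isoformat()}"
        elif end is None and acct.last_login is not None \
                and (today - acct.last_login).days > DORMANT_DAYS:
            findings[acct.username] = f"inactive > {DORMANT_DAYS} days"
    return findings


if __name__ == "__main__":
    for user, reason in sorted(stale_third_party_accounts(
            ACCOUNTS, VENDORS, REVIEW_DATE).items()):
        print(f"{user}: {reason}")
```

Run on the constructed data, the check reports `svc-oldbackup` (engagement ended 2016-03-31 but account still enabled), `svc-legacy` (no vendor record), and `svc-cloudhost-old` (current vendor, dormant account); `audit-jdoe` is left alone because that engagement is still running, and `svc-oldbackup-ro` is skipped because it was already disabled. Feeding this a real account export and the Member's provider list gives a repeatable piece of evidence for each of the three questions.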
- 12. ISSP Resources
SANS Institute (SANS) – https://www.sans.org/
Open Web Application Security Project (OWASP) – https://www.owasp.org
ISACA's Control Objectives for Information and Related Technology (COBIT) 5 – https://cobitonline.isaca.org/
National Institute of Standards and Technology (NIST) – https://www.nist.gov/