
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Compliance Frameworks

Cybersecurity is an area of growing concern for financial institutions, especially in the face of recent high-profile data breaches. In June of this year, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Self Assessment Tool (CAT) to help institutions determine their risks and evaluate their preparedness.



  1. FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Compliance Frameworks. Business consultants, deep technologists.
  2. © 2015 West Monroe Partners | Reproduction and distribution without West Monroe Partners prior consent is prohibited. West Monroe Partners is large enough to tackle our clients’ toughest challenges and nimble enough to adapt to unique requirements with custom solutions. Established in 2002: founded by a team from Arthur Andersen, West Monroe is a full-service business and technology consulting firm. People: over 600 career consultants, confident enough to engage in constructive debate and understanding that it’s okay to disagree. Organization: we are 100% employee owned; we answer to our people and our clients only. Global reach but geographically close: we serve global clients locally by partnering with BearingPoint Europe and Grupo Assa.
  3. Recognition, early 2000s to 2015: named by the National Association of Business Resources as one of Chicago’s “101 Best and Brightest Companies to Work For” in 2006, 2007, 2008, 2009 and 2012; named one of Crain’s Chicago Business “Best 20 Places to Work in Chicago” in 2009 and 2010; named “Best Large Company Headquartered Outside Washington” by Seattle Business Magazine in 2008, 2011, 2012, 2013, 2014 and 2015; named a “Top Workplace” by the Chicago Tribune from 2010 to 2015; named one of Consulting Magazine’s “Best Small Firms to Work For” for the second straight year in 2010; named one of the top Managed Service Providers in North America by MSPmentor in 2012, 2013, 2014 and 2015; named to Columbus Business First’s 2011 “Best Places to Work”; named one of Consulting magazine’s “Best Large Firms to Work For” in 2012, 2013, 2014 and 2015; named to the Great Place to Work “Best Small & Medium Workplaces” list published in FORTUNE magazine in 2013 and 2014; selected by the Puget Sound Business Journal as a finalist for Washington’s Best Workplaces in 2012, 2014 and 2015; selected for the 2013 “Inner City 100” by The Initiative for a Competitive Inner City (ICIC) and FORTUNE; named by Crain’s Chicago Business as one of its “Fast Fifty” in 2008, 2009, 2011, 2012, 2013 and 2015.
  4. West Monroe Partners: an uncommon blend of business consultants and deep technologists solving security challenges in today’s business climate. West Monroe’s Security team was built from the ground up by blending deep technologists with a focus on strategic security consulting. We emphasize security as a component of an overall risk management approach, meaning we focus on strategic solutions and on helping organizations operationalize their security investments. Where most security consultancies address security through tactical assessments and solutions, we deliver prioritized roadmaps that address the areas that will most effectively improve your security posture and reduce risk.
  5. Federal Financial Institutions Examination Council: FRB (Federal Reserve Bank, “The Fed”); OCC (Office of the Comptroller of the Currency); FDIC (Federal Deposit Insurance Corporation); NCUA (National Credit Union Association); CFPB (Consumer Financial Protection Bureau); SLC (State Liaison Committee), comprising CSBS (Conference of State Banking Supervisors), ACSSS (American Council of State Savings Supervisors) and NASCUS (National Association of State Credit Union Supervisors). Starting in late 2015, examiners will begin using a new assessment tool to better understand risks and controls related to cybersecurity.
  6. There are two pieces of the FFIEC tool that must be accomplished, in order: (1) the Inherent Risk profile, rated across Technologies and Connections; Delivery Channels; Online, Mobile, and Technology Services; Organizational Characteristics; and External Threats; (2) the Cybersecurity Maturity profile.
  7. The Cybersecurity Maturity profile worksheet is hierarchically structured, similar to most compliance frameworks: Domain, Assessment Factor, Component, Maturity Level, Declarative Statement.
  8. By combining the information from the Inherent Risk and Maturity profiles, gaps can be assessed. (The slide shows a worksheet excerpt in which each declarative statement is answered Y or N and the answers are tallied per maturity level.)
  9. On its own, use of the FFIEC CAT has clear strengths and weaknesses. Strengths: easy to conduct; ordained by regulators; good coverage; contextual; thoroughly mapped. Weaknesses: lack of detailed gap analysis; little flexibility; hard for non-technologists to digest; difficult to represent findings.
  10. Depending on the ability of your organization to respond to regulatory guidance, additional support or use of alternate frameworks may help.
  11. The NIST Framework Core identifies underlying key Categories and Subcategories for each Function, and maps them to Informative References; its hierarchy is Function, Category, Subcategory, Informative References. Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Subcategories further divide a Category into specific outcomes of technical and/or management activities. Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory. Functions and their Categories: Identify (Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy); Protect (Access Control; Awareness and Training; Data Security; Information Protection Procedures; Maintenance; Protective Technology); Detect (Anomalies and Events; Security Continuous Monitoring; Detection Processes); Respond (Response Planning; Communications; Analysis; Mitigation; Improvements); Recover (Recovery Planning; Improvements; Communications).
  12. NIST Framework, industry alignment: the FFIEC Cybersecurity Assessment Tool directly aligns with the NIST Cybersecurity Framework. The FFIEC Cybersecurity Assessment Tool (FFIEC CAT) provides a statement-by-statement and page-by-page comparison from the NIST Cybersecurity Framework (NIST CSF) to the FFIEC CAT. (The slide shows an example of the NIST CSF mapping to the FFIEC CAT.)
  13. NIST Framework, industry alignment: the Core of the NIST Cybersecurity Framework further aligns to other Frameworks. Organizations with successful implementations of NIST CSF can benefit from its synergy with other Frameworks. The NIST CSF Core contains Informative References, which are specific sections of other Frameworks that illustrate a method to achieve the outcomes associated with each of the Core’s Subcategories. Example of the NIST CSF Core referring to other Frameworks: Function IDENTIFY (ID); Category Asset Management (ID.AM): the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy; Subcategory ID.AM-1: physical devices and systems within the organization are inventoried; Informative References: CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8.
  14. By assessing both the current state and desired state profiles, an organization can determine the most impactful areas of focus. (The slide shows current and desired profiles on the PRISMA scale for the NIST / WMP Framework functions Govern, Identify, Protect, Detect, Respond and Recover, with the implementation dimensions Policies, Procedures, Implementation, Testing and Org. Integration.)
  15. The NIST framework can be leveraged to monitor and objectively evaluate an organization’s security maturity and associated progress. Current rating and desired rating by Function: GOVERN 1.5 and 3.6; IDENTIFY 1.1 and 3.5; PROTECT 1.4 and 3.5; DETECT 1.4 and 3.2; RESPOND 1.5 and 3.5; RECOVER 1.2 and 3.1.
  16. At the end of the day, regulators will demand more than a completed checklist.
  17. Questions & Discussion. JERIN MAY, Director, Infrastructure and Security, Seattle: desk 206.905.0209, cell 206.920.0958, jmay@westmonroepartners.com. ROSS MILLER, Manager, Infrastructure and Security, Seattle: desk 206.905.0167, cell 517.525.1843, rmiller@westmonroepartners.com.
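The gap assessment sketched on slides 6 to 8 (an inherent risk profile rolled up from five categories, a maturity profile built from Y/N declarative statements, and the gap between the two), as an added Python example that is not part of the original deck or of West Monroe's tooling. It uses the FFIEC CAT's published level names; the risk-to-expected-maturity mapping and the highest-category roll-up rule are assumptions, and the sample ratings and answers are constructed.

```python
"""Simplified model of the FFIEC CAT gap assessment on slides 6 to 8 (constructed
example for this page; not the FFIEC's or West Monroe's own tooling)."""

# Maturity levels and inherent risk levels as named in the FFIEC CAT, low to high.
MATURITY = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
RISK = ["Least", "Minimal", "Moderate", "Significant", "Most"]
# ASSUMPTION: one-to-one expectation; the CAT gives only a guidance chart, so calibrate it.
EXPECTED = dict(zip(RISK, MATURITY))

def inherent_risk(category_levels):
    """Roll the five inherent risk category ratings (slide 6) up to one profile level.
    ASSUMPTION: the highest-rated category drives the overall profile."""
    return max(category_levels.values(), key=RISK.index)

def maturity_level(answers):
    """Attained maturity level for one domain from its declarative statement answers
    ({level: [bool, ...]}). A level counts only when every statement in it and in every
    lower level is met (the CAT's cumulative rule); a level with no answers is unmet."""
    attained = None
    for level in MATURITY:
        if not all(answers.get(level, [False])):  # any 'N' at this level stops the climb
            break
        attained = level
    return attained  # None: even Baseline is not fully met

def gap_report(risk_profile, domain_answers):
    """Compare each domain's attained maturity with the level expected for the
    institution's inherent risk; gap = number of maturity levels still to climb."""
    expected = EXPECTED[inherent_risk(risk_profile)]
    report = {}
    for domain, answers in domain_answers.items():
        have = maturity_level(answers)
        have_idx = -1 if have is None else MATURITY.index(have)
        report[domain] = {"attained": have, "expected": expected,
                          "gap": MATURITY.index(expected) - have_idx}
    return report

# Constructed sample: category ratings, plus made-up Y/N answers for two CAT domains.
SAMPLE_RISK = {"Technologies and Connections": "Moderate", "Delivery Channels": "Significant",
               "Online, Mobile, and Tech. Services": "Moderate",
               "Org. Characteristics": "Minimal", "External Threats": "Moderate"}
SAMPLE_DOMAINS = {
    "Cyber Risk Management and Oversight": {"Baseline": [True] * 3, "Evolving": [True, True],
        "Intermediate": [True, False], "Advanced": [False], "Innovative": [False]},
    "Threat Intelligence and Collaboration": {"Baseline": [True, False], "Evolving": [True],
        "Intermediate": [False], "Advanced": [False], "Innovative": [False]}}

if __name__ == "__main__":
    for d, row in gap_report(SAMPLE_RISK, SAMPLE_DOMAINS).items():
        print(f"{d}: attained={row['attained']} expected={row['expected']} gap={row['gap']}")
```

A domain with a single unmet Baseline statement reports no attained level at all, which is the point of the cumulative rule: partial credit at higher levels does not offset a gap at the bottom.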
