The document outlines strategies for reducing cyber risk at community banks, focusing on challenges faced, the FFIEC Cybersecurity Assessment Tool (CAT), and best practices for security controls. Key areas include risk management, threat intelligence, cybersecurity controls, and incident management, emphasizing the importance of comprehensive assessments and employee training. Recommendations also highlight the need for ongoing monitoring, secure access management, and adherence to regulatory guidelines to protect customer information.

1. DECREASE CYBER RISK AT YOUR
COMMUNITY BANK
Manish Rai & Ty Powers, Great Bay Software

2. 2
AGENDA
• Current challenges faced by community banks
• Getting started with the new CAT tool & FFIEC Audits
• Best practices for:
- Plugging potential cyber gaps
- Addressing network access control

3. 3
GREATEST CHALLENGES FACING FINANCIAL SERVICES ORGANIZATIONS

4. 4
FFIEC CYBERSECURITY ASSESSMENT TOOL (CAT) MEASURES RISK AND
MATURITY ACROSS 5 DOMAINS
D1. Cybersecurity Risk
Management &
Oversight
• Governance
• Risk Management
• Resources
• Training & Culture
D2. Threat Intelligence &
Collaboration
• Threat Intelligence
• Monitoring &
Analysis
• Information Sharing
D3. Cybersecurity
Controls
• Preventative
• Detective
• Corrective
D4. External
Dependency
Management
• Connections
• Relationship
Management
D5. Cybersecurity
Incidence Management
& Resilience
• Incidence Resilience
Planning & Strategy
• Detection, Response
and Mitigation
• Escalation &
Reporting

5. 5
FFIEC CAT INHERENT RISK AND MATURITY LEVELS MEASUREMENT MODEL

6. 6
FFIEC CYBERSECURITY ASSESSMENT TOOL
• Why the FFIEC CAT?
• Developed by the Federal Financial Institutions Examination Council (FFIEC) to help
institutions identify their risks and determine their cybersecurity maturity.
• What is it used for?
• Provides institutions with a repeatable and measureable process to inform
management of their institution’s risks and level of cybersecurity preparedness

7. 7
COMPLETING THE CAT ASSESSMENT
• Assess the institution’s inherent risk profile based on five categories
• Technologies and Connection Types
• VPN, Wireless, LAN to LAN, ISP
• Delivery Channels
• Online, Mobile delivery, ATM
• Online/Mobile Products and Technology Services
• Payment services, wire transfers, remote banking
• Organizational Characteristics
• M&A, # employees, # contractors, locations (branch, office, and data centers)
• External Threats
• Volume and type of attacks (attempted or successful)

8. 8
COMPLETING THE CAT ASSESSMENT
• Evaluate the institution’s Cybersecurity Maturity level for the five domains
• Cyber Risk Management and Oversight
• Cybersecurity program including policies and procedures
• Threat Intelligence and Collaboration
• Tools and processes to effectively discover, analyze, and understand cyber threats
• Cybersecurity Controls
• Practices and processes used to protect assets, infrastructure, and information
• Continuous, automated protection and monitoring
• External Dependency Management
• Program to oversee and manage external connections and third-party relationships
• Cyber Incident Management and Resilience
• Establishing, identifying, and analyzing cyber events

9. 9
DESIGN AND IMPLEMENT SECURITY CONTROLS
• Access controls on customer information systems
• Authenticate and permit access only to authorized individuals
• Prevent employees from providing customer information to unauthorized
individuals
• Physical Access Restrictions
• Restrict access at physical locations containing customer information, to authorized
individuals only
• Employ the use of Encryption
• Encrypt electronic customer information, while in transit as well as in storage
• on networks or systems to which unauthorized individuals may have access

10. 10
DESIGN SECURITY CONTROLS
• Minimum Security Baseline and Control Process
• Procedures designed to ensure that system modifications are consistent with the
community bank’s information security program
• Personnel Controls
• Implement segregation of duties and personnel background checks
• Monitoring Systems
• Monitoring systems and procedures to detect actual and attempted attacks on, or
intrusions into, customer information systems
• Incident Response
• Implement procedures to be taken when unauthorized access or other incidents are
detected
• Actions including reporting to regulatory and law enforcement agencies

11. 11
EDUCATE, TEST, AND OVERSEE
• Educate and Train Staff
• Train staff to recognize and respond to threats including fraud and identity theft
• Provide staff with adequate training around computing and information security
• Train staff on how to properly dispose of customer data
• Test Key Controls
• Test and validate the procedures and systems put in place
• The risk assessment should drive frequency and scope
• Oversee Service Providers
• Exercise due diligence in selecting service providers
• Monitor and hold them accountable for adhering to the FFIEC Security Guidelines

12. 12
BEST PRACTICES
• Policies, Procedures, and Action
• Practice what you preach
• Execute the information security strategy and plans as designed
• Leverage the Network Infrastructure
• Control access to the network
• Limit network access to approved devices (Authenticate, Authorize, and Audit)
• Ensure proper network segmentation
• Reduce the available attack surface and limit the contamination or threat
• Keep the perimeter intact
• Avoid internet-facing endpoints and services where possible

13. 13
BEST PRACTICES
• Don’t Forget About the Endpoints
• Make sure that you can answer the following at all times:
• What’s connecting to the network?
• Where is it located?
• How is it behaving?
• Do I trust it? Should I?
• Disable remote access to devices as possible
• Remote access provides a conduit to vulnerable devices
• Change default credentials immediately
• Disable default admin accounts

14. 14
BEST PRACTICES
• Don’t Forget About the Endpoints - Continued
• Disable/Limit protocol usage
• Disable unsecure protocols such as Telnet and FTP as possible
• Best practice for many regulatory guidelines
• Ensure that communication ports that should be open are
• Are SSH, Telnet and HTTP ports still open?
• Some attacks disable remote access to limit remediation
• Patch, patch, patch
• Patch early and patch often
• Not always possible

15. 15
BEST PRACTICES
• Don’t Forget About Tomorrow
• Choose solutions not point products
• Deploy highly scalable systems that will mature with the organization
• Look for solutions that enhance existing systems
• Avoid creating information siloes
• Choose vendors and integrators that provide the same level of service that you
provide to your customers

16. 16
SECURITY AND MANAGEMENT TOOLS NEEDED FOR COMPLIANCE
Vulnerability Scanner
Advanced Threat Detection
Anti-Virus Firewall Discovery, Visibility and
Network Access Control
Log and Event
Management
Intrusion Detection
and Prevention

17. 17
KEY CAT TOOL NETWORK ACCESS CONTROL REQUIREMENTS UNDER
PREVENTATIVE AND DETECTIVE CONTROLS
Discovery
• Unregistered /
Unauthorized Devices
• Rogue Access Points
• Critical Systems
Running Legacy
Technologies
Visibility/Monitoring
• Network Ports
• FTP / Telnet Traffic
• Anomalous Behavior
• Real-time Network
Monitoring
Control
• Unauthorized Access
• Unregistered Device
Access
• Roque Access Points
• Network
Segmentation
• Traffic Between
Trusted / Untrusted
Zones
• Wi-Fi Security Settings
(Strong)

18. 18
GREAT BAY VISION
Network
Access
Control
Know
• Monitor Port Usage
• Networking Monitoring
• Anomalous Behavior Detection
• FTP/Telnet Traffic
Control
• Unauthorized Access
• Rogue Access Points
• Network Segmentation
• Trusted/Untrusted Zones
Enhance
• Asset Inventory/Management
• Incidence Response
• Troubleshooting
See
• Discover in Real-time
• Unauthorized/Unregistered
• Rogue Access Points

19. THANK YOU! QUESTIONS?