Information Security Risk Management Overview

Federal Financial Institutions Examination Council
FFIEC IT Security Handbook
http://ithandbook.ffiec.gov/it-booklets/information-security.aspx

Wesley.Moore@Quarule.com
Financial Institutions Use an IT Security Process

Regulatory rules

1. Financial institutions (FIs) protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.
2. The process is designed to identify, measure, manage, and control the risks to system and data availability, integrity, and confidentiality, and to ensure accountability for system actions.

Key Compliance Questions

a) Has the FI implemented an ongoing security process?
b) Has the FI instituted appropriate governance for the security process?
c) Has the FI assigned clear and appropriate roles and responsibilities?

© 2014-2016 Quarule, Inc. - Confidential & Proprietary
What Comprises the Security Process Framework?

Regulatory rules

The security process framework has five areas: Information Security Risk Assessment, Information Security Strategy, Security Controls Implementation, Security Monitoring, and Security Process Monitoring and Updating.

An Information Security Risk Assessment (ISRA) is a process to identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes.

Key Compliance Questions

Does the security process include an IS Risk Assessment?
Does the IS Risk Assessment identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes?
The Board Approves the Info Security Strategy!

Regulatory rules

The Information Security Strategy is a plan to mitigate risk that integrates technology, policies, procedures, and training. The plan should be reviewed and approved by the board of directors.

Key Compliance Questions

Is the Information Security Strategy reviewed and approved by the board of directors?
What is a Security Controls Implementation?

Regulatory rules

Security Controls Implementation includes:
- acquisition and operation of technology,
- assignment of duties and responsibilities to managers and staff,
- deployment of risk-appropriate controls,
- assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties.

Key Compliance Questions

Is the Security Controls Implementation adequate?
What Does Security Monitoring Entail?

Regulatory rules

Security monitoring uses methodologies to gain assurance that risks are appropriately assessed and mitigated.

Security monitoring should verify that significant controls are effective and performing as intended.

Key Compliance Questions

Does security monitoring assess if risks are appropriately assessed?
Does security monitoring assess if risks are appropriately mitigated?
How is Security Process Monitoring Used?

Regulatory rules

Security Process Monitoring and Updating is the process of continuously gathering and analyzing information regarding new threats and vulnerabilities, and actual attacks on this or other institutions.

Information learned from Security Process Monitoring and Updating should be used to update this institution's risk assessment, strategy, and controls.

Key Compliance Questions

Does Security Process Monitoring and Updating continuously gather and analyze information regarding new threats, new vulnerabilities, actual attacks on this institution, and actual attacks on other institutions?
Does this institution use the information learned from Security Process Monitoring and Updating to update risk assessments, strategy, and controls?
Governance Ensures Info Security is Managed

Regulatory rules

Governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, monitoring, and accountability.

Governance is required to ensure that tasks are completed appropriately, that accountability is maintained, and that risk is managed for the entire enterprise.

Key Compliance Questions

Does the governance ensure that tasks are completed appropriately?
Does the governance ensure that accountability is maintained?
Does the governance ensure that risk is managed for the entire enterprise?
Who is Accountable?

Regulatory rules

Information security is the responsibility of everyone who has the opportunity to control or report the institution's data.

Information security should be supported throughout the institution, including the board of directors, senior management, information security officers, employees, auditors, service providers, and contractors.

Each role should be accountable for actions taken. Accountability requires:
- clear lines of reporting
- clear communication of expectations
- delegation and judicious use of appropriate authority

Key Compliance Questions

Have expectations been clearly communicated?
Are there clear reporting lines?
Do the delegation practices of this institution bring about appropriate compliance with this institution's policies, standards, and procedures?
What is the Board's Responsibility?

Regulatory rules

The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the information security program.

The board should provide management with its expectations and requirements and hold management accountable for:
- central oversight and coordination
- assignment of responsibility
- risk assessment and measurement
- monitoring and testing
- reporting
- acceptable residual risk.

The board should approve written information security policies and the written report on the effectiveness of the information security program at least annually.

Key Compliance Questions

Has the board fulfilled its responsibilities to oversee the information security program?
Has the board made senior management accountable?
Does the board approve policies and a report on the information security program at least annually?
What is Senior Management's Responsibility?

Regulatory rules

Senior management should:
- clearly support all aspects of the information security program,
- implement the information security program as approved by the board,
- establish appropriate policies, procedures, and controls,
- participate in assessing the effect of security issues on the financial institution and its business lines and processes,
- delineate clear lines of responsibility and accountability for information security risk management decisions,
- define risk measurement definitions and criteria,
- establish acceptable levels of information security risks, and oversee risk mitigation activities.

Key Compliance Questions

Has senior management fulfilled its responsibilities to support, implement, control, maintain and assess the information security program?
Who are the Information Security Officers?

Regulatory rules

Senior management should designate one or more individuals as information security officers.

Information security officers should report directly to the board of directors or to senior management, have sufficient independence to perform their assigned tasks, and have the authority to respond to a security event.

Key Compliance Questions

Did senior management designate one or more individuals as information security officers?
Do Information Security Officers have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value?
Who Ensures Integration of Security Controls?

Regulatory rules

Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should:
- Ensure the security process is governed by organizational policies and practices
- Require that data with similar criticality and sensitivity be protected consistently
- Enforce compliance with the security program in a balanced and consistent manner
- Coordinate information security with physical security
- Ensure an effective information security awareness program has been implemented

Key Compliance Questions

Has senior management fulfilled its responsibilities to support integration throughout the organization?
Who Accepts the Risk and Performs Mitigation?

Regulatory rules

Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors.

Those decisions should be incorporated into the institution's policies, standards, and procedures.

Key Compliance Questions

Has the Board approved guidance for senior management regarding the acceptance of security risks and the performance of risk mitigating activities?
Has that guidance been incorporated into the institution's policies, standards, and procedures?
Do Employees Understand What to Do?

Regulatory rules

Institutions can achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring.

Key Compliance Questions

Does the institution define security responsibilities in its security policy?
Do job descriptions and contracts specify any additional security responsibilities beyond the general policies?
Does the institution achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring?
Who Monitors External Parties?

Regulatory rules

Management also should consider and monitor the roles and responsibilities of external parties.

The security responsibilities of technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should be clearly delineated and documented in contracts.

Sufficient controls should be included in the contract to enable management to enforce contractual requirements.

Key Compliance Questions

Does management consider and monitor entities that have access to the institution's systems?
Are controls sufficient and backed up by contractual commitments?
What's an Information Security Risk Assessment?

Regulatory rules

Financial institutions must maintain an ongoing information security risk assessment program.

Key Compliance Questions

Does the FI gather sufficient information to document a thorough understanding of the operating and business environments?
Does the FI gather relevant technical information about: network maps detailing internal and external connectivity; hardware and software inventories; databases and files that contain critical and/or confidential information; processing arrangements and interfaces with external entities; hardware and software configurations; and policies, standards, and procedures for the operation, maintenance, upgrading, and monitoring of technical systems?
Are the Controls Effective?

Regulatory rules

Non-technical information that may be necessary includes the policies, standards, and procedures addressing:
- physical security of facilities and information assets
- personnel security, vendor contracts, personnel security training and expertise, and insurance coverage
- control effectiveness

Key Compliance Questions

Does the institution gather the policies, standards, and procedures addressing physical security (including facilities as well as information assets that include loan documentation, deposit records and signature cards, and key and access code lists), personnel security (including hiring background checks and behavior monitoring), vendor contracts, personnel security training and expertise, and insurance coverage?
Does the institution gather information on control effectiveness?
Does the Program Identify, Analyze and Prioritize Risks?

Regulatory rules

A risk assessment should include an identification of information and the information systems to be protected, including electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information.

Key Compliance Questions

Does the information security risk assessment program effectively gather data regarding the information and technology assets, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements?
Does the ongoing information security risk assessment program effectively analyze the probability and impact of the known threats and vulnerabilities?
Does the ongoing information security risk assessment program effectively prioritize the risks to determine the appropriate level of training, controls, and assurance necessary for effective mitigation?
What are the Systems and Data Flow?

Regulatory rules

The institution's analysis should include a system characterization and data flow analysis of networks (where feasible), computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems.

Include backup tapes, portable computers, personal digital assistants, media such as compact disks, micro drives, and diskettes, and media used in software development and testing.

In identifying information and the information systems, it is important to understand how the institution uses information in its day-to-day operations.

Key Compliance Questions

Is the institution's analysis complete?
Does the risk assessment address employee access, use, and dissemination of information in response to requests?
What are the Service Providers' Programs and Controls?

Regulatory rules

The institution's system architecture diagram and related documentation should identify service provider relationships, where and how data is passed between systems, and the relevant controls that are in place.

Key Compliance Questions

Does the financial institution consider its outsourcing strategy in identifying relevant data flows and information processing activities?
Do We Classify and Rank Data, Systems, and Applications?

Regulatory rules

FIs should assess the relative importance of the various information systems based on the nature of their function, the criticality of data they support, and the sensitivity of data they store, transmit, or protect.

When assessing the sensitivity of data, institutions should consider the increased risk posed to the institution from the aggregation of data elements.

Key Compliance Questions

Does the FI assess the importance of information systems?
Does the FI consider the increased risk of aggregation of data elements?
Information Systems Security Programs

National Futures Association
9070 - NFA COMPLIANCE RULES 2-9, 2-36 AND 2-49: INFORMATION SYSTEMS SECURITY PROGRAMS
http://www.nfa.futures.org/nfamanual/NFAManual.aspx?RuleID=9070&Section=9
What Comprises the Information Systems Security Program?

Regulatory rules

Five areas of an Information Systems Security Program (ISSP):
1. Written Program
2. Security and Risk Analysis
3. Deployment of Protective Measures Against Identified Threats and Vulnerabilities
4. Response and Recovery from Threats to Electronic Systems
5. Employee Training
Do We Have a Written Information Systems Security Program (ISSP)?

Regulatory rules

a) Members must adopt and enforce a written ISSP designed to provide safeguards and protect against security threats or hazards to their technology systems.
b) The written ISSP must be appropriate to the Member's size, complexity of operations, type of customers and counterparties, the sensitivity of the data accessible within its systems, and its electronic interconnectivity with other entities.
c) There are several cybersecurity best practices and standards readily available, including those promulgated by SANS, OWASP, ISACA's COBIT 5, and NIST.

Key Compliance Questions

1. Does the Member have a written ISSP?
2. Is the ISSP appropriate for the Member's specific needs?
Do We Analyze Security and Risk?

Regulatory rules

There are many different types of internal and external threats, including:
a) Loss, destruction or theft of data;
b) Attacks by viruses, spyware and other malware; and
c) Interception and compromising of electronic transmissions.

Key Compliance Questions

1. Does the Member keep track of its hardware and software?
2. Has the Member reviewed the vulnerabilities of its electronic infrastructure?
3. Is the Member's data secure?
Do We Assess and Prioritize?

Regulatory rules

Members must assess and prioritize the risks associated with the use of their information technology systems:
a) Estimate the severity of the potential threats;
b) Perform a vulnerability analysis; and
c) Decide how to manage the risks of these threats.

Key Compliance Questions

1. Have there been any past incidents?
2. What are the known threats identified by other entities?
How Do We Protect Against Identified Threats and Vulnerabilities?

Regulatory rules

A Member should document in its ISSP the safeguards that it deploys after reviewing and prioritizing threats and vulnerabilities. These safeguards will depend on the Member's specific needs, and can include:
a) Physically protecting buildings, equipment and assets;
b) Using and maintaining up-to-date firewall, anti-virus and anti-malware software;
c) Limiting both physical and electronic access;
d) Ensuring that systems are regularly and properly updated;
e) Deploying encryption software;
f) Preventing the use of unauthorized software;
g) Backing up systems and data; and
h) Ensuring that mobile devices are subject to similar applicable safeguards.
How Do We Detect Potential Threats and Vulnerabilities?

Regulatory rules

Members should also document and implement reasonable procedures to detect potential threats, including new and emerging threats.

Key Compliance Questions

1. What procedures does the Member have in place?
2. Do those procedures meet the proper standards?
3. Is the Member a part of a threat sharing organization which can alert the Member of new and emerging threats?
How Do We Respond to Threats to Electronic Systems?

Regulatory rules

Members should create an incident response plan to provide a framework to manage detected security incidents, analyze their potential impact and take appropriate measures to contain and mitigate their threat.

The response plan should list out how the Member will address potential incidents, including how it will communicate and escalate incidents internally, and how it will communicate externally with customers, counterparties, regulators, and law enforcement.

The Member's response plan should also include how the Member plans to restore compromised systems and data, and how it will incorporate lessons learned into the ISSP.

Key Compliance Questions

1. Does the Member have a response plan?
2. Does the response plan detail how to determine the level and type of threat and how to respond?
3. Does the response plan detail how to restore compromised systems and data?
4. Does the response plan detail who, how and when to communicate details of an incident?
Does Everyone Know What to Do?

Regulatory rules

A Member's ISSP should contain a description of the Member's education and training relating to information security for all appropriate personnel. This training program should be conducted for employees upon hiring and periodically during their employment, and should be appropriate to the security risks the Member faces as well as the composition of its workforce.

Key Compliance Questions

1. Are the Member's employees trained in information security?
2. Does the Member train employees on information security both at hiring and throughout employment?
3. Is the training appropriate for the risks and the workforce?
How Do We Know if the Info Systems Security Plan (ISSP) is Effective?

Regulatory rules

A Member should monitor and regularly review the effectiveness of its ISSP, including the efficacy of the safeguards deployed, and make appropriate adjustments.

The review should be done at least once every year, and may be done by in-house staff with appropriate knowledge or by engaging an independent third-party information security specialist.

Key Compliance Questions

1. Does the Member schedule regular reviews of its ISSP?
2. Does the Member have qualified employees who can perform the review, or does the Member need to hire an outside party?

Are Third-Party Service Providers Secure?

Regulatory rules

A Member's ISSP should also address the risks posed by third-party service providers that have access to a Member's systems, operate outsourced systems for the Member or provide cloud-based services to the Member.

Since the Member does not control the third-party service providers, it is crucial that the Member perform due diligence on a service provider's security practices and avoid using third parties whose security standards are not comparable to the Member's standards in a particular area or activity.

A Member should also place appropriate access controls on its information systems and data and have a procedure to remove access when a service provider is no longer providing services.

Key Compliance Questions

1. Does the Member keep a list of any service providers it employs?
2. Does the Member monitor the security practices of its service providers?
3. Does the Member have access controls in place to prevent improper access?
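The "keep a list of service providers" question and the rule that access is removed once a provider stops providing services can be checked mechanically. The Python below is an added example, not part of the slide deck or of any regulator's guidance: it reconciles a constructed service-provider register against a constructed account-inventory export and flags enabled third-party accounts whose provider is missing from the register or whose engagement has ended; the CSV columns, field names and sample values are all assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Provider:
    """One entry in the Member's service-provider register (assumed layout)."""
    name: str
    engagement_end: Optional[date]  # None: the provider is still engaged


@dataclass(frozen=True)
class Account:
    """One row of an account-inventory export (assumed layout)."""
    username: str
    provider: str
    enabled: bool
    last_login: Optional[date]  # None: never logged in


@dataclass(frozen=True)
class Finding:
    username: str
    provider: str
    severity: str
    reason: str


def _parse_date(text: str) -> Optional[date]:
    text = text.strip()
    return date.fromisoformat(text) if text else None


def load_accounts(csv_text: str) -> List[Account]:
    """Parse an export with the columns username,provider,enabled,last_login."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Account(
            username=row["username"].strip(),
            provider=row["provider"].strip(),
            enabled=row["enabled"].strip().lower() == "true",
            last_login=_parse_date(row["last_login"]),
        )
        for row in reader
    ]


def reconcile(providers: List[Provider], accounts: List[Account],
              today: date) -> List[Finding]:
    """Flag enabled third-party accounts that the register says should not exist.

    high:   provider absent from the register (the "keep a list" control has a
            gap), or the engagement ended and the account was used afterwards
    medium: engagement ended, account still enabled but not used since
    """
    register = {p.name: p for p in providers}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # access already removed; nothing to report
        prov = register.get(acct.provider)
        if prov is None:
            findings.append(Finding(acct.username, acct.provider, "high",
                                    "provider missing from the register"))
            continue
        if prov.engagement_end is None or prov.engagement_end >= today:
            continue  # engagement still running; access is expected
        if acct.last_login is not None and acct.last_login > prov.engagement_end:
            findings.append(Finding(acct.username, acct.provider, "high",
                                    "account used after the engagement ended"))
        else:
            findings.append(Finding(acct.username, acct.provider, "medium",
                                    "engagement ended but access not removed"))
    return findings


# Constructed sample data: a small register and an account export.
SAMPLE_REGISTER = [
    Provider("CoreBank Hosting", None),
    Provider("LedgerCloud", date(2016, 3, 31)),
    Provider("PrintVendor Co", date(2015, 12, 31)),
]

SAMPLE_ACCOUNTS_CSV = """username,provider,enabled,last_login
svc_corebank_ops,CoreBank Hosting,true,2016-06-29
svc_ledger_sync,LedgerCloud,true,2016-04-15
svc_ledger_report,LedgerCloud,true,
svc_print_old,PrintVendor Co,false,2015-11-02
svc_print_api,PrintVendor Co,true,2015-12-20
svc_unknown_etl,DataMover LLC,true,2016-06-01
"""


def run_sample(today: date = date(2016, 6, 30)) -> List[Finding]:
    return reconcile(SAMPLE_REGISTER, load_accounts(SAMPLE_ACCOUNTS_CSV), today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:6} {f.username:18} {f.provider:17} {f.reason}")
```

Run against the real register and a fresh account export on the same schedule as the ISSP review; an empty result is the evidence that question 1 and the access-removal procedure are being met.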
  
ISSP Resources

SANS Institute (SANS) – https://www.sans.org/
Open Web Application Security Project (OWASP) – https://www.owasp.org
ISACA's Control Objectives for Information and Related Technology (COBIT) 5 – https://cobitonline.isaca.org/
National Institute of Standards and Technology (NIST) – https://www.nist.gov/


More Related Content

What's hot

PECB Webinar: Enterprise Risk Management with ISO 27001 perspective
PECB Webinar: Enterprise Risk Management with ISO 27001 perspectivePECB Webinar: Enterprise Risk Management with ISO 27001 perspective
PECB Webinar: Enterprise Risk Management with ISO 27001 perspectivePECB
 
Risk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningRisk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningKeyaan Williams
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
 
Implementing Business Aligned Security Strategy Dane Warren Li
Implementing Business Aligned Security Strategy Dane Warren LiImplementing Business Aligned Security Strategy Dane Warren Li
Implementing Business Aligned Security Strategy Dane Warren LiDaneWarren
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
SMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMSMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMIvanti
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security StrategyAndrew Byers
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSecurestorm
 
Using ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and GovernanceUsing ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and GovernancePECB
 
Supplement To Student Guide Seminar 03 A 3 Nov09
Supplement To Student Guide   Seminar 03 A 3 Nov09Supplement To Student Guide   Seminar 03 A 3 Nov09
Supplement To Student Guide Seminar 03 A 3 Nov09Tammy Clark
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerEnclaveSecurity
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk ManagementGoutama Bachtiar
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskSarah Clarke
 
Information Secuirty Vulnerability Management
Information Secuirty   Vulnerability ManagementInformation Secuirty   Vulnerability Management
Information Secuirty Vulnerability Managementtschraider
 
Iso27001 Risk Assessment Approach
Iso27001   Risk Assessment ApproachIso27001   Risk Assessment Approach
Iso27001 Risk Assessment Approachtschraider
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesGreenway Health
 
Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk managementG3 intelligence Ltd
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & StrategyTony Hauxwell
 

What's hot (20)

PECB Webinar: Enterprise Risk Management with ISO 27001 perspective
PECB Webinar: Enterprise Risk Management with ISO 27001 perspectivePECB Webinar: Enterprise Risk Management with ISO 27001 perspective
PECB Webinar: Enterprise Risk Management with ISO 27001 perspective
 
Risk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningRisk Management and Security in Strategic Planning
Risk Management and Security in Strategic Planning
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
Implementing Business Aligned Security Strategy Dane Warren Li
Implementing Business Aligned Security Strategy Dane Warren LiImplementing Business Aligned Security Strategy Dane Warren Li
Implementing Business Aligned Security Strategy Dane Warren Li
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
 
SMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMSMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSM
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game plan
 
Using ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and GovernanceUsing ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and Governance
 
Supplement To Student Guide Seminar 03 A 3 Nov09
Supplement To Student Guide   Seminar 03 A 3 Nov09Supplement To Student Guide   Seminar 03 A 3 Nov09
Supplement To Student Guide Seminar 03 A 3 Nov09
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primer
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the risk
 
Information Secuirty Vulnerability Management
Information Secuirty   Vulnerability ManagementInformation Secuirty   Vulnerability Management
Information Secuirty Vulnerability Management
 
Iso27001 Risk Assessment Approach
Iso27001   Risk Assessment ApproachIso27001   Risk Assessment Approach
Iso27001 Risk Assessment Approach
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best Practices
 
Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk management
 
Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment Basics
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & Strategy
 

Viewers also liked

22241862 delli zabaleta grupo 2 taller # 8
22241862 delli zabaleta grupo 2  taller # 822241862 delli zabaleta grupo 2  taller # 8
22241862 delli zabaleta grupo 2 taller # 8neilapalencia
 
Mycardial infraction.ppt
Mycardial infraction.pptMycardial infraction.ppt
Mycardial infraction.pptKrishna Kumar
 
SMWNYC 2017 - Contently - How to Build an Online Community that Doesn't Suck
SMWNYC 2017 - Contently - How to Build an Online Community that Doesn't SuckSMWNYC 2017 - Contently - How to Build an Online Community that Doesn't Suck
SMWNYC 2017 - Contently - How to Build an Online Community that Doesn't SuckSocial Media Week
 
C1 cda pharmacologic management ppp 2015
C1 cda pharmacologic management ppp 2015C1 cda pharmacologic management ppp 2015
C1 cda pharmacologic management ppp 2015Diabetes for all
 
C1 cda pharmacologic management of type 2 diabetes 2016
C1 cda pharmacologic management of type 2 diabetes 2016C1 cda pharmacologic management of type 2 diabetes 2016
C1 cda pharmacologic management of type 2 diabetes 2016Diabetes for all
 
Fraçoes 2
Fraçoes 2Fraçoes 2
Fraçoes 2flufy
 
Emerging Services for Research Informatio Management (RIM) through Enterprise...
Emerging Services for Research Informatio Management (RIM) through Enterprise...Emerging Services for Research Informatio Management (RIM) through Enterprise...
Emerging Services for Research Informatio Management (RIM) through Enterprise...OCLC
 
SMWNYC 2017 - VaynerMedia - How Johnnie Walker Brought Drunk Driving Into Soc...
SMWNYC 2017 - VaynerMedia - How Johnnie Walker Brought Drunk Driving Into Soc...SMWNYC 2017 - VaynerMedia - How Johnnie Walker Brought Drunk Driving Into Soc...
SMWNYC 2017 - VaynerMedia - How Johnnie Walker Brought Drunk Driving Into Soc...Social Media Week
 
NFA Interpretive Notice on Info Security
NFA Interpretive Notice on Info SecurityNFA Interpretive Notice on Info Security
NFA Interpretive Notice on Info SecurityWesley Moore
 
Biml for Beginners: Speed up your SSIS development (Malta Microsoft Data Plat...
Biml for Beginners: Speed up your SSIS development (Malta Microsoft Data Plat...Biml for Beginners: Speed up your SSIS development (Malta Microsoft Data Plat...
Biml for Beginners: Speed up your SSIS development (Malta Microsoft Data Plat...Cathrine Wilhelmsen
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overviewJulia Urbina-Pineda
 
Configuration beyond Java EE 8
Configuration beyond Java EE 8Configuration beyond Java EE 8
Configuration beyond Java EE 8Anatole Tresch
 
Module 4 power point final
Module 4 power point finalModule 4 power point final
Module 4 power point finalBrandon Dickens
 

Viewers also liked (20)

22241862 delli zabaleta grupo 2 taller # 8
22241862 delli zabaleta grupo 2  taller # 822241862 delli zabaleta grupo 2  taller # 8
22241862 delli zabaleta grupo 2 taller # 8
 
2 disoluciones
2 disoluciones2 disoluciones
2 disoluciones
 
Mycardial infraction.ppt
Mycardial infraction.pptMycardial infraction.ppt
Mycardial infraction.ppt
 
Cardiac arrhythmia
Cardiac arrhythmiaCardiac arrhythmia
Cardiac arrhythmia
 
POLINOMIOS INTERPOLADORES
POLINOMIOS INTERPOLADORESPOLINOMIOS INTERPOLADORES
POLINOMIOS INTERPOLADORES
 
Inteligencias multiples
Inteligencias multiplesInteligencias multiples
Inteligencias multiples
 
Seminario 3
Seminario 3Seminario 3
Seminario 3
 
SMWNYC 2017 - Contently - How to Build an Online Community that Doesn't Suck
SMWNYC 2017 - Contently - How to Build an Online Community that Doesn't SuckSMWNYC 2017 - Contently - How to Build an Online Community that Doesn't Suck
SMWNYC 2017 - Contently - How to Build an Online Community that Doesn't Suck
 
C1 cda pharmacologic management ppp 2015
C1 cda pharmacologic management ppp 2015C1 cda pharmacologic management ppp 2015
C1 cda pharmacologic management ppp 2015
 
C1 cda pharmacologic management of type 2 diabetes 2016
C1 cda pharmacologic management of type 2 diabetes 2016C1 cda pharmacologic management of type 2 diabetes 2016
C1 cda pharmacologic management of type 2 diabetes 2016
 
Pototsky palace
Pototsky palacePototsky palace
Pototsky palace
 
Fraçoes 2
Fraçoes 2Fraçoes 2
Fraçoes 2
 
Emerging Services for Research Informatio Management (RIM) through Enterprise...
Emerging Services for Research Informatio Management (RIM) through Enterprise...Emerging Services for Research Informatio Management (RIM) through Enterprise...
Emerging Services for Research Informatio Management (RIM) through Enterprise...
 
SMWNYC 2017 - VaynerMedia - How Johnnie Walker Brought Drunk Driving Into Soc...
SMWNYC 2017 - VaynerMedia - How Johnnie Walker Brought Drunk Driving Into Soc...SMWNYC 2017 - VaynerMedia - How Johnnie Walker Brought Drunk Driving Into Soc...
SMWNYC 2017 - VaynerMedia - How Johnnie Walker Brought Drunk Driving Into Soc...
 
NFA Interpretive Notice on Info Security
NFA Interpretive Notice on Info SecurityNFA Interpretive Notice on Info Security
NFA Interpretive Notice on Info Security
 
Biml for Beginners: Speed up your SSIS development (Malta Microsoft Data Plat...
Biml for Beginners: Speed up your SSIS development (Malta Microsoft Data Plat...Biml for Beginners: Speed up your SSIS development (Malta Microsoft Data Plat...
Biml for Beginners: Speed up your SSIS development (Malta Microsoft Data Plat...
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
 
Laserové tonery dell
Laserové tonery dellLaserové tonery dell
Laserové tonery dell
 
Configuration beyond Java EE 8
Configuration beyond Java EE 8Configuration beyond Java EE 8
Configuration beyond Java EE 8
 
Module 4 power point final
Module 4 power point finalModule 4 power point final
Module 4 power point final
 

Similar to Information Security Risk Management Overview

Lecture on Safety Management.pptx
Lecture on Safety Management.pptxLecture on Safety Management.pptx
Lecture on Safety Management.pptxatwine1
 
Risk Assessment Famework
Risk Assessment FameworkRisk Assessment Famework
Risk Assessment Fameworklneut03
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurestorm
 
Information Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management FrameworkInformation Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management FrameworkWilliam McBorrough
 
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™RiskWatch for Credit Unions™
RiskWatch for Credit Unions™CPaschal
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™CPaschal
 
What is expected from an organization under NCA ECC Compliance?
What is expected from an organization under NCA ECC Compliance?What is expected from an organization under NCA ECC Compliance?
What is expected from an organization under NCA ECC Compliance?VISTA InfoSec
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit ProcessRam Srivastava
 
EMPLOYEE PARTICIPATION IN SAFETY.pdf
EMPLOYEE PARTICIPATION IN SAFETY.pdfEMPLOYEE PARTICIPATION IN SAFETY.pdf
EMPLOYEE PARTICIPATION IN SAFETY.pdfBimal Chandra Das
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdfsdfghj21
 
Jobsite Safety
Jobsite SafetyJobsite Safety
Jobsite SafetyTony Loup
 
Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Accounting_Whitepapers
 

Similar to Information Security Risk Management Overview (20)

MAPPING_ISO27001_TO_COBIT4.1
MAPPING_ISO27001_TO_COBIT4.1MAPPING_ISO27001_TO_COBIT4.1
MAPPING_ISO27001_TO_COBIT4.1
 
Lecture on Safety Management.pptx
Lecture on Safety Management.pptxLecture on Safety Management.pptx
Lecture on Safety Management.pptx
 
Risk Assessment Famework
Risk Assessment FameworkRisk Assessment Famework
Risk Assessment Famework
 
Cv HASSAN RIAZ
Cv HASSAN RIAZCv HASSAN RIAZ
Cv HASSAN RIAZ
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk Managment
 
Information Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management FrameworkInformation Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management Framework
 
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™RiskWatch for Credit Unions™
RiskWatch for Credit Unions™
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
 
What is expected from an organization under NCA ECC Compliance?
What is expected from an organization under NCA ECC Compliance?What is expected from an organization under NCA ECC Compliance?
What is expected from an organization under NCA ECC Compliance?
 
PB CV v0.4
PB CV v0.4PB CV v0.4
PB CV v0.4
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
 
HIPAA omnibus rule update
HIPAA omnibus rule updateHIPAA omnibus rule update
HIPAA omnibus rule update
 
EMPLOYEE PARTICIPATION IN SAFETY.pdf
EMPLOYEE PARTICIPATION IN SAFETY.pdfEMPLOYEE PARTICIPATION IN SAFETY.pdf
EMPLOYEE PARTICIPATION IN SAFETY.pdf
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
HIRA Manual
HIRA ManualHIRA Manual
HIRA Manual
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
 
Jobsite Safety
Jobsite SafetyJobsite Safety
Jobsite Safety
 
Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015
 

Recently uploaded

8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedLean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedKaiNexus
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionMintel Group
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,noida100girls
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaoncallgirls2057
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Timedelhimodelshub1
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 

Recently uploaded (20)

8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedLean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted Version
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 

Information Security Risk Management Overview

  • 1. Information Security Risk Management Overview
    Federal Financial Institutions Examination Council
    FFIEC IT Security Handbook
    http://ithandbook.ffiec.gov/it-booklets/information-security.aspx
    Wesley.Moore@Quarule.com
  • 2. Financial Institutions Use an IT Security Process
    Regulatory rules
    1. Financial institutions (FIs) protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.
    2. The process is designed to identify, measure, manage, and control the risks to system and data availability, integrity, and confidentiality, and to ensure accountability for system actions.
    Key Compliance Questions
    a) Has the FI implemented an ongoing security process?
    b) Has the FI instituted appropriate governance for the security process?
    c) Has the FI assigned clear and appropriate roles and responsibilities?
    © 2014-2016 Quarule, Inc. - Confidential & Proprietary
  • 3. What Comprises the Security Process Framework?
    Regulatory rules
    The security process framework has five areas: Information Security Risk Assessment, Information Security Strategy, Security Controls Implementation, Security Monitoring, and Security Process Monitoring and Updating.
    An Information Security Risk Assessment (ISRA) is a process to identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes.
    Key Compliance Questions
    Does the security process include an IS Risk Assessment?
    Does the IS Risk Assessment identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes?
  • 4. The Board Approves the Info Security Strategy!
    Regulatory rules
    The Information Security Strategy is a plan to mitigate risk that integrates technology, policies, procedures, and training. The plan should be reviewed and approved by the board of directors.
    Key Compliance Questions
    Is the Information Security Strategy reviewed and approved by the board of directors?
  • 5. What is a Security Controls Implementation?
    Regulatory rules
    Security Controls Implementation includes:
    - acquisition and operation of technology,
    - assignment of duties and responsibilities to managers and staff,
    - deployment of risk-appropriate controls,
    - assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties.
    Key Compliance Questions
    Is the Security Controls Implementation adequate?
  • 6. What Does Security Monitoring Entail?
    Regulatory rules
    Security monitoring uses methodologies to gain assurance that risks are appropriately assessed and mitigated.
    Security monitoring should verify that significant controls are effective and performing as intended.
    Key Compliance Questions
    Does security monitoring assess whether risks are appropriately assessed?
    Does security monitoring assess whether risks are appropriately mitigated?
  • 7. How is Security Process Monitoring Used?
    Regulatory rules
    Security Process Monitoring and Updating is the process of continuously gathering and analyzing information regarding new threats and vulnerabilities, and actual attacks on this or other institutions.
    Information learned from Security Process Monitoring and Updating should be used to update this institution's risk assessment, strategy, and controls.
    Key Compliance Questions
    Does Security Process Monitoring and Updating continuously gather and analyze information regarding new threats, new vulnerabilities, actual attacks on this institution, and actual attacks on other institutions?
    Does this institution use the information learned from Security Process Monitoring and Updating to update risk assessments, strategy, and controls?
  • 8. Governance Ensures Info Security is Managed
    Regulatory rules
    Governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, monitoring, and accountability.
    Governance is required to ensure that tasks are completed appropriately, that accountability is maintained, and that risk is managed for the entire enterprise.
    Key Compliance Questions
    Does the governance ensure that tasks are completed appropriately?
    Does the governance ensure that accountability is maintained?
    Does the governance ensure that risk is managed for the entire enterprise?
  • 9. Who is Accountable?
    Regulatory rules
    Information security is the responsibility of everyone who has the opportunity to control or report the institution's data.
    Information security should be supported throughout the institution, including the board of directors, senior management, information security officers, employees, auditors, service providers, and contractors.
    Each role should be accountable for actions taken. Accountability requires:
    - clear use of appropriate authority
    - clear communication of expectations
    - delegation and judicious use of appropriate authority
    Key Compliance Questions
    Have expectations been clearly communicated?
    Are there clear reporting lines?
    Do the delegation practices of this institution bring about appropriate compliance with this institution's policies, standards, and procedures?
  • 10. What is the Board's Responsibility?
    Regulatory rules
    The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the information security program.
    The board should provide management with its expectations and requirements and hold management accountable for:
    - central oversight and coordination
    - monitoring and testing
    - assignment of responsibility
    - risk assessment and measurement
    - reporting
    - acceptable residual risk.
    The board should approve written information security policies and the written report on the effectiveness of the information security program at least annually.
    Key Compliance Questions
    Has the board fulfilled its responsibilities to oversee the information security program?
    Has the board made senior management accountable?
    Does the board approve policies and a report on the IS security program at least annually?
  • 11. What is Senior Management's Responsibility?
    Regulatory rules
    Senior management should:
    - clearly support all aspects of the information security program,
    - implement the information security program as approved by the board,
    - establish appropriate policies, procedures, and controls,
    - participate in assessing the effect of security issues on the financial institution and its business lines and processes,
    - delineate clear lines of responsibility and accountability for information security risk management decisions,
    - define risk measurement definitions and criteria,
    - establish acceptable levels of information security risks, and oversee risk mitigation activities.
    Key Compliance Questions
    Has senior management fulfilled its responsibilities to support, implement, control, maintain and assess the information security program?
  • 12. Who are the Information Security Officers?
    Regulatory rules
    Senior management should designate one or more individuals as information security officers. Information security officers should report directly to the board of directors or to senior management, have sufficient independence to perform their assigned tasks, and have the authority to respond to a security event.
    Key Compliance Questions
    Did senior management designate one or more individuals as information security officers?
    Do Information Security Officers have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value?
  • 13. Who Ensures Integration of Security Controls?
    Regulatory rules
    Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should:
    - Ensure the security process is governed by organizational policies and practices
    - Require that data with similar criticality and sensitivity be protected consistently
    - Enforce compliance with the security program in a balanced and consistent manner
    - Coordinate information security with physical security
    - Ensure an effective information security awareness program has been implemented
    Key Compliance Questions
    Has senior management fulfilled its responsibilities to support integration throughout the organization?
  • 14. Who Accepts the Risk and Performs Mitigation?
    Regulatory rules
    Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors. Those decisions should be incorporated into the institution's policies, standards, and procedures.
    Key Compliance Questions
    Has the Board approved guidance for senior management regarding the acceptance of security risks and the performance of risk mitigating activities?
    Has that guidance been incorporated into the institution's policies, standards, and procedures?
  • 15. Do Employees Understand What to Do?
    Regulatory rules
    Institutions can achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring.
    Key Compliance Questions
    Does the institution define security responsibilities in its security policy?
    Do job descriptions and contracts specify any additional security responsibilities beyond the general policies?
    Does the institution achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring?
  • 16. Who Monitors External Parties?
    Regulatory rules
    Management also should consider and monitor the roles and responsibilities of external parties.
    The security responsibilities of technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should be clearly delineated and documented in contracts.
    Sufficient controls should be included in the contract to enable management to enforce contractual requirements.
    Key Compliance Questions
    Does management consider and monitor entities that have access to the institution's systems?
    Are controls sufficient and backed up by contractual commitments?
  • 17. What's an Information Security Risk Assessment?
    Regulatory rules
    Financial institutions must maintain an ongoing information security risk assessment program.
    Key Compliance Questions
    Does the FI gather sufficient information to document a thorough understanding of the operating and business environments?
    Does the FI gather relevant technical information about: network maps detailing internal and external connectivity; hardware and software inventories; databases and files that contain critical and/or confidential information; processing arrangements and interfaces with external entities; hardware and software configurations; and policies, standards, and procedures for the operation, maintenance, upgrading, and monitoring of technical systems?
  • 18. Are the Controls Effective?
    Regulatory rules
    Non-technical information that may be necessary includes the policies, standards, and procedures addressing:
    - physical security of facilities and information assets
    - personnel security, vendor contracts, personnel security training and expertise, and insurance coverage
    - control effectiveness
    Key Compliance Questions
    Does the institution gather the policies, standards, and procedures addressing physical security (including facilities as well as information assets that include loan documentation, deposit records and signature cards, and key and access code lists), personnel security (including hiring background checks and behavior monitoring), vendor contracts, personnel security training and expertise, and insurance coverage?
    Does the institution gather information on control effectiveness?
  • 19. Does the Program Identify, Analyze and Prioritize Risks?
    Regulatory rules
    A risk assessment should include an identification of information and the information systems to be protected, including electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information.
    Key Compliance Questions
    Does the information security risk assessment program effectively gather data regarding the information and technology assets, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements?
    Does the ongoing information security risk assessment program effectively analyze the probability and impact of the known threats and vulnerabilities?
    Does the ongoing information security risk assessment program effectively prioritize the risks to determine the appropriate level of training, controls, and assurance necessary for effective mitigation?
  • 20. What are the Systems and Data Flow?
    Regulatory rules
    The institution's analysis should include a system characterization and data flow analysis of networks (where feasible), computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems.
    Include backup tapes, portable computers, personal digital assistants, media such as compact disks, micro drives, and diskettes, and media used in software development and testing.
    In identifying information and the information systems, it is important to understand how the institution uses information in its day-to-day operations.
    Key Compliance Questions
    Is the institution's analysis complete?
    Does the risk assessment address employee access, use, and dissemination of information in response to requests?
  • 21. What are the Service Providers' Programs and Controls?
    Regulatory rules
    The institution's system architecture diagram and related documentation should identify service provider relationships, where and how data is passed between systems, and the relevant controls that are in place.
    Key Compliance Questions
    Does the financial institution consider its outsourcing strategy in identifying relevant data flows and information processing activities?
  • 22. Do We Classify and Rank Data, Systems, and Applications?
    Regulatory rules
    FIs should assess the relative importance of the various information systems based on the nature of their function, the criticality of data they support, and the sensitivity of data they store, transmit, or protect.
    When assessing the sensitivity of data, institutions should consider the increased risk posed to the institution from the aggregation of data elements.
    Key Compliance Questions
    Does the FI assess the importance of information systems?
    Does the FI consider the increased risk of aggregation of data elements?
  • 23. Information Systems Security Programs
    National Futures Association
    9070 - NFA COMPLIANCE RULES 2-9, 2-36 AND 2-49: INFORMATION SYSTEMS SECURITY PROGRAMS
    http://www.nfa.futures.org/nfamanual/NFAManual.aspx?RuleID=9070&Section=9
  • 24. What Comprises the Information Systems Security Program?
    Regulatory rules
    Five areas of an Information Systems Security Program (ISSP):
    1. Written Program
    2. Security and Risk Analysis
    3. Deployment of Protective Measures Against Identified Threats and Vulnerabilities
    4. Response and Recovery from Threats to Electronic Systems
    5. Employee Training
  • 25. Do We Have a Written Information Security Systems Program (ISSP)?
    Regulatory rules
    a) Members must adopt and enforce a written ISSP designed to provide safeguards and protect against security threats or hazards to their technology systems.
    b) The written ISSP must be appropriate to the Member's size, complexity of operations, type of customers and counterparties, the sensitivity of the data accessible within its systems, and its electronic interconnectivity with other entities.
    c) There are several cybersecurity best practices and standards readily available, including those promulgated by SANS, OWASP, ISACA's COBIT 5, and NIST.
    Key Compliance Questions
    1. Does the Member have a written ISSP?
    2. Is the ISSP appropriate for the Member's specific needs?
  • 26. Do We Analyze Security and Risk?
    There are many different types of internal and external threats, including:
    a) Loss, destruction or theft of data;
    b) Attacks by viruses, spyware and other malware; and
    c) Interception and compromising of electronic transmissions.
    Key Compliance Questions
    1. Does the Member keep track of its hardware and software?
    2. Has the Member reviewed the vulnerabilities of its electronic infrastructure?
    3. Is the Member's data secure?
  • 27. Do We Assess and Prioritize?
    Members must assess and prioritize the risks associated with the use of their information technology systems.
    Regulatory rules
    a) Estimate the severity of the potential threats;
    b) Perform a vulnerability analysis; and
    c) Decide how to manage the risks of these threats.
    Key Compliance Questions
    1. Have there been any past incidents?
    2. What are the known threats identified by other entities?
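Slides 19, 22 and 27 all ask for the same thing: score each known threat/vulnerability pair by probability and impact, weight it by the importance of the affected system (including the extra sensitivity that aggregated data elements bring), and turn the ranking into a decision on how the risk will be managed. The block below is an added worked example of that prioritization, not code from the slides, from Quarule, or from the FFIEC or NFA texts; the five-point scales, the aggregation uplift, the treatment thresholds and every system, threat and vulnerability name are constructed assumptions chosen to make the arithmetic visible.

```python
from dataclasses import dataclass, field

# Ordinal scales, constructed for this example; the FFIEC and NFA texts
# prescribe no particular scale, only that probability and impact be analyzed.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Data elements that identify a customer or employee. Holding several together
# is riskier than holding any one of them (the aggregation point on slide 22).
IDENTIFYING_ELEMENTS = {"name", "ssn", "account_number", "date_of_birth", "address"}


@dataclass
class System:
    name: str
    function_criticality: int            # 1..5: how essential the business function is
    data_elements: set = field(default_factory=set)

    def sensitivity(self) -> int:
        """1..5: one point per identifying element held, plus an uplift of one
        when three or more are aggregated in the same system (assumed rule)."""
        held = len(self.data_elements & IDENTIFYING_ELEMENTS)
        score = min(held, 5)
        if held >= 3:
            score = min(score + 1, 5)
        return score

    def weight(self) -> int:
        # A system is as important as the more demanding of its two ratings.
        return max(self.function_criticality, self.sensitivity())


@dataclass
class Risk:
    system: System
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    def score(self) -> int:
        # probability x impact, scaled by the importance of the affected system
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact] * self.system.weight()


def treatment(score: int) -> str:
    """Map a score onto the decision slide 27 asks for: how to manage the risk.
    Thresholds are constructed for this example."""
    if score >= 60:
        return "mitigate now"
    if score >= 30:
        return "plan mitigation"
    return "accept and monitor"


def prioritize(risks: list) -> list:
    """Highest score first, so the register reads top-down as a work list."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def sample_register() -> list:
    """Constructed inventory and risk register (hypothetical systems and threats)."""
    core = System("core-banking", 5, {"name", "ssn", "account_number", "address"})
    hr = System("hr-portal", 3, {"name", "ssn", "date_of_birth"})
    web = System("marketing-site", 2, {"name", "email"})
    risks = [
        Risk(web, "website defacement", "outdated CMS plugin", "likely", "minor"),
        Risk(core, "backup media lost in transit", "unencrypted backup tapes", "unlikely", "major"),
        Risk(core, "remote compromise of exposed service", "missing security patches", "possible", "severe"),
        Risk(hr, "credential theft via phishing", "no multi-factor authentication", "likely", "major"),
    ]
    return prioritize(risks)


if __name__ == "__main__":
    for r in sample_register():
        print(f"{r.score():3d}  {treatment(r.score()):18s} {r.system.name}: "
              f"{r.threat} ({r.vulnerability})")
```

Note how the HR portal outranks the core-banking backup risk even though its function is rated less critical: three identifying elements held together lift its sensitivity to 4, which is exactly the aggregation effect slide 22 asks institutions to account for. The weights and thresholds are the parts an institution would replace with the definitions and criteria its senior management sets (slide 11).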
  • 28. How Do We Protect Against Identified Threats and Vulnerabilities?
    A Member should document in its ISSP the safeguards that it deploys after reviewing and prioritizing threats and vulnerabilities. These safeguards will depend on the Member's specific needs, and can include:
    a) Physically protecting buildings, equipment and assets;
    b) Using and maintaining up-to-date firewall, anti-virus and anti-malware software;
    c) Limiting both physical and electronic access;
    d) Ensuring that systems are regularly and properly updated;
    e) Deploying encryption software;
    f) Preventing the use of unauthorized software;
    g) Backing up systems and data; and
    h) Ensuring that mobile devices are subject to similar applicable safeguards.
  • 29. How Do We Detect Potential Threats and Vulnerabilities?
    Regulatory rules
    Members should also document and implement reasonable procedures to detect potential threats, including new and emerging threats.
    Key Compliance Questions
    1. What procedures does the Member have in place?
    2. Do those procedures meet the proper standards?
    3. Is the Member a part of a threat-sharing organization which can alert the Member to new and emerging threats?
  • 30. How Do We Respond to Threats to Electronic Systems?
    Regulatory rules
    Members should create an incident response plan to provide a framework to manage detected security incidents, analyze their potential impact and take appropriate measures to contain and mitigate their threat.
    The response plan should list out how the Member will address potential incidents, including how it will communicate and escalate incidents internally, and how it will communicate externally with customers, counterparties, regulators, and law enforcement.
    The Member's response plan should also include how the Member plans to restore compromised systems and data, and how it will incorporate lessons learned into the ISSP.
    Key Compliance Questions
    1. Does the Member have a response plan?
    2. Does the response plan detail how to determine the level and type of threat and how to respond?
    3. Does the response plan detail how to restore compromised systems and data?
    4. Does the response plan detail who, how and when to communicate details of an incident?
  • 31. Does Everyone Know What to Do?
    Regulatory rules
    A Member's ISSP should contain a description of the Member's education and training relating to information security for all appropriate personnel. This training program should be conducted for employees upon hiring and periodically during their employment, and should be appropriate to the security risks the Member faces as well as the composition of its workforce.
    Key Compliance Questions
    1. Are the Member's employees trained in information security?
    2. Does the Member train employees on information security both at hiring and throughout employment?
    3. Is the training appropriate for the risks and the workforce?
  • 32. How Do We Know if the Info Systems Security Plan (ISSP) is Effective?
    Regulatory rules
    A Member should monitor and regularly review the effectiveness of its ISSP, including the efficacy of the safeguards deployed, and make appropriate adjustments.
    The review should be done at least once every year, and may be done by in-house staff with appropriate knowledge or by engaging an independent third-party information security specialist.
    Key Compliance Questions
    1. Does the Member schedule regular reviews of its ISSP?
    2. Does the Member have qualified employees who can perform the review, or does the Member need to hire an outside party?
  • 33. Are Third-Party Service Providers Secure?
    Regulatory rules
    A Member's ISSP should also address the risks posed by third-party service providers that have access to a Member's systems, operate outsourced systems for the Member or provide cloud-based services to the Member.
    Since the Member does not control the third-party service providers, it is crucial that the Member perform due diligence on a service provider's security practices and avoid using third parties whose security standards are not comparable to the Member's standards in a particular area or activity.
    A Member should also place appropriate access controls on its information systems and data and have a procedure to remove access when a service provider is no longer providing services.
    Key Compliance Questions
    1. Does the Member keep a list of any service providers it employs?
    2. Does the Member monitor the security practices of its service providers?
    3. Does the Member have access controls in place to prevent improper access?
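Slide 33's last rule (remove access when a service provider is no longer providing services) and its first compliance question (keep a list of the providers employed) combine naturally into a periodic access review: compare every enabled third-party account against the approved provider list and the contract status. The block below is an added example of such a check, not code from the slides, from Quarule, or from the NFA rule; the account record layout, the provider names, the 90-day dormancy threshold and the review date are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed threshold: the rule asks for a removal procedure but sets no number.
DORMANT_AFTER = timedelta(days=90)


def review_provider_access(accounts, providers, today):
    """Return (username, reason) findings for enabled service-provider accounts
    that should no longer have access.

    providers: dict mapping provider name -> contract end date, or None while
               the engagement is still active (the Member's provider list).
    accounts:  dicts with keys username, owner_type, provider, enabled,
               last_login (a date, or None if the account has never been used).
    """
    findings = []
    for acct in accounts:
        # Only enabled third-party accounts are in scope for this review.
        if acct["owner_type"] != "service_provider" or not acct["enabled"]:
            continue
        provider = acct["provider"]
        if provider not in providers:
            findings.append((acct["username"], "provider not on the approved service-provider list"))
            continue
        end = providers[provider]
        last = acct["last_login"]
        if end is not None and end <= today:
            reason = f"contract with {provider} ended {end.isoformat()}"
            if last is not None and last > end:
                # Access was exercised after the engagement ended: escalate.
                reason += ", account used after that date"
            findings.append((acct["username"], reason))
            continue
        if last is None or today - last > DORMANT_AFTER:
            findings.append((acct["username"], "dormant third-party account"))
    return findings


def sample_findings():
    """Constructed provider list and account inventory (hypothetical names)."""
    today = date(2016, 6, 30)
    providers = {
        "AcmeCloud": None,               # active engagement
        "DataVault": date(2016, 3, 31),  # contract ended
        "NetMonitor": None,
    }
    accounts = [
        {"username": "svc-acmecloud-1", "owner_type": "service_provider", "provider": "AcmeCloud",
         "enabled": True, "last_login": date(2016, 6, 29)},
        {"username": "svc-datavault-1", "owner_type": "service_provider", "provider": "DataVault",
         "enabled": True, "last_login": date(2016, 4, 2)},
        {"username": "svc-datavault-2", "owner_type": "service_provider", "provider": "DataVault",
         "enabled": False, "last_login": None},
        {"username": "svc-netmon-1", "owner_type": "service_provider", "provider": "NetMonitor",
         "enabled": True, "last_login": date(2016, 1, 15)},
        {"username": "svc-oldvendor", "owner_type": "service_provider", "provider": "OldVendor",
         "enabled": True, "last_login": date(2016, 6, 1)},
        {"username": "jsmith", "owner_type": "employee", "provider": None,
         "enabled": True, "last_login": date(2016, 6, 30)},
    ]
    return review_provider_access(accounts, providers, today)


if __name__ == "__main__":
    for username, reason in sample_findings():
        print(f"{username}: {reason}")
```

The review only works if the provider list is maintained as a system of record rather than a spreadsheet nobody updates: an account whose provider is missing from the list is reported precisely because the check cannot tell whether it is a forgotten vendor or an undocumented one, and either answer is a finding for the ISSP review on slide 32.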
  • 34. ISSP Resources
    SANS Institute (SANS) – https://www.sans.org/
    Open Web Application Security Project (OWASP) – https://www.owasp.org
    ISACA's Control Objectives for Information and Related Technology (COBIT) 5 – https://cobitonline.isaca.org/
    National Institute of Standards and Technology (NIST) – https://www.nist.gov/