Information Security Risk Management Overview
Wesley Moore
Summary of FFIEC Guidance on Information Security Risk Management Programs
1.
Information Security Risk Management Overview
Federal Financial Institutions Examination Council
FFIEC IT Security Handbook
http://ithandbook.ffiec.gov/it-booklets/information-security.aspx
Wesley.Moore@Quarule.com
2.
Financial Institutions Use an IT Security Process
Regulatory rules
1. Financial institutions (FIs) protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.
2. The process is designed to identify, measure, manage, and control the risks to system and data availability, integrity, and confidentiality, and to ensure accountability for system actions.
Key Compliance Questions
a) Has the FI implemented an ongoing security process?
b) Has the FI instituted appropriate governance for the security process?
c) Has the FI assigned clear and appropriate roles and responsibilities?
© 2014-2016 Quarule, Inc. - Confidential & Proprietary
3.
What Comprises the Security Process Framework?
Regulatory rules
The security process framework has five areas: Information Security Risk Assessment, Information Security Strategy, Security Controls Implementation
An Information Security Risk Assessment (ISRA) is a process to identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes.
Key Compliance Questions
Does the security process include an IS Risk Assessment?
Does the IS Risk Assessment identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes?
4.
The Board Approves the Info Security Strategy!
Regulatory rules
The Information Security Strategy is a plan to mitigate risk that integrates technology, policies, procedures, and training. The plan should be reviewed and approved by the board of directors.
Key Compliance Questions
Is the Information Security Strategy reviewed and approved by the board of directors?
5.
What is a Security Controls Implementation?
Regulatory rules
Security Controls Implementation includes:
- acquisition and operation of technology,
- assignment of duties and responsibilities to managers and staff,
- deployment of risk-appropriate controls,
- assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties.
Key Compliance Questions
Is the Security Controls Implementation adequate?
6.
What Does Security Monitoring Entail?
Regulatory rules
Security monitoring uses methodologies to gain assurance that risks are appropriately assessed and mitigated. Security monitoring should verify that significant controls are effective and performing as intended.
Key Compliance Questions
Does security monitoring assess if risks are appropriately assessed?
Does security monitoring assess if risks are appropriately mitigated?
7.
How is Security Process Monitoring Used?
Regulatory rules
Security Process Monitoring and Updating is the process of continuously gathering and analyzing information regarding new threats and vulnerabilities, and actual attacks on this or other institutions. Information learned from Security Process Monitoring and Updating should be used to update this institution's risk assessment, strategy, and controls.
Key Compliance Questions
Does Security Process Monitoring and Updating continuously gather and analyze information regarding new threats, new vulnerabilities, actual attacks on this institution, and actual attacks on other institutions?
Does this institution use the information learned from Security Process Monitoring and Updating to update risk assessments, strategy, and controls?
8.
Governance Ensures Info Security is Managed
Regulatory rules
Governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, monitoring, and accountability. Governance is required to ensure that tasks are completed appropriately, that accountability is maintained, and that risk is managed for the entire enterprise.
Key Compliance Questions
Does the governance ensure that tasks are completed appropriately?
Does the governance ensure that accountability is maintained?
Does the governance ensure that risk is managed for the entire enterprise?
9.
Who is Accountable?
Regulatory rules
Information security is the responsibility of everyone who has the opportunity to control or report the institution's data. Information security should be supported throughout the institution, including the board of directors, senior management, information security officers, employees, auditors, service providers, and contractors. Each role should be accountable for actions taken.
Accountability requires:
- clear use of appropriate authority
- clear communication of expectations
- delegation and judicious use of appropriate authority
Key Compliance Questions
Have expectations been clearly communicated?
Are there clear reporting lines?
Do the delegation practices of this institution bring about appropriate compliance with this institution's policies, standards, and procedures?
10.
What is the Board's Responsibility?
Regulatory rules
The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the information security program. The board should provide management with its expectations and requirements and hold management accountable for:
- central oversight and coordination
- monitoring and testing
- assignment of responsibility
- risk assessment and measurement
- reporting
- acceptable residual risk.
The board should approve written information security policies and the written report on the effectiveness of the information security program at least annually.
Key Compliance Questions
Has the board fulfilled its responsibilities to oversee the information security program?
Has the board made senior management accountable?
Does the board approve policies and a report on the IS security program at least annually?
11.
What is Senior Management's Responsibility?
Regulatory rules
Senior management should:
- clearly support all aspects of the information security program,
- implement the information security program as approved by the board,
- establish appropriate policies, procedures, and controls,
- participate in assessing the effect of security issues on the financial institution and its business lines and processes,
- delineate clear lines of responsibility and accountability for information security risk management decisions,
- define risk measurement definitions and criteria,
- establish acceptable levels of information security risks,
- oversee risk mitigation activities.
Key Compliance Questions
Has senior management fulfilled its responsibilities to support, implement, control, maintain and assess the information security program?
12.
Who are the Information Security Officers?
Regulatory rules
Senior management should designate one or more individuals as information security officers. Information security officers should report directly to the board of directors or to senior management, have sufficient independence to perform their assigned tasks, and have the authority to respond to a security event.
Key Compliance Questions
Did senior management designate one or more individuals as information security officers?
Do information security officers have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value?
13.
Who Ensures Integration of Security Controls?
Regulatory rules
Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should:
- ensure the security process is governed by organizational policies and practices
- require that data with similar criticality and sensitivity be protected consistently
- enforce compliance with the security program in a balanced and consistent manner
- coordinate information security with physical security
- ensure an effective information security awareness program has been implemented
Key Compliance Questions
Has senior management fulfilled its responsibilities to support integration throughout the organization?
14.
Who Accepts the Risk and Performs Mitigation?
Regulatory rules
Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors. Those decisions should be incorporated into the institution's policies, standards, and procedures.
Key Compliance Questions
Has the board approved guidance for senior management regarding the acceptance of security risks and the performance of risk mitigating activities?
Has that guidance been incorporated into the institution's policies, standards, and procedures?
15.
Do Employees Understand What to Do?
Regulatory rules
Institutions can achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring.
Key Compliance Questions
Does the institution define security responsibilities in its security policy?
Do job descriptions and contracts specify any additional security responsibilities beyond the general policies?
Does the institution achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring?
16.
Who Monitors External Parties?
Regulatory rules
Management also should consider and monitor the roles and responsibilities of external parties. The security responsibilities of technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should be clearly delineated and documented in contracts. Sufficient controls should be included in the contract to enable management to enforce contractual requirements.
Key Compliance Questions
Does management consider and monitor entities that have access to the institution's systems?
Are controls sufficient and backed up by contractual commitments?
17.
What's an Information Security Risk Assessment?
Regulatory rules
Financial institutions must maintain an ongoing information security risk assessment program.
Key Compliance Questions
Does the FI gather sufficient information to document a thorough understanding of the operating and business environments?
Does the FI gather relevant technical information about: network maps detailing internal and external connectivity; hardware and software inventories; databases and files that contain critical and/or confidential information; processing arrangements and interfaces with external entities; hardware and software configurations; and policies, standards, and procedures for the operation, maintenance, upgrading, and monitoring of technical systems?
18.
Are the Controls Effective?
Regulatory rules
Non-technical information that may be necessary includes the policies, standards, and procedures addressing:
- physical security of facilities and information assets
- personnel security, vendor contracts, personnel security training and expertise, and insurance coverage
- control effectiveness
Key Compliance Questions
Does the institution gather the policies, standards, and procedures addressing physical security (including facilities as well as information assets such as loan documentation, deposit records and signature cards, and key and access code lists), personnel security (including hiring background checks and behavior monitoring), vendor contracts, personnel security training and expertise, and insurance coverage?
Does the institution gather information on control effectiveness?
19.
Does the Program Identify, Analyze and Prioritize Risks?
Regulatory rules
A risk assessment should include an identification of information and the information systems to be protected, including electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information.
Key Compliance Questions
Does the information security risk assessment program effectively gather data regarding the information and technology assets, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements?
Does the ongoing information security risk assessment program effectively analyze the probability and impact of the known threats and vulnerabilities?
Does the ongoing information security risk assessment program effectively prioritize the risks to determine the appropriate level of training, controls, and assurance necessary for effective mitigation?
20.
What are the Systems and Data Flow?
Regulatory rules
The institution's analysis should include a system characterization and data flow analysis of networks (where feasible), computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems. Include backup tapes, portable computers, personal digital assistants, media such as compact disks, micro drives, and diskettes, and media used in software development and testing. In identifying information and the information systems, it is important to understand how the institution uses information in its day-to-day operations.
Key Compliance Questions
Is the institution's analysis complete?
Does the risk assessment address employee access, use, and dissemination of information in response to requests?
21.
What are the Service Providers' Programs and Controls?
Regulatory rules
The institution's system architecture diagram and related documentation should identify service provider relationships, where and how data is passed between systems, and the relevant controls that are in place.
Key Compliance Questions
Does the financial institution consider its outsourcing strategy in identifying relevant data flows and information processing activities?
22.
Do We Classify and Rank Data, Systems, and Applications?
Regulatory rules
FIs should assess the relative importance of the various information systems based on the nature of their function, the criticality of data they support, and the sensitivity of data they store, transmit, or protect. When assessing the sensitivity of data, institutions should consider the increased risk posed to the institution from the aggregation of data elements.
Key Compliance Questions
Does the FI assess the importance of information systems?
Does the FI consider the increased risk of aggregation of data elements?
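As an added illustration of the identify, analyze and prioritize steps from slide 19 together with the aggregation point on this slide (example code, not from the slides or from Quarule), the register below inventories assets and their data elements, escalates an asset's sensitivity tier when it holds a combination of elements that is more sensitive together than apart, scores each threat/vulnerability pair by probability x impact x tier, and ranks them into control levels. The tier names, aggregation rules, score cut-offs and sample data are all assumptions made for the example.

```python
# Added example, not from the slides: a minimal risk register for the FFIEC steps
# summarised above (identify assets, analyze probability and impact, prioritize),
# including the aggregation-of-data-elements rule. All tiers, rules, cut-offs and
# sample data are constructed for illustration.
from dataclasses import dataclass

TIERS = {"public": 1, "internal": 2, "confidential": 3, "critical": 4}  # assumed ordering
# Element combinations that are more sensitive together than alone (assumed values).
AGGREGATION_RULES = [
    (frozenset({"name", "ssn"}), "critical"),
    (frozenset({"name", "account_number", "balance"}), "critical"),
]

@dataclass
class Asset:
    name: str
    data_elements: frozenset  # data elements the asset stores, transmits or protects
    base_sensitivity: str     # tier assigned before considering aggregation

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    probability: int  # 1 (rare) .. 5 (expected)
    impact: int       # 1 (negligible) .. 5 (severe)

def effective_sensitivity(asset: Asset) -> str:
    """Base tier, escalated when the asset holds a combination in AGGREGATION_RULES."""
    tier = asset.base_sensitivity
    for elements, escalated in AGGREGATION_RULES:
        if elements <= asset.data_elements and TIERS[escalated] > TIERS[tier]:
            tier = escalated
    return tier

def risk_score(risk: Risk, assets: dict) -> int:
    """Probability x impact, weighted by the asset's effective sensitivity tier."""
    return risk.probability * risk.impact * TIERS[effective_sensitivity(assets[risk.asset])]

def prioritize(risks, assets):
    """Rank highest risk first and assign a control level (assumed score cut-offs)."""
    scored = sorted(((risk_score(r, assets), r) for r in risks), key=lambda t: -t[0])
    return [(r.asset, r.threat, s, "enhanced" if s >= 40 else "standard" if s >= 15 else "baseline")
            for s, r in scored]

# Constructed sample inventory and threat/vulnerability pairs.
SAMPLE_ASSETS = {a.name: a for a in (
    Asset("core_banking_db", frozenset({"name", "account_number", "balance"}), "confidential"),
    Asset("hr_spreadsheet", frozenset({"name", "ssn"}), "internal"),
    Asset("marketing_site", frozenset({"product_blurbs"}), "public"))}
SAMPLE_RISKS = [Risk("marketing_site", "defacement", "weak admin password", 4, 2),
                Risk("core_banking_db", "malware", "unpatched database server", 3, 5),
                Risk("hr_spreadsheet", "data theft", "copied to an unencrypted laptop", 2, 4)]
```

Note that the HR spreadsheet, rated only "internal" on its own, outranks the public website once the name-plus-SSN aggregation rule raises it to "critical"; `prioritize(SAMPLE_RISKS, SAMPLE_ASSETS)` returns the ranked rows.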
23.
Information Systems Security Programs
National Futures Association 9070 - NFA COMPLIANCE RULES 2-9, 2-36 AND 2-49: INFORMATION SYSTEMS SECURITY PROGRAMS
http://www.nfa.futures.org/nfamanual/NFAManual.aspx?RuleID=9070&Section=9
24.
What Comprises the Information Systems Security Program?
Regulatory rules
Five areas of an Information Systems Security Program (ISSP):
1. Written Program
2. Security and Risk Analysis
3. Deployment of Protective Measures Against Identified Threats and Vulnerabilities
4. Response and Recovery from Threats to Electronic Systems
5. Employee Training
25.
Do We Have a Written Information Systems Security Program (ISSP)?
Regulatory rules
a) Members must adopt and enforce a written ISSP designed to provide safeguards and protect against security threats or hazards to their technology systems.
b) The written ISSP must be appropriate to the Member's size, complexity of operations, type of customers and counterparties, the sensitivity of the data accessible within its systems, and its electronic interconnectivity with other entities.
c) There are several cybersecurity best practices and standards readily available, including those promulgated by SANS, OWASP, ISACA's COBIT 5, and NIST.
Key Compliance Questions
1. Does the Member have a written ISSP?
2. Is the ISSP appropriate for the Member's specific needs?
26.
Do We Analyze Security and Risk?
There are many different types of internal and external threats, including:
a) Loss, destruction or theft of data;
b) Attacks by viruses, spyware and other malware; and
c) Interception and compromising of electronic transmissions.
Key Compliance Questions
1. Does the Member keep track of its hardware and software?
2. Has the Member reviewed the vulnerabilities of its electronic infrastructure?
3. Is the Member's data secure?
27.
Do We Assess and Prioritize?
Regulatory rules
Members must assess and prioritize the risks associated with the use of their information technology systems.
a) Estimate the severity of the potential threats;
b) Perform a vulnerability analysis; and
c) Decide how to manage the risks of these threats.
Key Compliance Questions
1. Have there been any past incidents?
2. What are the known threats identified by other entities?
28.
How Do We Protect Against Identified Threats and Vulnerabilities?
A Member should document in its ISSP the safeguards that it deploys after reviewing and prioritizing threats and vulnerabilities. These safeguards will depend on the Member's specific needs, and can include:
a) Physically protecting buildings, equipment and assets;
b) Using and maintaining up-to-date firewall, anti-virus and anti-malware software;
c) Limiting both physical and electronic access;
d) Ensuring that systems are regularly and properly updated;
e) Deploying encryption software;
f) Preventing the use of unauthorized software;
g) Backing up systems and data; and
h) Ensuring that mobile devices are subject to similar applicable safeguards.
29.
How Do We Detect Potential Threats and Vulnerabilities?
Regulatory rules
Members should also document and implement reasonable procedures to detect potential threats, including new and emerging threats.
Key Compliance Questions
1. What procedures does the Member have in place?
2. Do those procedures meet the proper standards?
3. Is the Member a part of a threat sharing organization which can alert the Member to new and emerging threats?
30.
How Do We Respond to Threats to Electronic Systems?
Regulatory rules
Members should create an incident response plan to provide a framework to manage detected security incidents, analyze their potential impact and take appropriate measures to contain and mitigate their threat. The response plan should list out how the Member will address potential incidents, including how it will communicate and escalate incidents internally, and how it will communicate externally with customers, counterparties, regulators, and law enforcement. The Member's response plan should also include how the Member plans to restore compromised systems and data, and how it will incorporate lessons learned into the ISSP.
Key Compliance Questions
1. Does the Member have a response plan?
2. Does the response plan detail how to determine the level and type of threat and how to respond?
3. Does the response plan detail how to restore compromised systems and data?
4. Does the response plan detail who, how and when to communicate details of an incident?
31.
Does Everyone Know What to Do?
Regulatory rules
A Member's ISSP should contain a description of the Member's education and training relating to information security for all appropriate personnel. This training program should be conducted for employees upon hiring and periodically during their employment, and should be appropriate to the security risks the Member faces as well as the composition of its workforce.
Key Compliance Questions
1. Are the Member's employees trained in information security?
2. Does the Member train employees on information security both at hiring and throughout employment?
3. Is the training appropriate for the risks and the workforce?
32.
How Do We Know if the Info Systems Security Plan (ISSP) is Effective?
Regulatory rules
A Member should monitor and regularly review the effectiveness of its ISSP, including the efficacy of the safeguards deployed, and make appropriate adjustments. The review should be done at least once every year, and may be done by in-house staff with appropriate knowledge or by engaging an independent third-party information security specialist.
Key Compliance Questions
1. Does the Member schedule regular reviews of its ISSP?
2. Does the Member have qualified employees who can perform the review, or does the Member need to hire an outside party?
33.
Are Third-Party Service Providers Secure?
Regulatory rules
A Member's ISSP should also address the risks posed by third-party service providers that have access to a Member's systems, operate outsourced systems for the Member or provide cloud-based services to the Member. Since the Member does not control the third-party service providers, it is crucial that the Member perform due diligence on a service provider's security practices and avoid using third parties whose security standards are not comparable to the Member's standards in a particular area or activity. A Member should also place appropriate access controls on its information systems and data and have a procedure to remove access when a service provider is no longer providing services.
Key Compliance Questions
1. Does the Member keep a list of any service providers it employs?
2. Does the Member monitor the security practices of its service providers?
3. Does the Member have access controls in place to prevent improper access?
34.
ISSP Resources
SANS Institute (SANS) - https://www.sans.org/
Open Web Application Security Project (OWASP) - https://www.owasp.org
ISACA's Control Objectives for Information and Related Technology (COBIT) 5 - https://cobitonline.isaca.org/
National Institute of Standards and Technology (NIST) - https://www.nist.gov/