acfn viso ebook
TRANSCRIPT
A well-structured approach to allow your institution to implement an ISO without overburdening existing staff
vISO
[Chart: Primary Concerns of Bank Executives. Y-axis: Percentage of Bankers Concerned (0 to 80). Categories: Reputation, Cybersecurity/IT, Regulatory Compliance.]
#1 Reputation
#2 Cybersecurity and IT
#3 Regulatory Compliance
Three Major Concerns Keep Bank Executives Up at Night
Regulatory Compliance, Cybersecurity, and Reputation all can depend on the appropriate oversight and direction provided by the ISO function within your institution.
Risk Management Framework
Step 1: Categorize the information system
Step 2: Select security controls
Step 3: Implement security controls
Step 4: Assess security controls
Step 5: Authorize information systems*
Step 6: Monitor security controls
Nonpublic Private Data Protection
In 1999, the Gramm-Leach-Bliley Act (GLBA) was passed, in part to protect confidential customer information (what GLBA calls nonpublic personal information, or NPI). After the events of 9/11, keeping private data secure became even more important. The Commerce Department's NIST created a framework to help institutions protect private information. The NIST Cybersecurity Framework (first published in 2014) is widely considered the gold standard for compliance with government-set standards, and many banks agree that using the NIST framework as a baseline makes sense. (BankInfo Security)
*Source: NIST Special Publication 800-53 r4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
Protection for All
Regulatory policies set by the GLBA and the FFIEC are there to protect banks as well as consumers.
“The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information.” — FTC, Gramm-Leach-Bliley (GLB) Act
“Institutions of all sizes may outsource various aspects of the analysis and response function, such as activity monitoring.” — FFIEC IT Examination Handbook, Information Security booklet, page 83
Adhering to a rule set such as the GLB Safeguards Rule is of the utmost importance. Officers and directors can be held personally liable for civil penalties of up to $10,000 per violation, and the financial institution itself for civil penalties of up to $100,000 per violation. Criminal penalties include fines and imprisonment for up to five years.
The FFIEC guidelines also call for security program monitoring and management to be separate from IT. Though it’s important that security monitoring works with IT so that the two functions can share information with each other, having security monitoring only within IT does not ensure proper safeguards.
The FFIEC’s Cybersecurity Assessment Tool was mapped to the NIST Cybersecurity Framework to help institutions identify their risks and determine their cybersecurity preparedness.
The FFIEC Updates and What They Mean
In November 2015, the FFIEC updated the Management booklet of its IT Examination Handbook. The updates include several new recommendations for bank boards and management:
• “Review and approve an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity.”
• “Oversee the adequacy and allocation of IT resources.”
• “Hold management accountable for identifying, measuring and mitigating IT risks.”
• Most importantly, the Management booklet calls for “independent, comprehensive and effective audit coverage of IT controls,” and further states that “the board may delegate the design, implementation and monitoring of specific IT activities.” This is where having an ISO is extremely valuable.
FFIEC IT Regulatory Exams Are Growing Increasingly Technical.
All Covered's Finance Practice has successfully assisted in FFIEC regulatory exams for over thirty years. Since the inception of GLBA, financial institutions have faced increased scrutiny of their mitigating controls. All Covered has seen IT audits and FFIEC exams prove challenging for community financial institutions due to their ever-increasing compliance requirements.
[Timeline: exam focus areas by year]
2013 and 2014: Data Classification; Business Continuity; IT Risk Assessment; Log Archiving; BYOD; DDoS Preparedness; Vendor Management; Cybersecurity; Ongoing Vulnerability Assessment (VA) Scanning; SIEM
2015: Information Security Officer; NIST Cybersecurity Framework; FFIEC Cybersecurity Assessment Tool; Cyber-Preparedness; Cyber-Resiliency; Incident Response Testing
FFIEC IT Regulatory Exams Are Driven by Experience.
In 2013, in the wake of Superstorm Sandy (October 2012), disaster recovery became a major exam issue. In 2014, the massive data breaches at major companies such as Target and JPMorgan Chase affected not just the business community but also the consumers they served, and in both cases the companies' reputations were damaged. We also saw vulnerabilities such as Shellshock, Heartbleed and POODLE prove that vulnerability scanning needed to be persistent, consistent and ongoing. In 2015, ransomware such as CryptoLocker showed that institutions need more than action after the fact: they need the education and training to be cyber-prepared.
Let our experience help educate and inform your institution so that you're not left in the dust during your next FFIEC exam.
Staying Up to Par With Cybersecurity Presents Many Challenges.
We have already mentioned that the Information Security Officer role must first be established, and then faces the challenge of working with IT while remaining independent of it. This is just one of several challenges facing financial institutions. The Management booklet of the FFIEC IT Examination Handbook puts it best:
“While the board may delegate the design, implementation and monitoring of certain IT activities to the steering committee, the board remains responsible for overseeing IT activities.”
The board's responsibility makes it necessary to address the function of the ISO within the financial institution. Along with the challenge of remaining responsible, another large challenge presents itself:
The average ISO salary is $193,351 (salary.com).
ISO the Right Way
All Covered aims to reduce the expense of hiring an ISO and the difficulty of finding the right ISO for an institution.
The ISO has many key functions within an institution. The right ISO must:
• Implement and maintain a cost-effective, right-sized and scalable Information Security Program. An ISO must work within budgetary constraints to implement the right solutions based on the risk tolerance of the institution.
• Ensure your institution's operations are in line with the risk strategy of the institution. Every bank and credit union is unique, and many factors determine how a bank decides to meet its regulatory requirements. The ISO must understand and accomplish this.
• Help you meet regulatory requirements right now. All Covered has successfully assisted financial institutions in addressing Matters Requiring Attention (MRAs) regarding information security for over thirty years.
The Right ISO Will Protect Both Your Financial Institution and the Community You Serve
Nearly 75% of financial institution executives have indicated that their institution's reputation is their number one concern.
Finding the right ISO isn't easy. All Covered's Virtual ISO service can provide a cost-effective, right-sized and scalable Information Security Program to ensure your institution's operations are in line with your risk strategy and meet regulatory requirements. This service has helped our clients stay competitive while successfully maintaining regulatory compliance and implementing security measures to mitigate cyber threats.
If you want to learn more about All Covered's Virtual ISO service, call us:
866-446-1133
Item #: VISOEB4/16-I
KONICA MINOLTA BUSINESS SOLUTIONS U.S.A., INC., 100 Williams Drive, Ramsey, New Jersey 07446
CountOnKonicaMinolta.com
© 2016 KONICA MINOLTA BUSINESS SOLUTIONS U.S.A., INC. All rights reserved. Reproduction in whole or in part without written permission is prohibited. KONICA MINOLTA, the KONICA MINOLTA logo, Count on Konica Minolta, bizhub, PageScope, and Giving Shape to Ideas are registered trademarks or trademarks of KONICA MINOLTA, INC. All other product and brand names are trademarks or registered trademarks of their respective companies or organizations. All features and functions described here may not be available on some products. Design & specifications are subject to change without notice.