Gladiator® Virtual Information Security Officer

© 2017 Jack Henry & Associates, Inc.®

Presented by: Viviana Campanaro – CISSP, December 13, 2017


Page 1: Gladiator® Virtual Information Security Officer


Gladiator® Virtual Information Security Officer

Presented by: Viviana Campanaro – CISSP, December 13, 2017

Page 2: Gladiator® Virtual Information Security Officer

Agenda

• Cybersecurity Challenges

• Regulatory Reality

• Role and Responsibilities of the ISO

• Gladiator vISO Service Overview

Page 3: Gladiator® Virtual Information Security Officer

BankNews Innovative Solutions Award

Consulting/Outsourcing/Training Solution: Gladiator® Virtual Information Security Officer

Page 4: Gladiator® Virtual Information Security Officer


Top Concerns

• Regulatory Compliance

• Cybersecurity and IT

• Reputation

Page 5: Gladiator® Virtual Information Security Officer

Cybersecurity Threat Landscape

(Slide chart of threat types; the chart labels are Pervasive, Limited and Challenging. Chart items follow.)

• Buffer Overflow

• Service Overwhelm

• Stealth Diagnostics

• DoS

• SQL Injection

• Phishing

• Web Browser Pop-Ups

• VBA, ActiveX, Flash Tricks

• OS-Specific Attack Tools

• Cross-site Scripting

• SSL-encrypted Threats

• Zombie Bots

• RDP Exploits

• Memory Scraping

• DDoS

• Ransomware

• APTs

• Spear Phishing

• Targeted Attacks

• Drive-by Downloads

• Watering Hole Attacks

• Self-Replicating Code

• Password Guessing

• Password Cracking

• Disabling Audits

• Hijacking Sessions

• Exploiting Known Vulnerabilities

• Packet Forging & Spoofing

• SPAM

• Back Doors

• Sweepers & Sniffers

Page 6: Gladiator® Virtual Information Security Officer

Cybercrime will Cost Businesses

Source: Juniper, The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation

• Rapid digitization of consumers’ lives and records

• Data breaches: $6.1 trillion globally by 2021

Page 7: Gladiator® Virtual Information Security Officer

More Malware & More Attacks

2017 – Symantec Internet Security Threat Report

• 1.1B identities exposed

• > 357M new malware variants

• > 400k ransomware detections (463,841)

Page 8: Gladiator® Virtual Information Security Officer

Why Are They Coming After Us?

Source: Verizon Data Breach Investigations Report (2017 VDBIR), breach motives:

• 73% Financial

• 21% Espionage

• 6% FIG (fun, ideology, grudge)

Page 9: Gladiator® Virtual Information Security Officer

How Are They Coming After Us?

Source: Verizon Data Breach Investigations Report (2017 VDBIR), actions involved in breaches (a breach can involve more than one action, so the percentages overlap):

• 62% Hacking

• 51% Malware

• 43% Social

Page 10: Gladiator® Virtual Information Security Officer

In the News

Equifax breach

• Unpatched machines

• 145 million records compromised

• 200k credit card numbers stolen

“...ordinary threats will harm even the most extraordinary security programs if they’re caught off guard.” – Fortinet Threat Landscape Report, Q3 2017

Page 11: Gladiator® Virtual Information Security Officer


Cyber Resiliency

→ Cyber Breach Protection

→ Cyber Breach Detection

→ Cyber Incident Response

→ Cyber Breach Recovery


Page 12: Gladiator® Virtual Information Security Officer

Attracting & Retaining Personnel

• 0% InfoSec unemployment

• Average ISO salary $193,000*

* Source: salary.com

Page 13: Gladiator® Virtual Information Security Officer


Regulatory Reality

Page 14: Gladiator® Virtual Information Security Officer


Regulators Making Cybersecurity a Priority

The FFIEC releases a revised Information Security booklet - FFIEC, September 9, 2016

FFIEC Releases Updates to Cybersecurity Assessment Tool - FFIEC, May 31, 2017

FFIEC Releases Cybersecurity Assessment Tool - FFIEC, June 30, 2015

Financial Regulators Release Revised Management Booklet - FFIEC, November 10, 2015

FFIEC Issues Statement on Safeguarding the Cybersecurity of Interbank Messaging and Payment Networks - FFIEC, June 7, 2016

The FFIEC published a frequently asked questions (FAQ) guide related to the Cybersecurity Assessment Tool - FFIEC, October 17, 2016

New York State Department of Financial Services Proposed 23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies - NYSDFS, December 28, 2016

The FDIC launches the Information Technology Risk Examination (InTREx) Program - FDIC, June 30, 2016

Page 15: Gladiator® Virtual Information Security Officer

FFIEC Information Security Handbook

Source: FFIEC Guidelines

• Written information security program

• InfoSec management by an independent ISO

• Separate InfoSec program management from IT operations

Page 16: Gladiator® Virtual Information Security Officer


FFIEC Cybersecurity Assessment Tool (CAT)

Source: FFIEC June 2015

Page 17: Gladiator® Virtual Information Security Officer

Board of Directors – Information Security

(Slide diagram of the items reported to the Board:)

• Information Security Policies

• InfoSec Training

• Business Continuity Plan

• InfoSec Risk Assessment

• Vendor Management

• Audit Information

• Vulnerability Assessment

• Compliance/Risk Committee

• Incident Reporting

• Exam Information

Page 18: Gladiator® Virtual Information Security Officer

Regulatory Reality

• 2015 – Financial Institutions receive “Recommendations”

• 2016 & 2017 – Financial Institutions receive Matters Requiring Attention (MRAs)

Page 19: Gladiator® Virtual Information Security Officer

InfoSec Regulatory Exam Focus

2014 – 2015
• Business Continuity
• IT Risk Assessments
• Log Archiving

2015 – 2016
• Vendor Management
• CyberSec Assessment Tool
• Ongoing VA Scanning

2016 – 2017
• Information Security Officer
• SIEM & Breach Detection
• Cyber-Prep & Resiliency

Page 20: Gladiator® Virtual Information Security Officer


Role of the Information Security Officer

Page 21: Gladiator® Virtual Information Security Officer

ISO & Regulatory Requirements

Source: FFIEC Guidelines

• Independent ISO or committee

• Sufficient knowledge and training

• Separate InfoSec oversight from IT

• Right-sized InfoSec program

Page 22: Gladiator® Virtual Information Security Officer


ISO Responsibilities

Responsible for the Administration and Execution of the Information Security Program

Audits & Exams

Page 23: Gladiator® Virtual Information Security Officer

Trending: Virtual ISO Services

• IS Strategy

• Certified security & compliance

• Experienced

• Policies

• Assessments

• Reporting

• Training

Page 24: Gladiator® Virtual Information Security Officer

In the News: The Rise of the Virtual Cyber Security Leader

“With cyber attacks and regulatory requirements on the rise, we are entering the age of outsourced cybersecurity.”

“The trend of establishing cybersecurity leadership is rapidly moving toward the virtual CISO.”

- MIS Training Institute, Nov. 27, 2017

Page 25: Gladiator® Virtual Information Security Officer

Gladiator® IT Regulatory Compliance Team

ITRC Team Highlights

• Certified security and compliance experts

• Located in the USA

• 20+ years experience

• Banking background

• Compliance background

• Segregation of duties within JHA

Page 26: Gladiator® Virtual Information Security Officer

Gladiator® IT Regulatory Compliance Team

• Risk & Compliance Consultants
– Experience working with FIs
– Certified Information Systems Auditor (CISA)
– CISM, CRISC, CGEIT preferred
– Knowledge and ongoing education on FI regulations
– Lead client compliance projects for vISO services
– Present to executive management and Board of Directors

Page 27: Gladiator® Virtual Information Security Officer

Gladiator® IT Regulatory Compliance Team

• IT Compliance Consultants
– Experience working with FIs
– Knowledge and ongoing education on FI regulations
– Ensure compliance with all applicable regulations
– Perform policy and compliance reviews
– Develop and maintain compliance documentation

Page 28: Gladiator® Virtual Information Security Officer

vISO Service Elements

• Annual Recurring InfoSec Risk Assessment – Asset Based, Control Validation

• Written Information Security Program – Policies, Procedures, Forms

• Ongoing Compliance Management – Audit Support, Monthly Meetings

• Reporting

Page 29: Gladiator® Virtual Information Security Officer

Gladiator® Virtual ISO Service Elements

Information Security Asset Based Risk Assessment

Description
• Consulting service
• Identify threats to FI’s classified assets
• Determine Inherent and Residual risk
• Provide Recommendations

Deliverables
• Executive Summary Report
• Control Validation Report
• Asset Classification Report
• Detailed Risk Results Report
• Remediation Sheet

Page 30: Gladiator® Virtual Information Security Officer

Gladiator® Virtual ISO Service Elements

Written Information Security Program

Description
• Required policies and procedures for GLBA compliance
• Updated Annually

Deliverables
• IS Policies
• IT Management Manual
• eBanking Policies

Page 31: Gladiator® Virtual Information Security Officer

Gladiator® Virtual ISO Service Elements

IS Ongoing Compliance Management

Description
• Consulting service
• Audit Support
• Educational materials
• IS Status Reporting
• 24/7 access to the Vault

Deliverables
• Periodic (Monthly or Quarterly) IS Status Reports
• ITRC Newsletter
• Security Timely Topics eblast
• Educational Webcasts

Page 32: Gladiator® Virtual Information Security Officer

Gladiator® Virtual ISO Service Elements

IS Ongoing Compliance Management – Status Report

(Slide image of the status report.)

Page 33: Gladiator® Virtual Information Security Officer

Gladiator® Virtual ISO Service Elements

IS Ongoing Compliance Management – Status Report

(Slide image: Overview status of InfoSec tasks.)

Page 34: Gladiator® Virtual Information Security Officer

Gladiator® Virtual ISO Service Elements

IS Ongoing Compliance Management – Status Report

(Slide image: Detailed status of InfoSec tasks.)

Page 35: Gladiator® Virtual Information Security Officer

Gladiator® Virtual ISO Service Elements

IS Ongoing Compliance Management – Status Report

(Slide image: Project status tracking.)

Page 36: Gladiator® Virtual Information Security Officer

Gladiator® Virtual Information Security Officer™

• Validate information security program

• Empower management’s oversight

• Protect your reputation and your customers’ data

• Provide visibility into information controls

Page 37: Gladiator® Virtual Information Security Officer

Thanks!

Viviana Campanaro – CISSP, Gladiator – Security & Compliance Sales Engineer

[email protected]