how to implement a virtual information security officer

Page 1

© 2017 Jack Henry & Associates, Inc.®

How to Implement a Virtual Information Security Officer

Presented by: Viviana Campanaro – CISSP

April 17, 2018

Page 2

Speaker: Viviana Campanaro, CISSP

• Gladiator Security Sales Engineer

• Security and Compliance experience in healthcare and financial industries

• 20 years in information security

• CISSP since 2005

Page 3

Agenda

• State of Cybersecurity for FIs

• Examiners' position on the ISO

• Role and Responsibilities of the ISO

• How to Implement a virtual ISO

• Gladiator Virtual ISO service

Page 4

Top Concerns

• Regulatory Compliance

• Cybersecurity and IT

• Reputation

Page 5

Cybersecurity Threat Landscape

(The slide groups threats into three tiers: Limited, Increased and Pervasive.)

Limited

• Self Replicating Code

• Password Guessing

• Password Cracking

• Disabling Audits

Increased

• Hijacking Sessions

• Exploiting Known Vulnerabilities

• Packet Forging & Spoofing

• SPAM

• Back Doors

• Sweepers & Sniffers

Pervasive

• Buffer Overflow

• Service Overwhelm

• Stealth Diagnostics

• DoS

• SQL Injection

• Phishing

• Web Browser Pop-Ups

• VBA, ActiveX, Flash Tricks

• OS-Specific Attack Tools

• Cross-site Scripting

• SSL-encrypted Threats

• Zombie Bots

• RDP Exploits

• Memory Scraping

• DDoS

• Ransomware

• APTs

• Spear Phishing

• Targeted Attacks

• Drive-by Downloads

• Watering Hole Attacks

Page 6

Cybercrime will Cost Businesses

Source: Juniper - The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation

• Consumers’ lives and records have been rapidly digitized

• Data breaches will cost $6.1 trillion globally by 2021

Page 7

Cybercrime Elements

Source: Verizon Data Breach Investigations Report, 2017

• Means: Hacking, Malware, Social Engineering schemes (2017 VDBIR: 62% Hacking, 51% Malware, 43% Social)

• Motive: Money, Espionage, Fun, Ideology, Grudge (2017 VDBIR: 73% Financial, 21% Espionage, 6% FIG – fun, ideology, grudge)

• Opportunity: Email, Social Media, Internet browsing

Page 8

Malware & Attacks are more diverse

Source: 2018 Symantec Internet Security Threat Report

Page 9

In the News

Equifax breach

• Unpatched machines

• 145 million records compromised

• 200k credit card numbers stolen

“...ordinary threats will harm even the most extraordinary security programs if they’re caught off guard.” – Fortinet Threat Landscape Report, Q3 2017

Page 10

IT Regulatory Landscape

(The slide is a timeline grouped into three tiers: Limited, Increased and Pervasive.)

Limited

• Control and security risks in electronic imaging systems issued

• Statement on EFT Switches and Network Services

• Information Systems Examination Handbook (1996)

Increased

• GLBA

• Internet Banking Authentication

• eBanking, Information Security, and BCP Handbooks issued

• TSP Handbook issued

• Operations and Payments Handbook issued

• FCRA Updated

Pervasive

• Information Security Handbook updated

• FILs on Identity Theft and Red Flags

• FIL on Foreign Based Third Party Risk

• RDC Guidance

• Payment Handbook updated

• BCP Handbook updated

• FIL and Bulletin on Third Party Risk

• FIL on Pandemic Planning

• Supplement to Internet Banking Authentication

• TSP Handbook Updated

• Statement on Outsourced Cloud Computing

• Social Media Guidance

• Cybersecurity General Observations and Statement

• Management Handbook updated

• Cybersecurity Assessment Tool

• Appendix J – TSPs

• Appendix E – MFS

• Information Security Handbook updated

• InTrex Exam Format

Page 11

InfoSec Regulatory Exam Focus

2014 – 2015

• Business Continuity

• IT Risk Assessments

• Log Archiving

2015 – 2016

• Vendor Management

• CyberSec Assessment Tool

• Ongoing VA Scanning

2016 – 2017

• Information Security Officer

• SIEM & Breach Detection

• Cyber Resiliency

Page 12

Examiners' position on Cyber Resiliency

→ Cyber Breach Protection

→ Cyber Breach Detection

→ Cyber Incident Response

→ Cyber Breach Recovery

* salary.com

Page 13

Examiners' position on the ISO

Independent ISO or Committee

Sufficient knowledge and training

Separate InfoSec oversight from IT

Rightsized InfoSec program

Source: FFIEC Guidelines 2006

Page 14

Examiners' accepted ISO methodologies

• Hire an ISO

• Appoint an ISO Committee

• Outsource the ISO

Accepted by FFIEC

Page 15

Hire Individual ISO

Pros (+)

• Dedicated resource

• In-house expertise

• No vendor management

Cons (-)

• Costly – avg. $215k salary

• Competitive

• Low unemployment

• High turnover

Page 16

ISO Committee

Pros (+)

• Multiple resources

• Shared responsibilities

• No vendor management

Cons (-)

• Slow decision making – many cooks in the kitchen

• Limited expertise

• Limited accountability

Page 17

Outsourced/Virtual ISO

Pros (+)

• Certified and experienced professionals

• Increased capabilities

• Cost effective

• No staff turnover

• Ensures compliance

Cons (-)

• Individual consultants

• Service levels

• Vendor management

Page 18

ISO Responsibilities

Responsible for the Administration and Execution of the Information Security Program

Audits & Exams

Page 19

Trending: Virtual ISO Services

• Certified security & compliance professionals

• Experienced

• IS Strategy

• Policies

• Assessments

• Reporting

• Training

Page 20

In the News: The Rise of the Virtual Cyber Security Leader

“With cyber attacks and regulatory requirements on the rise, we are entering the age of outsourced cybersecurity.”

“The trend of establishing cybersecurity leadership is rapidly moving toward the virtual CISO.”

- MIS Training Institute, Nov. 27, 2017

Page 21

Implementing a Virtual Information Security Officer

Page 22

When to consider a vISO

• High operational risk

• Audit/Regulatory criticism

• Lack of InfoSec expertise

• Limited budget

Page 23

How to leverage a vISO

• Appoint a named ISO or Committee

• Seek experienced providers

• Look for a team rather than an individual resource

• Ask for references

Page 24

Team Approach

Look for:

• Certified security and compliance experts

• Years of experience

• Banking background

• Compliance background

• Segregation of duties

Page 25

Preparing for a vISO

• Budget 25% of time

• Set your selection criteria

• Determine areas where help is needed

• Perform vendor due diligence

Page 26

Implementing a vISO

• Outline roles and responsibilities

• Prepare documents

• Set priorities and objectives

• Evaluate and measure performance

Page 27

BankNews Innovative Solutions Award Winner

Page 28

vISO Service Elements

• Annual Recurring InfoSec Risk Assessment – asset based, control validation

• Written Information Security Program – policies, procedures, forms

• Ongoing Compliance Management – audit support, monthly meetings

• Reporting

Page 29

Virtual Information Security Officer

A vISO provides:

• Validation of the information security program

• Empowerment of management’s oversight

• Protection of your reputation and your customers’ data

• Visibility into information controls

Page 30

Thank You!

Viviana Campanaro – CISSP

Gladiator – Security Sales Engineer