How to Implement a Virtual Information Security Officer
TRANSCRIPT
© 2017 Jack Henry & Associates, Inc.®
How to Implement a Virtual Information Security Officer
Presented by: Viviana Campanaro – CISSP
April 17, 2018
Speaker: Viviana Campanaro, CISSP
• Gladiator Security Sales Engineer
• Security and Compliance experience in healthcare and financial industries
• 20 years in information security
• CISSP since 2005
Agenda
• State of Cybersecurity for FIs
• Examiners' position on the ISO
• Role and Responsibilities of the ISO
• How to Implement a virtual ISO
• Gladiator Virtual ISO service
Top Concerns
• Regulatory Compliance
• Cybersecurity and IT
• Reputation
Cybersecurity Threat Landscape
(Chart: threat types plotted on a scale from Limited to Increased to Pervasive)
• Buffer Overflow
• Service Overwhelm
• Stealth Diagnostics
• DoS
• SQL Injections
• Phishing
• Web Browser Pop-Ups
• VBA, ActiveX, Flash Tricks
• OS-Specific Attack Tools
• Cross-site Scripting
• SSL-encrypted threats
• Zombie Bots
• RDP Exploits
• Memory Scraping
• DDoS
• Ransomware
• APTs
• Spear Phishing
• Targeted Attacks
• Drive-by Downloads
• Watering Hole Attacks
• Self-Replicating Code
• Password Guessing
• Password Cracking
• Disabling Audits
• Hijacking Sessions
• Exploiting Known Vulnerabilities
• Packet Forging & Spoofing
• SPAM
• Back Doors
• Sweepers & Sniffers
Cybercrime will Cost Businesses
Source: Juniper - The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation
• Consumers’ lives and records have been rapidly digitized
• Data breaches will cost $6.1 trillion globally by 2021
Cybercrime Elements
Source: Verizon Data Breach Investigations Report, 2017
• Motive: Money, Espionage, Fun, Ideology, Grudge (2017 VDBIR: 73% Financial, 21% Espionage, 6% FIG)
• Means: Hacking, Malware, Social Engineering schemes (2017 VDBIR: 62% Hacking, 51% Malware, 43% Social)
• Opportunity: Email, Social Media, Internet browsing
Malware & Attacks are more diverse
Source: 2018 Symantec Internet Security Threat Report
In the News
Equifax breach
• Unpatched machines
• 145 million records compromised
• 200k credit card numbers stolen
“...ordinary threats will harm even the most extraordinary security programs
if they’re caught off guard.” – Fortinet Threat Landscape Report, Q3 2017
IT Regulatory Landscape
(Chart: guidance issued over time, plotted on a scale from Limited to Increased to Pervasive)
• Control and security risks in electronic imaging systems issued
• Statement on EFT Switches and Network Services
• Information Systems Examination Handbook (1996)
• Information Security Handbook updated
• FILs on Identity Theft and Red Flags
• FIL on Foreign-Based Third Party Risk
• RDC Guidance
• Payment Handbook updated
• BCP Handbook updated
• FIL and Bulletin on Third Party Risk
• FIL on Pandemic Planning
• Supplement to Internet Banking Authentication
• TSP Handbook updated
• Statement on Outsourced Cloud Computing
• Social Media Guidance
• Cybersecurity General Observations and Statement
• Management Handbook updated
• Cybersecurity Assessment Tool
• Appendix J – TSPs
• Appendix E – MFS
• Information Security Handbook updated
• InTrex Exam Format
• GLBA
• Internet Banking Authentication
• eBanking, Information Security, and BCP Handbooks issued
• TSP Handbook issued
• Operations and Payments Handbook issued
• FCRA updated
InfoSec Regulatory Exam Focus
2014 – 2015
• Business Continuity
• IT Risk Assessments
• Log Archiving
2015 – 2016
• Vendor Management
• CyberSec Assessment Tool
• Ongoing VA Scanning
2016 – 2017
• Information Security Officer
• SIEM & Breach Detection
• Cyber Resiliency
Examiners position on Cyber Resiliency
→ Cyber Breach Protection
→ Cyber Breach Detection
→ Cyber Incident Response
→ Cyber Breach Recovery
* salary.com
Examiners position on ISO
Independent ISO or Committee
Sufficient knowledge and training
Separate InfoSec oversight from IT
Rightsized InfoSec program
Source: FFIEC Guidelines 2006
Examiners ISO methodologies
• Hire an ISO
• Appoint ISO Committee
• Outsource ISO
Accepted by FFIEC
Hire Individual ISO
Pros (+)
• Dedicated resource
• In-house expertise
• No vendor management
Cons (-)
• Costly (ave. $215k salary)
• Competitive
• Low unemployment
• High turnover
ISO Committee
Pros (+)
• Multiple resources
• Shared responsibilities
• No vendor management
Cons (-)
• Slow decision making – many cooks in the kitchen
• Limited expertise
• Limited accountability
Outsourced/Virtual ISO
Pros (+)
• Certified and experienced professionals
• Increased capabilities
• Cost effective
• No staff turnover
• Ensure compliance
Cons (-)
• Individual consultants
• Service levels
• Vendor management
ISO Responsibilities
Responsible for the Administration and Execution of the Information Security Program
Audits & Exams
Trending: Virtual ISO Services
• IS Strategy
• Certified security & compliance
• Experienced
• Policies
• Assessments
• Reporting
• Training
In the News
The Rise of the Virtual Cyber Security Leader
“With cyber attacks and regulatory requirements on the rise, we are entering the age of outsourced cybersecurity.”
“The trend of establishing cybersecurity leadership is rapidly moving toward the virtual CISO.”
- MIS Training Institute, Nov. 27, 2017
Implementing a Virtual Information Security Officer
When to consider a vISO
• High operational risk
• Audit/Regulatory criticism
• Lack of InfoSec expertise
• Limited budget
How to leverage a vISO
• Appoint a named ISO or Committee
• Seek experienced providers
• Look for a team vs. an individual resource
• Ask for references
Team Approach
Look for:
• Certified security and compliance experts
• Years of experience
• Banking background
• Compliance background
• Segregation of duties
Preparing for a vISO
• Budget 25% of time
• Set your selection criteria
• Determine areas where help is needed
• Perform vendor due diligence
Implementing a vISO
• Outline roles and responsibilities
• Prepare documents
• Set priorities and objectives
• Evaluate and measure performance
BankNews Innovative Solutions Award Winner
vISO Service Elements
• Annual Recurring InfoSec Risk Assessment: asset based, control validation
• Written Information Security Program: policies, procedures, forms
• Ongoing Compliance Management: audit support, monthly meetings
• Reporting
Virtual Information Security Officer
• Validate the information security program
• Empower management’s oversight
• Protect your reputation and your customers’ data
• Provide visibility into information controls
Thank You!
Viviana Campanaro – CISSP
Gladiator – Security Sales Engineer