MAINTAINING CUSTOMER LOYALTY THROUGH BUSINESS RESILIENCE

Thomas E. Williams
Business Continuity/Cyber Security Strategy Manager
Gladiator - A Division of Jack Henry & Associates
Northville, Michigan
tow[email protected] 313-318-3839
August 8 & 9, 2019


Post on 06-Oct-2020


© 2017 Jack Henry & Associates, Inc.® © 2018 Jack Henry & Associates, Inc.

Maintaining Customer Loyalty Through Business Resilience

Tom Williams
Business Continuity/Cyber Security Strategy Manager
Jack Henry & Associates, Inc.®

Presented by Gladiator - A Division of Jack Henry & Associates & The Graduate School of Banking
August 9-10, 2019


Tom Williams

Jack Henry & Associates

(Gladiator Division)
Business Continuity-Cyber Security Strategy Manager

313-318-3839

[email protected]


Agenda

Information Security Program Components

Executing the Business Continuity / Cyber Incident Response Plan

Gladiator Cyber-Attack Mock Drill

Key Cyber Threats Facing Financial Institutions Today

The FFIEC Guidelines on Business Continuity and Cyber Security


Jack Henry & Associates: Three Successful Brands

• Community and Multi-Billion Dollar Banks
• Core Processing Systems
• Integrated Complementary Products
• In-House or Outsourced Services

• Credit Unions of All Sizes
• Core Processing Systems
• Integrated Complementary Products
• In-House or Outsourced Services

• Financial Institutions of All Sizes
• Corporate Entities and Strategic Partnerships
• Core Processor Agnostic
• Best-of-Breed Niche Solutions


Brief Introduction to Gladiator Services

• Gladiator® CoreDEFENSE Managed Security Services™
• Gladiator® IT Regulatory Compliance/Policy Products™
• Centurion Business Continuity Planning™ / Centurion Disaster Recovery®
• Gladiator® Hosted Network Solutions™
• Gladiator® Managed IT Services™


In the News

CNN Headline - March 23rd

The FBI is investigating a ransomware attack on the city of Atlanta


Every business is at risk from …

Natural Disasters, Accidents, & Environmental Events

Cyber Attacks and Terrorism

Power & Energy Disruptions

Internal / External Fraud

Physical Security

Human Error


The Information Security Program Components


Information Security Defined

• The processes and methodologies involved with keeping information Confidential, Available, and assuring its Integrity.

• Includes the following:
– Access controls: Unauthorized access.
– Protecting information: In transit, storage or idle state.
– Resolution: Detection and remediation of breaches.


Three Principles of Information Security

• Confidentiality
• Integrity
• Availability


Information Security Program Components


Information Security Program Components

Compliance/Risk Committee


Compliance / Risk Committee

• Board Representation
• Executive Management
• Information Technology
• Compliance / BSA / Information Security Officers
• Human Resources
• Business Unit Managers / Representatives


Information Security Program Components

Policies
Compliance/Risk Committee


Policies

• Information Security
– Cyber-Security
– Assignment of Responsibilities
– Data Classification
– Risk Management & Control
– Vendor Oversight
– Training
– Incident Response
– Program Review & Testing


Policies

• Tech Mgt & Responsibilities
• Physical / Logical Security
• Core Processing Services & Security
• Data Classification
• Audit & Review
• Education
• Change Management
• Data Storage & Backup
• Technology Usage (Wireless-Email-VoIP-Remote Access-Mobile)
• Technology Management (Hardware/Software Inventory & Licensing-Patch Management-Lifecycle Management)
• Monitoring & Reporting


Information Security Program Components

Policies
Compliance/Risk Committee
Risk/Vulnerability Assessments


Risk/Vulnerability Assessments

• Information Security
• IT Risk Assessment
• E-banking
– Internet Banking
– Authentication
– Wires/ACH Origination
– Remote Deposit Capture/Mobile Deposit Capture
• ID Theft Prevention
– Fraud Alerts
– Close Compromised Accounts
• External Penetration Testing
• Internal Vulnerability Testing
• Social Engineering Testing


Information Security Program Components

Risk/Vuln Assessments
Policies
Compliance/Risk Committee
Business Continuity & Incident Response Plan


Business Continuity / Incident Response Plan TOC

Business Continuity Plan TOC
1. Team Information
   1. BU Recovery Team - Recovery Organization Charts
   2. Workspace & Equip. Summary - Facilities & Locations
2. Notifications
   1. Personnel Notification Script - Business Unit Call List
   2. Call List Team Leaders – External/Internal Notifications
3. Recovery Tasks
   1. Recovery Phases – Recovery Tasks for Rec. Team
4. Business Impact Analysis Reports
5. Process & Resources Reports
6. Recovery Forms
7. Appendix

Incident Response Plan TOC


Information Security Program Components

Risk/Vuln Assessments
Policies
Compliance/Risk Committee
Incident Handling & Reporting
Business Continuity & Incident Response Plan


Incident Handling & Reporting

• Identify Roles & Responsibilities
• Recognize & Identify Event
• Inform Appropriate Personnel
• Initiate Documentation Process
• Assign Incident Severity Level
• Contain & Eradicate Event
• Implement Preventative Measures
• Recover
• Notify Law Enforcement / Customers / Regulators
• Establish Media Communications
• Perform Forensic Follow-up Analysis
• Create Executive Report
• Store Documentation & Evidence
• Post Mortem Review


Information Security Program Components

Risk/Vuln Assessments
Policies
Compliance/Risk Committee
Incident Handling & Reporting
Vendor Management
Business Continuity & Incident Response Plan


Vendor Management

• Vendor Evaluation and Selection
• Contract Negotiations
• Service Level Agreements (SLA)
• Risk Management
• Ongoing Due Diligence
• Contingency Planning / Termination


Information Security Program Components

Risk/Vuln Assessments
Policies
Compliance/Risk Committee
Incident Handling & Reporting
Vendor Management
Security Awareness Training
Business Continuity & Incident Response Plan


Security Awareness Training

• For Employees, Board & Management & Customers
– Social Engineering (Pre-text calling – Phishing)
– Acceptable Use
– Incident Response
– BCP
– ID Theft Prevention / Handling


Information Security Program Components

Risk/Vuln Assessments
Policies
Compliance/Risk Committee
Business Continuity & Incident Response Plan
Incident Handling & Reporting
Vendor Management
Incident Reporting
Audits & Testing


Audits & Testing

• Risk Assessments
• Define Scope
• Control Design and Operational Effectiveness Testing
• Reporting
• Remediation Tracking


Information Security Program Components

Risk/Vuln Assessments
Policies
Compliance/Risk Committee
Incident Reporting & Handling
Vendor Management
Security Awareness Training
Audits & Testing
Regulatory Exams
Business Continuity & Incident Response Plan


Regulatory Exams

• FFIEC (Federal Financial Institution Examination Council)
– OCC (Office of Comptroller Currency)
– FRB (Federal Reserve Bank)
– FDIC (Federal Deposit Insurance Corporation)
– NCUA (National Credit Union Administration)
– CFPB (Consumer Financial Protection Bureau)


Information Security Program Components

Risk/Vuln Assessments
Policies
Compliance/Risk Committee
Incident Reporting
Vendor Management
Security Awareness Training
Audits
Regulatory Exams
Business Continuity & Incident Response Plan

Today’s Focus


Detailed Status of InfoSec tasks

IS Ongoing Compliance Management – Status Report – Security Monitoring


Detailed Status of InfoSec tasks

IS Ongoing Compliance Management – Status Report – BCP/Disaster Recovery


Detailed Status of InfoSec tasks

IS Ongoing Compliance Management – Status Report – Vendor Management


Detailed Status of InfoSec tasks

IS Ongoing Compliance Management – Status Report – Policies


Remediation tracking

IS Ongoing Compliance Management – Status Report – Remediation Activities


Information Security Officer Responsibilities

Responsible for the Administration and Execution of the Information Security Program

Audits & Exams


Maximizing Effectiveness


Structure of Accountability

Skills and Expertise

Time Allocation

Governance Risk & Compliance

Effective Information Security Program


Examiners' position on Information Security Officer (ISO)

Independent ISO or Committee

Sufficient knowledge and training

Separate InfoSec oversight from IT

Rightsized InfoSec program

Source: FFIEC Guidelines, 2006


Examiners' ISO methodologies

• Hire an ISO

• Appoint ISO Committee

• Outsource ISO

Accepted by FFIEC


Information Security Program Position


What is your Bank’s Information Security Program Position?

Limited Information Security Program ... Effective Information Security Program

Risk levels: High Risk, Semi-High, Moderate Risk, Semi-Low, Low Risk

Each organization should continually strive to move toward the Low Risk area


What is Business Continuity Planning?


Business Continuity Planning is a proactive planning process that ensures critical services or products are delivered during a disruption.


Business Continuity
Business Unit Plans to restore Critical Business Functions / Processes that the Business Units are responsible for

Incident Response Plan used by the Incident Response Team to prevent, mitigate and recover from a cyber incident

Business Continuity Planning encompasses Incident Response Planning


People/Processes
• Employees
• Members
• Processes
• Vendors
• Fire / Police
• Utilities
• Regulators
• Plans / Procedures
• Documentation

Facilities
• Alternate work areas
• Repaired facilities
• Recovery centers
• Hospitals
• Shelter areas
• Mobile Recovery Units
• Off-site storage facilities

Technology
• Systems
• Servers
• Applications
• Data
• Telecommunications


People/Processes, Facilities, Technology

Lending
Retail Banking
Operations


BCP Lifecycle (FFIEC BCP Guidelines): Business Impact Analysis, Risk Assessment, Risk Management, Risk Monitoring

Business Functions
- Recovery Window
- Resources
- Contingency Strategies
Di-Impact

Threats
- Natural
- Human
- Technical
- Cyber Attacks

Documentation
- Emergency Management Plans
- Crisis Management Plans
- Business Unit Plans
- Incident Response Plan

Plan Maintenance
- Phased approach
- Tabletop exercises
- Mock drills
- Functional testing


Process for Recovering from a Disaster Event


Recovery Phases & Plan Execution

RECOVERY TIMELINE


Recovery Phases & Plan Execution

1. CRISIS MANAGEMENT
• Evacuation & safety
• Liaison
• Stabilize
• Incident Response
• Damage assessment
• Communications
• Disaster declaration


Recovery Phases & Plan Execution

1. CRISIS MANAGEMENT
2. RELOCATE & RESTORE
• Notifications
• Salvage
• Establish Command Centers
• Determine alternate workspaces
• Acquire resources
• Restore resources


Recovery Phases & Plan Execution

1. CRISIS MANAGEMENT
2. RELOCATE & RESTORE
3. RECOVER BUSINESS FUNCTIONS

• Recreate lost work

• Implement contingency strategies

• Resume business functions


Recovery Phases & Plan Execution

1. CRISIS MANAGEMENT
2. RELOCATE & RESTORE
3. RECOVER BUSINESS FUNCTIONS
4. REBUILD & RETURN

• Repair or replace damaged equipment and/or facilities

• Formulate a plan for returning to normal operations

• Execute the plan

• Perform a debrief session


BCP Maintenance/Testing Process

• Locations, Personnel, Recovery Teams, Departments
• Business Functions, Process, Resources
• Vendors, External Contacts
• IT & Application Recovery Procedures
• Custom Documentation
• Testing


Documentation

Emergency Management Plans
• Evacuation procedures
• Scenarios

Crisis Management Team Plan

Business Unit Recovery Team Plans


Team Responsibilities

MANAGEMENT ADMINISTRATIVE DAMAGE ASSESSMENT

INFORMATION SYSTEMS

BUSINESS UNITS

CRISIS MANAGEMENT

BUSINESS UNIT RECOVERY

Business Units
• Recover business functions
- Relocate to assigned workspaces
- Acquire and restore resources
- Recreate lost work
- Implement Contingency Strategies


Cyber-Attack Recovery Process


Beyond Cybersecurity: Cyber Resilience

NIST Framework
• Identify
• Protect
• Detect
• Respond
• Recover


Defense in Depth

• People – Board awareness, Educate all stakeholders, Trusted Advisor Partnerships

• Processes – Cyber Risk Appetite Statement, Test Incident Response Plan with DR/BCP; Succession Plan

• Technology – Monitor transactions and layer services to prevent, detect and respond to attacks; partner with trusted TSPs


Defense in Depth - Technology

Core Provider

WAN


Gladiator Research

Threat Intelligence Process

• US-CERT
• FBI
• FS-ISAC
• iSIGHT
• NCFTA
• Platform Vendors
• JHA
• 3rd Party
• Other Partners

Identify current methods attackers are using to infiltrate networks and infect systems

Locate and track hostile domains, botnets, and hosts on the Internet

Reverse engineer malware to learn new behaviors and infection methods

Assess current financial fraud methods


Incident Response Process

Cyber Incident

1. Report Incident
• Technical Support / Help Desk

2. Incident Classification
• Validation and Severity of Incident

3. Notification/Escalation
• Who to contact, internal-external

4. Assessment
• Entry point of virus
• Systems affected
• Time to close incident
• Regulatory - Law agencies

5. Documentation
• Phone conversations
• System logs
• Meeting minutes
• Screen shots

6. Containment
• Shut down system
• Disconnect from network
• Monitor system/network
• Set traps
• Disable functions, etc.


Incident Response Process

7. Protecting Evidence
• Preserving hard drives
• Documenting incidents

8. Eradication & Recovery
• Anti-virus software
• System rebuilds

9. Follow-up Analysis
• System monitoring
• Sequence of events
• Method of discovery
• Lessons learned

10. Incident Prevention
• Technology
• Policies, procedures
• Training on security awareness
• Technical configurations
• Access permissions, logs, etc.

11. Vendor Management
• Tier 1 vendors must report all Incidents
• T1 vendors must have Incident Response Plans
• T1 Vendors must have Business Continuity Plans


Top Cyber Threats facing Financial Institutions


Top Cyber Threats

• Social Engineering
• Encrypted Traffic
• Malicious Code Variants
• Supply Chain Infections
• Patches/Vulnerabilities
• Ransomware


Honorable Mention

• Internal Threats
• Internet of Things (IOT)
• Wireless/Mobile


Evaluating Your Business Continuity Program


Evaluate your Business Continuity Program


Gladiator Risk Mitigation Services

• Business Continuity

• Disaster Avoidance – Disaster Recovery

• Multilayered security to mitigate cybersecurity risk

• 24/7 security monitoring

• Provide visibility into security and controls

• Certified security and compliance staff

• Empower management oversight

• Protect your reputation

RISK Mitigation
• Centurion - BC/DR
• CoreDEFENSE
• IT Regulatory Compliance
• Managed IT
• Hosted Network Solutions


Centurion BCP Services

• Enterprise-Wide BCP
  – Deluxe Engagement
  – Remote Engagement
  – Plan Maintenance Service

• BCP Software
  – COPE (Centurion’s Online Planning Expert)
  – SQL Database

• BC / DR Plan Reviews
  – DR Testing Assistance, i.e., Replication Testing

• Mock Disaster Drills
  – Natural and Manmade Disasters
  – Cyber Attack


BCP/DR Support Organizations Websites

• www.centuriondr.com – Centurion Disaster Recovery
• www.ready.gov – US Department of Homeland Security
• www.drj.com – Disaster Recovery Journal (free magazine)
• www.ffiec.gov – Federal Financial Institutions Examination Council’s site
• www.redcross.org – American Red Cross
• www.fema.gov – Federal Emergency Management Agency
• www.citizenscorps.gov/cert/ – Community Emergency Response Team
• http://www.operationhope.org/effak/effak_english.pdf – Emergency Financial First Aid Kit – Supported by Operation Hope & FEMA


Gladiator Cyber-Attack Mock Drill


Cyber Incident Response Drill Objectives

• Provide an interactive experience based on decisions associated with a cyber incident.

• Better understand your financial institution’s vulnerability toward cyber incidents.

• Assess your financial institution’s Incident Response Plan (IRP).

• Identify the major milestones associated with a cyber incident.

• Collaborate with your peers to share approaches to dealing with cyber incidents.


Cyber-Attack Drill Information

• This is a test exercise, based on the probability of a real-world scenario.

• Treat scenario details as fact.

• Think about how your bank’s cyber program would measure up to a similar, but real incident.

• Consider what improvements may be required to your IRP resulting from the drill.


Cyber-Attack Drill Information

• You will be assigned to the Incident Response Team (IRT) of The Financial Institution of Madison.

• Your team will be given a scenario resulting in a cyber incident to The Financial Institution of Madison.

• Please assume the role that you are assigned to as an Incident Response Team Member.

• As the IRT your team must adhere to the appropriate steps required to navigate through the cyber incident.


Incident Response Drill Challenges

Situational events that your IRT has to make decisions on

Share ideas and learn from your peers

Challenges are derived from real-world situations

Poll Everywhere will display team challenge results

Creates group discussion and collaboration


Financial Institution of Madison Bank Profile

• $757 million in assets

• Main office is located in downtown Madison, WI

• 9 additional branch office locations throughout Madison

• 211 employees and 511,000 customers


Financial Institution of Madison Technology Profile

• Core processing – Outsourced
• Windows® infrastructure runs at main office
• VMware Snapshots taken once per day and replicated off-site at another branch twenty-five miles away
• Uses an MPLS common network between branches
• Thirty days of historical backups


Gladiator Cyber-Attack Mock Drill

• More information will be provided during the class section to maintain the overall integrity of the exercise

• Be prepared to play an active role on the Incident Response Team that you are assigned to

• Regardless of your current role at your bank, the drill will provide insight into the fact that cyber-security is the responsibility of all employees


Tom Williams

Jack Henry & Associates (Gladiator Division)

Business Continuity-Cyber Security Strategy Manager

313-318-3839

[email protected]