Preparing For Your Next NCUA IT Exam Visit (CUNA Councils)

James Harris is the CEO of Compliance Advisory Services, LLC, a nationally known information security consulting and risk management firm.
He has over 26 years of experience in the banking/credit union industry. His expertise is in all areas of information systems security, Gramm-Leach-Bliley Act, PCI, and Sarbanes-Oxley Act. James is a former banker and FDIC examiner, with a unique ability to reduce complex legal concepts to plain English.
Easiest way to contact me: [email protected]
Copyrighted by Compliance Advisory Services, LLC
James holds many cybersecurity certifications:
• JD – Law Degree
• CISSP – Certified Information System Security Professional
• CISA – Certified Information Systems Auditor
• CEH – Certified Ethical Hacker
• CHFI – Certified Hacking Forensic Investigator
• CPT – Certified Pentester
• OPST – Open Source Professional Security Tester
• Is your credit union prepared for your next regulatory IT Exam?
• Where should you begin?
• What are the regulators going to focus on?
• What are the regulators going to ask?
Is your credit union prepared for your next regulatory IT Exam?
• Obtain a copy of your last Exam
• Determine all of the IT/InfoSec findings noted in the exam
• Transfer those findings onto a “tracking sheet”
Is your credit union prepared for your next regulatory IT Exam?
• Determine whether all prior IT Exam Findings have been corrected
• If not, correct them immediately
• If they were corrected, then note that on the “tracking sheet”
• Do the same for any and all internal & external IT Audits since the last exam
Is your credit union prepared for your next regulatory IT Exam?
• Make sure your important policies and risk assessments are up to date.
  ➢ Information Security Program & Risk Assessment
  ➢ IT Policy
  ➢ E-Banking Policy & Risk Assessment
  ➢ Incident Response Plan – do not forget (DDoS & Ransomware language)
  ➢ BCP/DR Plan (test it annually)
Is your credit union prepared for your next regulatory IT Exam?
• Mobile Device Policy – BYOD
• Mobile Banking Policy (remember mobile deposit language & limits)
• Wire Transfer Policy (do not forget: board-approved limits)
• Instant Issue Debit/Credit Card Policy & Risk Assessment [do not forget]
What are the regulators going to focus on?
• Has your board received documented Cyber Security Training?
• Has your board received Cyber Intelligence Summaries on a regular basis? [FS-ISAC]
• Has your board received your GLBA Annual Status Report on the InfoSec Program?
• Does your IT Committee regularly convene (quarterly, or at least 4 times a year)?
• Are your IT Committee minutes provided to the board?
• Do you have a written IT Strategic Plan (3-year forward-looking plan)?
• Have you completed a documented annual review of critical vendors?
What are the regulators going to focus on?
• Are you properly managing and controlling risk with all aspects of E-Banking?
  ➢ Customer Authentication (MFA) – Must be MFA
  ➢ Bill Payment limits
  ➢ Wire Transfers – Out-of-band call-backs
  ➢ ACH Originations – time of month, typical dollar amount, number of items in file, etc.
What are the regulators going to ask?
• Logical Controls Settings – Network, Core Banking Platform, and major Apps
  ➢ Pwd min length?
  ➢ Pwd complexity enabled?
  ➢ Pwd change interval?
  ➢ Time-out setting?
  ➢ Lockout setting?
  ➢ Pwd History?
What are the regulators going to ask?
• Print screens of the following – Network:
  ➢ Screen prints showing the members of the built-in Administrator group
  ➢ Screen prints of Domain Administrators
  ➢ Screen prints of Enterprise Administrators
  ➢ Screen prints showing Guest Group members & which ones have been disabled
  ➢ Permissions for two key network shares – Accounting and HR?
What are the regulators going to ask?
• Print screens for the following – Mainframe:
Provide a copy of the following files:
• /etc/passwd
• /etc/security/user
• /.rhosts
• /etc/hosts.equiv
• /etc/inetd.conf
• /etc/services
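An added pre-exam self-check, not part of the original slides: this Python script reviews four of the six files above for the findings an examiner typically writes up (empty password fields and extra UID-0 accounts in /etc/passwd, "+" wildcard trust entries in hosts.equiv and .rhosts, and enabled legacy cleartext or r-services in inetd.conf). The file contents are constructed samples, and the set of inetd services treated as legacy is an assumption; /etc/security/user and /etc/services are not covered.

```python
# Constructed sample file contents (not from any real system) so the review runs offline.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "svc_batch::1001:1001:batch job:/home/svc_batch:/bin/sh\n"  # empty password field
    "backup:x:0:0:legacy backup:/home/backup:/bin/sh\n"         # second UID-0 account
)
SAMPLE_HOSTS_EQUIV = "+\ncorehost01\n"   # a bare '+' trusts every host
SAMPLE_RHOSTS = "corehost01 opsuser\n"   # named host/user pair, no wildcard
SAMPLE_INETD = (
    "#telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n"  # commented out: not enabled
    "ftp     stream tcp nowait root /usr/sbin/ftpd    ftpd\n"     # cleartext service, enabled
    "shell   stream tcp nowait root /usr/sbin/rshd    rshd\n"     # r-service, enabled
)
# Assumed list of inetd services that examiners expect to see disabled.
LEGACY_INETD_SERVICES = {"telnet", "ftp", "shell", "login", "exec", "tftp", "finger"}

def review_passwd(text):
    """Flag empty password fields and any UID-0 account other than root."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#") or line.count(":") < 2:
            continue
        user, pw, uid = line.split(":")[:3]
        if pw == "":
            findings.append(f"/etc/passwd: '{user}' has an empty password field")
        if uid == "0" and user != "root":
            findings.append(f"/etc/passwd: '{user}' has UID 0")
    return findings

def review_trust_file(path, text):
    """Flag '+' wildcard tokens in hosts.equiv / .rhosts (trust any host or any user)."""
    return [f"{path}: wildcard trust entry '{line.strip()}'"
            for line in text.splitlines()
            if line.strip() and "+" in line.split()]

def review_inetd(text):
    """Flag enabled (uncommented) legacy service entries in inetd.conf."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and parts[0] in LEGACY_INETD_SERVICES:
            findings.append(f"/etc/inetd.conf: legacy service '{parts[0]}' is enabled")
    return findings

def run_review():
    """Run every check over the sample files and return the combined finding list."""
    return (review_passwd(SAMPLE_PASSWD) + review_inetd(SAMPLE_INETD)
            + review_trust_file("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV)
            + review_trust_file("/.rhosts", SAMPLE_RHOSTS))
```

Point the three review functions at the real files (read with `open(...).read()`) to produce the list of items to fix, or to document as accepted, before the examiner asks for the copies.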
What are the regulators going to ask?
• Cybersecurity Risk Assessment Tool (CAT Tool)
  ➢ How did your CU complete it? (Individual or committee)
  ➢ How long did it take to finish it? (they need a time frame)
• The NCUA has made it a requirement to complete!
• What was your CU’s Inherent Risk? They will want to review the questions & answers
• Did you fully meet Baseline Requirements? Partial doesn’t count!!!
What are the regulators going to ask?
• NCUA will complete several of their IT Audit Programs.
  ➢ IT – Items Needed
  ➢ IT – 748 Expanded (Most IT examiners complete this one)
  ➢ IT – Anti-Virus & Malware (Optional)
  ➢ IT – Audit Program (Optional)
  ➢ IT – Business Continuity (Most IT examiners complete this one)
  ➢ IT – Electronic Banking (Required)
  ➢ IT – Networks (Most IT examiners complete this one)
  ➢ IT – Policy Checklist (Optional)
  ➢ IT – Firewalls (Optional)
  ➢ IT – IDS/IPS (Optional)
  ➢ IT – PenTest Review (Most IT examiners complete this one)
  ➢ IT – Physical & Environment (Most IT examiners complete this one)
  ➢ IT – Remote Access (Most IT examiners complete this one)
  ➢ IT – Virtualization (Optional)
  ➢ IT – Wireless Networks (Optional)
• Review prior IT exam results.
• Correct all prior IT Exam/Audit Findings.
• Understand what IT examiners are looking for.
• Review and update all IT/InfoSec policies & risk assessments.
• Ensure logical controls are appropriate.
• Understand what questions examiners will ask.
• Complete your CAT Tool.
Thank you for your time and attention! Good luck with your next IT exam.
James Harris, JD, CISSP, CISA, CEH, CHFI, [email protected]
Austin, Texas
502-552-0559