Session Handouts Tom Schauer, CEO TrustCC
www.trustcc.com or 866.290.6774 ext 1 1
Copyright TrustCC. All Rights Reserved.
IT Risk Assessment: Confusion to Clarity
aka A Risk Assessment A Day Keeps the Examiner at Bay
By Tom Schauer CISA, CISM, CISSP, CEH, CRISC, CTGA
[email protected] 253.468.9750
My Qualifications
• Started in Banking in 1986; Data Security and BCP
• Led IT Audit and Security practices for Deloitte/Guardent
• Founded TrustCC in 2001 to help Banks and Credit Unions address GLBA
• TrustCC has performed 2000 IT Audits and Security Assessments for nearly 400 financial institutions
• Contract IT Examiner for State/Federal Regulatory Agencies
As new guidance requires more risk assessments, many credit unions are confused about IT risk assessment requirements. This talk will bring clarity to the requirements and will provide helpful guidance.
Risk: Security Breach
Risk – Vendor Breach
Of 4239, only 34 CU Events and 124 Bank Events
Credit Union Events
• Merchant breach (3)
• Vendor Negligence
• Accidental disclosure (5)
• Paper Carelessness (3)
• Accidental Loss of Tape Backup (2)
• Employee Misuse of Information (3)
• ATM Skimming
• Hacking (2)
• Theft (8)
• Social Engineering (2)
• Malware
Source: Chronology of Data Breaches, Privacy Rights Clearinghouse, https://www.privacyrights.org/data-breach-asc?title=Credit+Union (filtered on "Credit Union", accessed 4/6/14). Columns: Date Made Public, Name, Entity Type, Total Records.
September 7, 2013 – Rockland Federal Credit Union, Rockland, Massachusetts (BSF, HACK, Total Records: Unknown)
Those with questions may call 781-878-0232.
Rockland Federal Credit Union is sending customers new debit cards with new PINs as a result of a merchant who discovered a breach in their computer system. All old debit cards will be deactivated on September 26.
Information Source: Media. Records from this breach used in our total: 0

August 28, 2013 – Missouri Credit Union, Columbia, Missouri (BSF, DISC, Total Records: 39,000)
A file with customer information was accidentally published on Missouri Credit Union's website on August 5. The names, Social Security numbers, account numbers, teller and call-in passwords, and addresses of Missouri Credit Union members were accessed. The file was accessed 10 times before the issue was discovered and it was taken off of the website.
Information Source: Media. Records from this breach used in our total: 39,000

June 17, 2013 – Yolo Federal Credit Union, Woodland, California (BSF, UNKN, Total Records: Unknown)
Yolo was notified by Visa that there may have been a breach at several merchant locations. Yolo was not the site of the breach, but customers were issued new payment cards. The issue was reported to Yolo on May 31.
Information Source: Media. Records from this breach used in our total: 0

December 13, 2012 – Yolo Federal Credit Union, Woodland, California (BSF, CARD, Total Records: Unknown)
A skimming device on an ATM resulted in fraudulent transactions on over 800 accounts. The fraudulent transactions appear to date from October 27, 2012 to November 7, 2012. It is not clear how many skimming devices were involved and where they were located.
Information Source: California Attorney General. Records from this breach used in our total: 0

October 29, 2012 – Abilene Telco Federal Credit Union, Experian, Abilene, Texas (BSF, HACK, Total Records: 847)
A hacker or hackers were able to access an Abilene Telco Federal Credit Union employee's computer in September 2011. The Bank's online account with Experian was then used to download the credit reports of 847 people. Social Security numbers, dates of birth and detailed financial data were exposed.
Information Source: Dataloss DB. Records from this breach used in our total: 847

October 24, 2012 – Vermont State Employee's Credit Union (VSECU), Montpelier, Vermont (BSF, PORT, Total Records: Unknown)
Two unencrypted backup tapes were discovered missing on September 10. They were lost sometime between August 27, and
Risk: Vulnerable Software, breaches at other organizations, card data breaches
Risk: Cyber Activism… Anonymous
• Hacktivism targeting ‘Critical US Infrastructure’
• Banks, Credit Unions, DOJ, VISA, Mastercard, etc.
Risk: DDoS or Terrorism
Risk to members... Scareware! Some pop-ups claim you have a security issue. They lie. If you click anywhere in the pop-up box you will download and install seriously disruptive spyware.
Risk Assessment
Risk Assessment – Threat Inventory
(Diagram: an asset, its vulnerabilities, and the threats that act on them)
Risk Assessment – Anti-Burglary Controls
(Diagram labels: Alarm, Stronger Key, Guard, Watch Dog)
What it is not…
• A Risk Assessment does not include TESTING the effectiveness of controls.
• So when we talk about Control testing, realize that it is a separate step that follows risk assessment and should be “tied” to the risk assessment.
Today… Examiners Expect
• A Risk Management Culture
• GLBA Customer Info Security is Primary RA
• Online/Mobile Banking Risk Assessment
• DDOS Risk Assessment
• New Technology Risk Assessment (ie. Board iPads)
• Variance (120 day PW expiration with Bio-metrics)
• Audit Risk Assessment
• Business Impact Analysis
• BCP Threat Assessment
Management Support
Is Management ready to embrace a risk management culture? If not at the top, it won’t happen.
GLBA Information Security Risk Assessment
• Consider reasonably foreseeable threats
• Evaluate the impact should the threat occur (inherent risk)
• Document and identify key controls
• Evaluate the likelihood of the threat given the controls (residual risk)
• Conclude on Sufficiency & Remediate as Appropriate
• Regularly Revisit
• TrustCC generally recommends this recipe for all risk assessments.
GLBA - Reasonably Foreseeable Threats
• Passwords Guessed
• Malware
• Network Device Attack
• Workstation Attack
• Wireless Attack
• Server Attack
• Physical Security
• Social Engineering
• Backup Tapes Stolen
• Remote Access Attack
• Vendor Data Attack
• Online Banking Attack
• etc.
GLBA - Key Controls
• Anti-Malware
• System Configuration
• Firewalls
• IDS/IPS
• Policies and Standards
• Security Training
• Board Reporting
• Controls Testing
• Patching and Updates
• Encryption
• Visitor Controls
• etc.
These must be mapped to the threats.
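The GLBA recipe (impact as inherent risk, key controls mapped to threats, likelihood given controls as residual risk, conclusion on sufficiency) worked through in Python. This is an added illustration, not a TrustCC tool or spreadsheet; the Low/Medium/High scoring, the "levels removed" per control and the threat-to-control mapping are constructed sample judgements, with names taken from the slide's threat and control lists.

```python
# Added example: a minimal GLBA-style risk register following the recipe above.
# Not TrustCC's tool; scores, mappings and "reduces" values are constructed.
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Threat:
    name: str
    impact: str       # consequence should the threat occur
    likelihood: str   # likelihood with no controls credited (inherent)

# Key controls mapped to the threats they address, with the number of
# likelihood levels each is judged to remove (constructed judgements).
CONTROLS = {
    "Anti-Malware":         {"threats": ["Malware", "Workstation Attack"], "reduces": 1},
    "Patching and Updates": {"threats": ["Server Attack", "Workstation Attack"], "reduces": 1},
    "Encryption":           {"threats": ["Backup Tapes Stolen"], "reduces": 2},
    "Security Training":    {"threats": ["Social Engineering", "Malware"], "reduces": 1},
}

THREATS = [  # constructed inventory using names from the slide's threat list
    Threat("Malware", "High", "High"),
    Threat("Backup Tapes Stolen", "High", "Medium"),
    Threat("Social Engineering", "Medium", "High"),
    Threat("Passwords Guessed", "High", "Medium"),
]

def inherent_risk(t):
    """Impact x likelihood before any control is credited."""
    return LEVELS[t.impact] * LEVELS[t.likelihood]

def residual_likelihood(t, controls=CONTROLS):
    """Likelihood after every control mapped to this threat; never below Low (1)."""
    reduction = sum(c["reduces"] for c in controls.values() if t.name in c["threats"])
    return max(1, LEVELS[t.likelihood] - reduction)

def residual_risk(t, controls=CONTROLS):
    return LEVELS[t.impact] * residual_likelihood(t, controls)

def unmapped_threats(threats=THREATS, controls=CONTROLS):
    """Threats no key control is mapped to: a gap the mapping step must expose."""
    covered = {n for c in controls.values() for n in c["threats"]}
    return [t.name for t in threats if t.name not in covered]

def needs_remediation(threats=THREATS, controls=CONTROLS, appetite=4):
    """Conclude on sufficiency: residual risk above the appetite gets remediated."""
    return sorted(t.name for t in threats if residual_risk(t, controls) > appetite)

def register(threats=THREATS, controls=CONTROLS):
    """{threat: (inherent, residual)}, the two columns of a risk assessment matrix."""
    return {t.name: (inherent_risk(t), residual_risk(t, controls)) for t in threats}
```

With these sample values "Passwords Guessed" keeps its inherent score because no control is mapped to it, which is exactly the condition the mapping requirement is meant to surface.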
Test Results:
• Some Examiners Expect to See Test Results in the GLBA RA
Online/Mobile Banking Risk Assessment
• Let's walk through the Sample PDF provided:
  - Description of Requirements
  - Description of Capabilities
  - Description of Controls
  - Risk Assessment Matrix
  - Conclusion and Control Enhancements
DDoS Risk Assessment – Different, as the risk is defined
• Let's walk through an example…
• Background… sites, capabilities, hosts
• Context… criticality of the Internet to the organization
• Threat Description
• Threat Impact (inherent risk)
• Controls Deployed
• Threat Likelihood (residual risk)
• Planned Remediation Activities
• Conclusion
New Technology Risk Assessment
• Board Packets on iPads
Policy Variance / Risk Assessment… be cautious.
Building Tools to Facilitate Risk Assessment
• Walk through example
Guest Speaker
Expert Payments Advisors
1129 20th Street, Northwest | Suite 300 | Washington, DC 20036 | 202-721-9120 | www.mcgovernsmithadvisors.com
ACUIA 24th Annual Conference “Payments Sleeper Risk”
Paul Reymann, Partner, McGovern Smith Advisors
• Financial industry regulatory expert
• Co-author of Gramm-Leach-Bliley Act (GLBA), Data Protection Regulation
• 28+ years compliance & risk experience (13 with Department of Treasury in D.C.)
• Visionary behind outsourced management compliance products & services
Payments Sleeper Risk
Consumer Compliance; Credit; Financial; IT; Info Sec; Reputation
3rd Party Payment Processors
Overdraft
UDAAP
Disclosures
EMV Debit Interchange
Prepaid Cards
Pay Day Lenders & Others
Critical Vendors
PR Newswire: Up to 63% of security infractions & business disruptions attributed to suppliers & vendors.
Develop a plan tailored to:
Questions and Answers
By Tom Schauer CISA, CISM, CISSP, CEH, CRISC, CTGA
[email protected] 253.468.9750
Enter to Win…
Give me your business card and subject yourself to a sales call. If your card is drawn you will receive a:
Realistic Social Engineering Test for Free
Or $1,000 off your next contract with TrustCC (6mths)