
Page 1

Session Handouts Tom Schauer, CEO TrustCC

www.trustcc.com or 866.290.6774 ext 1

Copyright  TrustCC.    All  Rights  Reserved.    

IT Risk Assessment: Confusion to Clarity

aka A Risk Assessment A Day Keeps the Examiner at Bay

By Tom Schauer CISA, CISM, CISSP, CEH, CRISC, CTGA

[email protected] 253.468.9750

My Qualifications

• Started in Banking in 1986; Data Security and BCP
• Led IT Audit and Security practices for Deloitte/Guardent
• Founded TrustCC in 2001 to help Banks and Credit Unions address GLBA
• TrustCC has performed 2000 IT Audits and Security Assessments for nearly 400 financial institutions
• Contract IT Examiner for State/Federal Regulatory Agencies

As new guidance requires more risk assessments, many credit unions are confused about IT risk assessment requirements. This talk will bring clarity to the requirements and will provide helpful guidance.

Page 2

Risk: Security Breach


Risk – Vendor Breach

Of 4239, only 34 CU Events and 124 Bank Events

Credit Union Events
• Merchant breach (3)
• Vendor Negligence
• Accidental disclosure (5)
• Paper Carelessness (3)
• Accidental Loss of Tape Backup (2)
• Employee Misuse of Information (3)
• ATM Skimming
• Hacking (2)
• Theft (8)
• Social Engineering (2)
• Malware

Source: Chronology of Data Breaches, Privacy Rights Clearinghouse, https://www.privacyrights.org/data-breach-asc?title=Credit+Union (search term "Credit Union"; captured 4/6/14, 9:14 AM; page 1 of 6). Columns: Date Made Public, Name, Entity Type, Total Records.

September 7, 2013: Rockland Federal Credit Union, Rockland, Massachusetts (BSF, HACK, records: Unknown). Rockland Federal Credit Union is sending customers new debit cards with new PINs as a result of a merchant who discovered a breach in their computer system. All old debit cards will be deactivated on September 26. Those with questions may call 781-878-0232. Information Source: Media. Records from this breach used in our total: 0.

August 28, 2013: Missouri Credit Union, Columbia, Missouri (BSF, DISC, records: 39,000). A file with customer information was accidentally published on Missouri Credit Union's website on August 5. The names, Social Security numbers, account numbers, teller and call-in passwords, and addresses of Missouri Credit Union members were accessed. The file was accessed 10 times before the issue was discovered and it was taken off of the website. Information Source: Media. Records from this breach used in our total: 39,000.

June 17, 2013: Yolo Federal Credit Union, Woodland, California (BSF, UNKN, records: Unknown). Yolo was notified by Visa that there may have been a breach at several merchant locations. Yolo was not the site of the breach, but customers were issued new payment cards. The issue was reported to Yolo on May 31. Information Source: Media. Records from this breach used in our total: 0.

December 13, 2012: Yolo Federal Credit Union, Woodland, California (BSF, CARD, records: Unknown). A skimming device on an ATM resulted in fraudulent transactions on over 800 accounts. The fraudulent transactions appear to date from October 27, 2012 to November 7, 2012. It is not clear how many skimming devices were involved and where they were located. Information Source: California Attorney General. Records from this breach used in our total: 0.

October 29, 2012: Abilene Telco Federal Credit Union, Experian, Abilene, Texas (BSF, HACK, records: 847). A hacker or hackers were able to access an Abilene Telco Federal Credit Union employee's computer in September 2011. The Bank's online account with Experian was then used to download the credit reports of 847 people. Social Security numbers, dates of birth and detailed financial data were exposed. Information Source: Dataloss DB. Records from this breach used in our total: 847.

October 24, 2012: Vermont State Employee's Credit Union (VSECU), Montpelier, Vermont (BSF, PORT, records: Unknown). Two unencrypted backup tapes were discovered missing on September 10. They were lost sometime between August 27, and

Page 3

Risk: Vulnerable Software, breaches at other organizations, card data breaches

Risk: Cyber Activism… Anonymous
• Hacktivism targeting 'Critical US Infrastructure'
• Banks, Credit Unions, DOJ, VISA, Mastercard, etc.

Risk: DDoS or Terrorism

Page 4

Risk to members... Scareware! Some pop-ups claim you have a security issue. They lie. If you click anywhere in the pop-up box you will download and install seriously disruptive spyware.


Risk Assessment

Page 5

Figure: Risk Assessment – Threat Inventory (diagram of an asset, the vulnerabilities it carries, and the threats that act on them).

Figure: Risk Assessment – Anti-Burglary Controls (diagram labels: Alarm, Stronger, Key Guard, Watch Dog).

What it is not…

• A Risk Assessment does not include TESTING the effectiveness of controls.
• So when we talk about Control testing, realize that it is a separate step that follows risk assessment and should be "tied" to the risk assessment.

Page 6

Today… Examiners Expect

• A Risk Management Culture
• GLBA Customer Info Security is Primary RA
• Online/Mobile Banking Risk Assessment
• DDOS Risk Assessment
• New Technology Risk Assessment (i.e. Board iPads)
• Variance (120 day PW expiration with biometrics)
• Audit Risk Assessment
• Business Impact Analysis
• BCP Threat Assessment


Management Support

Is Management ready to embrace a risk management culture? If not at the top, it won’t happen.


GLBA Information Security Risk Assessment

• Consider reasonably foreseeable threats
• Evaluate the impact should the threat occur (inherent risk)
• Document and identify key controls
• Evaluate the likelihood of the threat given the controls (residual risk)
• Conclude on Sufficiency & Remediate as Appropriate
• Regularly Revisit

TrustCC generally recommends this recipe for all risk assessments.

Page 7

GLBA - Reasonably Foreseeable Threats

• Passwords Guessed
• Malware
• Network Device Attack
• Workstation Attack
• Wireless Attack
• Server Attack
• Physical Security
• Social Engineering
• Backup Tapes Stolen
• Remote Access Attack
• Vendor Data Attack
• Online Banking Attack
• etc.


GLBA - Key Controls

• Anti-Malware
• System Configuration
• Firewalls
• IDS/IPS
• Policies and Standards
• Security Training
• Board Reporting
• Controls Testing
• Patching and Updates
• Encryption
• Visitor Controls
• etc.

These must be mapped to the threats.
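Added example, not from the handout: a small Python risk register that walks the recipe from the GLBA Information Security Risk Assessment slide (foreseeable threats, inherent risk, key controls mapped to each threat, residual risk, conclusion on sufficiency) using threat and control names from the two lists above. The 1-to-5 scores, the control effectiveness figures and the tolerance threshold are constructed assumptions, not TrustCC's numbers.

```python
"""Constructed GLBA-style risk register: inherent vs. residual risk per threat."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    impact: int                      # 1..5: consequence should the threat occur
    likelihood: int                  # 1..5: likelihood before any controls
    controls: list = field(default_factory=list)   # key controls mapped to this threat


# Assumed effectiveness of each key control: fraction by which it reduces likelihood.
CONTROL_EFFECTIVENESS = {
    "Anti-Malware": 0.6, "Patching and Updates": 0.5, "Firewalls": 0.5,
    "IDS/IPS": 0.3, "Security Training": 0.4, "Encryption": 0.8,
    "Policies and Standards": 0.2, "Visitor Controls": 0.5,
}


def inherent_risk(t: Threat) -> int:
    """Recipe step 2: impact x likelihood with no controls considered."""
    return t.impact * t.likelihood


def residual_likelihood(t: Threat) -> int:
    """Recipe step 4: likelihood given the mapped controls (never below 1)."""
    remaining = 1.0
    for c in t.controls:                       # KeyError flags an unknown control name
        remaining *= 1 - CONTROL_EFFECTIVENESS[c]
    return max(1, round(t.likelihood * remaining))


def residual_risk(t: Threat) -> int:
    return t.impact * residual_likelihood(t)


def assess(threats, tolerance=6):
    """Recipe step 5: conclude on sufficiency. Returns threats with no key
    control mapped at all, and threats whose residual risk exceeds tolerance."""
    unmapped = [t.name for t in threats if not t.controls]
    over = [(t.name, inherent_risk(t), residual_risk(t))
            for t in threats if residual_risk(t) > tolerance]
    return unmapped, over


REGISTER = [   # threats from the slide's inventory; scores are constructed
    Threat("Malware", 4, 5, ["Anti-Malware", "Patching and Updates", "Security Training"]),
    Threat("Backup Tapes Stolen", 5, 2, ["Encryption"]),
    Threat("Social Engineering", 4, 4, ["Security Training"]),
    Threat("Vendor Data Attack", 5, 3, []),   # nothing mapped: an examiner will ask why
]

if __name__ == "__main__":
    print(assess(REGISTER))
```

Threats that come back in the unmapped list are the gap the slide warns about: a control inventory that is not tied to the threat inventory.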

Test Results:

• Some Examiners Expect to See Test Results in the GLBA RA

Page 8

Online/Mobile Banking Risk Assessment

• Let's walk through the sample PDF provided
    – Description of Requirements
    – Description of Capabilities
    – Description of Controls
    – Risk Assessment Matrix
    – Conclusion and Control Enhancements

DDoS Risk Assessment – Different as the risk is defined

• Let's walk through an example.
• Background… sites, capabilities, hosts
• Context… criticality of Internet to organization
• Threat Description
• Threat Impact (inherent risk)
• Controls Deployed
• Threat Likelihood (residual risk)
• Planned Remediation Activities
• Conclusion

Page 9

New Technology Risk Assessment

• Board Packets on iPads

Policy Variance / Risk Assessment… be cautious.

Building Tools to Facilitate Risk Assessment

• Walk through example

Page 10

Guest Speaker


Expert Payments Advisors

1129 20th Street, Northwest | Suite 300  | Washington, DC 20036 | 202-721-9120 | www.mcgovernsmithadvisors.com

ACUIA 24th Annual Conference "Payments Sleeper Risk"

Paul Reymann, Partner, McGovern Smith Advisors

• Financial industry regulatory expert
• Co-author of Gramm-Leach-Bliley Act (GLBA), Data Protection Regulation
• 28+ years compliance & risk experience (13 with Department of Treasury in D.C.)
• Visionary behind outsourced management compliance products & services

Page 11

Payments Sleeper Risk

Consumer Compliance; Credit; Financial; IT; Info Sec; Reputation

• 3rd Party Payment Processors
• Overdraft
• UDAAP
• Disclosures
• EMV Debit Interchange
• Prepaid Cards
• Pay Day Lenders & Others
• Critical Vendors

PR Newswire: Up to 63% of security infractions & business disruptions attributed to suppliers & vendors.

Page 12

Develop a plan tailored to:

Page 13

Questions and Answers

By Tom Schauer CISA, CISM, CISSP, CEH, CRISC, CTGA

[email protected] 253.468.9750

Page 14

Enter to Win…

Give me your business card and subject yourself to a sales call. If your card is drawn you will receive a:

Realistic Social Engineering Test for Free

Or $1,000 off your next contract with TrustCC (6 months)