ISACA ISSA Presentation

  • Published on
    10-Jan-2017

  • View
    165

  • Download
    0

Embed Size (px)

Transcript

Slide 1

Lord of the Keys:

Maturing your IS Program Using the NIST Cybersecurity Framework and FFIEC Cybersecurity Maturity Assessment

1

Reasons to MatureBreaches and ImpactWNB PostureNIST Cybersecurity FrameworkFFIEC Maturity Assessment Tool

AgendaPage 2 of 117

I.S.E. Peoples Choice Awardhttp://www.ten-inc.com/ise/central/default.asphttps://www.surveymonkey.com/r/CEN_PCVOTING

Background

LinkedIn Profile: Marc Crudgington

President signs to improve cybersecurity in the critical infrastructure, 02/2013 Executive Order 13636 Covers those associated with payment cards (banks, merchants, tech), 12/2004PCI RequiredProtecting customer data is paramount to the banks reputation/trust Right thing to doWhy Act?

Cybersecurity Awareness, IT Handbook, Frequency of attacks, 11/2015; Mitigate attacks, 03/2015; Participate in Intel Sharing, 11/2014 FFIECPrivate sector information sharing, 02/2015; National Action Plan and Cybersecurity Commission, 02/2016Executive OrderReleases Cybersecurity Assessment Tool, recommends financial institutions use or a similar tool, 06/2015 FFIECWhy Act?

Why Act?

ID10Ts exist and they want their

6

Company Breaches

Effects on Economy

Effects on EconomyIP: 70% of value of public companies

Annual losses: estimated over $300B

China: +$107B sales and +2.1M jobsIP Intensive43%: ITRC account of breaches

2013: 8.8M records stolen

1.8M: Victims of Identity TheftHealthcare2013: 856 reported breaches

Q1 2014: 98.3% of data exposed

37%: Breaches affected the sectorFinance/Business

Effects on Economy1M+ jobs lost and a $200B cost in 2010 Based on estimate of 5,080 jobs per $1B0.5% ($70B)or 1% ($140B) of National IncomeGlobally - $350B or $700BHealthcare: $7B for HIPAA 2013 lossesSMBs: 80% file bankruptcy or suffer significant financial lossesS&P 500: $136.5B due to AP Twitter hack

Effects on Economy

2015201320122011$214

$194$188$201

$2172014

Effects on EconomyEnterprisesSMBsAttack TypeIncidentProf Svcs $109kBus. Opp. $457kPreventionNew IT Sec $57kTraining $26k

Total $649kIncidentProf Svcs $13kBus. Opp. $23kPreventionNew IT Sec $9kTraining $5k

Total $50kTargetedEnt. $2.4MSMB $92kPhishingEnt. $57kSMB $26kDDoSEnt. $57kSMB $26k

Effects on EconomyLoss of IP and Confidential InformationCybercrimeLoss of sensitive business information-stock market manipulationOpportunity costs, including service and employment disruptions, and reduced trust for online activitiesThe additional cost of securing networks, insurance, and recovery from cyber attacksReputational damage

Defense-in-Depth 2.0Traffic Flow / Security Layers

Internet

Cybersecurity Maturity Timeline

2012/2013201420152016STARTContinuous improvementBegin assessing program, developing strategy; PCIComplete maturity assessment engagement; evaluate report, next stepsEvaluate/implement framework, tools implementation, continue PCI pathContinue implementation of framework, tools, PCI; self/regulator assessment, engage 3rd party

Organizational understanding to manage cybersecurity risksAppropriate activities to identify the occurrence of a cybersecurity eventAppropriate activities to take action regarding a detected cybersecurity eventMaintain plans for resilience and to restore services impactedAppropriate safeguards to ensure delivery of servicesFramework CoreIdentifyProtectDetectRespondRecover

Framework Function/CategoryFunctionCategoryIdentifyAsset Management (6)Business Environment (5)Governance (4)Risk Assessment (6)Risk Management Strategy (3)ProtectAccess Control (5)Awareness and Training (5)Data Security (7)Information Protection Processes (12)Maintenance (2)Protective Technology (4)

Framework Function/Category cont.FunctionCategoryDetectAnomalies and Events (5)Security Continuous Monitoring (8)Detection Processes (5)RespondResponse Planning (1)Communications (5)Analysis (4)Mitigation (3)Improvements (2)RecoverRecovery Planning (1)Improvements (2)Communications (3)

Framework Subcategories

Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties, are understood and managed

Subcategories specific outcomes of technical and/or management activities (requirements, controls, guidelinesIdentify: ID.GV-1Detected events are analyzed to understand attack targets and methodsDetect: DE.AE-2Protections against data leaks are implementedProtect: PR.DS-5

What We DidParticipated in Framework Request for InformationReviewed Framework upon releaseDetermined how Framework fit into our current IS ProgramDeclared NIST Cybersecurity Framework as our foundational IS Program frameworkIncorporated NIST Cybersecurity Framework into our IS ProgramInternal Audit performed Cybersecurity / GLBA Audit

FFIEC Inherent Risk ProfileOnline/Mobile Products and Technology ServicesTechnologies and Connection TypesOrganizational CharacteristicsExternal Threats

= Inherent Risk

Delivery Channels

Inherent Risks SamplesCategoryRisk LevelsLeastMinimalModerateSignificantMostPersonal devices allowed to connect to the corporate networkNoneOnly one device type available;