GLBA & IS/IT Risk Assessments - Bcac

advertisement
GLBA & IS/IT Risk
Assessments
Presented by Kristina Buckley of
Buckley Technology Group
Understanding New Vendor Management Risks
and Key Areas for Improvement
1
GLBA Overview
2
GLBA Risk Assessment Report
3
GLBA Risk Matrix
4
IS & IT Risk Assessments
5
Cybercrime Initiative
GLBA Program
•
Requires Financial Institution to ensure the security, confidentiality, and integrity of
customer information.
•
The bank is required to develop and maintain a written program to assess, manage
and control risks associated with customer non-public information.
•
Program must include the monitoring and review of appropriate audits and
documentation.
•
Annual Report to board is required by GLBA.
•
Employee information should also be protected.
GLBA Program
•
Program should include incident response and security breach notification.
•
It is the bank’s regulatory requirement to notify customers of a security breach so it is
critical the bank’s contract includes a security notification clause – 24 hours.
•
The program safeguards are intended to:
– Insure the security and confidentiality of customer records and information;
– Protect against any anticipated threats or hazards to the security or integrity of
such records; and
– Protect against unauthorized access to or use of such records or information that
could result in substantial harm or inconvenience to any customer.
GLBA Risk Assessment
Report
Objectives of assessment are as follows:
•
Identify the services/business processes from the bank’s vendor management and
BCP program that have a high NPI Risk level. For each of the business processes:
– Identify the supporting systems involved and any associated input and output of
data.
– Identify the security controls in place for each identified supporting system.
– Identify existing internal and external threats associated with each business
process.
GLBA Risk Assessment
Report
Objectives of assessment are as follows:
•
Identify existing controls in place to mitigate risks.
•
Identify additional controls to be considered to mitigate risks.
•
Identify related vendors and their security practices associated with the business
process.
GLBA Risk Assessment
Report
Document the Threat Level Rating Scale Used:
•
High:
– Threat could lead to disclosure of customer information, significant impact to the
reputation of the bank, significant financial loss, interrupt customer service for an
unacceptable period of time, and not be in compliance.
•
Medium:
– Threat could cause interruption or delay in service to customers, impact to the
reputation of the bank, moderate financial loss for the bank.
Low:
– Threat considered low given mitigating controls in place.
•
GLBA Risk Assessment
Report
Document the Threat Level Rating Scale Used:
GLBA
Risk
Rating
Defining Characteristics
Threat could lead to disclosure of customer
information, significant impact to the reputation of
High the bank, significant financial loss, interrupt
customer service for an unacceptable period of
time, and not be in compliance.
Threat could cause interruption or delay in service
Medium to customers, impact to the reputation of the bank,
moderate financial loss for the bank.
Threat considered low given mitigating controls in
Low
place.
GLBA Risk Assessment
Report
Document the Threat Level of Effort Scale Used:
• High:
– Changes or enhancements that are expected to involve significant incremental
costs and/or require significant involvement by administrators and/or significant
changes to end-users.
•
•
Medium:
– Changes or enhancements that are expected to involve moderate incremental
costs and/or require moderate involvement of administrators and little or no direct
impact to end-users.
Low:
– Changes or enhancements that are considered to be both low cost and to require
moderate to low involvement by administrators and/or minimal to no impact to
end-users.
GLBA Risk Assessment
Report
Document the Threat Level of Effort Scale Used:
Level of
Effort
Defining Characteristics
Changes or enhancements that are expected to
involve significant incremental costs and/or require
High
significant involvement by administrators and/or
significant changes to end-users.
Changes or enhancements that are expected to
involve moderate incremental costs and/or require
Medium
moderate involvement of administrators and little or
no direct impact to end-users.
Changes or enhancements that are considered to
be both low cost and to require moderate to low
Low
involvement by administrators and/or minimal to no
impact to end-users.
GLBA Risk Assessment
Report
For each Business Process:
•
•
•
•
•
•
•
•
•
The vendor name
Associated business process with a high NPI risk rating
The owner
The assigned GLBA Risk Rating (High)
An assigned Level of Effort (High, Medium or Low as defined below)
A description of GLBA findings
An explanation of the risks associated with the finding/observation
Recommendations for further risk mitigation
Financial Institution’s Update (include possible mitigating controls)
GLBA Risk Assessment
Report
1.
Vendor Name: CRIF
Business Process/Business Process Owner:
 Indirect Lending – Kris Buckley
GLBA Risk
High
Level of Effort:
Low
Rating:
Finding: Customer account file is transmitted to vendor. The financial institution
has received a confidentiality agreement, but is not currently aware of a SSAE16
and/or other security documentation outlining how the vendor protects or properly
disposes of NPI, or an incident response plan. It is currently unknown how the
data is transmitted to vendors.
Risk: Without proper vendor oversight/documentation the bank can be at
increased risk of external security threats by information not being properly
secured which could result in unauthorized access, system compromise, and/or
disclosure of customer data.
BTG Recommendations: Request a SSAE16 and/or similar security documentation
detailing the protection and proper disposal of NPI, and a security breach
notification agreement or incident response plan that includes security breach
notification to the bank if there is any possibility that NPI could be compromised.
Work with vendor(s) to ensure data is being transmitted securely.
Financial Institution Update:
GLBA Risk Assessment
Report
•
Other components you may want to add to the table identified on previous screen
depending upon the size and complexity of your financial institution.
–
–
–
–
–
–
–
Risk Areas
Risk Categories
Likelihood
Impact
Inherent Risk
Existing Mitigating Controls
Residual Risk
GLBA Risk Assessment
Report
•
Report should document the total number of business processes within each Risk
Level and the findings.
•
You will identify during the assessment a number of business processes that share
vulnerabilities.
GLBA Risk Assessment
Report
Risk Level
16 High (10
Vendors)
32 Medium
16 Low
Risk/Threat Description





Missing vendor due diligence documentation
Unsecured or unidentified transmission of data
Informal and/or Missing Access Removal Process
Single Factor Website Authentication
Unidentified retention and disposal of NPI on the
Internet

Partial and/or Outdated vendor due diligence
documentation

Exceptions noted but corrected on last SSAE16
GLBA Matrix
Option 2
For each Business Process:
Identify any third parties that may provide the organization with initial information.
Identify any third parties the organization shares data with during this process.
List the methods of collection used to complete the process.
List the formats the data is in (i.e. hardcopy, electronic, etc.).
List how the data is transmitted or transported.
For formats identified, how long are they retained and where?
For electronic file formats identified, how are they backed up and where are backups
retained?
For formats identified, identify disposal process for related information.
Will NPI be retained and available via the Internet? If yes, explain security controls in place
for vendor, the organization and customer access.
Outline retention and disposal of any NPI available via Internet.
GLBA Matrix
Option 2
What security controls are in place for the business process and all related data formats.
Identify who requires access to the business function and related data.
What process is in place to remove employee or vendor access?
Identify any person or party who has access but it is not required under their job description.
What audit controls, reports, and logs are available to monitor employee and vendor access?
Has the vendor provided the organization with a confidentiality agreement and/or security
documentation outlining the protection of non-public information?
Has vendor provided an Incident Response Policy/procedure which includes breach of security
notification to the organization if there is any possibility that non public information could be
compromised?
Identify the possible internal threats.
Internal Risk Rating (high, medium, low)
Identify the possible external threats.
External Risk Rating (high, medium, low)
Type of risks associated with internal and external threats (reputation, financial, strategic)
GLBA Matrix
Option 2:
Questions you may want to add to Matrix:
•
External access points (employee and vendors).
•
Related applications.
•
Security controls for each application.
•
Regulator retention guidelines are met.
GLBA Matrix
Option 2:
Questions you may want to add to Matrix:
•
Network directories that may contain data.
•
Do the vendor employees have access to the NPI on their PC’s, laptop, etc. outside
of the financial institution’s control?
•
Does vendor subcontract with third parties to perform any components related to NPI.
IT/IS Risk Assessment
•
An IT/IS risk assessment should be performed annually on high NPI risk vendors as
part of GLBA. It should also be performed for any prospective vendor or changed
relationship.
•
Business change
•
Product change
•
Controls are changed
•
Regulations are changed (even if your contract states they will remain in
compliance)
IT/IS Risk Assessment
•
The Business Owner (Contract) is responsible for the Vendor and the Risk
Assessment process however IT needs to get involved and be part of the formal
process. Require business owners get IT’s sign-off.
•
Report and Matrix noted earlier can be used to document Risk Assessments
IT/IS Risk Assessment
IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc):
•
Identify
•
All new hardware and software involved in product. Is this cloud based?
•
Is software and hardware compatible to Bank’s existing infrastructure?
•
Document expected network infrastructure to ensure it is truly compatible and to
identify additional needs.
•
Document expected PC, laptop and device configuration.
IT/IS Risk Assessment
IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc):
•
Identify
•
Any firewall, IDS, IPS changes?
•
New servers (traditional or virtual).
•
New licensing requirements.
•
New telecommunication needs.
IT/IS Risk Assessment
IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc):
•
Identify
•
Wireless required or being introduced?
•
Remote access rights and encryption required.
•
Who is responsible for patch maintenance for items above?
Risk Assessment
Website Hosting
Some Questions to consider:
•
Does the vendor provide hosting to other financial institutions?
•
Are they aware of the related regulatory guidance?
•
What can they provide you for Security Documentation? SSAE16?
•
What can they provide you for Pen Testing and Monitoring?
– Objective third party and frequency
Risk Assessment
Website Hosting
Some Questions to consider:
•
Application design and known vulnerabilities? (open source)
•
Security Breach notification procedures (in contract)
•
Website hosting infrastructure
– Private or public server
– Remote Access
Risk Assessment
Website Hosting
Some Questions to consider:
•
Business Continuity
– Outside of your region
– Redundancy
– Backup policy
Monitoring
•
Review all due diligence documentation. Question if reports are not being updated at
a minimum of every two years
•
Review of Penetration Test results
•
If they are regulated ensure you are reviewing audit reports.
Documentation Red
Flags
Be cautious if you run into any of the following during Risk Assessment or Documentation
review:
•
IS Policies are not based on any accepted security standard (ISO27001)
•
No formal training and security awareness program noted for employees and
subcontractors
•
Encryption does not exist on vendor employee laptops
Documentation Red
Flags
•
Can’t provide PEN tests (S/B at a minimum annual)
•
Weak remote access standards
•
Weak BCP/DR Plan
•
Weak data media handling, retention, disposal and return practices
•
Difficulty providing the overall material
Cybercrime Initiative
Resources
www.fsisac.com.
•
The FS-ISAC is a member-owned, nonprofit and private financial sector initiative. Its
primary function is to share timely, relevant, and actionable physical and cyber
security threat and incident information to enhance the ability of the financial services
sector to prepare for, respond to, and mitigate the risk associated with these threats.
•
Both the U.S. Department of Treasury and the U.S. Department of Homeland
Security rely on the FS-ISAC to disseminate critical information to the financial
services sector in times of crisis.
Cybercrime Initiative
Resources
– Members receive timely notification and authoritative information specifically
designed to help protect critical systems and assets from physical and cyber
security threats.
– Provides an anonymous information-sharing capability across the entire financial
services industry that enables institutions to exchange information regarding
physical and cyber security threats, as well as vulnerabilities, incidents, and
potential protective measures and practices.
Cybercrime Initiative
Resources
United States Computer Emergency Readiness Team (US-CERT)
•
The Department of Homeland Security's US-CERT facilitates the coordination of
cyber information sharing and provides cyber vulnerability and threat information
through its national Cyber Awareness System. Financial institutions may learn more
about US-CERT and subscribe to receive security alerts, tips and other updates
through its website at www.us-cert.gov. Cyber Security Page 2
Cybercrime Initiative
Resources
U.S. Secret Service Electronic Crimes Task Force (ECTF)
•
The Electronic Crimes Task Force teams local, state and federal law enforcement
personnel with prosecutors, private industry, and academia to maximize what each
has to offer in an effort to combat cyber criminal activity. For more information on the
Electronic Crimes Task Forces please visit www.secretservice.gov/ectf.shtml.
Cybercrime Initiative
Resources
FBI InfraGard
•
InfraGard is an information sharing forum between the FBI and the private sector.
InfraGard operates more than 60 chapters that conduct local meetings pertinent to
their area. Information about InfraGard may be obtained at www.infragard.org.
Related Rules and
Regulations
•
FDIC IT Exam Officers VM Guidance and Questionnaire
•
IT Examination Handbook Outsourcing Technology Services
•
Part of FFIEC IT Rating (URSIT)
•
Part 364-B FDIC Rule and Regulations
•
FFIEC IT Handbook (excel)
THANK YOU
Kris Buckley, President
kmb@buckleytechgroup.com
www.buckleytechgroup.com
781.258.0618
Download