GLBA & IS/IT Risk Assessments Presented by Kristina Buckley of Buckley Technology Group Understanding New Vendor Management Risks and Key Areas for Improvement 1 GLBA Overview 2 GLBA Risk Assessment Report 3 GLBA Risk Matrix 4 IS & IT Risk Assessments 5 Cybercrime Initiative GLBA Program • Requires Financial Institution to ensure the security, confidentiality, and integrity of customer information. • The bank is required to develop and maintain a written program to assess, manage and control risks associated with customer non-public information. • Program must include the monitoring and review of appropriate audits and documentation. • Annual Report to board is required by GLBA. • Employee information should also be protected. GLBA Program • Program should include incident response and security breach notification. • It is the bank’s regulatory requirement to notify customers of a security breach so it is critical the bank’s contract includes a security notification clause – 24 hours. • The program safeguards are intended to: – Insure the security and confidentiality of customer records and information; – Protect against any anticipated threats or hazards to the security or integrity of such records; and – Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. GLBA Risk Assessment Report Objectives of assessment are as follows: • Identify the services/business processes from the bank’s vendor management and BCP program that have a high NPI Risk level. For each of the business processes: – Identify the supporting systems involved and any associated input and output of data. – Identify the security controls in place for each identified supporting system. – Identify existing internal and external threats associated with each business process. GLBA Risk Assessment Report Objectives of assessment are as follows: • Identify existing controls in place to mitigate risks. • Identify additional controls to be considered to mitigate risks. • Identify related vendors and their security practices associated with the business process. GLBA Risk Assessment Report Document the Threat Level Rating Scale Used: • High: – Threat could lead to disclosure of customer information, significant impact to the reputation of the bank, significant financial loss, interrupt customer service for an unacceptable period of time, and not be in compliance. • Medium: – Threat could cause interruption or delay in service to customers, impact to the reputation of the bank, moderate financial loss for the bank. Low: – Threat considered low given mitigating controls in place. • GLBA Risk Assessment Report Document the Threat Level Rating Scale Used: GLBA Risk Rating Defining Characteristics Threat could lead to disclosure of customer information, significant impact to the reputation of High the bank, significant financial loss, interrupt customer service for an unacceptable period of time, and not be in compliance. Threat could cause interruption or delay in service Medium to customers, impact to the reputation of the bank, moderate financial loss for the bank. Threat considered low given mitigating controls in Low place. GLBA Risk Assessment Report Document the Threat Level of Effort Scale Used: • High: – Changes or enhancements that are expected to involve significant incremental costs and/or require significant involvement by administrators and/or significant changes to end-users. • • Medium: – Changes or enhancements that are expected to involve moderate incremental costs and/or require moderate involvement of administrators and little or no direct impact to end-users. Low: – Changes or enhancements that are considered to be both low cost and to require moderate to low involvement by administrators and/or minimal to no impact to end-users. GLBA Risk Assessment Report Document the Threat Level of Effort Scale Used: Level of Effort Defining Characteristics Changes or enhancements that are expected to involve significant incremental costs and/or require High significant involvement by administrators and/or significant changes to end-users. Changes or enhancements that are expected to involve moderate incremental costs and/or require Medium moderate involvement of administrators and little or no direct impact to end-users. Changes or enhancements that are considered to be both low cost and to require moderate to low Low involvement by administrators and/or minimal to no impact to end-users. GLBA Risk Assessment Report For each Business Process: • • • • • • • • • The vendor name Associated business process with a high NPI risk rating The owner The assigned GLBA Risk Rating (High) An assigned Level of Effort (High, Medium or Low as defined below) A description of GLBA findings An explanation of the risks associated with the finding/observation Recommendations for further risk mitigation Financial Institution’s Update (include possible mitigating controls) GLBA Risk Assessment Report 1. Vendor Name: CRIF Business Process/Business Process Owner: Indirect Lending – Kris Buckley GLBA Risk High Level of Effort: Low Rating: Finding: Customer account file is transmitted to vendor. The financial institution has received a confidentiality agreement, but is not currently aware of a SSAE16 and/or other security documentation outlining how the vendor protects or properly disposes of NPI, or an incident response plan. It is currently unknown how the data is transmitted to vendors. Risk: Without proper vendor oversight/documentation the bank can be at increased risk of external security threats by information not being properly secured which could result in unauthorized access, system compromise, and/or disclosure of customer data. BTG Recommendations: Request a SSAE16 and/or similar security documentation detailing the protection and proper disposal of NPI, and a security breach notification agreement or incident response plan that includes security breach notification to the bank if there is any possibility that NPI could be compromised. Work with vendor(s) to ensure data is being transmitted securely. Financial Institution Update: GLBA Risk Assessment Report • Other components you may want to add to the table identified on previous screen depending upon the size and complexity of your financial institution. – – – – – – – Risk Areas Risk Categories Likelihood Impact Inherent Risk Existing Mitigating Controls Residual Risk GLBA Risk Assessment Report • Report should document the total number of business processes within each Risk Level and the findings. • You will identify during the assessment a number of business processes that share vulnerabilities. GLBA Risk Assessment Report Risk Level 16 High (10 Vendors) 32 Medium 16 Low Risk/Threat Description Missing vendor due diligence documentation Unsecured or unidentified transmission of data Informal and/or Missing Access Removal Process Single Factor Website Authentication Unidentified retention and disposal of NPI on the Internet Partial and/or Outdated vendor due diligence documentation Exceptions noted but corrected on last SSAE16 GLBA Matrix Option 2 For each Business Process: Identify any third parties that may provide the organization with initial information. Identify any third parties the organization shares data with during this process. List the methods of collection used to complete the process. List the formats the data is in (i.e. hardcopy, electronic, etc.). List how the data is transmitted or transported. For formats identified, how long are they retained and where? For electronic file formats identified, how are they backed up and where are backups retained? For formats identified, identify disposal process for related information. Will NPI be retained and available via the Internet? If yes, explain security controls in place for vendor, the organization and customer access. Outline retention and disposal of any NPI available via Internet. GLBA Matrix Option 2 What security controls are in place for the business process and all related data formats. Identify who requires access to the business function and related data. What process is in place to remove employee or vendor access? Identify any person or party who has access but it is not required under their job description. What audit controls, reports, and logs are available to monitor employee and vendor access? Has the vendor provided the organization with a confidentiality agreement and/or security documentation outlining the protection of non-public information? Has vendor provided an Incident Response Policy/procedure which includes breach of security notification to the organization if there is any possibility that non public information could be compromised? Identify the possible internal threats. Internal Risk Rating (high, medium, low) Identify the possible external threats. External Risk Rating (high, medium, low) Type of risks associated with internal and external threats (reputation, financial, strategic) GLBA Matrix Option 2: Questions you may want to add to Matrix: • External access points (employee and vendors). • Related applications. • Security controls for each application. • Regulator retention guidelines are met. GLBA Matrix Option 2: Questions you may want to add to Matrix: • Network directories that may contain data. • Do the vendor employees have access to the NPI on their PC’s, laptop, etc. outside of the financial institution’s control? • Does vendor subcontract with third parties to perform any components related to NPI. IT/IS Risk Assessment • An IT/IS risk assessment should be performed annually on high NPI risk vendors as part of GLBA. It should also be performed for any prospective vendor or changed relationship. • Business change • Product change • Controls are changed • Regulations are changed (even if your contract states they will remain in compliance) IT/IS Risk Assessment • The Business Owner (Contract) is responsible for the Vendor and the Risk Assessment process however IT needs to get involved and be part of the formal process. Require business owners get IT’s sign-off. • Report and Matrix noted earlier can be used to document Risk Assessments IT/IS Risk Assessment IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc): • Identify • All new hardware and software involved in product. Is this cloud based? • Is software and hardware compatible to Bank’s existing infrastructure? • Document expected network infrastructure to ensure it is truly compatible and to identify additional needs. • Document expected PC, laptop and device configuration. IT/IS Risk Assessment IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc): • Identify • Any firewall, IDS, IPS changes? • New servers (traditional or virtual). • New licensing requirements. • New telecommunication needs. IT/IS Risk Assessment IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc): • Identify • Wireless required or being introduced? • Remote access rights and encryption required. • Who is responsible for patch maintenance for items above? Risk Assessment Website Hosting Some Questions to consider: • Does the vendor provide hosting to other financial institutions? • Are they aware of the related regulatory guidance? • What can they provide you for Security Documentation? SSAE16? • What can they provide you for Pen Testing and Monitoring? – Objective third party and frequency Risk Assessment Website Hosting Some Questions to consider: • Application design and known vulnerabilities? (open source) • Security Breach notification procedures (in contract) • Website hosting infrastructure – Private or public server – Remote Access Risk Assessment Website Hosting Some Questions to consider: • Business Continuity – Outside of your region – Redundancy – Backup policy Monitoring • Review all due diligence documentation. Question if reports are not being updated at a minimum of every two years • Review of Penetration Test results • If they are regulated ensure you are reviewing audit reports. Documentation Red Flags Be cautious if you run into any of the following during Risk Assessment or Documentation review: • IS Policies are not based on any accepted security standard (ISO27001) • No formal training and security awareness program noted for employees and subcontractors • Encryption does not exist on vendor employee laptops Documentation Red Flags • Can’t provide PEN tests (S/B at a minimum annual) • Weak remote access standards • Weak BCP/DR Plan • Weak data media handling, retention, disposal and return practices • Difficulty providing the overall material Cybercrime Initiative Resources www.fsisac.com. • The FS-ISAC is a member-owned, nonprofit and private financial sector initiative. Its primary function is to share timely, relevant, and actionable physical and cyber security threat and incident information to enhance the ability of the financial services sector to prepare for, respond to, and mitigate the risk associated with these threats. • Both the U.S. Department of Treasury and the U.S. Department of Homeland Security rely on the FS-ISAC to disseminate critical information to the financial services sector in times of crisis. Cybercrime Initiative Resources – Members receive timely notification and authoritative information specifically designed to help protect critical systems and assets from physical and cyber security threats. – Provides an anonymous information-sharing capability across the entire financial services industry that enables institutions to exchange information regarding physical and cyber security threats, as well as vulnerabilities, incidents, and potential protective measures and practices. Cybercrime Initiative Resources United States Computer Emergency Readiness Team (US-CERT) • The Department of Homeland Security's US-CERT facilitates the coordination of cyber information sharing and provides cyber vulnerability and threat information through its national Cyber Awareness System. Financial institutions may learn more about US-CERT and subscribe to receive security alerts, tips and other updates through its website at www.us-cert.gov. Cyber Security Page 2 Cybercrime Initiative Resources U.S. Secret Service Electronic Crimes Task Force (ECTF) • The Electronic Crimes Task Force teams local, state and federal law enforcement personnel with prosecutors, private industry, and academia to maximize what each has to offer in an effort to combat cyber criminal activity. For more information on the Electronic Crimes Task Forces please visit www.secretservice.gov/ectf.shtml. Cybercrime Initiative Resources FBI InfraGard • InfraGard is an information sharing forum between the FBI and the private sector. InfraGard operates more than 60 chapters that conduct local meetings pertinent to their area. Information about InfraGard may be obtained at www.infragard.org. Related Rules and Regulations • FDIC IT Exam Officers VM Guidance and Questionnaire • IT Examination Handbook Outsourcing Technology Services • Part of FFIEC IT Rating (URSIT) • Part 364-B FDIC Rule and Regulations • FFIEC IT Handbook (excel) THANK YOU Kris Buckley, President kmb@buckleytechgroup.com www.buckleytechgroup.com 781.258.0618