Office Of Examination & Insurance FFIEC Cybersecurity Assessment Tool

Transcription

FFIEC Cybersecurity Assessment Tool
Tim Segerson, Deputy Director, Office of Examination & Insurance
Carolinas League, March 30, 2016

Agenda
- Background – Why Now
- Tool Overview
- Mechanics of the Tool
- Uses and Benefits
- Next Steps for NCUA

Continuing saga of lost sensitive data
- Every event enhances criminals' ability to cross-reference data
- Cyber risk management is a volatile and fluid environment

Year of the Data Breach – A Moving "Target"
Some dubbed 2013 the year of the data breach after the Target breach.
Then came 2014:
- Home Depot: POS system compromise allowed breach of 56 million payment card numbers and 53 million email addresses.
- JPMorgan Chase: Hack affecting more than 50% of all households in the United States; personal information of 76 million households and 7 million businesses compromised.
- iCloud: Hackers leaked private images of many famous celebrities.
- Sony Pictures: Hackers stole intellectual, corporate, and personal information from Sony Pictures' computer networks in retaliation for the movie "The Interview."
Then came 2015 (YTD):
- Anthem: 80 million insured
- Premera Blue Cross: 11 million insured
- OPM: over 20 million federal employees
- Hacking Team

Congressional Scrutiny

Important on Multiple Levels
- Consumers – Trust in institutions is critical for it all to work
- Employees/Officials – A credit union's most valuable asset may be targets.
- Organization – Integrity and reputation of your business is essential for success.
- Industry – CU links in critical financial system chain

Critical Infrastructure Overview
US Critical Infrastructure sectors and lead agencies:
- Chemical – DHS
- Commercial Facilities – DHS
- Defense Industrial Base – DOD
- Food & Agriculture – DHS & DOA & HHS
- Communications – DHS
- Emergency Services – DHS
- Government Facilities – DHS & GSA
- Critical Manufacturing – DHS
- Energy – DOE
- Healthcare & Public Health – HHS
- Transportation Systems – DHS & DOT
- Dams – DHS
- Financial Services – Treasury
- Information Technology – DHS
- Nuclear Reactors, Materials, Waste – DHS
- Water and Wastewater Systems – EPA
FBIIC Participation:
- American Council of State Savings Supervisors
- Federal Reserve Bank of New York
- Federal Reserve Board
- State Liaison Committee
- National Association of Insurance Commissioners
- Consumer Financial Protection Bureau
- National Association of State Credit Union Supervisors
- Department of the Treasury
- National Credit Union Administration
- Farm Credit Administration
- North American Securities Administrators Association
- Federal Deposit Insurance Corporation
- Office of the Comptroller of the Currency
- Federal Housing Finance Agency
- Securities and Exchange Commission
- Federal Reserve Bank of Chicago
- Securities Investor Protection Corporation
- Commodity Futures Trading Commission
Legend: FBIIC Chair; FFIEC Members; FFIEC TFOS / CCIWG; Other FBIIC Members; Ongoing Cyber Security Initiative
Cyber security is a key subset of the critical infrastructure for most sectors.

The FFIEC Response
Cybersecurity and Critical Infrastructure Working Group (CCIWG)
- Permanent FFIEC working group established in June 2013 to address cybersecurity
- Coordinates enhanced cybersecurity efforts across FFIEC agencies

Cybersecurity Assessment History
- June 2013: FFIEC CCIWG established
- June 2014: FFIEC pilots Cybersecurity Assessment exam work program
  – Informed Strategic Vision/Objectives (http://www.ffiec.gov/press/pr031715.htm)
  – Observations Report issued (http://www.ffiec.gov/press/pr110314.htm)
  – Target Statements and Guidance
  – 3rd Party Service Providers
- June 2015: CCIWG releases financial institution Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool: Objective
To help institutions identify their risks and determine their cybersecurity maturity.
The Assessment provides a repeatable and measurable process to inform management of their institution's risks and cybersecurity preparedness.

Other Source Guidance & Models
- U.K. Prudential Regulation Authority 2014 cybersecurity assessment
- Canada's Office of Superintendent of Financial Institutions 2013 cybersecurity assessment
- Department of Energy's Cybersecurity Capability Maturity Model Program (C2M2)
- Capability Maturity Model (CMM)
- Payment Card Industry Data Security Standard (PCI DSS)
- Many others including SEC, FINRA, and NY DFI

Strong Industry Foundation and Benchmark
Comprehensive with a relevant and cross-referenced foundation.
Inputs to the Cybersecurity Assessment Tool:
- Public & Industry Guidance and Models
- FFIEC IT Handbook and Guidance
- NIST Cybersecurity Framework
Outcome: Effective Cyber Risk Management
Common structure to:
- Communicate between Board and Management
- Communicate throughout the organization
- Communicate with service providers
- Identify strengths and weaknesses (gaps)
- Optimize your cybersecurity investment
- Evaluate existing and new products, services and vendors

Cyber Risk Management Practice
Enterprise Approach Toward Cyber Risk Management Program Development
[Chart: cyber risk vs. level of investment/effort, plotted against Organizational Risk Exposure from Lowest Risk to Highest Risk; regions labelled Higher Investment – Possible [illegible], Optimal, Under Investment – Too Much Risk for Measures Taken, and Highest Security]
Beyond minimum basic regulatory requirements and agency guidance, the risk management approach should scale to the credit union's level of risk exposure, appetite, complexity and perceived impact.

FFIEC Cybersecurity Assessment Tool
Consistent with the principles in:
- FFIEC Information Technology Examination Handbook (IT Handbook)
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Industry accepted cybersecurity practices

FFIEC Cybersecurity Assessment Tool: Supporting Materials
- User's Guide
- Overview for CEOs and Boards of Directors
- Appendix A: Mapping Baseline Statements to FFIEC IT Handbook
- Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework (CSF)
- Appendix C: Glossary

FFIEC Cybersecurity Assessment Tool
Consists of two parts:
- Part One: Inherent Risk Profile
- Part Two: Cybersecurity Maturity

FFIEC Cybersecurity Assessment Tool: Inherent Risk Profile Categories
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats

FFIEC Cybersecurity Assessment Tool: Inherent Risk Profile
Inherent risk: the type, volume, and complexity of operations and threats directed at the institution.

FFIEC Cybersecurity Assessment Tool: Inherent Risk Profile Excerpt
Category: Technologies and Connection Types
Risk levels, from lowest to highest: Least, Minimal, Moderate, Significant, Most

Activity, Service or Product: Total number of internet service provider (ISP) connections (including branch connections)
- Least: No connections
- Minimal: Minimal complexity (1–20 connections)
- Moderate: Moderate complexity (21–100 connections)
- Significant: Significant complexity (101–200 connections)
- Most: Substantial complexity (>200 connections)

Activity, Service or Product: Unsecured external connections, number of connections not users (e.g., file transfer protocol (FTP), Telnet, rlogin)
- Least: None
- Minimal: Few instances of unsecured connections (1–5)
- Moderate: Several instances of unsecured connections (6–10)
- Significant: Significant instances of unsecured connections (11–25)
- Most: Substantial instances of unsecured connections (>25)

FFIEC Cybersecurity Assessment Tool: Cybersecurity Maturity
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Response

FFIEC Cybersecurity Assessment Tool: Cybersecurity Maturity structure
Domains > Assessment Factors > Components > Declarative Statements

FFIEC Cybersecurity Assessment Tool: Domains and Assessment Factors
1. Cyber Risk Management & Oversight: Governance; Risk Management; Resources; Training and Culture
2. Threat Intelligence & Collaboration: Intelligence Sourcing; Monitoring and Analyzing; Information Sharing
3. Cybersecurity Controls: Preventative Controls; Detective Controls; Corrective Controls
4. External Dependency Management: Connections; Relationships Management
5. Cyber Incident Management & Resilience: Incident Resilience Planning and Strategy; Detection, Response and Mitigation; Escalation and Reporting

Cybersecurity Assessment Tool: Cybersecurity Maturity Excerpt
Domain 1: Cyber Risk Management and Oversight
Assessment Factor: Governance
Component: Oversight
Maturity Level: Baseline
Declarative Statements (each answered Y or N):
- Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs.
- Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts.
- Management provides a written report on the overall status of the information security and business continuity programs with the board or an appropriate committee of the board at least annually.
- Budgeting process includes information security related expenses and tools.
- Management considers the risks posed by other critical infrastructures (e.g., telecom, energy) to the institution.

FFIEC Cybersecurity Assessment Tool: Maturity
[Figure not transcribed]

Cybersecurity Maturity/Risk Relationship
[Chart: institutions plotted from Lowest Risk Institutions to Highest Risk Institutions against Lowest Maturity to Highest Maturity]

Determine Cybersecurity Investment
[Chart: Inherent Risk Profile against Cybersecurity Maturity Level for each domain; maturity levels shown: Baseline, Evolving, Intermediate, Advanced]

Additive Model Structure
Maturity levels, from the top of the pyramid down: INNOVATIVE, ADVANCED, INTERMEDIATE, EVOLVING, BASELINE
Example threat intelligence capabilities shown across the pyramid levels:
- Threat Analysis Team
- Investment in Transformational Threat Intelligence Technology
- Cyber Intelligence Model
- Multi-source Real-Time Threat Intelligence
- Threat Intel on Geopolitical Events
- Formal Threat Intelligence Program
- Collection Protocols
- Read-only repository
- Analyze Tactics, Perform Risk Mitigation
- Threat Info Source(s)
- Active Monitoring
- Enhance Risk Management
Items to review:
- List of threat intelligence resources (e.g. industry groups, consortiums, threat and vulnerability reporting services).
- Management reports on cyber intelligence.
- Verify FI has conducted interviews with vendors as needed.
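The two mechanics the deck walks through, scoring an Inherent Risk Profile row into the five risk levels (the excerpt table above) and climbing the additive maturity pyramid (this slide), can be put into a small scorer. The following is an added example written for this transcription; it is not code from NCUA, the FFIEC, or the Assessment Tool. The connection-count thresholds are the ones in the excerpt table. The additive rule implemented here (a level counts as attained only when every declarative statement at that level and at every lower level is answered Y, so the walk stops at the first unmet statement) is an assumption about what "additive" means, and the Evolving and Intermediate statements in the sample data are constructed placeholders rather than the tool's own text.

```python
"""Added example (not from the NCUA/FFIEC slides): score Inherent Risk Profile
rows and compute attained maturity under an assumed additive model."""

# Risk and maturity level names as used on the slides, lowest to highest.
RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Inclusive upper bound of each band for the first four risk levels, taken
# from the excerpt table; anything above the last bound is "Most".
ISP_CONNECTION_BANDS = [0, 20, 100, 200]        # 0 | 1-20 | 21-100 | 101-200 | >200
UNSECURED_CONNECTION_BANDS = [0, 5, 10, 25]     # 0 | 1-5  | 6-10   | 11-25   | >25


def risk_level(count, bands):
    """Map a non-negative count to a risk level using inclusive upper bounds."""
    if count < 0:
        raise ValueError("counts cannot be negative")
    for level, upper in zip(RISK_LEVELS, bands):
        if count <= upper:
            return level
    return RISK_LEVELS[-1]


def isp_connection_risk(n_connections):
    """Risk level for 'Total number of ISP connections (including branch connections)'."""
    return risk_level(n_connections, ISP_CONNECTION_BANDS)


def unsecured_connection_risk(n_connections):
    """Risk level for 'Unsecured external connections' (e.g. FTP, Telnet, rlogin),
    counting connections rather than users, as the table specifies."""
    return risk_level(n_connections, UNSECURED_CONNECTION_BANDS)


def attained_maturity(answers):
    """answers maps a maturity level to a list of (statement, answered_yes) pairs.

    Assumed additive rule: a level is attained only if every statement at that
    level and at every lower level is answered yes, so the walk up the pyramid
    stops at the first level with an unmet (or unassessed) statement.
    Returns (highest attained level or None, unmet statements at the level that
    blocked the climb).
    """
    attained = None
    for level in MATURITY_LEVELS:
        statements = answers.get(level, [])
        unmet = [text for text, yes in statements if not yes]
        if not statements or unmet:
            return attained, unmet
        attained = level
    return attained, []


def gap_to_target(attained, target):
    """How many maturity levels a domain is short of management's target state
    (step 4 of the assessment process); 0 when the target is already met."""
    attained_idx = -1 if attained is None else MATURITY_LEVELS.index(attained)
    return max(0, MATURITY_LEVELS.index(target) - attained_idx)


# Constructed sample answers for Domain 1, Governance / Oversight. The Baseline
# statements are the ones quoted on the maturity excerpt slide; the Evolving and
# Intermediate entries are placeholders, not the tool's text.
SAMPLE_ANSWERS = {
    "Baseline": [
        ("Designated members of management are held accountable by the board.", True),
        ("Management reports on the information security program at least annually.", True),
        ("Budgeting process includes information security related expenses and tools.", True),
        ("Management considers risks posed by other critical infrastructures.", True),
        ("Information security risks are discussed when prompted by visible events.", True),
    ],
    "Evolving": [
        ("Constructed Evolving statement A", True),
        ("Constructed Evolving statement B", False),   # the one gap
    ],
    "Intermediate": [
        ("Constructed Intermediate statement A", True),  # met, but cannot count
    ],
}


def sample_report(isp_connections=35, unsecured_connections=7, target="Intermediate"):
    """Score the constructed institution: two risk rows plus the maturity climb."""
    attained, unmet = attained_maturity(SAMPLE_ANSWERS)
    return {
        "isp_connection_risk": isp_connection_risk(isp_connections),
        "unsecured_connection_risk": unsecured_connection_risk(unsecured_connections),
        "attained_maturity": attained,
        "unmet_statements": unmet,
        "levels_short_of_target": gap_to_target(attained, target),
    }


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The point the additive model makes is visible in the sample: the Intermediate statement is answered Y, but because one Evolving statement is N the domain stays at Baseline, two levels short of an Intermediate target, and the unmet statement is exactly the item a plan to address gaps (step 5) would start from.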

Cyber Risk Management & Oversight
Cyber risk management and oversight addresses the board's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
Nine Components, 31 Baseline Statements:
- Strategy/Policy
- Audit
- Staffing
- IT Asset Management
- Risk Assessment
- Training
- Oversight
- Risk Management
- Culture

Threat Intelligence & Collaboration
Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
Three Components, 8 Baseline Statements:
- Threat Intelligence and Information
- Monitoring and Analyzing
- Information Sharing

Cybersecurity Controls
Ten Components, 51 Baseline Statements
- Preventative Controls: Prevent a threat from exploiting an associated weakness. May be physical (door locks, card access) or logical (firewalls, antivirus, website ...).
- Detective Controls: Identify the presence of a vulnerability or threat. Includes scanning for vulnerabilities, intrusion detection or prevention systems, log monitoring, independent vulnerability assessments or pen tests.
- Corrective Controls: Assist with recovering from unwanted occurrences or mitigate the effects of a threat being manifested. Includes patch management and timely resolution of penetration test findings.

External Dependency Management
External dependency management involves establishing and maintaining a comprehensive program to oversee external connections and third party relationships with access to the organization's technology assets and information.
Four Components, 16 Baseline Statements:
- Connections
- Contracts
- Due Diligence
- Ongoing Monitoring

Cyber Incident Management & Resilience
Cyber incident management includes establishing processes to identify and analyze cyber events, prioritize the organization's response to contain or mitigate, and escalate information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
Five Components, 17 Baseline Statements:
- Planning
- Detection
- Testing
- Response & Mitigation
- Escalation & Reporting

Assessment Process (a cycle, with Establish Risk Appetite at the center)
1. Identify Critical Functions & Vendors
2. Complete Inherent Risk Profile
3. Assess Maturity
4. Determine Target State
5. Develop Plan to Address Gaps
6. Allocate Resources
7. Adjust Program
8. Report Progress to Board

FFIEC Cybersecurity Assessment Tool
[Chart: Inherent Risk Levels against Cybersecurity Maturity Level for each domain; legible labels: ...ative, Elevated, Underinvestment]

Cyber Risk Mitigation Approaches
- Change risk profile (streamline risk)
- Increase cybersecurity investment (staff, infrastructure, services)
- Increase capital (accept the risk)
- Alternative risk management approaches
- Cyber insurance (insure what you can't control)
Most institutions will use most or all of these options in a combined risk management process.

FFIEC Cybersecurity Assessment Tool: Benefits to Institutions
- Identify risk drivers
- Assess level of preparedness
- Identify misalignments in risk
- Determine optimal enhancements to align
- Inform risk management strategies
- Understand risk with third parties and partners
- Measure and monitor progress
- Connect strategic with operational functions

Where do I start?
Strategic:
- Policies
  – Information Security
  – Incident Response
- Change your culture
- Resource commitment
- Training and awareness
- Robust reporting regime
- Focus greatest resources on detect, respond, recover
Operational:
- Risk assessment
- Inventory of systems
- Inventory of vendors: risk assess and establish oversight
- Properly configured and up to date security devices, software and firmware
- Aggressive patch management (updates)

NCUA Implementation Timeline
12 month Industry Implementation:
- National outreach efforts through 09/30/16
- No formal exam or evaluation using the tool until Q3 or Q4 2016
- Select webinars informing/training
12 month Exam Implementation:
- Staff Training
- Tool and Exam Aid Development
- Field Testing
- System Development

NCUA Support
Support: CUCybersecurity@ncua.gov

Helpful Web Resources
- ...ces.aspx
- www.whitehouse.gov/issues/technology
- www.ffiec.gov/cybersecurity.htm
- ...olicy/cybersecurity
- www.dhs.gov/topic/cybersecurity
- www.dhs.gov/stopthinkconnect
- www.fbi.gov/aboutus/investigate/cyber
- ....shtml
- www.secretservice.gov/ntac.shtml
- csrc.nist.gov
- www.fsisac.com
- www.isaca.org
- www.owasp.org
- www.sans.org
- www.cert.org

THANK YOU FOR ATTENDING!
