370 likes | 377 Views
Understand and enhance vendor management risks with the GLBA Risk Assessment Report. Learn key areas for improvement and safeguard financial institution data.
E N D
GLBA & IS/IT Risk Assessments Presented by Kristina Buckley of Buckley Technology Group
Understanding New Vendor Management Risks and Key Areas for Improvement GLBA Risk Assessment Report GLBA Overview 1 2 3 GLBA Risk Matrix IS & IT Risk Assessments 4 Cybercrime Initiative 5
GLBA Program • Requires Financial Institution to ensure the security, confidentiality, and integrity of customer information. • The bank is required to develop and maintain a written program to assess, manage and control risks associated with customer non-public information. • Program must include the monitoring and review of appropriate audits and documentation. • Annual Report to board is required by GLBA. • Employee information should also be protected.
GLBA Program • Program should include incident response and security breach notification. • It is the bank’s regulatory requirement to notify customers of a security breach so it is critical the bank’s contract includes a security notification clause – 24 hours. • The program safeguards are intended to: • Insure the security and confidentiality of customer records and information; • Protect against any anticipated threats or hazards to the security or integrity of such records; and • Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
GLBA Risk Assessment Report Objectives of assessment are as follows: • Identify the services/business processes from the bank’s vendor management and BCP program that have a high NPI Risk level. For each of the business processes: • Identify the supporting systems involved and any associated input and output of data. • Identify the security controls in place for each identified supporting system. • Identify existing internal and external threats associated with each business process.
GLBA Risk Assessment Report Objectives of assessment are as follows: • Identify existing controls in place to mitigate risks. • Identify additional controls to be considered to mitigate risks. • Identify related vendors and their security practices associated with the business process.
GLBA Risk Assessment Report Document the Threat Level Rating Scale Used: • High: • Threat could lead to disclosure of customer information, significant impact to the reputation of the bank, significant financial loss, interrupt customer service for an unacceptable period of time, and not be in compliance. • Medium: • Threat could cause interruption or delay in service to customers, impact to the reputation of the bank, moderate financial loss for the bank. • Low: • Threat considered low given mitigating controls in place.
GLBA Risk Assessment Report Document the Threat Level Rating Scale Used:
GLBA Risk Assessment Report Document the Threat Level of Effort Scale Used: • High: • Changes or enhancements that are expected to involve significant incremental costs and/or require significant involvement by administrators and/or significant changes to end-users. • Medium: • Changes or enhancements that are expected to involve moderate incremental costs and/or require moderate involvement of administrators and little or no direct impact to end-users. • Low: • Changes or enhancements that are considered to be both low cost and to require moderate to low involvement by administrators and/or minimal to no impact to end-users.
GLBA Risk Assessment Report Document the Threat Level of Effort Scale Used:
GLBA Risk Assessment Report For each Business Process: • The vendor name • Associated business process with a high NPI risk rating • The owner • The assigned GLBA Risk Rating (High) • An assigned Level of Effort (High, Medium or Low as defined below) • A description of GLBA findings • An explanation of the risks associated with the finding/observation • Recommendations for further risk mitigation • Financial Institution’s Update (include possible mitigating controls)
GLBA Risk Assessment Report • Other components you may want to add to the table identified on previous screen depending upon the size and complexity of your financial institution. • Risk Areas • Risk Categories • Likelihood • Impact • Inherent Risk • Existing Mitigating Controls • Residual Risk
GLBA Risk Assessment Report • Report should document the total number of business processes within each Risk Level and the findings. • You will identify during the assessment a number of business processes that share vulnerabilities.
GLBA MatrixOption 2 For each Business Process:
GLBA Matrix Option 2: Questions you may want to add to Matrix: • External access points (employee and vendors). • Related applications. • Security controls for each application. • Regulator retention guidelines are met.
GLBA Matrix Option 2: Questions you may want to add to Matrix: • Network directories that may contain data. • Do the vendor employees have access to the NPI on their PC’s, laptop, etc. outside of the financial institution’s control? • Does vendor subcontract with third parties to perform any components related to NPI.
IT/IS Risk Assessment • An IT/IS risk assessment should be performed annually on high NPI risk vendors as part of GLBA. It should also be performed for any prospective vendor or changed relationship. • Business change • Product change • Controls are changed • Regulations are changed (even if your contract states they will remain in compliance)
IT/IS Risk Assessment • The Business Owner (Contract) is responsible for the Vendor and the Risk Assessment process however IT needs to get involved and be part of the formal process. Require business owners get IT’s sign-off. • Report and Matrix noted earlier can be used to document Risk Assessments
IT/IS Risk Assessment IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc): • Identify • All new hardware and software involved in product. Is this cloud based? • Is software and hardware compatible to Bank’s existing infrastructure? • Document expected network infrastructure to ensure it is truly compatible and to identify additional needs. • Document expected PC, laptop and device configuration.
IT/IS Risk Assessment IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc): • Identify • Any firewall, IDS, IPS changes? • New servers (traditional or virtual). • New licensing requirements. • New telecommunication needs.
IT/IS Risk Assessment IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc): • Identify • Wireless required or being introduced? • Remote access rights and encryption required. • Who is responsible for patch maintenance for items above?
Risk AssessmentWebsite Hosting Some Questions to consider: • Does the vendor provide hosting to other financial institutions? • Are they aware of the related regulatory guidance? • What can they provide you for Security Documentation? SSAE16? • What can they provide you for Pen Testing and Monitoring? • Objective third party and frequency
Risk AssessmentWebsite Hosting Some Questions to consider: • Application design and known vulnerabilities? (open source) • Security Breach notification procedures (in contract) • Website hosting infrastructure • Private or public server • Remote Access
Risk AssessmentWebsite Hosting Some Questions to consider: • Business Continuity • Outside of your region • Redundancy • Backup policy
Monitoring • Review all due diligence documentation. Question if reports are not being updated at a minimum of every two years • Review of Penetration Test results • If they are regulated ensure you are reviewing audit reports.
Documentation Red Flags Be cautious if you run into any of the following during Risk Assessment or Documentation review: • IS Policies are not based on any accepted security standard (ISO27001) • No formal training and security awareness program noted for employees and subcontractors • Encryption does not exist on vendor employee laptops
Documentation Red Flags • Can’t provide PEN tests (S/B at a minimum annual) • Weak remote access standards • Weak BCP/DR Plan • Weak data media handling, retention, disposal and return practices • Difficulty providing the overall material
Cybercrime InitiativeResources www.fsisac.com. • The FS-ISAC is a member-owned, nonprofit and private financial sector initiative. Its primary function is to share timely, relevant, and actionable physical and cyber security threat and incident information to enhance the ability of the financial services sector to prepare for, respond to, and mitigate the risk associated with these threats. • Both the U.S. Department of Treasury and the U.S. Department of Homeland Security rely on the FS-ISAC to disseminate critical information to the financial services sector in times of crisis.
Cybercrime InitiativeResources • Members receive timely notification and authoritative information specifically designed to help protect critical systems and assets from physical and cyber security threats. • Provides an anonymous information-sharing capability across the entire financial services industry that enables institutions to exchange information regarding physical and cyber security threats, as well as vulnerabilities, incidents, and potential protective measures and practices.
Cybercrime InitiativeResources United States Computer Emergency Readiness Team (US-CERT) • The Department of Homeland Security's US-CERT facilitates the coordination of cyber information sharing and provides cyber vulnerability and threat information through its national Cyber Awareness System. Financial institutions may learn more about US-CERT and subscribe to receive security alerts, tips and other updates through its website at www.us-cert.gov. Cyber Security Page 2
Cybercrime InitiativeResources U.S. Secret Service Electronic Crimes Task Force (ECTF) • The Electronic Crimes Task Force teams local, state and federal law enforcement personnel with prosecutors, private industry, and academia to maximize what each has to offer in an effort to combat cyber criminal activity. For more information on the Electronic Crimes Task Forces please visit www.secretservice.gov/ectf.shtml.
Cybercrime InitiativeResources FBI InfraGard • InfraGard is an information sharing forum between the FBI and the private sector. InfraGard operates more than 60 chapters that conduct local meetings pertinent to their area. Information about InfraGard may be obtained at www.infragard.org.
Related Rules and Regulations • FDIC IT Exam Officers VM Guidance and Questionnaire • IT Examination Handbook Outsourcing Technology Services • Part of FFIEC IT Rating (URSIT) • Part 364-B FDIC Rule and Regulations • FFIEC IT Handbook (excel)
THANK YOU Kris Buckley, President kmb@buckleytechgroup.com www.buckleytechgroup.com 781.258.0618