1. Constitution Corporate Economic & Technology Forum 2007 - Information Security
2. Critical Components of your Information Security Program and Policies
3. Related Regulations
4. 12 CFR 748 and 749
Section A: Part 748 - Security Program
Section B: Part 748 Appendix A - Safeguarding Member Information (GLBA)
Section C: Part 748 Appendix B - Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice
Part 749 - Records Preservation Program
5. Four Areas to focus on when developing and maintaining a Security program
Information Security Risk Assessment
Information Security Strategy Development
Security Controls Implementation
Security Monitoring & Updating
6. I. Information Security Risk Assessment
The risk assessment process must cover every area that creates a business risk or a risk to member information.
Risk assessments review not only the internal handling of business processes but also every vendor involved in those processes.
7. I. Types of Risk Assessments
Information Security/Internal Control Reviews
GLBA
Network Security
8. Key Steps of Risk Assessments
Information Gathering
Analysis
Reporting and Response
9. Information Gathering
Technical Information
Network Diagrams
Hardware and Software Inventories
Database and files containing membership data (both in-house and outsourced)
10. Information Gathering
Non-Technical
Policies, Procedures and Standards addressing:
physical security
personnel security
vendor contracts
personnel security training
11. Analysis
Classify and Rank Sensitive Data
Assess Threats and Vulnerabilities
Evaluate Existing Controls for Effectiveness
12. Analysis
Classify and Rank Sensitive Data
Rank by sensitivity and by the volume of member information involved.
Sensitive or non-sensitive, with sensitive data tiered as:
Confidential
Internal use
Restricted
13. Analysis
Assess Threats and Vulnerabilities
Internal - e.g. an employee loses a flash drive holding member data
External - e.g. member data intercepted in transit because it was sent by unencrypted email
14. Analysis
Evaluate Existing Controls for Effectiveness
Physical and logical controls
15. Reporting and Response
Risk Rating
High, Medium or Low
The rating reflects both the level of exposure (impact if the data is compromised) and the likelihood of the threat
Identify and separate the risks the credit union is willing to accept from those that must be mitigated
Ensure the board is involved in deciding which risks are accepted
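The three analysis steps above (classify data, assess threats against existing controls, rate and segregate) are easy to state and easy to do inconsistently. The following is an added worked example, not material from the presentation or from 12 CFR 748, that carries a small risk register through those steps. The numeric impact and likelihood scales, the rating thresholds, the board-approved acceptance level, and the sample assets, threats and control-effectiveness figures are all constructed assumptions for illustration.

```python
"""Risk assessment worked example: classify data, rate threats against
existing controls, and split the result into accepted vs. mitigate.

Added example for this page; the scoring scale and the sample assets,
threats and control effectiveness values below are constructed
assumptions, not figures from the presentation or from 12 CFR 748.
"""
from dataclasses import dataclass

# Data classification tiers from the slide; the numeric impact weights
# are an assumption of this example (higher = more damaging if exposed).
IMPACT = {"Internal use": 1, "Confidential": 2, "Restricted": 3}

# Likelihood scale, 1 (rare) to 3 (expected); also an assumed scale.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    asset: str                    # system or file holding member data
    classification: str           # tier from IMPACT
    threat: str                   # e.g. "employee loses flash drive"
    likelihood: str               # key into LIKELIHOOD
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective)
    owner: str = "internal"       # "internal" or the vendor that holds the data


def inherent_score(f: Finding) -> int:
    """Impact x likelihood before existing controls are considered (1..9)."""
    return IMPACT[f.classification] * LIKELIHOOD[f.likelihood]


def residual_score(f: Finding) -> float:
    """Inherent score reduced by how much existing controls cut the exposure."""
    return inherent_score(f) * (1.0 - f.control_effectiveness)


def rating(score: float) -> str:
    """Map a residual score onto the High/Medium/Low rating the slide uses.
    The thresholds are an assumption of this example."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def segregate(findings, accept_at_or_below="Low"):
    """Split findings into those the credit union accepts and those that must
    be mitigated. accept_at_or_below is the board-approved risk appetite."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    limit = order[accept_at_or_below]
    accepted, mitigate = [], []
    for f in findings:
        r = rating(residual_score(f))
        (accepted if order[r] <= limit else mitigate).append((f, r))
    # Highest residual risk first, so the report leads with what matters.
    mitigate.sort(key=lambda fr: residual_score(fr[0]), reverse=True)
    return accepted, mitigate


# Constructed sample register covering both in-house and vendor-held data.
SAMPLE = [
    Finding("member loan files (USB export)", "Restricted",
            "employee loses unencrypted flash drive", "medium", 0.0),
    Finding("statement e-mail to members", "Confidential",
            "intercepted in transit, no encryption", "high", 0.25),
    Finding("core banking DB (vendor-hosted)", "Restricted",
            "vendor admin misuse", "low", 0.8, owner="CoreVendorCo"),
    Finding("branch rate sheets", "Internal use",
            "accidental public disclosure", "medium", 0.5),
]

if __name__ == "__main__":
    accepted, mitigate = segregate(SAMPLE)
    print("MITIGATE:")
    for f, r in mitigate:
        print(f"  [{r}] {f.asset} <- {f.threat} "
              f"(owner: {f.owner}, residual {residual_score(f):.1f})")
    print("ACCEPTED (board sign-off required):")
    for f, r in accepted:
        print(f"  [{r}] {f.asset} <- {f.threat}")
```

The split between accepted and mitigated risk is driven by one explicit parameter, the acceptance level, so the board's decision is recorded in the assessment itself rather than implied by whichever findings happened to be left off the remediation list. Vendor-held assets are scored by the same rule as in-house ones; only the owner field differs, which is what makes the vendor exposure visible in the report.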
16. II. Information Security Strategy Development
Prevention
Detection
Response
17. II. Information Security Strategy Development
Develop security strategies that limit access and limit the ability to perform unauthorized actions
Least privilege: grant each role only the permissions its duties require
18. Prevention
Identify and document all user access controls
Implement a formal access authorization and termination process
Segregate network and physical access by job responsibility
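A formal authorization and termination process is only as good as the periodic review that checks it worked. The following is an added example, not code from the presentation or from any credit union system, that reconciles enabled accounts against the HR roster and a role-to-entitlement matrix: it flags accounts still enabled after termination (or with no HR record at all) and entitlements a user holds beyond what their job responsibility authorizes. The roles, entitlement names, roster and account list are constructed sample data.

```python
"""Access review worked example: reconcile system accounts against the HR
roster and the role-to-entitlement matrix, flagging (a) accounts left
enabled after termination and (b) entitlements outside the holder's job.

Added example for this page; the roster, role matrix and account list are
constructed sample data, not from the presentation or any real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role-based entitlement matrix: what each job is authorized to hold.
# Segregating access by job responsibility means anything outside this
# set for a user's role is a finding. (Roles and entitlements are assumed.)
ROLE_ENTITLEMENTS = {
    "teller":       {"core:member-lookup", "core:deposit", "door:lobby"},
    "loan_officer": {"core:member-lookup", "core:loan-origination",
                     "door:lobby", "door:back-office"},
    "it_admin":     {"core:member-lookup", "ad:domain-admin",
                     "door:lobby", "door:server-room"},
}


@dataclass(frozen=True)
class Employee:
    user: str
    role: str
    terminated: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    user: str
    entitlement: str
    enabled: bool


def review(roster, accounts, as_of):
    """Return (orphaned, excess).
    orphaned: enabled accounts whose user has no roster entry or whose
              termination date is on or before as_of (termination failed);
    excess:   (user, role, entitlement) not granted by the user's role."""
    by_user = {e.user: e for e in roster}
    orphaned, excess = [], []
    for a in accounts:
        if not a.enabled:
            continue                      # already revoked; nothing to flag
        emp = by_user.get(a.user)
        if emp is None or (emp.terminated is not None and emp.terminated <= as_of):
            orphaned.append(a)
            continue
        if a.entitlement not in ROLE_ENTITLEMENTS.get(emp.role, set()):
            excess.append((a.user, emp.role, a.entitlement))
    return orphaned, excess


# Constructed sample data. mgarcia has given notice but is still employed
# on the review date, so their access is legitimately still enabled.
AS_OF = date(2007, 4, 1)
ROSTER = [
    Employee("jdoe",    "teller",       None),
    Employee("asmith",  "loan_officer", None),
    Employee("bwong",   "it_admin",     None),
    Employee("rlee",    "teller",       date(2007, 3, 15)),  # left the credit union
    Employee("mgarcia", "teller",       date(2007, 5, 1)),   # future termination
]
ACCOUNTS = [
    Account("jdoe",    "core:member-lookup",    True),
    Account("jdoe",    "core:deposit",          True),
    Account("jdoe",    "core:loan-origination", True),   # moved from lending, never revoked
    Account("asmith",  "core:loan-origination", True),
    Account("asmith",  "door:back-office",      True),
    Account("bwong",   "ad:domain-admin",       True),
    Account("rlee",    "core:member-lookup",    True),   # terminated, still enabled
    Account("rlee",    "door:lobby",            False),  # badge already disabled
    Account("mgarcia", "core:deposit",          True),
    Account("svc_old_vendor", "core:member-lookup", True),  # no HR record at all
]

if __name__ == "__main__":
    orphaned, excess = review(ROSTER, ACCOUNTS, AS_OF)
    for a in orphaned:
        print(f"ORPHANED  {a.user:16s} {a.entitlement}")
    for user, role, ent in excess:
        print(f"EXCESS    {user:16s} role={role} holds {ent}")
```

Both physical (door:*) and logical (core:*, ad:*) entitlements go through the same check, which is what the slide's "network and physical access by job responsibility" calls for. Accounts with no HR record at all, such as a leftover vendor service account, surface as orphaned rather than being silently skipped.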
19. Detection
Implement monitoring solutions for Internet, internal traffic, remote access, etc.
Ensure a formal, effective and realistic monitoring policy is in place
Ensure appropriate detection processes are in place for outsourced services as well
20. Response
Document response plans for:
Member incidents such as Identity Theft
Loss of membership data due to security breach internally or vendor related
Internet or firewall failure
21. III. Security Controls Implementation
Some policies/procedures that should come out of the strategy development and be implemented:
Password policies covering all areas: internal systems, remote access, websites, etc.
Internet and email usage policy, specifying the encryption requirements for emails and attachments
Access authorization and termination policies for employees and members
22. III. Security Controls Implementation (continued)
Membership information retention and disposal policies
Security Services document or flow chart
Risk Assessment procedure
23. IV. Security Process Monitoring and Updating
The change control process covers not only internal changes (employee moves, etc.) but also vendor changes such as product upgrades.
It is critical that the owner of the affected process be involved.
A risk assessment is performed for each change.
The IT department reviews the change against the existing infrastructure.
24. IV. Security Process Monitoring and Updating
Internal Audit process
Existing policies and procedures
Available reports from vendors
Document!
25. IV. Security Process Monitoring and Updating
Employee Security Awareness
Existing policies and procedures
Latest threats
26. IV. Security Process Monitoring and Updating
Monitoring of Internet/email for content and attachments
Physical access logs
Membership related access logs
Software logs/vulnerabilities
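Monitoring member-related access logs means more than collecting them; someone has to define what an abnormal pattern looks like and check for it. The following is an added example, not code from the presentation or from any core banking product, that parses constructed member-access log lines and raises two kinds of alert: a user viewing an unusually large number of distinct member records within a short window (bulk access), and any member record view outside business hours. The log format, the field names, the thresholds and the sample lines are all assumptions made for this illustration.

```python
"""Member-access log monitoring worked example: parse access-log lines and
flag (a) bulk record access, a user viewing many distinct member records
in a short window, and (b) member record access outside business hours.

Added example for this page. The log format, thresholds and the sample
lines are constructed for illustration; real core systems log differently.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> user=<id> action=<verb> member_id=<n> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"member_id=(?P<member>\d+) src=(?P<src>\S+)$"
)

# Detection thresholds (assumed for this example).
BULK_WINDOW = timedelta(minutes=10)
BULK_DISTINCT = 5          # alert when more than this many distinct members in the window
BUSINESS_HOURS = (8, 18)   # 08:00 inclusive .. 18:00 exclusive, local time


def parse(line):
    """Return a dict of fields, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None            # malformed lines are skipped, not fatal
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def detect(lines):
    """Return a list of (kind, user, detail) alerts. Lines are assumed to be
    in time order, as a tailed log would be."""
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (ts, member) inside the window
    bulk_alerted = set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] != "member_view":
            continue
        ts, user = ev["ts"], ev["user"]

        # (b) after-hours access to member data
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            alerts.append(("after_hours", user,
                           f"{ts.isoformat()} member {ev['member']}"))

        # (a) sliding window of distinct members viewed per user
        q = recent[user]
        q.append((ts, ev["member"]))
        while q and ts - q[0][0] > BULK_WINDOW:
            q.popleft()
        distinct = {mbr for _, mbr in q}
        if len(distinct) > BULK_DISTINCT and user not in bulk_alerted:
            bulk_alerted.add(user)   # one alert per user per burst, not per line
            alerts.append(("bulk_access", user,
                           f"{len(distinct)} members in {BULK_WINDOW}"))
    return alerts


# Constructed sample log: a normal teller day, one late-night lookup by a
# loan officer, then that officer paging through member records faster
# than any legitimate workflow would, plus one malformed line.
SAMPLE_LOG = [
    "2007-04-02T09:02:11 user=jdoe action=member_view member_id=100231 src=10.1.4.22",
    "2007-04-02T09:15:40 user=jdoe action=member_view member_id=100877 src=10.1.4.22",
    "2007-04-02T12:30:05 user=jdoe action=deposit member_id=100877 src=10.1.4.22",
    "2007-04-02T22:47:19 user=asmith action=member_view member_id=100102 src=10.1.7.9",
] + [
    f"2007-04-03T10:{i:02d}:00 user=asmith action=member_view member_id={200000 + i} src=10.1.7.9"
    for i in range(8)
] + ["this line is garbage and should be skipped"]

if __name__ == "__main__":
    for kind, user, detail in detect(SAMPLE_LOG):
        print(f"{kind:12s} {user:8s} {detail}")
```

The window is per user and counts distinct member records, so a teller repeatedly opening the same member during one transaction does not trip the bulk rule, while a sweep across unrelated records does. Each burst produces a single alert rather than one per line, which keeps the review queue readable; the malformed line is skipped so one bad record cannot stop the monitor.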
27. Regulatory Guidance
The National Institute of Standards and Technology (NIST) www.nist.gov
International Organization for Standardization (ISO) www.iso.org
Information Systems Audit and Control Association (ISACA) www.isaca.org
28. Summary of Areas
Information Security Risk Assessment
Information Security Strategy Development
Security Controls Implementation
Security Monitoring & Updating
29. THANK YOU
30. Buckley Technology Group
Kris Buckley, President
www.buckleytechgroup.com
781.258.0618