
Information Security Management and Mortgage Systems



Presentation Transcript


    1. Information Security Management and Mortgage Systems

    2. Welcome to the Information Security Management and Mortgage Systems Update
       - Moderator: Dick Taylor, Software Development Director - MortgageServ, Fiserv Lending Solutions
       - Panelists: Craig Hughes, Vice President of Mortgage Consulting, CC Pace; Gregory Rondot, Consultant, CC Pace; Tony Wagner, Vice President Enterprise Information Security, Fremont Investment & Loan; Ed Neumann, Managing Director - Retail Banking, CC Pace

    3. Presented by: Craig Hughes

    4. Presented by: Gregory A. Rondot, CISSP-ISSAP

    5. Introduction

    6. Traditional ISMS

    7. Organization

    8. Issues

    9. Environment Changes…

    10. Tectonic Shift

    11. How Do We Comply?

    12. Seven Tenets of Compliance

    13. Seven Tenets of Compliance

    14. Enterprise Information Security Scope

    15. EIS Objectives

    16. Enterprise Information Security Group

    17. Typical Areas of Concern

    18. Leveraging Efforts

    19. Requirement Overlap

    20. ISO 27000

    21. ISO 27000 Standards

    22. Implementation

    23. Summary

    24.

    25. Introduction
       - Tony Wagner, Vice President, Enterprise Information Security (EIS), Fremont Investment & Loan (FIL), Brea, California
       - Certified Information Systems Auditor
       - 14 years at FIL (Enter growth numbers: 10 years, 5 years, today)
       - 3 years in Information Security; responsible for launching EIS; includes Business Continuity Planning
       - 1 year under IT, 2 years under Risk Management

    26.

    27. Our Purpose
       - Create risk awareness across the Company
       - Protect the Company from public embarrassment
       - Protect the Company from catastrophic events
       - Employee safety
       - Increase shareholder and customer confidence
       - Increase regulator confidence
       - Comply with laws and regulations

    28.

    29. History
       - EIS began in the IT department; the CIO’s vision
       - He said, “If we did this thing right, you’ll be reporting to the Chief Risk Officer in 18-36 months.”
       - EIS was moved under the Chief Risk Officer 8 months later
       - Challenges reporting to IT: scope, visibility, credibility, prioritization

    30.

    31. Benefits
       - Board of Directors and Audit Committee involvement
       - Greater leverage getting mitigation underway
       - Independence from competing C-level objectives
       - Regulators understand the model and like it!

    32. What Makes it Work?
       - CEO and COO endorsement
       - Understanding YOUR risks; focusing your efforts there
       - Succinct policies; leave the procedures to the business and support units
       - Integrating risk assessment into projects; avoiding bolt-ons
       - Frequent communication with senior and business unit management
       - Alignment with security and compliance efforts across the enterprise
       - The right people in the right place: Business Information Security Officers (new)
       - Risk assessment, risk assessment, risk assessment
       - Establishing enterprise plans

    33. Written Plans – Reviewed and approved by the Board of Directors
       - Information Security Program
       - Unauthorized Access Response Plan
       - Enterprise Risk Assessment
       - Business Impact Assessment
       - Annual Operating Plan

    34. Challenges
       - Convincing the organization that you aren’t IT Security
       - Convincing employees that security is indeed their job
       - Relating regulations and laws to people’s jobs
       - Getting aligned with the business units
       - Defining “information” for the organization
       - Sorting out information ownership and custodianship
       - Adoption of standards
       - Integrating risk assessment into projects
       - Ownership of mitigation projects

    35. Separating Fact From Fiction: Complying With the FFIEC’s Authentication in an Internet Banking Environment

    36. TODAY’S BRIEFING
       - Online banking today and tomorrow
       - FFIEC mandate
       - Business problems
       - FFIEC Guidance
       - Authentication factors
       - Compliance schedule
       - Risk Assessments
       - Objectives
       - Assessment Process
       - Methodologies
       - Summary
       - Question & Answer

    37. Who is the FFIEC?

    38. Online Banking Today and Tomorrow
       - Online Banking is essential to modern retail banking:
       - Lowers costs
       - Levels playing field / retains customers
       - Prevents and detects fraud

    39. Concerns Are Affecting Online Financial Behavior: “Concern about phishing has caused me to…”

    40. FFIEC Internet Banking: Objectives
       - Increase confidence in the US banking system, specifically online banking activities
       - Reduce identity theft and fraud incidents/losses
       - Enhance confidentiality of customer information
       - Reduce systemic risk
       - Push financial institutions toward improved self-regulation

    41. Unanswered questions raised by the Guidance
       - Risk reduction and mitigation: What are the best practices, policies/tools? What forms of authentication are best?
       - Risk transference: Will insurance policies protect against losses?
       - Risk acceptance: How much risk is acceptable?
       - Risk avoidance: How can information be protected? Who is responsible?

    42. FFIEC Online Banking Guidance: Major Statements
       - Customer awareness/education emphasized as first line of defense
       - Single-factor authentication inadequate for high-risk transactions
       - Multi-factor authentication or a layered approach mandated for high-risk transactions

    43. FFIEC Online Banking Guidance: Major Statements (continued)
       - Risk assessments required as basis for authentication strategy
       - Must be in addition to any other FFIEC information system security risk assessment
       - Board-level involvement & approval required – not the responsibility of IT or vendors

    44. Authentication Factors: FFIEC recognized authentication factors
       - Something I know: password, username, challenge questions; pattern or object identification
       - Something I have: key fob/USB key that plugs into a computer (RSA SecurID); software/certificate that authenticates the user’s PC
       - Something I am: biometrics (fingerprint, retina scan, palm print)
       - Not recognized as an authentication factor: where I am (user’s geo-location)

    45. Layered Approach vs. Second Factor

    46. Two Factor Authentication
       - Benefits: more reliable / stronger user authentication; more resistant to “phishing”; enhances fraud protection; reduces identity theft
       - Constraints: higher cost; consumer education and adoption; false rejections can lead to consumer dissatisfaction
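Added example, not code from the presentation or from CC Pace: a small policy evaluator that applies the factor rules of slides 42 to 46. It counts only distinct FFIEC factor categories (so a password plus a challenge question is still single-factor), treats geo-location as a layered control rather than a factor, and requires either two categories or one factor plus a layered control for a high-risk transaction. The credential names, control names, transaction types and the 1000 USD threshold are constructed assumptions; the guidance itself leaves the risk thresholds to each institution's risk assessment.

```python
from dataclasses import dataclass, field
from enum import Enum

class Factor(Enum):
    KNOW = "something I know"
    HAVE = "something I have"
    AM = "something I am"

# Hypothetical credential names mapped to the FFIEC-recognized category each falls in.
# Geolocation is deliberately absent: "where I am" is not a recognized factor.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "challenge_question": Factor.KNOW,
    "image_pattern": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "pc_certificate": Factor.HAVE,
    "fingerprint": Factor.AM,
}
# Layered controls (assumed names) that add defense but do not count as a factor.
LAYERED_CONTROLS = {"geolocation", "transaction_monitoring"}
HIGH_RISK_TYPES = {"external_transfer", "new_payee"}  # constructed risk categories

@dataclass
class AuthAttempt:
    credentials: list
    controls: set = field(default_factory=set)

def distinct_factors(attempt):
    """Categories actually covered: two 'know' credentials still count as one factor."""
    return {CREDENTIAL_FACTOR[c] for c in attempt.credentials if c in CREDENTIAL_FACTOR}

def is_high_risk(txn_type, amount_usd, threshold_usd=1000.0):
    # Placeholder risk rule: the guidance requires a risk assessment but sets no threshold.
    return txn_type in HIGH_RISK_TYPES or amount_usd >= threshold_usd

def authentication_decision(attempt, txn_type, amount_usd):
    """Return (allowed, reason). Low-risk: one factor suffices. High-risk: two distinct
    factor categories, or one factor plus at least one layered control."""
    factors = distinct_factors(attempt)
    if not factors:
        return False, "no recognized authentication factor presented"
    if not is_high_risk(txn_type, amount_usd):
        return True, "low-risk transaction: single factor acceptable"
    if len(factors) >= 2:
        return True, "multi-factor: " + ", ".join(sorted(f.value for f in factors))
    layers = attempt.controls & LAYERED_CONTROLS
    if layers:
        return True, "layered approach: single factor plus " + ", ".join(sorted(layers))
    return False, "single factor inadequate for high-risk transaction"
```

The rejection reasons are what an examiner would expect to see logged: a single-category login on an external transfer is refused even when two "something I know" credentials were presented.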

    47. FFIEC Mandated Schedule
       - NEW online banking risk assessment due year end of 2006
       - Examinations will include evaluation of assessment and corresponding mitigation plans
       - FDIC and OCC have stated that lack of a clear mitigation plan will be deemed unacceptable
       - Compliance failure could be a material event: cease and desist, halt online services, fines, etc.
       - Future?

    48. Thank You! CC Pace, 4100 Monument Corner Drive, Suite 400, Fairfax, Virginia; www.ccpace.com; 703.631.6600

    49. Thank You for Your Attention Questions for the panel?
