vISO
A well-structured approach to allow your institution to implement an ISO without overburdening existing staff
Three Major Concerns Keep Bank Executives Up at Night
[Chart: Primary Concerns of Bank Executives, showing the percentage of bankers concerned about each of three issues; ranked #1 Reputation, #2 Cybersecurity and IT, #3 Regulatory Compliance.]
Regulatory Compliance, Cybersecurity, and Reputation all can depend on the appropriate oversight and direction provided by the ISO function within your institution.
Risk Management Framework
Step 1: Categorize the information system
Step 2: Select security controls
Step 3: Implement security controls
Step 4: Assess security controls
Step 5: Authorize information systems*
Step 6: Monitor security controls
Nonpublic Private Data Protection
In 1999, the Gramm-Leach-Bliley Act (GLBA) was passed, in part to protect confidential customer information. After the events of 9/11, keeping private data secure became even more important. The Commerce Department’s NIST created a framework to help institutions protect private information. The NIST Cybersecurity Framework is widely considered to be the gold standard of compliance to government-set standards. Many banks say they agree that using the NIST framework as a baseline makes sense. (BankInfo Security)
*Source: NIST Special Publication 800-53 r4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
Protection for All
Regulatory policies set by the GLBA and the FFIEC are there to protect banks as well as consumers.
“The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information.” — FTC, Gramm-Leach-Bliley (GLB) Act
“Institutions of all sizes may outsource various aspects of the analysis and response function, such as activity monitoring.” — FFIEC Information Security IT Handbook, Page 83
Adhering to a rule set such as the GLB Safeguards Rule is of the utmost importance: officers and directors can be held personally liable for civil penalties of up to $10,000 per violation, and the financial institution can be held liable for penalties of up to $100,000 per violation. Criminal penalties include imprisonment for up to five years and fines.
The FFIEC guidelines also call for security program monitoring and management to be separate from IT. Though it’s important that security monitoring works with IT so that the two functions can share information with each other, having security monitoring only within IT does not ensure proper safeguards.
The FFIEC’s Cybersecurity Assessment Tool was mapped to the NIST Cybersecurity Framework to help institutions identify their risks and determine their cybersecurity preparedness.
The FFIEC Updates and What They Mean
In November 2015, the FFIEC updated their Information Technology Information Handbook [for Management]. The updates address several new recommendations for bank management:
• “Review and approve an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity.”
• “Oversee the adequacy and allocation of IT resources.”
• “Hold management accountable for identifying, measuring and mitigating IT risks.”
• Most importantly, the IT Information Handbook calls for “independent, comprehensive and effective audit coverage of IT controls,” and further states that “the board may delegate the design, implementation and monitoring of specific IT activities.” This is where having an ISO is extremely valuable.
FFIEC IT Regulatory Exams Are Growing Increasingly Technical.
All Covered’s Finance Practice has successfully assisted in FFIEC regulatory exams for over thirty years. Since the inception of GLBA, financial institutions have faced increased scrutiny of their mitigating controls. All Covered has seen IT audits and FFIEC exams prove challenging for community financial institutions due to their ever-increasing compliance requirements.
Exam topics by year:
2013 / 2014: Data Classification, Business Continuity, IT Risk Assessment, Log Archiving, BYOD, DDoS Preparedness, Vendor Management, Cybersecurity, Ongoing VA Scanning, SIEM
2015: Information Security Officer, NIST Cybersecurity Framework, FFIEC Cybersecurity Assessment Tool, Cyber-Preparedness, Cyber-Resiliency, Incident Response Testing
FFIEC IT Regulatory Exams Are Driven by Experience.
In 2013, Superstorm Sandy made disaster recovery a major issue. In 2014, the massive data breaches at major companies such as Target and Chase impacted not just the business community, but also the consumers they served; in both cases the companies’ reputations were marred. We also saw vulnerabilities such as Shellshock, Heartbleed and POODLE prove that vulnerability scanning needed to be persistent, consistent and ongoing. In 2015, we saw threats like CryptoLocker require more than just action after the fact: they also require the education and training to be cyber prepared.
Let our experience help educate and inform your institution so that you’re not left in the dust during your next FFIEC exam.
Staying Up to Par With Cybersecurity Presents Many Challenges.
We’ve already mentioned that the Information Security Officer role not only faces the challenge of interfacing with IT but also must first be established within the institution. This is just one of several challenges facing financial institutions. The FFIEC Information Technology Information Handbook puts it best:
“While the board may delegate the design, implementation and monitoring of certain IT activities to the steering committee, the board remains responsible for overseeing IT activities.”
The board’s responsibility makes it necessary to address the function of the ISO within the financial institution. However, along with the challenge of remaining responsible, another large challenge presents itself: the average ISO salary is $193,351 (salary.com).
All Covered aims to help reduce the expense of hiring an ISO and the challenges presented in looking for the right ISO for an institution.
ISO the Right Way
The ISO has many key functions within an institution. The right ISO must:
• Implement and maintain a cost-effective, right-sized and scalable Information Security Program. An ISO must work within budgetary constraints to implement the right solutions based on the risk tolerance of the institution.
• Ensure your institution’s operations are in line with the risk strategy of the institution. Every bank and credit union is unique. Many factors determine how a bank decides to meet its regulatory requirements. The ISO must understand and accomplish this.
• Help you meet regulatory requirements right now! All Covered has successfully assisted financial institutions in addressing MRAs regarding information security for over thirty years.
Item #: VISOEB
4/16-I
KONICA MINOLTA BUSINESS SOLUTIONS U.S.A., INC.
100 Williams Drive, Ramsey, New Jersey 07446
CountOnKonicaMinolta.com
© 2016 KONICA MINOLTA BUSINESS SOLUTIONS U.S.A., INC. All rights reserved. Reproduction in whole or in part without written permission is prohibited.
KONICA MINOLTA, the KONICA MINOLTA logo, Count on Konica Minolta, bizhub, PageScope, and Giving Shape to Ideas are registered trademarks or trademarks
of KONICA MINOLTA, INC. All other product and brand names are trademarks or registered trademarks of their respective companies or organizations.
All features and functions described here may not be available on some products. Design specifications are subject to change without notice.
The Right ISO Will Protect Both Your Financial Institution and the Community You Serve
Nearly 75% of financial institution executives have indicated that their institution’s reputation is the number one concern they have.
Finding the right ISO isn’t easy. All Covered’s Virtual ISO service can provide a cost-effective, right-sized and scalable Information Security Program to ensure your institution’s operations are in line with your risk strategy and meet regulatory requirements. This service has helped our clients stay increasingly competitive, while successfully maintaining regulatory compliance and implementing security measures to mitigate cyber threats.
If you want to learn more about All Covered’s Virtual ISO service, call us: 866-446-1133