1. vISO
A well-structured approach to allow your institution to implement an ISO without overburdening existing staff.
2. Three Major Concerns Keep Bank Executives Up at Night
[Chart: Primary Concerns of Bank Executives (percentage of bankers concerned). #1 Reputation, #2 Cybersecurity and IT, #3 Regulatory Compliance.]
Regulatory compliance, cybersecurity and reputation can all depend on the appropriate oversight and direction provided by the ISO function within your institution.
3. Nonpublic Private Data Protection
In 1999, the Gramm-Leach-Bliley Act (GLBA) was passed, in part to protect confidential customer information. After the events of 9/11, keeping private data secure became even more important. NIST, part of the Commerce Department, created a framework to help institutions protect private information. The NIST Cybersecurity Framework is widely considered to be the gold standard of compliance with government-set standards, and many banks say they agree that using the NIST framework as a baseline makes sense. (BankInfo Security)
Risk Management Framework*
Step 1: Categorize the information system
Step 2: Select security controls
Step 3: Implement security controls
Step 4: Assess security controls
Step 5: Authorize information systems
Step 6: Monitor security controls
Note that the six-step Risk Management Framework shown here is NIST's RMF for federal systems (SP 800-53 r4 and SP 800-37); it is distinct from the NIST Cybersecurity Framework, whose core is five functions (Identify, Protect, Detect, Respond, Recover). Institutions comparing themselves against the FFIEC Cybersecurity Assessment Tool should expect its mapping to be to the latter.
*Source: NIST Special Publication 800-53 r4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
4. Protection for All
Regulatory policies set by the GLBA and the FFIEC are there to protect banks as well as consumers.
“The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information.”
— FTC, Gramm-Leach-Bliley (GLB) Act
“Institutions of all sizes may outsource various aspects of the analysis and response function, such as activity monitoring.”
— FFIEC IT Examination Handbook, Information Security booklet, page 83
Adhering to a rule set such as the GLB Safeguards Rule is of the utmost importance: officers and directors can be held personally liable for civil penalties of up to $10,000 per violation, and the financial institution for civil penalties of up to $100,000 per violation. Criminal penalties include fines and imprisonment for up to five years.
The FFIEC guidelines also call for security program monitoring and management to be separate from IT. Security monitoring must still work with IT so that the two functions can share information, but placing security monitoring solely within IT does not ensure proper safeguards, because the group that operates the systems would then be the only group checking them.
The FFIEC’s Cybersecurity Assessment Tool was mapped to the NIST Cybersecurity Framework to help institutions identify their risks and determine their cybersecurity preparedness.
5. The FFIEC Updates and What They Mean
In November 2015, the FFIEC updated the Management booklet of its Information Technology Examination Handbook. The updates address several new recommendations for bank management:
• “Review and approve an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity.”
• “Oversee the adequacy and allocation of IT resources.”
• “Hold management accountable for identifying, measuring and mitigating IT risks.”
• Most importantly, the Management booklet calls for “independent, comprehensive and effective audit coverage of IT controls,” and further states that “the board may delegate the design, implementation and monitoring of specific IT activities.” This is where having an ISO is extremely valuable.
6. FFIEC IT Regulatory Exams Are Growing Increasingly Technical.
All Covered’s Finance Practice has successfully assisted in FFIEC regulatory exams for over thirty years. Since the inception of GLBA, financial institutions have faced increased scrutiny of their mitigating controls. All Covered has seen IT audits and FFIEC exams prove challenging for community financial institutions because of their ever-increasing compliance requirements.
Exam focus areas by year:
2013 and 2014: Data Classification, Business Continuity, IT Risk Assessment, Log Archiving, BYOD, DDoS Preparedness, Vendor Management, Cybersecurity, Ongoing VA (vulnerability assessment) Scanning, SIEM
2015: Information Security Officer, NIST Cybersecurity Framework, FFIEC Cybersecurity Assessment Tool, Cyber-Preparedness, Cyber-Resiliency, Incident Response Testing
FFIEC IT Regulatory Exams Are Driven by Experience.
In 2013, the aftermath of Super Storm Sandy (October 2012) made disaster recovery a major issue. In 2014, the massive data breaches at major companies such as Target and Chase affected not just the business community but also the consumers they served, and in both cases the company’s reputation was marred. We also saw vulnerabilities such as Shellshock, Heartbleed and POODLE prove that vulnerability scanning needed to be persistent, consistent and ongoing. In 2015, threats like CryptoLocker-style ransomware required more than action after the fact: they required the education and training to be cyber-prepared.
Let our experience help educate and inform your institution so that you’re not left in the dust during your next FFIEC exam.
7. Staying Up to Par With Cybersecurity Presents Many Challenges.
We have already mentioned that the Information Security Officer role must be established and must interface with IT without being absorbed into it. This is just one of several challenges facing financial institutions. The FFIEC IT Examination Handbook puts it best:
“While the board may delegate the design, implementation and monitoring of certain IT activities to the steering committee, the board remains responsible for overseeing IT activities.”
The board’s responsibility makes it necessary to address the function of the ISO within the financial institution. Alongside the challenge of retaining that responsibility, another large challenge presents itself: the average ISO salary is $193,351 (salary.com).
All Covered aims to reduce the expense of hiring an ISO and the difficulty of finding the right ISO for an institution.
8. ISO the Right Way
The ISO has many key functions within an institution. The right ISO must:
• Implement and maintain a cost-effective, right-sized and scalable Information Security Program. An ISO must work within budgetary constraints to implement the right solutions based on the risk tolerance of the institution.
• Ensure your institution’s operations are in line with its risk strategy. Every bank and credit union is unique, and many factors determine how an institution decides to meet its regulatory requirements. The ISO must understand and accomplish this.
• Help you meet regulatory requirements right now. All Covered has successfully assisted financial institutions in addressing MRAs (Matters Requiring Attention) regarding information security for over thirty years.