Professional Documents
Culture Documents
Fundamentals of Cybersecurity - NACUSO 4.4.2016
Fundamentals of Cybersecurity - NACUSO 4.4.2016
CE
Building a Solid
FFIEC Risk
Assessment
RISK Encryption
BASED
Cybersecurity
(DLP)
AUDIT
PROGRAM
CYBER
SECURITY
POLICY
Foundation
Change
Physical
Management
Security
Logical
(Computer)
Security
NACUSO Las Vegas
April 4, 2016
PLATINUM PARTNER
Your Presenter
Patrick Sickels, CU*Answers
Attorney in Michigan
Patrick Sickels Dave Wordhouse Jim Vilker Show case Jim Lawrence
Member
Overview
of ISACA W10
RSA Vendors 12.00 DR/BR and
Fundamentals CU*BASE Cybersecurity
Cybersecurity Fundamentals
GOVERNAN
CE
Fundamental Position of
CU*Answers is that Cybersecurity History
does not fundamentally alter the
requirements of protecting member
information.
When do you need a Cybersecurity Program? 03
Personally
Identifiable
Financial
Information of
History
Members Trade Secrets or
other Privileged
Information
from a
Financial
Institution
Source: gemalto
Credit Unions: Industry Stats 01
06
Fined $100,000
Cease and Desist Order
Firewall Run Sheets Respect
System Change& Best Network Run Sheets
Fix application release process
DR/BR Program System Change
Service
Controls for our FM200 Fire
Controls
Customers Suppression
On an annual basis, make sure the Board Minutes reflect that the
Respect & Best
Information Security (and Cybersecurity
Service for our
Policy) were approved by
the board. What else?
Customers
Governance
Reports of Reports of
Policy Internal and
Violations External Audit
HistoryExceptions
Reports of
Incident
Responses
Governance
Remember, it is
okay to fight
(especially
when it comes
to business)
Governance
“… a comprehensive written
information security program including
administrative, technical, and physical
safeguards appropriate to the nature and
scope of its activities“
Add the word Cybersecurity to your InfoSec Plan or even create a
brand new Cybersecurity Policy. Your Cybersecurity Policy can
state what your employees are responsible for.
Cyber InfoSec
Data Encryption 01
06
(DLP)
Change Controls
Segregation of Duties 01
06
of Duties
Terry Childs 01
06
of Duties
Was the only person with passwords, and the only person who
could support it (completely protective of his turf)
Notify
Firewall Run SheetsClients Respect
System Notify
Change & Best
Notify
Network Law
Run Sheets
Vendors
Service
Controls for our Enforcement
Customers
Business
Omega stayed in business but laid off 80 employees and lost $10 million in
sales
1. 7/30/96
2. F:
3. F:\LOGIN\LOGIN 12345
4. CD \PUBLIC
5. FIX.EXE /Y F:\*.*
6. PURGE F:\ /ALL
Vendor
We will not give an opinion on the quality of a particular carrier’s insurance. Our
recommendation is to ensure that your organization has a clear understanding of:
Payout triggers
Carrier control
Limitations
Deductibles
Knowledge
Information Security
Firewall Run Sheets Program for System
Credit Unions
Respect
Change (Word)
& Best Network Run Sheets
DR/BR Program Respect
System for&our
Change
Service
Controls Best FM200 Fire
Service
Acceptable Use Policy Template forControls
Credit for our
Unions
Customers (Word) Suppression
Customers
High Availability
Knowledge
Respect
System Change& Best Network Run Sheets
DR/BR Program Respect
System Change& Best
Service for our
Controls FM200 Fire
Service for our
Controls
Customers Suppression
http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf
Customers
High Availability
Knowledge
Cybersecurity Checklist 01
06
and
Best
Practices
Plain-language checklist
Usccu.us
Firewall Run Sheets Respect
System Change& Best Network Run Sheets
DR/BR Program Respect
System for&our
Change
Service
Controls Best FM200 Fire
Service for our
Controls
Customers Suppression
Customers
High Availability
Knowledge
Risk Matrix
Maturity Models
Maturity Models
First of all, the Maturity Model statements are not well correlated to the risks identified in the FFIEC
Inherent Risk Tool.
Second, there is a significant amount of arbitrariness in the ranking of the various Maturity levels.
(The FFIEC
requires that a financial institution meet all of the categories of one Maturity before moving on to the
next level). For example, to get to the “Advanced” Maturity of Oversight, an institution must be able
to answer affirmatively that “The budget process for requesting additional cybersecurity staff and
tools maps current resources and tools to the cybersecurity strategy.” This requirement is not well
thought out and does not seem to have a clear relationship to cybersecurity. Clarity of expected output
is missing in many of the Maturity ToolSystem
statements.
Respect
Change& Best Network Run Sheets
DR/BR Program Respect
System Change&
Service for our
Controls Best FM200 Fire
In addition, there are certain categories Controls
that do not appear
Service for ourat all to be relevant in the credit union
Suppression
Customers
space. Very few credit unions will be able to answer that “Supply chain risk is reviewed before the
Customers
acquisition of mission-critical information systems including system components.”
High Availability
FFIEC Risk
Maturity Models
Prevention strategies are still important but in 2016 the focus and
priorities will shift to breach acceptance strategies
Outsourcing authentication
Can outside experts make authentication decisions more accurately than we can?
Firewall
Will Run Sheets
members Respect
demand externalSystem Change& Best
authentication (cell phones, Network
google Run Sheets
authenticator,
DR/BR Program Respect
System Change& Best
Service for our
Controls FM200 Fire
etc.?) Service for our
Controls Suppression
Customers
How will internal/external authentication processes be layered/implemented?
Customers
High Availability
User Authentication Tactics: Your Network 01
06
When will we shift to sliding-scale risk based authentication for internal/network users?
Readily available systems can compromise 19 character passwords in less than 3 weeks
(low cost to attacker)
27% of US employees would sell their passwords for $1,000 or less (source:
Sailpoint.com survey)
Password strength is NOT improving (#1 password is still 123456 and #2 is password)
Firewall Run Sheets Respect
System Change& Best Network Run Sheets
DR/BR Program Respect
System Change& Best
Service for our
Controls FM200 Fire
What you will budget over the nextControls
3 years to implement
Service for our a tacticSuppression
to address this concern
Customers
Customers
High Availability
Breach Management: Refocus on the Endpoint 01
06
They will also target mobile devices in hopes they’ll find your PII there
Educate
Firewall Runusers
DR/BR Program on security
Sheets System best
Change&practices
Respect
Respect
System Change
Best
& Best
Service for our
Controls
Network Run Sheets
FM200 Fire
Service for our
Controls
Customers Suppression
Customers
High Availability
Pros and Cons of Cloud Computing 01
06
Pros Cons
Low start up costs Subscription based pricing means you’re
Automatic software upgrades never done paying
Ease of use Less flexibility
Ease of access – internet Security – lack of visibility into what’s
connection happening under the covers
Scalability – provided by cloud On site technology not eliminated – still
provider require some infrastructure
Security – cloud providers like
Microsoft take it seriously
Firewall Run Sheets Respect
System Change& Best Network Run Sheets
DR/BR Program Respect
System for&our
Change
Service
Controls Best FM200 Fire
Service for our
Controls
Customers Suppression
Customers
High Availability
GOVERN-
ANCE
FFIEC Risk
Assessment
RISK Encryption
BASED (DLP)
Questions?
AUDIT
PROGRAM
CYBER
SECURITY
POLICY
Change
Physical
Management
Security
Logical
(Computer)
Security