The document discusses critical controls that financial institutions should implement for security and safety. It emphasizes that security is an ongoing process as technology and business evolve daily. It outlines internal critical controls around data storage, transmission, system connections, access controls, and automated detection/remediation systems. The basics of critical controls include identifying what the company aims to protect, prioritizing issues, and automating controls where possible. Key aspects of the security lifecycle are to identify systems and people, continuously assess and monitor for modifications, and implement remediation and prevention measures.
1. Critical Controls for Safety and Soundness
Financial Institutions
8/4/2017, E Baker Law Firm PLLC
2. Critical Controls for Financial Institutions
Security and cyber-security are an ongoing, continuous process for financial institutions. There is no “one and done” security fix, since business and technology are constantly evolving. Employees, customers, vendors, products, services, software, and hardware all affect a company’s security posture on a day-to-day basis.
3. Internal Critical Controls – Why?
1. Where are your documents / data stored?
2. How are documents / data transmitted?
3. What is connected to your operating systems and networks?
4. Who has access, and to what?
5. What automated processes and systems are in place to continuously detect, remediate, and minimize losses?
6. Can your answers to the above be verified and demonstrated as effective?
4. The Basics of Critical Controls
Get Started:
▫ Clarify what your Company is trying to protect
▫ Review the gaps or deficiencies which have already been identified
▫ Prioritize your Company’s to do list
▫ Identify what can be automated (controls, monitoring and testing controls)
6. Identification & Inventory:
Identify
• People
▫ Employees
▫ 3rd Party Vendors
▫ Others
• Systems
▫ Hardware
▫ Software / 3rd party apps
▫ Network (Data Maps)
• Contracts & Reports
▫ 3rd Party Contracts
▫ Internal (Audit / Compliance)
▫ External (Regulators)
▫ Strategic Plan & Project Development
• Processes / Policies
▫ Enterprise Wide
▫ Departmental
▫ Industry specific
▫ Laws & Reg. Guidance
7. Assess & Monitor
Assess, Monitor & Re-assess
• Modifications
▫ New Employees
▫ New Products / Services
▫ New Vendors
▫ New Systems – hard/software
▫ New Processes / Policies
• Testing
▫ Penetration
▫ Vulnerability Scan
▫ Process Workflow
▫ Configuration (Network, Hardware, Software, Access Authority)
• Review
▫ Audit Findings
▫ Breaches / Losses
▫ Process Compliance
▫ 3rd Party Vendor Security / Access
▫ Performance Metrics
• Compliance
▫ Industry Standards
▫ Policy / Procedures
▫ Reg. Guidance
▫ Laws
8. Remediation & Prevention
Remediation (the same four branches as slide 7, with the same items under each: Modifications, Testing, Review, and Compliance)
9. Four Basic Principles
• Priorities
▫ What are the current critical security risks
▫ Add “good to have” later
• Implementation
▫ Take action (it doesn’t have to be the best or most complete, just get started)
▫ Develop specific, practical steps on implementation
▫ Assist those departments who are just starting as well as enhancing those which have identified controls in place
• Sustain and Maintain
▫ Create a team that will show up and advocate
▫ Create resources to assist in supporting and training
▫ Identify and address issues promptly
• Align and Integrate
▫ Complement and enhance co-existence with other existing processes
▫ Recognize that each department may need different controls given their specific product, service, risks
10. 20 Top Critical Security Controls
1. Inventory Devices (Hardware) - Authorized and Unauthorized – identify vulnerabilities, access, data map
2. Inventory Software - Authorized and Unauthorized – identify vulnerabilities to performance, access
3. Secure Configurations - Hardware and Software
4. Assess and Remediate – assess and re-assess identified vulnerabilities
5. Install Malware Defenses
6. Software – manage security lifecycle of software to prevent, detect and correct weaknesses
7. Wireless Access – monitor and control
8. Data Recovery Capability - establish, test and update
9. Training – develop, review, assess, identify and remediate gaps in security
10. Security Configuration of Network Devices - establish, implement and manage
11. Network Ports – limit and control
12. Administrative Privileges – control, document and keep updated
13. Boundary defenses – detect, prevent, correct transfer of information across networks
14. Audit Logs – maintain, monitor, analyze to detect, understand, prevent and recover from attack
15. Control access to critical assets on need to know/need to have basis
16. Account - monitor and control system and application accounts (creation, use, dormancy, termination)
17. Data protection – identify and monitor the processes and tools used to prevent, mitigate, and ensure
18. Incident response and management – develop and implement Incident Response Team & Plan
19. Secure Network Engineering – specify, design and build in features in all system operations
20. Test – simulate penetration and red team exercises to ensure knowledge and efficacy of tools & processes
Editor's notes
People: Identify what skill set exists for individuals responsible for security / controls. Identify who in each department and branch is responsible or manages security / controls. Identify who works on each operational system and has working knowledge of the risks associated with that system. Identify the policy and process makers who will clarify the roles and responsibilities of each employee related to security / controls (including successors for continuity).
Systems: Identify network connections (internal, external, remote); identify VLANs, subnets, IP addressing schemes, segmentation, security suite assets, gaps in security coverage, and single points of failure. Identify all physical locations of hardware assets (buildings, city, etc.). Identify points of entry and exit into network nodes. Identify and map the connections and locations of all data and how the data flows (transmitted, received, stored, deleted) between software systems, computers, mobile devices and network connections (datacenter, cloud). Ensure no application is installed without documentation. Document in a log: all hardware (desktops, laptops, phones, copier/scanners, shredders, printers) with model, serial number, type, quantity, age, warranty, location, contract (PO, lease), cost/depreciation; all software (title, type, version, license count, location (business unit, system), custom code, cloud solution or COTS solution, contract (PO, lease, license), warranty/service agreement, costs).
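The hardware/software log described above is only useful if it is checked against what is actually on the network; the gaps (an application installed without documentation, a host nobody logged, a license count exceeded) are the findings. The following Python is an added example, not code from the presentation or from E Baker Law Firm PLLC. The asset records, serial numbers and product names are constructed, and the discovery tuples stand in for whatever an endpoint agent or authenticated network scan would report.

```python
"""Reconcile a documented asset log against discovery-scan results (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SoftwareRecord:
    """One row of the documented software log (a subset of the fields listed in the notes)."""
    title: str
    version: str
    licenses: int        # license count purchased
    business_unit: str


@dataclass(frozen=True)
class HardwareRecord:
    """One row of the documented hardware log."""
    serial: str
    model: str
    location: str


# Constructed sample inventory; all names and serials are hypothetical.
DOCUMENTED_SOFTWARE = [
    SoftwareRecord("CoreBanking Client", "4.2", licenses=50, business_unit="Branch Ops"),
    SoftwareRecord("PDF Reader", "11.0", licenses=200, business_unit="Enterprise"),
    SoftwareRecord("Data Analysis Suite", "3.0", licenses=1, business_unit="Finance"),
]
DOCUMENTED_HARDWARE = [
    HardwareRecord("SN-0001", "Laptop-X", "HQ-Floor2"),
    HardwareRecord("SN-0002", "Laptop-X", "Branch-12"),
    HardwareRecord("SN-0004", "Printer-Y", "Branch-12"),
]

# Constructed discovery results as (serial, title, version), standing in for
# what an endpoint agent or authenticated network scan would report.
DISCOVERED = [
    ("SN-0001", "CoreBanking Client", "4.2"),
    ("SN-0001", "Data Analysis Suite", "3.0"),
    ("SN-0002", "Data Analysis Suite", "3.0"),   # second install of a single-license product
    ("SN-0002", "RemoteDesktopTool", "2.1"),     # not in the documented log
    ("SN-0003", "PDF Reader", "11.0"),           # host not in the hardware log
]


def reconcile(documented_sw, documented_hw, discovered):
    """Return the gaps between the documented log and what was actually found.

    unauthorized_software: installed (title, version) pairs with no log entry
    unknown_hardware:      serials seen on the network but absent from the log
    missing_hardware:      logged serials that the scan never saw
    license_overuse:       titles whose install count exceeds the licensed count
    """
    known_sw = {(s.title, s.version): s for s in documented_sw}
    known_hw = {h.serial for h in documented_hw}
    seen_hw = {serial for serial, _, _ in discovered}
    installs = Counter((title, version) for _, title, version in discovered)
    return {
        "unauthorized_software": sorted(k for k in installs if k not in known_sw),
        "unknown_hardware": sorted(seen_hw - known_hw),
        "missing_hardware": sorted(known_hw - seen_hw),
        "license_overuse": sorted(
            title for (title, version), n in installs.items()
            if (title, version) in known_sw and n > known_sw[(title, version)].licenses
        ),
    }


if __name__ == "__main__":
    for finding, items in reconcile(DOCUMENTED_SOFTWARE, DOCUMENTED_HARDWARE, DISCOVERED).items():
        print(f"{finding}: {items}")
```

Each of the four result lists maps to a control on slide 10: unauthorized software and unknown hardware are controls 2 and 1, a logged device the scan never sees is a candidate for decommissioning or a coverage gap, and license overuse is a contract finding for the review under "Contracts & Reports". Running the reconciliation on every scan, rather than once a year, is the kind of automation slide 4 asks for.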
Contracts & Reports: Review and identify existing concerns, and prioritize the concerns addressed in reports, etc. Review existing contracts to identify which roles & responsibilities lie with internal corporate employees and which lie with 3rd party vendors. Review and identify all SLA reports and deliverables from internal employees and 3rd party vendors to ensure compliance, efficiency, and effectiveness (responsiveness, deliverables, service demarcations, incident handling). Review and consult on, prior to execution, all contracts which may affect hardware, network, security access, integration into existing systems, processes, etc. If an existing report carries remediation obligations, review it periodically to ensure completion.
Policies & Procedures/Processes: Identify, review and ensure complete, accurate and up-to-date documentation of policies, procedures and workflow processes. Review state and federal laws, regulatory guidance (compliance and industry specific). Work with Legal Counsel to be updated on any changes in laws and regulatory guidance (FDIC, OCC, Fed Reserve, FFIEC, etc.) on a monthly if not more frequent basis.
Assess, Monitor and Re-Assess all of the identified items in the previous slide (tracked in a Configuration Management Database (CMDB) or IT Asset Management (ITAM) database). Review maintenance and service contracts for software to ensure they are being updated with the latest patches, etc. Review hardware and systems that are nearing their “end of life” (EOL) to incorporate them into your strategic plan and budget, and prepare for upgrades, data transfer, or otherwise transitioning that equipment, those systems, and the data on those systems.
Test and stress the systems (firewalls, AV solutions, IDS/IPS sensors, and security procedures such as patch management and incident response). Review audit findings, technical requirements and reported metrics to verify controls are effective (external and internal). Review initiating reports and SIEM logs, and establish metrics for performance: patch latency (time from an update being issued to it being installed), baseline scan coverage (percentage of the organization’s systems covered by antivirus, firewall, malware/APT solutions), ratio of compromised machines to user base, incident response time (report of incident to remediation), percentage of incidents detected by equipment type vs. overall number of incidents, mean time between security incident and recovery, percentage of systems/assets without vulnerability issues after test/scan (ensure all systems are configured and patch updates installed correctly), mean time from infection to detection, and budget for security controls relative to overall budget. Perform vulnerability scans (check for updates that have not been deployed or installed, and security controls disabled or misconfigured); technology scans (traffic flow, user behavior, bandwidth rates at specific times/days); and penetration tests (stress test the system, people, security policies/controls and applications).
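The metrics listed above are easy to name and easy to define inconsistently, so it helps to pin each one to a formula over concrete records. The Python below is an added example, not from the presentation or the law firm; the endpoints, incidents, patch dates and budget figures are constructed, and the field names (`antivirus`, `apt_solution`, `open_vulns`, the four incident milestones) are this example's assumptions about what an endpoint report and an incident ticket would carry.

```python
"""Compute the performance metrics named in the notes from constructed records (added example)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Endpoint:
    host: str
    antivirus: bool
    firewall: bool
    apt_solution: bool     # malware/APT agent present
    compromised: bool
    open_vulns: int        # findings still open after the last scan


@dataclass(frozen=True)
class Incident:
    infected: datetime     # best estimate of initial compromise
    detected: datetime
    reported: datetime
    remediated: datetime


# Constructed sample data; hostnames and timestamps are hypothetical.
ENDPOINTS = [
    Endpoint("ws-01", True, True, True, False, 0),
    Endpoint("ws-02", True, True, False, True, 3),
    Endpoint("ws-03", False, True, True, False, 0),
    Endpoint("srv-01", True, True, True, False, 1),
]
INCIDENTS = [
    Incident(datetime(2017, 8, 1, 9, 0), datetime(2017, 8, 1, 15, 0),
             datetime(2017, 8, 1, 16, 0), datetime(2017, 8, 2, 16, 0)),
    Incident(datetime(2017, 8, 3, 0, 0), datetime(2017, 8, 3, 12, 0),
             datetime(2017, 8, 3, 12, 30), datetime(2017, 8, 3, 20, 30)),
]
# (vendor release date, date installed) for each patch applied in the period
PATCHES = [
    (datetime(2017, 7, 1), datetime(2017, 7, 11)),
    (datetime(2017, 7, 15), datetime(2017, 7, 19)),
]


def coverage_pct(endpoints, control):
    """Baseline scan coverage: share of endpoints on which the named control is present."""
    return 100.0 * sum(getattr(e, control) for e in endpoints) / len(endpoints)


def compromised_ratio(endpoints):
    """Ratio of compromised machines to the machine base."""
    return sum(e.compromised for e in endpoints) / len(endpoints)


def clean_pct(endpoints):
    """Share of systems with no open findings after the last vulnerability scan."""
    return 100.0 * sum(e.open_vulns == 0 for e in endpoints) / len(endpoints)


def mean_hours(incidents, start, end):
    """Mean elapsed hours between two incident milestones, e.g. 'infected' -> 'detected'."""
    return mean((getattr(i, end) - getattr(i, start)).total_seconds() / 3600 for i in incidents)


def patch_latency_days(patches):
    """Mean days from a patch being issued to it being installed."""
    return mean((installed - issued).days for issued, installed in patches)


def scorecard(endpoints, incidents, patches, security_budget, total_budget):
    """Assemble the metrics the notes ask for into one report dictionary."""
    return {
        "patch_latency_days": patch_latency_days(patches),
        "coverage_antivirus_pct": coverage_pct(endpoints, "antivirus"),
        "coverage_firewall_pct": coverage_pct(endpoints, "firewall"),
        "coverage_apt_pct": coverage_pct(endpoints, "apt_solution"),
        "compromised_ratio": compromised_ratio(endpoints),
        "response_hours_report_to_remediation": mean_hours(incidents, "reported", "remediated"),
        "detection_hours_infection_to_detection": mean_hours(incidents, "infected", "detected"),
        "recovery_hours_detection_to_remediation": mean_hours(incidents, "detected", "remediated"),
        "systems_without_vulns_pct": clean_pct(endpoints),
        "security_budget_pct": 100.0 * security_budget / total_budget,
    }


if __name__ == "__main__":
    for name, value in scorecard(ENDPOINTS, INCIDENTS, PATCHES, 1.5, 30.0).items():
        print(f"{name:42s} {value:8.2f}")
```

Two of the numbers deserve a caveat when they are reported to management: "infection to detection" depends on an estimated infection time that is often revised during forensics, and a coverage percentage is only as good as the inventory it is divided by, which is why the scorecard should be computed over the reconciled asset log rather than over whatever the AV console happens to know about.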
Identify, track and monitor which controls are “fully implemented,” “partially implemented,” or “not implemented.”
Review security (NIST, ISO, OWASP, COBIT, CCM, SANS, etc.) and compliance frameworks (PCI, HIPAA, GLBA, SOX, etc.) documentation to identify outstanding issues, remediation, control gaps, etc. Update policies, procedures and process workflow to incorporate changes in laws, regulations, systems & people, products or services. Update access/authorizations, data retention and destruction or transmittal (emailed or downloaded or printed).
Remediation & Prevention: management, management, management. Document all changes so that the information is easily accessible and IT can understand what configurations were changed, installed, or deleted. Manage and document your Company’s systems, assets, security controls, and patches. You must first know how data is accessed and routed from your Company’s datacenters, through your Company, and down to your users’ desktops. You need to understand where your Company’s ingress/egress points are located, where your edge boundaries lie (cloud / on premise) and, most of all, have visibility into how your Company’s internet providers and 3rd party vendors/partners connect remotely into your environment. Automation is your friend and ally.
Security controls are safeguards: countermeasures deployed to minimize or compensate for security risks. These risks can be to an organization’s physical property, information, computer systems, or other assets.
Development of an Incident Response Plan and Team – containment, collection, and remediation. See NIST SP 800-61 Rev. 2 for guidance.