1. Lord of the Keys: Maturing your IS Program Using the NIST Cybersecurity Framework and FFIEC Cybersecurity Maturity Assessment
2. Agenda
• Reasons to Mature
• Breaches and Impact
• WNB Posture
• NIST Cybersecurity Framework
• FFIEC Maturity Assessment Tool
3. Background
I.S.E. People's Choice Award
http://www.ten-inc.com/ise/central/default.asp
https://www.surveymonkey.com/r/CEN_PCVOTING
LinkedIn Profile: Marc Crudgington
4. Why Act?
• Executive Order 13636: President signs to improve cybersecurity in the critical infrastructure, 02/2013
• PCI Required: Covers those associated with payment cards (banks, merchants, tech), 12/2004
• Right thing to do: Protecting customer data is paramount to the bank's reputation/trust
5. Why Act?
• FFIEC: Cybersecurity Awareness, IT Handbook; Frequency of attacks, 11/2015; Mitigate attacks, 03/2015; Participate in Intel Sharing, 11/2014
• Executive Order: Private sector information sharing, 02/2015; National Action Plan and Cybersecurity Commission, 02/2016
• FFIEC: Releases Cybersecurity Assessment Tool, recommends financial institutions use it or a similar tool, 06/2015
9. Effects on Economy
IP Intensive
• IP: 70% of value of public companies
• Annual losses: estimated over $300B
• China: +$107B sales and +2.1M jobs
Healthcare
• 43%: ITRC account of breaches
• 2013: 8.8M records stolen
• 1.8M: Victims of Identity Theft
Finance/Business
• 2013: 856 reported breaches
• Q1 2014: 98.3% of data exposed
• 37%: Breaches affected the sector
10. Effects on Economy
• 1M+ jobs lost and a $200B cost in 2010
• Based on estimate of 5,080 jobs per $1B
• 0.5% ($70B) or 1% ($140B) of National Income
• Globally - $350B or $700B
• Healthcare: $7B for HIPAA 2013 losses
• SMBs: 80% file bankruptcy or suffer significant
financial losses
• S&P 500: $136.5B due to AP Twitter hack
12. Effects on Economy
Associated Costs
Enterprises
- Incident: Prof Svcs $109k; Bus. Opp. $457k
- Prevention: New IT Sec $57k; Training $26k
- Total $649k
SMB's
- Incident: Prof Svcs $13k; Bus. Opp. $23k
- Prevention: New IT Sec $9k; Training $5k
- Total $50k
Attack Type
- Targeted: Ent. $2.4M; SMB $92k
- Phishing: Ent. $57k; SMB $26k
- DDoS: Ent. $57k; SMB $26k
13. Effects on Economy
• Loss of IP and Confidential Information
• Cybercrime
• Loss of sensitive business information-stock market
manipulation
• Opportunity costs, including service and employment
disruptions, and reduced trust for online activities
• The additional cost of securing networks, insurance,
and recovery from cyber attacks
• Reputational damage
14. Defense-in-Depth 2.0
[Diagram: Traffic Flow / Security Layers from the Internet through the Perimeter to the Core. Perimeter layers shown: Internet F/W, Remote Access F/W, Extranet VPN F/W, Email GW, Web GW, 2FA, IDS, Load Balancer, Threat Intel, DMZ, File Xport, Payment Sys F/W, Phishing Scanners. Core layers shown: PCs, IPS, Servers, Scanners, Server Monitor, Event Monitor, DB Monitor, PCI F/W, Critical Servers. Endpoints shown: Laptops / Tablets, Phones, Web Apps.]
15. Cybersecurity Maturity Timeline
• Begin assessing program, developing strategy; PCI
• Complete maturity assessment engagement; evaluate report, next steps
• Evaluate/implement framework, tools implementation, continue PCI path
• Continue implementation of framework, tools, PCI; self/regulator assessment, engage 3rd party
• Continuous improvement
16. Framework Core
• Identify: Organizational understanding to manage cybersecurity risks
• Protect: Appropriate safeguards to ensure delivery of services
• Detect: Appropriate activities to identify the occurrence of a cybersecurity event
• Respond: Appropriate activities to take action regarding a detected cybersecurity event
• Recover: Maintain plans for resilience and to restore services impacted
17. Framework Function/Category
Function: Category (number of subcategories)
Identify
• Asset Management (6)
• Business Environment (5)
• Governance (4)
• Risk Assessment (6)
• Risk Management Strategy (3)
Protect
• Access Control (5)
• Awareness and Training (5)
• Data Security (7)
• Information Protection Processes (12)
• Maintenance (2)
• Protective Technology (4)
19. Framework Subcategories
• Subcategories – specific outcomes of technical and/or management activities (requirements, controls, guidelines)
• Identify, ID.GV-1: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties, are understood and managed
• Protect, PR.DS-5: Protections against data leaks are implemented
• Detect, DE.AE-2: Detected events are analyzed to understand attack targets and methods
20. What We Did
• Participated in Framework Request for Information
• Reviewed Framework upon release
• Determined how Framework fit into our current IS
Program
• Declared NIST Cybersecurity Framework as our
foundational IS Program framework
• Incorporated NIST Cybersecurity Framework into our IS
Program
• Internal Audit performed Cybersecurity / GLBA Audit
22. Inherent Risks Samples
Each category is rated at one of five risk levels: Least, Minimal, Moderate, Significant, Most.
Personal devices allowed to connect to the corporate network
- Least: None
- Minimal: Only one device type available; <5% employees; email
- Moderate: Multiple device types; <10% employees; e-mail
- Significant: Multiple device types; <25% emp.; e-mail, some apps
- Most: Any device; >25% employees; all apps accessed
Online presence (customer)
- Least: No web facing
- Minimal: Website/Social media
- Moderate: Delivery channel, customer comm.
- Significant: Wholesale, retail account origination
- Most: Internet apps serve as channel
Issue debit or credit cards
- Least: Do not issue debit or credit cards
- Minimal: Issue through a third party; <10,000 cards
- Moderate: Issue through a third party; between 10,000 – 50,000 cards
- Significant: Issue directly; between 50,000 – 100,000 cards
- Most: Issue directly; >100,000 cards outstanding; issue on behalf
Changes in IT and IS staffing
- Least: Key positions filled; low turnover
- Minimal: Staff vacancies exist for non-critical roles
- Moderate: Some turnover in key or senior positions
- Significant: Frequent turnover in key or senior staff
- Most: Vacancies in Sr. staff for long periods; IT/IS turnover high
Attempted Cyber Attacks
- Least: None
- Minimal: <100 monthly, generic phishing
- Moderate: <500, targeted phishing, DDoS
- Significant: >500-100k, spear phishing, threat reports, DDoS
- Most: <100k, persistent attacks & DDoS
23. Inherent Risks
[Matrix: Inherent Risk Levels (Least, Minimal, Moderate, Significant, Most) across the top; Cybersecurity Maturity Level for Each Domain (Baseline, Evolving, Intermediate, Advanced, Innovative) down the side.]
24. FFIEC Maturity Levels (Level 1 = Least Mature through Level 5 = Most Mature)
• Level 1, Baseline - minimum expectations required by law and regulations or recommended in supervisory guidance
• Level 2, Evolving - additional formality of documented procedures and policies that are not already required
• Level 3, Intermediate - detailed, formal processes; controls are validated and consistent
• Level 4, Advanced - cyber security practices and analytics that are integrated across lines of business
• Level 5, Innovative - driving innovation in people, processes, and technology for the institution and the industry to manage cyber risks
25. FFIEC Cybersecurity Domains
1. Cyber Risk Management and Oversight
2. Threat Intelligence and Collaboration
3. Cybersecurity Controls
4. External Dependency Management
5. Cyber Incident Mgmt. and Resilience
26. Cybersecurity Assessment Factors
Cybersecurity Maturity: Domain and its Assessment Factors
• Cyber Risk Management and Oversight: Governance (Oversight, Strategy/Policies, IT Asset Management); Risk Management; Resources; Training and Culture
• Threat Intelligence and Collaboration: Threat Intelligence; Monitoring and Analyzing; Information Sharing
• Cybersecurity Controls: Preventative Controls; Detective Controls; Corrective Controls
• External Dependency Management: Connections; Relationship Management
• Cyber Incident Management and Resilience: Incident Resilience Planning and Strategy; Detection, Response, and Mitigation; Escalation and Reporting
27. Cybersecurity Maturity Statements
Domain 1: Cyber Risk Management and Oversight, Assessment Factor: Governance, Statement: Oversight
• Baseline: The budgeting process includes information security related expenses and tools
• Advanced: Management has a formal process to continuously improve cybersecurity oversight
Domain 2: Threat Intelligence and Collaboration, Assessment Factor: Information Sharing, Statement: Information Sharing
• Evolving: A formal & secure process is in place to share threat & vulnerability information with other entities
• Advanced: Relationships exist with employees of peer institutions for sharing cyber threat intelligence
Domain 3: Cybersecurity Controls, Assessment Factor: Detective Controls, Statement: Anomalous Activity Detection
• Baseline: Elevated privileges are monitored
• Innovative: The institution has a mechanism for real-time automated risk scoring of threats
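The scoring rule behind these declarative statements, shown as an added example that is not part of the presentation or of the FFIEC tool: a domain reaches a maturity level only when every statement at that level and at all lower levels is answered Yes, so a met Advanced statement does not count while an Intermediate one is unmet. Two statements are quoted from the slide; the "[placeholder]" statements and all Yes/No answers are constructed.

```python
"""FFIEC CAT maturity scoring: a domain attains a level only when every
declarative statement at that level and at all lower levels is answered Yes.
Added example, not code from the presentation or from the FFIEC tool."""
from collections import defaultdict

LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
# (domain, level, statement). Two statements are quoted from the slide
# (Domain 3, Detective Controls); the "[placeholder]" ones are constructed
# stand-ins for the tool's other declarative statements.
STATEMENTS = [
    ("Cybersecurity Controls", "Baseline", "Elevated privileges are monitored"),
    ("Cybersecurity Controls", "Evolving", "[placeholder] Evolving statement A"),
    ("Cybersecurity Controls", "Intermediate", "[placeholder] Intermediate statement A"),
    ("Cybersecurity Controls", "Intermediate", "[placeholder] Intermediate statement B"),
    ("Cybersecurity Controls", "Advanced", "[placeholder] Advanced statement A"),
    ("Cybersecurity Controls", "Innovative",
     "The institution has a mechanism for real-time automated risk scoring of threats"),
]

# Constructed sample answers (statement -> Yes/No). Advanced is met but one
# Intermediate statement is not: the cumulative rule still caps the domain
# at Evolving, and the unmet Intermediate statement is the gap to close.
ANSWERS = {
    "Elevated privileges are monitored": True,
    "[placeholder] Evolving statement A": True,
    "[placeholder] Intermediate statement A": True,
    "[placeholder] Intermediate statement B": False,
    "[placeholder] Advanced statement A": True,
    "The institution has a mechanism for real-time automated risk scoring of threats": False,
}


def domain_maturity(statements, answers):
    """Return {domain: (attained level or None, statements blocking the next level)}."""
    # An unanswered statement counts as No; a level with no statements counts
    # as unattained, so a partial statement list never inflates the result.
    per_domain = defaultdict(lambda: {lvl: [] for lvl in LEVELS})
    for domain, level, text in statements:
        per_domain[domain][level].append(text)
    results = {}
    for domain, by_level in per_domain.items():
        attained, blockers = None, []
        for level in LEVELS:
            unmet = [t for t in by_level[level] if not answers.get(t, False)]
            if unmet or not by_level[level]:
                blockers = unmet
                break
            attained = level  # every statement through this level is met
        results[domain] = (attained, blockers)
    return results
```

Closing the listed gap and re-running shows the domain move to Advanced, which is the prioritisation view a maturity roadmap needs.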
28. What We Did
• Started maturing when hired in 08/2012
• Assessed program, changed IS Committee meeting, recommended anomalous behavior tools
• Utilized other maturity assessments: Gartner 03/2013,
reassess in early 2015
• Surprise!: The FFIEC releases their maturity assessment on
06/30/2015
• Collaborated with CIO/CRO to complete the assessment
• Worked with regulators (OCC) to complete assessment to
Evolving level
• Engaged a 3rd party consulting/audit firm to complete
assessment