Presentation is loading. Please wait.

Presentation is loading. Please wait.

GLBA & IS/IT Risk Assessments

Published byCory Howard Modified over 8 years ago

Similar presentations

Presentation on theme: "GLBA & IS/IT Risk Assessments"— Presentation transcript:

1 GLBA & IS/IT Risk Assessments
Presented by Kristina Buckley of Buckley Technology Group

2 Understanding New Vendor Management Risks and Key Areas for Improvement
Cybercrime Initiative GLBA Overview GLBA Risk Matrix IS & IT Risk Assessments 5 4 3 2 1 GLBA Risk Assessment Report

3 GLBA Program Requires Financial Institution to ensure the security, confidentiality, and integrity of customer information. The bank is required to develop and maintain a written program to assess, manage and control risks associated with customer non-public information. Program must include the monitoring and review of appropriate audits and documentation. Annual Report to board is required by GLBA. Employee information should also be protected.

4 GLBA Program Program should include incident response and security breach notification. It is the bank’s regulatory requirement to notify customers of a security breach so it is critical the bank’s contract includes a security notification clause – 24 hours. The program safeguards are intended to: Insure the security and confidentiality of customer records and information; Protect against any anticipated threats or hazards to the security or integrity of such records; and Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

5 GLBA Risk Assessment Report
Objectives of assessment are as follows: Identify the services/business processes from the bank’s vendor management and BCP program that have a high NPI Risk level. For each of the business processes: Identify the supporting systems involved and any associated input and output of data. Identify the security controls in place for each identified supporting system. Identify existing internal and external threats associated with each business process.

6 GLBA Risk Assessment Report
Objectives of assessment are as follows: Identify existing controls in place to mitigate risks. Identify additional controls to be considered to mitigate risks. Identify related vendors and their security practices associated with the business process.

7 GLBA Risk Assessment Report
Document the Threat Level Rating Scale Used: High: Threat could lead to disclosure of customer information, significant impact to the reputation of the bank, significant financial loss, interrupt customer service for an unacceptable period of time, and not be in compliance. Medium: Threat could cause interruption or delay in service to customers, impact to the reputation of the bank, moderate financial loss for the bank. Low: Threat considered low given mitigating controls in place.

8 GLBA Risk Assessment Report
Document the Threat Level Rating Scale Used: GLBA Risk Rating Defining Characteristics High Threat could lead to disclosure of customer information, significant impact to the reputation of the bank, significant financial loss, interrupt customer service for an unacceptable period of time, and not be in compliance. Medium Threat could cause interruption or delay in service to customers, impact to the reputation of the bank, moderate financial loss for the bank. Low Threat considered low given mitigating controls in place.

9 GLBA Risk Assessment Report
Document the Threat Level of Effort Scale Used: High: Changes or enhancements that are expected to involve significant incremental costs and/or require significant involvement by administrators and/or significant changes to end-users. Medium: Changes or enhancements that are expected to involve moderate incremental costs and/or require moderate involvement of administrators and little or no direct impact to end-users. Low: Changes or enhancements that are considered to be both low cost and to require moderate to low involvement by administrators and/or minimal to no impact to end-users.

10 GLBA Risk Assessment Report
Document the Threat Level of Effort Scale Used: Level of Effort Defining Characteristics High Changes or enhancements that are expected to involve significant incremental costs and/or require significant involvement by administrators and/or significant changes to end-users. Medium Changes or enhancements that are expected to involve moderate incremental costs and/or require moderate involvement of administrators and little or no direct impact to end-users. Low Changes or enhancements that are considered to be both low cost and to require moderate to low involvement by administrators and/or minimal to no impact to end-users.

11 GLBA Risk Assessment Report
For each Business Process: The vendor name Associated business process with a high NPI risk rating The owner The assigned GLBA Risk Rating (High) An assigned Level of Effort (High, Medium or Low as defined below) A description of GLBA findings An explanation of the risks associated with the finding/observation Recommendations for further risk mitigation Financial Institution’s Update (include possible mitigating controls)

12 GLBA Risk Assessment Report
Vendor Name: CRIF Business Process/Business Process Owner: Indirect Lending – Kris Buckley GLBA Risk Rating: High Level of Effort: Low Finding: Customer account file is transmitted to vendor. The financial institution has received a confidentiality agreement, but is not currently aware of a SSAE16 and/or other security documentation outlining how the vendor protects or properly disposes of NPI, or an incident response plan. It is currently unknown how the data is transmitted to vendors. Risk: Without proper vendor oversight/documentation the bank can be at increased risk of external security threats by information not being properly secured which could result in unauthorized access, system compromise, and/or disclosure of customer data. BTG Recommendations: Request a SSAE16 and/or similar security documentation detailing the protection and proper disposal of NPI, and a security breach notification agreement or incident response plan that includes security breach notification to the bank if there is any possibility that NPI could be compromised. Work with vendor(s) to ensure data is being transmitted securely. Financial Institution Update:

13 GLBA Risk Assessment Report
Other components you may want to add to the table identified on previous screen depending upon the size and complexity of your financial institution. Risk Areas Risk Categories Likelihood Impact Inherent Risk Existing Mitigating Controls Residual Risk

14 GLBA Risk Assessment Report
Report should document the total number of business processes within each Risk Level and the findings. You will identify during the assessment a number of business processes that share vulnerabilities.

15 GLBA Risk Assessment Report
Risk Level Risk/Threat Description 16 High (10 Vendors) Missing vendor due diligence documentation Unsecured or unidentified transmission of data Informal and/or Missing Access Removal Process Single Factor Website Authentication Unidentified retention and disposal of NPI on the Internet 32 Medium Partial and/or Outdated vendor due diligence documentation 16 Low Exceptions noted but corrected on last SSAE16

16 GLBA Matrix Option 2 For each Business Process: Identify any third parties that may provide the organization with initial information. Identify any third parties the organization shares data with during this process. List the methods of collection used to complete the process. List the formats the data is in (i.e. hardcopy, electronic, etc.). List how the data is transmitted or transported. For formats identified, how long are they retained and where? For electronic file formats identified, how are they backed up and where are backups retained? For formats identified, identify disposal process for related information. Will NPI be retained and available via the Internet? If yes, explain security controls in place for vendor, the organization and customer access. Outline retention and disposal of any NPI available via Internet.

17 GLBA Matrix Option 2 What security controls are in place for the business process and all related data formats. Identify who requires access to the business function and related data. What process is in place to remove employee or vendor access? Identify any person or party who has access but it is not required under their job description. What audit controls, reports, and logs are available to monitor employee and vendor access? Has the vendor provided the organization with a confidentiality agreement and/or security documentation outlining the protection of non-public information? Has vendor provided an Incident Response Policy/procedure which includes breach of security notification to the organization if there is any possibility that non public information could be compromised? Identify the possible internal threats. Internal Risk Rating (high, medium, low) Identify the possible external threats. External Risk Rating (high, medium, low) Type of risks associated with internal and external threats (reputation, financial, strategic)

18 GLBA Matrix Option 2: Questions you may want to add to Matrix:
External access points (employee and vendors). Related applications. Security controls for each application. Regulator retention guidelines are met.

19 GLBA Matrix Option 2: Questions you may want to add to Matrix:
Network directories that may contain data. Do the vendor employees have access to the NPI on their PC’s, laptop, etc. outside of the financial institution’s control? Does vendor subcontract with third parties to perform any components related to NPI.

20 IT/IS Risk Assessment An IT/IS risk assessment should be performed annually on high NPI risk vendors as part of GLBA. It should also be performed for any prospective vendor or changed relationship. Business change Product change Controls are changed Regulations are changed (even if your contract states they will remain in compliance)

21 IT/IS Risk Assessment The Business Owner (Contract) is responsible for the Vendor and the Risk Assessment process however IT needs to get involved and be part of the formal process. Require business owners get IT’s sign-off. Report and Matrix noted earlier can be used to document Risk Assessments

22 IT/IS Risk Assessment IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc): Identify All new hardware and software involved in product. Is this cloud based? Is software and hardware compatible to Bank’s existing infrastructure? Document expected network infrastructure to ensure it is truly compatible and to identify additional needs. Document expected PC, laptop and device configuration.

23 IT/IS Risk Assessment IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc): Identify Any firewall, IDS, IPS changes? New servers (traditional or virtual). New licensing requirements. New telecommunication needs.

24 IT/IS Risk Assessment IT/IS Questions for a Prospect or Product Risk Assessment (refer to sample doc): Identify Wireless required or being introduced? Remote access rights and encryption required. Who is responsible for patch maintenance for items above?

25 Risk Assessment Website Hosting
Some Questions to consider: Does the vendor provide hosting to other financial institutions? Are they aware of the related regulatory guidance? What can they provide you for Security Documentation? SSAE16? What can they provide you for Pen Testing and Monitoring? Objective third party and frequency

26 Risk Assessment Website Hosting
Some Questions to consider: Application design and known vulnerabilities? (open source) Security Breach notification procedures (in contract) Website hosting infrastructure Private or public server Remote Access

27 Risk Assessment Website Hosting
Some Questions to consider: Business Continuity Outside of your region Redundancy Backup policy

28 Monitoring Review all due diligence documentation. Question if reports are not being updated at a minimum of every two years Review of Penetration Test results If they are regulated ensure you are reviewing audit reports.

29 Documentation Red Flags
Be cautious if you run into any of the following during Risk Assessment or Documentation review: IS Policies are not based on any accepted security standard (ISO27001) No formal training and security awareness program noted for employees and subcontractors Encryption does not exist on vendor employee laptops

30 Documentation Red Flags
Can’t provide PEN tests (S/B at a minimum annual) Weak remote access standards Weak BCP/DR Plan Weak data media handling, retention, disposal and return practices Difficulty providing the overall material

31 Cybercrime Initiative Resources
The FS-ISAC is a member-owned, nonprofit and private financial sector initiative. Its primary function is to share timely, relevant, and actionable physical and cyber security threat and incident information to enhance the ability of the financial services sector to prepare for, respond to, and mitigate the risk associated with these threats. Both the U.S. Department of Treasury and the U.S. Department of Homeland Security rely on the FS-ISAC to disseminate critical information to the financial services sector in times of crisis.

32 Cybercrime Initiative Resources
Members receive timely notification and authoritative information specifically designed to help protect critical systems and assets from physical and cyber security threats. Provides an anonymous information-sharing capability across the entire financial services industry that enables institutions to exchange information regarding physical and cyber security threats, as well as vulnerabilities, incidents, and potential protective measures and practices.

33 Cybercrime Initiative Resources
United States Computer Emergency Readiness Team (US-CERT) The Department of Homeland Security's US-CERT facilitates the coordination of cyber information sharing and provides cyber vulnerability and threat information through its national Cyber Awareness System. Financial institutions may learn more about US-CERT and subscribe to receive security alerts, tips and other updates through its website at Cyber Security Page 2

34 Cybercrime Initiative Resources
U.S. Secret Service Electronic Crimes Task Force (ECTF) The Electronic Crimes Task Force teams local, state and federal law enforcement personnel with prosecutors, private industry, and academia to maximize what each has to offer in an effort to combat cyber criminal activity. For more information on the Electronic Crimes Task Forces please visit

35 Cybercrime Initiative Resources
FBI InfraGard InfraGard is an information sharing forum between the FBI and the private sector. InfraGard operates more than 60 chapters that conduct local meetings pertinent to their area. Information about InfraGard may be obtained at

36 Related Rules and Regulations
FDIC IT Exam Officers VM Guidance and Questionnaire IT Examination Handbook Outsourcing Technology Services Part of FFIEC IT Rating (URSIT) Part 364-B FDIC Rule and Regulations FFIEC IT Handbook (excel)

37 Kris Buckley, President
THANK YOU Kris Buckley, President

Download ppt "GLBA & IS/IT Risk Assessments"

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Chapter 5: Asset Classification

Chapter 5: Asset Classification
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
E B a n k i n g Information Security Guidelines ABA’s Technology Risk Management – A Strategic Approach Telephone/Webcast Briefing June 17, 2002.

E B a n k i n g Information Security Guidelines ABA’s Technology Risk Management – A Strategic Approach Telephone/Webcast Briefing June 17, 2002.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Vendor Management Presented by Kristina Buckley of

Vendor Management Presented by Kristina Buckley of
Physical and Cyber Attacks1. 2 Inspirational Quote Country in which there are precipitous cliffs with torrents running between, deep natural hollows,

Physical and Cyber Attacks1. 2 Inspirational Quote Country in which there are precipitous cliffs with torrents running between, deep natural hollows,
Copyright © 2014 Lender Performance Group, LLC. All rights reserved. Managing risks associated with third-party relationships, in other words Vendor Management.

Copyright © 2014 Lender Performance Group, LLC. All rights reserved. Managing risks associated with third-party relationships, in other words Vendor Management.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.

Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.
Network security policy: best practices

Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Vendor Risk: Effective Management is Essential

Vendor Risk: Effective Management is Essential
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Similar presentations

Ads by Google