Baseline Nonbank Cybersecurity Exam Program

This is the student handbook for the CSBS Virtual Discussion Series - Baseline Nonbank Cybersecurity Exam Program, held virtually from May 19 to June 23, 2021.

CSBS Virtual Discussion Series - Baseline Nonbank Cybersecurity Exam Program

May 19-June 23, 2021

CSBS Virtual Discussion Series - Baseline Nonbank Cybersecurity Exam Program May 19, 2021

Teams Features


CSBS Virtual Discussion Series

• Session 1 of 5 - Document Request List (Today)
• Session 2 of 5 - IT Audit, Development Activities & Network/Application Security and Administration
• Session 3 of 5 - Network/Application Security and Administration (continued)
• Session 4 of 5 - IT Oversight and Supervision
• Session 5 of 5 - Business Continuity/Disaster Recovery Planning

Speaker Information

Holly Chase, Director of Cybersecurity/IT/FinTech, MA Division of Banks, Holly.Chase@mass.gov

Speaker Information

Linda Pearson, Cybersecurity Risk Specialist, TX Department of Banking, Linda.Pearson@dob.texas.gov

Document Request List


Information Security Program – IT-1

a) All policies and procedures that comprise the information security program, including but not limited to:
• Information Security
• Anti-virus
• Change Management
• Software Development and Maintenance
• Vendor Management
• Business Continuity/Disaster Recovery/Emergency Preparedness/Incident Response Plans
• Remote Access for Employees and Customers
• Data Backups
• Data Retention
• Data Disposal
• Acceptable Use
• Rules of Behavior
• Clean Desk
• Encryption/Data at Rest and Data in Motion
• Mobile Device Management, including Bring Your Own Device
• Written hardware and software end-of-life policies and procedures

Information Security Program – IT-1 (continued)

b) Risk assessment(s)
c) Information Security training materials for all employees, including employee completion records

Board/Management Oversight – IT-2

a) IT Strategic Plan/Budget
b) Most recent CIO or CISO presentation
c) Materials to support Board discussion of risk acceptance
d) Board/committee minutes to support designation of employee(s) to coordinate the information security program

IT/IS Organization – IT-3

a) IT/IS Organizational Chart(s)
b) Resumes for key IT personnel
c) Job descriptions for key IT personnel
d) IT Succession Plan (if separate from overall institution plan)

Relationships Between Assets and Data Flow – IT-4

a) Network Diagram(s)
b) Data Flow Diagram(s)
c) Inventory of approved hardware and software assets, including network monitoring tools

Vulnerability Management Program – IT-5

a) Written policies and procedures, if not already provided for #1 above
b) Vulnerability scans – most recent
c) Penetration tests/vulnerability assessments – most recent
d) Remediation Actions

Patch Management Program – IT-6

a) Written policies and procedures, if not already provided for #1 above
b) Patch deployment confirmation
c) Rollback settings

Change Management Program – IT-7 (includes software development activities)

a) Written policies and procedures, if not already provided for #1 above
b) List of software development, acquisition, and maintenance changes within past 12 months
c) List of hardware acquisition and maintenance changes within past 12 months

IT Audit Function – IT-8

a) IT Audit Policy
b) Current and previous IT audit schedule
c) IT audit risk assessment and audit plan
d) IT audit reports for the past 24 months, including the corresponding engagement letters, if applicable
e) Actions taken to remediate findings
f) IT audit and regulatory finding tracking list

Vendor Management Program – IT-9

a) Written policies and procedures, if not already provided for #1 above
b) List of third-party vendors, indicating which vendors are considered critical
c) Documentation supporting compliance with vendor management program such as audit reports, contracts, due diligence, financial statement reviews, etc. (a sample will be selected upon receipt of the third-party vendor list)

Incident Response – IT-10

a) Incident Response Plan, if not already provided for #1 above
b) Documentation to support most recent incident response plan test
c) List of incidents occurring within previous 12 months

Business Continuity/Disaster Recovery/Emergency Management – IT-11

a) Business Continuity/Disaster Recovery/Emergency Management Plans, if not already provided for #1 above
b) Backup policies and procedures, if not already provided for #1 above
c) Business Impact Analysis

Business Continuity/Disaster Recovery/Emergency Management – IT-11 (continued)

d) Risk Assessment
e) Documentation to support all testing performed during previous 24 months

Password Management – IT-12

a) Password settings for all systems
b) Screen lockout settings for all systems
c) Session expiration settings for all systems

Remote Access for Employees & Customers – IT-13

a) Written policies and procedures, if not already provided for #1 above
b) Description of everyone who has remote access, including third parties, employees and board members with company-owned devices, and employees and board members with personal devices

Insurance Policies (if applicable) – IT-14

a) Cybersecurity, ransomware, data breach notification

Products and Services – IT-15

Describe the technology environment:

a) Describe all cloud services used by the institution. Include Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Products and Services – IT-15 (continued)

b) List of all core applications, including online applications and network(s), and indicate whether the applications are outsourced or hosted in-house.
• If outsourced, please provide the name and location of the third-party provider.
• If in-house, please indicate whether the applications are developed and maintained in-house or are a third-party software product.
• Include the product name and third-party provider name and location for software products.

Products and Services – IT-15 (continued)

c) Describe processes for network monitoring (e.g., performance, intrusion detection, web filtering) and network operations. Include whether these activities are outsourced or performed in-house.

Questions?


CSBS Virtual Discussion Series - Baseline Nonbank Cybersecurity Exam Program June 2, 2021


CSBS Virtual Discussion Series

• Session 1 of 5 - Document Request List
• Session 2 of 5 - IT Audit, Development Activities & Network/Application Security and Administration (Today)
• Session 3 of 5 - Network/Application Security and Administration (continued)
• Session 4 of 5 - IT Oversight and Supervision
• Session 5 of 5 - Business Continuity/Disaster Recovery Planning

Speaker Information

G. Henry Hallman, III, Financial Program Manager & Team Supervisor, North Carolina Commissioner of Banks, ghallman@nccob.gov

Speaker Information

Linda Pearson, Cybersecurity Risk Specialist, TX Department of Banking, Linda.Pearson@dob.texas.gov

Speaker Information

Matthew Fujikawa, Financial Institutions Manager, California Department of Financial Protection & Innovation, Matthew.Fujikawa@dfpi.ca.gov

IT Audit


Question 1

Is the scope and frequency of IT audits appropriate for the size and complexity of the institution? Are audit plans driven by the institution's risk assessment process?


Question 2

Does the institution have a process for tracking issues identified during testing, monitoring, and auditing and regulatory examinations? This includes assigning the action needed to correct the issue and recording when the issue is resolved, or the risk is accepted.


Development Activities


Question 3

If the institution develops its own software, does it follow a documented Software Development Life Cycle and conduct security testing? Is a formal project management process followed?

Question 3 - continued

• Rely on audit results, if available
• Contact an experienced IT examiner, if that resource is available
• Use the FFIEC Development and Acquisition booklet for guidance

Network/Application Security & Administration


Question 16

Are access controls sufficient for employees? Consider the following:
• Length, complexity, expiration, and reuse requirements
• Default/factory settings are changed
• Screen lock after inactivity periods
• Lockouts after incorrect login tries
• Help desk procedures to deal with failed login attempts
• Multi-factor authentication
• No shared accounts
• Administrative privileges only assigned when needed

Question 17

Are appropriate access controls in place for consumer accounts and/or portals? Are the controls different from the access controls for employees?


Question 18

How does the institution determine who needs access to what data/information? Is user access limited to business need/least privilege? Are all user access levels, including administrators, monitored and reviewed regularly? How is unauthorized access detected?


Question 19

Is there an employee departure checklist, regardless of the reason the employee is leaving (including transitioning to a different position)? Are user accounts disabled for employees who have left the institution or changed job responsibilities?


Question 20

How is remote access managed for employees, board members, vendors, and customers? What measures does the institution take to provide remote access in a secure manner?


Question 21

What access controls are in place for customer accounts and/or portals? Are there different password requirements for employees vs. customers? Are customers required to use multifactor authentication? How many failed login attempts are permitted before a user must reset their password? Are requirements in place for the strength of passwords?


Question 22

If a vendor has access to the institution's network, does the IT staff monitor their access? Is access limited to business needs?


Question 28

Are vulnerability scans conducted? How often? By whom? What, exactly, is scanned?


Question 29

Are penetration tests conducted? How often? By whom? If the institution does internal development, do they perform application security testing?


Questions?


CSBS Virtual Discussion Series

Please join us for the next session on June 9th!

Session 3 of 5 - Network/Application Security and Administration (continued)

CSBS Virtual Discussion Series - Baseline Nonbank Cybersecurity Exam Program June 9, 2021


CSBS Virtual Discussion Series

• Session 1 of 5 - Document Request List
• Session 2 of 5 - IT Audit, Development Activities & Network/Application Security and Administration
• Session 3 of 5 - Network/Application Security and Administration (continued) (Today)
• Session 4 of 5 - IT Oversight and Supervision
• Session 5 of 5 - Business Continuity/Disaster Recovery Planning

Speaker Information

Matt Hodges, IT Director, Kansas Office of the State Bank Commissioner, matt.hodges@osbckansas.org

Speaker Information

Kylee Fine, Senior IT Examiner, Kansas Office of the State Bank Commissioner, kylee.fine@osbckansas.org

Network/Application Security and Administration


Question 30

Is an Intrusion Detection/Prevention System (IDS/IPS) in use? Who is responsible for reviewing/monitoring IDS/IPS event reports?

Question 31

Are controls in place to prevent individuals from conducting unauthorized electronic transmission?


Question 39

Does the institution maintain an inventory of all approved hardware and software assets? If yes, request a copy of the inventory list and verify that it generally matches the topology diagram. Are documented security configuration standards maintained for all authorized operating systems and software?

Question 40

Does the institution have an up-to-date network topology (diagram) available for review? Are the following physical devices identified?
• Locations of servers or clusters. If clusters or VM hosts are identified, do they specify the virtual machines associated with the host?
• Security devices such as firewalls and IDS/IPS devices
• Network connections to the internet
• User devices, either individually or as a group
• Devices or servers that provide key network services such as DNS and DHCP, or core applications
• DMZ areas

Question 41

Are the following logical resources identified?
• Where data is stored
• VLANs
• Cloud resources
• VPN connections to service providers
• Remote access entry points for users or vendors (VPN connections)

Question 42

Are end-of-life assets identified with an adequate replacement schedule?

Question 43

Does the institution have a firewall(s)? How is it monitored? Are firewall rules regularly reviewed?


Question 44

Is malicious code protection (e.g., anti-virus) deployed on all workstations and servers?

Question 45

If so, how is it deployed, updated, and managed?


Question 46

What is the institution's process for applying security patches to organizational assets? Are patch status reports generated and independently reviewed to validate the effectiveness of the patch management program? Are automated systems used to identify and patch systems?


Question 47

Is encryption used to secure data at rest and/or in motion?


Question 48

Is employee user activity monitored (including vendors) in accordance with an Acceptable Use Policy?


Questions?


CSBS Virtual Discussion Series

Please join us for the next session on June 16th!

Session 4 of 5 - IT Oversight and Supervision

CSBS Virtual Discussion Series - Baseline Nonbank Cybersecurity Exam Program June 16, 2021


CSBS Virtual Discussion Series

• Session 1 of 5 - Document Request List
• Session 2 of 5 - IT Audit, Development Activities & Network/Application Security and Administration
• Session 3 of 5 - Network/Application Security and Administration (continued)
• Session 4 of 5 - IT Oversight and Supervision (Today)
• Session 5 of 5 - Business Continuity/Disaster Recovery Planning

Speaker Information

Holly Chase, Director of Cybersecurity/IT/FinTech, MA Division of Banks, Holly.Chase@mass.gov

Speaker Information

Linda Pearson, Cybersecurity Risk Specialist, TX Department of Banking, Linda.Pearson@dob.texas.gov

IT Oversight and Supervision


Question 4

How are resources allocated across the institution? What are the IT and information security budgets and where does the money primarily go?


Question 5

Does the institution have dedicated cybersecurity resources with appropriate job titles and areas of responsibility? Does management have a program to ensure employees are up to date with emerging issues and technologies?


Question 6

Is the institution's information security program formally documented and reasonably designed to accomplish the following objectives?
(1) Ensure the security and confidentiality of customer information
(2) Protect against any anticipated threats or hazards to the security or the integrity of such information
(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer

Question 6 - continued

An Information Security Program is required by the Safeguards Rule (16 CFR 314.3): You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in §314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.


Question 6 - continued

Safeguards Rule, Section 314.4 Information Security Program Elements (16 CFR 314.4):
• Designated Employee(s)
• Risk Assessment
• Key Control Testing
• Vendor Management/Third Party Risk Program
• Annual Program Adjustments

Question 7

Does the Information Security program designate an employee or employees to coordinate the information security program? If so, request their name and contact information.


Question 8

Are written policies and procedures in place for secure destruction and disposal of physical and electronic records of sensitive information?


Question 9

Is there a documented Risk Assessment process that includes inherent and residual risk identification?

• Asset Identification
• Risk Identification
• Risk Assessment and Measurement: Analyze the risk (likelihood/impact on specific assets); should allow you to rank/measure risk (High, Medium, Low for impact and likelihood - and definitions should be provided)
• Risk Mitigation: Identify and prioritize ways to reduce those risks; describe how identified risks will be mitigated or accepted
• Risk Monitoring

Question 9 - continued

Per the Safeguards Rule (16 CFR 314.4(b)), a risk assessment should: Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including: (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.


Question 10

Are key IT controls identified during the risk assessment process regularly tested or monitored? Does the institution engage a third party or internal resources to measure their effectiveness?


Question 11

Does the institution have an up-to-date data flow diagram that shows the flow and storage of PII data throughout its lifecycle?

Question 12

Is information security awareness training provided to all employees (including managers, senior executives, and contractors) as part of initial training for new users and annually thereafter?


Question 13

How does the institution make sure it employs trustworthy third parties? Does the institution perform due diligence before entering into a contract? Is there an active vendor management program and/or methodology?


Question 14

Are contracts in place? Do vendor contracts require service providers to implement and maintain appropriate information security safeguards? Consider the confidentiality, availability, and integrity of information stored with the vendor. Does the vendor management program include specified contract deliverables, due dates, and service level agreements? Are vendors monitored on an ongoing basis (not just at hire/selection)? Does the contract define each party's information security responsibilities?

Question 15

Is a cloud provider used and if so, are they part of the vendor management program?


Questions?


CSBS Virtual Discussion Series

Please join us for the final session on June 23rd!

Session 5 of 5 - Business Continuity/Disaster Recovery Planning

CSBS Virtual Discussion Series - Baseline Nonbank Cybersecurity Exam Program June 23, 2021


CSBS Virtual Discussion Series

• Session 1 of 5 - Document Request List
• Session 2 of 5 - IT Audit, Development Activities & Network/Application Security and Administration
• Session 3 of 5 - Network/Application Security and Administration (continued)
• Session 4 of 5 - IT Oversight and Supervision
• Session 5 of 5 - Business Continuity/Disaster Recovery Planning (Today)

Speaker Information

G. Henry Hallman, III, Financial Program Manager & Team Supervisor, North Carolina Commissioner of Banks, ghallman@nccob.gov

Speaker Information

Brad Robinson, Bank Examinations Coordinator, Alabama State Banking Department, Donald.Robinson@banking.alabama.gov

Business Continuity/Disaster Recovery Planning


Question 23

Are the business continuity/disaster recovery plans documented and appropriate for the size and complexity of the institution? Do they include an adequate business impact analysis and risk assessment?


Question 24

Are the business continuity and disaster recovery plans tested at least annually? Does testing include both systems and personnel using different testing methods such as failovers and tabletop testing? Does the institution have a data backup program in place? Is data backed up regularly and tested? Is there a contingency location so employees can continue to work? Is data stored offline to mitigate the risk of a ransomware attack on the online backup?


Question 25

Are the business continuity/disaster recovery plans reviewed, tested, and updated at least annually or when significant changes occur?


Question 26

Are remediation plans developed to address gaps identified during the testing? Are these efforts tracked and reviewed regularly?


Question 27

Can the entity successfully restore information and resume business operations from backups? Has this been tested recently?


Question 32

Does the institution have an incident response plan that establishes specific procedures for different types of incidents?


Question 33

Is there a communication plan in place for contacting employees, vendors, regulators, municipal authorities, and emergency response personnel (as needed)?

Question 34

Is there a plan in place for notifying customers? Does the notification plan follow all appropriate state (and/or federal and international, if applicable) regulations and/or requirements?


Question 35

Is the Incident Response Plan reviewed, tested, and updated at least annually?


Question 36

When was the last time an incident occurred? How did the institution handle it? Are all incidents mitigated?


Question 37

Are information systems monitored for potential anomalies or security incidents?


Question 38

Are event logs collected or stored in a centralized location for later review?


Questions?


CSBS Virtual Discussion Series

Thank you for joining us!

We hope you have enjoyed the virtual discussion series on the Baseline Nonbank Cybersecurity Exam Program.
