CyberSecurity: Where to Begin?

October 2014 | 10

The financial sector is regularly targeted by cyber-criminals, as noted by the 2014 Verizon Data Breach Investigations Report, which revealed that the financial sector was the most targeted sector in terms of 2013 incidents. The recent cyber-attack on J.P. Morgan Chase is just one example, but it serves as another reminder that the financial sector faces daily attacks and must stay vigilant.

The Federal Financial Institutions Examination Council's (FFIEC) pilot program, Cybersecurity Assessment, was designed to assess community institutions' vulnerability and preparedness to cyber threats. While the Cybersecurity Assessment aids the FFIEC agencies in identifying and prioritizing actions to enhance supervisory programs, guidance and training, financial institutions can also take steps to strengthen their own preparedness.

Data Asset Inventory

The critical building block in tackling cybersecurity is performing a data asset inventory, including data classification. What is your data? How critical and sensitive is the data? Where is the data stored? How is the data accessed? These are the questions that must be answered before you can determine how to protect the data. For community banks, customer information might be housed primarily at a third-party vendor, but how do you ensure that access is properly secured? Even though your data is stored externally, what might still be housed on your local systems?

Baseline Security Controls

Establishing baseline security controls is the foundation for protecting your systems. When determining how secure your internal systems are, start by answering a few questions: What are your defined password policies? What are your audit log policies? What are your firewall rules? Do you know the vulnerabilities in your systems?

How do you monitor changes in your systems? Changes to security controls should not be ad hoc, but based on a defined approval process. In addition, changes should be proactively monitored to ensure that they are approved and align with baseline settings. Periodic vulnerability assessments are necessary to ensure that security controls remain sufficient in an ever-changing environment. MCM will be happy to assist in the evaluation of information security programs and other IT general control reviews.

Cyber Security Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework can aid in strengthening your institution's cybersecurity program. The framework is not a complete checklist, but it is a useful tool to help with developing a cybersecurity program that fits your risks and business needs.

While the thought of the Cybersecurity Framework might seem new and overwhelming, the functions and category outcomes should be familiar. Financial institutions should already be developing a similar framework as part of their Information Security Program requirements. The Cybersecurity Framework core describes five functions, each with its own set of outcome categories:

• Identify - asset assessment, governance, risk assessment and risk management strategy
• Protect - access control, awareness, training, data security and protective technology
• Detect - security monitoring and detection processes
• Respond - response planning and communications
• Recover - recovery planning and improvements to restore the capabilities of what was impaired

Contact MCM's Financial Institution Services Team for more information.

Michele Welscher, CPA/CITP, CIA, CISA, Michele.Welscher@mcmcpa.com, 502.882.4484
Rick Taylor, CISA, Rick.Taylor@mcmcpa.com, 502.882.4495
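The Baseline Security Controls section asks how changes to password, audit log and firewall settings are monitored against approved baselines. The following added example (not from the article or from MCM) is a small drift check in Python: it compares constructed live settings for a hypothetical host against its approved baseline and a change-board approval log, and flags every deviation that has no approval ticket. The host name, setting names, values and ticket id are all assumptions.

```python
# Baseline drift check: compare a host's live settings against its approved
# baseline and a change-approval log, then label each deviation APPROVED
# (ticketed change) or UNAPPROVED (ad-hoc drift). All values are constructed.
from dataclasses import dataclass
from typing import Any, Optional

# Approved baseline for a hypothetical host "core-app-01" (constructed values).
BASELINE = {
    "password.min_length": 12,
    "password.max_age_days": 90,
    "audit.log_retention_days": 365,
    "audit.log_failed_logins": True,
    "firewall.inbound.allow": ["443/tcp", "22/tcp"],
}
# Live settings pulled from that host (constructed); two values have drifted.
CURRENT = {
    "password.min_length": 12,
    "password.max_age_days": 180,                                 # no ticket
    "audit.log_retention_days": 365,
    "audit.log_failed_logins": True,
    "firewall.inbound.allow": ["443/tcp", "22/tcp", "3389/tcp"],  # ticketed
}
# Change-board log: setting -> ticket id that approved its change (constructed).
APPROVED_CHANGES = {"firewall.inbound.allow": "CHG-0042"}

@dataclass(frozen=True)
class Deviation:
    setting: str
    baseline: Any
    current: Any
    ticket: Optional[str]  # None: the change was never approved

def find_drift(baseline, current, approved):
    """One Deviation per setting that differs from the baseline. A setting missing
    from the live config is drift (current=None); lists compare order-insensitively."""
    drift = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if isinstance(expected, list):
            same = set(expected) == set(actual or [])
        else:
            same = expected == actual
        if not same:
            drift.append(Deviation(key, expected, actual, approved.get(key)))
    return drift

def unapproved(drift):
    """Deviations with no approval ticket: escalate these first."""
    return [d for d in drift if d.ticket is None]

if __name__ == "__main__":
    for d in find_drift(BASELINE, CURRENT, APPROVED_CHANGES):
        print("APPROVED (%s)" % d.ticket if d.ticket else "UNAPPROVED",
              d.setting, "baseline=%r" % d.baseline, "current=%r" % d.current)
```

Run against real systems, the baseline and the live settings would be pulled from the configuration management and change-ticket systems the institution already uses; the comparison logic stays the same.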