Tag: NIST cyber security framework

Use the FFIEC Cyber Assessment Tool to help comply with NYDFS 23 NYCRR Part 500

The Federal Financial Institutions Examination Council (FFIEC) released an update to its Cybersecurity Assessment Tool to help financial institutions establish a better baseline for identifying their risks and determining their cybersecurity preparedness. The original intent of the Assessment Tool was to provide a repeatable and measurable process for financial institutions to gauge their cybersecurity preparedness over time.

The updates respond to criticism the tool has drawn since its release in June 2015 for its vagueness and its divergence from other well-established cybersecurity assessment frameworks, such as the NIST Cybersecurity Framework. While there are similarities between these tools, the FFIEC is trying to provide guidance specific to its constituency, whereas the NIST framework is general enough to apply to any organization.

While most organizations treat these tools and frameworks as guidelines to help them better protect their businesses and customers, the FFIEC member agencies have been mandating use of the tool by the banks and credit unions under their jurisdiction. This raises questions about how to comply with other regulations at the same time, and which frameworks financial institutions should use.

The FFIEC assessment tool includes three main components:

  • An inherent risk profile assessment, to help institutions understand how each activity, service and product contributes to the institution's inherent risk
  • A cybersecurity maturity assessment, to determine an institution's cybersecurity maturity level
  • An interpretation and analysis step, to help institutions judge whether their cybersecurity maturity is appropriate relative to their inherent risk profile.

Organizations that must comply with GLBA, SOX, the new NYDFS 23 NYCRR 500 cybersecurity regulation and others may struggle to decide on the best approach to meeting these regulations. While the NIST Framework offers general guidelines for improving an organization's cybersecurity posture, regulations like NYDFS 23 NYCRR 500 are more prescriptive, defining specific technologies or processes that must be in place. Meeting them may require additional guidance.

One enhancement in the updated FFIEC Cybersecurity Assessment Tool is a mapping between the tool and the NIST Cybersecurity Framework. For those already using NIST or the FFIEC tool, this helps establish how the two complement each other and where they differ. It is also helpful for organizations looking to comply with NYDFS, since many of the same goals are inherent in these tools.

While other regulatory agencies have not explicitly said they will adopt the FFIEC tool, I expect some will rather than create their own. A one-size-fits-all approach would be nice, but as the threat landscape and regulations change, tools need to evolve to meet the specific requirements of different industries.

The real goal of these rules and frameworks, lest we forget, is to ensure that you can securely operate your business without compromising your or your customers' security and privacy. It's all about protecting your confidential information and ensuring that you can continue operating as a business with the trust and confidence you have built with your customers and partners.

Ron Arden shows auditors how to protect against cyber threats

Ron Arden, Executive Vice President of Fasoo, Inc., spoke to members of the Rochester Institute of Internal Auditors (IIA) at the Hilton DoubleTree Hotel in Rochester, NY on December 7, 2016. Ron delivered a presentation on "Defending Your Intellectual Property Against Cyber and Insider Threats" at this annual event and showed attendees how to use Fasoo's enterprise digital rights management to protect sensitive information from insider threats and cyber attacks.

With the changing regulatory climate and the constant news of data breaches and cybersecurity incidents, the attendees were very interested in how to protect sensitive information in their organizations, since ensuring proper controls and managing risk are the main focus of this group. Ron spoke about the new NY State Department of Financial Services (DFS) cybersecurity regulation, which requires banks, financial services companies and insurance companies licensed or registered in New York State to meet new cybersecurity rules. A major one is encryption of all non-public data, which will require major changes in policy and technology.

A number of attendees came up after the presentation and asked about some of the research Ron presented from the recent Ponemon Institute study “Risky Business: How Company Insiders Put High Value Information at Risk“.  One gentleman from a bank commented that finance departments are less likely to expose sensitive information than sales or HR, which may be related to finance professionals having agreed to certain standards of data sharing as part of their professional certifications or degrees.  While that is certainly a possibility, there is still the risk of carelessness, which was cited as the number one cause of data breaches.

Another person asked about protecting information in the supply chain, since third-party risk assessment is becoming a bigger issue with regulators. HIPAA and other laws make a company responsible for sensitive information shared throughout its supply chain, so a company also needs to worry about the security of its suppliers and partners.

As discussed during the event, auditors and risk management professionals are very concerned about meeting regulatory compliance, but also about following internal audit and security rules. During the keynote presentation by Paul Greene, an attorney from Harter Secrest & Emery LLP, there was discussion of how best to meet cybersecurity regulations that can be either vague or overlapping. Paul talked about recent Federal Trade Commission (FTC) consent orders that require a non-compliant company to undergo an external cybersecurity audit every two years, for the next 20 years, to prove it meets strict cybersecurity guidelines.

There was also discussion about security versus compliance, which is a constant battle. An auditor can show that a company meets HIPAA, SOX, GLBA, PCI DSS and many other regulations, but that doesn't mean it is secure. Since many regulations are somewhat vague about how to be compliant, the group talked about using the NIST cybersecurity frameworks as a way to ensure security that goes beyond compliance.

Another discussion area was using analytics to understand what normal behavior looks like in your organization, so that you can recognize what is abnormal. Many companies have weak controls around data access, and it is challenging to separate the noise from the important details when IT and auditors review logs from security tools. Organizations need to establish a baseline of normal data access and then look at how activities deviate from it. This helps pinpoint insider threats as well as suspicious activity from compromised systems.

The event showed the growing need for security solutions that focus on protecting and controlling sensitive data as companies try to mitigate the risk of both cyber and insider threats.

Bill Blake shows ISACA how Fasoo protects sensitive data

Bill Blake, President of Fasoo, Inc., spoke to members of the Western NY Information Systems Audit and Control Association (ISACA) at the Hilton Double Tree Hotel in Rochester, NY on May 10, 2016. Bill delivered a presentation on "Closing the Threat Gap – A 21st Century Approach to Minimizing Risk" at this annual event and showed attendees how to use Fasoo's enterprise digital rights management to protect sensitive information from insider threats and external attacks by hackers.

Given the constant barrage of news on data breaches and cyber security incidents, the attendees were very interested in how to protect sensitive information in their organizations, since ensuring proper controls and managing risk are the main focus of this group. One statistic Bill shared was from the 2016 PwC Global State of Information Security Survey, which found that 81 percent of respondents attribute security incidents to existing staff, vendors and customers, with current employees the most cited source of incidents. This was an eye-opener for many, since most of us tend to focus on external threats.

A number of attendees came up after Bill's presentation and asked about print-related security risks. This is an area that many companies don't think about, since most of us focus on digital data. One recent survey found that 70 percent of businesses admit to experiencing one or more print-related data breaches. Most of these go unreported, and according to the Identity Theft Resource Center, paper breaches seldom trigger state breach notification laws.

Auditors and risk management professionals are very concerned about meeting regulatory compliance, but also about following internal audit and security rules. There is always the issue of security versus compliance. As one person mentioned, you can meet PCI DSS compliance requirements but still suffer a data breach. A case in point is the major breach at Target in 2013: the company had been certified as meeting the requirements, but was still vulnerable and lost data. As one of the speakers discussed, people are still the weakest element in security. Being compliant doesn't mean you are secure.

Another major discussion area was using analytics to understand what normal behavior looks like in your organization, so that you can recognize what is abnormal. Many companies have weak controls around data access, and it is challenging to separate the noise from the important details when IT and auditors review logs from security tools. Organizations need to establish a baseline of normal data access and then look at how activities deviate from it. This helps pinpoint insider threats as well as suspicious activity from compromised systems.

The event showed the growing need for data-centric security solutions as companies try to mitigate the risk of both external hackers and insider threats to their most sensitive data.

Ron Arden Shows Rochester IIA ISACA IT Conference How to Protect Sensitive Data

Ron Arden, Vice President of Fasoo, Inc., spoke to members of the Rochester Institute of Internal Auditors (IIA) and Information Systems Audit and Control Association (ISACA) at the Hilton Double Tree Hotel in Rochester, NY on December 10, 2015. Ron delivered a presentation on "Data Protection of Sensitive Information" at this annual event and showed attendees how to use Fasoo's enterprise digital rights management to protect sensitive information from insider threats and external attacks by hackers.

Given the constant drumbeat of news on data breaches and cyber security incidents, the attendees were very interested in how to protect sensitive information in their organizations, since ensuring proper controls and managing risk are the main focus of this group. A number of attendees came up after the presentation and asked about protecting very sensitive documents in their companies. I spoke with a gentleman from a retail company who was concerned about protecting contract information shared with their suppliers and, because they have such high employee turnover, was worried about people taking sensitive information with them to competitors.

As discussed during the event, auditors and risk management professionals are very concerned about meeting regulatory compliance, but also about following internal audit and security rules. During one of the panel discussions, attendees and panel members talked about security versus compliance. Someone brought up meeting PCI DSS compliance requirements but still having a data breach. A case in point is the major breach at Target in 2013: the company had been certified as meeting the requirements, but was still vulnerable and lost data. Since many regulations are somewhat vague about how to be compliant, the group talked about using the NIST cybersecurity frameworks, together with GRC tooling such as RSA Archer to track the resulting controls, as ways to ensure security that goes beyond compliance. Being compliant doesn't mean you are secure.

Another major discussion area was using analytics to understand what normal behavior looks like in your organization, so that you can recognize what is abnormal. Many companies have weak controls around data access, and it is challenging to separate the noise from the important details when IT and auditors review logs from security tools. Organizations need to establish a baseline of normal data access and then look at how activities deviate from it. This helps pinpoint insider threats as well as suspicious activity from compromised systems.
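The baseline-and-deviation idea raised at all three of these events (establish what normal data access looks like per user, then flag activity that departs from it) is easy to describe and easy to get wrong in practice, so here is an added, self-contained illustration. This is example code written for this page, not Fasoo's product or anything presented at the events. The log format (ISO timestamp, user, document id, action), the log lines themselves and the thresholds are all constructed assumptions; the technique is per-user baselining of daily distinct-document volume and working hours, with an absolute floor on the volume threshold so that a user whose baseline has zero variance does not trigger on a one-document difference.

```python
"""Per-user baseline and deviation detection over document-access logs.

Constructed example: the log lines below are synthetic and the record
format (ISO timestamp,user,document,action) is an assumption for this
illustration, not any real product's log format.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Synthetic log: ten baseline days of routine activity for two users,
# then one day on which "alice" opens far more documents than usual,
# mostly in the middle of the night.
SAMPLE_LOG = []
for day in range(1, 11):                                   # 2017-01-01 .. 01-10
    for i in range(3):                                     # alice: 3 docs/day, 09-11h
        SAMPLE_LOG.append(f"2017-01-{day:02d}T{9 + i:02d}:15:00,alice,doc-{i},open")
    for i in range(5):                                     # bob: 5 docs/day, 13-17h
        SAMPLE_LOG.append(f"2017-01-{day:02d}T{13 + i:02d}:40:00,bob,doc-{100 + i},open")
for i in range(40):                                        # evaluation day 2017-01-11
    hour = 2 + (i % 3) if i < 24 else 10                   # 24 events at 02-04h, 16 at 10h
    SAMPLE_LOG.append(f"2017-01-11T{hour:02d}:{i % 60:02d}:00,alice,doc-{500 + i},open")
for i in range(5):                                         # bob behaves as usual
    SAMPLE_LOG.append(f"2017-01-11T{13 + i:02d}:40:00,bob,doc-{100 + i},open")


def parse(lines):
    """Turn raw CSV lines into (timestamp, user, document, action) tuples."""
    events = []
    for line in lines:
        ts, user, doc, action = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), user, doc, action))
    return events


def build_baseline(events, start, end):
    """Per user: mean/stdev of distinct documents per day and the set of
    hours in which the user was active, over the baseline window."""
    per_day = defaultdict(lambda: defaultdict(set))        # user -> date -> {docs}
    hours = defaultdict(set)                               # user -> {hours seen}
    for ts, user, doc, _ in events:
        if start <= ts.date() <= end:
            per_day[user][ts.date()].add(doc)
            hours[user].add(ts.hour)
    baseline = {}
    for user, days in per_day.items():
        counts = [len(docs) for docs in days.values()]
        baseline[user] = {"mean": mean(counts), "stdev": pstdev(counts),
                          "hours": hours[user]}
    return baseline


def detect(events, baseline, day, min_sigma=3.0, min_abs=5):
    """Flag users whose activity on `day` deviates from their own baseline.

    Returns (user, reason, value) tuples. Reasons: "volume" when the number
    of distinct documents exceeds mean + max(min_sigma*stdev, min_abs);
    "off_hours" with the count of events outside the user's baseline hours;
    "no_baseline" for users with no history at all (worth a look on its own).
    """
    docs_today = defaultdict(set)
    off_hours = defaultdict(int)
    for ts, user, doc, _ in events:
        if ts.date() != day:
            continue
        docs_today[user].add(doc)
        if user in baseline and ts.hour not in baseline[user]["hours"]:
            off_hours[user] += 1
    findings = []
    for user, docs in docs_today.items():
        if user not in baseline:
            findings.append((user, "no_baseline", len(docs)))
            continue
        b = baseline[user]
        # Absolute floor: a zero-variance baseline (same 3 docs every day)
        # would otherwise fire on a single extra document.
        threshold = b["mean"] + max(min_sigma * b["stdev"], min_abs)
        if len(docs) > threshold:
            findings.append((user, "volume", len(docs)))
        if off_hours[user]:
            findings.append((user, "off_hours", off_hours[user]))
    return findings


def run_example():
    """Baseline on the first ten days, evaluate the eleventh."""
    events = parse(SAMPLE_LOG)
    baseline = build_baseline(events, date(2017, 1, 1), date(2017, 1, 10))
    return baseline, detect(events, baseline, date(2017, 1, 11))


if __name__ == "__main__":
    _, findings = run_example()
    for user, reason, value in findings:
        print(f"{user}: {reason} ({value})")
```

Run as written, the example reports alice twice (40 distinct documents against a baseline of 3, and 24 events outside her 09:00-11:00 baseline hours) and says nothing about bob. In a real deployment the baseline window should be long enough to cover the user's normal weekly and monthly cycle, the thresholds tuned against historical data rather than picked by hand, and the raw findings enriched with context (document sensitivity, HR status, device) before anyone treats them as an insider-threat signal.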

The event showed the growing need for data-centric security solutions as companies try to mitigate the risk of both external hackers and insider threats to their most sensitive data.
