FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Compliance Frameworks


Upload: west-monroe-partners

Post on 19-Jan-2017


TRANSCRIPT

Page 1: FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Compliance Frameworks

BUSINESS CONSULTANTS

DEEP TECHNOLOGISTS


Page 2

© 2015 West Monroe Partners | Reproduction and distribution without West Monroe Partners' prior consent is prohibited.

West Monroe Partners is large enough to tackle our clients' toughest challenges and nimble enough to adapt to unique requirements with custom solutions.

Established in 2002: founded by a team from Arthur Andersen, West Monroe is a full-service business and technology consulting firm.

People: over 600 career consultants, confident enough to engage in constructive debate and who understand that it's okay to disagree.

Organization: we are 100% employee owned. We answer to our people and our clients only.

Global reach but geographically close: we serve global clients locally by partnering with BearingPoint Europe and Grupo Assa.

Page 3

[Timeline figure, early 2000s to 2015, listing the following recognitions:]

- In 2009 and 2010 named one of Crain's Chicago Business "Best 20 Places to Work in Chicago"
- Named by the National Association of Business Resources one of Chicago's "101 Best and Brightest Companies to Work For" in 2006, 2007, 2008, 2009 and 2012
- In 2008, 2011, 2012, 2013, 2014 and 2015 Seattle Business Magazine named West Monroe "Best Large Company Headquartered Outside Washington"
- From 2010 to 2015 named a "Top Workplace" by the Chicago Tribune
- Named one of Consulting Magazine's "Best Small Firms to Work For" for the second straight year in 2010
- In 2012, 2013, 2014 and 2015 named one of the top Managed Service Providers in North America by MSPmentor
- In 2011 named to Columbus Business First's 2011 "Best Places to Work"
- In 2012, 2013, 2014 and 2015 named one of Consulting magazine's "Best Large Firms to Work For"
- In 2013 and 2014 named to the Great Place to Work "Best Small & Medium Workplaces" list published in FORTUNE magazine
- In 2012, 2014 and 2015 the Puget Sound Business Journal selected West Monroe Partners as a finalist for Washington's Best Workplaces
- Selected for the 2013 "Inner City 100" by the Initiative for a Competitive Inner City (ICIC) and FORTUNE
- In 2008, 2009, 2011, 2012, 2013 and 2015 named by Crain's Chicago Business one of its "Fast Fifty"

Page 4

West Monroe's Security team was built from the ground up by blending deep technologists with a focus on strategic security consulting

We treat security as a component of an overall risk management approach, meaning we focus on strategic solutions and on helping organizations operationalize their security investments

Where most security consultancies address security through tactical assessments and point solutions, we deliver prioritized roadmaps that target the areas that will most effectively improve your security posture and reduce risk

West Monroe Partners: an uncommon blend of business consultants and deep technologists solving security challenges in today's business climate

Page 5

Federal Financial Institutions Examination Council (FFIEC) members:

FRB: Board of Governors of the Federal Reserve System ("the Fed")
OCC: Office of the Comptroller of the Currency
FDIC: Federal Deposit Insurance Corporation
NCUA: National Credit Union Administration
CFPB: Consumer Financial Protection Bureau
SLC: State Liaison Committee, made up of:
  CSBS: Conference of State Bank Supervisors
  ACSSS: American Council of State Savings Supervisors
  NASCUS: National Association of State Credit Union Supervisors

Starting in late 2015, examiners will begin using a new assessment tool, the FFIEC Cybersecurity Assessment Tool (CAT), to better understand risks and controls related to cybersecurity

Page 6

There are two pieces of the FFIEC tool that must be completed, in order:

1. Inherent Risk Profile, rated across five categories: Technologies and Connection Types; Delivery Channels; Online/Mobile Products and Technology Services; Organizational Characteristics; External Threats
2. Cybersecurity Maturity, assessed across the tool's five domains (Cyber Risk Management and Oversight; Threat Intelligence and Collaboration; Cybersecurity Controls; External Dependency Management; Cyber Incident Management and Resilience)

Page 7

The Cybersecurity Maturity profile worksheet is hierarchically structured, like most compliance frameworks:

Domain > Assessment Factor > Component > Maturity Level > Declarative Statement

Each declarative statement is answered Yes or No, and the maturity levels run Baseline, Evolving, Intermediate, Advanced, Innovative. A level counts as attained only when every statement at that level and at all lower levels is answered Yes.

Page 8

By combining the information from the Inherent Risk and Maturity profiles, gaps can be assessed

[Figure: worked gap example with callouts 1, 2 and 3; a row of five counts (3 8 21 7 0) and a column of declarative statements answered Y/N survive from the image]
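As an added example (not code from the deck, from West Monroe, or from the FFIEC tool), the following Python scores one domain's maturity from Yes/No declarative-statement answers using the CAT's cumulative rule and lists the statements standing between the institution and the target level implied by its inherent risk. The five maturity levels and the domain names are the CAT's; the statement texts, the answers and the risk-to-target table are constructed for illustration and are labelled as such in the code.

```python
# Added example, not from the West Monroe deck or the FFIEC tool: scoring CAT
# maturity from Yes/No answers and listing the gap to a risk-driven target.
from dataclasses import dataclass

# The CAT's five maturity levels and five inherent-risk levels, lowest first.
MATURITY = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
INHERENT_RISK = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# ASSUMPTION: the CAT only says maturity should rise with inherent risk; the
# target per risk level below is a constructed policy, not the tool's table.
TARGET_FOR_RISK = dict(zip(INHERENT_RISK,
                           ["Baseline", "Baseline", "Evolving", "Intermediate", "Advanced"]))


@dataclass(frozen=True)
class Statement:
    """One declarative statement, keyed by the worksheet hierarchy:
    Domain > Assessment Factor > Component > Maturity Level > Statement."""
    ident: str
    domain: str
    factor: str
    component: str
    level: str
    text: str


# Constructed sample: domain names are the CAT's, but the statements are
# paraphrased placeholders (not the tool's wording) and far fewer than the real set.
D1, D2, D3 = ("Cyber Risk Management and Oversight",
              "Threat Intelligence and Collaboration",
              "Cybersecurity Controls")
STATEMENTS = [
    Statement("D1-B1", D1, "Governance", "Oversight", "Baseline", "Board approves the information security program"),
    Statement("D1-B2", D1, "Governance", "Oversight", "Baseline", "Management reports security status to the board"),
    Statement("D1-B3", D1, "Risk Management", "Risk Assessment", "Baseline", "A risk assessment is performed at least annually"),
    Statement("D1-E1", D1, "Governance", "Oversight", "Evolving", "Board has a member with cybersecurity expertise"),
    Statement("D1-E2", D1, "Risk Management", "Risk Assessment", "Evolving", "Risk assessment covers third-party connections"),
    Statement("D1-I1", D1, "Governance", "Oversight", "Intermediate", "Cyber risk appetite is formally stated and monitored"),
    Statement("D1-A1", D1, "Governance", "Oversight", "Advanced", "Cyber risk is integrated into enterprise risk metrics"),
    Statement("D1-N1", D1, "Governance", "Oversight", "Innovative", "Board drives industry-wide governance practices"),
    Statement("D2-B1", D2, "Threat Intelligence", "Threat Intelligence", "Baseline", "Threat alerts from FS-ISAC or regulators are received"),
    Statement("D2-E1", D2, "Threat Intelligence", "Threat Intelligence", "Evolving", "Threat intelligence is reviewed for applicability"),
    Statement("D2-I1", D2, "Threat Intelligence", "Threat Intelligence", "Intermediate", "Threat feeds are automated into monitoring tools"),
    Statement("D2-A1", D2, "Threat Intelligence", "Threat Intelligence", "Advanced", "Intelligence is shared back to peers and the sector"),
    Statement("D2-N1", D2, "Threat Intelligence", "Threat Intelligence", "Innovative", "Institution leads sector threat-sharing initiatives"),
    Statement("D3-B1", D3, "Preventative Controls", "Access and Data Management", "Baseline", "Privileged access is reviewed and restricted"),
    Statement("D3-E1", D3, "Preventative Controls", "Access and Data Management", "Evolving", "Privileged sessions are logged and monitored"),
]

# Constructed answers: True = Yes, False = No (the Y/N column on the worksheet).
ANSWERS = {
    "D1-B1": True, "D1-B2": True, "D1-B3": True, "D1-E1": True, "D1-E2": False,
    "D1-I1": True, "D1-A1": False, "D1-N1": False,
    "D2-B1": True, "D2-E1": True, "D2-I1": True, "D2-A1": False, "D2-N1": False,
    "D3-B1": False, "D3-E1": True,
}


def level_summary(domain, statements=STATEMENTS, answers=ANSWERS):
    """(answered Yes, total) per maturity level for one domain, lowest level first."""
    counts = {lvl: [0, 0] for lvl in MATURITY}
    for s in statements:
        if s.domain == domain:
            counts[s.level][1] += 1
            counts[s.level][0] += 1 if answers.get(s.ident, False) else 0
    return {lvl: (met, total) for lvl, (met, total) in counts.items()}


def attained_level(domain, statements=STATEMENTS, answers=ANSWERS):
    """Highest level whose statements, and every lower level's, are all Yes.
    The CAT is cumulative: a Yes at Intermediate earns nothing while an
    Evolving statement is still No. Returns None if Baseline itself is unmet."""
    attained = None
    for lvl, (met, total) in level_summary(domain, statements, answers).items():
        if total == 0 or met < total:
            break
        attained = lvl
    return attained


def gap_report(domain, inherent_risk, statements=STATEMENTS, answers=ANSWERS):
    """Compare attained maturity with the target implied by inherent risk and
    list every No statement that must flip to Yes to reach the target, lowest
    level first: the per-statement gap list the worksheet alone does not give."""
    target = TARGET_FOR_RISK[inherent_risk]
    current = attained_level(domain, statements, answers)
    target_idx = MATURITY.index(target)
    current_idx = MATURITY.index(current) if current else -1
    needed = set(MATURITY[: target_idx + 1])
    unmet = sorted((s for s in statements
                    if s.domain == domain and s.level in needed
                    and not answers.get(s.ident, False)),
                   key=lambda s: MATURITY.index(s.level))
    return {"domain": domain, "current": current, "target": target,
            "levels_short": max(0, target_idx - current_idx), "unmet": unmet}


if __name__ == "__main__":
    for domain in (D1, D2, D3):
        r = gap_report(domain, "Significant")
        print(f"{domain}: attained={r['current']} target={r['target']} "
              f"short by {r['levels_short']} level(s)")
        for s in r["unmet"]:
            print(f"  [{s.level}] {s.ident} {s.factor}/{s.component}: {s.text}")
```

Run against the constructed sample, the Cyber Risk Management domain comes out at Baseline against a Significant-risk target of Intermediate, and the only item on the gap list is the one unmet Evolving statement, even though an Intermediate statement is already answered Yes: that is the cumulative rule at work. The Cybersecurity Controls domain shows the other edge case, a No at Baseline, which leaves the domain with no attained level at all. The per-statement list is the detailed gap analysis the deck notes the CAT worksheet lacks on its own.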

Page 9

On its own, use of the FFIEC CAT has clear strengths and weaknesses

Strengths:
- Easy to conduct
- Ordained by regulators
- Good coverage
- Contextual
- Thoroughly mapped

Weaknesses:
- Lack of detailed gap analysis
- Little flexibility
- Hard for non-technologists to digest
- Difficult to represent findings

Page 10

Depending on the ability of your organization to respond to regulatory guidance, additional support or use of alternate frameworks may help

Page 11

The NIST Framework Core identifies the key Categories and Subcategories under each Function and maps them to Informative References

Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.

Subcategories further divide a Category into specific outcomes of technical and/or management activities.

Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory.

Function > Category > Subcategory > Informative References

Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications

Page 12

The FFIEC Cybersecurity Assessment Tool directly aligns with the NIST Cybersecurity Framework

NIST Framework: Industry Alignment

The FFIEC Cybersecurity Assessment Tool (FFIEC CAT) includes a statement-by-statement, page-by-page mapping between the NIST Cybersecurity Framework (NIST CSF) and the CAT's declarative statements, so evidence gathered for one can be reused for the other.

[Figure: example of the NIST CSF mapping to the FFIEC CAT, side by side; the image is not reproduced in this transcript]

Page 13

The Core of the NIST Cybersecurity Framework further aligns to other Frameworks

NIST Framework: Industry Alignment

Organizations with successful implementations of the NIST CSF can benefit from its synergy with other Frameworks.

The NIST CSF Core contains Informative References, which are specific sections of other Frameworks that illustrate a method to achieve the outcomes associated with each of the Core's Subcategories.

Example of the NIST CSF Core referring to other Frameworks (one row of the Core):

Function: IDENTIFY (ID)
Category: Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried
Informative References:
  CCS CSC 1
  COBIT 5 BAI09.01, BAI09.02
  ISA 62443-2-1:2009 4.2.3.4
  ISA 62443-3-3:2013 SR 7.8
  ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
  NIST SP 800-53 Rev. 4 CM-8

Page 14

By assessing both the current-state and desired-state profiles, an organization can determine the most impactful areas of focus

[Figure: two radar charts, current state and desired state, over the six functions of the NIST / WMP Framework (Govern, Identify, Protect, Detect, Respond, Recover), each scored on the PRISMA scale: Policies, Procedures, Implementation, Testing, Organizational Integration]

Govern is West Monroe's addition to the five Functions of NIST CSF 1.0; NIST itself added a Govern Function only later, in CSF 2.0 (2024).

Page 15

The NIST framework can be leveraged to monitor and objectively evaluate an organization's security maturity and associated progress

Function    Current Rating    Desired Rating
GOVERN      1.5               3.6
IDENTIFY    1.1               3.5
PROTECT     1.4               3.5
DETECT      1.4               3.2
RESPOND     1.5               3.5
RECOVER     1.2               3.1

[Figure: radar chart of the same current and desired ratings over the six functions Govern, Identify, Protect, Detect, Respond, Recover, with legend]

Page 16

At the end of the day, regulators will demand more than a completed checklist

Page 17

Questions & Discussion

JERIN MAY Director - Infrastructure and Security - Seattle Desk 206.905.0209 Cell 206.920.0958 [email protected]

ROSS MILLER Manager – Infrastructure and Security - Seattle Desk 206.905.0167 Cell 517.525.1843 [email protected]