OFFICE OF THE STATE BANK COMMISSIONER
INFORMATION TECHNOLOGY AND CYBERSECURITY
COMMITTEE ON GOVERNMENT, TECHNOLOGY AND SECURITY
FEBRUARY 1, 2017
The Office of the State Bank Commissioner regulates all state‐chartered banks, trust companies, mortgage businesses, supervised lenders, credit service organizations, and money transmitters that do business in the State of Kansas.
Our Mission Statement
Ensure the integrity of regulated providers of financial services through responsible and proactive oversight, while protecting and educating consumers.
Our Goals
• ENSURE the fair and reliable supervision of state chartered banks, trust companies/departments, savings and loans, and suppliers of mortgage and consumer credit;
• EDUCATE regulated entities to promote a better understanding of and compliance with governing laws and regulations;
• PROTECT Kansas consumers from unfair or unscrupulous credit practices;
• PRESERVE the dual banking system through chartering of new state banks, maintenance of existing state charters, and equitable regulation of state banks; and
• PROMOTE and MAINTAIN the public's trust in a state financial system.
Our Philosophy
The Office of the State Bank Commissioner embraces equitable treatment of regulated institutions, and strives to maintain the highest ethical and professional standards. We believe the public's reliance upon our regulatory function is of vital importance to our state's economy. We strive to incorporate regulatory responsibilities, education, preservation of the dual banking system, and promote fair and equitable treatment of Kansas consumers and creditors. We undertake our responsibilities and goals with a deep sense of commitment to the State of Kansas, its citizens, and the institutions we regulate.
TODAY’S TOPICS
• Elements of an Information Security Program within financial institutions
• The Office of the State Bank Commissioner’s Information Technology Examination Process
• Cybersecurity Risk
• Bank Self Assessment Tool
• Banker Education
• OSBC In‐House IT Protection
Information Security Program
Evolution of Data Security
Started with Doors, Windows, and a Vault
Evolution of Data Security: Emerging (ATM)
Why Should a Bank Establish an Information Security Program?
• Protect Confidentiality, Integrity, & Availability of Information
• Mitigate Financial Losses
• Prevent Potential Lawsuits
• A security program is required by Insurance Companies
• A security program is required by Law (FDIC Rules and Regulations Part 364, Appendix B)
Information Security Program
Elements of an Information Security Program:
• Governance Structure
• Risk Assessment
• Physical, Technical, & Administrative Controls
• Policies and Procedures
• Audit Program
• Vendor Management
• Incident Response
• Business Continuity/Disaster Recovery Planning
• Ongoing Review of the ISP
Information Technology Examinations
IT Examination Work Program ‐ InTREx
• The OSBC started IT Examinations in 2004.
• In 2016, a new IT examination work program was adopted called Information Technology Risk Examination Program (InTREx)
• InTREx is an update of IT and Operations Risk examination procedures, with a focus on efficiency using a risk‐focused approach.
• InTREx includes a cybersecurity preparedness assessment
• Goals are to ensure financial institution management promptly identifies and effectively addresses IT and cybersecurity risks.
IT Examinations
• InTREx provides a pre‐screening process that allows regulators to rate the level of IT risk in a bank (level A, B, or C). A is the most complex.
• The IT Profile (pre‐screening) focuses on an institution’s IT environment.
• The results of the Profile assist regulators with assigning IT human resources to the examination.
• The OSBC has two IT Specialist positions that focus on Level A and high‐level B examinations.
• The OSBC has 14 field examiners who are cross‐trained on IT and capable of conducting Level B and C examinations.
IT Examination Work Program – InTREx
The scoring profile covers the following topics:
• Core processing – applications for loans, deposits, investments, trust, and general ledger
• Network and wireless network
• Online banking
• Development and Programming
• Software and Services
• ACH
• ATM
IT Examination Work Program – InTREx
The scoring profile covers the following topics (continued):
• Mobile devices (bank and personal)
• Call Center
• Vendors and third‐party contractors
• Servers and server rooms
• Cloud storage
• Cybersecurity program
• Staff and training
IT Examination Work Program
InTREx Core Analysis
• Audit
• Management
• Development and Acquisition
• Support and Delivery
• Information Security Standards
• Cybersecurity
In addition to the above, there are expanded procedures for each topic.
IT Examination Process
• What do you have, and where's the risk?
• How is the risk controlled?
• Does the bank have policies/procedures to govern?
• Audit coverage/testing?
• Audit findings tracked and corrected?
• Effective management/governance processes in place?
• Does the Board provide effective oversight?
IT Examination Ratings
• The OSBC conducts two types of IT Examinations: Complex or Non‐complex
• Examinations will use the full InTREx work program on complex institutions and the modified InTREx work program on less‐complex institutions.
• A non‐complex examination will only receive a Composite Rating (1 to 5). A rating of 1 is the best.
• At complex examinations, examiners will rate the areas of Audit, Management, Development and Acquisition, and Support and Delivery, as well as provide an overall Composite Rating. Each of these will be rated on a scale of 1 to 5.
IT Risk Management
IT Risk Management
What do examiners consider?
• Does the institution possess the proper amount of IT knowledge?
• Has the institution designated an IT Officer?
• Is the IT Officer properly trained?
• Is the IT Officer properly informing the board with an appropriate amount of information that would allow the board to assess risk?
• Are IT reports being included in the board meeting packets?
• The board does not need to specialize in IT, but they need to know enough to assess risk and set overall policy for the institution.
• KEY: Is IT information getting from the backroom to the boardroom?
IT Risk Management
What do examiners consider? (continued)
• Is the board holding management and the IT Officer accountable for any deficiencies that exist?
• Does the bank perform an IT Risk Assessment?
• Is the Risk Assessment properly focused on the bank’s environment?
• Are IT audits being conducted and does the audit scope cover the key risks?
• Is the auditor competent and independent?
• Has the board/management initiated remediation tracking, resolution documentation, and risk assessment updating processes?
Cybersecurity
Cybersecurity – Threat Environment: Vulnerabilities
Technological: Weakness in hardware, software, network, or system configurations
Organizational: Lack of awareness of threats/vulnerabilities, incomplete asset inventories, weaknesses in/over-reliance on third parties
Human: Exploitation of human behavior such as trust and curiosity; lack of effective security awareness training
Physical: Theft, tampering, device failure, or introduction of infected media
Cybersecurity – Threat Environment: Actors
Cyber Criminals - Financially motivated; attacks include account takeovers, ATM cash-outs, and payment card fraud.
Nation States - Attempt to gain strategic advantage by stealing trade secrets and engaging in cyber espionage.
Hacktivists - Maliciously use information technologies to raise awareness for specific causes.
Insiders - Abuse their position and/or computer authorization for financial gain or as a response to a personal grievance with the organization.
Cybersecurity – Types of Attacks
• Phishing e‐mails
• Malware installations (Viruses, Worms, Trojans, Keystroke Logger)
• Patch and Vulnerability Exploits
• Advanced Persistent Threats (APTs)
• Distributed Denial of Service (DDoS)
• Ransomware
• ATM Attacks
Cybersecurity – Regulatory Environment
The OSBC recommends all financial institutions:
• Participate in information sharing through the Financial Services Information Sharing and Analysis Center (FS‐ISAC) or the United States Computer Emergency Readiness Team (US‐CERT)
• Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so risk can be evaluated
• Possess proper IT related policies and follow policy
• Include IT in institution strategic planning
• Formally assess cybersecurity risk
• Ensure management preparedness (oversight, intelligence, controls, external dependency, incident management)
• Align resources and departments so they are communicating
Cybersecurity – Regulatory Environment
The OSBC recommends all financial institutions (continued):
• Require strong vendor management
• Require strong patch management
• Know your customers and customer habits
• Require employee and board training
• Know your law enforcement and regulatory agency contacts should an emergency occur
• Audit the system for validation
• Conduct penetration testing
Highest INTERNAL Risk Areas
• Individual Employees and Directors
• Corporate Culture
• Third party vendors and contractors
• Failure to apply timely patch management
• Using software and technology that is no longer supported
Employee Risk
• Flash drives
• Social websites
• Opening harmful e‐mails or webpages
• Opening redirect web pages that look authentic
• Failure to update devices (patch management)
• Failure to protect devices when away from the workstation
• Failure to create secure passwords
• Cross use of work and personal email
• Cross application of work and personal devices
• Stolen or lost devices
Cybersecurity Assessment Tool
• Financial institutions are required to formally assess cybersecurity risk
• In 2016, the Federal Financial Institutions Examination Council (FFIEC) issued a federal and state joint work project called the Cybersecurity Assessment Tool (CAT)
• Institutions are not required to use the CAT, but must be using something similar
• CAT is a provided resource to assist institutions in assessing risk and thinking through all the IT risk areas
Banker Education
Banker Education
• Kansas is one of 32 states that have held an Executive Leadership Briefing on Cybersecurity to raise awareness and provide information. The OSBC, in conjunction with the Kansas Bankers Association and the Conference of State Bank Supervisors, held a briefing on November 3, 2015.
• Over 3,000 financial institutions’ executives across the United States have attended these sessions since they began in December 2014.
Available Banker Education
• Cybersecurity Assessment Tool (CAT)
• CSBS issued Cybersecurity 101 Resource Guide
• Institutions have access to the examination work program (InTREx)
• FS‐ISAC and US‐CERT
• FDIC has an IT/Cyber Technical Assistant Video Series online
• IT is included in bank director training
• Regulators “train and explain” at examinations
• Industry professionals and consultants are available
• Classes and seminars for IT topics are abundant
Statistics to Consider
• A campaign of just ten e‐mails yields a greater than 90% chance that at least one person will become the criminal’s prey
• 11% of recipients of phishing messages click on attachments
• Estimated cost of a breach is upwards of $254 per record
• Employees are curious, and there is a high likelihood that an employee will introduce a found flash drive into a work computer
• In 38% of cases, it took attackers just seconds to compromise a system
• In 60% of cases, attackers were in within minutes
Statistics to Consider
• In 28% of cases, it took attackers minutes to exfiltrate data
• It sometimes takes weeks & months before a company knows it was hacked
• 25% are targeted attacks / 75% are victims of opportunity
• 89% of breaches have financial or espionage motive
• 99.9% of compromises were more than 1 year after a public warning
• 97% of breaches were avoidable (patch management failures)
• Experts say it is often cheaper to trash all tech after a breach, and start over
OSBC In‐House Security Measures
OSBC In‐House Security Measures
• All portable storage and mobile computing devices, including agency cell phones, laptops, and USB flash drives, are encrypted.
• Electronic transfers of files with institutions are encrypted in transit and encrypted at rest (FDICConnect, OSBC Sharefile).
• Independent security assessments are performed annually, including “ethical hacking” attempts to exploit weaknesses or discover vulnerabilities.
• All PCs are protected by a managed antivirus solution and reputation‐based network filtering.
• Emails containing sensitive information are automatically encrypted during transit. All email communications with federal counterparts are encrypted in transit.
• Network Intrusion Prevention System in place to constantly observe network traffic and automatically respond to security events.
OSBC In‐House Security Measures (continued)
• Primary data center (ISG, Topeka) is monitored 24/7 with strict access controls, a fire suppression system, and a 1,000 gallon fuel generator with an uninterruptible power system.
• Off‐site secondary data center (in Salina) with fail‐over capabilities.
• Monthly off‐site, off‐line encrypted backups of exam reports and licensing database.
• Comprehensive software patching capabilities, ensuring latest security patches for operating system and third‐party applications are deployed to workstations.
• Multiple layers of email security including attachment sandboxing, phishing analysis, and a series of automated and manual checks on external emails that fit suspicious criteria.
Questions from the Committee
• What information is collected, stored, and accessed by the agency?
Personally Identifiable Info (PII), Federal Tax Information (FTI), Criminal Justice Information (CJI), examination data of financial institutions, and other information that assists with licensing and evaluating institutions, including an institution’s volume and assets.
• With whom does the agency share this information?
Federal agencies such as the FDIC and the Federal Reserve Bank, and other States during joint examinations.
Questions from the Committee
• What are your emergency/back‐up plans?
In case of the main data center’s loss of function, a second data center in Salina, KS replicates our production system each day. Email has additional redundancy which could keep email functional even without either data center functioning.
Data backups are performed at various intervals up to hourly. In addition to our normal backup strategy and replication to a second data center, some business‐critical data is also stored on media at a safety deposit box, which rotates monthly.
Questions from the Committee
• Have you gone through a security audit? By whom, when, and with what results?
January 2016 – Conducted by Optiv. They had five medium‐risk recommendations, none in the “High” risk category.
September 2014 – Conducted by Optiv. There were six medium‐risk recommendations, none in the “High” risk category.
Another security audit is scheduled to be conducted in 2017.
Questions from the Committee
• What kind of security training is conducted? By whom? How often? What is covered in the training?
All agency employees must attend yearly training, prepared by the agency. In addition, all employees review and sign an acknowledgement of the agency security policy. This training covers agency policies, social engineering, phishing, internet security, and data security.
Questions from the Committee
• What kind of security training is conducted? By whom? How often? What is covered in the training?
Agency IT staff have attended formal training, equal to or in excess of 40 hours on the following topics. As a result of their training they hold certifications in several of these areas.
Certifications held from CompTIA:
• A+
• Security+
• Network+
Microsoft Windows Server:
• Active Directory
• Server Management
• Network Infrastructure
• Microsoft Windows 7 Enterprise Support
• Microsoft SQL Database Administration
• CCNA (Cisco Certified Network Associate)
• Java Programming Fundamentals
• Transact SQL Programming
• CEH (Certified Ethical Hacker)
• CHFI (Computer Hacking Forensic Investigator)
Legislative Post Audit Study
• During the legislative post audit study of 2014 our agency was found to have 0 Critical Findings and 2 High Findings.
Finding: Lacked formal policy on password rotation, complexity and auditing on encrypted USB drives.
Resolution:
• Added specifics to our current policy on rotation, complexity and auditing.
• All USB drives were reissued passwords with a more complex password. This will occur each year.
• Yearly reissue of encrypted thumb drives for all employees will occur in the future.
• We will complete quarterly random auditing to ensure compliance of retention policy and security.

Finding: Lacked formal policy on conducting background checks on IT staff. Agency had no record of background checks being performed. Three of the four staff had passed background checks independently for data center access.
Resolution:
• Introduced formal policy requiring background checks prior to hiring of IT staff.
• Conducted background checks of existing IT staff.
Division of Banking
Judi M. Stork
Deputy Commissioner
785‐296‐1515
Ken Torgler
Director of Examinations
785‐296‐1379
Division of Consumer and Mortgage Lending
Jennifer Cook
Deputy Commissioner
785‐296‐1532
Mike Enzbrenner
Director of Examinations
785‐296‐1878
Michelle W. Bowman
Bank Commissioner
[email protected]
785‐296‐1520
OFFICE OF THE STATE BANK COMMISSIONER
QUESTIONS?