Information Security Officer Cybersecurity Advisor
As institutions grow and the regulations surrounding information technology and cybersecurity increase, maintaining an information security program can be overwhelming. From vendor management to risk assessment, information security training for staff, IT committee meetings, and disaster recovery, the list goes on and on, and the knowledge and time that must be devoted to information security only continue to increase.
We have developed this program to assist financial institutions with developing and/or maintaining a strong information security program. Whether your financial institution is looking to have an expert there to guide and train current staff in the ISO role or whether the institution is seeking permanent information security advisory services, this program can fill multiple objectives. As a cybersecurity and IT audit company with over 200 banking clients, we have seen successful and unsuccessful programs; our objective is to bring this knowledge to each financial institution we work with to better their programs.
We will provide direct assistance in some cases; ultimately, however, a strong information security program must be built on decisions made by the financial institution. We will therefore provide expert guidance to help the institution make the best possible decisions to mitigate risk and to document the management of customer information and information systems. We will also act as a trusted advisor, providing templates, tools, education, and expertise to strengthen the institution's knowledge and management of cybersecurity risk.
We propose assistance with the institution to complete the following tasks on an annual basis:
- Assist with the maintenance (and design if needed) of the bank’s IT risk assessment
- Assist with the maintenance (and design if needed) of the bank’s written Information Security Program
- Assist with completion of the FFIEC Cybersecurity Assessment Tool
- Assist with understanding new regulatory guidance as it is published, as well as new risks
- Conduct annual information security training for both staff and Board (onsite)
- Assist with ongoing information security awareness training / reminders to staff; if KnowBe4 is implemented, we will utilize this for some ongoing awareness training.
- Assist with changes to disaster recovery, business continuity or pandemic plans
- Facilitate disaster recovery roundtable discussions annually, including the following:
  - Disaster recovery testing (e.g., loss of a location)
  - Contingency testing (e.g., loss of a single system)
  - Pandemic testing (e.g., loss of a randomized 30% of staff)
- Facilitate annual incident response roundtable testing
- Assist with performing vendor management due diligence of critical and medium-risk vendors
  - Critical vendor due diligence annually
  - Medium-risk vendor due diligence every 2 years
  - Implementation of vendor sign-in sheets
- Assist with risk assessing new products, services, vendors, etc.
- Participate in quarterly IT committee meetings
- Provide framework for performing an annual GLBA report
- Perform periodic internal security assessments (these would be considered independent scans since we are not performing patch management)
- Perform periodic external security assessments (these would be considered independent tests as we are not responsible for patching or updating or monitoring firewalls)
- Perform quarterly social engineering attacks (these could be phishing, phone, USB drops, etc.)
- Assist in completing quarterly firewall rules reviews
- Monthly review of IT reports, including the following:
  - Patch management reports
  - Firewall reports
  - Remote access reports
  - Software inventory reports (see the software inventory item below)
- Email hardening package (in some cases, full email hardening might require additional purchase)
- Assist with annual user access reviews, including initial set up of matrix establishing who has access to what
- Perform a software inventory (to be reviewed monthly with the client)
  - Note: this requires an additional licensing fee, as well as an additional charge for setup. PDQ Inventory pricing is approximately $500.
- Assist with IT auditor selection for annual IT general controls reviews
- Implement log event monitoring (LEM) on internal critical servers (optional)
  - Note: this would require an additional licensing fee (approximately $595 per year), as well as an additional charge for setup (approximately $2,000).
  - Additional storage may be required, which could potentially increase cost.
  - ManageEngine EventLog Analyzer or a similar solution will be utilized.
  - Additional options are available as needed (e.g., Active Directory monitoring).
  - The bank would receive alerts directly.
We will provide direct assistance in many cases; however, in cases where direct conversations are required (e.g., with vendors or the bank’s network support vendor), we will rely on the bank to facilitate those conversations and provide us with responses back. Additionally, from a regulatory perspective, we do not guarantee ratings. Some discussions may involve future purchases as part of the bank’s information security program and would not be included in our pricing.
IT Risk Assessment
The FFIEC has stated that financial institutions must maintain an ongoing information security risk assessment program that effectively:
- Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
- Analyzes the probability and impact associated with the known threats and vulnerabilities to their assets; and
- Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation.
A sound IT risk assessment helps an organization identify gaps and risks to its information and infrastructure assets. The Secure Guard Consulting IT risk assessment methodology leverages extensive regulatory and IT experience and expertise to identify gaps and classify the inherent risks that an organization faces.
Secure Guard Consulting will develop a comprehensive IT risk assessment. This process will be mostly performed in conjunction with bank personnel in order to facilitate understanding. Additionally, the bank will be able to update, add, and delete data from the risk assessment based on future technology changes.
Generally, the IT risk assessment development process is as follows:
- Identify all information and infrastructure assets (e.g., PCs, Servers, BYOD, Wire Transfer, etc.)
- Identify pertinent risks
- Assign probability
- Assign impact
- Compute inherent risk
- Assign overall GLBA asset value
- Compute composite risk
- Identify general controls
- Cross reference policies and procedures
- Assign residual risk
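As an added illustration of the steps above (example code written for this page, not a tool from Secure Guard Consulting), the following Python risk register carries constructed assets through each step. The 1 to 5 probability and impact scales, the 1 to 3 GLBA asset value scale, the multiplicative scoring, the control-effectiveness model, and the rating thresholds are all assumptions; an institution would substitute its own scales.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    policy_ref: str        # cross-reference to the written policy/procedure
    effectiveness: float   # assumed: fraction of risk removed, 0.0 to 1.0


@dataclass
class Risk:
    asset: str
    threat: str
    probability: int       # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int            # assumed scale: 1 (negligible) .. 5 (severe)
    glba_value: int        # assumed scale: 1 (no customer data) .. 3 (NPI)
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:            # step: compute inherent risk
        return self.probability * self.impact

    def composite(self) -> int:           # step: weight by GLBA asset value
        return self.inherent() * self.glba_value

    def residual(self) -> float:          # step: apply general controls
        # Controls treated as independent: remaining = prod(1 - e_i)
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(self.composite() * remaining, 1)


def rating(score: float) -> str:
    """Assumed thresholds on the 1..75 composite scale."""
    return "High" if score >= 30 else "Moderate" if score >= 8 else "Low"


def prioritize(risks: List[Risk]) -> List[Dict]:
    """Rank the register by residual risk, highest first."""
    rows = [{"asset": r.asset, "threat": r.threat, "inherent": r.inherent(),
             "composite": r.composite(), "composite_rating": rating(r.composite()),
             "residual": r.residual(), "residual_rating": rating(r.residual()),
             "policies": sorted({c.policy_ref for c in r.controls})} for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


SAMPLE_REGISTER = [   # constructed sample data, not from any real institution
    Risk("Wire transfer system", "Fraudulent wire request (CATO)", 3, 5, 3,
         [Control("Dual control on outgoing wires", "Wire Transfer Policy", 0.6),
          Control("Callback verification", "Wire Transfer Policy", 0.5)]),
    Risk("Employee PCs", "Malware delivered by phishing email", 4, 3, 2,
         [Control("Email filtering", "Malicious Code Prevention", 0.5),
          Control("Security awareness training", "Security Awareness Training", 0.3)]),
    Risk("Public web site", "Defacement", 2, 2, 1, []),
]
```

Running `prioritize(SAMPLE_REGISTER)` shows the wire system rated High on composite risk but Moderate after its documented controls, which is the gap the residual-risk step is meant to expose.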
IT Policy Development
Secure Guard Consulting's approach to policy development is simple; policies should be short, concise, and to the point, yet they should provide ample guidance for the protection of an organization's information and infrastructure assets. Whether an organization is developing new policies and procedures, or enhancing existing ones, Secure Guard Consulting can help.
The scope of the policy development will be to streamline or condense existing policies, or to rewrite policies so that they identify security measures and controls for the information and infrastructure assets identified in the risk assessment. The developed policies should be easy to read, to the point, and able to withstand both state and FDIC regulatory scrutiny. Sample areas that will be covered include (where applicable):
- Information Security Program
- IT Risk Assessment
- Document security
- Change management
- Audit program
- Network remote access
- System logging and monitoring
- Separation of duties
- IT management
- Internet banking (including CATO)
- Web site
- Systems authentication
- Network services
- Electronic funds transfer (EFT)
- Incident response
- Core banking system
- Security awareness training
- IS/IT policies and procedures
- Wire transfer
- Automated Clearing House (ACH)
- Customer identification procedures
- Backup procedures
- Branch/Remote capture
- Information Security Strategy
- Access Controls
  - Network Access
  - Application Access
  - Remote Access
- Physical and Environmental Safeguards
- Patch Management
- Malicious Code Prevention
- Configuration and Change Control
- Personnel Security
- Data Security
- Service Provider Oversight / Vendor Management
- Business Continuity / Disaster Recovery
- Security Monitoring / Firewall Administration
- GLBA Compliance
Secure Guard Consulting works with you to develop a recovery program tailored to your business that allows you to create, maintain, and execute a business continuation plan effectively. We take a common-sense approach to disaster recovery, applying industry standards in a way that encourages sound disaster recovery development practices.
Our disaster recovery planning includes the following:
- Disaster Recovery risk assessment.
- Disaster Recovery business impact analysis.
- Disaster Recovery plan.
- Disaster Recovery plan walkthrough and testing.
Banks should consider adopting a risk management program for all vendors (IT and non-IT), proportionate to the level of risk each vendor presents, so that the bank can identify those risks and take the steps necessary to manage those relationships.
Secure Guard Consulting's vendor management services are designed to assist banks in developing or enhancing their vendor management programs to address increasing risks. Our consulting services help banks address the following areas:
- Risk assessment
- Due diligence
- Ongoing monitoring
- Proper documentation and reporting
- Nondisclosure/Confidentiality agreements
Corporate Account Takeover (CATO)
Corporate account takeover is a type of fraud where thieves gain access to a business’ finances to make unauthorized transactions, including transferring funds from the company, creating and adding new fake employees to payroll, and stealing sensitive customer information that may not be recoverable.
Cyber thieves target employees through phishing, phone calls, and even social networks. It is common for thieves to send emails posing as a bank, delivery company, court or the Better Business Bureau. Once the email is opened, malware is loaded on the computer which then records login credentials and passcodes and reports them back to the criminals.
Our CATO consulting involves assisting banks with the following:
- CATO Risk assessment
- CATO Board Reporting
- CATO Incident Response
- Checklists for customer onsite visits