CYBERSECURITY

NBA Cybersecurity

Why Cybersecurity has become such an issue in regulatory reviews?

In addition to the publicity of high profile cybersecurity issues in the news and the need to keep your institution from being involved in one of those stories, regulatory agencies see increasing need to insure that the institutions are taking steps to protect their information. In June 2013, the FFIEC announced the creation of the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups.

During the summer of 2014, Federal Financial Institutions Examination Council (FFIEC) members piloted a cybersecurity examination work program (Cybersecurity Assessment) at over 500 community financial institutions to evaluate their preparedness.
Financial institutions are critically dependent on IT to conduct business operations. This dependence, coupled with increasing sector interconnectedness and rapidly evolving cyber threats, reinforces the need for engagement by the Board of Directors and senior management, including understanding the institution’s cybersecurity preparedness.

Our Cybersecurity control evaluation and testing programs are the best in the industry and can be tailored to your institution as a total outsource or in partnership with existing Internal Audit programs. As always, NETBankAudit delivers highly technical and specialized auditors and engineers with top shelf tools and techniques. Regulatory compliance is guaranteed with value-add assistance built into every process.

OVERVIEW:
Our Cybersecurity Audits and Control Reviews comply with FFIEC guidance and focus the following key areas to ensure your institution’s ability to identify and mitigate cybersecurity risks:

  • Risk Management and Oversight
    • Governance Structure and Practices
    • Strategic Risk Management
    • Policy and Program
  • Threat Intelligence and Collaboration
    • Personnel Knowledge and Training
    • Cyber Intelligence Integration
    • Information Flow and Assessment
  • Cybersecurity Controls
    • Network Security Controls
    • Infrastructure Patching and Hardening
    • Logging and Monitoring
    • Vulnerability Assessment and Penetration Testing
  • External Dependency Management
    • Risk Assessment and Documentation
    • External Support and Integration
    • Vendor Management and Oversight
  • Cyber Incident Management and Resilience
    • Incident Response and Preparedness
    • Decision Making Structure and Resiliency
    • Cyber Response Experience and Training
    • Contingency Preparation and Insurance

 

Our reviews also include an External Penetration Test including social engineering tactics to gain access to the financial institution’s network, similar to what an intruder would do to gain unauthorized access.  Any successfully established connections from the social engineering or external penetration tests are leveraged to complete internal penetration testing.  These steps include:

  • Public Information Gathering
  • Network Mapping
  • Host Discovery
  • Vulnerability Identification
  • Privilege Escalation
  • Anti-Virus and Intrusion Detection avoidance
  • Attempt Vulnerability Exploits
  • Observations/confirmation that the attack was recognized, and recommendations

 

If your institution is interested in learning more about our approach to Cybersecurity, please contact NETBankAudit at 800-243-0416, extension 507.