Cyber security assessment for credit unions

Cyber attacks make headlines almost daily.  Once an organization is breached, the spotlight on the issue remains well after the technical issues are resolved.  A breach and the attendant publicity can result in brand damage, breach costs, loss of competitive advantage, and in certain markets loss of the ability to bid for contracts.  Customers may switch their accounts to other providers or not renew contracts.  Companies that provide products or services to other businesses may experience additional requests from their customers regarding IT Security Programs and processes.  Failing to fulfil these requests often results in customers switching their business to other suppliers.  Indeed, given the increase in highly publicized cyber security breaches, breach insurance premiums continue to rise, and reputational damage may be one of the greatest long-term threats.

Information Security Law is also emerging, placing an enormous focus on the executive management team and the board to ensure corporate governance is in place to manage cyber security risk within the organization, not just internally but externally as well.  Company officers, directors and board members may experience an evolving legal obligation to involve themselves in Information Security.  The board must now ensure that an effective enterprise-wide Cyber Security Program, with comprehensive policies and procedures for establishing appropriate accountability and oversight, is developed and implemented.  The IT Security function is no longer primarily responsible for the mitigation of cyber security threats.

The assessment of cyber security risk and preparedness requires both technical and cyber intelligence competencies.  Many midsized organizations do not have the expertise on staff to properly assess their current cyber security “maturity” level and develop a plan to close identified gaps in associated information technology, business processes, policies and procedures, and management.  They struggle with the necessary steps required to design a foundation based upon best practices to mitigate cyber security threats, and demonstrate due diligence to regulators, customers and other interested parties.

The remainder of this article focuses on the Cyber Security Assessment.  The Assessment, when combined with a network penetration test, provides the necessary information to have “fact based” discussions regarding IT Security vendors, changes needed by vendors/partners, and changes needed to internal policies, procedures and management practices.  In succeeding posts we will address next steps, including Cyber Security IT Plan Development, Deployment, Interim CISO Resources and Continuous Improvement.

ASSESSMENT TOOLS

Credit Unions and Banks utilize various Assessment models.  Two are highlighted below.

FFIEC


The FFIEC Cyber Security tool is actually a cyber risk compliance framework that has been developed to assist management and the board in assessing their financial institution’s cyber security risk and preparedness.   The execution of this assessment provides vital information necessary for the development of a Cyber Security Program.  The tool has been designed specifically for the financial services industry, is based on the NIST Cyber Security Framework, and has become a key component of a financial institution’s enterprise-wide governance process.    The results of assessments using this framework are more easily understood given that it uses language and terms familiar to Credit Unions.  The maturity levels have been specifically customized for financial institution products and services offered.  Overall, the FFIEC framework is very accommodating for the credit union environment.

CRR

The CRR Methodology is a non-technical assessment to evaluate an organization’s operational resilience and cyber security practices. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices and provide the foundation for a cyber security strategy.


SHOULD INTERNAL OR EXTERNAL RESOURCES COMPLETE ASSESSMENT?

Both frameworks could be completed by internal resources.  Before taking this step, Credit Unions should first consider whether sufficient competent internal resources are available.  Do the resources have the expertise to perform the Assessment on internal processes and those of Vendors/Partners?  For example, the Assessment may ask for specific data that does not directly translate to the context and titles associated with internal or external documentation.  A trained Assessor can work with the Credit Union and Vendor/Partners to ensure that all relevant data is gathered to complete the Assessment.

“…while internal IT staff may be extremely capable network administrators, they often lack the in-depth security knowledge and experience necessary to perform a comprehensive audit…An external, objective assessment provides access to the experienced professionals with the latest, advanced tools to provide an informative assessment that will be the foundation of a security roadmap.” – North Star Group Blog

Richard Wright

Mr. Wright is a senior technology leader with an extensive background in a multitude of industries. This includes over 25 years’ experience delivering large scale, complex technology solutions in payments, ... Web: www.vertoandassociates.com