This interactive seminar, presented by Kentucky Bankers Association (KBA) and SBS Institute, provides the latest information on evolving threats and what your bank should do to build a strong Information Security Program (ISP). We will identify the components of a comprehensive ISP that enable successful IT examinations and minimize your risk against real-world threats. The program will walk you through various FFIEC and FDIC resources, as well as industry best practices. We will also review the FFIEC Cybersecurity Assessment Tool (CAT) and the 10 common CAT Baseline controls missing in most financial institutions.
Location: WKU Knicely Center, 2355 Nashville Road, Bowling Green, KY
Description: This seminar will walk you through various FFIEC and FDIC resources, as well as other industry best practices. It will also review the FFIEC Cybersecurity Assessment Tool (CAT), and the 10 most-common CAT Baseline controls missing in most financial institutions.
- FFIEC Guidance and GLBA Overview: Banking guidance continues to evolve as our cybersecurity challenges increase. Sometimes it seems that cybersecurity challenges are growing faster than we are evolving. We will review GLBA requirements and highlight some of the newest regulatory requirements from the FFIEC, including the updated CAT. These will establish the foundation of what must be incorporated in our Information Security Programs. We will discuss the FFIEC Information Security Booklet and its 21 security controls; the FFIEC Management Booklet and the roles and responsibilities it outlines for IT Operations vs. Information Security, as well as Senior Management and the Board; and the FFIEC Mobile Financial Services Guidance, which is included in the Retail Payments booklet.
- Cybercrime Trends: Cybercriminals are always searching for innovative ways to steal our data and our money. Sometimes existing techniques are improved, as we have seen with sextortion phishing scams, and sometimes new attack vectors surface, as with ATM Jackpotting and Unlimited Operations. We will explore the following areas to expose the complex and organized nature of cybercrime:
- Phishing Attacks
- System Vulnerabilities
- Business Email Compromise (BEC)
- ATM Fraud
- Top 10 Missing CAT Baseline Controls: The Federal Financial Institutions Examination Council (FFIEC) updated the Cybersecurity Assessment Tool (CAT) in June of 2017, and the CAT continues to be an active part of regulatory exams. Within the CAT, the Baseline controls are a level of security that every financial institution needs to maintain or achieve. We will review the most commonly missed Baseline controls, and how institutions might address those gaps. There are also great new security controls emerging in our industry, and we will explore some of these best practices to fortify our networks.
- FDIC InTREx Overview: FDIC's InTREx (Information Technology Risk Examination) was published in 2016 and is being used by the FDIC, Federal Reserve, and most State banking regulatory departments as an IT exam framework. We will review how InTREx is structured, common challenges, and how to prepare for your next examination by reviewing InTREx. There is a common set of documentation referenced within InTREx, and we will extract those items and review the other controls towards which InTREx guides institutions. We will also compare the FFIEC CAT process against InTREx.
- Information Security Programs: All banks are required to have a written, comprehensive Information Security Program that starts with a risk assessment. This section will overview the primary components of an Information Security Program to ensure your organization has a solid foundation on which to build its information security governance. With a risk-based Information Security Program, there are three major elements: Risk Assessment, Documentation, and Audit. We will explore these three areas, as well as how the risk assessment process drives the creation of documented policies, procedures, and plans that the institution can then implement. We will also discuss how the audit process then provides verification that those controls are both implemented and adequate.
- Cybersecurity Culture and Training Programs: The human element of information security is an increasing target for cybercriminals and is generally considered the weakest area in information security. Security awareness and training on proper protocols are essential elements of good security and regulatory compliance. We will discuss many methods of constructing an adequate security awareness and training program for both employees of your bank and customers of your online products and services. The key elements are awareness of cybersecurity issues, training on what is expected, and clear accountability for the employees and management responsible for protecting customer information. These elements can help establish a lasting culture that includes a passion for protecting customer information and a desire to be successful against cybercrime.
Instructor: Chad Knutson, CISSP, CRISC, CISA
President, SBS Institute
Who Should Attend: This seminar is perfect for Information Security Officers and Information Technology staff, but will also provide great value to Compliance Officers, Auditors, Presidents, and Boards of Directors.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.