Executive Summary
I reviewed and analyzed the report released by the New York Department of Financial Services (DFS). With cyber-attacks becoming more prevalent, Governor Andrew Cuomo has directed the department to conduct more comprehensive assessments of DFS-regulated banks and financial institutions. The DFS surveyed 154 financial institutions about their information security practices and general IT environment. The results showed that participants had experienced cyber security events, including intrusions that led to account takeovers, of a kind that stronger controls could prevent in the future.
The use of the internet for financial services has become omnipresent, and it is imperative that proper cyber security measures are implemented to mitigate the risks in the information technology environment of financial institutions, in accordance with regulatory requirements. To implement the necessary controls for technology risk, financial institutions in New York are required to have IT audits conducted to identify and address cyber security concerns.
Technology Risk / IT audit is a service line that encompasses the work needed to maintain a strong and secure IT environment, including, but not limited to, network security assessments, penetration testing, logical access controls, allocation of IT system management tasks, and compliance testing against regulations such as GLBA and SOX. Technology Risk Consulting can provide substantial value by having experts assess and evaluate the technology risks in the environment: an in-depth inspection of current IT practices, together with advice on the best methods and solutions for mitigating the risk behind each finding and observation. By collaborating with clients, Technology Risk Consulting provides knowledge and advice that goes beyond merely satisfying the new compliance regulations.
On May 6, New York Governor Andrew Cuomo announced the release of a cyber security report documenting the growing risk and sophistication of cyber-attacks on financial institutions in New York. To counter these risks, Governor Cuomo has directed the Department of Financial Services (DFS) to regularly conduct new, targeted cyber security preparedness assessments of DFS-regulated banks. The growing number of people using the internet for their financial activities has led to a sharp increase in the number of targets for cyber-attacks, which makes assurance over cyber security more important than ever.
“With
today’s growing cyber threats we need to make sure New Yorkers’ finances are
protected from online predators,” Governor Cuomo said. “Targeted cyber security
assessments for banks will better safeguard financial institutions from attacks
and secure personal bank records from being breached. When consumers sign up
for online banking they expect their personal information to be secure and we
are working to make sure financial institutions take the proper precautions to
safeguard it.”
The New York State Department of Financial Services conducted an industry-wide survey in 2013 of the cyber security programs in effect. The survey inquired about the following:
- Information security frameworks,
- Corporate governance regarding cyber security,
- Use and frequency of penetration testing and results,
- Budget and costs associated with cyber security,
- The frequency, nature, cost of, and response to cyber security breaches, and
- Future plans on cyber security.
The report presents the findings of the year-long survey of the 154 banks that the DFS regulates. It found that cyber-attacks have become more sophisticated, with most institutions experiencing intrusions or attempted intrusions. The most commonly reported incidents were account takeovers and identity theft. With such events taking place and the risk of further events present, it is imperative that adequate cyber security programs are in effect and regularly assessed in order to prevent and minimize such malicious activity. According to the report, the majority of the participating banks plan to increase their cyber security spending in the coming years. An increase in cyber security budgets represents a key opportunity for job growth and creation that will contribute to economic development in New York.
The Department of Financial Services has introduced new initiatives to get ahead of the growing cyber threat, in particular a new targeted assessment of DFS-regulated banks' cyber security programs that will supplement the existing DFS examination process. The new assessment adds questions in the areas of IT management and governance, incident response, access controls, network security, vendor management, and disaster recovery.
Technology Risk Consulting provides risk management solutions from the information technology perspective to mitigate cyber security risk. Technology risk services include (but are not limited to) internal and external penetration testing, assessment of logical access controls, network security assessments, evaluation of procedures for outsourcing technology services, and general IT audits.
Internal Hack Penetration Testing
In an internal penetration test, Technology Risk Consulting determines whether an attacker who already has a foothold on the internal network (for example a compromised workstation or a malicious insider) can reach and misuse the organization's internal application systems. The results show how such an intruder could gain access to those systems and what malicious activity could be carried out after a successful intrusion. Industry best practice strongly encourages organizations to include internal penetration testing in their regular cyber security program to confirm that internal networks are properly secured.
External Hack Penetration Testing
External penetration testing exposes what information and systems are vulnerable to intrusion from outside the organization. Technology Risk Consulting penetration testers mimic the actions of an intruder exploiting weaknesses in network security that could compromise the integrity of the IT network. An external penetration test also supports compliance: regulations and supervisory guidance such as GLBA, NCUA, FFIEC and HIPAA require organizations to test their information security programs in order to identify vulnerabilities and address findings of concern accordingly, and the test provides the evidence for that requirement.
Network Security Assessment (NSA)
Network security assessments are central to reviewing a client's IT security controls. The assessment examines IT security policies, IT security management practices and the security architecture, and includes penetration testing. As more regulatory compliance standards come into force, such an assessment is not only required but also benefits clients, who gain assurance that experts have confirmed that the controls in place mitigate the organization's risks.
Logical Access Controls
Logical access controls are the mechanisms used for identification, authentication, authorization, and accountability of access to an organization's program data and key financial information. They protect information assets from unauthorized access, whether local or remote. Through assessment and evaluation of logical access controls, Technology Risk Consulting determines whether the entity's information security policy is current and consistent with industry best practices and IT governance programs, and provides advice and solutions to address any audit findings and observations associated with access controls.
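To make the four components concrete, the following is an added illustration (not code from the DFS report or from Technology Risk Consulting) of a minimal reference monitor in Python. The role-to-permission policy, usernames and resource names are constructed for the example. Identification is the username, authentication is a salted PBKDF2 password check compared in constant time, authorization is a least-privilege role lookup, and accountability is an audit trail that records every allow and deny decision, which is exactly what an auditor reviewing logical access controls expects to find.

```python
"""Added illustration of logical access controls (identification,
authentication, authorization, accountability). Constructed example;
policy, users and resources are hypothetical."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical least-privilege policy: each role gets only what its job needs.
POLICY = {
    "teller":  {"account:read"},
    "manager": {"account:read", "account:update"},
    "auditor": {"account:read", "audit:read"},
}

PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; never store or compare plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes


class AccessControl:
    def __init__(self) -> None:
        self._users: dict[str, User] = {}
        self.audit_log: list[dict] = []  # accountability: every decision is recorded

    def add_user(self, username: str, password: str, role: str) -> None:
        if role not in POLICY:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self._users[username] = User(username, role, salt, _hash_password(password, salt))

    def authenticate(self, username: str, password: str):
        """Identification (username) plus authentication (password).
        Returns a session dict on success, None on failure; both are logged."""
        user = self._users.get(username)
        # Always run the hash so an unknown username costs the same time as a bad password.
        salt = user.salt if user else b"\x00" * 16
        expected = user.pw_hash if user else b"\x00" * 32
        ok = user is not None and hmac.compare_digest(_hash_password(password, salt), expected)
        self._log("login", username, "-", ok)
        return {"user": username, "role": user.role} if ok else None

    def authorize(self, session: dict, permission: str, resource: str) -> bool:
        """Authorization: allowed only if the session's role grants the permission."""
        allowed = permission in POLICY[session["role"]]
        self._log(permission, session["user"], resource, allowed)
        return allowed

    def _log(self, action: str, who: str, resource: str, allowed: bool) -> None:
        self.audit_log.append({
            "action": action, "user": who, "resource": resource,
            "result": "ALLOW" if allowed else "DENY",
        })


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple", "teller")
    session = ac.authenticate("alice", "correct horse battery staple")
    ac.authorize(session, "account:read", "acct-1001")    # teller may read
    ac.authorize(session, "account:update", "acct-1001")  # teller may not update
    for entry in ac.audit_log:
        print(entry)
```

The audit log is the artifact an IT auditor samples: a denied `account:update` by a teller shows the policy is enforced, and a failed login for an unknown user shows the failure path is recorded as well as the success path.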
Evaluate Outsourcing of
Technology Services
According to the DFS report, the majority of banks of all sizes run a mix of in-house and outsourced IT systems. Outsourcing technology services introduces additional risk, because critical information is in a third party's possession. It is important to periodically evaluate the vendor management process in order to mitigate these risks. As part of its IT general controls audit, Technology Risk Consulting examines the client's policies and procedures for dealing with third-party vendors, as well as the service agreements involved. Through evaluation of those contracts, Technology Risk Consulting confirms that the service agreements contain the provisions needed to protect the client and reduce the risks of outsourcing critical IT tasks such as data storage and processing. Technology risk consultants work with clients to identify key findings and provide the best solutions for safeguarding the organization when dealing with vendors.
General I.T. Audit
IT risk in an organization can stem from human error, malicious activity, or gaps in regulatory compliance. It is imperative to identify significant events such as network failures, electronic fraud, and data breaches, because such events can damage the organization's brand, finances, information, and reputation. Those outcomes can in turn lead to liability, loss of business, and failure to reach business goals. The Technology Risk Consulting practice performs an IT general controls review to assess the risks in the client's IT environment. The audit evaluates information privacy and data protection measures, industry regulatory compliance, penetration testing, and cloud computing and social media risk. Additionally, for financial institutions, it tests compliance with GLBA, SOX, HIPAA, and other regulations that require a recurring IT audit.