5 WSECU Cyber Security Journey for Filene Conf 1-26

Transcription

WSECU Cyber Security Journey
David Luchtel, VP – IT Infrastructure & Operations

Objective of Presentation
•  Share WSECU's journey
•  Overview of WSECU's Security Program approach
•  Overview of WSECU's self-assessment on the new NCUA Cybersecurity Assessment Tool (CAT)

About WSECU
•  2nd largest Washington state based credit union
•  233,000 members and $2.4B in assets
•  550 employees and 20 branches
•  Roots in public services
   –  Original charter: Washington state public employees

Agenda
•  WSECU journey
•  Influencers to our journey
•  WSECU's Security Program
•  CAT self-assessment

Our Journey

Me Too Era (>2014)
•  Goal: Be as good as our peers
•  Benchmark: Pass our audits
•  Feedback loop: What are our peers doing?

Security is a Top Priority Era (2015+)
•  Goal: Protecting member confidential data is a top priority
•  Benchmark: Follow security industry best practices
•  Feedback loop: Test ourselves like hackers do

Influencers to our Journey
•  The world changed
•  Regulators are reacting to the changing world
•  Added expertise
•  Number of breaches over time
•  Number of banking breaches over time
•  Number of payment breaches over time

The World Has Changed (based on the 2014 Verizon Data Breach report)

Attacker Tactics Changed
•  Targeted
•  Sophisticated

How are our Regulators Changing?
•  Responding to public concern
•  Becoming more targeted and sophisticated
•  Developed a new cyber security technical security audit starting in 2H2016
   –  Cybersecurity Assessment Tool (CAT)

Added Expertise
•  David joined WSECU in 2013
•  Sr. Security Engineer in 2014
•  Sr. Security Analyst in 2015

WSECU Security Program Framework
•  Inputs: Regulatory, Program Performance, ERM, Industry, Member Information, Compliance
•  Program: Administrative Controls, Awareness Training, Technical Controls
•  Outputs: Roadmap, Architecture, Assessments, Policies, Incident Plans

Governance Framework
•  Board and Supervisory Committee – responsibilities:
   –  Regulatory compliance
   –  Voice of the member
•  Info Security Governance Committee – responsibilities:
   –  Strategic decisions
   –  Security tone
   –  Alignment to business
   –  Monitor performance
•  Security Program

WSECU Security Roadmap
Timeline columns: 2013, 2015, 2016, 2017, 2019

Priority   Broad Focus Area
HIGH       Vulnerability mgmt
HIGH       Malware mgmt
HIGH       Monitoring/analysis
HIGH       Security training
HIGH       Incident mgmt
MEDIUM     Identity mgmt
MEDIUM     Application security
MEDIUM     Data security
MEDIUM     Security perimeter
LOW        Security governance
LOW        Security architecture
LOW        Evaluate new threats
We Test Ourselves
•  Internally:
   –  Scan our environment monthly
   –  Scan web apps before production
   –  Test our controls
   –  Grade the effectiveness of our controls
   –  End user testing and learning program
•  Hire external experts to test us
   –  Social engineering test
   –  Attempt to hack our systems
•  Self-assess against the NCUA Cybersecurity Assessment Tool (CAT)

NCUA Cybersecurity Assessment Tool (CAT)
•  FFIEC goal – "repeatable and measurable process to inform management of their institution's risk and cybersecurity preparedness"
•  Published July 2015 and will be used by NCUA auditors starting 3Q2016
   –  All agencies of the FFIEC are adopting the tool
•  NCUA has stated that use of the Assessment Tool is not mandatory for FIs
   –  Auditors will be using it for guidance and consistency

Overview of Assessment Tool
•  Two parts to the tool:
   1)  Inherent Risk Profile
       •  5 categories, 39 risk attributes to assess
   2)  Cybersecurity Maturity
       •  5 domains, 493 assessment questions
•  Your Inherent Risk Profile determines your desired maturity level

WSECU Inherent Risk

Inherent Risk Profile (by Category)                       Inherent Risk Level
1. Technologies and Connection Types                      Minimal
2. Delivery Channels                                      Moderate
3. Online/Mobile Products and Technology Services         Least
4. Organizational Characteristics                         Minimal
5. External Threats                                       Minimal
Composite – Inherent Risk Results                         Minimal
WSECU Domain Maturity

Domain                                      Assessment Factor                            Current Maturity   WSECU 2019
1: Cyber Risk Management & Oversight        1: Governance                                Sub-Baseline
                                            2: Risk Management                           Baseline
                                            3: Resources                                 Advanced
                                            4: Training & Culture                        Baseline
2: Threat Intelligence & Collaboration      1: Threat Intelligence                       Evolving
                                            2: Monitoring & Analyzing                    Evolving
                                            3: Information Sharing                       (see note)
3: Cybersecurity Controls                   1: Preventative Controls                     (see note)
                                            2: Detective Controls                        (see note)
                                            3: Corrective Controls                       (see note)
4: External Dependency Management           1: Connections                               (see note)
                                            2: Relationship Management                   (see note)
5: Cyber Incident Management & Resilience   1: Incident Resilience Planning & Strategy   Baseline
                                            2: Detection, Response, and Mitigation       Sub-Baseline
                                            3: Escalation and Reporting                  Intermediate       Intermediate

Note: the ratings transcribed for Information Sharing through Relationship Management (Current Maturity and WSECU 2019 columns, order as transcribed) are: Intermediate, Intermediate, Advanced, Sub-Baseline, Sub-Baseline, Intermediate, Intermediate, Sub-Baseline, Evolving, Sub-Baseline.
CAT Self-Assessment Observations
•  How will CAT be used by the examiners?
•  Did we interpret the ~500 questions the same way as the examiner?
•  CAT is very detailed and prescriptive about "what" we should be doing
•  Getting consensus that we meet the "what"
•  This increases the risk of more technical examiners being prescriptive about "how" our controls meet the requirements
•  Need to meet all requirements to be at a maturity level
•  Board oversight of the Security Program
•  Baseline maturity vs announcement memo

CAT Self-Assessment Lessons Learned
•  Rating scale is based on the FI industry, not CUs
•  No guidance on setting maturity level based on Inherent Risk
•  Will the examiners agree with the domain maturity levels we set?
•  Some maturity categories have a higher bar for Baseline than we expected
•  How will CAT influence or direct your Security Program?

Learnings from our Journey
•  Have a collaborative approach to security focused on the business
•  Have dedicated staff focused on security
•  Use industry best practice frameworks to organize your program
•  Don't assume; test yourself
•  Be prepared to respond
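A worked version of the rating rule on the slides ("need to meet all requirements to be at a maturity level"), written as an added example for this page and not code from WSECU or the FFIEC tool. It assumes the five CAT maturity levels are cumulative, that a level is credited only when every declarative statement at that level and all lower levels is met, and that "Sub-Baseline" (the slide's term) names the state where even the Baseline statements are not all met; the statement counts and answers are constructed sample data.

```python
"""CAT maturity rating per assessment factor (added example, constructed data)."""

# FFIEC CAT maturity levels, lowest to highest.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
SUB_BASELINE = "Sub-Baseline"   # term used on the WSECU slides for "Baseline not met"


def rate_factor(answers):
    """answers: {level: [True/False per declarative statement at that level]}.

    Returns the highest level at which every statement, and every statement at
    each lower level, is met. A single unmet statement caps the rating below
    that level, which is why one gap at Baseline yields Sub-Baseline.
    Assumption: a level with no recorded statements also caps the rating.
    """
    attained = SUB_BASELINE
    for level in LEVELS:
        statements = answers.get(level, [])
        if not statements or not all(statements):
            break
        attained = level
    return attained


def rate_domain(factors):
    """Rate every assessment factor in a domain: {factor name: level}."""
    return {name: rate_factor(a) for name, a in factors.items()}


def gaps_to_target(answers, target):
    """Unmet statements per level at or below the target level, i.e. the
    remediation work before an examiner could credit the target rating."""
    if target not in LEVELS:
        raise ValueError(f"unknown maturity level: {target}")
    needed = LEVELS[: LEVELS.index(target) + 1]
    return {lvl: sum(1 for ok in answers.get(lvl, []) if not ok) for lvl in needed}


# Constructed sample answers for Domain 1 (factor names from the CAT); the
# counts are illustrative and reproduce the ratings shown on the WSECU slide.
DOMAIN1 = {
    "Governance":         {"Baseline": [True, True, False], "Evolving": [True]},
    "Risk Management":    {"Baseline": [True, True], "Evolving": [True, False]},
    "Resources":          {"Baseline": [True], "Evolving": [True], "Intermediate": [True],
                           "Advanced": [True, True], "Innovative": [False]},
    "Training & Culture": {"Baseline": [True, True], "Evolving": [False]},
}

if __name__ == "__main__":
    for factor, level in rate_domain(DOMAIN1).items():
        print(f"{factor:20s} {level:14s} gaps to Evolving: {gaps_to_target(DOMAIN1[factor], 'Evolving')}")
```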