Five Goals for Credit Union IT Controls in 2016
The head regulator for the credit union industry has expressed worry that a cyberattack on a credit union vendor could wreak havoc, compromising the integrity of your institution and the trust of your members. But believe it or not, your credit union has more power to thwart an attack than you may realize.
A new Data Breach Investigation Report from Verizon says more than 70 percent of cyberattacks exploit known vulnerabilities that have patches available! But finding and addressing the cracks in your cyber armor requires a team effort between credit union leaders, the board, the IT department, and internal audit.
Here are five key methods for identifying risks and evaluating IT controls at your credit union.
1. Know where your risks reside
Step one is knowing where your credit union is at risk — right now. An IT risk assessment can give you that baseline understanding. While management is responsible for performing the assessment, internal audit should evaluate the risk assessment to verify that it is performed in a thorough and accurate manner. After all, risk assessments are only as good as the effort put into them.
There are many risk assessments in the National Credit Union Administration (NCUA) and Federal Financial Institutions Examination Council (FFIEC) guidance, but the two most important to cybersecurity are the ones found within the Gramm-Leach-Bliley Act (GLBA) and the FFIEC Cybersecurity Assessment Tool.
GLBA information security risk assessment
The GLBA assessment has been required by 12 CFR Part 748 Appendix A since 2001. But many credit unions that I come across do not have this risk assessment or have not updated it in the past 12 to 24 months. The GLBA risk assessment must:
- Document the reasonably foreseeable internal and external threats
- Document the controls that mitigate each threat
- Document the impact and likelihood of the threat given control implementation
- Conclude on the overall sufficiency of the controls
Examiners and vendors can misstate the GLBA risk assessment requirements. Examiners may add requirements to risk assessments based upon IT assets, or they may add requirements to conclude on inherent or residual risks. While these additional requirements may be relevant, they are not addressed in 12 CFR Part 748 and should not be required elements in a GLBA risk assessment. While guidance clearly distinguishes between risk assessment and tests of key controls, vendors can also misstate the difference and refer to their controls testing as a risk assessment. In either case, internal auditors need to master the requirements of the risk assessment and controls testing guidance so they are not erroneously advised.
FFIEC Cybersecurity Assessment
The FFIEC Cybersecurity Risk Assessment guidance was released in June 2015 to help credit unions consistently evaluate cybersecurity controls and practices. The guidance includes a tool to help the effort, which will also be used as an examination aid. While not officially mandatory, credit unions are encouraged to use the tool (or one very similar) to assess the inherent risks and maturity of their cybersecurity program.
The maturity model component of the tool features nearly 500 independent statements about a cybersecurity program. These statements are grouped by domains and sub-domains. Each of these statements is either true or false. The statements are also grouped by maturity levels ranging from baseline to innovative. A credit union’s maturity is measured as the most advanced maturity level for which all statements are true. The most significant weaknesses of the FFIEC assessment tool are inconsistency in how it is completed and a missing validation component to verify that statements are accurate.
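The scoring rule above, as an added example (not part of the original article or the FFIEC tool): statements are tallied per maturity level, and the highest level whose statements are all true, together with every lower level, is the attained maturity. The statements, domain names and evidence values are constructed for illustration, and the cumulative reading (lower levels must also be attained) is taken from the tool's own instructions; the `require_evidence` flag adds the validation step the text says the tool lacks.

```python
from dataclasses import dataclass

# Maturity levels in the order the FFIEC tool uses, least to most mature.
LEVELS = ["baseline", "evolving", "intermediate", "advanced", "innovative"]


@dataclass
class Statement:
    domain: str          # e.g. a domain or sub-domain name
    level: str           # one of LEVELS
    text: str            # the declarative statement being answered
    answered_yes: bool   # management's self-assessment
    evidence: str = ""   # artifact reviewed by internal audit; "" = not validated


def maturity_level(statements, require_evidence=False):
    """Highest level at which every statement, and every statement at each
    lower level, is true. With require_evidence=True a 'yes' answer that has
    no supporting evidence counts as false (assumed validation rule)."""
    attained = "none"
    for level in LEVELS:
        level_stmts = [s for s in statements if s.level == level]
        if not level_stmts:
            break  # assumption: a level with no statements cannot be attained
        for s in level_stmts:
            validated = s.evidence != "" or not require_evidence
            if not (s.answered_yes and validated):
                return attained
        attained = level
    return attained


def unvalidated(statements):
    """Statements answered 'yes' without evidence: the audit follow-up list."""
    return [s.text for s in statements if s.answered_yes and not s.evidence]


# Constructed sample answers (not real FFIEC statement text).
SAMPLE = [
    Statement("Oversight", "baseline", "Board approves the security policy annually.", True, "2015 board minutes"),
    Statement("Oversight", "baseline", "Risk assessment updated within the last year.", True, "GLBA RA dated 2015-09"),
    Statement("Controls", "evolving", "Credentialed vulnerability scans run quarterly.", True, "Nessus reports"),
    Statement("Controls", "evolving", "Penetration test performed in the last 12 months.", True, ""),
    Statement("Controls", "intermediate", "Penetration tests begin with social engineering.", False),
]

if __name__ == "__main__":
    print("self-assessed:", maturity_level(SAMPLE))                         # evolving
    print("validated:   ", maturity_level(SAMPLE, require_evidence=True))   # baseline
    print("follow up:   ", unvalidated(SAMPLE))
```

The gap between the two results is exactly the inconsistency the text warns about: one unsupported "yes" moves the credit union up a full maturity level.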
2. Scan for vulnerabilities
Credit union management is responsible for keeping systems free from known vulnerabilities and insecure configurations. The best tool for this is the vulnerability scanner. Three scanners are routinely rated as the best: Nessus, Nexpose, and Qualys. CLA uses Nessus for scanning because it is routinely rated among the best, is consistently up to date, and is an affordable solution compared to its competitors.
Internal audit should regularly evaluate management’s use of vulnerability scanners through the following two activities:
- Verify that scanning is performed using domain administrator credentials. This method reduces scanning time and the impact of scans on the network, and greatly improves the accuracy of the scan results.
- Evaluate the process and practices used by management to ensure that identified vulnerabilities are either addressed in a timely manner (within 15 to 45 days of discovery) or accepted through written documentation and approval.
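One way internal audit can test the second activity against a scanner export, as an added example that is not from the article or from any scanner vendor: each finding is classified against a remediation window, and anything past its deadline or "accepted" without written approval is listed as an audit exception. The severity windows, field names and findings are constructed for illustration; the windows sit inside the 15-to-45-day range the text gives.

```python
from datetime import date, timedelta

# Assumed remediation windows per severity (days from discovery).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 45}


def finding_status(f, today):
    """Classify one finding. f has keys: id, severity, discovered (date),
    fixed (date or None), accepted (bool), approval (str, who approved)."""
    deadline = f["discovered"] + timedelta(days=SLA_DAYS[f["severity"]])
    if f["fixed"] is not None:
        return "remediated" if f["fixed"] <= deadline else "remediated-late"
    if f["accepted"]:
        # Risk acceptance only counts when it is documented and approved.
        return "accepted" if f["approval"] else "unapproved-acceptance"
    return "overdue" if today > deadline else "open"


def audit_exceptions(findings, today):
    """IDs that internal audit should raise with management."""
    flagged = {"overdue", "unapproved-acceptance"}
    return [f["id"] for f in findings if finding_status(f, today) in flagged]


# Constructed findings, as they might be exported from a scanner.
TODAY = date(2016, 3, 1)
FINDINGS = [
    {"id": "V-1", "severity": "critical", "discovered": date(2016, 2, 1),
     "fixed": date(2016, 2, 10), "accepted": False, "approval": ""},
    {"id": "V-2", "severity": "high", "discovered": date(2016, 1, 15),
     "fixed": None, "accepted": False, "approval": ""},
    {"id": "V-3", "severity": "medium", "discovered": date(2016, 2, 1),
     "fixed": None, "accepted": False, "approval": ""},
    {"id": "V-4", "severity": "high", "discovered": date(2016, 1, 1),
     "fixed": None, "accepted": True, "approval": "CIO, 2016-01-20"},
    {"id": "V-5", "severity": "critical", "discovered": date(2016, 1, 1),
     "fixed": None, "accepted": True, "approval": ""},
    {"id": "V-6", "severity": "medium", "discovered": date(2015, 12, 1),
     "fixed": date(2016, 2, 1), "accepted": False, "approval": ""},
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["id"], finding_status(f, TODAY))
    print("exceptions:", audit_exceptions(FINDINGS, TODAY))  # ['V-2', 'V-5']
```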
3. Simulate a breach with a penetration test
The primary purposes of a penetration test are to demonstrate the potential impact of a targeted attack and to evaluate incident detection and response. To be most beneficial, a test should closely simulate an actual attempted breach. That means the simulated breach is a surprise even to those responsible for detecting and responding to it.
Penetration testing most closely simulates an actual breach when it is initiated through social engineering or when it starts from an employee’s workstation that is assumed to be compromised by social engineering.
Internal audit should be onsite during a penetration test to monitor incident detection and response activities so they do not impact member service or excessively waste limited IT resources. Internal audit should also verify that penetration testing truly simulates a breach and that management receives a report on the penetration testing performed. With the frequency of breaches on the rise, many credit unions are now contracting for penetration testing one to four times per year.
4. Spot your weaknesses
A vulnerability assessment complements penetration testing and vulnerability scanning by identifying weaknesses in your network. Unlike penetration testing, effective vulnerability assessments require IT participation. For the most comprehensive assessment, IT will need to allow access to the network, provide configuration and practice documentation, and show the tester consoles such as those used to manage patching, anti-virus, and more.
Do not be concerned if your security testing partner requests that some controls be disabled to facilitate testing. Because effective security is the composite of multiple layers of controls, some “outer” layers need to be disabled in order to evaluate “inner” layers.
Like looking for a needle in a haystack, vulnerability assessments are less accurate when sampling is used and testing is limited to a subset of systems. So make sure your internal audit group evaluates the depth and breadth of the testing provided by potential testing partners. It is critically important that all systems are evaluated and all key stakeholders are present for the assessment.
5. Get a general controls review
The final area of testing is often referred to as a general controls review (GCR). A GCR evaluates many non-technical controls that contribute to security. For example, a GCR evaluates vendor management, physical security, board oversight of security, core and network access administration, and information security policies.
The good news is that, given sufficient training and experience, many GCR controls could be evaluated by internal auditors, either as a dedicated audit or as a part of regular branch and departmental audits. Internal audit leaders should provide training so auditors can, at a minimum, follow up on GCR findings.
How we can help
These five key methods for identifying risks and evaluating IT controls will not provide a guarantee that a cybersecurity event will be avoided in 2016, but, if performed with rigor, they will greatly reduce the likely impact should an event occur. Contact your CLA advisor to help your credit union understand how vulnerable you are to a breach.