How to Use New CSBS Cybersecurity Examination Tool
Any nonbank institution looking to protect against, mitigate and respond to cybersecurity threats should take advantage of the Conference of State Bank Supervisors’ (CSBS) new cybersecurity examination tool.
Unveiled during the Nationwide Multistate Licensing System Annual Conference in February, the resource is designed for state regulators to use during examinations, and for organizations to self-evaluate cyber risk management in preparation for regulatory enforcement.
The tool is meant to be a baseline assessment, specifically targeted to “less complex and lower risk” institutions including fintech and payment companies, though it is applicable to all nonbank institutions. A tool designed for more complex institutions could be released in Q2 2021.
Establishing a General Cybersecurity Profile
The tool provides a list of questions for an organization to consider in order to assess its general cybersecurity profile. Organizations are urged to respond “Yes” or “No”, or to leave comments, for any of the following questions that apply to them:
Does the institution have an employee(s) with the designated responsibility of implementing an information security program?
Does the institution have a list of all audits (including the name of the auditor and the date completed) performed in the last 24 months in relation to information technology and information security?
How many people does the institution employ?
How many branches and/or locations does the institution operate?
Is activity conducted internationally? If so, in what countries?
Are online transactions performed or enabled?
Is the institution subject to Payment Card Industry (PCI) compliance? If so, what is the institution’s PCI compliance level?
Has the institution received a SOC 2 Type 2 audit? If so, obtain a copy of the report.
What is the daily transaction volume?
What is the average transaction dollar volume?
What is the transaction origination source/channel?
Does the institution manage its own datacenter?
Is any development performed in-house including front end UI, middleware/API, and backend data manipulation?
How many servers?
How many PCs?
Have any cybersecurity incidents occurred in the past 24 months? If yes, how many?
Are cloud services used?
After establishing a sense of their overall cybersecurity program, organizations should consider more specific questions for the examination itself. These questions are expansions of the five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover.
Identify
The Identify Function is used to help an organization further understand its internal cybersecurity landscape, including business context, resources and risks. Things to consider include:
How are resources allocated across the institution? What are the IT and information security budgets and where does the money primarily go?
Does the institution have dedicated cybersecurity resources with appropriate job titles and areas of responsibility? Does management have a program to ensure employees are up to date with emerging issues and technologies?
Is the institution’s information security program formally documented and reasonably designed to:
(1) Ensure the security and confidentiality of customer information
(2) Protect against any anticipated threats or hazards to the security or the integrity of such information
(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Does the Information Security program designate an employee or employees to coordinate the information security program? If so, request their name and contact information.
Is there a documented Risk Assessment process that includes inherent and residual risk identification?
Does the institution have an up to date data flow diagram that shows the flow and storage of personally-identifiable information throughout its lifecycle?
How does the institution make sure it employs trustworthy third parties? Does the institution perform due diligence before entering into a contract? Is there an active vendor management program and/or methodology?
Are up-to-date contracts in place? Do vendor contracts require service providers to implement and maintain appropriate information security safeguards?
If a vendor has access to the institution’s network, does the IT staff monitor their access? Is access limited to business needs?
Does the institution maintain an inventory of all approved hardware and software assets?
Protect
The Protect Function considers the safeguards in place to limit and contain cybersecurity threats. Things to consider include:
If an institution develops its own software, does it follow a documented Software Development Life Cycle and conduct security testing? Is a formal project management process followed?
Are written policies and procedures in place for the secure destruction and disposal of physical and electronic records containing sensitive information?
Is information security awareness training provided to all employees as part of initial training for new users and annually thereafter?
Are appropriate access controls in place for employees, consumer accounts and portals?
How does the institution determine who needs access to what data/information?
Is there an employee departure checklist that documents all exits, regardless of the reason the employee is leaving? Are user accounts disabled for employees who have left the institution or changed job responsibilities?
How is remote access managed for employees, board members, vendors, and customers? What measures does an institution take to provide remote access in a secure manner?
What access controls are in place for customer accounts and/or portals?
Are there different password requirements for employees vs. customers?
Are customers required to use multifactor authentication? How many failed login attempts are permitted before a user must reset their password?
Are the business continuity and disaster recovery plans tested at least annually? Does testing include both systems and personnel using different testing methods such as failovers and tabletop testing?
Does the institution have a data backup program in place? Is data backed up regularly and tested?
Are remediation plans developed to address gaps identified during the testing? Are these efforts tracked and reviewed regularly?
Does the institution have an incident response plan that establishes specific procedures for different types of incidents?
Does the institution have a firewall? How is it monitored? Are firewall rules regularly reviewed?
Is malicious code protection deployed on all workstations and servers?
Detect
The Detect Function outlines how to identify the occurrence of a cybersecurity event. Things to consider include:
Is the scope and frequency of IT audits appropriate for the size and complexity of the institution? Are audit plans driven by the institution’s risk assessment process?
Does the institution have a process for tracking issues identified during testing, monitoring, auditing, and regulatory examinations?
Are key IT controls identified during the risk assessment process regularly tested or monitored? Does the institution engage a third party or internal resources to measure their effectiveness?
Are vulnerability or penetration scans conducted? How often? By whom? What, exactly, is scanned?
Are information systems monitored for potential anomalies or security incidents?
Are event logs collected or stored in a centralized location for later review?
Is employee user activity monitored in accordance with an Acceptable Use Policy?
Respond
The Respond Function details action to take in the case of a cybersecurity event. Things to consider include:
Are the business continuity/disaster recovery plans documented and appropriate for the size and complexity of the institution? Do they include an adequate business impact analysis and risk assessment?
Are the business continuity/disaster recovery plans reviewed, tested, and updated at least annually or when significant changes occur?
Is there a communication plan in place for contacting employees, vendors, regulators, municipal authorities, emergency response personnel?
Is there a plan in place for notifying customers? Does the notification plan follow all appropriate regulations and requirements?
Is the Incident Response Plan reviewed, tested, and updated at least annually?
When was the last time an incident occurred? How did the institution handle it? Are all incidents mitigated?
Recover
The Recover Function covers how to restore capabilities and services impaired by a cybersecurity event. Organizations are encouraged to conduct tests that confirm they can successfully restore information from backups and resume business operations.
A full list of both the Cybersecurity Profile and the Baseline Cybersecurity Exam Program can be downloaded here.
The CSBS also advises institutions to have certain documents on file in case of a request from a state regulator. A full list can be found here, but some of the big ones include:
All policies that make up the information security program, such as anti-virus, vendor management, encryption, data backups, and data retention;
Information security training materials, including completion records for employees;
Materials to support Board discussion of risk acceptance;
Network and data flow diagrams;
Inventory of approved hardware and software assets, including network monitoring tools;
Written vulnerability and patch management policies and procedures;
IT Audit policy, schedule, risk assessment and plan;
IT audit reports, engagement letters and remediation actions for the past 24 months;
List of third-party vendors and documentation of their compliance with the vendor management program (contracts, due diligence, financial statement reviews);
Incident response plan;
List of security incidents in the last 12 months;
Password, screen lockout and session expiration settings for all systems;
Written procedure for remote access of customers and employees;
Description of cloud services, core applications and network monitoring activities used by the company.