Vantage Consulting LLC

What is Cyber Security

Protection against the potential adverse effects that can arise from the following:
• Disclosure of information to unauthorized individuals.

• Unavailability or degradation of services.

• Misappropriation or theft of information or services.

• Modification or destruction of systems or information.

• Records that are not timely, accurate, complete, or consistent.

Vantage applies the Federal Financial Institutions Examination Council (FFIEC) IT Processes

Corporate Governance 


1. Governance of the Information Security Program 

Management should promote effective IT governance by doing the following:
 
• Establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution’s information and systems. 
 
• Clearly defining and communicating information security responsibilities and accountability throughout the institution. 
 
• Providing adequate resources to effectively support the information security program.

2. Program Risk Identification

Management should develop and implement a process to identify risk.

3. Risk Measurement

Management should develop risk measurement processes that evaluate the inherent risk to the institution.

4. Risk Mitigation

Management should develop and implement appropriate controls to mitigate identified risks.

5. Incident Identification and Assessment

Management should have a process to enable the following:

• Identify indicators of compromise.

• Analyze the event associated with the indicators.

• Classify the event.

• Escalate the event consistent with the classification.

• Report internally and externally as appropriate.

6. Assurance and Testing

Management should ascertain that the information security program is operating securely, as expected, and reaching intended goals by doing the following:

• Testing and evaluating through self-assessments, tests, and audits with appropriate coverage, depth, and independence. 
 
• Aligning personnel skills and program needs. 
 
• Establishing and implementing a reporting process that includes the assembly and distribution of assurance reports that are timely, complete, transparent, and relevant to management decisions.

Examination Procedures 

Determine the quality and effectiveness of the institution’s information security. Examiners should use these procedures to measure the adequacy of the institution's culture, governance, information security program, security operations, and assurance processes. In addition, controls should be evaluated as additional evidence of program quality and effectiveness. Controls also should be evaluated for conformance with contracts, indicators of legal liability, and conformance with regulatory policy and guidance. Failure of management to implement appropriate controls may expose the institution to potential loss from fines, penalties, and customer litigation.
 
These examination procedures (commonly referred to as the work program) are intended to help examiners determine the effectiveness of the institution’s information security process. Examiners may choose, however, to use only particular components of the work program based on the size, complexity, and nature of the institution’s business. Examiners should also use these procedures to measure the adequacy of the institution’s cybersecurity risk management processes.

Copyright Vantage Consulting LLC - All Rights Reserved