[BreachExchange] How FDIC rebounded from major cyber incidents

[Audrey McNeil]

https://federalnewsradio.com/ask-the-cio/2018/03/how-fdic-
rebounded-from-major-cyber-incidents/

Two years after the Federal Deposit Insurance Corporation endured as many
as six cyber incidents over the course of eight months, the changes in
policies and procedures have demonstrated success.  But with cybersecurity,
every chief information officer knows success is short lived.

This is why Howard Whyte, the FDIC CIO, brought in a third party expert to
help develop a roadmap to further keep his agency’s data and network secure.

“We have taken action to address each and every one of those, I call,
advisories provided to us. We continue to align ourselves with the
cybersecurity framework maturity model. We are looking at where we are
today and where do we want to be,” Whyte said on Ask the CIO. “We have
taken action to deploy capabilities to detect data leakage, to detect
malware. The list of things that are outlined as cyber threats we look to
employ capabilities to ensure our folks are trained, we have processes to
detect and also to recover.”

Whyte said these efforts are complimentary and on top of the Homeland
Security Department’s continuous diagnostics and mitigation (CDM) program
and other cyber tools.

Whyte, who came to the FDIC in January 2017 as the chief information
security officer and became CIO in October, said he took on a broad review
of the agency’s policies, practices and procedures around cybersecurity,
including risk management and basic cyber hygiene due diligence.

One big challenge when Whyte came to the FDIC is he was the third CIO in
three years with the other two leaving under unfortunate circumstances.

Whyte said FDIC is trying to move toward to the top of the cyber maturity
model.

“We are actually conducting an external, independent assessment of our
cyber capabilities this year. Then we will improve or try to attain the
score that has been set by Federal Information Security Management Act
(FISMA) and where we fall short, we will continue to take action over the
next months, years to continue to make improvements,” he said. “It’s in the
planning stages. It’s looking at all of the controls listed, I think there
are 108 or more, and then doing an assessment of where we are with those
108 controls, and creating a dashboard so we have the transparency needed
not only for the CIO organization but to our customers as well because they
want to know how well we are doing to protect the information systems they
depend on to execute their mission.”

Whyte, like many CIOs, must find the right balance of controls. No
organization can implement every FISMA control because of the potential
impact on the mission.

He said FDIC is focusing on indicators of exposure and what actions are
they taking to mitigate the level of exposure of people, assets and data.

“We are taking a multi-pronged approach looking externally, looking
internally and looking for risks. We are discovering risk and ensuring you
are aware of them, and you are ensuring you have the right resources to
address the risk,” Whyte said. “Where you can’t address the risk, you have
to do some type of acceptance of that risk. But it should never leave your
radar because as new technologies and processes come out, you should look
at those risks you’ve accepted and try to work them out of your
environment.”

Even with dashboards and new tools, the weakest link for most organization
are the people. This is what happened to the FDIC in April 2015 when it
learned an employee inadvertently compromised the data of 44,000 customers.
About a month later, the agency learned of five more “low-risk” incidents
where employees mishandled sensitive data.

Whyte said FDIC is heavily focused on stopping data leakage. He said
through training, including phishing exercises, other reminders such as
posters, and meetings with the divisions discussing the near and actual
data leakage incidents.

“We have our own corporate university that helps us develop training where
we see a need that we can quickly react, put training together and deliver
it to our customers,” he said. “We’ve turned off access and implemented a
data loss prevention capability that looks at who is copying data, from
thumb drives to CD readers and writers. That is very well controlled and
monitored.”

Additionally, the FDIC also relies on a 24/7 security operations center,
which monitors the network for misuse cases and other threats.

In addition to cybersecurity, Whyte said his priorities include improving
the agency’s operational efficiencies, improving how they manage and
protect their data and, of course, IT modernization.

Whyte said for FDIC, IT modernization is as much a technology challenge as
a people challenge.

He said having the right people to implement the modernization efforts
using approaches such as agile or dev/ops while implementing services in
the cloud.

“If we are going to move to the cloud, we have to make sure we have people
who are trained in vendor management, trained in the different technologies
of the application stack that Amazon or Google or Microsoft may provide.
How do we get that information that we would normally walk downstairs and
be able touch and feel when you are potentially hundreds of miles away from
the data center?,” Whyte said. “We do need to ensure that we have the right
human resource capabilities in the corporation to execute on those new
operational environments. We are offering them training to readjust the
focus areas that they may have been used to operating in.”

He added it’s an education opportunity for both the IT side and the
business or mission side.

“We are relooking at our governance processes around IT. I want IT to be
agile, but I do not want the governance process to stifle innovation or the
delivery of capabilities to the business,” Whyte said. “We want to
streamline governance. We want to publish how we operate and what are the
requirements and gates that have be passed through to get IT operational,
and then monitored and continuously improved. We are looking at enterprise
architecture and governance as frameworks and wrapping it around risk
management to make sure we are doing the right things based on
requirements.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180312/b6f5cf6a/attachment.html>