<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>InfoSecBits &#187; compliance</title>
	<atom:link href="https://www.infosecbits.com/category/compliance/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.infosecbits.com</link>
	<description>Information Security Bits by Carlos Villalba &#38; Friends</description>
	<lastBuildDate>Mon, 16 Feb 2015 23:38:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=4.1.41</generator>
	<item>
		<title>Federal Financial Institutions Examination Council (FFIEC) update</title>
		<link>https://www.infosecbits.com/federal-financial-institutions-examination-council-ffiec-update/</link>
		<comments>https://www.infosecbits.com/federal-financial-institutions-examination-council-ffiec-update/#comments</comments>
		<pubDate>Mon, 16 Feb 2015 23:38:34 +0000</pubDate>
		<dc:creator><![CDATA[cavallal]]></dc:creator>
				<category><![CDATA[compliance]]></category>

		<guid isPermaLink="false">http://www.infosecbits.com/?p=38</guid>
		<description><![CDATA[The Federal Financial Institutions Examination Council (FFIEC) has just published a revision to its IT Examination Handbook on business continuity planning (BCP) this February. It replaces the document published in 2003. Of particular interest to us is its new Appendix&#8230;<p class="more-link-p"><a class="more-link" href="https://www.infosecbits.com/federal-financial-institutions-examination-council-ffiec-update/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>The Federal Financial Institutions Examination Council (FFIEC) has just published a revision to its IT Examination Handbook on business continuity planning (BCP) this February. It replaces the document published in 2003.</p>
<p>Of particular interest to us is its new Appendix J: Strengthening the Resilience of Outsourced Technology Services. It has a section titled Cyber Resilience, which contains clauses on the risks arising from malware, insider threats, Data or Systems Destruction and Corruption, Communications Infrastructure Disruption, and incident response.</p>
<p>The FFIEC agencies encourage financial institutions to adopt a cyclical, process-oriented approach to business continuity planning. This process-oriented approach will be discussed in the first part of the booklet, with additional information included in the appendices. The four steps in this process include:</p>
<ol>
<li>Business Impact Analysis;</li>
<li>Risk assessment;</li>
<li>Risk management; and</li>
<li>Risk monitoring and testing.</li>
</ol>
<p>The business continuity planning process involves the recovery, resumption, and maintenance of the entire business, not just the technology component. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be enough to restore business operations.</p>
<p>Also of interest, the guidelines specify that key tests should be observed, verified, and evaluated by independent parties. This provides assurance to the board and other stakeholders of the validity of the testing process and the accuracy of test results. This independent assessment is typically conducted by internal audit, although it can be performed by other qualified third parties.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.infosecbits.com/federal-financial-institutions-examination-council-ffiec-update/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Black Friday Hackers &#8211; Not All Threats are Equal</title>
		<link>https://www.infosecbits.com/black-friday-hackers-not-all-threats-are-equal/</link>
		<comments>https://www.infosecbits.com/black-friday-hackers-not-all-threats-are-equal/#comments</comments>
		<pubDate>Wed, 26 Nov 2014 20:55:31 +0000</pubDate>
		<dc:creator><![CDATA[cavallal]]></dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.infosecbits.com/?p=22</guid>
		<description><![CDATA[With the biggest sales event of the year coming to US retailers this week, there is also increased concern about the possibility of additional data breach incidents. This week and next week, many organizations are consumed with keeping the lights&#8230;<p class="more-link-p"><a class="more-link" href="https://www.infosecbits.com/black-friday-hackers-not-all-threats-are-equal/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>With the biggest sales event of the year coming to US retailers this week, there is also increased concern about the possibility of additional data breach incidents.</p>
<p>This week and next week, many organizations are consumed with keeping the lights on and making sure e-commerce platforms keep up with the anticipated spike in demand due to the big sale event. We are days away from Black Friday and many are crying foul before the whistle blows to start the game.</p>
<p>Justified or unjustified fear? I can tell you with certainty, coupled with many years of experience, that some of that fear is justified. American holidays such as Thanksgiving, Christmas and the Super Bowl are days when the event volume on security operations center monitors goes up, up, up.</p>
<p>So, make no mistake, Black Friday and Cyber Monday will not only attract shoppers, they will also attract hackers.</p>
<p>Unfortunately, most organizations do not have the resources to keep a fully staffed 24/7 network event monitoring effort, especially around non-working days such as weekends and holidays. Is it really necessary? My answer will bother some, but yes, it is necessary.</p>
<p>Why?</p>
<p>Well, is your network important to you? Are those assets important to you? Will your brand be affected by unauthorized access? Are there legal ramifications in the event of a data breach? The answer to all of these is most likely yes. However, the most important question is will a data breach negatively affect your clients? This is a yes/no question. If the answer is yes then, unequivocally, your organization must find ways to monitor your networks twenty-four hours a day seven days a week.</p>
<p><strong>In that effort, I&#8217;d like to offer some insights:</strong></p>
<ul>
<li>Monitor both external and internal events.</li>
<li>Aggregate and analyze your logs to establish a baseline.</li>
<li>If outsourcing is not possible, combine automatic alerting with on-call designations, or staff a 24/7 security operations center. A minimum of nine analysts with one manager should suffice. In terms of technologies, the options are plenty and varied.</li>
<li>Reduce unnecessary noise without ignoring relevant events.</li>
<li>Address the alerts generated, otherwise members of the organization will soon treat these alerts the same way they treat spam email.</li>
<li>Define your incident response and apply the priority that the risk deserves. Not all threats are equal.</li>
<li>Do not overlook access control related events such as failed logon attempts, even if it is painful due to the volume.</li>
</ul>
<p>In terms of commercial tools, there are many out there and some can be very pricey. In terms of open source tools, there are also plenty of options: Icinga, Snort, Logstash, etc.</p>
<p>Is it possible to combine open source tools with commercial tools? Absolutely. It requires a solid architecture design and strategic planning, but it is very possible.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.infosecbits.com/black-friday-hackers-not-all-threats-are-equal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA is big and small</title>
		<link>https://www.infosecbits.com/hipaa-is-big-and-small/</link>
		<comments>https://www.infosecbits.com/hipaa-is-big-and-small/#comments</comments>
		<pubDate>Tue, 18 Nov 2014 04:20:13 +0000</pubDate>
		<dc:creator><![CDATA[cavallal]]></dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[HIPAA]]></category>

		<guid isPermaLink="false">http://www.infosecbits.com/?p=14</guid>
		<description><![CDATA[Walgreens might just get a very expensive penalty because a pharmacist reviewed the records of a woman that once dated her husband, yikes! Although HIPAA has been around for a while, and organizations have been preparing and complying with the&#8230;<p class="more-link-p"><a class="more-link" href="https://www.infosecbits.com/hipaa-is-big-and-small/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>Walgreens might just get a very expensive penalty because a <a title="Walgreens HIPAA fine" href="http://www.pharmacytimes.com/news/Pharmacist-Costs-Walgreens-14-Million-for-Violating-HIPAA-?utm_source=GoogleNews&amp;utm_medium=GoogleNews&amp;utm_campaign=PharmacyTimesNews" target="_blank">pharmacist reviewed</a> the records of a woman that once dated her husband, yikes!</p>
<p>Although HIPAA has been around for a while, and organizations have been preparing and complying with the mandates for quite some time, it is this and last year when we hear a lot about organizations being fined for HIPAA violations.</p>
<p>I&#8217;d love to see how Walgreens handles the issue and also to see if they attempt to transfer liability to the pharmacist, time will tell.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.infosecbits.com/hipaa-is-big-and-small/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
