Pub. 3 2022 Issue 6

In many cases, software vulnerabilities are the root cause of attacks. Attackers will exploit these vulnerabilities to gain access to your network. You can help mitigate these risks by keeping your software up to date, regularly reviewing and removing unauthorized software, and preventing the installation of unauthorized software (i.e., limiting local permissions, blocking internet download capabilities, etc.).

3. Data Protection

This control helps you protect your data from unauthorized access and loss. It includes ensuring that sensitive data is encrypted at rest and in transit. It also means understanding where data is stored and how it travels. Data breaches are becoming more common and more costly. One way to help mitigate the risk of a data breach is by using Data Leak Protection. This makes it hard to copy and move sensitive data and will make it much more difficult for attackers to access your data if they are able to breach your network.

4. Secure Configuration of Enterprise Assets & Software

It is crucial to implement a solid program for software and operating system patching, establish written policies for “hardening” new servers, workstations, and network devices, and regularly review policies to ensure they are enabled on all devices. This control boosts your financial services cybersecurity and keeps your assets and software secure. The first step in this process is to create a secure baseline configuration for all enterprise assets, including hardware, software, and firmware. Once the baseline has been established, it is important to deploy security hardening techniques to further secure systems and reduce their attack surface. This can be accomplished by disabling unnecessary features and services, using strong passwords, and reducing privileges where possible. It is also important to regularly patch software and operating systems to mitigate known vulnerabilities. Patches should be deployed as soon as they are released or on a schedule appropriate for the organization’s risk tolerance. Be sure to test patches before deploying them to production systems.

5. Account Management

For added cybersecurity, ensure that only authorized users can access your data and systems. This is not just for Windows login – it includes logins to core systems, email, and any hosted or internet-based accounts that potentially house confidential data. One of the most important things you can do to protect your data is to control who has access to it. This can be accomplished by requiring strong passwords, using two-factor authentication, and regularly reviewing permissions to ensure that only authorized users have access to sensitive data and systems. It’s also good to establish separate admin accounts for admin tasks. This way, if an attacker does gain access to an admin account, they will not have direct access to data.

6. Access Control Management

This control helps your bank manage and monitor user access to data and systems. This includes ensuring that only authorized users have access to sensitive data, that all access is logged, and that privileged users are properly supervised. One way to help ensure that only authorized users have access to sensitive data is to implement least privilege principles. This means that users should only have the permissions they need to do their job, and no more. It is also important to log all access to data and systems. This can help you track down unauthorized access and identify potential insider threats.

7. Continuous Vulnerability Management

This control helps you identify and remediate vulnerabilities in your systems and software. This includes patching software and operating systems, using security scanning tools, and conducting regular penetration tests. One way to help identify vulnerabilities in your systems is to use security scanning tools at least quarterly. These tools can be used to scan for known vulnerabilities, as well as to look for general weaknesses that could be exploited. Be sure to scan all systems, including web servers, application servers, and database servers.

How to Incorporate CIS Controls

To help your bank incorporate these Controls, look for an IT company that specializes in IT security and compliance for banks and that is also able to manage and automate many of the tasks associated with each of the CIS controls. More information about the Center for Internet Security can be found at https://www.cisecurity.org/controls.

About the Author: Mike Gilmore is the Chief Compliance Officer at RESULTS Technology and a Certified Information Systems Auditor (CISA) with more than 30 years’ experience in the banking industry. In his role as CCO, Mike provides compliance and risk assessments, audit and exam support and policy documentation. He can be reached at mgilmore@resultstechnology.com.
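The permission review and access-log review described under controls 5 and 6 above (least privilege, separate admin accounts, logging all access), as an added example that is not part of the article or any RESULTS Technology tooling. The systems, user names, log format and the "adm-" admin-account prefix are all constructed assumptions for illustration.

```python
# Added example, not from the article: a least-privilege access review that
# compares entitlements found on each system with the authorized access matrix,
# then checks an access log for use outside those entitlements or for a
# separate admin account touching a non-admin system. All data is constructed.

AUTHORIZED = {  # system -> users the bank has approved for it
    "core-banking": {"alice", "bob"},
    "wire-transfer": {"alice"},
    "email": {"alice", "bob", "carol"},
}
ADMIN_SYSTEMS = {"domain-controller"}  # where "adm-" accounts belong
CURRENT = {  # entitlements pulled from the systems; dave and carol are excess
    "core-banking": {"alice", "bob", "dave"},
    "wire-transfer": {"alice", "carol"},
    "email": {"alice", "bob", "carol"},
}
ACCESS_LOG = """\
2022-06-01T09:02:11 alice core-banking success
2022-06-01T09:05:40 dave core-banking success
2022-06-01T22:17:03 carol wire-transfer success
2022-06-01T23:40:55 bob email success
2022-06-02T08:10:00 adm-bob email success
2022-06-02T08:12:30 adm-bob domain-controller success
2022-06-02T08:15:00 eve core-banking failure
"""

def review_entitlements(current, authorized):
    """Return {system: sorted users} holding access that was never authorized."""
    excess = {}
    for system, users in current.items():
        extra = users - authorized.get(system, set())
        if extra:
            excess[system] = sorted(extra)
    return excess

def review_access_log(log_text, authorized, admin_systems, admin_prefix="adm-"):
    """Return (timestamp, user, system, reason) for each successful access that
    is outside the authorized matrix or uses an admin account off-role."""
    findings = []
    for line in log_text.splitlines():
        ts, user, system, result = line.split()  # format: ts user system result
        if result != "success":
            continue  # failed attempts belong in a separate failed-login report
        if user.startswith(admin_prefix):
            if system not in admin_systems:
                findings.append((ts, user, system, "admin account used on non-admin system"))
        elif user not in authorized.get(system, set()):
            findings.append((ts, user, system, "access outside authorized entitlements"))
    return findings
```

Run both reviews on a schedule (the article suggests regular permission reviews) and treat every finding as either a stale entitlement to remove or an access event to investigate.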
