Pub. 19 2024-2025 Issue 1

TECH TALK

10 Information Security Topics to Discuss in Your Next Review

Christy Thomas, Audit Manager, SBS CyberSecurity

As data breaches continue to rise, organizations are spending more money and resources to ensure they have the appropriate solutions in place to prevent attacks without disrupting normal business. All organizations should consider the following topics as part of an information security program review.

1. Ransomware Awareness

The CSBS recently updated the Ransomware Self-Assessment Tool (R-SAT) to version 2.0 in response to changes in the ransomware threat environment, in bad actor tactics, and in organizations' environments and controls. The R-SAT raises awareness of ransomware risks, identifies security gaps, and gives executive management and the board of directors the information they need to make informed decisions and allocate resources appropriately. It also assists auditors, consultants and examiners in evaluating security practices, and it incorporates lessons learned from organizations that have experienced ransomware attacks.

2. Board Cybersecurity Training

An organization's board of directors is ultimately responsible for its overall security. Without a solid grasp of cybersecurity, the board may make decisions that inadvertently weaken the organization's security posture, including allocating insufficient budget to cybersecurity initiatives. A lack of understanding can also leave security strategies misaligned with overall business objectives and lead to underestimation of cybersecurity risks, resulting in inadequate risk management and crisis response plans.

3. Firewall Reporting and Monitoring

To mitigate the risks of vendor firewall management, it is important to implement appropriate controls, including written contracts that define roles, responsibilities and expectations so there is no question as to who is doing what. Periodic security audits of the vendor's practices should be conducted as part of your vendor management program. Administrative access to the firewall should be limited to authorized personnel only and should require strong authentication mechanisms, such as MFA and individual authentication (no shared accounts). Oversight should include, at a minimum, receipt and review of comprehensive logs, or read-only access to them, so that the logs can be monitored for suspicious activity or policy violations.

4. Multi-Factor Authentication (MFA)

Implementing MFA is a key defense strategy: it adds an essential layer of security by requiring two or more verification factors. MFA strengthens data-center security, improves cloud security for a safer remote working environment and reduces exposure to cybersecurity threats. Additional controls around administrative access to directory services, network backup environments, network infrastructure, the organization's endpoints and servers, remote access (for employees and vendors) and firewall management are recommended. Many cybersecurity insurance vendors now require organizations to complete a self-attestation to renew policies, and that attestation includes verifying that multi-factor authentication is in place for remote access users and administrative users.

Continued on page 18

16 NEBRASKA BANKER
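As an added example (not part of the article and not SBS CyberSecurity's tooling), a small Python review script that applies the controls from items 3 and 4 to firewall administrative login logs: it flags shared accounts, accounts missing from an assumed authorized roster, successful logins without MFA, and repeated failed logins against one account. The log format, the roster and the sample lines are constructed for this example.

```python
import re

AUTHORIZED_ADMINS = {"jdoe", "asmith", "vendor_kwong"}  # hypothetical roster of authorized firewall admins
SHARED_ACCOUNTS = {"admin", "root", "firewall"}  # generic or shared account names the policy forbids

# Constructed log format (assumed, not any real vendor's):
#   <timestamp> admin-login user=<name> src=<ip> mfa=<yes|no> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) admin-login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)

def check_line(line):
    """Return the policy violations on one log line (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return [f"unparseable line: {line.strip()!r}"]
    ts, user, src = m["ts"], m["user"], m["src"]
    findings = []
    if user in SHARED_ACCOUNTS:
        findings.append(f"{ts}: shared account '{user}' used from {src}")
    elif user not in AUTHORIZED_ADMINS:
        findings.append(f"{ts}: unauthorized account '{user}' from {src}")
    if m["result"] == "success" and m["mfa"] == "no":
        findings.append(f"{ts}: '{user}' logged in without MFA from {src}")
    return findings

def review(lines, failure_threshold=3):
    """Check every line and also flag accounts with repeated failed logins."""
    findings, failures = [], {}
    for line in filter(str.strip, lines):
        findings.extend(check_line(line))
        m = LOG_RE.match(line.strip())
        if m and m["result"] == "failure":
            failures[m["user"]] = failures.get(m["user"], 0) + 1
    for user, n in failures.items():
        if n >= failure_threshold:
            findings.append(f"{n} failed admin logins for '{user}'")
    return findings

# Constructed sample: a clean login, a shared account, a login without MFA, and repeated failures
SAMPLE_LOG = """\
2024-09-03T08:01:12Z admin-login user=jdoe src=10.1.5.20 mfa=yes result=success
2024-09-03T08:07:44Z admin-login user=admin src=10.1.5.21 mfa=no result=success
2024-09-03T09:15:03Z admin-login user=asmith src=10.1.5.22 mfa=no result=success
2024-09-03T22:40:10Z admin-login user=bjones src=203.0.113.7 mfa=no result=failure
2024-09-03T22:40:31Z admin-login user=bjones src=203.0.113.7 mfa=no result=failure
2024-09-03T22:41:02Z admin-login user=bjones src=203.0.113.7 mfa=no result=failure
"""
```

Running `review(SAMPLE_LOG.splitlines())` returns seven findings: the shared `admin` login (two findings), the `asmith` login without MFA, three unauthorized `bjones` attempts, and the repeated-failure summary for `bjones`.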
