NFA Interpretive Notice on Info Security
- 1. Informa(on Systems Security Programs Na(onal Futures Associa(on 9070 -‐ NFA COMPLIANCE RULES 2-‐9, 2-‐36 AND 2-‐49: INFORMATION SYSTEMS SECURITY PROGRAMS hNp://www.nfa.futures.org/nfamanual/NFAManual.aspx?RuleID=9070&Sec(on=9 Wesley.Moore@Quarule.com
- 2. What Comprises the Informa(on Systems Security Program? Regulatory rules Five areas of an Informa.on Systems Security Program (ISSP): 1. Wri<en Program 2. Security and Risk Analysis 3. Deployment of Protec.ve Measures Against Iden.fied Threats and Vulnerabili.es 4. Response and Recovery from Threats to Electronic Systems 5. Employee Training © 2014-‐2016 Quarule, Inc. -‐ Confiden.al & Proprietary 2
- 3. Do We Have a WriNen Informa(on Security Systems Program (ISSP)? Regulatory rules a) Members must adopt and enforce a wri<en ISSP designed to provide safeguards and protect against security threats or hazards to their technology systems. b) The wri<en ISSP must be appropriate to the Member's size, complexity of opera.ons, type of customers and counterpar.es, the sensi.vity of the data accessible within its systems, and its electronic interconnec.vity with other en..es. c) There are several cybersecurity best prac.ces and standards readily available, including those promulgated by SANS, OWASP, ISACA's COBIT 5, and NIST. Key Compliance Ques(ons 1. Does the Member have a wri<en ISSP? 2. Is the ISSP appropriate for the Member’s specific needs? © 2014-‐2016 Quarule, Inc. -‐ Confiden.al & Proprietary 3
- 4. Do We Analyze Security and Risk? There are many different types of internal and external threats, including: a) Loss, destruc.on or thea of data; b) A<acks by viruses, spyware and other malware; and c) Intercep.on and compromising of electronic transmissions. Key Compliance Ques(ons 1. Does the Member keep track of their hardware and soaware? 2. Has the Member reviewed the vulnerabili.es of their electronic infrastructure? 3. Is the Member’s data secure? © 2014-‐2016 Quarule, Inc. -‐ Confiden.al & Proprietary 4
- 5. Do We Assess and Priori(ze? Members must assess and priori.ze the risks associated with the use of their informa.on technology systems. Regulatory rules a) Es.mate the severity of the poten.al threats; b) Perform a vulnerability analysis; and c) Decide how to manage the risks of these threats. Key Compliance Ques(ons 1. Have there been any past incidents? 2. What are the known threats iden.fied by other en..es? © 2014-‐2016 Quarule, Inc. -‐ Confiden.al & Proprietary 5
- 6. How Do We Protect Against Iden(fied Threats and Vulnerabili(es? A Member should document in their ISSP the safeguards that they deploy aaer reviewing and priori.zing threats and vulnerabili.es. These safeguards will depend on the Member’s specific needs, and can include: a) Physically protec.ng buildings, equipment and assets; b) Using and maintaining up-‐to-‐date firewall, an.-‐virus and an.-‐malware soaware; c) Limi.ng both physical and electronic access; d) Ensuring that systems are regularly and properly updated; e) Deploying encryp.on soaware; f) Preven.ng the use of unauthorized soaware; g) Backing up systems and data; and h) Ensuring that mobile devices are subject to similar applicable safeguards. © 2014-‐2016 Quarule, Inc. -‐ Confiden.al & Proprietary 6
- 7. How Do We Detect Poten(al Threats and Vulnerabili(es? Regulatory rules Members should also document and implement reasonable procedures to detect poten.al threats, including new and emerging threats. Key Compliance Ques(ons 1. What procedures does Member have in place? 2. Do those procedures meet the proper standards? 3. Is the Member a part of a threat sharing organiza.on which can alert the Member of new and emerging threats? © 2014-‐2016 Quarule, Inc. -‐ Confiden.al & Proprietary 7
- 8. How Do We Respond to Threats to Electronic Systems? Regulatory rules Members should create an incident response plan to provide a framework to manage detected security incidents, analyze their poten(al impact and take appropriate measures to contain and mi.gate their threat. The response plan should list out how the Member will address poten(al incidents, including how it will communicate and escalate incidents internally, and how it will communicate externally with customers, counterpar.es, regulators, and law enforcement. The Member’s response plan should also include how the Member plans to restore compromised systems and data, and how it will incorporate lessons learned into the ISSP. Key Compliance Ques(ons 1. Does the Member have a response plan? 2. Does the response plan detail how to determine the level and type of threat and how to respond? 3. Does the response plan detail how restore compromised systems and data? 4. Does the response plan detail who, how and when to communicate details of an incident? © 2014-‐2016 Quarule, Inc. -‐ Confiden.al & Proprietary 8
- 9. Does Everyone Know What to Do? Regulatory rules A Member's ISSP should contain a descrip.on of the Member's educa(on and training rela.ng to informa.on security for all appropriate personnel. This training program should be conducted for employees upon hiring and periodically during their employment, and should be appropriate to the security risks the Member faces as well as the composi.on of its workforce. Key Compliance Ques(ons 1. Are the Member’s employees trained in informa.on security? 2. Does the Member train employees on informa.on security both at hiring and throughout employment? 3. Is the training appropriate for the risks and the workforce? © 2014-‐2016 Quarule, Inc. -‐ Confiden.al & Proprietary 9
- 10. How Do We Know if the Info Systems Security Plan (ISSP) is Effec(ve? Regulatory rules A Member should monitor and regularly review the effec(veness of its ISSP, including the efficacy of the safeguards deployed, and make appropriate adjustments. The review should be done at least once every year, and may be done by in-‐house staff with appropriate knowledge or by engaging an independent third-‐party informa.on security specialist. Key Compliance Ques(ons 1. Does the Member schedule regular reviews of its ISSP? 2. Does the Member have qualified employees who can perform the review or does the Member need to hire an outside party? © 2014-‐2016 Quarule, Inc. -‐ Confiden.al & Proprietary 10
- 11. Are Third-‐Party Service Providers Secure? Regulatory rules A Member’s ISSP should also address the risks posed by third-‐party service providers that have access to a Member's systems, operate outsourced systems for the Member or provide cloud-‐ based services to the Member. Since the Member does not control the third-‐party service providers, it is crucial that the Member perform due diligence on a service provider's security prac.ces and avoid using third par.es whose security standards are not comparable to the Member's standards in a par.cular area or ac.vity. A Member should also place appropriate access controls to their informa.on systems and data and have a procedure to remove access when a service provider is no longer providing services. Key Compliance Ques(ons 1. Does the Member keep a list of any service providers it employs? 2. Does the Member monitor the security prac.ces of its service providers? 3. Does the Member have access controls in place to prevent improper access? © 2014-‐2016 Quarule, Inc. -‐ Confiden.al & Proprietary 11
- 12. ISSP Resources SANS Ins.tute (SANS) – h<ps://www.sans.org/ Open Web Applica.on Security Project (OWASP) – h<ps://www.owasp.org ISACA's Control Objec.ves for Informa.on and Related Technology (COBIT) 5 – h<ps://cobitonline.isaca.org/ Na.onal Ins.tute of Standards and Technology (NIST) – h<ps://www.nist.gov/ © 2014-‐2016 Quarule, Inc. -‐ Confiden.al & Proprietary 12