Академический Документы
Профессиональный Документы
Культура Документы
5. Update information security awareness and 7. Review, update, and test incident response and
training programs, as necessary, to include cyber business continuity plans periodically
attacks involving extortion and social engineering Test the effectiveness of incident response plans at
testing such as phishing attacks the institution and with third party service providers to
Conduct regular, mandatory information security ensure that all employees, including individuals respon-
awareness training across the institution, including how sible for managing risk, information security, vendor
to identify, prevent, and report phishing attempts and management, fraud detection, and customer inquiries,
other potential security incidents. Ensure that the training understand their respective responsibilities and their in-
reflects the functions performed by employees. stitution’s protocols. ln addition:
6. Implement and regularly test controls around • Ensure that processes are in place that update, re-
critical systems view, and test incident response and business conti-
nuity plans address cybersecurity threats involving
Ensure that appropriate controls, such as access con-
extortion.
trol, segregation of duties, audit, and fraud detection, and
monitoring systems are implemented for systems based • Ensure that incident response and business conti-
on risk. Limit the number of sign-on attempts for criti- nuity plans are updated to address notification of
cal systems and lock accounts once such thresholds are service providers, including Internet service pro-
exceeded. Implement alert systems to notify employees viders (lSP), as appropriate, if the institution sus-
when baseline controls are changed on critical systems. pects that a DDoS attack is occurring.
Test the effectiveness and adequacy of controls periodi-
cally. Report test results to senior management and to the 8. Participate in industry information-sharing forums
board of directors or a committee of the board of direc- Incorporate information sharing with other institu-
tors. Include in the report recommended risk mitigation tions and service providers into risk mitigation strategies
strategies and progress to remediate findings. In addition: to identify, respond to, and mitigate cybersecurity threats
• Encrypt sensitive data on all portable, internal, and and incidents. Since threats and tactics change rapidly,
external facing data storage devices and systems, participating in information-sharing organizations can
for data in transit and, where appropriate, at rest. improve an institution’s ability to identify attack tactics
and to mitigate cyber attacks involving ransomware mal-
• Implement an adequate password policy. ware on its systems successfully. In addition, there are
• Review the business processes around password government resources, such as the U.S. Computer Emer-
recovery. gency Readiness Team (US-CERT), that provide informa-
tion on vulnerabilities.
• Regularly test security controls, such as Web appli-
cation firewalls. Data Recovery
• Implement procedures for the destruction and • If you do experience a successful attack, there are
disposal of media containing sensitive informa- some tools available from multiple vendors to pos-
tion based on risk relative to the sensitivity of the sibly recover the system; however, it has been our
information and the type of media used to store the experience that these are not universally successful.
information. Many times, the malware encryption may be re-
Questions about
pro bono service?
www.nysba.org/probono
(518) 487-5641
probono@nysba.org