<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Jean-Jacob Dreyfus, Author</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/author/jean-jacob-dreyfus/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/en/author/jean-jacob-dreyfus/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Thu, 02 Jan 2020 10:38:36 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>Jean-Jacob Dreyfus, Author</title>
	<link>https://www.riskinsight-wavestone.com/en/author/jean-jacob-dreyfus/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>NIST and FSSCC Team Up for Financial Services Cybersecurity</title>
		<link>https://www.riskinsight-wavestone.com/en/2018/08/nist-fsscc-team-up/</link>
		
		<dc:creator><![CDATA[Jean-Jacob Dreyfus]]></dc:creator>
		<pubDate>Thu, 02 Aug 2018 16:07:22 +0000</pubDate>
				<category><![CDATA[Cyber for Financial Services]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[financial services cyber]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=11151/</guid>

					<description><![CDATA[<p>The NIST Cybersecurity Framework (CSF) is widely recognized as a landmark in the evolution of the cybersecurity industry. Given the rapidly-changing cybersecurity landscape, it is vital to keep up-to-date with new developments. To this effect, NIST recently released the long-awaited...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2018/08/nist-fsscc-team-up/">NIST and FSSCC Team Up for Financial Services Cybersecurity</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The NIST Cybersecurity Framework (CSF) is widely recognized as a landmark in the evolution of the cybersecurity industry. Given the rapidly-changing cybersecurity landscape, it is vital to keep up-to-date with new developments. To this effect, NIST recently released the long-awaited version 1.1. However, more needs to be done.</p>
<p>In response to industry feedback, including Wavestone’s continuous involvement in the framework development (see our most recent contributions <a href="https://www.nist.gov/sites/default/files/documents/2018/01/31/2018-01-19_-_wavestone.pdf" target="_blank" rel="nofollow noopener noreferrer">here</a> and <a href="https://www.nist.gov/sites/default/files/documents/2017/04/21/2017-04-10_-_wavestone.pdf" target="_blank" rel="nofollow noopener noreferrer">here</a>), NIST is now working hard to allow the guidelines to more easily apply to organizations, thanks to sector-specific “Profiles” (e.g., <a href="https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8183.pdf" target="_blank" rel="nofollow noopener noreferrer">Manufacturing Profile</a> released in September 2017).</p>
<p>The Financial Services Sector Coordinating Council (FSSCC) recently held a workshop hosted by NIST in Washington, D.C., to further develop the Financial Services Profile of the framework. It gathered not only industry members but also regulators such as the FED and the OCC. While the profile is still preliminary, here are a few takeaways.</p>
<h2><strong>A new risk-tiering methodology</strong></h2>
<p>First and foremost, the profile introduces the concept of risk tiering similar to that of the FFIEC <a href="https://www.ffiec.gov/cyberassessmenttool.htm" target="_blank" rel="nofollow noopener noreferrer">Cybersecurity Assessment Tool</a> (CAT), but with qualitative rather than quantitative criteria. It proposes thirteen questions to determine the organization’s criticality level from 1 (Critical) to 4 (Relevant) based on criteria such as systemic importance, as well as geographical and geopolitical considerations. This criticality level then determines applicable “diagnostic statements” to assess.</p>
<figure id="post-11152 media-11152" class="align-none"><img fetchpriority="high" decoding="async" class="aligncenter wp-image-11152 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image-1-1.png" alt="" width="1355" height="311" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image-1-1.png 1355w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image-1-1-437x100.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image-1-1-768x176.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image-1-1-71x16.png 71w" sizes="(max-width: 1355px) 100vw, 1355px" /></figure>
<p>The methodology aligns well with industry best practices and is tailored to financial services. However, the sequence of questions to determine an organization’s inherent risk is likely to have most if not all financial institutions rated at Level 1 or 2. For example, any organization collecting and/or managing end-consumer Personally Identifiable Information (PII) would be designated a Level 2: Significant risk. While coverage of PII and privacy in general is welcome in a context of increased privacy concerns, it may not be so relevant from an inherent risk perspective.</p>
<p>Qualitative assessments, such as the one proposed here, are relevant for smaller institutions, but bringing cybersecurity risk management practices closer in maturity to those of credit and market risk management would require leveraging quantitative assessment methodologies. The recent paper <a href="https://www.imf.org/en/Publications/WP/Issues/2018/06/22/Cyber-Risk-for-the-Financial-Sector-A-Framework-for-Quantitative-Assessment-45924" target="_blank" rel="nofollow noopener noreferrer">Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment</a> from an IMF economist points in that direction.</p>
<h2><strong>Significant changes to the Framework Core and diagnostic statements</strong></h2>
<p>The profile builds on the Framework Core with two new functions: “Governance” and “Supply Chain/Dependency Management.” These additions put more emphasis on key areas, but at the cost of changing the well-known “Identify-Protect-Detect-Respond-Recover” structure, which is helpful for communicating with business and senior management.</p>
<p>The profile does not stop there: it also increases the number of Categories and Subcategories, by 8 and 20 respectively. While these additions are mostly relevant, they are not specific to Financial Services and could therefore be added to the Framework Core itself.</p>
<p>Based on this structure, the profile defines 300 diagnostic statements, again leveraging the FFIEC CAT as well as other resources from NYS DFS, FSB, and CPMI-IOSCO.</p>
<p><img decoding="async" class="aligncenter wp-image-11154 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image2.png" alt="" width="1356" height="848" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image2.png 1356w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image2-305x191.png 305w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image2-768x480.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image2-62x39.png 62w" sizes="(max-width: 1356px) 100vw, 1356px" /></p>
<h2><strong>More precise assessment criteria</strong></h2>
<p>When utilizing the NIST CSF, the FFIEC CAT, or any other generic framework or tool, most firms at some point end up defining specific potential answers to assessment criteria. Indeed, firms may have protection mechanisms in place, but they may not be consistently deployed across all assets. Similarly, while a measure may not yet be in place, a clear path forward may have been defined. Such scenarios are relevant to reflect an organization’s cybersecurity maturity.</p>
<p>The profile addresses this issue by proposing seven possible answers which successfully address common scenarios: “Not Applicable,” “Yes,” “Yes-Risk Based,” “Yes-Compensating Controls Used,” “Partial-Ongoing Project w/Action Plan,” “Not Tested,” and “No.” This addition is certainly an important step toward more consistent framework use and a foundation for maturity measures across organizations and across industries.</p>
<h2><strong>The need to think global</strong></h2>
<p>The proposed profile is currently presented as U.S.-centric. Indeed, most questions in the risk-tiering section and most diagnostic statement references relate to U.S. references. While this focus would be helpful for initial adoption in the U.S. market, it could be a barrier to expansion moving forward. Country-specific references are helpful, but the Profile itself should be kept as generic as possible, with U.S. references provided as add-ons only. FSSCC peers could then develop other add-ons at the country or region-level.</p>
<p><img decoding="async" class="aligncenter wp-image-11156 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image3.png" alt="" width="1358" height="167" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image3.png 1358w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image3-437x54.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image3-768x94.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/08/image3-71x9.png 71w" sizes="(max-width: 1358px) 100vw, 1358px" /></p>
<p>Moreover, the proposed profile must further address the challenge of managing different maturity levels across geographies. Given the pervasive nature of cyber risk, shouldn’t organizations ensure a consistent maturity across geographies unless sufficient segregation is ensured? As challenging as it sounds, the magnitude of risk certainly justifies this approach.</p>
<p>As regulations are introduced worldwide and organizations are more and more global, managing complexity and avoiding inconsistencies necessitate a common framework. The Financial Services Profile as intended by the FSSCC has an important role to play in this respect. More than a pragmatic approach to leverage the NIST CSF, it aims at greater regulatory harmonization and streamlined regulatory compliance efforts. It is laudable and certainly long-anticipated by organizations.</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2018/08/nist-fsscc-team-up/">NIST and FSSCC Team Up for Financial Services Cybersecurity</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The trends of Trump&#8217;s Cyber Regulation</title>
		<link>https://www.riskinsight-wavestone.com/en/2017/04/trends-trumps-cyber-regulation/</link>
		
		<dc:creator><![CDATA[Jean-Jacob Dreyfus]]></dc:creator>
		<pubDate>Fri, 28 Apr 2017 11:32:43 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Digital Compliance]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[sectoral regulations]]></category>
		<category><![CDATA[US]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=9702/</guid>

					<description><![CDATA[<p>On January 31, 2017, President Trump postponed the signature of the Executive Order on cybersecurity, which was expected to lay the groundwork of the United States’ efforts to fight cyber threats in the coming years. The presidential race was marked...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2017/04/trends-trumps-cyber-regulation/">The trends of Trump&#8217;s Cyber Regulation</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>On January 31, 2017, President Trump postponed the signature of the Executive Order on cybersecurity, which was expected to lay the groundwork of the United States’ efforts to fight cyber threats in the coming years.</em></p>
<p>The presidential race was marked by a strong emphasis on cybersecurity. The topic, described during the campaigns as “one of the most important challenges the next president is going to face” (Hillary Clinton, Derry, New Hampshire, February 3, 2016) and “an immediate and top priority” (Donald Trump, Herndon, Virginia, October 3, 2016), was on the agendas of both final candidates, who expressed a strong willingness to better protect the country’s “cyberspace.” Furthermore, the leaks from various political organizations during the electoral process highlighted society’s vulnerability to cyber threats.</p>
<h2>U.S. critical infrastructure sectors, such as financial services, transportation systems, and energy, will inevitably have a role to play.</h2>
<p>The cyber community is now eager to see the new government’s cybersecurity plan. In addition to federal agencies, private institutions that are heavily involved in U.S. critical infrastructure sectors, such as financial services, transportation systems, and energy, will inevitably have a role to play.</p>
<p>Significant efforts have been made to increase cybersecurity in the U.S. and abroad. A common trend is to improve protection of what is generally called critical infrastructure. To that end, the previous U.S. administration launched several governmental initiatives, including the development of the Framework for Improving Critical Infrastructure Cybersecurity by NIST (“<a href="https://www.nist.gov/cyberframework">NIST Cybersecurity Framework</a>”). The framework is used worldwide alongside major standards and is now being updated. In 2016, the <a href="https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan">Cybersecurity National Action Plan</a> (CNAP) planned to increase the country’s Federal budget for cybersecurity to $19 billion in 2017. In Europe, <a href="https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive">the Directive on Security of Network and Information Systems</a> (“NIS Directive”) requires Member States to adopt and publish sufficient laws and regulations to protect essential services. This is a global trend already visible in many countries, such as France with the <a href="https://www.legifrance.gouv.fr/eli/loi/2013/12/18/DEFX1317084L/jo/texte">LPM</a> law and China through the recently enacted <a href="http://www.chinalawtranslate.com/cybersecuritydraft/?lang=en">Cybersecurity Law</a>. Even international organizations such as NATO are promoting critical infrastructure cybersecurity protection.</p>
<p><strong>Will President Trump focus the country’s cybersecurity program on critical infrastructure?</strong></p>
<h2>The two draft Executive Orders released show the new administration is seriously considering the issue.</h2>
<p>The first draft <a href="https://apps.washingtonpost.com/g/documents/world/read-the-trump-administrations-draft-of-the-executive-order-on-cybersecurity/2306/">Executive Order Strengthening U.S. Cyber Security and Capabilities</a> suggests President Trump will order an extensive review of the country’s weaknesses, strengths, and enemies within an aggressive timeline. The previous administration initiated a similar effort less than a month after taking office in 2009, resulting in the rather theoretical <a href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf">Cyberspace Policy Review</a>.</p>
<p>This draft focuses on the following initiatives:</p>
<ul>
<li><strong>Vulnerabilities</strong> – Review most critical cyber vulnerabilities and submit a list of initial recommendations for enhanced protection of national security systems and most critical infrastructure;</li>
<li><strong>Adversaries</strong> – Review principal cyber adversaries and submit a first report on their identities, capabilities, and vulnerabilities;</li>
<li><strong>Capabilities</strong> – Review relevant cyber capabilities and identify an initial set needing improvements to adequately protect critical infrastructure; review efforts to educate and train the cyber workforce and make recommendations for the future;</li>
<li><strong>Incentives</strong> – Propose options to incentivize private sector adoption of effective cybersecurity measures and submit recommendations.</li>
</ul>
<h2>Leveraging incentives reduces the immediate need for additional regulation or legislation.</h2>
<p>While the review of vulnerabilities, adversaries, and capabilities is consistent with actions taken by foreign governments, a more original approach may be taken to ensure adoption of cybersecurity measures by the private sector. Indeed, the focus on leveraging incentives reduces the immediate need for additional regulation or legislation, which echoes President Trump’s “Two-for-One” Regulation Executive Order. By contrast, in Europe, the NIS Directive calls for “effective, proportionate, and dissuasive penalties” to ensure requirements are fulfilled.</p>
<p>Based on currently available information, it is difficult to discern how and to what extent the government would be able to fully execute these initiatives, as they are relatively sweeping in scope. However, the assessment of tangible vulnerabilities and adversaries may indicate a willingness to focus on launching concrete actions.</p>
<p>The second draft <a href="https://lawfareblog.com/revised-draft-trump-eo-cybersecurity">Executive Order Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure</a> is similarly ambitious, ordering the government to produce no less than 11 reports and requiring the involvement of the whole executive branch of the Federal Government and critical infrastructure actors.</p>
<p>This draft retains the initiatives on vulnerabilities and capabilities from the first draft, but their scopes are quite different. It suggests a more stringent effort will be made on the protection of the executive branch and less on critical infrastructure. Among other things, the government here aims to:</p>
<ul>
<li>Hold heads of executive departments and agencies accountable for managing cyber risk. This follows a trend already adopted by regulators in the financial services sector, for example through the <a href="http://www.dfs.ny.gov/about/press/pr1702161.htm">NYS-DFS 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies</a> and the <a href="https://www.nfa.futures.org/nfamanual/NFAManual.aspx?RuleID=9070&amp;Section=9">NFA Interpretive Notice on Information Systems Security Programs</a> (ISSP). Bringing accountability to the senior management level is a necessary step toward reinforced focus on cybersecurity and inclusion at the enterprise level, beyond technology departments;</li>
<li>Generalize the use of the NIST Cybersecurity Framework. While the framework was originally intended for critical infrastructure, it is easy to imagine it applied to federal agencies. It would likely complement and structure the usage of other materials such as <a href="https://www.nist.gov/publications/minimum-security-requirements-federal-information-and-information-systems">the NIST FIPS PUB 200 Minimum Security Requirements for Federal Information and Information Systems</a> and <a href="https://www.nist.gov/news-events/news/2013/04/nist-issues-major-revision-core-computer-security-guide-sp-800-53">the NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations</a>, which agencies are already required to leverage under <a href="https://www.gpo.gov/fdsys/pkg/STATUTE-116/pdf/STATUTE-116-Pg2899.pdf">the Federal Information Security Management Act of 2002</a> (FISMA). It would also increase alignment of practices between the public and private sectors;</li>
<li>Review executive departments’ and agencies’ risk management practices and actual risk decisions, assess whether they are appropriate and sufficient, and develop a plan for improvement. Such an effort is consistent with the first draft but this time applies only to the executive branch;</li>
<li>Develop a plan to modernize IT architecture by transitioning to shared IT services and consolidating network architecture, especially for National Security Systems. Shared IT services allow for increased security through industrialization, and consolidated network architectures are easier to protect and monitor;</li>
<li>Identify authorities and capabilities to support cybersecurity efforts of entities managing critical infrastructure at greatest risk in case of cyber attack, in collaboration with those entities. The notion of critical infrastructure at greatest risk originates from <a href="https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity">President Obama’s Executive Order 13636 Improving Critical Infrastructure Cybersecurity</a>;</li>
<li>Assess the efficiency of Federal policies and practices in promoting market transparency of cyber risk management. No more incentives here, but a market-driven approach to foster extended cybersecurity measures across the private sector, and no reference to any new regulation;</li>
<li>Identify and promote initiatives to improve resiliency of core telecommunications infrastructure. Those initiatives, likely at the Internet service provider level, would mainly focus on <a href="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAA1xAAAAJDAzZmJkMGZkLWQ2NTctNDk0ZC05YmI1LTZkZmE2NDg1YTRkZQ.png">preventing continuously increasing distributed attacks</a>.</li>
</ul>
<figure id="post-9703 media-9703" class="align-none"><img loading="lazy" decoding="async" class="aligncenter wp-image-9703 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/04/US-article-Trump.png" alt="" width="910" height="513" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/04/US-article-Trump.png 910w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/04/US-article-Trump-339x191.png 339w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/04/US-article-Trump-768x433.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/04/US-article-Trump-69x39.png 69w" sizes="auto, (max-width: 910px) 100vw, 910px" /></figure>
<h2>The initiatives described in the two drafts are aligned with general market practices and are headed in the right direction.</h2>
<p>Overall, the initiatives described in the two drafts are aligned with general market practices and are headed in the right direction. However, some uncertainty remains on a number of topics such as privacy and protection of PII, and private-public collaboration. Moreover, as American technology companies that have historically stored their data in the U.S. are opening more and more data centers abroad to meet local regulatory requirements, the U.S. will have to define its own data localization requirements.</p>
<h2>The challenge for the new administration is to develop unified data protection policies to drive consistent regulations</h2>
<p>The U.S. has led the effort in defining modern cybersecurity tools such as the NIST Cybersecurity Framework and the <a href="https://www.ffiec.gov/cyberassessmenttool.htm">FFIEC Cybersecurity Assessment Tool</a> but now needs to focus on execution. The challenge for the new administration is to develop unified data protection policies to drive consistent regulations, and move from a theoretical approach to concrete results.</p>
<p>If we are to expect actual results, the effort should enable a country-wide response that is transversal and coordinated, with sufficient oversight. Putting in charge a single agency, as announced by White House officials moments before the President’s signature was called off, may well be a first step in that direction. The new administration will have to define clear roles and responsibilities between the public and private sectors, a governance for collaboration, and a strategy to drive implementation.</p>
<p>Beyond this transformation, the upcoming challenge will be collaboration with other countries to align with foreign initiatives through a NATO-like approach, with the objective of harmonizing standards and requirements for a more efficient approach to cybersecurity. Stakes and expectations are higher than ever.</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2017/04/trends-trumps-cyber-regulation/">The trends of Trump&#8217;s Cyber Regulation</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
