Choosing a Cybersecurity Framework
It is a good practice to identify a cybersecurity framework as part of an institution’s Information Security Program. A framework helps to identify...
The National Institute of Standards and Technology released an update to its Cybersecurity Framework (CSF) late February. The CSF was originally created in 2014 to help critical national infrastructure combat cybersecurity threats.
Though it doesn’t directly translate to requirements for financial institutions, the framework does heavily influence the guidance issued by financial regulators via the Federal Financial Institutions Examination Council (FFIEC). So, we can anticipate that changes to this framework will influence guidance and the focus of examiners.
Some of the biggest issues and failures I’ve found with cybersecurity programs boil down to a lack of governance. It drives a disconnect between management and Information Technology (IT) which leaves risks uncovered or unmitigated. Bridging this gap is a large part of our role as Information Security Officers (ISOs) because it really ensures the soundness of the program and enables good decisions.
What should you do as a financial institution because of this update? Don’t aim to fully comply with the CSF 2.0; it’s still broader in scope than FFIEC guidance. Rather, use it as a reference and benchmark in your security strategy. As ISOs, it could be very worthwhile to review the new governance domain and see if there are any gaps in your approach.
The addition of community profiles can also be very helpful in determining your gaps and target state. There is a profile out there specifically for the financial services industry, which points to the Cyber Risk Institute’s profile, and I’ve heard a lot of good things about this tool. Here’s the link: https://cyberriskinstitute.org/the-profile/.
I hope that this update to the CSF can help solve some of the complexity in managing cyber risk and understanding what is truly important. I’m excited about the emphasis on governance and risk management, which I’ve seen bring a lot of improvement to programs and get all stakeholders on the same page. I hope it can be helpful to you too.
If you need help implementing better governance in your program, we can help! Contact us at support@bedelsecurity.com.