Getting Started with Cybersecurity

Brian Fischer

Brian Fischer, Business Development Manager at Security Compliance Associates

To address cybersecurity threats to the nation's critical infrastructure systems, President Barack Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," on Feb. 12, 2013. The Order established that "it is the Policy of the United States to enhance the security and resilience of the nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." Through collaboration between the government and private sector, a Cybersecurity Framework was developed and published by the National Institute of Standards and Technology. The Framework provides a set of industry standards and best practices to help organizations manage cybersecurity risks and is comprised of five functional areas with 22 categories and 93 subcategories.

In June 2013, the Federal Financial Institutions Examination Council established the Cybersecurity and Critical Infrastructure Working Group to collaborate on this important issue. This group has been coordinating with intelligence, law enforcement, Homeland Security, and industry officials to make sure the member agencies have accurate and timely threat information to assist institutions in protecting themselves and their customers from the growing risk posed by cyber-attacks. These activities are part of a broad FFIEC cybersecurity awareness initiative that covers institutions of all sizes and complexity. The FFIEC is currently focusing on providing resources to support community institutions that may not have access to the resources available to larger institutions. In light of the increasing volume and sophistication of cyber threats, the FFIEC members are piloting an exam work program (Cybersecurity Assessment) designed for federal and state banking regulators to assess the vulnerability of community institutions to cyber threats and their preparedness to mitigate cyber risks.

The first efforts by the FFIEC to gauge cybersecurity adoption and awareness were launched in 2014 through a Cybersecurity Exam Pilot program involving financial institutions from banking through asset management/investments. As part of their examination, the National Credit Union Association provided an artifact request list to help credit unions prepare. Interestingly enough, the request list mirrors the five functional areas of the NIST Cybersecurity Framework. Artifacts requested and areas reviewed include:

1. Cyber Risk Management and Oversight
2. Cybersecurity and Controls
3. External Dependency Management
4. Threat Information and Collaboration
5. Cyber Resilience

To prepare for cybersecurity scrutiny, or even better, to take your information security program to a higher level, begin measuring your institution against the Cybersecurity Framework. This is no simple task. Remember that underneath the five functional areas there are 22 categories and 93 subcategories. The NCUA artifact request list condenses this down to 40 items, which is still daunting and subject to change. If you have performed a Gramm-Leach-Bliley Act Gap Analysis, this information will be a good starting point, as a GLBA Gap Analysis naturally flows into the Cybersecurity Framework. The FFIEC Cybersecurity Brochure is a useful tool to help you get started and contains additional resources. You can find the brochure here.

Why is this so important? Cyber threats expose institutions to operational, reputational and financial risks. By taking proactive steps, you strengthen your information security program while documenting your compliance with existing and evolving guidance. The Cybersecurity Framework is rising in regulator importance and may become the de-facto standard by which your information security program is measured.

About the Author
Brian Fischer is a business development manager for Security Compliance Associates in Clearwater, Fla. He is responsible for new client acquisition and developing relationships with strategic partners. Brian's technology background includes imaging, network management and information security services. He has been with Security Compliance Associates (SCA) for three years, helping them to become one of Tampa's 50 fastest growing companies. SCA specializes in delivering world-class information security services to financial institutions across the country.