Part 1 of a 6-Part Series
Network security, once thought of as an IT issue, is now called Cybersecurity. The name change was necessary to keep up with the times, but no matter what it is called, is it still just an IT issue? We don’t think so. A shift in thinking and a different perspective are necessary: Cybersecurity is different and far more comprehensive, and today everyone is responsible for it. Technology is certainly part of the solution, and that part is certainly an IT concern, but that’s not the end of the discussion. Cybersecurity is here to stay, and everyone needs at least a basic understanding of the issues and concepts.
Who is everyone? Everyone from the Board of Directors to the janitor needs to be aware and informed!
This is the first article in a series of articles that demonstrates, at a high level, the concepts of the NIST Cybersecurity Framework. This framework is widely accepted as an industry best practice and the de facto standard for cybersecurity.
Who or what is the NIST?
NIST stands for the National Institute of Standards and Technology. NIST’s mission is to promote innovation and industrial competitiveness by providing information on numerous activities such as nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. To check out the website, use this link: www.nist.gov.
The cybersecurity framework is developed collaboratively by experts in the security field. Draft documents are published with open comment periods, which ensures that as many voices as possible have the opportunity to improve the document’s best practices.
Did you know that the FFIEC Handbooks are based on part of the NIST Cybersecurity Framework?
Banks might not be familiar with the NIST Cybersecurity Framework. However, it is already used in the FFIEC Handbooks that cover developing internal IT policies and procedures. Each item in the FFIEC IT Handbooks maps directly to the NIST Cybersecurity Framework. Also, the Cybersecurity Assessment Tool (CAT) promoted by the FDIC is based on the NIST framework. Each of the almost 500 maturity questions and the inherent risk profile is modified to represent a financial institution, but they all originate in the NIST Cybersecurity Framework.
There will be five more articles introducing the framework and giving an overview of each of the five different areas of the framework. This first article will focus on the five areas that the framework addresses – which are Identify, Protect, Detect, Respond and Recover.
Here is a high-level overview of each of these areas:
1. Identify
- Asset Management
- Business Environment
- Governance
- Risk Assessment
- Risk Management Strategy
- Supply Chain Risk Management
2. Protect
- Identity Management and Access Control
- Awareness and Training
- Data Security
- Information Protection Processes and Procedures
- Maintenance
- Protective Technology
3. Detect
- Anomalies and Events
- Security Continuous Monitoring
- Detection Processes
4. Respond
- Response Planning
- Communications
- Analysis
- Mitigation
- Improvements
5. Recover
- Recovery Planning
- Improvements
- Communications
The focus throughout the series is on developing best practices, but remember that there isn’t just one correct way to implement any of these concepts. Each bank is different! Banks have different cultures, risk appetites and products, and bankers say: “No other bank is like us.” The takeaway from these articles is not a checklist; rather, the articles aid the development of a pragmatic approach to understanding the components that should be reviewed, thought about, acted upon and implemented in a way that reflects the cybersecurity needs of your bank, products and customers.
The framework concepts apply to all IT policies, including, but not limited to, Vendor Management, Information Security, Incident Response, Disaster Recovery and, of course, GLBA.
Security is certainly about protecting the bank, but it goes further. What are your customers’ expectations? Customers expect their information to be protected. Stakeholders also have expectations. Does the level of effort put into cybersecurity match those expectations?
How do you match up to the best practices? That will be described in the upcoming articles. To begin a discussion about this or any of your IT concerns, you can contact Jim Baron at [email protected] or directly at 630-770-8982.