Cyber security is an increasing concern for every business. And especially for banks who held a lot of confidential data and transaction details, it is utmost important for banks to have required cyber security solution and processes at the place.
Many regulatory bodies like RBI in India, FFIEC in U.S., monetary authority of Singapore (MAS), etc. have made it compulsory for banks to follow some specific guidelines and created the frameworks to help them in finding the gaps in the existing system.
In this article, I will be covering some of the top security frameworks for the banks around the globe.
FFIEC stands for Federal Financial Institutions Examination Council. FFIEC has taken numerous initiatives to raise the awareness of the cybersecurity risks and the need to identify, assess, and mitigate these risks among financial institutions and their critical third-party service providers.
In June 2013, the FFIEC announced the creation of the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and help in strengthening the activities of other interagency and private sector groups related to cyber security by assessing and enhancing the state of the industry preparedness and identifying gaps in the regulators' examination procedures and training.
The National Institute of Standards and Technology (NIST) is a measurement standards laboratory and a non-regulatory agency of the United States Department of Commerce with a mission of promoting innovation and industrial competitiveness.
The NIST Cybersecurity Framework provides a common language and mechanism for organizations to:
1) describe current cybersecurity posture;
2) describe their target state for cybersecurity;
3) identify and prioritize opportunities for improvement within the context of risk management;
4) assess progress toward the target state; 5) foster communications among internal and external stakeholders.
The Interesting thing about NIST Cybersecurity Framework is that it complements, and does not replace, an organization’s existing business or cybersecurity risk management process and cybersecurity program. Rather, the organization can use its current processes and leverage the NIST Cybersecurity Framework to identify opportunities to improve an organization’s cybersecurity risk management. It also provides a consensus description of what's needed for a comprehensive cybersecurity program.
CBEST vulnerability testing framework is an intelligence-led testing framework, which was devised by the UK Financial Authorities in conjunction with CREST (the Council for Registered Ethical Security Testers) and Digital Shadows.
The official launch of CBEST was done on 10 June 2013.
CBEST uses intelligence from government and accredited commercial providers to identify potential attackers to a particular financial institution. It then replicates the techniques these potential attackers use in order to test the extent to which they may be successful in penetrating the defenses of the institution, allowing a firm to understand where they are vulnerable and prepare and implement remediation plans.
The aim of this framework is to assist the boards of financial firms and infrastructure providers, and regulators, in improving their understanding of the types of cyber-attack that could undermine financial stability in the UK, and the extent to which the UK financial sector is vulnerable to those attacks.
PHIS (Privately Held Information Systems) are defined as computer systems that are owned by organisations, both public and private, and that contain private data collected from their customers.
The CIPHER framework addresses digitalised types of information, electronic systems, and means for data exchange, processing, and maintenance (not paper documents).
The main objective of the CIPHER methodological framework is to propose a set of methods and best practices for cyber security of Privately Held Information Systems (PHIS).
The key characteristics of the CIPHER methodological framework are:
- Technology independent (versatility) – This means applicable for every organisation operating in every domain, can be applied even if technologies are getting older or are replaced by new ones.
- User-centric – explicitly focuses on the key users, namely: PHIS owners, PHIS developers, and citizens.
- Practicality –lists practical guidelines and controls to follow in order to enhance or check if the organisation is protecting the data from cyber threats.
- Easy to use and user-friendly – not requiring a special expertise from organisations and individuals.
Some of the other security frameworks which may be useful for CISOs who are implementing cyber security guidelines, are as following:
There are frameworks issued by the local regulatory bodies of a country like Reserve Bank of India (RBI) issued cyber security framework in banks, Technology Risk Management (TRM) Guidelines by Monetary Authority of Singapore (MAS), Cybersecurity Fortification Initiative by Hong Kong Monetary Authority (HKMA). You can find the overview of these frameworks as following:
Information security talks about the confidentiality, integrity, and availability of information. While cyber security means securing the information from the cyber-attacks in the cyber world. These two words are very confusing and people use them synonymously. To find the difference between these words you can refer “Cyber security vs. Information security” article.
RBI has mandated banks to follow specific guidelines based on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (G.Gopalakrishna Committee) vide Circular DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011.
As per the guidelines, measures suggested for implementation cannot be static and banks need to pro-actively create/fine-tune/modify their policies, procedures, and technologies based on new developments and emerging concerns.
You can refer our article “Key takeaways from RBI cyber security framework” for the highlights of the RBI cyber security framework.
TRM Guidelines published by The Monetary Authority of Singapore (MAS) has a strong regional and global impact. These guidelines are not just limited to banks.
Types of organizations included are:
- Finance Companies
- Insurance Companies
- Financial Advisers
- Securities Exchanges
- Futures Exchanges
- Clearing Houses
While these Guidelines are not mandatory, they do provide good direction to financial institutions on tackling cybersecurity and cyber threats.
Cybersecurity Fortification Initiative (CFI) is being pursued by the Hong Kong Monetary Authority (HKMA) in collaboration with the banking industry.
To enhance the cyber resilience of the banking sector, the HKMA has been working closely with the banking sector to develop the CFI, which is underpinned by three pillars outlined below
- Cyber Resilience Assessment Framework: It is a risk-based framework for Authorized Institutions to assess their own risk profiles and benchmark the level of defence and resilience required for appropriate protection against cyber attacks.
- Professional Development Programme: It seeks to increase the supply of qualified professionals in cybersecurity domain.
- Cyber Intelligence Sharing Platform: It provides an effective infrastructure for sharing intelligence on cyber attacks.
I hope this article has helped you to know some of the best frameworks for banking industry around the globe. This article might be useful for people who want to implement cybersecurity framework and do risk assessment in their organizations.