Cyber Talk: How to Implement Cybersecurity Frameworks

Hello. My name's Allen North. I'm an officer at the Federal Reserve Bank in St. Louis. I want to provide a brief introduction to our most recent video series, Cyber Talk, and encourage you to watch these videos focusing on managing this key risk facing banks of all sizes.

It seems like we hear of new attacks daily and potential threats that have to be considered. For many bankers, the task of determining whether the bank is secure is daunting, and the prospects for an attack or breach is high. The question is not if an attack will occur, but when it will occur, and will we be ready?

But how do we truly know we're ready? While banks have relied on technology for years, and management understands the need for controls, technical controls—specifically cybersecurity controls— can be especially difficult. Due to competitive pressures for IT expertise, some banks lack the technical resources to identify specific controls that may be needed.

The effectiveness of technical controls can be difficult to assess, and identifying return on investment once a control’s been implemented is extremely challenging. Many community bankers rely on one person or a small team of IT experts to ensure the bank's information is secure and safe from cyber-attacks. Unfortunately, this may not be enough to keep up with the current dynamic environment, which involves rapidly changing technology advances and the multitude of threats.

In this series, we'll look at some practical methods and common language that every bank can use, regardless of the size or complexity. The Cyber Talk series will provide a method to not only understand the current cybersecurity posture or status of the bank, but will also give suggestions to educate non-technical directors and provide a way to gauge progress in establishing additional controls for future development. We'll begin in the second video by providing a description of cybersecurity framework and why it's the best approach for assessing the current state of your bank's cybersecurity. The framework will provide a mechanism to not only gauge the current state, but will assist in developing controls as the bank's IT environment matures and increases in complexity.

The third video focuses on the fundamentals of controls. We discuss why establishing at least baseline controls is essential and will introduce the concept of basic cyber hygiene.

In the fourth video, we discuss ways to identify control gaps by conducting a gap analysis. Identifying these gaps are critical because the bank is only as safe as its weakest control. Specifically, we'll cover how to perform a technical control gap analysis and expectations for the overall quality of that analysis.

The fifth video provides options for filling those identified gaps. In this video, we'll discuss the pros and cons of filling gaps in-house versus outsourcing, and we'll talk about managed services and third-party risk. Finally, fintech can be a beneficial option, but bankers have to understand the heightened risks and adequately prepare for these arrangements.

The last video summarizes how to take what we've learned about our cybersecurity posture and report that information to the board of directors in a meaningful but easy-to-understand way. We talk about the types of reports that can be useful on how best to present that to the board.

In closing, the Federal Reserve System strives to provide useful information to bankers about current risks and emerging trends. We hope you enjoy the series and it provides you with the necessary tools to answer the question: how is the bank doing in terms of cybersecurity?

Hello. My name is Matt Case, and I'm a senior examiner with the Federal Reserve Bank of St. Louis. Welcome back to video two of our Cyber Talk series. In this video, we will show why it is critical to consider using a cybersecurity control framework in your IT security program. First, let's define a few terms that we will be using throughout this video series.

Cybersecurity posture. This term, NIST defines as the security status of an enterprise's networks, information, and systems based on information assurance resources and capabilities in place to manage the defense of the enterprise and to react as the situation changes. The next term, IT estate. This encompasses all components of an organization's IT program, regardless of the geographic location or logical separation.

In developing a cybersecurity program, the goal is to gain a strong understanding of what the bank's cybersecurity posture really is and to develop a plan to maintain and increase that security posture into the future. In following videos, we will discuss the process necessary to determine the cybersecurity posture and how to report it to the board of directors. Often, I have asked bank management to identify the IT assets located across their IT estate which they would be okay with being compromised. Of course, the answer I always hear back is that there are no IT assets which the bank would be okay with being compromised.

This means that the entire IT estate must meet a minimum baseline standard of security. We refer to this baseline as a basic cyber hygiene. We reach this basic cyber hygiene by utilizing a reliable, industry-accepted technical control framework specific to cybersecurity controls.

Now, the formal adoption and implementation of this framework provides several benefits, including the following. One, helping management identify gaps in the bank's control structure which may not be currently covered. Two, providing a measured approach to determine a bank's current level of control implementation in comparison to their chosen cybersecurity framework. Three, providing a means in which to educate the board on the cybersecurity posture of their bank in a way that is understandable, regardless of the director's experience in information technology. And four, assisting the board in identifying the areas where resources need to be allocated to achieve a stronger cybersecurity posture.

As with most other industries today, the financial sector is wrestling with a lack of experienced information security professionals available in the marketplace. This means that banks will likely continue to struggle in not only understanding the true measure of the risks to their networks, but also in determining which controls to implement. The cybersecurity framework goes a long way in filling this knowledge gap within the bank staff. There are a few different cybersecurity control frameworks for banks to consider, but, for purposes of this video series, we will focus on the Center for Internet Security's top 20 critical controls. Join us for our next video as we dig deeper into this prioritized list of security controls and begin to understand the process needed to align our security control structure with this and other methodologies.

Hello. My name is Carey Sharp. I'm a senior examiner here at the Federal Reserve Bank of St. Louis. In the previous video, we discussed cybersecurity frameworks, what they are, and how they are utilized. In this video, we'll take a look at the fundamentals of controls.

Establishing a baseline of cybersecurity controls is an essential concept. Without a foundation to start from, understanding how to build controls can be a daunting task. It's really all about structure. That's where cybersecurity frameworks, which we covered in video two of this series, really make an impact.

Controls need to be established with rigor and authority. Adopting a framework gives you that necessary structure or rigor, as well as the tone from the top—the authority to enforce it. It is also important to understand that a baseline is a fundamental, or foundational, level of controls necessary for any enterprise. Remember, these critical controls should be established prior to any sort of risk assessment evaluation. They are fundamental.

A common term used in the world of IT and cybersecurity is basic cyber hygiene. In order to keep everyone on the same page, we need to define this term. The Center for Internet Security and the Council on Cybersecurity defines cyber hygiene as a means to appropriately protect and maintain IT systems and devices and implement cybersecurity best practices.

To help break this down even further, let's think about cyber hygiene in more tangible terms. Oral hygiene—brush twice a day, floss, et cetera—is foundational to good health. Cyber hygiene is foundational to good network health.

The Center for Internet Security further defines basic cyber hygiene as critical security controls 1 through 6. These are the first six controls within the top 20 controls. Let's explore these basic cyber controls a bit further.

Control 1 is inventory of hardware. You need to know the devices connected to your network. Number 2 is inventory of software. You need to know and approve the applications that are running on your devices.

The third basic control is vulnerability management, commonly called patch management. Applications are constantly updated for security and feature sets. You need to scan your environment and apply patches and updates as necessary. It's kind of like washing your hair. Wash, rinse, and repeat. It's a never-ending cycle.

Control 4 is administrative privileges. These are typically user accounts that have the keys to the kingdom, if you will. Access to high-level user accounts should be restricted and monitored closely.

Secure configurations is control number 5. Harden the inside of the network in the same way you harden and restrict the perimeter, that is, your firewall. Lastly, control number 6 speaks to audit logs. Keeping watch on the environment 24/7, 365, can help identify issues before they become breaches or aid in putting the pieces back together in the event of a breach.

Now, to better illustrate the criticality of these controls, let's examine the Equifax breach from 2017. The breach occurred through a security flaw in a server software application. The security patch that addressed the flaw was available two months prior to the breach. However, this wasn't a failure of the vulnerability management control.

No, ultimately, it was a failure of control number 2, software inventory. Equifax's IT team was unaware that this particular application was even running in their environment. So, remember, you can't secure what you don't know you have. It really doesn't get much more basic than that.

Now, a simple way to think about cyber controls is to put them in terms of physical controls. All of your financial institutions have physical safeguards, like locked doors and vaults, alarm systems, et cetera. Now, tell me: Which doors in your bank are okay to leave unlocked? I'm going to guess the answer is none.

Which alarms can you ignore? Again, I'm going to say none of them. You see, security is the same, whether we're talking about physical or cyber. The difficulty is that you can't necessarily see the cyber controls like you can the physical controls. Join us next time as we define the term gap analysis and work towards identifying the gaps in cyber controls.

Hello. My name is Matt Case, and I'm a senior examiner with the Federal Reserve Bank of St. Louis. Welcome back to video four of our Cyber Talk series. In this video, we will talk through the steps needed to identify your bank's technical control gaps.

At this point in the series, the bank has identified and adopted a technical control framework and realizes its need to establish a basic cyber hygiene across its IT estate. Throughout the framework adoption process, executive management should have also communicated to the board of directors that the new framework is now the standard upon which the IT security control structure will be measured. What bank executives need to understand is that when they are asked, how are we doing on cybersecurity, they're really being asked, are we secure or not?

In the world of IT, determining whether or not a bank's IT assets are secure is somewhat of a moving target as technology and its associated risks change at a dramatic pace. It leaves management saying, well, we haven't knowingly been compromised, so I guess we're secure. As mentioned in the previous video, it is easier to see and understand weaknesses in physical security controls because they are typically out in the open. Door locks, alarm systems, and vault security mechanisms are all examples of physical controls which can commonly be seen.

The technical control gap analysis provides the bank with a standard process by which they can determine the level of implementation of those cybersecurity controls which they cannot normally see. So, this next step will be the comparison of the controls stated within the framework against the bank's current set of cybersecurity controls. This process is referred to as a control gap analysis.

Now, during this phase, the goal is to identify gaps in the security control structure, and the final output of this process is what we consider to be the cybersecurity posture of the bank’s IT estate. Additionally, when filling the bank's identified control gaps, it should be understood that it is also increasing its overall cybersecurity posture. Remember, the board of directors needs to be aware of the necessity for this gap analysis and be provided a level of expectations in which to rely on the analysis's product.

Once the results are reported to the board, the next step will be action in the form of resource allocation to fill the gaps which were identified during the review. Regardless of the size and scale of operations, all banks should consider utilizing a control gap analysis when analyzing their information security and cybersecurity programs. Following this process can provide the bank with a strong understanding of where they stand in terms of their cybersecurity controls. This leads us into our next video, which will walk through the steps needed to fill the gaps identified during the review.

Hello. My name is Carey Sharp. I'm a senior examiner with the Federal Reserve Bank of St. Louis. In the previous videos, we discussed cyber security frameworks (what they are and how they are utilized), fundamentals of controls, basic cyber hygiene, and identifying gaps—how to figure out where our security gaps might be. And in this video, we'll take a look at how to fill those gaps.

Many institutions utilize a mix of in-house and outsourced IT services. When it comes to cybersecurity controls, it is important that each institution understand what options are available to them. Do you have the talent and knowledge on staff currently? If not, can you attract the talent to your market or location? Being self-aware of your capabilities and limitations is essential in answering these questions.

Next, you should understand what best fits your organization. Do you currently outsource some or all aspects of IT? Again, that self-awareness factor is key. Lastly, cost. Cost should not be the overriding factor. The cheapest option isn't necessarily the best option when it comes to cybersecurity.

Managed Security Service Providers, or MSSPs, are often seen as a way to implement stronger controls. While these types of firms can provide significant resources, you should weigh the advantages and disadvantages of outsourcing to these entities. Advantages include knowledge. They will typically have a larger talent pool to draw from and will be able to keep up with the latest security trends.

Scalability. Typically, MSSPs can easily expand with the growth of your institution. 24/7, 365 security monitoring. Hackers don't take a day or night off, plus MSSPs can provide potentially faster response times. Disadvantages include the loss of control over how and when things get done. Also, responsiveness can potentially be diminished if you are a small client of a large MSSP. These are factors all institutions should weigh when making this type of decision.

Of course, this discussion would be incomplete without talking about third-party risk. Third-party or vendor management risk increases as you rely more and more on outsourced services, especially those as critical as cybersecurity. Monitoring of the vendor's activities via reports, both point-in-time and real-time, become a necessary critical function of your in-house staff. Just because someone else does the function for you doesn’t mean you transferred the risk. The bank always owns the risk.

Finally, let's spend a moment with one of the trendiest topics of today: fintech. Fintech covers many types of financial products and services. When engaging with these types of firms, it is important you understand how and what data might be accessed by them. Additionally, security should be a key consideration. This is the same as it would be with any new product or service you might introduce.

Fintech, in simple terms, is really heightened vendor and model risk management. Although fintech is a fairly new concept, vendor and model risks are well known. Institutions should always know their vendor and should be risk aware of how they interact with them. Join us next time as we wrap up this video series by answering that age-old question: how are we doing on cybersecurity?

Hello, my name is Matt Case, and I'm a Senior Examiner with the Federal Reserve Bank of St. Louis. Welcome back to video six of our cyber talk series. In this video, we will wrap up the previous discussions and answer that looming question of, how is the bank doing on cybersecurity?

One of the great benefits gained from the adoption of a technical control framework is that it gives us a methodology by which we can measure and report on technical security controls. As we mentioned earlier in the series, reporting on the cybersecurity posture in a way that is digestible to non-technical personnel has been a considerable challenge, yet the goal is certainly achievable.

In video four, we discussed the need to perform a technical control gap analysis when considering reports. Let's start by taking the output of that analysis and present it in a way that is familiar with our target audience. For technical staff, control specifics are appreciated and should be easily digestible. Therefore, details about configurations and other granular topics are going to be necessary items to include in the report, and we'll provide the information needed for them to perform their jobs. For executive management, a more summarized and prioritized report would be appreciated. Executive management needs to understand details, but typically only as it relates to the overall cybersecurity program. These reports should help to support the information security strategy that they have put together, and the projects they have identified within that strategy that will increase the cybersecurity posture of the bank.

For the board of directors, it is best to consider limiting technical jargon and focus on information that will help them with their job function. The board is concerned with oversight of the bank. And when the IT managers determine it is necessary to spend capital on cybersecurity controls, a report to show the accountability of the spend will be very helpful.

Of course, there are a number of different ways in which to present the necessary information. However, for the purposes of this series and in keeping with our CIS top 20 example, we are going to highlight a report approach that identifies each of the top 20 controls.

After the control gap analysis is complete, it will be necessary to determine how best to report this information in a way that is digestible to executive management and the board. One way to do this is to identify each of the CIS top 20 controls on a spreadsheet, and then correlate the level of implementation of each control across the bank's IT estate.

Here in our example, we report the percentage of implementation for each control within the basic cyber hygiene. Providing the information in this way will support the cybersecurity program in the following ways. First, it shows the level of implementation for each critical control. Providing this level of implementation through a bar graph that is based on percentage completed is easily digestible and understood by even non-experienced personnel.

Next, as resources are implied to increase the level of implementation of each control, accountability of that capital spend is easily reported within the same graph. Since this is a list of prioritized controls, it is also easier for executive management and the board to understand the status of the bank's cybersecurity posture as long as they also understand that the framework implementation equates to a stronger set of controls.

Next, it makes it easier to correlate information security strategy projects to specific areas of the cybersecurity program and provides the CISO with the mapping that he or she needs to report on the necessity of those projects. Finally, it gives a visual representation to the security status of the bank's IT estate. This is critical when executive management intends to answer the question, how are we doing on cybersecurity?

Throughout this series, we have attempted to show that there is a methodical approach that banks can take to implement the critical controls it takes to secure their IT estate. This plan can be tailored to any institution regardless of its size and scale of operations. Remember that creating actionable, repeatable, systematic processes will help to ensure a consistent application of security standards, and will help to build a strong basic cyber hygiene, reporting the output of a thorough control gap analysis.

We'll provide executive management and the board with a better understanding of just how secure their networks really are, and help support the requests for resource allocation. We hope the series has been beneficial for your financial institution, and we appreciate your time to go through it with us.