The FDIC Cyber Security Framework
The NIST (Institute of Standards and Technology) defines cyber security as “the process of protecting information by preventing, detecting and responding to attacks.” In 2013, the President Barack Obama issued Executive Order 13636 “Improving Critical Infrastructure Cyber Security”, delegating the development of a cyber security framework to NIST.
The framework they developed serves as a set of consensus standards and industry best-practices and guidelines to ensure the cyber security of corporations and institutions. Noting the insurmountable threats financial institutions have been suffering lately, the FDIC (Federal Deposit Insurance Corporation) released a framework of their own late last year.
Cyber Attacks and the Ever-Present Skill Gap
The FDIC Framework for Cyber Security outlines potential risk factors, training guidelines, patch-management programs, and regulatory response resources for financial institutions. In order to combat cyber crime, the FDIC prescribes cybersecurity awareness campaigns, comprehensive patching programs, risk-management programs and corresponding controls in order for financial institutions to mitigate threats.
There are three common types of cyber security threats facing financial institutions today:
- Malicious Software (Malware)
- Distribution of denial-of-services (DDoS)
- Compound Attacks
The most frightening aspect of potential cyber attacks is that the kind and scale of attacks are rapidly evolving. The FDIC urges banks’ security programs to evolve as the threat landscape changes saying “An effective information security program is not static and should be regularly evaluated and updated.”
This brings us to a buzzword in the field, often mourned by cyber security professionals and institutions looking for effective security programs and task forces: the cyber security skill-gap. Many institutions are hesitant about spending the time and money required to implement successful programs and the amount of experts who can put together such programs are insufficient. Even if institutions make an effort to prevent cyber attacks with Corporate Governance, Threat Intelligence, Security Awareness Training and Patch-Management Programs (all urged by the FDIC Framework) an expert in the field is required to consult the development of these programs and procedures and essential to combatting attacks.
The Four Components of a Successful Security Program
With the help of trained professionals, financial institutions can implement programs to meet the aforementioned four components of traditional security programs.
1. Corporate Governance:
Executive management and board members need to oversee programs to protect data and assets, establishing a corporate culture which will nurture awareness of potential risks.
2. Threat Intelligence:
Monitoring and maintaining sufficient awareness of threats and vulnerability information to evaluate risks and allow for fitting responses. Financial institutions should have a program in place which can gather and analyze information about vulnerabilities and threats to develop understanding to arrive at “actionable intelligence”
3. Security Awareness Training:
Cybersecurity training programs should highlight the importance of preventing cyber attacks of all kinds, across all business lines and functions. It is imperative that all staff members, from entry-level to board of directors, participate in mandatory cybersecurity awareness training. Consistent training mechanisms should be in place to keep the staff up to date with current trends in cyber crime as well as keep discernment on the forefront of everyone’s minds.
4. Patch-Management Programs:
An effective patch-management program includes written policies and procedures which prioritize, test and apply patches urgently. This program should use information received from threat intelligence sources and require regular, standard reports to the institution’s board and senior management of metrics on the status of the program.
The FDIC Framework for Cyber Security also includes a long list of resources to help aid institutions in getting their cyber security protocol up-to-snuff, refer to page 9 of the framework for their list of resources.
Looking for a well-rounded and cost effective way to train your employees in cyber security awareness? We have recently launched a new academy just for you! Check out this video and go to DataSecurity365.com to see what your organization needs to know.