The revised version of FINMA circular 2008/21 (FINMA is the Swiss Federal supervisor of the financial market) has been in force since July 2017 and provides guidance on how to handle electronic client data; among the new items is the explicit requirement of a risk management concept addressing cyber-risks. Specific parts of the regulation are strongly oriented toward NIST's Cyber Security Framework (CSF). This is reason enough to take a closer look at this standard in our Cyber Security Blog, independently of any specific industry.
5 functions – 360° coverage for your cyber security
The Cyber Security Framework was published as early as 2014 by NIST, the National Institute of Standards and Technology, a Federal agency of the USA. Initially conceived as a protection scheme for critical infrastructures, the CSF quickly spread in the private sector as the customary standard for dealing with cyber-risks. Not least because the standard's stepwise approach – five functions and the categories related to each – is easy to understand and at the same time very concrete, with specific technical and organisational measures. At the highest level, the CSF bundles the five underlying functions in the domain of cyber security. Read on to learn what these functions offer in concrete terms, and why you should go deeper into the subject.
The first function deals with developing a specific understanding of the enterprise itself and of its organisation. The focus lies in the identification of business-critical systems, data and functions. Unless an enterprise knows where its "Crown Jewels" lie, it can hardly hope to protect them adequately. Thus, "Identify" is the absolute foundation of all following building blocks of the CSF. Basically, Identify deals with the identification of enterprise-relevant information and the related threats. Do you know what they are in your own enterprise? You should ask yourself the following questions:
- Where are your data?
- Who is using them?
- What is their value?
- How are they protected at this time?
- Can they be attacked?
- If so, where from?
Once the critical systems and functions have been identified, we can take care of the development and implementation of adequate protective countermeasures. The "Protect" function supports the ability to limit and contain the effects of a possible cyber-security incident, while taking into consideration technologies, processes and the workforce. The area can be subdivided as follows – and our cyber-security experts will also deliver to you a selection of possible controls and suggestions:
- Access processes and access protection: develop a role-based access rights concept
- Perimeter security: you need a painstaking, periodic revision of your firewall rules
- Endpoint security: this is where we suggest an adequate antivirus solution, one that matches your requirements
- System hardening (based on best practice) and maintenance, which means change and patch management
- Encryption and data security, which means "Data at Rest & Data in Transit": find out which encrypted communication protocols you need
- Awareness and training for your employees: security awareness events or live hacking shows are proven methods for demonstrating how threats play out
The third of the five functions is the first that offers a relatively new perspective on cyber security. Traditional approaches often focus on the "Protect" domain, the slogan being "protection against threats from the outside". However, our experience shows that present-day enterprises must assume that they have already been the target of a – most often successful – attack, or that they will soon become one.
And how does an enterprise get to know whether it has already been infiltrated? This is exactly where "Detect" comes in; it consists of developing and implementing the capabilities to identify a possible incident. For instance, this may be done by monitoring the internal infrastructure for security-relevant events, and in a second phase analysing the identified events by correlation and aggregation.
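The two phases just described – collecting security-relevant events, then aggregating and correlating them – can be illustrated with a small detection routine. The following is an added example written for this post, not code from the original article or from InfoGuard; the SSH-style authentication log lines are constructed sample data, and the threshold (five failures within one minute before a successful login) is an assumed tuning value. It aggregates failed logins per source address and correlates a later successful login from the same source with the preceding burst of failures, which is the kind of pattern a monitoring pipeline would raise as an incident candidate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original page): SSH-style
# authentication messages as a monitoring pipeline might collect them.
SAMPLE_LOGS = """\
2024-01-10T08:00:01 host1 sshd: Failed password for admin from 203.0.113.7
2024-01-10T08:00:03 host1 sshd: Failed password for admin from 203.0.113.7
2024-01-10T08:00:05 host1 sshd: Failed password for admin from 203.0.113.7
2024-01-10T08:00:06 host1 sshd: Failed password for root from 203.0.113.7
2024-01-10T08:00:09 host1 sshd: Failed password for admin from 203.0.113.7
2024-01-10T08:00:20 host1 sshd: Accepted password for admin from 203.0.113.7
2024-01-10T08:01:00 host2 sshd: Failed password for alice from 198.51.100.4
2024-01-10T08:05:00 host2 sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Phase 1 (monitoring): turn raw lines into structured events.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def aggregate_failures(events, window=timedelta(minutes=1)):
    """Aggregation: for each source address, the highest number of failed
    logins that fall inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failed":
            by_src[e["src"]].append(e["ts"])
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        best = 0
        for i, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            best = max(best, i - start + 1)
        peaks[src] = best
    return peaks


def correlate_success_after_failures(events, threshold=5, window=timedelta(minutes=1)):
    """Correlation: an Accepted login from a source that produced at least
    `threshold` failures within `window` before it is flagged as a possible
    brute-force success. Threshold and window are assumed tuning values."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failures seen so far
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["outcome"] == "Failed":
            failures[e["src"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "src": e["src"], "user": e["user"], "host": e["host"],
                "failures_before_success": len(recent), "ts": e["ts"],
            })
    return alerts


def run_detection(text=SAMPLE_LOGS):
    """Run both phases over a log text and return (aggregates, alerts)."""
    events = parse_events(text)
    return aggregate_failures(events), correlate_success_after_failures(events)


if __name__ == "__main__":
    peaks, alerts = run_detection()
    print("peak failures per source within one minute:", peaks)
    for a in alerts:
        print(f"ALERT: {a['failures_before_success']} failures then success for "
              f"{a['user']}@{a['host']} from {a['src']} at {a['ts']}")
```

On the sample data, the source 203.0.113.7 produces five failures in a few seconds followed by an accepted login and is flagged; 198.51.100.4 fails once and then succeeds, which stays below the threshold and yields no alert. In a real deployment the same logic would sit behind a log collector and the threshold would be tuned against the enterprise's own baseline of failed logins.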
Once a cyber-attack has been detected, it is important to be able to react as fast as possible, so that on the one hand its effects are understood and on the other they are quickly reduced to a minimum. The core competences of "Respond" include:
- Reaction planning
- Communication and coordination
- Attack analysis and mitigation
After an attack, the enterprise must be able to return to its standard "Modus Operandi". Systems and data affected by the attack must be restored to their previous state; the continual improvement process must not be forgotten either. The enterprise must be able to draw important lessons from each incident in order to improve and optimise its future security.
NIST CSF Gap Assessment – an InfoGuard Security Consulting Service
Determining one's own status quo in the five functions, identifying strengths and weaknesses, and deriving a strategic direction with a concrete implementation plan is a challenge, and not just for smaller enterprises.
This is exactly what InfoGuard's consulting team can do for you – and of course much more. We analyse your current situation and determine your maturity level relative to a defined target and/or the average of the industry you belong to. Then we collect and represent your strengths and weaknesses in a risk heat map, and define concrete measures to reduce potential weaknesses. With the broad know-how and experience of our cyber-security consultants, we can support you in the implementation of these concrete measures. Get in touch with us – we shall be pleased to assist you!