1 min read

Creating a Simple Threat Information Sharing Policy to Achieve Baseline Compliance

Chris Bedel : May 18, 2016

Uncategorized

Several clients of mine have asked about adopting a threat information sharing policy to move towards baseline compliance in the FFIEC Cybersecurity Assessment Tool (CAT).

And while most of those clients are at least members of FS-ISAC (CERT is also mentioned in the CAT, and INFRAGARD is another good one), they weren’t sure why a policy would be necessary and what it would look like.

The wording in the tool is as follows (D1.G.SP.B.3):

The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. (FFIEC E- Banking Booklet, page 28)

This brief blog post is directed at answering the why and the what at a baseline level; these concepts can be described in a paragraph or two for smaller community institutions and can be elaborated on as size and complexity increases.

Why

Cybersecurity at Financial Institutions is rapidly changing that a subscription to applicable alerts is now so important to a solid information security program. These alerts should be used to:

  • Apply proper controls to mitigate the threats
  • Train staff on how to identify and respond to threats
  • Discuss with the management team to promote awareness

What

For baseline maturity, these items should be addressed in the policy:

  • Who should be a member of what entities?
  • How should threat information be shared internally?
  • How should threat information be shared to external parties? Who can the FI share with? Under what circumstances? What is the approval process? (the idea here is that management should have some control over what information is going out the door, to whom, and by whom)

Again, this can typically be addressed by just a paragraph or two for smaller institutions, and can easily grow for more complex organizations.

If you would like sample wording as a starting point, email me at chris@chrisbedel.com and I’ll send you a copy that you can edit and add to your information security policy.

Still haven’t completed the CAT? Click here.
CISA’s Cybersecurity Performance Goals: A New Opportunity for Community Financial Institutions

CISA’s Cybersecurity Performance Goals: A New Opportunity for Community Financial Institutions

Trisha Durkin : Jan 16, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) recently released its Cybersecurity Performance Goals (CPGs) Adoption Report,...

CAT Cybersecurity Risk Management CISA CPGs
Read More

FDIC Article Provides Insights on Where to Focus Your Efforts on Cybersecurity

Chris Bedel : Feb 10, 2016

It’s no secret that Governance, Threat Intelligence, Security Awareness Training, and Patch Management are all part of a solid cybersecurity program,...

Uncategorized
Read More

Community Bank CISO: New IT Booklet Calls for More Strategic Role

Chris Bedel : Dec 16, 2015

The role of the community bank ISO has seen some changes over the years. The position at one time was thought to only be applicable to the big banks....

Uncategorized
Read More