Several clients of mine have asked about adopting a threat information sharing policy to move towards baseline compliance in the FFIEC Cybersecurity Assessment Tool (CAT).
And while most of those clients are at least members of FS-ISAC (CERT is also mentioned in the CAT, and INFRAGARD is another good one), they weren’t sure why a policy would be necessary and what it would look like.
The wording in the tool is as follows (D1.G.SP.B.3):
The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. (FFIEC E- Banking Booklet, page 28)
This brief blog post is directed at answering the why and the what at a baseline level; these concepts can be described in a paragraph or two for smaller community institutions and can be elaborated on as size and complexity increases.
Why
Cybersecurity at Financial Institutions is rapidly changing that a subscription to applicable alerts is now so important to a solid information security program. These alerts should be used to:
- Apply proper controls to mitigate the threats
- Train staff on how to identify and respond to threats
- Discuss with the management team to promote awareness
What
For baseline maturity, these items should be addressed in the policy:
- Who should be a member of what entities?
- How should threat information be shared internally?
- How should threat information be shared to external parties? Who can the FI share with? Under what circumstances? What is the approval process? (the idea here is that management should have some control over what information is going out the door, to whom, and by whom)
Again, this can typically be addressed by just a paragraph or two for smaller institutions, and can easily grow for more complex organizations.
If you would like sample wording as a starting point, email me at chris@chrisbedel.com and I’ll send you a copy that you can edit and add to your information security policy.
Still haven’t completed the CAT? Click here.