Several clients of mine have asked about adopting a threat information sharing policy to move towards baseline compliance in the FFIEC Cybersecurity Assessment Tool (CAT).
And while most of those clients are at least members of FS-ISAC (CERT is also mentioned in the CAT, and INFRAGARD is another good one), they weren’t sure why a policy would be necessary and what it would look like.
The wording in the tool is as follows (D1.G.SP.B.3):
The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. (FFIEC E-Banking Booklet, page 28)
This brief blog post is directed at answering the why and the what at a baseline level; these concepts can be described in a paragraph or two for smaller community institutions and can be elaborated on as size and complexity increases.
Cybersecurity at financial institutions is changing so rapidly that a subscription to applicable alerts is now essential to a solid information security program. These alerts should be used to:
For baseline maturity, these items should be addressed in the policy:
Again, this can typically be addressed by just a paragraph or two for smaller institutions, and can easily grow for more complex organizations.
If you would like sample wording as a starting point, email me at chris@chrisbedel.com and I’ll send you a copy that you can edit and add to your information security policy.