I recently had the chance to have some lengthy, and very valuable, discussions with a DFI IT Examiner on current areas of focus for them.
Wait... before you roll your eyes: he knew his stuff, with a lot of IT experience and the security certifications to go with it (CISSP & CISA).
He was taking a very operational approach, meaning that he was looking for controls in practice, rather than the wording in policies. He focused on securing the information, rather than just complying with the regulations.
His 5 areas of focus:
- Know your assets and assess the risks (everything starts here)
- Patch your systems
- Test for vulnerabilities - and he was very clear that he likes to see true penetration tests, not just vulnerability scans AND he likes to see internal penetration testing (which we said back in 2016 in this article)
- Encrypt data in transit and at rest - with further focus on encryption of servers and workstations
- Train your users. Train your board members (as they are ultimately and legally responsible)
Obviously, these weren't the only things reviewed in an InTREx exam, but they seem like a great place to start (and they make a great Friday 5!)