FDIC Article Provides Insights on Where to Focus Your Efforts on Cybersecurity

by Chris Bedel | Feb 10, 2016

It’s no secret that Governance, Threat Intelligence, Security Awareness Training, and Patch Management are all part of a solid cybersecurity program, but could they be getting more attention in your next regulatory examination?

The article, “A Framework for Cybersecurity” by Michael B. Benardo and Kathryn M. Weatherby, appeared in the Winter 2015 issue of the FDIC’s Supervisory Insights, and can be found here.

It’s written so that it could be handed to executive management or board members as a summary of today’s cyber landscape (it even describes phishing and DDoS in layman’s terms), and it does a good job of addressing bank cybersecurity at a high level. I’d recommend giving it a look.

What caught my attention is in the second section (page 5 for those of you following along), where it calls out four critical components of addressing cyber risk:

"When designing a cyber risk control structure, four components of traditional information security programs are critical: Corporate Governance, Threat Intelligence, Security Awareness Training, and Patch-Management Programs."

Alright. Nothing too earth-shattering…

I would definitely include those four components when designing a cybersecurity program. But after completing the FFIEC Cybersecurity Assessment Tool several times with my best clients, I KNOW there is far more to cybersecurity than just that!

In describing those four components as critical, is the FDIC (or at least the authors) suggesting that Governance, Threat Intelligence, Awareness Training and Patch Management are all you need for bank cybersecurity?

No way.

But maybe what they are saying is that these four components are the FDIC’s areas of focus for now in its efforts to help banks improve their ability to address cyber risk. (You know the old saying: “How do you eat an elephant? One bite at a time.” Well, maybe it should be: “How do you get banks more serious about cybersecurity? Four critical components at a time.”)

And if that’s the case, it’s highly likely that your next IT examination will include heavy focus on those areas.

Just to be clear, and to make this article more useful than my merely speculative ramblings, here are some of the things the FDIC is looking for in each component:

  • Governance – Cybersecurity should be a top-down priority that involves the entire organization, not just IT. Your board and executive management should be involved. If you’ve completed the Cybersecurity Assessment Tool, presenting the results to the board, along with the FFIEC’s overview of the tool, is a great place to start.
  • Threat Intelligence – I’ve had a colleague tell me that the CNOP membership at FS-ISAC is the best route for community banks, because it’s free and it only sends you the critical alerts, saving you from sorting through everything else. The article also references subscribing to alerts from https://www.us-cert.gov/
  • Security Awareness Training – All staff should be getting regular (at minimum annual) training on phishing, malicious links, malware, and the proper escalation path for events and incidents. Just walking staff through your security policies doesn’t cut it any longer. They don’t just need to know the rules; they need to be aware of the threats.
  • Patch Management – Maintain an asset inventory. Develop a policy that defines who is responsible for patches, how quickly patches will be installed based on priority, and how patches will be tested before installation. Regular vulnerability scanning and a patch-audit tool such as Microsoft Baseline Security Analyzer (MBSA) for Windows hosts are good ways to determine the effectiveness of your patch management program; comparing what the scanner finds against the inventory also exposes systems nobody is patching because nobody knew they existed.

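As an added example (not from the FDIC article or this post), here is what those patch-management expectations look like once they are turned into a repeatable check an examiner could be shown: an asset inventory with a named owner per host, a priority-to-deadline policy, install records, and vulnerability-scan findings cross-checked against both. The inventory, advisory IDs, dates and scan findings below are constructed, and the SLA day counts are an assumed policy, not anything the FDIC or FFIEC prescribes.

```python
"""Patch-management compliance check over an asset inventory.

Constructed example: the hosts, advisory IDs, install records and scan
findings are made up, and SLA_DAYS is an assumed policy, not a regulatory
requirement.
"""
from datetime import date, timedelta

# Assumed policy: days allowed from advisory release to installation, by priority.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Date the report is run (constructed).
AS_OF = date(2016, 2, 10)

# Constructed asset inventory: every host has a platform and a responsible owner.
INVENTORY = {
    "dc01": {"owner": "sysadmin", "platform": "windows"},
    "web01": {"owner": "webteam", "platform": "linux"},
    "teller-pc-07": {"owner": "desktop", "platform": "windows"},
}

# Constructed advisories (made-up IDs): priority, release date, platform affected.
ADVISORIES = {
    "ADV-2016-001": {"priority": "critical", "released": date(2016, 1, 12), "platform": "windows"},
    "ADV-2016-002": {"priority": "medium", "released": date(2016, 1, 20), "platform": "linux"},
    "ADV-2016-003": {"priority": "high", "released": date(2016, 2, 1), "platform": "windows"},
}

# Constructed install records: (host, advisory id, date installed).
INSTALLED = [
    ("dc01", "ADV-2016-001", date(2016, 1, 25)),
    ("web01", "ADV-2016-002", date(2016, 1, 25)),
    ("teller-pc-07", "ADV-2016-003", date(2016, 2, 9)),
]

# Constructed vulnerability-scan output: (host seen on the network, advisory it is missing).
SCAN_FINDINGS = [
    ("teller-pc-07", "ADV-2016-001"),
    ("teller-pc-07", "ADV-2016-003"),  # records say installed: failed install or stale scan
    ("lobby-kiosk", "ADV-2016-001"),   # host is not in the inventory at all
]


def due_date(advisory_id):
    """Deadline for an advisory: release date plus the SLA for its priority."""
    adv = ADVISORIES[advisory_id]
    return adv["released"] + timedelta(days=SLA_DAYS[adv["priority"]])


def missing_patches(as_of):
    """Applicable advisories with no install record for an inventoried host.

    Returns (host, advisory_id, days) tuples, where days is positive when the
    patch is past its deadline and negative when time remains under the SLA.
    """
    installed = {(h, a) for h, a, _ in INSTALLED}
    report = []
    for host, info in sorted(INVENTORY.items()):
        for adv_id, adv in sorted(ADVISORIES.items()):
            if adv["platform"] != info["platform"] or (host, adv_id) in installed:
                continue
            report.append((host, adv_id, (as_of - due_date(adv_id)).days))
    return report


def late_installs():
    """Patches that were installed, but after their deadline: (host, advisory_id, days late)."""
    return [
        (host, adv_id, (installed_on - due_date(adv_id)).days)
        for host, adv_id, installed_on in INSTALLED
        if installed_on > due_date(adv_id)
    ]


def scan_discrepancies():
    """Cross-check scanner output against the inventory and install records.

    Returns (unknown_hosts, contradicted): hosts the scanner saw that are not
    in the inventory (nobody owns their patching), and findings for patches
    the records claim were installed (a failed install or a stale scan).
    """
    installed = {(h, a) for h, a, _ in INSTALLED}
    unknown = sorted({h for h, _ in SCAN_FINDINGS if h not in INVENTORY})
    contradicted = sorted(f for f in SCAN_FINDINGS if f in installed)
    return unknown, contradicted


if __name__ == "__main__":
    for host, adv_id, days in missing_patches(AS_OF):
        owner = INVENTORY[host]["owner"]
        state = f"{days} days OVERDUE" if days > 0 else f"{-days} days left"
        print(f"missing  {host:<14} {adv_id} owner={owner:<9} {state}")
    for host, adv_id, days in late_installs():
        print(f"late     {host:<14} {adv_id} installed {days} days past deadline")
    unknown, contradicted = scan_discrepancies()
    for host in unknown:
        print(f"unknown  {host:<14} seen by scanner but not in inventory")
    for host, adv_id in contradicted:
        print(f"conflict {host:<14} {adv_id} recorded as installed, scanner still flags it")
```

The three outputs map onto the three things the bullet asks for: the missing and late lists show whether priority-based deadlines are actually being met (and by whom, since each host carries an owner), while the scan cross-check is what makes the vulnerability scanner a measure of the program rather than just another list of findings, because a host the scanner knows about and the inventory does not is an inventory failure, not a patching failure.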