Banking Security Framework


Posted on July 6, 2022 | Completed on September 30, 2017 | By: Philip Payne

What cyber risk assessment framework best fits the banking sector?

The Cybersecurity & Information Systems Information Analysis Center (CSIAC) was asked to identify which cybersecurity risk assessment framework is best suited for the financial industry and provide examples of such frameworks. CSIAC identified the National Institute of Standards and Technology (NIST) Cybersecurity Framework as the most applicable and provided examples of other industry-specific implementation guidance. A presentation specific to the financial services sector was also provided.


From a top-level perspective, the overarching cybersecurity compliance framework for the nation’s critical infrastructure (which includes financial services) [1] is NIST’s “Framework for Improving Critical Infrastructure Cybersecurity” [2], also referred to as the NIST Cybersecurity Framework (CSF). This publication was released in response to Executive Order (EO) 13636/Presidential Policy Directive (PPD) 21, “Critical Infrastructure Security and Resilience,” released in February 2013 [3].

This voluntary cybersecurity risk management strategy consists of three main components:

1. Framework Core: a collection of cybersecurity risk management practices and a related hierarchy of functions, categories (e.g., activities and desired outcomes), subcategories, and informative references (e.g., standards defining related security control implementations).

2. Framework Implementation Tiers: a scoring system for determining the degree to which an organization’s cybersecurity policies and practices satisfy the components of the NIST CSF. While advancing from lower tiers to higher tiers is recommended, the tiers are not considered to be cybersecurity maturity levels.

3. Framework Profile: a profile is determined by estimating where the components of the framework core (i.e., cybersecurity outcomes) rank among the organization’s priorities. Profiles can be used to compare an organization’s “as is” state to its desired “to be” state and to identify the improvements needed to strengthen that organization’s risk posture.
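The Profile comparison in item 3 is, in practice, a gap analysis over the Core hierarchy. The following added example (not from the CSIAC response or from NIST) models a handful of Core subcategories using CSF v1.1 identifiers with paraphrased outcome text, scores an “as is” and a “to be” profile on a constructed four-step implementation scale, and emits the prioritized list of improvements; the sample bank profiles and the implementation scale are constructed for illustration.

```python
from dataclasses import dataclass

# Core hierarchy: Function -> Category -> Subcategory (CSF v1.1 identifiers).
# Outcome texts are paraphrased; only a handful of the subcategories are shown.
CORE = {
    "ID.AM-1": ("Identify", "Asset Management", "Physical devices and systems are inventoried"),
    "PR.AC-1": ("Protect", "Identity Mgmt & Access Control", "Identities and credentials are managed"),
    "PR.DS-1": ("Protect", "Data Security", "Data-at-rest is protected"),
    "DE.CM-1": ("Detect", "Security Continuous Monitoring", "The network is monitored for events"),
    "RS.RP-1": ("Respond", "Response Planning", "Response plan is executed during or after an incident"),
    "RC.RP-1": ("Recover", "Recovery Planning", "Recovery plan is executed during or after an incident"),
}

# Implementation scale used for the profile comparison (constructed; not part of the CSF).
LEVELS = {"none": 0, "partial": 1, "implemented": 2, "managed": 3}

@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    priority: int   # 1 = highest, taken from the target profile
    current: str
    target: str
    delta: int      # LEVELS[target] - LEVELS[current]

def profile_gaps(current, target):
    """Compare an 'as is' profile to a 'to be' profile.

    current: {subcategory: level}; target: {subcategory: (level, priority)}.
    Gaps are sorted by priority, then by size, so the list doubles as an
    ordered improvement plan. Subcategories missing from 'current' count as 'none'."""
    gaps = []
    for sub, (tgt, prio) in target.items():
        if sub not in CORE:
            raise KeyError(f"{sub} is not a Core subcategory")
        cur = current.get(sub, "none")
        delta = LEVELS[tgt] - LEVELS[cur]
        if delta > 0:
            gaps.append(Gap(sub, CORE[sub][0], prio, cur, tgt, delta))
    return sorted(gaps, key=lambda g: (g.priority, -g.delta, g.subcategory))

def gaps_by_function(gaps):
    """Roll the subcategory gaps up to the Function level for executive reporting."""
    totals = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0) + g.delta
    return totals

# Constructed sample profiles for a hypothetical bank.
CURRENT_PROFILE = {"ID.AM-1": "partial", "PR.AC-1": "implemented", "PR.DS-1": "none",
                   "DE.CM-1": "partial", "RS.RP-1": "implemented", "RC.RP-1": "partial"}
TARGET_PROFILE = {"ID.AM-1": ("managed", 2), "PR.AC-1": ("managed", 1), "PR.DS-1": ("implemented", 1),
                  "DE.CM-1": ("managed", 2), "RS.RP-1": ("implemented", 3), "RC.RP-1": ("managed", 3)}

if __name__ == "__main__":
    for g in profile_gaps(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"P{g.priority} {g.subcategory} ({g.function}): {g.current} -> {g.target} (+{g.delta})")
    print(gaps_by_function(profile_gaps(CURRENT_PROFILE, TARGET_PROFILE)))
```

Outcomes already at or above their target (RS.RP-1 here) drop out of the plan, and anything in the target profile that is not a Core subcategory is rejected rather than silently scored.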

This standardization is an important step towards implementing a unified framework instead of industry-specific (or ad-hoc) solutions that fail to provide a comprehensive strategy. However, it also presents the challenge of having to address such a wide range of critical infrastructure sectors. As such, the guidance is typically written at a higher level so that the individual sectors can develop and publish industry-specific implementation guidance consistent with the higher-level NIST CSF. For example, the Department of Energy has published documentation for the energy sector, including “Energy Sector Cybersecurity Framework Implementation Guidance” [4] and the “Cybersecurity Capability Maturity Model (C2M2)” [5]. CSIAC is not currently aware of a similar implementation guide for the banking/finance sector, but admittedly it is funded to support the defense community.

Information security has been, and continues to be, a critical requirement for the banking sector given the obvious motivation for attacks and the severity of the potential consequences. As such, a variety of industry-specific frameworks have been developed for this community. Furthermore, the many different components of the financial services sector and the related regulatory bodies have further complicated the cybersecurity requirements and compliance reporting. Research suggests that similar standardization efforts are underway to address this issue; these are likely best described by the accompanying NIST presentation “Financial Services Sector Specific Cybersecurity ‘Profile’,” given at a NIST cybersecurity workshop held in coordination with the Financial Services Sector Coordinating Council [6].



[1] Cybersecurity & Infrastructure Security Agency. “Critical Infrastructure Sectors,” 21 October 2020.

[2] NIST. “Framework for Improving Critical Infrastructure Cybersecurity,” Draft version 1.1, January 2017.

[3] The White House. Presidential Policy Directive (PPD) 21, “Critical Infrastructure Security and Resilience,” 12 February 2013.

[4] Office of Cybersecurity, Energy Security, and Emergency Response. “Energy Sector Cybersecurity Framework Implementation Guidance,” 6 January 2015.

[5] Office of Cybersecurity, Energy Security, and Emergency Response. “Cybersecurity Capability Maturity Model (C2M2),” July 2021.

[6] Financial Services Sector Coordinating Council. “Financial Services Sector Specific Cybersecurity ‘Profile’,” NIST Cybersecurity Workshop, 17 May 2017.
