Technology and Cyber Resilience Benchmarking Report December 2013
Technology and Cyber Resilience Benchmarking Report 2012 December
Foreword

by Andrew Gracie, Executive Director, Special Resolution Unit, Bank of England

On behalf of the UK Financial Authorities (the Bank of England, including the Prudential Regulation Authority, the Financial Conduct Authority and HM Treasury) I am pleased to attach our Report setting out the high-level findings from the Technology and Cyber Resilience Benchmarking exercise we initiated in. The main output from the exercise was an individual report to each of the 30 participants comparing their responses to our survey with those of their peers and with the participants as a whole. Follow-up to those reports is being taken forward bilaterally with the participants through the normal supervisory/oversight processes.

As the Report makes clear, the purpose of the exercise was to establish an initial overview of the participants' approach to technology and cyber resilience challenges. There was no pre-determined benchmark against which participants' responses were assessed, so no value judgements were made. Where participants' responses differed from their peers and/or the wider group, these were highlighted in the individual reports for the recipients to consider the rationale for those differences. Several participants have indicated that they have found the reports to be a useful tool for reviewing their technology and cyber resilience arrangements.

From the Authorities' perspective, the overall results of the exercise have provided a positive indication that technology and cyber resilience are taken seriously by the participants and that, in general, differences in approach largely align with the differences in the nature and scale of their activities. Where that is not the case, we will seek to undertake additional assessments as part of the substantive programme of further work described in the final section of the Report.

This benchmarking exercise was a collaborative venture between the Authorities and the participants. We are grateful to those who committed substantial time and resources to help develop the questionnaire and to pilot and deliver the exercise, which reflects a clear recognition of the value of cross-firm work to strengthen the technology and cyber resilience of the sector.
Technology and Cyber Resilience Benchmarking

There is now a greater reliance on IT systems and networks across the finance sector than ever before. While this provides many opportunities, it also increases the risk of disruption to the sector from technology failures and cyber-attacks. In the latter case, the rapid evolution of the cyber threat landscape poses challenges to firms' ability to maintain resilience. The pace of change is such that prevention, detection and response arrangements can quickly become dated and insufficient. Discussions with the financial sector over the past three years have highlighted concerns over the increasing persistence, intensity and sophistication of electronic attacks upon IT systems.

Alongside the Authorities [1], the UK financial sector has been exploring and testing its response to cyber-attacks since early 2010, including high-level sector discussions in September. In March 2011, thirty-three firms from the UK finance sector together with the Authorities took part in a desk-top cyber exercise, Waking Shark I. Lessons learned from the exercise were fed into the cyber element of the Market-wide Exercise (MWE) which took place in November.

In 2005, 2007 and 2009 the UK Financial Authorities undertook projects to benchmark the operational resilience of the UK financial sector (details of which can be found on the Bank of England's website). In 2012 the Authorities responded to increasing technology and cyber threats and feedback from the sector and focused on developing smaller, more targeted surveys, to delve deeper into the theme of technology and cyber resilience. Thirty key firms and financial market infrastructure providers participated in resilience benchmarking 2012 and each received an individual report which provided their results and anonymous comparisons with other participants. There was no predefined benchmark against which firms were assessed; rather, the aim was to more widely understand how the sector plans and manages technology and cyber resilience and to allow firms to compare themselves against their peers.

[1] Prior to April 2013, the Authorities referred to the Bank of England, the FSA and HM Treasury. The Authorities now comprise the Bank of England, including the PRA, the FCA and HM Treasury.
The results of benchmarking have provided valuable input to the on-going work of the Authorities together with firms. The results reported in this Report are as of 2012 and, in response to increased attacks, firms have continued to address and improve their cyber security; such measures taken since the survey are not stated in the results (see Further Work below). The technology and cyber resilience surveys have, however, provided the Authorities and participants with a good high-level understanding of how the sector approaches technology and cyber resilience.

Common Practices

Participants' benchmarking responses highlighted a number of common technology and cyber resilience practices which help firms to achieve a base layer of technology and cyber resilience to build upon.

The majority of participants (62%) reported that they have a methodology for learning from near-miss events, allowing them to better detect and respond to small failures and low-level disruption, which provide feedback on the overall functioning of the firm in relation to its environment. Near-miss events may also provide early warning of larger or cascade failures which the firm can avoid or better manage by learning from the early warnings.

The 2011 MWE underlined the importance of firms having dedicated, well-trained professionals who are appropriately empowered in the firm to prepare for and respond to cyber-attacks. In total, 86% of participants reported that their technology and cyber resilience specialists are involved at all stages and activities of responding to technology and cyber related incidents, from being a part of the response team and providing Subject Matter Expert (SME) input to being empowered to make key decisions.

All participants reported that they have an Incident Management Plan (IMP) or similar document. Within those plans the content is largely consistent between different firms and peer groups and includes: key objectives/operational resilience requirements, incident response processes, criticality and business impact criteria, and a testing and exercise approach, showing a level of maturity across all participants. In addition, participants reported that their IMPs provide significant practical guidance for responders to use during an incident.
Participants take a proactive approach to monitoring their operating environment and detecting and responding to threats before they have damaging effects. In total, 77% of all participants reported that they have an active Intrusion Detection System (IDS) which can enable them to monitor malicious activity and identify new threats and potential vulnerabilities. A number of participants also either reported that they have an active Intrusion Prevention System (IPS) or are awaiting its activation. Further to this, all participants reported performing a wide range of network monitoring for event detection, presenting a positive picture of the layers of defence, including monitoring, reported across the group.

Specific Findings

Comparison of firms' responses identified a number of positive practices as well as some areas where firms could improve or provide a higher level of assurance.

Governance

Coordination and strategic alignment between the different areas responsible for IT and business continuity teams is important to ensure a common goal for effective planning and response. The 2012 benchmarking results showed that the majority of participants manage technology and cyber resilience as part of IT production (73%), IT risk (63%), or that it was managed in part by business continuity and in part by IT risk (56%), suggesting there is further opportunity for collaboration between the two areas of work. It is essential that business continuity and technology and cyber practices are reviewed by top management and that one does not take precedence over the other.

In total, 97% of all participants reported that they discuss technology and cyber resilience during top management meetings. This presents a positive view of top management's prioritisation of technology and cyber issues. However, only around half of participants reported that they discuss these issues monthly or quarterly. Given the significant increase in cyber-attacks on financial firms since this survey was completed, we would expect that proportion to have increased in the ensuing period.
The survey did not assess top management's discussion of technology and cyber issues in sufficient detail to reach a view on the quality of those discussions. Nor was it able to establish clearly whether boards themselves are taking appropriate responsibility for cyber risks or whether these are labelled as purely IT problems and are thus delegated to IT committees and subgroups. However, it is important for firms themselves to consider these key questions.

Assessing controls

Once IT and cyber security controls are implemented it is essential that they are tracked, reviewed and evaluated to ensure that they are effective and fit for purpose. The majority of participants reported that they assess their controls on a monthly basis (53%) against current and emerging threats and identify key risks requiring remediation after major incidents (70%). This reflects the changing nature of the cyber threat and the rapid pace of change.

What firms do with information about the effectiveness of controls, and whether they are able to escalate issues to senior management, is also important. Whilst the majority of firms indicated that they report the implementation of controls to mitigate current and emerging threats to top management, nearly a quarter of participants indicated that they do not, raising questions over whether top management have sufficient visibility of technology and cyber risks and the corresponding mitigation and controls to enable them to make effective managerial and strategic decisions.

Situational awareness

Triggers for reviewing technology and cyber resilience policies varied across participants. Retail and investment firms' responses suggested that they focus more on external drivers and are more likely to review policies based on emerging threats and major incidents which they have experienced. In contrast, financial market infrastructure firms' responses suggested that they review technology and cyber resilience policies in response to changes in related policies and organisation strategy. A combination of approaches enables firms to develop policies and mitigations which are responsive to changes in the threat profile and the firm's risk environment.
When asked, 78% of participants reported that they formally revise their assessment of current and emerging technology and cyber resilience threats, and of their protection against those threats, after a major incident. Although the surveys did not examine how threat assessments are used, if used effectively they may increase firms' awareness of their threat environment, enabling them to adapt to changing conditions as they emerge. As part of reviewing their threat assessment, all participants reported that they used a full range of sources of threat intelligence, from vendors and third parties to audit findings and peer groups. Participants' responses suggest that they are largely consistent in sharing information about their current threat landscape with key internal stakeholders and decision makers, although it is not clear from benchmarking how effective this is in practice.

Incident management

Participants' approach to managing technology and cyber incidents was largely consistent and demonstrates maturity across the sector. In total, 70% of firms take a comprehensive and consistent approach to their incident detection and analysis procedures and include all of the elements that were provided as options in the benchmarking survey. All participants reported that they use a wide range of monitoring techniques and a variety of information to detect technology and cyber events; this establishes a baseline of positive techniques for event detection. The majority of participants also reported that they formally record a full range of information when an event is reported.

Vendor technology and cyber resilience

One of the challenges of managing vendors' technology and cyber resilience is how to assess and understand the level of resilience across multiple vendors in a way which will aid decision making. The majority of firms reported established processes for reviewing vendors' technology and cyber resilience, with many using questionnaires to gather information. Despite this, the documentation and evidence which vendors are required to provide is minimal, consisting mainly of a business continuity policy and standards accreditation certificates; evidence of cyber threat preventative measures is noticeably absent.
Although this information may be collected through a vendor management department, unit or group, firms' responses indicate that business continuity management (70%), information security (70%) and IT security (67%) are the main groups responsible for conducting reviews of vendor technology and cyber resilience, which demonstrates that information is being scrutinised by specialists.

Top 3 risks

In addition to answering the benchmarking questions, participants were also asked to provide evidence to elaborate on key themes. As part of this, firms were asked to identify, from their corporate risk registers, their top 3 technology and cyber risks. The top 3 technology risks reported by firms were network and critical system outages; development or emergence of new technology and poor change management in relation to new technologies; and access management and control of administration privileges. The top 3 cyber related risks were reported as hacktivism; malware and social engineering; and denial of service or distributed denial of service attacks.

Since the 2012 resilience benchmarking exercise, the Authorities have been working in conjunction with the UK financial sector to address concerns and improve firms' technology and cyber resilience.

Further Work

Since the initiation of the resilience benchmarking exercise in 2012, the Authorities have continued to work with firms to evaluate and improve technology and cyber resilience. In August 2012, the FSA wrote to nine major retail firms to establish whether they had taken appropriate action to assess and mitigate the risk of an outage and to evaluate whether technology risk is appropriately articulated and discussed at Board level. Follow-up to this work was taken forward bilaterally through the normal supervisory processes.

In June 2013 the Financial Policy Committee (FPC) made the following recommendation to HM Treasury: "HM Treasury, working with the relevant government agencies, the PRA, the Bank's financial market infrastructure supervisors and the FCA should work with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber-attack."

Since the recommendation was made, HM Treasury and the regulators have further enhanced their programme of work to test and improve the financial system's resilience to cyber-attacks. That enhanced programme was approved in September by the FPC, which encouraged HM Treasury and the regulators to ensure that the institutions at the core of the financial system, including banks and infrastructure providers, have a high level of protection against cyber-attacks. The programme of work to assess, test and improve the resilience of the financial sector to cyber-attack is based around four main themes:

1. Understanding the current nature of the cyber threat
2. Strengthening assessment work
3. Developing plans for testing the resilience of the sector to cyber-attack
4. Improving information-sharing

The work programme is designed to provide a broad-based response to the FPC's cyber recommendation and will inevitably take time to implement in full. In order to strengthen the assessment, the Authorities have been working with government agencies and have developed a comprehensive joint questionnaire which has been issued to a number of firms and FMIs to assess the adequacy of their cyber resilience and security arrangements.

Additionally, as part of this programme, on Tuesday 12 November an exercise took place to test the financial sector's response to a sustained and intensive cyber-attack. This exercise was called Waking Shark II and involved participants from investment banks, FMIs, the financial authorities and the relevant government agencies. The exercise was organised by the Securities Industry Business Continuity Management Group (SIBCMG), which drew on extensive cyber expertise to design a scenario in which a cyber-attack caused disruption to wholesale markets and the financial infrastructure supporting those markets. The exercise tested the communication between firms, and between firms and the authorities, and aimed to improve understanding of the impact of a cyber-attack on the participants and the wider financial sector. A thorough review of the lessons learned is underway to identify potential improvements to the resilience of the sector. A report will be published early in the New Year to share the outcomes and lessons with the participants and the wider finance sector.

Thank you

We would like to thank everyone across the sector who was involved in resilience benchmarking 2012 and in particular the Benchmarking Support Group, who developed the questions and helped to pilot and deliver the programme. If you have any comments on this Report please send them to BusinessResilience@bankofengland.co.uk.
More informationSmart Security. Smart Compliance.
Smart Security. Smart Compliance. SRM are dedicated to helping our clients stay safe in the information environment. With a wide range of knowledge and practical experience, our consultants are ready to
More informationSection A: Introduction, Definitions and Principles of Infrastructure Resilience
Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose
More informationKeeping sight of your business Hot topics facing Financial Services organisations in IT Internal Audit
Keeping sight of your business Hot topics facing Financial Services organisations in IT Internal Audit 2014 Welcome to our third annual review of the IT hot topics facing Internal Audit functions within
More informationTwin-peaks regulation: key changes and challenges
financial services Twin-peaks regulation: key changes and challenges november 2012 kpmg.co.uk/fs Twin peaks: the new landscape On 15 and 16 October 2012, the fsa released publications outlining the approach
More informationInternal Audit and supervisory expectations building on progress
1 Internal Audit and supervisory expectations building on progress Speech given by Sasha Mills, Director, Cross Cutting Policy, Bank of England Ernst & Young, London 3 February 2016 2 Introductions Hello,
More informationBusiness Plan 2012/13
Business Plan 2012/13 Contents Introduction 3 About the NFA..4 Priorities for 2012/13 4 Resources.6 Reporting Arrangements.6 Objective 1 7 To raise the profile and awareness of fraud among individuals,
More informationPosition Description
Position Description Job title Group Section Responsible to Responsibility for staff Project Coordinator Natural Resource Operations Rotorua Lakes Protection & Restoration Programme Rotorua Lakes Business
More informationOngoing N/A TBC. Baseline
Position Title: Executive General Manager, Core Services Systems Operations Classification: SES Band 2 Position Number: 1018 Position Status (ongoing/nonongoing): Ongoing Division: Core Services Systems
More informationThe Policy Approaches to Strengthen Cyber Security in the Financial Sector (Summary) July 2, 2015 Financial Services Agency
The Policy Approaches to Strengthen Cyber Security in the Financial Sector (Summary) July 2, 2015 Financial Services Agency 1 Challenge for Cyber Security in Financial Sector (1) Necessity to Strengthen
More informationRethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council
Rethinking Information Security for Advanced Threats CEB Information Risk Leadership Council Advanced threats differ from conventional security threats along many dimensions, making them much more difficult
More informationCQC s strategy 2016 to 2021. Shaping the future: consultation document
CQC s strategy 2016 to 2021 Shaping the future: consultation document January 2016 The is the independent regulator of health and adult social care in England We make sure health and social care services
More informationA GOOD PRACTICE GUIDE FOR EMPLOYERS
MITIGATING SECURITY RISK IN THE NATIONAL INFRASTRUCTURE SUPPLY CHAIN A GOOD PRACTICE GUIDE FOR EMPLOYERS April 2015 Disclaimer: Reference to any specific commercial product, process or service by trade
More informationshareplc: Pillar 3 Disclosures CONTENTS Oxford House Oxford Road Aylesbury Buckinghamshire HP21 8SZ phone 01296 41 41 41 visit www.shareplc.
Pillar 3 Disclosures 3 March 2015 Based on Financial Data as at 31 December 2014 CONTENTS 1.0 Introduction 3 2.0 Risk Appetite 5 3.0 Risk management objectives and processes 6 4.0 Risk categories and exposures
More informationDPC - Strategy and Project Delivery Unit Project Management Methodology. Updated April 2010
DPC - Strategy and Project Delivery Unit Project Management Methodology Updated April 2010 This project management methodology is designed to help SPDU staff to plan, manage and measure a successful project
More informationChris Moulder Director, General Insurance Prudential Regulation Authority T 020 3461 7885 chris.moulder@bankofengland.co.uk.
Chris Moulder Director, General Insurance Prudential Regulation Authority T 020 3461 7885 chris.moulder@bankofengland.co.uk 25 April 2016 Letter sent to CEOs of participating firms Dear CEO General Insurance
More informationAppendix 1: Performance Management Guidance
Appendix 1: Performance Management Guidance The approach to Performance Management as outlined in the Strategy is to be rolled out principally by Heads of Service as part of mainstream service management.
More informationCLICK TO OPEN FOOD AUTHENTICITY FIVE STEPS TO HELP PROTECT YOUR BUSINESS FROM FOOD FRAUD
CLICK TO OPEN FOOD AUTHENTICITY FIVE STEPS TO HELP PROTECT YOUR BUSINESS FROM FOOD FRAUD Click on tabs below FOOD AUTHENTICITY FIVE STEPS TO HELP PROTECT YOUR BUSINESS FROM FOOD FRAUD Food and drink manufacturers
More informationRISK MANAGEMENT POLICY (Revised October 2015)
UNIVERSITY OF LEICESTER RISK MANAGEMENT POLICY (Revised October 2015) 1. This risk management policy ( the policy ) forms part of the University s internal control and corporate governance arrangements.
More informationPACB One-Day Cybersecurity Workshop
PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance
More informationAddressing Cyber Risk Building robust cyber governance
Addressing Cyber Risk Building robust cyber governance Mike Maddison Partner Head of Cyber Risk Services The future of security The business environment is changing The IT environment is changing The cyber
More informationCyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen
Cyber Security : preventing and mitigating incidents Alexander Brown Robert Allen 07 & 08 October 2015 Cyber Security context of the threat The magnitude and tempo of [cyber security attacks], basic or
More informationHelmut Wacket Head of Oversight Division. Cybersecurity: regulatory framework and central bank initiatives in the EU
Helmut Wacket Head of Oversight Division Cybersecurity: regulatory framework and central bank initiatives in the EU Cybersecurity in the EU Securing network and information systems in the EU is essential
More informationAppendix 4 - Statutory Officers Protocol
Appendix 4 - Statutory Officers Protocol Accountability Protocol for role of Director of Children s Services within the London Borough of Barnet Introduction In September 2014, the Chief Executive of the
More informationCyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril.
Cyber Security Personal and commercial information is the new commodity of choice for the virtual thief, argues Adrian Leppard, Commissioner for City of London Police, as he sets out the challenges facing
More informationTestimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology
Testimony of Dan Nutkis CEO of HITRUST Alliance Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Hearing entitled: Cybersecurity: The Evolving Nature of Cyber
More informationConfident in our Future, Risk Management Policy Statement and Strategy
Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents
More informationCivil Aviation Authority. Regulatory Enforcement Policy
Civil Aviation Authority Regulatory Enforcement Policy PAGE 2 REGULATORY ENFORCEMENT POLICY Civil Aviation Authority This policy is subject to a phased implementation process please therefore check applicability
More informationQUALITY MANAGEMENT POLICY & PROCEDURES
QUALITY MANAGEMENT POLICY & PROCEDURES Policy Statement Cotleigh Engineering Co. Limited specialises in the recruitment of engineering & technical personnel in the oil & energy, rail, civil engineering,
More informationHousing Association Regulatory Assessment
Welsh Government Housing Directorate - Regulation Housing Association Regulatory Assessment Melin Homes Limited Registration number: L110 Date of publication: 20 December 2013 Welsh Government Housing
More informationGuideline. Operational Risk Management. Category: Sound Business and Financial Practices. No: E-21 Date: June 2016
Guideline Subject: Category: Sound Business and Financial Practices No: E-21 Date: June 2016 1. Purpose and Scope of the Guideline This Guideline sets out OSFI s expectations for the management of operational
More informationHow To Manage Risk On A Scada System
Risk Management for Industrial Control Systems (ICS) And Supervisory Control Systems (SCADA) Information For Senior Executives (Revised March 2012) Disclaimer: To the extent permitted by law, this document
More informationA COMPLETE APPROACH TO SECURITY
A COMPLETE APPROACH TO SECURITY HOW TO ACHEIVE AGILE SECURITY OPERATIONS THREAT WATCH Cyber threats cost the UK economy 27 billion a year 200,000 new threats are identified every day 58% of businesses
More informationHow small and medium-sized enterprises can formulate an information security management system
How small and medium-sized enterprises can formulate an information security management system Royal Holloway Information Security Thesis Series Information security for SMEs Vadim Gordas, MSc (RHUL) and
More informationBusiness Continuity Policy. Version 1.0
Business Continuity Policy Version.0 January 206 Contents Contents Version control Foreword Policy. Scope.2 Aim and objectives.3 Methods and standards.4 Responsibilities.5 Governance.6 Training and exercises
More informationDERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY
DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY VERSION 1.0 ISSUED JULY 2015 CONTENTS Page CONTENTS VERSION CONTROL FOREWORD i ii iii POLICY 1 Scope 1 Aim and Objectives 1 Methods and Standards 1
More informationGUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012
GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental
More informationSecurity & Privacy Current cover and Risk Management Services
Security & Privacy Current cover and Risk Management Services Introduction Technological advancement has enabled greater working flexibility and increased methods of communications. However, new technology
More informationDelivering Excellence in Insurance Claims Handling
Delivering Excellence in Insurance Claims Handling Guide to Best Practice Delivering Excellence in Insurance Claims Handling Contents Page 1. Introduction 1 2. Executive Summary 2 3. Components of Best
More informationConcept of Operations for Line of Business Initiatives
Concept of Operations for Line of Business Initiatives Version 1.0 Office of E-Gov and IT, OMB March 2006 Table of Contents FOREWORD...2 1 OBJECTIVES OF THE LINES OF BUSINESS CONCEPT OF OPERATIONS...3
More informationCYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY
CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY INTRODUCTION Information security has evolved. As the landscape of threats increases and cyber security 1 management becomes
More informationEPA Victoria Engagement Policy ENVIRONMENT PROTECTION AUTHORITY
EPA Victoria Engagement Policy ENVIRONMENT PROTECTION AUTHORITY The aspirations of the people of Victoria for environmental quality shall drive environmental improvement Environment Protection Act 1970
More informationthe Defence Leadership framework
the Defence Leadership framework Growing Leaders at all Levels Professionalism Loyalty Integrity Courage Innovation Teamwork Foreword One of the founding elements of Building Force 2030, as outlined in
More informationU.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW. November 12, 2012 NASEO
U.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW November 12, 2012 NASEO ISER Response: from site focused to system focused Emergency Preparedness, Response, and Restoration Analysis and
More informationWhite Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation
White Paper Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation Table of Contents Introduction... 3 Common DDoS Mitigation Measures...
More informationRequest for Proposal. Supporting Document 3 of 4. Contract and Relationship Management for the Education Service Payroll
Request for Proposal Supporting Document 3 of 4 Contract and Relationship December 2007 Table of Contents 1 Introduction 3 2 Governance 4 2.1 Education Governance Board 4 2.2 Education Capability Board
More information