CFTC BRIEFING 2 JUNE 2015 CYBERSECURITY CONSIDERING BANK OF ENGLAND S CBEST PROGRAM



Similar documents
CBEST FAQ February 2015

Managing cyber risk the global banking perspective

Helmut Wacket Head of Oversight Division. Cybersecurity: regulatory framework and central bank initiatives in the EU

Technology and Cyber Resilience Benchmarking Report December 2013

PORTCULLIS. 2nd Annual Financial Services Cyber Security Summit. CBEST Workshop

CBEST Implementation Guide

ESKISP Assist security testing, under supervision

CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS

Managing Cyber Attacks

ESKISP Conduct security testing, under supervision

Waking Shark II Desktop Cyber Exercise

Enterprise Security Governance. Robert Coles Chief Information Security Officer and Global Head of Digital Risk & Security

Cyber Security Evolved

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions

How To Assess A Critical Service Provider

Procuring Penetration Testing Services

Smart Meters Programme Schedule 2.5. (Security Management Plan) (CSP South version)

ISO Information Security Management Services (Lot 4)

A Guide to the Cyber Essentials Scheme

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

Business Continuity Policy

CBEST/STAR Threat Intelligence

State of the Applications : Only 11% of Information Security Managers Feel Their Applications are Secure. 1/11

HMG Security Policy Framework

FFIEC Cybersecurity Assessment Tool

Medical leadership for better patient care: Support for healthcare organisations 2015

ASTRAZENECA GLOBAL POLICY QUALITY AND REGULATORY COMPLIANCE

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

REPORT. Next steps in cyber security

Legal Notice Knowledge Consulting Group All rights reserved 2013

Testimony of. Mr. Anish Bhimani. On behalf of the. Financial Services Information Sharing and Analysis Center (FS-ISAC) before the

Under control 2015 Hot topics for IT internal audit in financial services. An Internal Audit viewpoint

Cyber Essentials Scheme. Summary

Cybersecurity. Regional and Community Banks. Inherent Risks and Preparedness.

Industrial Security & Compliance Using the Holistic Lifecycle Model

BS BUSINESS CONTINUITY MANAGEMENT

CYBER SECURITY FOUNDATION - OUTLINE

How to use the National Cybersecurity Workforce Framework. Your Implementation Guide

Cyber Essentials Scheme

INTELLIGENCE. RISK MITIGATION. RESPONSE. CONSULTANCY.

Internal Audit Practice Guide

Committees Date: Subject: Public Report of: For Information Summary

The UK Cyber Security Strategy. Report on progress December Forward Plans

2015 A CyberSecurity Year. Robert

How To Protect Your Business From A Cyber Attack

February 2015 Issue No: 5.2. CESG Certification for IA Professionals

Masternaut Consulting Pilot+ Pilot Management Familiarisation Training Objective based Training Change Management Return on Investment

Overview TECHIS Carry out security testing activities

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Asia Policy Partners LLC 2015

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

FINANCIAL MANAGEMENT MATURITY MODEL

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

Course 4202: Fraud Awareness and Cyber Security Workshop (3 days)

Business Continuity Management Policy and Plan

i Network, Inc Technology Solutions, Products & Services Providing the right information, to the right customer, at the right time.

CYBERSTRAT IS PART OF GMTL LLP, 26 YORK STREET, LONDON, W1U 6PZ, UNITED KINGDOM

TESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY. Before the

Into the cybersecurity breach

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Application Guidance CCP Penetration Tester Role, Practitioner Level

Malware isn t The only Threat on Your Endpoints

ONLINE, DISTANCE AND BLENDED LEARNING

Who s next after TalkTalk?

CASSIDIAN CYBERSECURITY

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

Business Continuity Management Framework

JOB DESCRIPTION: SUPERVISING IMMIGRATION SOLICITOR

Higher National and Vocational Qualifications Internal Assessment Report 2015 Oral Healthcare: Dental Nursing

CESG Certified Professional

OECD PROJECT ON CYBER RISK INSURANCE

Business Plan 2012/13

Smart Security. Smart Compliance.

Assuria from ZeroDayLab

Resilience and Cyber Essentials

ESKISP Conducts vulnerability assessment under supervision

Advanced Practice (Public Health)

Business Continuity Business Continuity Management Policy

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

Risks and uncertainties

Dealer Member Cyber-security

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Policy Document Control Page

CYBER SECURITY TRAINING SAFE AND SECURE

Learning and Development

ESKISP Manage security testing

Stand out for the right reasons Financial Services Risk and Regulation. Hot topic. Solvency II Long Term Guarantee Package Update

ESKISP Direct security testing

NHS Lancashire North CCG Business Continuity Management Policy and Plan

RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES

House of Commons Corporate Governance Framework

Code Subsidiary Document No. 0007: Business Continuity Management. September 2015

Cyber security in healthcare

Vulnerability/Penetration (PEN) Testing (Lot 4) Service: 5.G

Stakeholder workshop Central government. Thursday 26 March 2015

JOB DESCRIPTION: SUPERVISING IMMIGRATION SOLICITOR

Business Continuity Management Policy

1. This report outlines the Force s current position in relation to the Policing of Cyber Crime.

Hosting and data centre services

HP Fortify application security

Transcription:

CFTC BRIEFING 2 JUNE 2015 CYBERSECURITY CONSIDERING BANK OF ENGLAND S CBEST PROGRAM

Objectives Provide an overview of the CBEST program Overview will include answers to the following questions: What types of financial institutions are participating in the CBEST program? How was the program developed? And how is it maintained? What is the scope of testing? How does CBEST accommodate the evolution of threats and changing technology landscape? How does the program remain up-to-date? What are the lessons learned from the experience so far? Facilitated Q&A with an aim of understanding: What some of the costs / benefits of having a similar program would be for CFTC registrants?

Origins of CBEST Financial Policy Committee, June 2013 HM Treasury, working with the relevant government agencies, the PRA, the Bank s financial market infrastructure supervisors and the FCA should work with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack. September 2013 ensure that the various institutions at the core of the financial system, including banks and infrastructure providers, had a high level of protection against cyber attacks to ensure such attacks do not undermine the system. A review of testing practices revealed that the variation in activities (scope, methods, goals, frequency etc) was large. The testing provided no insight to capability against likely attack methods. As a result the Bank was unable to assess adequacy of cyber security capabilities. Therefore could not, at the time, provide assurance that the core of the UK financial system had [or knew what it needed to do to achieve] a high level of protection.

Building CBEST The Bank of England set about building a repeatable and scalable vulnerability testing framework Principles Each test should include the same steps, no matter which organisation is to be tested Tests should be holistic in nature, ensuring that people, processes and technology are tested The content of each step should be bespoke to each organisation being tested Intelligence (commercial and government) should influence the behaviours of the testers The tests should provide an accurate understanding of the threats faced by each institution (and therefore the core as a collective)

Building CBEST (2) Principles continued The tests would be conducted in partnership with the regulator They would benefit from GCHQ input The resource commitment on the regulators and the involvement of GCHQ would limit participation to the core only Participation was not to be mandatory (at the time we felt this would undermine the partnership principle) The tests should provide an assessment of where each firm s current capability is vs where it needs to be

Building CBEST (3) The test framework was piloted on the Bank of England A small industry working group was established to take development from pilot phase to launch Working group included banks and infrastructures, penetration testers, threat intelligence providers, regulators and agencies New accreditation standards, including examinations, for penetration testers and threat intelligence providers were created. They are maintained by the Council of Registered Ethical Security Testers on behalf of the Bank of England

Accreditation To carry out CBEST tests, penetration testing and threat intelligence companies must demonstrate to the Bank of England, via written application process, the following: CREST membership (evaluation of company operating procedures and standards; personnel security and development; approach to testing; data security) Personnel qualified to the right levels Personnel have the required minimum experience Verifiable references

Accreditation (2) The Bank of England conducts a site visit (penetration testing and threat intelligence companies) Interviews company staff, clairifies any anomalies in the application process Issues recommendation: Be accredited Be accredited subject to certain requirements being met Application rejected The Bank of England reserves the right to revoke accreditation

Maintenance of CBEST The Bank of England maintains CBEST Liaises with supervisory functions to ensure relevance Consults with penetration testers, threat intelligence providers and industry on effectiveness seeks feedback Close liaison with CREST Promotion of CBEST via industry events; international liaison etc Updates webpage periodically

Testing Threat intelligence identifies threat actors and tactics, techniques and procedures for the test This ensures that no matter which organisation is being tested, or when, the test is based on current threat intelligence The scope is agreed by regulators and the financial institution Functions which if disrupted could have an adverse effect on UK financial stability Technology systems supporting those functions are identified target systems (no-go areas, de-scoping is kept to an absolute minimum) Goals are pre-determined Penetration testers and financial institution devise a robust control framework Financial institution controls the test on a day-to-day basis

Post-test activity KPIs on both process, and outcome captured Workshop to discuss testing activity conducted A remediation plan is agreed by regulators and financial institution The plan looks to address gaps identified in where they are vs where they need to be Progress against agreed actions is monitored via routine engagement Re-test may be part of the remediation plan

Lessons to date CBEST attracted considerable media attention Each test takes approximately 6 months from start to finish Procurement process can be drawn out (especially with threat intelligence providers) Outsourcing majority of accreditation work greatly reduces the burden on the Bank of England Working with industry to finalise the test helped achieve buy-in within industry Nervousness within industry remains at some levels As more undergo CBEST testing we expect this nervousness to dissipate Raises unanswered questions on next steps for those firms not considered core

QUESTIONS Dave Evans, Senior Manager Sector Cyber, Bank of England david.evans@bankofengland.co.uk http://www.bankofengland.co.uk/financialstability/fsc/pages/cbest.aspx

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information