Appendix




Key Areas of Concern

i. Inadequate coverage of cybersecurity risk assessment exercises

The scope and coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis and benchmarking, were insufficient when they were conducted with a main focus on assessing only the risks associated with LCs' Internet-facing systems and infrastructure. Mission critical systems and networks residing within the LCs' internal environments, and other non-Internet-facing systems and environments which might also be enticing targets for cyber-attacks by insiders, were not sufficiently covered in the cybersecurity risk assessment. Moreover, these cybersecurity risk assessment exercises only tested the effectiveness of controls in place to guard against basic types of cyber-attacks. Furthermore, the approach to conducting these cybersecurity risk assessments was not frequently updated to cover the latest cybersecurity threat landscape, including advanced and sophisticated cyber-attacks (e.g. Advanced Persistent Threats aided by stealthy malware that facilitates sensitive data transfer activities).

ii. Inadequate cybersecurity risk assessment of service providers

LCs did not seem to take a pro-active approach to integrating the systems and control environments supported or maintained by service providers into the LCs' cybersecurity risk management frameworks. LCs did not have any formal procedures or guidelines detailing the requirements for conducting cybersecurity risk assessments or, if needed, on-site audits of service providers. LCs placed heavy reliance on attestations from the service providers, without supporting documentation or regular on-site audits to confirm that the service providers had performed cybersecurity risk assessments on their control environments. In addition, LCs did not further enquire into or scrutinize the scope, approach and results of the cybersecurity risk assessments and/or the follow-up actions taken by the service providers to mitigate the cybersecurity risks identified.

iii. Insufficient cybersecurity awareness training

Despite the regular cybersecurity awareness training provided to staff, the content of the training did not seem to be updated with the latest cybersecurity related issues (e.g. the latest findings identified and recommendations proposed during the latest cybersecurity review) to keep staff abreast of the latest cyber threats.

iv. Inadequate cybersecurity incident management arrangements

The coverage of cybersecurity incidents in the incident response plan and crisis management procedures was inadequate to address the risks posed by the latest cybersecurity threats. The cybersecurity incident response plan did not properly include some serious or catastrophic, yet common, cyber-attack scenarios (e.g. loss of sensitive data, simultaneous cyber-attacks on both primary and backup IT infrastructures). In addition, the coverage of the regular drills on cybersecurity incident response plans and crisis management was insufficient. Most of these drills were performed primarily to test the failover of some specific technical components only, instead of testing the viability and adequacy of the end-to-end crisis management process, which should cover, but not be limited to, the incident management process and the reporting and escalation of issues. Furthermore, when LCs performed regular drills or simulation exercises on the cybersecurity incident response plan and crisis management procedures, they only performed these at a global level without the involvement of local LCs in Hong Kong. Additionally, where some LCs performed these drills or simulation exercises locally, only technology staff were involved.

v. Inadequate data protection programs

Data protection programs were inadequate to address the latest cybersecurity threat landscape. For example, LCs did not include the following controls and procedures in their data protection programs:

- identify and document the data flow to keep track of both approved and emergency channels for internal and external data exchange;
- tailor the data protection processes and technologies (e.g. appropriate configurations and parameters of applicable tools and appliances to prevent unauthorized bypass of the data protection controls) according to their security policies, protection needs and regulatory requirements (e.g. personal data with privacy impact) to prevent data leakage from identified data flows; and
- trigger appropriate responses (e.g. block or suspend the data flow) based on the sensitivity of the data upon detection of suspicious data transfer activities.

Suggested Cybersecurity Controls

i. Establish a strong governance framework to supervise cybersecurity management

a. Designated resources should be adequately allocated to operate, govern and audit the controls in place to mitigate cybersecurity risks.

b. Cybersecurity topics should be included as a regular agenda item in senior management level meetings in order to set the direction and cybersecurity strategy for LCs. Regular evaluation of staff's understanding of and compliance with LCs' policies should be conducted to ensure the alignment of staff behaviour with the LCs' cybersecurity strategy.

c. Cybersecurity awareness training should be regularly provided to all staff, from senior to junior levels, and to service providers, if applicable, followed by assessments (e.g. a simulated phishing exercise) to assess whether staff and/or service providers have a strong cybersecurity awareness culture.

ii. Implement a formalized cybersecurity management process for service providers

a. Cybersecurity risk management for service providers should be formalized and integrated into the LCs' cybersecurity control frameworks.

b. In addition to cybersecurity risk assessments conducted by the LCs during evaluation, on-boarding and/or termination of service providers, it is also crucial for the LCs to incorporate cybersecurity requirements in the agreements with service providers and to perform on-going cybersecurity risk assessments or on-site audits when necessary throughout the engagements.

iii. Enhance security architecture to guard against advanced cyber-attacks

Process

a. Cybersecurity should be considered in the software development life cycle (SDLC) to allow early identification and remediation of security vulnerabilities prior to the launch of software (e.g. involve security specialists at the beginning of the planning stage, assess the protection needs and security requirements during the collection of system requirements, adopt security best practices in the design and implementation stages, perform security acceptance testing in the testing stage, etc.).

Network

b. Multi-tier network defences (e.g. firewall, Intrusion Detection System, Intrusion Prevention System and network-level access controls) and multi-layered security covering physical perimeters, network, operating systems, applications and data (e.g. internal network monitoring, application whitelisting [1], restriction of channels for data transfer and email encryption, etc.) should be implemented to enforce on-going monitoring and timely detection of abnormal system/network activities and user behaviour, so as to mitigate the risk of advanced and persistent attacks.

[1] Approve a list of applications which are allowed to be installed or run on operating systems to ensure only authorized applications can be executed on the LCs' systems.

c. Security zones (e.g. demilitarized zone) should be considered within LCs' networks for compartmenting systems and components according to their required level of cybersecurity protection (e.g. sensitivity of information residing in or processed by the systems). Control mechanisms should be in place to monitor, detect and restrict connections established for unauthorized data transfer between different security zones.

Operating Systems

d. In order to protect computers and networks from cyber-attacks by malicious applications (e.g. some sophisticated malware might not be effectively detected by anti-virus software), privileged user access to the operating system should be restricted to prevent installation of malicious applications, unauthorized manipulation of system configurations or removal of security tools on users' computers. LCs may also consider strengthening the control environment by implementing additional safeguards (e.g. application whitelisting) to prevent execution of unauthorized applications on users' computers.

iv. Formulate information protection programs to ensure sensitive information flow is protected

a. Data protection programs should be established to ensure the data flow of sensitive information has been defined, identified, documented and protected. The deployment of data protection processes and technologies (e.g. Data Loss Prevention solutions) should provide adequate coverage for the identified data flows and trigger appropriate responses (e.g. block exchange of restricted data, suspend transfer of potentially confidential data or escalate suspicious data transfer activities to designated personnel, etc.) according to the sensitivity of the data.

b. LCs should tailor the solutions and their underlying parameters to enable detection of malicious activities by behavioural monitoring (e.g. monitoring data exfiltration of certain types of information, such as customer identifiers, source code and large volumes of encrypted files, after normal office hours), taking into consideration different types of cyber-attacks and applicable regulatory requirements.

c. Formal policies and procedures should be established for information security and data classification in order to classify data based on its level of sensitivity, value and criticality to LCs. Data protection and baseline security controls should be established and determined based on the data classification to ensure sufficient controls are applied to meet the protection needs. Furthermore, formal data disposal and physical device destruction procedures should be established for disposing of confidential documents and physical devices to prevent data leakage.

d. Recertification should be performed periodically on removable media access (e.g. removable hard disks) to monitor and restrict data exchange through the use of removable media on a need-to-have basis.

e. Mobile secure containers should be implemented on staff mobile devices to create an encrypted environment and separate the firm's applications and information from other personal data and applications on the devices. Data wipe-out functions should be enforced to remove the firm's applications and information when the loss of a mobile device is reported.
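As an added illustration (not part of the circular), the following Python routine applies the response pattern in iv.a (block restricted data, suspend confidential data, escalate suspicious transfers to designated personnel) and the behavioural rule in iv.b (sensitive content or large encrypted payloads after office hours) to constructed transfer events, after first checking each event against a documented data-flow register of approved and emergency channels. The channel names, classification labels, office-hours window and size threshold are assumptions to be tuned to the firm's own policies.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed data-flow register (assumption): channels documented as approved or
# emergency routes for data exchange; any other channel is an unauthorized bypass.
APPROVED_CHANNELS = {"corporate-email", "sftp-gateway"}
EMERGENCY_CHANNELS = {"emergency-file-drop"}
# Response per classification (labels assumed); the most severe response wins.
RESPONSE_BY_CLASS = {"restricted": "block", "confidential": "suspend"}
SEVERITY = {"allow": 0, "escalate": 1, "suspend": 2, "block": 3}
OFFICE_HOURS = (9, 18)                    # 09:00-18:00 on weekdays (assumed)
LARGE_ENCRYPTED_BYTES = 50 * 1024 * 1024  # 50 MiB, an assumed tuning parameter
SENSITIVE_TAGS = {"customer_identifiers", "source_code"}

@dataclass
class TransferEvent:
    when: datetime
    user: str
    channel: str
    data_class: str
    size_bytes: int
    encrypted: bool
    tags: set = field(default_factory=set)

def outside_office_hours(when):
    start, end = OFFICE_HOURS
    return when.weekday() >= 5 or not start <= when.hour < end

def evaluate(ev):
    """Return (response, reasons) for one transfer event."""
    reasons, candidates = [], ["allow"]
    # Rule 1: data-flow register. Undocumented channel -> block; emergency -> escalate.
    if ev.channel not in APPROVED_CHANNELS | EMERGENCY_CHANNELS:
        reasons.append(f"undocumented channel {ev.channel}")
        candidates.append("block")
    elif ev.channel in EMERGENCY_CHANNELS:
        reasons.append(f"emergency channel {ev.channel} used")
        candidates.append("escalate")
    # Rule 2: classification-driven response (block restricted, suspend confidential).
    if ev.data_class in RESPONSE_BY_CLASS:
        reasons.append(f"{ev.data_class} data leaving via {ev.channel}")
        candidates.append(RESPONSE_BY_CLASS[ev.data_class])
    # Rule 3: after-hours behavioural monitoring escalates to designated personnel.
    if outside_office_hours(ev.when):
        hits = SENSITIVE_TAGS & ev.tags
        if hits:
            reasons.append("after-hours transfer of " + ", ".join(sorted(hits)))
            candidates.append("escalate")
        if ev.encrypted and ev.size_bytes >= LARGE_ENCRYPTED_BYTES:
            reasons.append(f"after-hours encrypted payload of {ev.size_bytes} bytes")
            candidates.append("escalate")
    return max(candidates, key=SEVERITY.get), reasons

# Constructed sample events, not real telemetry (2024-03-05 is a Tuesday, 03-09 a Saturday).
SAMPLE_EVENTS = [
    TransferEvent(datetime(2024, 3, 5, 10, 30), "alice", "corporate-email", "internal", 20_000, False),
    TransferEvent(datetime(2024, 3, 5, 11, 0), "bob", "corporate-email", "restricted", 5_000, False, {"customer_identifiers"}),
    TransferEvent(datetime(2024, 3, 5, 23, 15), "carol", "sftp-gateway", "internal", 80 * 1024 * 1024, True),
    TransferEvent(datetime(2024, 3, 9, 8, 0), "dave", "personal-webmail", "confidential", 1_000, False, {"source_code"}),
    TransferEvent(datetime(2024, 3, 5, 14, 0), "erin", "sftp-gateway", "confidential", 3_000_000, False),
]

def triage(events=SAMPLE_EVENTS):
    # Evaluate every event; returns {user: (response, reasons)}.
    return {ev.user: evaluate(ev) for ev in events}
```

Running `triage()` on the constructed events blocks bob's restricted transfer and dave's undocumented channel, suspends erin's confidential transfer, and escalates carol's after-hours encrypted upload while leaving alice's routine internal email alone.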

v. Strengthen threat intelligence and vulnerability management to pro-actively identify and remediate cybersecurity vulnerabilities

a. Cybersecurity risk assessment, including cybersecurity control gap analysis and benchmarking exercises, should be regularly conducted, with coverage of cybersecurity controls over both Internet-facing and internal systems/environments, taking into consideration the latest cybersecurity threat landscape. Such cybersecurity controls should also be adequately designed and regularly tested.

b. Simulations of real-life cyber-attack scenarios (e.g. in the form of a red team versus blue team exercise, in which the red team launches cyber-attacks and the blue team defends against them and protects the systems and networks of the LCs) and of the latest trends in cyber-attacks should be carried out to validate the effectiveness of the cyber-attack defence mechanisms.

c. Management should supervise the implementation of improvement initiatives when deficiencies are identified during cybersecurity risk assessment. Implementation timelines and milestones at a more granular level for each of the improvement initiatives should be defined. Management should make enquiries where there is any delayed implementation of improvement initiatives or prolonged implementation timelines.

d. Vulnerability and security patch management processes and procedures to implement bug fixes or upgrades for technologies should be formalized to remediate identified vulnerabilities in a timely fashion. Sufficient risk assessment and testing should be conducted before applying security patches to prevent unexpected system and business disruption.

e. Effective controls should be implemented to prevent and detect any unauthorized devices being connected to LCs' networks to access sensitive information or launch cyber-attacks within LCs' networks.

f. Anti-distributed denial of service (DDoS) mechanisms should be deployed to prevent DDoS attacks by filtering high-volume and suspicious incoming traffic.

vi. Enhance incident and crisis management procedures with more details of the latest cyber-attack scenarios

a. The incident response plan and crisis management procedures should include cyber-attack scenarios which might seriously affect the business operations of LCs (e.g. loss of data, simultaneous attacks on both primary and backup IT infrastructures) and be tested by regular drills or simulation exercises to ensure all key stakeholders (including relevant representatives from the local business) have a good understanding of the cybersecurity incident and crisis handling procedures.

vii. Establish adequate backup arrangements and a written contingency plan incorporating the latest cybersecurity landscape

a. A written contingency plan to cope with emergencies and disruptions due to cyber-attacks should be established. Review and update of the written contingency plan should be performed regularly to ensure the latest cyber-attack scenarios and the corresponding contingency handling procedures are incorporated into the contingency plan.

b. The contingency plan for emergencies and disruptions related to cyber-attacks should be periodically tested, covering the end-to-end cyber crisis management process with local stakeholders' involvement, to ensure the plan is viable and adequate to deal with cybersecurity incidents.

c. Disaster recovery drills for mission critical systems should be performed to validate the switchover capabilities of IT components in the event of an emergency.

d. All backup tapes should be encrypted and physically protected (e.g. use of locked boxes for storage and transportation) to ensure secure storage and transportation between locations.

viii. Reinforce user access controls to ensure access to information is only granted to users on a need-to-know basis

a. User access controls, including controls over privileged users and a recertification process, should be enforced to ensure user access rights are granted on a need-to-know basis with segregation of incompatible duties in place, so that only appropriate personnel are authorized to access the data and information required for their job duties.

b. Measures (e.g. virtual private network connections and two-factor authentication) should be taken to secure remote access from external networks to LCs' internal networks.