Cyber Security Survey



Similar documents
MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Financial Sector Cybersecurity: who s in charge? Aquiles A. Almansi Lead Financial Sector Specialist WBG-Finance & Markets

Dealer Member Cyber-security

The Protection Mission a constant endeavor

External Supplier Control Requirements

Cisco Advanced Services for Network Security

T141 Computer Systems Technician MTCU Code Program Learning Outcomes

Cybersecurity Academies roundtable Tina Allison

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

ABB s approach concerning IS Security for Automation Systems

CYBER SECURITY, A GROWING CIO PRIORITY

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Defending Against Data Beaches: Internal Controls for Cybersecurity

i Network, Inc Technology Solutions, Products & Services Providing the right information, to the right customer, at the right time.

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Protecting Your Organisation from Targeted Cyber Intrusion

Data Security and Healthcare

IT AUDIT WHO WE ARE. Current Trends and Top Risks of /9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

Computer Security: Principles and Practice

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

DOWNTIME BREACHES DATA LOSS. SYMANTEC TECHNICAL SERVICES HELP YOU AVOID THEM.

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

SANS Top 20 Critical Controls for Effective Cyber Defense

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

CompTIA Security+ (Exam SY0-410)

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Internal Audit Report on. IT Security Access. January January - English - Information Technology - Security Access - FINAL.

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

Securely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

Multi State Information Sharing and Analysis Center. Briefing Paper. Keeping Your Broadband Internet Connection Secure

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division

Security Management. Keeping the IT Security Administrator Busy

CISCO IOS NETWORK SECURITY (IINS)

OCR LEVEL 3 CAMBRIDGE TECHNICAL

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Cloak and Secure Your Critical Infrastructure, ICS and SCADA Systems

Information Technology

External Supplier Control Requirements

Standing together for financial industry cyber resilience Quantum Dawn 3 after-action report. November 23, 2015

DeltaV System Cyber-Security

Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs

Enterprise Cybersecurity: Building an Effective Defense

Supplier Security Assessment Questionnaire

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

September 20, 2013 Senior IT Examiner Gene Lilienthal

Cyber Security Risk Management: A New and Holistic Approach

Network Segmentation in Virtualized Environments B E S T P R A C T I C E S

IIABSC Spring Conference

Top 20 Critical Security Controls

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

THE TOP 4 CONTROLS.

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Goals. Understanding security testing

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

Cyber Risk to Help Shape Industry Trends in 2014

ESKISP Conduct security testing, under supervision

ICT Security. High-Quality Information and Know How Protection. Design and implementation of security. Covering almost all of ICT security

INFORMATION TECHNOLOGY ENGINEER V

Network Security and the Small Business

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Cybersecurity and internal audit. August 15, 2014

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

Security Issues with Integrated Smart Buildings

IBX Business Network Platform Information Security Controls Document Classification [Public]

Practical Steps To Securing Process Control Networks

FINRA Publishes its 2015 Report on Cybersecurity Practices

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

DATA RECOVERY SOLUTIONS EXPERT DATA RECOVERY SOLUTIONS FOR ALL DATA LOSS SCENARIOS.

Looking at the SANS 20 Critical Security Controls

Assessing the Effectiveness of a Cybersecurity Program

CYBER SECURITY INFORMATION SHARING & COLLABORATION

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

The Future Is SECURITY THAT MAKES A DIFFERENCE. Overview of the 20 Critical Controls. Dr. Eric Cole

Cyber Security Risk Management

Cybersecurity Enhancement Account. FY 2017 President s Budget

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Cisco Certified Security Professional (CCSP)

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

TUSKEGEE CYBER SECURITY PATH FORWARD

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

A Systems Approach to Protecting the U.S. Air Traffic Control System Against Cyber-Terrorism

H.I.P.A.A. Compliance Made Easy Products and Services

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

G o v e r n m e n t o f I n d i a M i n i s t r y o f C o m m u n i c a t i o n s a n d I n f o r m a t i o n T e c h n o l o g y D e p a r t m e n t

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Domain 1 The Process of Auditing Information Systems

GEARS Cyber-Security Services

Application Security in the Software Development Lifecycle

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Global Corporate IT Security Risks: 2013

A PROVEN THREAT A TRUSTED SOLUTION MCCANN CYBER SECURITY SOLUTIONS

Actions and Recommendations (A/R) Summary

Improving Cyber Security Risk Management through Collaboration

Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Transcription:

Cyber Security Survey SELF ASSESSMENTS AQUILES A. ALMANSI THE WORLD BANK

Objective and Scope The objective of the World Bank Group s Vienna Center for Financial Sector Advisory Services (FinSAC) survey was to contribute to cyberrisk awareness and preparedness. Fifteen Central Banks were invited to comment on cyber incidents in their respective jurisdictions, and to assess the current state of their own cyber security practices. The results reported here correspond to the fourteen responses received. FinSAC took as a model OSFI s cyber security self assessment questionnaire.

Main Findings Information on Incidents Eleven of the fourteen respondents have been target of cyber attacks. Of these, all but one have registered incidents of actual network penetration, and at least three are regularly blocking (from daily to once or twice a week) attacks. Knowledge about cyber attack attempts and successful breach incidents of financial institutions in their respective jurisdictions varies considerably across the fourteen countries. No information In five of them. Ten of fourteen respondents reported to have no information about cyberattacks to major utility providers, retail stores, or other public or private institutions holding customer bank or credit card data.

Main Findings Self Assessments The strongest self assessments correspond to technical issues typically in charge of IT departments. The weakest self assessments correspond to areas typically in the hands of Senior Management and/or the Governor/Board, with institutional developmental issues similar to those frequently present in every other area of financial regulation and supervision. Self assessments were far from unanimous, the highest dispersion corresponding to areas with the weakest self assessments.

Self Assessment Ratings: 4 3.5 Average self assessment 4. Fully Implemented 3. Largely Implemented 2. Partially Implemented 1. Not Implemented 0. NA SELF ASSESSMENT 3 2.5 2 1.5 1 0.5 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 QUESTION

Strongest Self Assessments Q18, avg. 3.50: The Central Bank segments its network into multiple, separate trust zones. Q17, avg. 3.43: The Central Bank has implemented network boundary monitoring and protection. Q15, avg. 3.29: The Central Bank has implemented the following security tools and provides for their automated updates, and institutionwide application: Intrusion detection / protection systems; Web application firewalls; Anti virus; Anti spyware; Anti spam; DDoS protection; other. Q25, avg. 3.21: The Central Bank tightly controls the use of administrative privileges. Q24, avg. 3.21: The Central Bank applies strong authentication mechanisms to manage user identities and access. Q16, avg. 3.21: The Central Bank has a process to obtain, test and automatically deploy security patches and updates in a timely manner. Q11, avg. 3.21: The Central Bank maintains current a knowledge base of its users, devices, applications and their relationships, including but not limited to software and hardware assets, network maps (including boundaries, traffic and data flow), and network utilization and performance data. Q29, avg. 3.07: The Central Bank s incident management process is designed to ensure that the following tasks are fully completed: Recovery from disruption of services; Assurance of systems integrity following the cyber security incident; Recovery of lost or corrupted data.

Weakest Self Assessments Q4, avg. 1.57: Cyber security awareness is provided to all commercial bank employees. Q10, avg. 1.71: The Central Bank conducts regular cyber attack and recovery simulation exercises. Q28, avg. 1.71: The Central Bank has an external communication plan to address cyber security incidents that includes communication protocols and draft pre scripted communications for key external stakeholders (i.e. customers, media, critical service providers, etc. Q13, avg. 1.86: 'The Central Bank monitors and tracks cyber security incidents in the financial services industry and other relevant sectors. Q9, avg. 1.93: The Central Bank conducts regular testing with third party cyber risk mitigating services. Q33, avg. 1.93: The Central Bank has utilized scenario analysis to consider a material cyber attack, mitigating actions, and identify potential control gaps. Q34, avg. 2.14: A Senior Management committee has been established that is dedicated to the issue of cyber risks, or an alternative Senior Management committee has adequate time devoted to the discussion of the implementation of the cyber security framework.

Dispersion of Self Assessments Dispersion of self assessments per question Mean vs Dispersion per Question 1.00 1.00 0.90 0.90 0.80 0.80 0.70 0.70 STDEV/MEAN 0.60 0.50 0.40 STDev/MEAN 0.60 0.50 0.40 0.30 0.30 0.20 0.20 0.10 0.10 0.00 1 2 3 4 5 6 7 8 9 1011121314151617181920212223242526272829303132333435 QUESTION 0.00 1 1.5 2 2.5 3 3.5 4 MEAN SELF ASSESSMENT

Understanding the dispersion 4 Average self assessment per cluster 3.5 3 2.5 2 1.5 1 0.5 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 Cluster A Cluster B Cluster C

Areas of greatest dispersion 13. The Central Bank monitors and tracks cyber security incidents in the financial services industry and other relevant sectors. 28. The Central Bank has an external communication plan to address cyber security incidents that includes communication protocols and draft pre scripted communications for key external stakeholders (i.e. customers, media, critical service providers, etc.). 31. The Central Bank has established an institution wide cyber security policy, with supporting procedures in place that set forth how the Central Bank will identify and manage its cyber security risks. 32. The Central Bank has a cyber security implementation plan that outlines key initiatives and timelines. 33. The Central Bank has utilized scenario analysis to consider a material cyber attack, mitigating actions, and identify potential control gaps. 34. A Senior Management committee has been established that is dedicated to the issue of cyber risks, or an alternative Senior Management committee has adequate time devoted to the discussion of the implementation of the cyber security framework. 35. The Board, or a committee of the Board, is engaged on a regular basis to review and discuss the implementation of the Central Bank s cyber security framework and implementation plan, including the adequacy of existing mitigating controls.

Conclusions Information on cyber security events: good about incidents affecting the Central Bank, limited about incidents affecting supervised institutions, very limited or inexistent about incidents affecting other sectors. Self Assessments: the strongest correspond to issues typically in charge of IT departments, the weakest self assessments correspond to areas typically in the hands of Senior Management and/or the Governor/Board.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information