Security Assessments for Financial Services Organisations
With over 15 years of consulting experience, we measure your company’s security posture and advise on the best cyber security strategy to future-proof your business.
We can assess and validate the security across all aspects of your organisation, including NIST, PCI-DSS and Cyber Essentials compliance.
As cyber security continues to mature and stays at the top of everyone’s mind, a natural shift has occurred from focusing on meeting regulatory compliance mandates to involving the business and reducing the risks associated with its valuable assets.
Blocking every threat would be nice, but is cost-prohibitive (not to mention nearly impossible). Instead, organisations are responsible for allocating resources to reduce areas of cyber risk within their defined tolerance levels. This is where the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) excels.
The NIST CSF was first published in 2014 under the Presidential Executive Order ‘Improving Critical Infrastructure Cybersecurity’, which called for a standardised security framework. Existing frameworks like NIST 800-53 and ISO27001 provided specific controls and processes, whilst the creation of the NIST CSF offered a more digestible and flexible cybersecurity framework, allowing all adopters to see their security programme from a more strategic, business-centric view.
A NIST CSF assessment is not an audit but rather an engagement to drive business value by identifying risks. In heavily regulated industries, it may be a requirement to perform a risk assessment each year. However, in less regulated or unregulated industries, it is recommended to get an assessment every two years due to the continual evolution of threats.
A typical SysGroup NIST CSF assessment follows three steps:
- Interviews and workshops with relevant subject matter experts and control owners.
- Review of documentation (policies, standards and procedures) and evidence of controls in place.
- Report on the detailed findings, risks and recommended steps to remediation.
It’s important to work with an independent assessor who has seen how the controls are applied across different industries and similar organisations. An experienced assessor can give organisations assistance on how the framework should be successfully applied, offer valuable insight into the level of maturity compared to others, provide risk mitigation techniques, and incorporate ‘hot topics’ during the risk assessment ensuring the organisation is well protected.
Leveraging a professional brings many benefits for an organisation, including:
- Uncover control weaknesses and hidden/unknown risks. Interviews include discussions on how and where systems are connected and protected, which often uncover unknown risks. This is most likely when operational and security departments function as silos and/or don’t have formal or centralised processes.
- Identify areas where additional resources would help reduce risk. Risk reduction is fundamental, and NIST CSF assessments are valuable for identifying the key areas for investment of human, technology and financial resources.
- Realign cyber security priorities based on independent perspectives. It’s easy for decision-makers to ignore internal voices, but harder to do so with an unbiased independent assessment.
- Address questions from executive management. An assessment provides an impartial answer to “are we covering all major information security risks?” and boosts executive confidence in the programme.
If you choose to collaborate with an assessor, remember to always be transparent. Sharing all weaknesses enables the assessor to provide better guidance, which may also provide a platform for obtaining additional support or resources from management to address the areas of risk.
A PCI-DSS risk assessment is a formal process that companies use to identify threats and vulnerabilities that could have a negative effect on the security of payment card data.
According to requirement 12.2 of the Payment Card Industry Data Security Standard (PCI DSS), any organisation that processes or handles payment cards must implement a risk assessment process that is performed at least annually and when there are significant changes to the environment.
The risk assessment process must identify critical assets, threats, and vulnerabilities, and the effect they may have on the cardholder data environment. The risk assessment should result in formal, documented analysis of risk.
Merchants have been required to conduct risk assessments since the PCI DSS was first released in December 2004. The PCI DSS cites OCTAVE, ISO 27005, and the National Institute of Standards and Technology (NIST) Special Publication 800-30 as examples of risk assessment methodologies. However, the PCI DSS doesn’t dictate the process that companies should use to conduct their risk assessments.
The PCI DSS risk assessment offers organisations guidance to help them identify, analyse, document and manage the information security risks that may affect their cardholder data.
Organisations can identify these vulnerabilities using vulnerability assessment reports, penetration testing reports, and technical security audits. The PCI DSS risk assessment also provides companies with remediation strategies so they can implement risk management strategies to mitigate those vulnerabilities.
Conducting a risk assessment helps provide direction on what vulnerabilities a company should address first.
According to the PCI DSS risk assessment, an organisation must:
- Conduct a risk assessment once a year or anytime it makes significant changes to the cardholder data environment.
- Perform a thorough risk assessment before it outsources any portion of its cardholder data environment to a third party. The business also has to consider the effect outsourcing could have on the organisation and the credit/debit card information.
- Identify any vulnerabilities and threats to both its primary and secondary critical assets.
- Document the outcome of the PCI risk assessment, identifying all the risks during the risk assessment.
- Have a proper risk mitigation or treatment plan in place to deal with any emergency.
- Protect its critical assets from any threats that could surface in the future.
- Identify weaknesses and correct vulnerabilities in a timely manner to reduce the likelihood that a vulnerability will be exploited.
- Cover all payment channels in the risk assessment, including all the critical assets that can directly or indirectly impact the security of the cardholder data environment.
SysGroup consultants have extensive experience working in the financial services industry and have conducted a number of PCI DSS risk assessments.
The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop Cyber Essentials, a set of basic technical controls to help organisations protect themselves against common online security threats.
The full scheme, launched on 5 June 2014, enables organisations to gain one of two Cyber Essentials badges. It is backed by industry, including the Federation of Small Businesses, the CBI and a number of insurance organisations which are offering incentives for businesses.
Cyber Essentials is suitable for all organisations, of any size, in any sector.
The Government requires all suppliers bidding for contracts involving the handling of sensitive and personal information to be certified against the Cyber Essentials scheme.