May 2, 2019
The many security challenges that leading CISOs face are overwhelming. This is due to the rapidly expanding variety of devices used in the digital transformation of business processes in the following ways:
- The Cloud
- IOT (Internet of Things)
- BYOD (Bring Your Own Device)
These challenges are compounded in several ways:
- Shortages in qualified information security personnel
- Increasing regulations such as HIPPS, GDPR, HIPAA and Sarbanes Oxley (Sox)
- Increasing sophistication of cyber attacks
To overcome these challenges, CISOs must pragmatically implement a sound plan of action to protect their organizations sensitive data using four critical steps.
Step 1 – Select the FFIEC CAT Review Tool
Selecting a framework is the first step that all knowledgeable security officers take to solving the above data security challenges. This data security framework provides security standards that will define the cyber security topics and related controls that are necessary to reduce and manage the security risk throughout the organization including on premise, at all endpoints and in the cloud.
The most useful framework would be one that specifies the data security problem or data risk weaknesses and prescribes actions to take in order to solve them. One such framework that is used by Financial Service auditors is the Cybersecurity Assessment Tool created by the Federal Financial Institutions Examination Council, better known as the FFIEC CAT.
The FFIEC CAT was developed by the council members to provide a comprehensive guide to help organizations identify their cybersecurity risks or shortcomings and then implement applicable steps to secure their cybersecurity preparedness based on their organization type and the threats they may face.
Step 2 – Review each action item in the Review Tool
A helpful whitepaper with a supporting spreadsheet tool was created to review each necessary action item as a defined data security standard by the FFIEC CAT. It also provides a valuable cross reference to the corresponding cyber security action items in the National Institute of Standards and Technology (NIST) framework.
A concise review of the framework structure and applications as well as each of the specific action items to review can be downloaded at the link mentions below. Although it would be ideal to acquire one solution that would manage every action item and concern, a thoughtfully planned combination of integrated data security applications along with ruggedized policies and procedures are necessary for the CISO or CIO to assure complete cyber security.
For the considerations that specifically address data loss prevention, there are three primary areas that the FFIEC CAT addresses; Data In Motion, Data At Rest and Data In Use.
In addition, the monitoring and analysis of user behavior is also a primary focus for all information security officers. To review the challenges that can be accommodated by an acquired solution, an Excel based “Cheat Sheet” that specifically reviews all 495 action items is available via the whitepaper at the links below.
Step 3 – Conduct A Thorough Audit of Your Data Vulnerabilities
Before implementing any of the FFIEC CAT framework’s action items, the organization must know where its data is. Data in motion, data at rest, and data in use is a massively complex moving target. What is needed is a system that can capture all these moving pieces, tag them, and give the CISO absolute control of the data.
Step 4 – Implement the suggested cyber security tools
As detailed in the FFIEC CAT Whitepaper mentioned above, the applicable appliances should be evaluated and then implemented to provide a cost effective and thorough solution.
The evaluation should consider the solutions ability to seamlessly apply to your existing data security applications while leveraging your new or existing information security systems. Other considerations are the total cost of ownership which includes the amount of time, money and personnel resources necessary to implement and manage the solutions.
CISOs are facing many security challenges. This is no secret. But there is a solution that can be implemented to overcome these challenges. Through the selection, review, audit, and implementation of the FFIEC CAT framework, these challenges can be systematically and thoroughly overcome.
Learn more about FFIEC CAT and get a jump start on your data audit. Conduct a concise review of each of the line items to be considered by downloading the FFIEC CAT Whitepaper here.