Policy development is a core competency required of Chief Information Security Officers. In order to develop policy, however, the CISO and other business leaders must understand the underlying issues and, where technology is involved, the technical issues as well.
Read this article:
https://www.bigcommerce.com/blog/social-media-advertising/#the-6-best-social-networks-for-ecommerce-advertising
Choose one of the social media platforms listed in the article above and research its privacy policy. Then prepare an “expert opinion” paper for the senior leaders in your organization. (If you cannot find the privacy policy for a given social media platform, choose a different platform.)
For your opinion paper, you must answer the following questions:
1) What do you think about your selected platform’s approach to privacy?
2) How would the platform’s privacy policy impact an organization that is contemplating using the platform for advertising and marketing?
3) Which of the social media services provided by the platform would you allow Padgett-Beale’s marketing department to use?
4) Should Padgett-Beale’s employees in general be permitted to use the platform during the work day (using company networks and/or IT resources)? What risks are involved with permitting such usage?
Financial Services Sector Specific Cybersecurity “Profile”
NIST Cybersecurity Workshop
May 17, 2017
Our Sector’s Shared Goal
A Complex Regulatory and Cybersecurity Environment for Financial Services
Financial Services Sector Specific Cybersecurity “Profile”
The Way Forward: Collaboration and Next Steps
Our Sector’s Shared Goal with the Financial Services Regulatory Community:
Advancing the safety, soundness, and resilience of the financial system by mitigating and protecting financial institutions and the financial sector from increasing cybersecurity risks.
Collective Action to Meet Our Shared Goal:
1) Established the Financial Services Information Sharing and Analysis Center (FS-ISAC) in 1999. Today, the FS-ISAC has ~7,000 members in 38 countries.
2) Fostered sector-wide cybersecurity collaboration through eight Joint Financial Associations Cybersecurity Summits.
3) Created Sheltered Harbor to enhance resiliency and provide augmented protections for financial institutions’ customer accounts and data.
4) Developed and convened 13 “Hamilton Series” cyber exercises in 2014-16 in collaboration with the various U.S. Government agencies.
5) Developed a DRAFT Financial Services Sector Specific Cybersecurity “Profile” in response to a complex regulatory and cybersecurity environment.
A Complex Regulatory and Cybersecurity Environment for Financial Services
The U.S. Financial Services Regulatory Structure (2017) (chart not reproduced in text)
Many Financial Services Cyber-Related Proposals Describe Similar Concepts to the NIST Cybersecurity Framework (but with Different Terminology) (comparison table not reproduced in text)
Why Language Matters
NIST’s “Identify” function regarding “Risk Management Strategy” mapped to 9 different regulatory requirements. The “Requirement” column shows how each proposal modifies language and definitions, requiring firms to comply with largely the same but distinct requirements.
Meanwhile, with respect to the NIST Cybersecurity Framework …
NIST Cybersecurity Framework (CSF) is
– De facto standard for firms seeking guidance to counter cyber threats.1
– Meets the requirements to be flexible, repeatable, performance-based, and cost-effective.
– Adaptable to organization’s maturity through implementation Tiers.
According to an industry survey 91% of companies surveyed either use NIST CSF or ISO/IEC 27001/27002.2
Federal entities and Sector-specific agencies (SSA) have promoted and supported the adoption of the NIST CSF in the critical infrastructure sectors.
– Department of Homeland Security (DHS) Critical Infrastructure Cyber Community (C3) Program
– SSAs for 5 sectors – Communications, Energy, Healthcare and Public Health, Transportation Systems, and Water and Wastewater Systems – developed NIST CSF implementation guidance.
– 7 other sectors (Chemical, Commercial Facilities, Critical Manufacturing, Dams, Emergency Services, Information Technology, and Nuclear Reactors, Materials, and Waste) have begun drafting implementation guidance in partnership with their SSAs.
______________________________________
1. U.S. Department of the Treasury, Office of Financial Research. “Financial Stability Report.” 15 December 2015. https://financialresearch.gov/financial-stability-reports/files/OFR 2015-Financial-Stability-Report 12-152015.pdf
2. PwC. “Global State of Information Security Survey 2016.” 9 October 2015: http://www.pwc.com/ gx/en/issues/cyber-security /information-security-survey.html
Source: US GAO, Critical Infrastructure Protection: Measures Needed to Assess Agencies’ Promotion of the Cybersecurity Framework (December 2015): http://www.gao.gov/products/GAO-16-152
Financial Services Sector Specific Cybersecurity “Profile”
Sector is Working on a Detailed Profile Intended as Discussion Starting Point
Why the Profile
• Since NIST CSF release, the FS sector has had to respond to a multitude of agency-issued cyber-related
• NIST CSF and ISO/IEC 27001 have emerged as de facto standards
Our Process
• Mapped most significant FS regulations to NIST CSF and ISO/IEC 27001
• Validated mapping with FS industry stakeholder group
• Achieved consensus on the Profile structure
• Developed profile by summarizing regulatory statements
  o Common themes
  o Applicable to industry
  o Flexible to accommodate different size and type entities
• Solicited and received comments
• Adjudicated comments in a group setting with the members achieving consensus in the meeting (a la standards)
• Currently revising to address comments
The Profile provides us numerous benefits
Benefits of Profile Adoption
• Better capabilities in protecting our financial and economic platforms
• Enhanced collective understanding of the state of cybersecurity for regulators and industry
• Greater intra-sector, cross-sector and international cybersecurity collaboration and understanding
• Enhanced internal and external oversight and due diligence and Third Party Vendor management programs
• Improved Boardroom engagement
• Reduced cybersecurity administrative burdens and regulatory compliance complexity
• More efficient and effective resource allocation to address risks
• Greater innovation as technology companies, including FS startups
We are proposing to add two Functions of priority to the FS Sector
Profile columns: Functions | Categories | Subcategories | Potential Diagnostic Statements | FS Specific Regulatory References
Functions:
– Governance (NEW)
– Identify, Protect, Detect, Respond, Recover (NIST today)
– Supply Chain/Dependency Management (NEW)
Categories: SAME column. Pieces, however, might be added, moved, etc.
Subcategories: SAME column. Pieces, however, might be added, moved, etc.
Potential Diagnostic Statements: NEW column. The risk-based diagnostic statements knit together the multitude of regulatory expectations and the NIST-centric Subcategories; will aid regulatory agencies with their oversight and examination responsibilities.
FS Specific Regulatory References: FFIEC IT Exam Handbooks, FFIEC CAT, NYDFS, ANPR, NAIC, etc.
Identify
ID.AM Asset Management
ID.BE Business Environment
ID.GV Governance
ID.RA Risk Assessment
ID.RM Risk Management
ID.SC Supply Chain
Governance
GV.SF Strategy and Framework
GV.RM Risk Management
GV.PL Policy
GV.RR Roles and Responsibilities
GV.SP Security Program
GV.AU Assurance and Audit
Supply Chain / Dependency Management
DM.IM Internal Dependencies
DM.ED External Dependencies
DM.RS Resilience
DM.BE Business Environment
The Governance Function provides greater level of detail and granularity
Governance
GV.SF Strategy and Framework
GV.RM Risk Management
GV.PL Policy
GV.RR Roles and Responsibilities
GV.SP Security Program
GV.AU Assurance and Audit
• Establishing appropriate cybersecurity governance in an FS organization
• Implementing robust risk management practices
• Maintaining a comprehensive cybersecurity policy
• Designating appropriate senior individuals and giving them the resources and access they need
• Putting together and running a comprehensive cybersecurity program
• Giving appropriate attention to segregation of duties between security implementation, oversight, and audit
The Supply Chain/Dependency Management Function helps manage many dependencies in the FS Sector
Supply Chain / Dependency Management
DM.IM Internal Dependencies
DM.ED External Dependencies
DM.RS Resilience
DM.BE Business Environment
• Managing risks from internal dependencies
• Managing risks from external dependencies – business partners, suppliers, contractors, consultants, customers, etc.
• Assuring resilience of the enterprise, financial services sector, and entire critical infrastructure
• Establishing and maintaining robust business environment
The Way Forward: Collaboration and Next Steps
Making this all work
Collaboration is Essential
• To achieve success, we have to collaborate with the regulators
• The Profile is a starting point for discussions with the regulators and self-regulatory bodies
• This will set the stage for international collaboration
Profile Development Next Steps
• Complete initial drafting process for the Profile
• Collaborate with the regulators on Draft Profile to meet expectations & needs
• Together, develop a risk-tiering and maturity model that could
  o Work seamlessly with the Profile
  o Fulfill expectations for institutions of all sizes & complexity
If you are a representative of a financial institution and want to participate, please contact Josh Magri, VP and Counsel, Financial Services Roundtable/BITS at Josh.Magri@FSRoundtable.org
Appendix – Detailed Profile Examples
How It Might Look: Governance (Partial)
Columns: Functions | Categories | Subcategories | NIST CSF v1.1 Ref | Potential Diagnostic Statements / FS Profile | Potential Diagnostic Statement Responses | FS References | (NIST) Informative References
Function: Governance
Category: Policy (GV.PL): The organization established cybersecurity policy in support of its cyber risk management framework.
Potential Diagnostic Statement Responses (same scale for every diagnostic statement): Not Applicable / Yes / Yes – Risk Based Approach / Yes – Compensating / Partial – Ongoing Project / Not Tested / No
Subcategory GV.PL-1: Organizational cybersecurity policy is established and has been approved by appropriate governance bodies.
  NIST CSF v1.1 Ref: ID.GV-1
  GV.PL-1.1: The organization maintains a documented cybersecurity policy or policies approved by appropriate Senior Officer or an appropriate governing authority.
  GV.PL-1.2: The organization’s cybersecurity policy integrates with appropriate employee accountability policy to ensure that all personnel are held accountable for complying with cybersecurity policies and procedures.
  FS References: ANPR/1/Considerations, NYDFS/500.03, NFA, SAMA, FRBNY/I/II/III, FFIEC/1
  (NIST) Informative References: COBIT 5 APO01.03, EDM01.01, EDM01.02; ISA 62443-2-1:2009 4.3.2.6; ISO/IEC 27001:2013 A.5.1.1; NIST SP 800-53 Rev. 4 -1 controls from all families
Subcategory GV.PL-2: Organizational cybersecurity policy addresses appropriate controls, identified through risk assessment.
  NIST CSF v1.1 Ref: None
  GV.PL-2.1: The cybersecurity policy is based on the organization’s risk management program, legal and regulatory requirements, and other applicable factors.
  GV.PL-2.2: Cybersecurity processes and procedures are established based on the cybersecurity policy.
  GV.PL-2.3: Cybersecurity policy is reviewed and revised by a responsible cybersecurity manager (e.g., CISO) and organization to address changes in the inherent risk profile, based on a periodic risk assessment, as well as to address other changes, e.g., new technologies, products, services, interdependencies, and evolving threat environment.
  FS References: FFIEC/1, FFIEC-APX E, NYDFS/500.08, /500.09, NFA
  (NIST) Informative References: TBD
How It Might Look: Detect (Partial)
Columns: Functions | Categories | Subcategories | NIST CSF v1.1 Ref | Potential Diagnostic Statements / FS Profile | Potential Diagnostic Statement Responses | FS References | (NIST) Informative References
Function: Detect
Category: Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
Potential Diagnostic Statement Responses (same scale for every diagnostic statement): Not Applicable / Yes / Yes – Risk Based Approach / Yes – Compensating / Partial – Ongoing Project / Not Tested / No
Subcategory DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.
  NIST CSF v1.1 Ref: DE.CM-2
  DE.CM-2.1: The organization’s controls include monitoring and detection of anomalous activities and potential cybersecurity events across organization’s physical environment and infrastructure, including unauthorized physical access to high-risk or confidential systems.
  FS References: CPMI-IOSCO/Protection, CPMI-IOSCO/Detection, FFIEC/3, FINRA/Technical Controls, ANPR/2, ANPR/5, FTC/5, G7/4, NAIC/4, NFA
  (NIST) Informative References: ISA 62443-2-1:2009 4.3.3.3.8; NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20
DE.CM-3 through DE.CM-7 not included for presentation purposes
Subcategory DE.CM-8: Vulnerability scans are performed.
  NIST CSF v1.1 Ref: DE.CM-8
  DE.CM-8.1: The organization conducts periodic vulnerability scanning, including automated scanning across all environments to: (1) identify potential system vulnerabilities, including publicly known vulnerabilities, upgrade opportunities and new defense layers; (2) identify vulnerabilities before deployment/redeployment of new/existing devices.
  DE.CM-8.2: The organization conducts, either by itself or by independent third-party, periodic penetration testing and red team testing on organization’s network, internet-facing applications or systems, critical applications, to identify gaps in cybersecurity defenses.
  DE.CM-8.3: The organization establishes a process to prioritize and remedy issues identified through vulnerability scanning.
  FS References: CFTC/E, CFTC-Cyber Exam/E, CPMI-IOSCO/Detection, CPMI-IOSCO/Testing, FFIEC/3, FFIEC-APX E/Risk Mitigation, FINRA/Technical Controls, ANPR/2, FTC/7, G7/4, NYDFS/500.05, SEC-OCIE/1
  (NIST) Informative References: COBIT 5 BAI03.10; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7; ISO/IEC 27001:2013 A.12.6.1; NIST SP 800-53 Rev. 4 RA-5
How It Might Look: Supply Chain/Dependency Management (Partial)
Columns: Functions | Categories | Subcategories | NIST CSF v1.1 Ref | Potential Diagnostic Statements / FS Profile | Potential Diagnostic Statement Responses | FS References | (NIST) Informative References
Function: Supply Chain/Dependency Management
Category: Resilience (DM.RS): The organization is resilient and able to operate while experiencing a cyber attack.
Potential Diagnostic Statement Responses (same scale for every diagnostic statement): Not Applicable / Yes / Yes – Risk Based Approach / Yes – Compensating / Partial – Ongoing Project / Not Tested / No
Subcategory DM.RS-3: Organizational incident response, business continuity, and disaster recovery plans and exercises incorporate its external dependencies and critical business partners.
  NIST CSF v1.1 Ref: Similar to ID.SC-5
  DM.RS-3.1: The organization has incorporated its external dependencies and critical business partners into its cyber resilience (e.g. incident response, business continuity, and disaster recovery) strategy, plans, and exercises.
  DM.RS-3.2: The organization’s cyber resilience strategy addresses the organization’s obligations for performing core business functions in the event of a disruption, including the potential for multiple concurrent or widespread interruptions and cyber-attacks on multiple elements of interconnected critical infrastructure, such as energy and telecommunications.
  DM.RS-3.3: The organization designs and tests its cyber resilience plans, and exercises to support financial sector’s sector-wide resilience and address external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc.
  DM.RS-3.4: The organization periodically identifies and tests alternative solutions in case an external partner fails to perform as expected.
  DM.RS-3.5: The organization prioritizes incident response of systems critical to the enterprise and to the financial services sector.
  FS References: ANPR/4, ANPR/5, NAIC/5, FFIEC/1
  (NIST) Informative References: CIS CSC 19.7, 20.3; COBIT 5 DSS04.04; ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11; ISA 62443-3-3:2013 SR 2.8, SR 3.3, SR 6.1, SR 7.3, SR 7.4; ISO/IEC 27001:2013 A.17.1.3; NIST SP 800-53 CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9