USA: +1(669)289-8683 
Sign in
Introduction
Developing a cybersecurity management program for Padgette-Beale Financial Services (PBI-FS) is essential to ensure the organizations adequately manages its risk and mitigates potential threats to its business operations. Several frameworks are available and are great references to utilize for developing this program as they often reference industry best practices and international standards for an organization to implement. Meanwhile, utilizing a maturity model will enable the organization to assess the thoroughness of their cybersecurity management program and address any weaknesses that exist. Through the use of a maturity model, PBI-FS can help ensure compliance with applicable laws and regulations for the financial service industry and better safeguard the security and privacy of their information assets.
What to use?
The development of a cybersecurity management program might be a daunting task if the proper resources are not utilized. NIST has formalized the Cybersecurity Framework which “references existing standards, guidelines, and [best] practices” to complement and enhance an organization’s cybersecurity program (NIST, 2014, p. 2). These standards, guidelines and best practices include COBIT 5 processes for IT management and governance, ISO/IEC 27001 information security management requirements, and NIST defined security and privacy controls in Special Publication 800-53. The use of guidance provided in this formalized framework ensures the organization will implement a program that addresses defined cybersecurity functions. The framework organizes activities that align with these basic functions: identify, protect, detect, respond, and recover. This enables the organization to utilize these best practices and security principles to improve organizational security and resilience when implementing their cybersecurity management program (NIST, 2014, p. v).
Laws and Regulations
A cybersecurity management program must also address applicable laws and regulatory requirements to effectively protect the organization from unnecessary risk and excessive penalties. Two such laws include the Bank Secrecy Act (BSA) and its implementing anti-money laundering rules and the Safeguards Rule which implements certain provisions of the Gramm-Leach-Bliley Act (GBLA). The BSA requires a system of internal controls, employee training, reporting of suspicious activity, and independent compliance testing (Treasury, n.d., Procedures & Reports sections). Meanwhile, the GBLA Safeguards Rule requires the protection of privacy for customer information that financial institutions collect (FTC, 2006, para. 1). Failing to comply with the requirements in either of these laws could result in strict penalties for PBI-FS and/or any individuals involved.
Best practices to Assess Maturity
To evaluate and further improve PBI-FS’s cybersecurity management program, the DOE’s Cybersecurity Capability Maturity Model (C2M2) should be used. The C2M2 assesses and strengthens cybersecurity capabilities by evaluating the organization’s cybersecurity program, facilitating the sharing of knowledge and best practices, and helps to prioritize actions, goals, and investments of the organization (DOE, 2014, p. 1). This helps to focus the attention of the organization to assuring the cybersecurity controls they have implemented meet the needs of the organization by effectively reducing its risk and protecting the security and privacy of its information assets. In addition, this model enables the organization to benchmark their performance. Organizations can than determine how well they are performing by examining the capabilities of other organizations (DOE, 2014, p. 3).
Summary
Implementing a cybersecurity management program is a great first step for an organization PBI-FS to take. However, unless the maturity of that program is assessed, holes and weaknesses in its prescribed safeguards may still exist. While the use of NIST’s Cybersecurity Framework will help to develop that program, assessing its adequacy with the use of a maturity model like the DOE’s Cybersecurity Capability Maturity Model (C2M2) may still be a necessity to ensure it is effective and thorough. This will enable PBI-FS to ensure they are meeting regulatory requirements and sufficiently protecting their assets and business operations.
References
DOE (2014, February). Cybersecurity Capability Maturity Model (C2M2). Retrieved from
https://www.energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf
FTC (2006, April). Financial institutions and customer information: Complying with the Safeguards Rule. Retrieved from
https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
NIST (2019, April 16). Framework for improving critical infrastructure cybersecurity. Version 1.1. Retrieved from
https://doi.org/10.6028/NIST.CSWP.04162018
Treasury (n.d.). Bank Secrecy Act (BSA) & related regulations. Retrieved from
https://www.occ.treas.gov/topics/supervision-and-examination/bsa/bsa-related-regulations/index-bsa-and-related-regulations.html
