G7 publishes ‘eight elements’ of security

The G7 has waded in and given its opinion on what will make the global financial sector secure, in the form of its "eight elements of cyber security".
 
The elements are non-binding and high-level, and they tread familiar ground. However, it is interesting to see that 'information sharing' has warranted its own 'element', which is in line with a sector-wide push for organisations to share 'threat intelligence': telling everyone you've been hacked and how it was done. From a moral and ethical point of view that is great, because others can learn from your mistakes, but how is it going to affect your share price? That is an interesting dilemma.
 
1. Cyber security strategy and framework
Entities in the financial sector should establish cyber security strategies and frameworks tailored to their nature, size, complexity, risk profile, and culture.

2. Governance
Consistent with their missions and strategies, boards of directors should establish the cyber risk tolerance for their entities and oversee the design, implementation, and effectiveness of related cyber security programmes.

3. Risk and control assessment
Ideally as part of an enterprise risk management programme, entities should evaluate the inherent cyber risk presented by the people, processes, technology, and underlying data that support each identified function, activity, product, and service.

4. Monitoring
Establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises.

5. Response
As part of their risk and control assessments, entities should implement incident response policies and other controls to facilitate effective incident response.

6. Recovery
Resume operations responsibly, while allowing for continued remediation, including by:
  • eliminating harmful remnants of the incident;
  • restoring systems and data to normal and confirming normal state;
  • identifying and mitigating all vulnerabilities that were exploited;
  • remediating vulnerabilities to prevent similar incidents;
  • communicating appropriately internally and externally.

7. Information sharing
Engage in the timely sharing of reliable, actionable cyber security information with internal and external stakeholders on threats, vulnerabilities, incidents, and responses to enhance defences, limit damage, increase situational awareness, and broaden learning.

8. Continuous learning
Review the cyber security strategy and framework regularly and when events warrant – including its governance, risk and control assessment, monitoring, response, recovery, and information sharing components – to address changes in cyber risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.

If you would like to find out more about these elements, please contact us.
