Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework

CYBER RESILIENCE ASSESSMENT FRAMEWORK (C-RAF)

A security framework provides a common reference for measuring cybersecurity capabilities within an organization (Le and Hoang, 2016). Such a framework may cover users, networking devices, software, networks, processes, applications, and information in storage or in transit that can be directly or indirectly connected to the network (Srinivas et al., 2018). Many parties worldwide, including industry bodies, governments and international organizations, have published cybersecurity standards, frameworks or guidance. Below, we briefly introduce three internationally applied frameworks (Exhibit 6), compare them against C-RAF in terms of coverage and focus, and provide a comparison table that includes additional frameworks.

[ Exhibit 6 ] Examples of commonly used cybersecurity assessment frameworks

National Institute of Standards and Technology (NIST) Cybersecurity Framework
As defined on its official site, the NIST Cybersecurity Framework focuses on using business drivers to guide cybersecurity activities and on treating cybersecurity risk as part of the organization's overall risk management process. The framework consists of three parts: the Framework Core, Framework Profiles and Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, desired outcomes and informative references that are common across critical infrastructure sectors. It is organized into five high-level functions: Identify, Protect, Detect, Respond and Recover.

International Organization for Standardization (ISO)/IEC 27001
ISO/IEC 27001 is a globally recognized standard for information security management systems (ISMS), focused on keeping information assets secure. It sets out requirements for establishing, implementing, maintaining and continually improving an ISMS. The standard has ten clauses, covering the organization's context, leadership and commitment, planning, support, operation, performance evaluation and improvement. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body after completing an audit.

Center for Internet Security Critical Security Controls (CIS CSC)
The CIS CSC, also known as the CIS Controls, is a prioritized and simplified set of best-practice guidelines for computer security published by the Center for Internet Security, a community-driven non-profit organization of IT professionals. Aimed at protecting organizations and data from known cyberattack vectors, the controls consist of 20 key actions organized for three implementation groups. The actions cover basic, foundational and organizational measures, ranging from asset management and data protection to incident response and penetration testing.

C-RAF AND OTHER CYBERSECURITY ASSESSMENT FRAMEWORKS

Recall that the C-RAF Maturity Assessment consists of seven domains: Governance, Identification, Protection, Detection, Response and Recovery, Situational Awareness, and Third-party Risk Management. These domains in fact cover more aspects than their names imply, so we have split them and mapped the relevant areas to ten domains of analysis in Exhibit 7.

[ Exhibit 7 ] Mapping of maturity assessment domains and the ten domains of analysis

C-RAF domain*                        Domain of analysis*
Governance (81)                      Governance (59)
                                     Expertise and training (22)
Protection (106)                     Data security (28)
                                     Security control and incident prevention (78)
Detection (60)                       Detection (60)
Response and Recovery (51)           Incident management (51)
Situational Awareness (18)           Situational awareness (18)
Third-party Risk Management (27)     Oversight of interconnections (27)
Identification (23)                  Risk analysis and assessment (23)
(not covered)                        Continuous learning/improvement

* Numbers in brackets denote the number of controls included in the C-RAF Maturity Assessment.

With this mapping in mind, Exhibit 8 compares C-RAF with several additional reference frameworks across the ten domains: governance, risk analysis and assessment, data security, security control and incident prevention, expertise and training, detection, incident management, situational awareness, oversight of interconnections, and continuous learning/improvement. In short, C-RAF covers nine of the ten domains commonly included in other cybersecurity frameworks; what it does not measure is continuous learning and improvement, a gap it shares with the NERC cybersecurity standards and the BCBS Cyber-resilience: Range of Practices report.
