
NIST Cybersecurity Framework Update Adds Clarity, Roadmap

Owner
KGS Consulting, LLC


Three key areas CUs should review.

In December, the National Institute of Standards and Technology released an update to its four-year-old Framework for Improving Critical Infrastructure Cybersecurity.
 
With the original framework, NIST and other stakeholders sought to provide an approach to cybersecurity risk management that would meet government and business needs and also be aligned with security and risk management best practices and standards. The goal was a standard comprehensive enough for complex organizations, yet flexible enough to meet the abilities and needs of smaller organizations.
 
The version released in December includes updates based on comments, feedback and changes within the cybersecurity landscape, and leaves in place the original core framework functions (identify, protect, detect, respond, recover). The majority of the changes to the framework are additions that clarify framework items and cybersecurity smart practices.
 
The changes are significant; they support the idea that the framework is a “living” document that will keep evolving over time. This changing nature means credit unions must actively monitor activity related to the framework so internal items (policies, standards, procedures) can be updated accordingly.
 
In particular, credit unions should examine four key areas of the new version of the framework.
 
1. Supply Chain Risk
Section 3.3 of the update contains additional information on cybersecurity risk related to supply chains (vendors) and communication of that risk. The use of the term “supply chains” is significant because it emphasizes the idea that your credit union’s vendors also engage vendors and suppliers, and cyber-risks exist in and amongst these “sub-vendors” that can impact your credit union. For example, while your online banking vendor may have a noted disaster recovery location (hot/warm site) in its documentation, the facility (building/infrastructure) itself may be managed and operated by a different vendor.
 
Additionally, the new version notes the importance of looking “up the chain,” where the credit union is the vendor/supplier to another organization or entity, such as a credit union service organization.
 
2. Identification and Authorization
The update expands and clarifies items related to identification and authorization of users (i.e., identity and access management). It notes the importance of having appropriate controls for the full identity management life cycle, from granting of access to its removal. The update also clarifies that management of authorizations includes not only users, but also processes and devices. As the use of artificial intelligence systems and devices built on the Internet of Things expands in credit unions and their supply chains, appropriate controls and cyber-risk management for identity and access management will need to expand accordingly. Any smart device, such as a chatbot or a smart TV, needs to be considered.
 
3. Measurement and Assessment
The new version of the framework also includes information on the importance of measuring or assessing cybersecurity risks in conjunction with business goals and objectives. Just as CUs work to balance and align share/loan growth, marketing, personnel, and ALM goals into one cohesive vision, they should be adding cybersecurity goals into the mix.

While not an aspect of the framework itself, NIST has provided an updated “roadmap” document for the framework. This roadmap outlines what has been done so far with the framework and what is on the horizon. A review of the roadmap is valuable for understanding what future items the credit union can expect.
 
Overall, the updates within this new version of the framework should assist your credit union in better understanding the guidelines, and implementing the framework in an effective manner.
 
Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting, LLC, Silverdale, Wash., and offers insights to CUs on information technology governance, information security, and technology risk management.

You may be interested in reading these previous articles by Benlein: “Tech Time: Building Security Into Your RFPs,” “Tech Time: Cyberthreat Intelligence and Your CU” and “Know Thy Hacker.”
