
On-site cyber examinations - A view from the European Single Supervisory Mechanism
JUNE 27, 2019

Roberto Franconi
Technology Risk Inspection Manager
Prudential Analytics & Inspections Directorate
Central Bank of Ireland

INTERNATIONAL MONETARY FUND 1


Agenda

• Approach
• Framework
• Challenges & Results



Approach

EUROPEAN SINGLE SUPERVISORY MECHANISM (SSM)

The Single Supervisory Mechanism (SSM) refers to the system of banking supervision in Europe.

It comprises the European Central Bank (ECB) and the National Competent Authorities (NCAs) of the 19 participating countries.

Approach (2)

EUROPEAN SINGLE SUPERVISORY MECHANISM (SSM)

https://www.bankingsupervision.europa.eu/about/ssmexplained/html/ssm.en.html

Approach (3)

EUROPEAN SINGLE SUPERVISORY MECHANISM (SSM)

ssm_banking_supervision_guide

Approach (4)

SSM ON-SITE INSPECTIONS

• In-depth investigations of risks, risk controls and governance
• Pre-defined scope and time frame
• Carried out at the institutions’ premises
• Risk-based and proportionate
• Intrusive
• Forward-looking
• Action oriented

Approach (5)

SSM ON-SITE INSPECTIONS

• Scope and frequency planned according to supervisory priorities and the specific characteristics of each institution

• Additional ad-hoc inspections may be launched in response to events

• Types of on-site inspections:
  • Full-scope
  • Targeted
  • Thematic reviews across a group of institutions
  • Follow-up inspections when needed

Approach (6)

SSM ON-SITE INSPECTIONS

• On-site teams act independently but cooperate with the Joint Supervisory Teams (JSTs), which are responsible for on-going supervision

• On-site inspection team:
  • Head of Mission (HoM)
  • Team members
  • Optionally, JST members may participate, but never as HoM
  • If necessary and appropriate, external experts

Approach (7)

SSM ON-SITE INSPECTIONS

Phases of on-site inspections:

• Preparatory phase
• Investigation phase
• Reporting phase
• Follow-up phase

ssm_on-site_inspections

Approach (8)

SSM ON-SITE INSPECTIONS

Cyber-security in the general supervisory framework

Approach (9)

CYBERSECURITY MANAGEMENT

The Cybersecurity management process should be a key part of any sound IT security management and of IT risk management as a whole

Principles

- Identify Cybersecurity risks associated with their activities and IT infrastructure

- Protect from and Detect Cybersecurity attacks

- Respond to and Recover from Cybersecurity incidents

Lessons learned should be documented and allow continuous improvement

Framework
IDENTIFY

GOVERNANCE FRAMEWORK

Ensure that the management body is aware of Cybersecurity risks and this information is used to define and provide relevant
policies, processes and procedures to manage and monitor external and internal environments

Expected controls
• Existing Cybersecurity policy, including clear roles and responsibilities, linked to the IT risk policy and
based on or in line with appropriate standards (e.g., ISO 27005, NIST)
• Legal and regulatory requirements are defined, understood, assessed and managed
• Outsourced IT resources comply with the same requirements as in-house resources

Inspection techniques
• Interviews with CIO, CISO, senior IT management and members of the board to assess their awareness of
Cybersecurity risks
• Verify that a Cybersecurity (risk) policy exists, has been approved by senior management (board level) and
is regularly reviewed

Framework (2)
IDENTIFY

RISK MANAGEMENT STRATEGY

To inform operational risk and Cybersecurity risk decisions, based on the institution’s priorities, constraints, risk tolerance and its risk
assumptions

Expected controls
• The institution’s risk management processes include Cybersecurity risks
• Cybersecurity targets and controls are aligned with IT and Business
• Dependencies and critical functions for the delivery of critical Cybersecurity services
• An independent risk control body (Second Line of Defence function) responsible for designing
Cybersecurity risk processes and ensuring their adherence/compliance

Inspection techniques
• Review the institution’s risk governance framework and verify that IT security and Cybersecurity are
adequately addressed
• Obtain the terms of reference of the risk committee, verify that its roles include the oversight of IT and
Cybersecurity risk and senior management is properly represented

Framework (3)
IDENTIFY

RISK ASSESSMENT

Understand Cybersecurity risks to the institution’s business operations, critical assets and members of staff; appropriately
assess risks and base decisions on the institution’s priorities, constraints, risk tolerance and its risk assumptions

Expected controls
• Target security level: processes to enable a structured identification, control, monitoring and assessment
of the protection requirements to safeguard the integrity, confidentiality and availability of data
• Threats, vulnerabilities, likelihoods, and impacts used to determine Cybersecurity risks

Inspection techniques
• Verify that IT risk procedures provide a classification of data and IT systems, a categorisation of security
requirements for the individual protection requirements of systems and data, a target / actual comparison of
protection requirements, a residual risk evaluation, a review of protection requirements and of security
requirements to determine adequacy, and an IT risk reporting system

Framework (4)
IDENTIFY

ASSET MANAGEMENT

To accurately record information on data, devices, systems, facilities and staff; assets are risk assessed, security managed and
prioritised in accordance with their business criticality and security requirements

Expected controls
• Existing inventory of: physical devices, systems, software platforms, applications, authorized systems, etc.
managed based on their classification, criticality and business value
• Processes are in place to ensure that the inventory is kept up-to-date

Inspection techniques
• Verify that the institution maintains a central IT asset register (e.g. CMDB) for hardware (physical),
network topology (e.g. firewall, router, IP addresses, etc.), software and applications (logical) assets and
related dependencies, with links to information necessary to safeguard against Cybersecurity risks

Framework (5)
IDENTIFY

BUSINESS ENVIRONMENT

Methods to understand the institution’s Business Environment, including their mission and prioritisation of their objectives, internal /
external stakeholders and activities, provide information to inform Cybersecurity roles, responsibilities, and risk management
decisions

Expected controls
• The institution has mapped its communication, business processes and data flows
• Resilience requirements to support delivery of critical services are established

Inspection techniques
• Verify that business critical systems and applications have business owners assigned
• Verify that assets are prioritized and safeguarded based on the criticality of the business function they
support
• Sample assets that support business critical functions and verify that they are recorded on the asset
register, with criticality and priorities properly assigned

Framework (6)
PROTECT

ACCESS CONTROLS

Ensure access is granted in line with the least privilege or need-to-know principle and limited to authorised users,
processes, or devices, and to authorised activities and transactions, with proper access controls

Expected controls
• Credentials and access permissions are managed for authorised devices
• Remote access is managed and secured by two-factor authentication; sensitive remote access is based on
strong authentication; sensitive access to systems and assets is protected, controlled and monitored
(principle of least privilege)
• Contracts with external service providers incorporate requirements for access management

Inspection techniques
• Verify that access management processes cover all data and systems, with proper segregation
• Conduct system walkthroughs of access control management software and sample system access control
settings
• Verify that unauthorised access events are regularly monitored and responded upon

Framework (7)
PROTECT

FORMAL INFORMATION SECURITY POLICIES, PROCESSES, PROCEDURES

Ensure that processes and procedures are maintained in line with policy to manage protection of the institution’s
systems and assets, addressing at a minimum the purpose, scope, roles and responsibilities, management
commitment and coordination among institution’s risk and security entities

Expected controls
• Identification of vulnerabilities, baseline configuration of IT systems, security by design
• Configuration change control processes in place
• Cybersecurity is included in human resources practices (e.g., screen personnel background)

Inspection techniques
• Verify the existence of security baseline configurations, security by design, etc.
• Sample recent IT projects to verify that the documented policy was followed
• Verify that IT changes were sufficiently tested

Framework (8)
PROTECT

MAINTENANCE AND REPAIRS

Ensure that maintenance and repairs of critical control and information systems are performed consistently and in
line with policies and procedures

Expected controls
• Maintenance and repair of all assets is performed and logged in a timely manner
• Data stored on decommissioned assets is properly destroyed
• Vulnerability management plan developed and implemented

Inspection techniques
• Verify that a central tool is in operation for incident and problem management
• Evaluate whether the defined scope and frequency for vulnerability management and penetration
testing is appropriate with regard to the criticality of the IT landscape
• Review the institution assets life-cycle / decommissioning policy and procedures

Framework (9)
PROTECT

PROTECTIVE TECHNOLOGY

Ensure the security and resilience of systems and assets are in line with relevant policies, procedures, and
agreements, with reasonable assurance that the institution manages information and records (data) in line with its
risk strategy to protect the confidentiality, integrity and availability of information

Expected controls
• Data-at-rest and in-transit is protected, institution’s network is protected
• Integrity checking mechanisms are used to verify software, firmware, and information integrity
• Adequate system capacity to ensure system and data availability is maintained

Inspection techniques
• Verify that critical and sensitive data is protected; review network protocols and verify that network
communication is encrypted
• Verify that integrity monitoring for critical software, firmware and information is conducted
• Verify that the institution has established a capacity management procedure

Framework (10)
PROTECT

AWARENESS AND TRAINING

Performed across the institution and to relevant third parties and contractors, ensuring that key security staff is
adequately trained to perform their information and Cybersecurity related duties and responsibilities

Expected controls
• All users are informed and, where needed, trained; privileged users understand their roles and responsibilities
• Third party stakeholders understand their roles and responsibilities
• Senior executives understand possible social engineering threats
• Security awareness tests are conducted to analyse the effectiveness of awareness campaigns

Inspection techniques
• Verify the existence of a Cybersecurity awareness training for all staff
• Conduct sample interviews with staff, third parties / contractors, senior management to verify
Cybersecurity awareness

Framework (11)
DETECT

DETECT ANOMALOUS ACTIVITY

Ensure that Cybersecurity incidents and anomalous activity are detected in a timely manner and that detection
processes and procedures are tested and maintained

Expected controls
• A definition for security incidents is established, alert thresholds are defined
• Expected system data flows (users and data) are established and documented
• Incidents are reported in a timely manner to all relevant stakeholders; detected Cybersecurity incidents are
analysed for the attack methods deployed and acted upon in a timely manner

Inspection techniques
• Review the documentation about detection processes, including the definition of Cybersecurity incident
thresholds (e.g. incident classification) taken into account for incident impact analysis
• Verify that log files from systems processing critical / sensitive data are collected, and they are scanned for
Cybersecurity related incidents in an appropriate manner

Framework (12)
DETECT

CONTINUOUS MONITORING

Ensure that the institution has established continuous security monitoring of its information systems and IT assets
to identify Cybersecurity incidents

Expected controls
• Monitoring of network, IT infrastructure components, user activity, external provider activity, etc. to
detect potential Cybersecurity incidents
• Monitoring for unauthorised users, connections, devices, software, etc. is performed

Inspection techniques
• Verify that the institution has established processes and is utilizing tools to continuously monitor
anomalous activities, devices, changes to standard configuration
• Assess if the institution has an effective and timely process in place to update network data flow
diagrams
• Verify reports and alerts regarding anomalous user activity

Framework (13)
DETECT

DETECTION PROCESSES

Ensure that the institution implements the right procedures to maintain and test the effectiveness of protective
measures and to verify the effectiveness of its detection processes

Expected controls
• Vulnerability scans and penetration tests are performed
• Monitoring of anomalous user activity

Inspection techniques
• Verify that the institution has solutions in place in order to prevent data leakage
• Obtain, if available, recent internal and external penetration test results
• Obtain recent scans and evaluate results and timeliness of remediation plans
• Evaluate the effectiveness of email, anti-spam and content filtering tools

Framework (14)
RESPOND

RESPONSE PROCESSES AND PROCEDURES

Ensure that measures have been put in place to respond to a Cybersecurity incident in a planned manner and that
incidents are contained, stakeholders are informed and a formal investigation process has been established

Expected controls
• A Cybersecurity response plan exists and the institution has established a process to regularly update the
plan
• The Cybersecurity response plan incorporates lessons learned
• Existing Crisis Management framework that includes Cybersecurity incident / risk situations

Inspection techniques
• Verify that the institution has established and tested a Cybersecurity response plan, containing lessons
learned and ensure that new knowledge gained feeds into the next version of the plan
• Verify, if available, by sampling of past incidents, that the established response plan was followed

Framework (15)
RESPOND

RESPONSE COMMUNICATIONS

Existence of coordinated response communications with relevant internal and external stakeholders, including
external support from law enforcement agencies where applicable

Expected controls
• Personnel know their roles and order of operations when a response is needed
• Information is shared consistently with the response plan
• Coordination with stakeholders and collaboration with external entities occurs whenever required to
respond to Cybersecurity incidents

Inspection techniques
• Verify that communication is handled centrally and that public communication is authorised
• Conduct interviews to verify that staff is aware of their communication roles and responsibilities
• Verify that information channels are established and maintained in accordance with the established
response plan

Framework (16)
RESPOND

RESPONSE ACTIVITIES

Ensure that adequate response activities are timely performed to prevent expansion of an incident, mitigate its
effects and eradicate the incident

Expected controls
• Notifications from detection systems are investigated in a timely manner
• The impact of the incident is understood
• When required, response plans are swiftly executed
• Incidents are contained and eradicated

Inspection techniques
• Verify that the institution has established measures to contain and mitigate Cybersecurity incidents (if
possible, obtain a sample of past incidents and review the effectiveness)
• Based on a sample of publicly known vulnerabilities, verify how the institution has responded (e.g.,
assess the detection time, the correction time and the alignment with the plan)

Framework (17)
RESPOND

RESPONSE ACTIVITIES

Ensure that adequate response activities are timely performed to prevent expansion of an incident, mitigate its
effects and eradicate the incident

Expected controls
• Forensics are performed
• Newly identified vulnerabilities are mitigated or documented as accepted risks

Inspection techniques
• Verify if Cybersecurity scenarios are used in the preparation of Cybersecurity responses
• Verify if the institution has the capability, internal or externally, to perform forensic analysis to identify
the unfolding Cybersecurity incident
• Verify that any lessons learned from Cybersecurity incidents, especially from new Cybersecurity threats
are documented and appropriate risk assessments are conducted

Framework (18)
RECOVER

RECOVERY PROCESSES AND PROCEDURES

Obtain reasonable assurance that, after Cybersecurity incidents, the affected information systems and data are restored by
the institution in a timely manner

Expected controls
• A recovery plan exists and recovery activities are executed promptly in accordance with
defined processes and procedures
• Recovery plan activities are clearly and promptly reported to incident handling teams, internal
stakeholders and senior management
• Recovery processes and procedures are regularly tested, maintained and continuously improved

Inspection techniques
• Check roles and responsibilities, hierarchical level of personnel responsible for recovery processes, etc.,
interview individuals identified by roles and check if they are aware of their role and responsibilities and if
they are involved according to a well-defined escalation workflow
• Sample recovery activities related to recent Cybersecurity incidents, verify if the procedure adopted is
aligned with formal processes, check if RTOs and RPOs were met
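One way to make the RTO/RPO check on sampled recovery activities repeatable, as an added example that is not part of the presentation or of the SSM methodology; the criticality tiers, the RTO/RPO targets and the incident records are constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Recovery targets per criticality tier (hypothetical values for this example).
# Each entry is (RTO, RPO): maximum tolerable downtime and maximum tolerable data loss.
TARGETS = {
    "critical": (timedelta(hours=4), timedelta(minutes=15)),
    "important": (timedelta(hours=24), timedelta(hours=4)),
    "standard": (timedelta(hours=72), timedelta(hours=24)),
}


@dataclass
class RecoveryRecord:
    """One sampled recovery activity taken from the institution's incident records."""
    system: str
    criticality: str
    incident_declared: datetime           # when the loss of service was declared
    last_good_backup: datetime            # latest consistent backup/replica point before the incident
    service_restored: Optional[datetime]  # None when the service has not been restored yet


def check_record(rec: RecoveryRecord, as_of: datetime) -> dict:
    """Compare actual downtime and data-loss window against the tier's RTO and RPO."""
    rto, rpo = TARGETS[rec.criticality]
    # An open incident is measured up to the review date: its downtime can only grow.
    restored_at = rec.service_restored or as_of
    downtime = restored_at - rec.incident_declared
    data_loss = rec.incident_declared - rec.last_good_backup
    findings = []
    if rec.service_restored is None:
        findings.append("service not yet restored")
    if downtime > rto:
        findings.append(f"RTO breached: downtime {downtime} exceeds {rto}")
    if data_loss > rpo:
        findings.append(f"RPO breached: data loss window {data_loss} exceeds {rpo}")
    return {"system": rec.system, "downtime": downtime, "data_loss": data_loss, "findings": findings}


def review_sample(records, as_of: datetime) -> list:
    """Return only the records with findings, i.e. the exceptions an inspector would report."""
    return [r for r in (check_record(rec, as_of) for rec in records) if r["findings"]]


# Constructed sample of recovery activities (not real incident data) and review date.
REVIEW_DATE = datetime(2019, 5, 3, 9, 0)
SAMPLE = [
    RecoveryRecord("core-banking-db", "critical",
                   datetime(2019, 3, 4, 9, 0), datetime(2019, 3, 4, 8, 50), datetime(2019, 3, 4, 12, 30)),
    RecoveryRecord("payments-gateway", "critical",
                   datetime(2019, 4, 11, 22, 0), datetime(2019, 4, 11, 20, 0), datetime(2019, 4, 12, 5, 0)),
    RecoveryRecord("hr-portal", "standard",
                   datetime(2019, 5, 2, 14, 0), datetime(2019, 5, 2, 2, 0), None),
]

if __name__ == "__main__":
    for result in review_sample(SAMPLE, REVIEW_DATE):
        print(result["system"], "->", "; ".join(result["findings"]))
```

The exceptions list is what gets compared against the institution's own recovery reporting: a record that breaches its target but was never escalated is the more interesting finding than the breach itself.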

Framework (19)
RECOVER

COORDINATED RESTORATION ACTIVITIES

Ensure coordinated restoration activities with internal and external parties, such as coordinating centres, Internet
Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors

Expected controls
• Public relations are adequately managed and formalised in the recovery plan
• Recovery processes and procedures are aligned to applicable legal and regulatory requirements
• A Cybersecurity knowledge base is established and maintained
• A Cybersecurity post analysis is conducted and results fed into a Cybersecurity knowledge base

Inspection techniques
• Obtain the last PR announcement related to Cybersecurity incidents
• Verify that a Cybersecurity post-analysis is being conducted for all incidents
• Conduct interviews with IT security / Cybersecurity staff to verify that a continuous improvement for
Cybersecurity management activities has been implemented

Challenges & Results

• Since 2015, an average of 6-7 IT risk related on-site inspections per year

• On-site work is complemented with JST’s work and other sources of information, including
cyber-incidents and IT risk questionnaires

• Other interventions: horizontal thematic reviews (risk management, outsourcing, cyber)

• Better knowledge of the cyber situation at institutions

• Intensifying training activities on IT and cyber topics

Challenges & Results (2)

• Still some challenges:

• Changing threat landscape and priorities

• Methodology needs to be constantly evolving to adapt to the environment and to new
regulation

• Not enough skilled resources to cover all institutions in a 3-year review cycle

• Recruiting and retaining skilled staff is an increasing challenge

• Need for training and raising awareness among non-IT supervisors

• IT / cyber risk needs to be better integrated in general supervision

• More focus is needed on the smaller institutions

Presenter: Roberto Franconi

Master Degree in Computer Science Engineering, CISA, CISM, CISSP, Prince2, PMP

• 2004-2012 Different roles in accounting firms, in Italy and Ireland, providing consultancy services on IT audit and information security
• 2012-2017 IT internal audit roles in financial services, including the ECB
• Since 2017 Technology Risk Inspection Manager @ Central Bank of Ireland

www.linkedin.com/in/robertofranconi/

Roberto.Franconi@centralbank.ie
Tel: +353 1 224 6995
Mobile: +353 87690 0325



Thank you very much for your attention!
