examinations - A view from the European Single Supervisory Mechanism
JUNE 27, 2019
Roberto Franconi
Technology Risk Inspection Manager
Prudential Analytics & Inspections Directorate
Central Bank of Ireland
Approach
Framework
Challenges & Results
https://www.bankingsupervision.europa.eu/about/ssmexplained/html/ssm.en.html
• Scope and frequency planned according to supervisory priorities and specific characteristics of each institution
• On-site teams act independently but cooperate with the Joint Supervisory Teams (JSTs), who are responsible for the on-going supervision
• Head of Mission
• Team members
CYBERSECURITY MANAGEMENT
The Cybersecurity management process should be a key part of any sound IT Security management and of the general IT Risk management as a whole
Principles
GOVERNANCE FRAMEWORK
Ensure that the management body is aware of Cybersecurity risks and that this information is used to define and provide relevant policies, processes and procedures to manage and monitor the external and internal environments
Expected controls
• Existing Cybersecurity policy, including clear roles and responsibilities, linked to the IT risk policy and based on or in line with appropriate standards (e.g., ISO 27005, NIST)
• Legal and regulatory requirements are defined, understood, assessed and managed
• Outsourced IT resources comply with the same requirements as in-house resources
Inspection techniques
• Interviews with CIO, CISO, senior IT management and members of the board to assess their awareness of Cybersecurity risks
• Verify that a Cybersecurity (risk) policy exists, has been approved by senior management (board level) and is regularly reviewed
To inform operational risk and Cybersecurity risk decisions, based on the institution’s priorities, constraints, risk tolerance and risk assumptions
Expected controls
• The institution’s risk management processes include Cybersecurity risks
• Cybersecurity targets and controls are aligned with IT and Business
• Dependencies and critical functions for the delivery of critical Cybersecurity services
• An independent risk control body (Second Line of Defence function) responsible for designing Cybersecurity risk processes and ensuring their adherence/compliance
Inspection techniques
• Review the institution’s risk governance framework and verify that IT security and Cybersecurity are adequately addressed
• Obtain the terms of reference of the risk committee, verify that its roles include the oversight of IT and Cybersecurity risk and that senior management is properly represented
RISK ASSESSMENT
Understand Cybersecurity risks to the institution’s business operations, critical assets and members of staff; appropriately assess risks and base decisions on the institution’s priorities, constraints, risk tolerance and risk assumptions
Expected controls
• Target security level: processes to enable a structured identification, control, monitoring and assessment of the protection requirements to safeguard the integrity, confidentiality and availability of data
• Threats, vulnerabilities, likelihoods, and impacts used to determine Cybersecurity risks
Inspection techniques
• Verify that IT risk procedures provide a classification of data and IT systems, a categorisation of security requirements for the individual protection requirements of systems and data, a target / actual comparison of protection requirements, a residual risk evaluation, a review of protection requirements and of security requirements to determine adequacy, and an IT risk reporting system
ASSET MANAGEMENT
To accurately record information on data, devices, systems, facilities and staff; assets are risk assessed, security managed and prioritised in accordance with their business criticality and security requirements
Expected controls
• Existing inventory of physical devices, systems, software platforms, applications, authorized systems, etc., managed based on their classification, criticality and business value
• Processes are in place to ensure that the inventory is kept up-to-date
Inspection techniques
• Verify that the institution maintains a central IT asset register (e.g. CMDB) for hardware (physical), network topology (e.g. firewall, router, IP addresses, etc.), software and applications (logical) assets and related dependencies, with links to the information necessary to safeguard against Cybersecurity risks
BUSINESS ENVIRONMENT
Methods to understand the institution’s business environment, including its mission and the prioritisation of its objectives, internal / external stakeholders and activities, provide information to inform Cybersecurity roles, responsibilities, and risk management decisions
Expected controls
• The institution has mapped its communication, business processes and data flows
• Resilience requirements to support delivery of critical services are established
Inspection techniques
• Verify that business critical systems and applications have business owners assigned
• Verify that assets are prioritized and safeguarded based on the criticality of the business function they support
• Sample assets that support business critical functions and verify that they are recorded on the asset register, with criticality and priorities properly assigned
ACCESS CONTROLS
Ensure access is granted in line with the least privilege or need-to-know principle and limited to authorised users, processes, or devices, and to authorised activities and transactions, with proper access controls
Expected controls
• Credentials and access permissions are managed for authorised devices
• Remote access is managed and secured by two factor authentication; sensitive remote access is based on strong authentication; sensitive access to systems and assets is protected, controlled and monitored (principle of least privilege)
• Contracts with external service providers incorporate requirements for access management
Inspection techniques
• Verify that access management processes cover all data and systems, with proper segregation
• Conduct system walkthroughs of access control management software and sample system access control settings
• Verify that unauthorised access events are regularly monitored and responded upon
Ensure that processes and procedures are maintained in line with policy to manage protection of the institution’s systems and assets, addressing at a minimum the purpose, scope, roles and responsibilities, management commitment and coordination among the institution’s risk and security entities
Expected controls
• Identification of vulnerabilities, baseline configuration of IT systems, security by design
• Configuration change control processes in place
• Cybersecurity is included in human resources practices (e.g., personnel background screening)
Inspection techniques
• Verify the existence of security baseline configurations, security by design, etc.
• Sample recent IT projects to verify that the documented policy was followed
• Verify that IT changes were sufficiently tested
Ensure that maintenance and repairs of critical control and information systems are performed consistently and in line with policies and procedures
Expected controls
• Maintenance and repair of all assets is performed and logged in a timely manner
• Data stored on decommissioned assets is properly destroyed
• Vulnerability management plan developed and implemented
Inspection techniques
• Verify that a central tool is in operation for incident and problem management
• Evaluate whether the defined scope and frequency for vulnerability management and penetration testing is appropriate with regard to the criticality of the IT landscape
• Review the institution’s asset life-cycle / decommissioning policy and procedures
PROTECTIVE TECHNOLOGY
Ensure the security and resilience of systems and assets are in line with relevant policies, procedures, and agreements, with reasonable assurance that the institution manages information and records (data) in line with its risk strategy to protect the confidentiality, integrity and availability of information
Expected controls
• Data at rest and in transit is protected, and the institution’s network is protected
• Integrity checking mechanisms are used to verify software, firmware, and information integrity
• Adequate system capacity to ensure system and data availability is maintained
Inspection techniques
• Verify that critical and sensitive data is protected; review network protocols and verify that network communication is encrypted
• Verify that integrity monitoring for critical software, firmware and information is conducted
• Verify that the institution has established a capacity management procedure
Performed across the institution and extended to relevant third parties and contractors, ensuring that key security staff are adequately trained to perform their information security and Cybersecurity related duties and responsibilities
Expected controls
• All users are informed and, where needed, trained; privileged users understand their roles and responsibilities
• Third party stakeholders understand their roles and responsibilities
• Senior executives understand possible social engineering threats
• Security awareness tests are conducted to analyse the effectiveness of awareness campaigns
Inspection techniques
• Verify the existence of a Cybersecurity awareness training for all staff
• Conduct sample interviews with staff, third parties / contractors and senior management to verify Cybersecurity awareness
Ensure that Cybersecurity incidents and anomalous activity are detected in a timely manner and that detection processes and procedures are tested and maintained
Expected controls
• A definition for security incidents is established, alert thresholds are defined
• Expected system data flows (users and data) are established and documented
• Incidents are reported in a timely manner to all relevant stakeholders; detected Cybersecurity incidents are analysed for the attack methods deployed and acted upon in a timely manner
Inspection techniques
• Review the documentation about detection processes, including the definition of Cybersecurity incident thresholds (e.g. incident classification) taken into account for incident impact analysis
• Verify that log files from systems processing critical / sensitive data are collected, and that they are scanned for Cybersecurity related incidents in an appropriate manner
CONTINUOUS MONITORING
Ensure that the institution has established continuous security monitoring of its information systems and IT assets to identify Cybersecurity incidents
Expected controls
• Monitoring of network, IT infrastructure components, user activity, external provider activity, etc. to detect potential Cybersecurity incidents
• Monitoring for unauthorised users, connections, devices, software, etc. is performed
Inspection techniques
• Verify that the institution has established processes and is utilizing tools to continuously monitor anomalous activities, devices and changes to standard configuration
• Assess whether the institution has an effective and timely process in place to update network data flow diagrams
• Verify reports and alerts regarding anomalous user activity
DETECTION PROCESSES
Ensure that the institution implements the right procedures to maintain and test the effectiveness of protective measures and verify the effectiveness of its detection processes
Expected controls
• Vulnerability scans and penetration tests are performed
• Monitoring of anomalous user activity
Inspection techniques
• Verify that the institution has solutions in place in order to prevent data leakage
• Obtain, if available, recent internal and external penetration test results
• Obtain recent scans and evaluate results and timeliness of remediation plans
• Evaluate the effectiveness of email, anti-spam and content filtering tools
Ensure that measures have been put in place to respond to a Cybersecurity incident in a planned manner and that incidents are contained, stakeholders are informed and a formal investigation process has been established
Expected controls
• A Cybersecurity response plan exists and the institution has established a process to regularly update the plan
• The Cybersecurity response plan incorporates lessons learned
• Existing Crisis Management framework that includes Cybersecurity incident / risk situations
Inspection techniques
• Verify that the institution has established and tested a Cybersecurity response plan containing lessons learned, and ensure that new knowledge gained feeds into the next version of the plan
• Verify, if available, by sampling of past incidents, that the established response plan was followed
RESPONSE COMMUNICATIONS
Existence of coordinated response communications with relevant internal and external stakeholders, including external support from law enforcement agencies where applicable
Expected controls
• Personnel know their roles and order of operations when a response is needed
• Information is shared consistently with the response plan
• Coordination with stakeholders and collaboration with external entities occurs whenever required to respond to Cybersecurity incidents
Inspection techniques
• Verify that communication is handled centrally and that public communication is authorised
• Conduct interviews to verify that staff are aware of their communication roles and responsibilities
• Verify that information channels are established and maintained in accordance with the established response plan
RESPONSE ACTIVITIES
Ensure that adequate response activities are performed in a timely manner to prevent expansion of an incident, mitigate its effects and eradicate the incident
Expected controls
• Notifications from detection systems are investigated in a timely manner
• The impact of the incident is understood
• When required, response plans are swiftly executed
• Incidents are contained and eradicated
Inspection techniques
• Verify that the institution has established measures to contain and mitigate Cybersecurity incidents (if possible, obtain a sample of past incidents and review the effectiveness)
• Based on a sample of publicly known vulnerabilities, verify how the institution has responded (e.g., assess the detection time, the correction time and the alignment with the plan)
RESPONSE ACTIVITIES
Expected controls
• Forensics are performed
• Newly identified vulnerabilities are mitigated or documented as accepted risks
Inspection techniques
• Verify if Cybersecurity scenarios are used in the preparation of Cybersecurity responses
• Verify if the institution has the capability, internally or externally, to perform forensic analysis to identify the unfolding Cybersecurity incident
• Verify that any lessons learned from Cybersecurity incidents, especially from new Cybersecurity threats, are documented and that appropriate risk assessments are conducted
Obtain reasonable assurance that, after Cybersecurity incidents, the affected information systems and data are restored by the institution in a timely manner
Expected controls
• A recovery plan exists and recovery activities are executed promptly in accordance with defined processes and procedures
• Recovery plan activities are clearly and promptly reported to incident handling teams, internal stakeholders and senior management
• Recovery processes and procedures are regularly tested, maintained and continuously improved
Inspection techniques
• Check roles and responsibilities, the hierarchical level of personnel responsible for recovery processes, etc.; interview individuals identified by role and check if they are aware of their roles and responsibilities and if they are involved according to a well-defined escalation workflow
• Sample recovery activities related to recent Cybersecurity incidents, verify if the procedure adopted is aligned with formal processes, and check if RTOs and RPOs were met
Ensure coordinated restoration activities with internal and external parties, such as coordinating centres, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors
Expected controls
• Public relations are adequately managed and formalised in the recovery plan
• Recovery processes and procedures are aligned with applicable legal and regulatory requirements
• A Cybersecurity knowledge base is established and maintained
• A Cybersecurity post analysis is conducted and results fed into a Cybersecurity knowledge base
Inspection techniques
• Obtain the last PR announcement related to Cybersecurity incidents
• Verify that a Cybersecurity post-analysis is being conducted for all incidents
• Conduct interviews with IT security / Cybersecurity staff to verify that continuous improvement of Cybersecurity management activities has been implemented
• Since 2015, an average of 6-7 IT risk related on-site inspections per year
• On-site work is complemented by the JSTs’ work and other sources of information, including cyber-incident reports and IT risk questionnaires
• The methodology needs to evolve constantly to adapt to the environment and to new regulation
• Not enough skilled resources to cover all institutions in a 3-year review cycle
www.linkedin.com/in/robertofranconi/
Roberto.Franconi@centralbank.ie
Tel: +353 1 224 6995
Mobile: +353 87690 0325