In February 2013, the National Institute of Standards and Technology (NIST) developed a voluntary framework – based on existing standards, guidelines and practices – to reduce cyber risks to critical infrastructure.
The Framework's prioritised, flexible, repeatable and cost-effective approach helps owners and operators of critical infrastructure manage cybersecurity-related risk.
The Framework provides a common language and systematic methodology for managing cybersecurity risk.
The Framework is designed to complement, not replace, an organisation’s cybersecurity programme and risk management processes.
The Framework Core includes activities to be incorporated into a cybersecurity programme that can be tailored to meet any organisation's needs.
Several financial services firms have implemented elements of the NIST cybersecurity framework.
The five elements of the framework are:
The NIST framework aligns to both the Bank of England’s and the FCA’s view of cyber resilience.
While this approach appears straightforward, cybersecurity and cyber resilience are areas that firms find challenging for numerous reasons, primarily the complexity of the issue and the fast-moving nature of the threat.
Download our ‘Building a cyber resilient firm’ to learn more about how effective planning and a structured approach to cybersecurity can help protect your business.
Gap analysis – the Foulkon approach
Foulkon helps firms build cyber resilience frameworks that align to NIST, the Bank of England and the FCA.
The benefit of our approach is that we build a tailored framework that meets your particular risks and is in line with regulatory expectations. Carrying out a gap analysis can help put you on the “front foot” with the regulator in an area that is high on their agenda.
- ANALYSIS OF CONTEXT: cyber risk context
The foundations of a robust resilience framework depend on the specific needs of your firm. Your context is based on your organisational, technology and data landscapes.
The organisational landscape considers people and process and includes the governance of cyber risk. The technology and data landscapes are the operational elements that underpin the organisational landscape.
- DETERMINE REQUIREMENTS: Foulkon Cyber Resilience Framework requirements based on context (high, medium and low exposure)
- IDENTIFICATION OF GAPS: high-risk, medium-risk and low-risk gaps
Based on your context and the specific framework elements, we identify the gaps that need to be remediated. The latest FCA report on cyber and technology resilience indicates the types of gaps that the regulator has identified as follows: “…The areas seen by firms as requiring the most improvement were the identification of key assets, services and people, including those provided by third parties, sharing information and detection of attacks.”
- HOW TO GET THERE: transformation roadmap
Once the gaps have been identified, we build a transformation roadmap that remediates the issues in a practical, pragmatic and cost-effective manner. The roadmap is based on quick wins, the criticality of the gaps and the regulatory impact.
The roadmap provides your firm with a robust response to cyber resilience, allowing you to demonstrate to the regulator that you are dealing appropriately with an issue that is subject to regulatory scrutiny.
Speak to the Foulkon team to explore how you can build a cyber resilient business.