Cis Framework: A Secure Banking Future?

do banks follow the cis for security

Banks are increasingly being targeted by cybercriminals, and the stakes are high. To protect sensitive data, banks must have a robust cybersecurity strategy. The Center for Internet Security (CIS) is a nonprofit organization that provides guidance and best practices for improving financial services cybersecurity. CIS offers a framework of critical security controls that are effective in protecting against the most common attacks. These controls are put in place to manage identified risks and can be physical barriers, electronic barriers, software, policies, procedures, and training. Banks use CIS controls to determine their cybersecurity baseline and conduct a gap analysis. This helps them identify and remediate vulnerabilities in their systems and software.

Characteristics Values
CIS Controls CIS Critical Security Controls (CSC)
CIS Purpose Guidance and best practices for improving financial services cybersecurity
CIS Controls Implementation CIS Controls implementation with the NIST 800-53 framework
CIS Controls Baseline Determine cybersecurity baseline and conduct a gap analysis
CIS Controls Management Manage and automate tasks associated with CIS controls
CIS Controls Security Protect against the most common attacks
CIS Controls Compliance Compliance with strict regulations
CIS Controls Data Protection Ensure only authorized users have access to sensitive data, all access is logged, and privileged users are properly supervised
CIS Controls Risk Management Identify and remediate vulnerabilities in systems and software
CIS Controls Asset Management Keep track of assets, regularly review, and generate alerts for asset changes
CIS Controls Software Management Keep software up to date, regularly review and remove unauthorized software, and prevent installation of unauthorized software

bankshun

CIS Critical Security Controls (CSC)

The CIS Critical Security Controls (CSC) are a set of best practices that organisations can use to strengthen their cybersecurity. They are designed to be prescriptive, prioritised, and simplified, providing a cybersecurity approach that is proven to defend against common threats. The CIS Controls were initially developed by the SANS Institute and released as the "SANS Top 20" in 2008. They were then transferred to the Council on Cyber Security in 2013 and, finally, to the Center for Internet Security (CIS) in 2015.

The CIS Controls consist of 18 critical security controls (originally 20) that are fundamental practices to improve an organisation's cybersecurity posture. They are designed to be implemented, enforced, and monitored through primarily automated means. These controls are effective in protecting against the most common attacks, including physical barriers such as locks and walls, electronic barriers like firewalls, and software like antivirus programs. They also encompass policies, procedures, and training.

Banks, in particular, have been targeted by cybercriminals, and CIS Controls play a crucial role in managing these risks. By implementing the CIS Controls, banks can determine their cybersecurity baseline and conduct a gap analysis to identify areas for improvement. Additionally, the CIS Controls help banks ensure that their assets are properly configured and secure. This includes managing user access to sensitive data, data encryption, and understanding data storage and transit.

To support the evolving needs of modern systems and software, CIS Controls have introduced versions like v7.1 and v8.1, with a focus on hybrid or fully cloud environments and supply chain security. The CIS also offers accreditation to demonstrate a company's ability to implement, audit, and assess the CIS Controls for their customers.

bankshun

Protecting sensitive data

Banks have always held large amounts of personal and financial information about their customers. With the advent of new technologies, such as online banking and mobile payments, this data has become more vulnerable to cyberattacks and data breaches. As such, banks have had to implement robust cybersecurity measures to protect sensitive data and prevent attacks by cybercriminals.

One key method to protect sensitive data is through redaction, which involves removing sensitive information from a document before it is shared or published. This can be done manually or through advanced AI-powered tools such as Redactable, which can automatically identify and permanently redact confidential data. Banks also use various security solutions, such as DLP (Data Loss Prevention) tools, to monitor and control how information is used, reducing the risk of insider threats and data loss from malicious or negligent users.

To ensure efficient and cost-effective cybersecurity, banks can align their practices with frameworks such as CIS (Center for Internet Security) Controls, which offer a set of critical security controls to protect against common attacks. This includes implementing physical and electronic barriers, such as locks, walls, and firewalls, as well as antivirus software and intrusion detection systems. Banks should also ensure that only authorized users have access to sensitive data, and that all data is properly backed up and encrypted.

Additionally, banks should educate their customers on protecting their financial information. This includes using strong passwords, avoiding fraudulent websites, and not sharing sensitive information via email. By combining robust cybersecurity measures with customer education, banks can better protect sensitive data and maintain the trust of their customers.

bankshun

Compliance and risk assessments

One key aspect of compliance for banks is ensuring that only authorized users have access to sensitive data. This includes establishing separate admin accounts for admin tasks, so that even if an attacker gains access to an admin account, they won't have direct access to data. All access to data and systems should be logged, and privileged users should be properly supervised. Banks should also regularly review or use tools to generate alerts for any asset changes, especially with unsecured IoT devices like security cameras, thermostats, and IP phones, which can provide entry points for attackers.

To maintain compliance and security, banks must also have strong knowledge of their networks and be able to identify and remediate vulnerabilities. This includes regularly patching software and operating systems, using security scanning tools, and conducting penetration tests. By identifying vulnerabilities, banks can implement measures to protect their data, such as encryption of sensitive data at rest and in transit, and ensuring proper backup procedures.

CIS Controls are fundamental to a strong cybersecurity strategy and are considered industry best practices. Banks can use these controls to determine their cybersecurity baseline and conduct gap analyses to identify areas for improvement. By implementing these controls, banks can strengthen their security posture and better protect their systems and data from the ever-evolving threats in the cyber landscape.

bankshun

Continuous vulnerability management

Banks are increasingly being targeted by cybercriminals, and the stakes are high. To combat this, many banks are turning to the Center for Internet Security (CIS) Critical Security Controls (CSC). CIS is a nonprofit organization that provides guidance and best practices for improving financial services cybersecurity. CIS Control 3, Continuous Vulnerability Management, is an essential component of a bank's cybersecurity program.

One of the key benefits of continuous vulnerability management is the ability to provide 24/7 monitoring of an IT environment through automation. This reduces the burden on IT security teams, improving the mean time to resolution and the return on security investment. Next-generation vulnerability management technologies streamline vulnerability management activities, reduce costs, and increase a cybersecurity program's return on security investment (ROSI).

To implement continuous vulnerability management effectively, banks should develop a plan to continuously assess and track vulnerabilities on all enterprise assets within their infrastructure. This includes ensuring that only authorized users have access to sensitive data, keeping software up to date, and regularly reviewing and removing unauthorized software. By following these practices, banks can improve their cybersecurity posture and protect against common attacks.

bankshun

Incident response guidance

Banks are prime targets for cyberattacks as they hold valuable data that, when compromised, may lead to identity theft and financial loss. Regulatory agencies have therefore mandated that certain incident response requirements be included in a bank's information security program.

The Center for Internet Security (CIS) is a nonprofit organization that provides guidance and best practices for improving financial services cybersecurity. CIS offers a framework of critical security controls that are effective in protecting against the most common attacks. These include physical barriers (e.g., locks and walls), electronic barriers like firewalls, and software like antivirus programs. CIS controls also include policies, procedures, and training. Banks can use CIS controls to manage identified risks and improve their ability to recover from incidents.

In terms of incident response guidance, the Federal Deposit Insurance Corporation (FDIC) has outlined some best practices that banks can follow. These include:

  • Preparation: This involves establishing incident response teams and developing procedures for notifying senior management when the situation warrants.
  • Detection: Banks should implement tools to monitor various systems and processes to detect security incidents.
  • Containment: During this phase, banks should implement their predefined procedures for responding to the specific incident. This includes notifying the appropriate regulatory agencies and individuals within the bank.
  • Recovery: Banks should have procedures in place to handle various security incidents and ensure that their assets are properly configured and secure.
  • Follow-up: This includes conducting a review of the incident and making any necessary adjustments to prevent similar incidents in the future.

Additionally, the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation have established computer-security incident notification requirements for banking organizations and their service providers. These requirements mandate that banks must notify their primary Federal regulator of any "computer-security incident" that rises to the level of a "notification incident" as soon as possible and no later than 36 hours after determining that an incident has occurred.

Frequently asked questions

CIS stands for Center for Internet Security. CIS is a nonprofit organization that provides guidance and best practices for improving financial services cybersecurity. CIS is a parent of MS-ISAC, which serves as the information-sharing and analysis center for state, local, tribal, and territorial governments.

CIS Controls help banks manage and monitor user access to data and systems. This includes ensuring that only authorized users have access to sensitive data, all access is logged, and privileged users are properly supervised.

Banks can implement CIS Controls by establishing separate admin accounts for admin tasks. They can also use security scanning tools, conduct regular penetration tests, and keep software up to date to identify and remediate vulnerabilities in their systems.

Banks need CIS Controls to protect sensitive data and maintain compliance with strict regulations. CIS Controls help banks have stronger controls, better knowledge of banking networks, better reaction times to threats, and improved ability to recover from incidents.

CIS Controls can be physical barriers like locks and walls, electronic barriers like firewalls, or software like antivirus programs. They can also include policies, procedures, and training. Banks can also use tabletop exercises to ensure procedures are in place to handle various security incidents, business continuity issues, and other emergencies.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment