Closing the CIP Technology Gap in the Banking and Finance Sector
Treasury Department
Office of Critical Infrastructure Protection and Compliance Policy
March 2005
Long-term Policy Mandate to Expand CIP R&D for Banking and Finance
• Presidential Decision Directive 63 (May 1998)
– “Department of the Treasury and the financial sector are expected to … Recommend a program of research and development to keep the industry at the cutting edge of information systems security…”
…Expanded in the National Strategy to Secure Cyberspace “Action Recommendation”
• Action Recommendation 3-6:
“A public-private partnership should continue work in helping to secure the Nation’s cyber infrastructure through participation in, as appropriate and feasible, a technology and R&D gap analysis to provide input into the federal cybersecurity research agenda, coordination on the conduct of associated research, and the development and dissemination of best practices for cybersecurity.”
The Banking and Finance Sector Is A Significant Factor in Cyberspace
• 9% of the U.S. Gross Domestic Product
• 12% consumer of IT sector products and services
• Large provider of e-commerce services
• Heavily dependent on telecom and IT sectors
Closing the CIP Technology Gap in the Banking and Finance Sector
• There is a significant difference between “state-of-the-practice” and “state-of-the-art” in CIP protection
• This is driven by a variety of factors including:
– Cost vs. perceived benefits
– Dissemination of information about state-of-the-art
– Creation of “best practices”
– Adoption time (“early-mid-late adopter” curve)
• Closing the gap must be a priority for government and industry
State-of-the-Practice vs. State-of-the-Art
N.B. Hypothetical data
The Treasury CIP R&D Agenda Project
• Goals
– Advance BOTH the state-of-the-art and the state-of-the-practice in the banking and finance sector.
– Facilitate “closing the gap” between state-of-the-art and state-of-the-practice in CIP.
• Strategy
– Encourage public-private partnerships to engage in R&D that will develop technology and business practices of near term as well as longer term value to the banking and finance sector.
Approach
• Analyzed existing R&D agendas for applicability to goals of project
• Augment with topics based on industry needs
• Vet with industry experts and organizations
• Develop funding and governance model
• Work with public and private sector to create funding sources
• Manage RFP process
• Organize information sharing
Multiple Frameworks for R&D Projects
“CIP Life-cycle:”
• Policy and Strategy
• Awareness and Assessment
• Preparation and Prevention
• Detection and Reaction
• Recovery and Restoration
• Risk Management
Business/Tech Impact:
• Business Continuity
• Authentication and Access Control
• Information Security
• Network and Communications
• Operations Center Management
• Best Practices
Example Projects
• Enterprise security management
• Integration of physical and cyber security
• Securing software environments including COTS
• Access control language standards
• Defending against “insider” attacks
• Biometric identification systems
• Wide-scale identity theft
• Asset movement pattern recognition
• Business continuity strategies
• Data replication technology
• Data decontamination approaches
• Clearing system interoperability
• Best practices repository
• Life-cycle costing
• Creating public policy to promote business continuity best practices
Securing Software Environments Including COTS
• The issue:
– Banks and financial institutions use and integrate software they develop themselves and from dozens of different vendors, each with (or without) appropriate security. How can they create a secure environment with that architecture?
• Life-cycle:
– Awareness and Assessment, Preparation and Prevention, Detection and Reaction
• Business/technology impact:
– Improved security of integrated systems environments
• Time frame:
– Mid-term
Defending Against Insider Attacks
• The issue:
– Although financial institutions vet their employees, by the nature of their jobs they have access to large amounts of sensitive information. In addition, IT personnel have access to sensitive systems. What technology can be developed to reduce vulnerabilities in this type of environment?
• Life-cycle:
– Awareness and Assessment, Preparation and Prevention, Detection and Reaction
• Business/technology impact:
– Information Security, Business Continuity, Authentication and Access Control
• Time frame:
– Mid-term
High-reliability Biometric Identification Systems
• The issue:
– The public is very sensitive to use of biometric identification, particularly when reliability is less than perfect. How can systems be improved to a level of reliability that will be accepted in the financial environment?
• Life-cycle:
– Awareness and Assessment, Preparation and Prevention
• Business/technology impact:
– Authentication and Access Control
• Time frame:
– Mid-term
Wide-spread Identity Theft
• The issue:
– Credit and related information is stored in databases where the theft of millions of identities is possible (cf. NYTimes report 2/24 on theft of 145,000 identities from ChoicePoint)
• Life-cycle:
– Preparation and Prevention, Detection and Reaction, Recovery and Restoration
• Business/technology impact:
– Information Security, Business Continuity, Authentication and Access Control
• Time frame:
– Mid-term
Asset Movement Pattern Recognition
• The issue:
– It is relatively easy to track a small number of large value transactions. In today’s world, terrorists are more likely to be funding operations with large numbers of small value transactions. How do we find them?
• Life-cycle:
– Detection and Reaction
• Business/technology impact:
– Authentication and Access Control
• Time frame:
– Near term
Data Replication Technology
• The issue:
– To continue operating in the face of potential wide-scale disruptions, FIs are locating secondary and tertiary sites hundreds of miles apart. The need for “aggressive” recovery time and recovery point objectives implies the need for new types of data replication approaches.
• Life-cycle:
– Preparation and Prevention, Recovery and Restoration
• Business/technology impact:
– Business Continuity
• Time frame:
– Near term
Selection Criteria
• Program will seek diversity in:
– CIP “life-cycle phases”
– Business process and technology impact areas
– Time frame
– Research risk (exploratory to developmental)
Current Activities
• Analyzed existing R&D agendas for applicability to goals of project
• Augment with topics based on industry needs
• Vet with industry experts and organizations
• Develop funding and governance model
• Work with public and private sector to create funding sources
• Manage RFP process
• Organize information sharing
Closing the CIP Technology Gap
[Figure: State-of-the-Art (Proven Technology) and State-of-the-Practice curves; horizontal axis: Time; vertical axis: Technological Advance]
The State-of-the-Practice must improve at an average rate faster than improvements in the State-of-the-Art, and must deal with the uneven progress of improvements in the State-of-the-Art.
Variation among organizations can be large at any point in time.
Goal is also to reduce the variation among organizations.
For more information, contact:
– Scott Parsons, Deputy Assistant Secretary [email protected]@do.treas.gov
– Brian Peretti, Program Manager [email protected]@do.treas.gov
The Treasury CIP R&D Agenda Project: “Close the Gap”