FFIEC Risk and Relationship Series: IT Risk Management

Over the past few months, resilience and risk management have become priority topics in enterprise IT as the COVID-19 pandemic has put Business Continuity Management (BCM) processes to test in ways that were not broadly anticipated. As a society – from a business, technical and even personal standpoint-  we have seen the value of being resilient. However, due to this sudden and major paradigm shift to a digital and dispersed workforce, we have been forced to move to a new form of resilience where operational and cyber risks are viewed as more fluid and continuous problems; as opposed to being rigidly focused upon specific pre-prescribed disaster scenarios that were the traditional norm in the Business Continuity Planning (BCP). This transition to a more proactive form of resilience has actually been ongoing for some time, but as we have seen in many recent breaches and attacks, has not been implemented or executed mainstream.

Session One: Operational and Cyber Resilience 

In session one, we will explore: Strength versus Resilience in Business Continuity Management (BCM); Operational and Cyber Resilience Approaches for Risk Management; the Role of the FFIEC; FFIEC Key Publications; and we will explore how an Application Relationship Management solution, such as the vArmour Application Controller, allows you to automate each aspect of the BCM process.

To learn more, watch the webinar and view the full demonstration, or read the excerpt below.

Watch the Full Webinar:

Strength versus Resilience

Historically, business continuity practices were constructed around mostly static planning related to a set of standard scenarios. Those plans were constructed manually, tested periodically in isolation and often led to stale information being used when a plan was actually executed. In addition, the planning scenarios (for example, loss of a single office building) did not often match the more variable actual events (such as a global pandemic or internally executed cyber attack). And although the business continuity plans were strong- detailed, well thought through and tested – they were not necessarily resilient to unexpected real-world events and changes within the enterprise environment. 

In Aesop’s tale of the oak and the reed, the tree boasted of its strength and ability to resist any known weather. Yet, it’s strength was brittle and when a hurricane occurred (an unplanned event), the oak tree was broken. In contrast, the reed was flexible and resilient, which allowed it to survive this particular storm. Our operational and cyber risks processes and tools need to reflect that resilience, so we can respond to less predictable events (in a highly unpredictable world) while using an understanding of our business functions as they are now, in an environment where our applications and cloud environments are always changing. 

Operational and Cyber Resilience

So, what are the business and technical properties of a resilient approach to operational and cyber risk management? In November 2019, the FFIEC identified the following five key principles within their ‘Business Continuity Management Handbook’:

1. Continuous – Business continuity should not be focused only on the planning process to recover operations after an event, but rather, it should include the continued maintenance of systems and controls for the resilience of operations.
2. Protect Critical Business Functions – Critical Business Functions should be identified and protected, including critical assets, infrastructure and dependencies. 
3. Identify and Protect Critical Business Function’s Interdependencies – Identify, analyze and prioritize interdependencies among business functions and systems for alignment with resilience and recovery objectives.
4. Risk Identification – Apply the application of proactive controls to mitigate cyber and operational risks, which can include controls such as segmentation and thorough testing of operational changes. 
5. Cyber Resilience – A challenge for cyber resilience is maintaining operations despite ever-changing risks (e.g., malware, data or system destruction and corruption, and communications infrastructure disruption). The sophistication and frequency of cyber attacks increase the potential for disruption and destruction of data and systems. Given the broad and increasing spectrum of cyber threats, resilience measures should be flexible enough to adapt to a diverse range of events. For example, a cyber attack could impact both production and backup facilities simultaneously, potentially rendering both inoperable, whether hosted internally or by a third-party service provider.”

The FFIEC further defines resilience as “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”  

The Role of the FFIEC 

The FFIEC is an interagency regulatory body which was formed to prescribe uniform principles and standards for the examination of US financial institutions across Banking, Insurance, Credit Unions and other Financial Services entities. It’s scope is broad, and includes operational, technical and cyber control requirements as they are deemed critical to the continuity and resilience of institutions and of the financial system itself. FFIEC aligns closely with the NIST cybersecurity framework for Cyber resilience, and there are equivalent entities around the world providing governance to regional Financial Services entities, for example, FCA (Financial Conduct Authority) in the UK and Apra in Australia. 

FFIEC has proven to be a leader in terms of risk management definitions over the years, including the adoption of maturity models for board level engagement, an understanding that relationships and interdependencies are crucial to providing resilience in a highly interconnected world, and a recognition of the need for continuous controls in addressing the need for resilience. 

FFIEC Key Publications

The FFIEC has published several of its own books and guides that reflect the key principles described above from the Business Continuity Management Handbook, including critical business controls, interdependencies, board and executive level risk assessments through maturity model frameworks, continuous management, and culture and organization. 

Additional key publications include the FFIEC Information Technology Examination Handbook, Information Security Handbook (Sept 2016) and the Cybersecurity Assessment Tool (May 2017). 

The Risk and Relationship Series

This Risk and Relationship Series blogs accompanied by seven educational video sessions will look at aspects of financial services regulatory requirements around operational and cyber resilience, specifically, the FFIEC (Federal Financial Institutions Examination Council) Business Continuity Management (BCM) and cybersecurity guidance, including their equivalents in the major financial centers across the globe. We will also explore solutions to the requirements in the form of demonstrations, and discover how a risk-based approach can be enabled by an understanding of relationships and dependencies.  Please see the series agenda for more information on the series topics.

The Risk and Relationship Series Agenda

This series will also include topic-relevant demonstrations of a continuous data-driven approach solution called Application Relationship Management, using the vArmour Application Controller. 

The series topics are as follows:

1. FFIEC IT Risk Management
2. Business Continuity Management: Governance & Risk Management
3. Business Continuity Management: Assessing Impact
4. Assessing Cyber Risk with the Cyber Assessment Tool (CAT)
5. Controls – Network Controls and How to Build Dynamic Inventory 
6. Controls – Change Management, Assurance and Testing
7. Controls – Remote Access
8. Controls – Cloud Computing 
9. Security in a Cloud Computing Environment

Watch the FFIEC IT Risk Management session on demand now. A new session will be available on demand every two weeks beginning April 23.

If there are any aspects of Operational or Cyber Resilience you would like to see covered in this series, please get in touch with me at vcomm@varmour.com.