Cybersecurity frameworks to support financial regulatory obligations in 2023

Author: Adam Parrish

Introduction

Cybersecurity is a complex topic, and every organisation's needs will be different. I recommend getting independent advice to assess your cyber needs and offer all the information below with no warranty to correctness or applicability. The following guidance is not comprehensive and is only provided for information purposes. I am also not a legal professional, so please seek appropriate legal advice from one to confirm your cyber obligations.

The financial year 2022-23 has fast become the year of the breach for Australian businesses, with Optus, Medibank, and now Latitude in the news for some of Australia's largest ever cyber breaches. These breaches have affected a significant portion of Australian and New Zealand residents via a swathe of sensitive personally identifiable data that can be used for cybercrime, such as identity fraud. Based on the experience of my personal network, these breaches are already creating a significant burden to affected victims - not to mention the huge reputational damage they have brought on the businesses affected.

These cyber attacks are also playing out on a smaller scale that you may not be seeing in the news: the Office of the Australian Information Commissioner (OAIC), Australia's regulator for cyber incidents, has just released its independent report into notifiable data breaches.

Worryingly, breach notifications were up 26% between July and December compared to the six months prior, and I will be interested to see if the trend continues for January through July 2023.

If you are an executive or manager responsible for cyber in some shape or form, you are probably sleeping a little less soundly at night knowing you might be one slip up away from being in the news - especially considering obligations you have under Australian law. Australia has a number of pieces of regulation relating to cyber security, and if you process or handle personally identifiable data as a business or organisation, they probably apply to you.

Regulatory status and considerations

There are a number of obligations organisations have under Australian law from a compliance perspective, and before jumping into cyber frameworks, it's worth giving a high level overview of some key regulations that might apply to you. Know that regulation will be subject to change based on government commitments to overhaul cyber laws, with the existing government regulations having been described as "bloody useless" by Cyber Security Minister Clare O'Neil in an ABC interview in February, where she also committed to changes in how cybersecurity strategies and obligations are managed nationally.

Your risk and compliance teams and legal counsel can likely provide you more information on your exact obligations if you are not aware of them.

Regulations you should know

Australian Privacy Act

The Australian Privacy Act covers organisational obligations, and is regulated and enforced by the OAIC, Australia's data privacy watchdog. If you are:

  • An Australian Government agency,
  • An organisation with an annual turnover of more than $3 million, or
  • A small business covered by specific prescriptions in the Act,

then this regulation applies to you.

The Australian Privacy Act and its prescribed organisational obligations are summarised under the Australian Privacy Principles (APP) framework, which contains 13 principles that underpin the obligations of the Act. While all of them relate to cyber security, information security and the data governance of personally identifiable data, APP 11 is the most cyber centric. It states that if you are an APP entity, you must:

  • Take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure,
  • Take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs. This requirement does not apply where the personal information is contained in a Commonwealth record or where the entity is required by law or a court/tribunal order to retain the personal information (APP 11.2)

"Reasonable steps" is a defined term, and the OAIC provides guidance on what exactly it means. If you have a read you'll see that the definition is open to interpretation, but the guidance indicates that your obligations (to have a reasonable security posture) generally increase with your organisational size, resources and information sensitivity, tempered by whether the cost and complexity of implementing a given control would make it unreasonable to expect. The OAIC broadly expects these reasonable steps to extend to controls and strategies covering:

  • Governance, culture and training,
  • Internal practices, procedures and systems,
  • ICT security,
  • Access security,
  • Third party providers (including cloud computing),
  • Data breaches,
  • Physical security,
  • Destruction and de-identification,
  • Standards,
  • A defined information lifecycle protection strategy

Notifiable Data Breaches Scheme

The Notifiable Data Breaches scheme was an addition to the Privacy Act in 2018 that legislates the obligations of organisations to report data breaches. Organisations must report eligible data breaches to the OAIC. An eligible data breach occurs when:

  • There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds,
  • This is likely to result in serious harm to one or more individuals, and
  • The organisation or agency hasn't been able to prevent the likely risk of serious harm with remedial action.

An organisation or agency that suspects an eligible data breach may have occurred must quickly assess the incident to determine if it is likely to result in serious harm to any individual.

The loss provision extends to circumstances such as an employee leaving an unencrypted thumb drive containing personal information on the bus.

Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) and the Security of Critical Infrastructure Act 2018 (the SOCI Act)

If you work for a responsible entity of a critical infrastructure asset (with critical infrastructure including 'those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic well-being of the nation, or affect Australia's ability to conduct national defence and ensure national security'), you may be obligated to maintain an enhanced level of cyber security, such as being required to:

  • Develop cyber security incident response plans to prepare for a cyber incident.
  • Undertake cyber security exercises to build cyber preparedness.
  • Undertake vulnerability assessments to identify vulnerabilities for remediation.
  • Provide system information to build Australia's situational awareness.

Director Specific Obligations - Corporations Act 2001

Other regulations are more specific about what cyber obligations exist for organisations; the Corporations Act, however, requires that directors exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise (Corporations Act 2001, Section 180). While the Corporations Act is not cyber specific guidance, Section 912A(1)(h) requires Australian Financial Services Licensees (AFSLs) to have "adequate risk management systems" and requires that the supplied financial services are provided 'efficiently, honestly and fairly'.

Common law rulings such as the 'Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496' case show that this expectation now extends to cyber security.

This ruling establishes an expectation that organisations with cyber obligations will have adequate cybersecurity and cyber resilience controls, implemented through a robust implementation program and underpinned by documentation, controls and risk management systems that are adequate to manage the organisation's cybersecurity risk. The ruling against RI Advice was underpinned by two major findings:

  • RI Advice contravened s 912A(1)(a) of the Act in that it failed to do all things necessary to ensure that the financial services covered by its Licence were provided efficiently and fairly, by failing to ensure that adequate cybersecurity measures were in place and/or adequately implemented across its Authorised Representatives.
  • RI Advice contravened s 912A(1)(h) of the Act in that it failed to have adequate risk management systems, by failing to implement adequate cybersecurity and cyber resilience measures and exposing its Authorised Representatives’ clients to an unacceptable level of risk.

CPS 234 - Management of Security Risk in Information and Information Technology

APRA regulated organisations (which covers a large section of the Australian financial services industry) must adhere to 'CPS 234 - Information Security'. A CPS is a prudential standard, and CPS 234's key requirements are establishing APRA-regulated entity obligations to:

  • Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
  • Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
  • Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
  • Notify APRA of material information security incidents.

To meet these obligations, there are a few key takeaways within the standard. Consider the following:

  • Clearly define roles, responsibilities and mandates for cyber and information security responsibilities via a RASCI model.
  • Have clear information security mapping, including the 5 knows of data security, to clearly identify the risk, criticality and exposure of your information assets, as well as the retention, deletion and lifecycle obligations of your data.
  • Have a defined information security policy framework and the supporting implementation and ongoing testing and validation of controls against this framework, supported by both three lines of defence internal auditing and review, and external validation through regular auditing and penetration tests.
  • Have clear third party vendor and partner risk and information security management controls in place.
  • Have clear incident management policies, procedures and run books that are regularly road tested.
  • Have a report and escalation process to APRA that occurs within 72 hours of material breaches, or of breaches that would need to be reported to other regulators both domestically and internationally.

In many ways the APRA guidance for CPS 234 is most closely aligned with an obligation to adhere to, and test against, a mature and comprehensive framework, and implementation guidance is clearly defined in CPG 234, APRA's Prudential Practice Guide for the standard.

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) has been developed by the PCI Security Standards Council to mandate security requirements for any company that processes payment card data in the course of business. It is up to its fourth version as of March 2022 and outlines 12 principal requirements, grouped into 6 key areas, that your organisation must follow if it processes payments via credit cards. The PCI DSS applies to any organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. PCI-DSS has over 300 controls and a tiered obligation level for what your organisation may need to do if it processes payment data. Payment providers that handle credit card payments on your behalf can ensure you avoid the burden of needing to be PCI-DSS compliant, as long as no payment card data is stored or handled by your organisation. The PCI Security Standards are publicly available at https://www.pcisecuritystandards.org/document_library/.

The 12 principal requirements are:

Build and Maintain a Secure Network and Systems

  1. Install and Maintain Network Security Controls.
  2. Apply Secure Configurations to All System Components.

Protect Account Data

  3. Protect Stored Account Data.
  4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.

Maintain a Vulnerability Management Program

  5. Protect All Systems and Networks from Malicious Software.
  6. Develop and Maintain Secure Systems and Software.

Implement Strong Access Control Measures

  7. Restrict Access to System Components and Cardholder Data by Business Need to Know.
  8. Identify Users and Authenticate Access to System Components.
  9. Restrict Physical Access to Cardholder Data.

Regularly Monitor and Test Networks

  10. Log and Monitor All Access to System Components and Cardholder Data.
  11. Test Security of Systems and Networks Regularly.

Maintain an Information Security Policy

  12. Support Information Security with Organizational Policies and Programs.

Obligations in Summary

Based on the above, a number of key requirements and expectations stand out. If you operate in Australia as an organisation with any considerable turnover, or your business provides any public utility, you:

  • Need to protect the confidentiality, integrity and availability of your information assets.
  • Need a cyber security framework.
  • Need a cyber resilience framework.
  • Need to consider cyber risk and cyber resilience as part of a broader risk management system.
  • Need to consider security holistically across physical, cyber and information assets.
  • Need to consider the impact a data breach would have on the impacted parties that the information is associated with (customers, staff, shareholders, partners).
  • Need a data management framework, which should explicitly address your obligations under the Privacy Act and data lifecycle needs both from a data destruction and data retention perspective.
  • Need adequate capabilities to detect and respond to cyber events in a timely manner, underpinned by regular testing, run books, and response policies and procedures.
  • Need to have a holistic approach to addressing cyber security across your supply chain, considering customers, partners, suppliers and internal perspectives.
  • And you need to have all this ready before a breach happens.

I haven't included an in depth overview of the obligations that affect organisations operating within, or targeting individuals in, the EU, so also be aware of the GDPR if you have a European footprint, as well as any general risk management obligations you might have under industry specific regulations such as RG 209.

So I need a framework?

For most organisations of any reasonable size, chances are you will need a framework to effectively manage, review and control your cyber posture. You may also have a regulatory burden not just to consider cyber security, but to have a well thought out and well implemented cyber governance program aligned with best practice frameworks.

Common cyber frameworks seek to address the above concerns.

An Overview on Information & Cyber Security

All cyber frameworks typically seek to address cyber and information security. Before jumping into them, it's worth addressing what these terms generally mean:

Information Security

Information security is commonly explained by the CIA triad, which is:

  • Confidentiality: Keeping your information secret from those who should not know it.
  • Integrity: Ensuring your information is correct, that it is not tampered with, modified or otherwise manipulated without your consent, whether deliberate or accidental.
  • Availability: Ensuring your information is available and recoverable as and when needed.

Information security is primarily concerned with the CIA triad; however, a more detailed breakdown known as the Parkerian Hexad also includes the following three additional concerns:

  • Authenticity: Refers to the truthfulness of any claims of origin or authorship of information. This is a major concern of public key encryption and the trustworthiness of information systems.
  • Possession or control: Think back to the lost USB device - while a breach may or may not occur due to the loss of the thumb drive, it is no longer under active control, making it impossible to manage risk of breach of confidentiality.
  • Utility: Information which has lost its usefulness has lost utility. This is a concern when implementing security controls, as they can degrade information utility if not properly implemented.

Other information security adjacent concepts (such as information assurance) will also mention the following items when discussing information security:

  • Non-repudiation: A concept that closely ties to authenticity, non-repudiation ensures that a statement's author cannot dispute its authorship or the validity of an associated contract. It is used in public key cryptography to ensure that the sender of a message can be verified and cannot later deny sending it, and that receipt by the recipient can be proven.
  • Authentication: Ensures users are who they say they are, and that only they can complete specific actions.

Cyber Security

In the context of this article, and in many parts of the Australian industry landscape, cyber security is a term used to encompass broader concerns than information security, such as computers and endpoints, networks, information and devices. Cyber security and information security are often used interchangeably, and usage of the terms differs from industry to industry and country to country. In industry, cyber is often used to refer to the set of capabilities an organisation maintains to protect its information security, as well as its broader cyber footprint, from malicious or accidental incidents.

All of the following frameworks underpin meeting your cyber obligations in some way, shape or form, and all of them can be used together to create a holistic cyber program.

I have broken down different frameworks and the strengths and weaknesses of them for different use cases. They are broadly ranked from easiest to implement to hardest to implement, keeping in mind each has different goals which underpin how it is structured.

A key point to internalise before jumping into frameworks is that cyber maturity is a journey, not a destination. Guidance around best practices evolves along with the sophistication of attacks, changing threat landscapes, and organisational risk profiles. A reasonable security posture takes ongoing effort to achieve, maintain and evolve with an organisation's own growth and risk profile.

Frameworks

Frameworks worth investigating in my experience include:

  • ASD Essential 8
  • ISO/IEC 27001:2022
  • NIST CSF
  • COBIT 2019

ASD Essential 8 (and other Australian Cyber Security Centre resources)

Link: https://www.cyber.gov.au/acsc/view-all-content/essential-eight

The ASD Essential 8 is a prioritised list of eight key mitigation strategies taken from the broader Strategies to Mitigate Cyber Security Incidents list published by the Australian Cyber Security Centre (ACSC), the working body of the Australian Signals Directorate (ASD) for industry. The controls outlined are 'Application Control', 'Patch Applications', 'Configure Microsoft Office macro settings', 'User application hardening', 'Restrict administrative privileges', 'Patch operating systems', 'Multi-factor authentication' and 'Regular backups'.

The Strategies to Mitigate Cyber Security Incidents guidance is worth a read, as it provides no nonsense recommendations on key controls to put in place to mitigate the common attack paths cyber criminals utilise, and has excellent guidance to inform quick wins: each control carries an effectiveness rating, potential user resistance, upfront cost and ongoing maintenance cost, allowing a risk vs reward assessment to prioritise which controls to deploy first.

The Essential 8 subset of these strategies is great because it provides a small, concentrated and achievable list of actions for organisations wanting to improve their security posture. While it lacks the depth of some other frameworks, the ACSC have created an incredibly lean but effective framework, and guidance is tiered against maturity levels, allowing an incremental deployment as your maturity improves or your risk posture increases.

The cyber security principles that underpin the ACSC methodology are:

  • Govern: Identifying and managing security risks.
  • Protect: Implementing controls to reduce security risks.
  • Detect: Detecting and understanding cyber security events to identify cyber security incidents.
  • Respond: Responding to and recovering from cyber security incidents.

Key links for Essential 8 and ACSC:

ISO 27001:2022

ISO/IEC 27001:2022 is the latest version of the ISO/IEC 27001 Information Security, Cybersecurity and Privacy Protection standard, a global certification based standard for cyber security. The ISO 27001 standard is popular because it provides a certification target that is universally recognised, and very straightforward guidance for implementation of an 'ISMS', or Information Security Management System: a comprehensive list of policies and control guidance to underpin a cyber program.

For organisations wanting external assurance against a specific set of benchmarks, it provides a good litmus test that your cyber framework is fit for purpose. Some disadvantages of ISO 27001 are that it is reasonably narrow in scope and needs to be supported by a number of additional ISO standards that make up the 27000 family. For smaller organisations, there are also cost barriers. As the standards themselves are not free, they need to be purchased and then interpreted before you can put them to use, and due to the complexity of the recommendations, additional standards such as ISO 27002:2022 are recommended.

Having run a number of ISO 27001 projects, I would recommend other high quality, free frameworks such as NIST or ACSC as a starting point unless certification is an important outcome: while the guidance and recommendations are high quality and support a comprehensive ISMS, there is very little in the standards that you can't find elsewhere if budget and accessibility are higher order concerns than certification.

The ISO 27001 framework has four key control groups (known as themes) with 93 underpinning controls. These are:

  • People Controls: Controls related to managing cyber security from a human context (8 controls)
  • Physical Controls: Controls related to managing cyber security from a physical access and physical handling perspective. (14 controls)
  • Technological Controls: Controls related to managing cyber security from a technical perspective (think application, network, software, data, end point) (34 controls)
  • Organisational Controls: Controls that do not fit into the above categories, such as threat and risk management, data labelling, access rights, incident response and the like. (37 controls)

A key advantage of ISO27001 and its associated policies if you wish to pay the price of entry is that the control guidance is prescriptive and provides useful mapping information to tie concepts and capabilities to controls nicely, allowing granular reporting on capabilities and a good reference guide for a number of controls. ISO27001 is also of benefit for organisations where external assurance is important. If you work in a high risk industry, deal with large amounts of or particularly sensitive personally identifiable data, or have a product or service which processes customer data as part of your core offering, an ISO27001 certification can be an effective way to establish and maintain a strong baseline security posture.

ISO 27002 uses the same cybersecurity concepts as the NIST framework, which consist of Identify, Protect, Detect, Respond and Recover.

Key links for ISO 27001:2022:

NIST

In a cyber context, NIST normally refers to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), although it is also used to refer to a number of standards that fall under the NIST banner. NIST CSF is a US government standard, currently at version 1.1, with industry feedback on version 2 currently under way.

NIST CSF focuses heavily on the concept of five Core Functions, and considers not just cyber security (protection of assets) but also cyber resilience (recovery from a cyber incident). The Core Functions are:

  • Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
  • Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
  • Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
  • Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

Within Australia, NIST CSF has been broadly adopted by organisations, with ASIC reporting on NIST maturity levels as part of its annual reporting on cyber resilience.

The key advantages of NIST CSF are that it is widely used, it is comprehensive, it considers not just having a good cyber security posture but also what to do when you potentially get breached, and there is a significant amount of additional NIST guidance that covers how and why to do things. If you are an ASIC regulated organisation, it is worth getting familiar with and mapping your maturity level against to see if you are meeting your obligations. There are a number of other key NIST guidance documents I also recommend, which I have included in the Key Links section for NIST, especially NIST SP 800-61, which covers incident handling. If you are an ASIC regulated entity, I highly recommend you implement a NIST CSF aligned cyber security program.

Key links on the NIST framework

COBIT 2019

COBIT (Control Objectives for Information Technology) is one of the more venerable frameworks used in cyber security, now up to its 6th version, and is still popular in industry and government as it provides significantly broader guidance than many cyber security frameworks, with a focus on general enterprise technology governance and risk.

COBIT 2019 is expansive, but because not all of its guidance is specific to cyber security, it may be an overwhelming place to start your cyber journey, with 40 distinct governance and management objectives. COBIT offers a toolkit for free, but most of its publications have to be purchased, so there is a cost barrier to entry to being able to assess its suitability for your organisation. It would certainly be an appropriate framework to consider when assessing enterprise level technology governance, and the

Where COBIT shines is that it is not prescriptive in 'how' to do anything, but provides a sound framework of 'what' you should have in place through the concept of governance and management practices, supported by the concept of cascading goals down from your organisational objectives. These practices are supported by extensive RASCI matrices for organisational roles, related guidance references from other standards, frameworks and compliance requirements, and key activities you should consider implementing depending on what level of maturity you want to have for these 'practices', along with example metrics you may want to track as part of defining a successful implementation.

A key call out is that the information security related guidance it provides typically references NIST, the ISO 27000 series of standards and the Centre for Information Security Standards, and in my opinion it should be considered primarily when implementing cyber security as part of a broader technology governance program at an enterprise or government level. For SMEs it will likely be excessive in comparison to an ITIL aligned governance framework supported by a cyber framework, although COBIT does offer paid guidance on tailoring it to smaller organisations.

Key links on the COBIT framework

Closing Remarks

If you are looking at this as an executive who has low exposure to cyber framework concepts and have been looking through some of the links I have provided, chances are you might be thinking it looks like a lot of work. Unfortunately cyber security isn't easy, and it typically will involve a significant amount of work to achieve and maintain a comfortable cyber security posture in line with your risk appetite.

The above frameworks are industry standard, and there may be other frameworks I haven't covered that may be more applicable to your organisation - so make sure you speak to cyber security advisory services with sector and geographic experience.

Be aware that all of these frameworks will likely take your teams multiple days just to read and understand, as most contain hundreds of controls, and that auditing your current adherence to a framework can take weeks of audit time if not using automated tools. Expect the implementation and maintenance of a cyber security framework to be a multi-month project which will likely require ongoing full time staff to implement, maintain and improve over time.

It would be great to hear your feedback on your own cyber framework experiences, what works, what doesn't and if there are any frameworks you love.

I hope you have found the article useful. Cheers, Adam.

Resources

Further Reading