A presentation given at the 2nd Annual Financial Services Cyber Security Summit in London, looking at cyber security risk and how it has historically been applied to the supply chain.
We present a maturity model, show where the best and the rest sit on it, and describe how it can be applied.
Assuring the Security of the Supply Chain - Designing best practices for cybersecurity in supply chains
1. Assuring the Security of the Supply Chain
Designing best practices for cybersecurity in supply chains
Ollie Whitehouse, Technical Director
2. Agenda
Supply Chains and the Cyber Challenge
Regulatory (FCA) Outsourcing Requirements
Historic Approaches
Models for the Future – our maturity model
3. 3
Supply chains…
• Software: commercial off-the-shelf (COTS) and proprietary
• Equipment: the routers, servers, tablets, phones, storage, multi-function devices, the doors, conditional access devices, building management systems etc.
• Services: business process outsourcing, data processing, IaaS, PaaS, SaaS, people, and other generic terms like data feeds, cloud and managed service etc.
6. 6
Supplier tiers..
Tiers of suppliers .. need to focus on tier 1 and 2 initially .. the tier a supplier sits in will be dictated by the business criticality of what they supply.
7. 7
Supplier tiers..
Tiers of suppliers have tiers of suppliers: it is an exponential problem, creating inadvertent centralized hot pockets of data or function for certain roles (legal, HR etc.) or sector niches.
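As an added example that is not part of the deck or NCC Group's material, the following Python models the tiering and concentration problem slides 6 and 7 describe: walk the supplier graph from the firm to assign tiers, then find the sub-tier suppliers on which several tier 1 chains converge (the "hot pockets"). The supplier graph is constructed for illustration, and the tier numbering (hop count from the firm) and the concentration threshold are assumptions made here.

```python
# Added illustration, not code from the presentation. The supply graph below
# is constructed: key = customer, value = its direct suppliers. "firm" is the
# regulated institution at the top of the chain.
from collections import deque, defaultdict

SUPPLY_GRAPH = {
    "firm": ["core-banking-saas", "payroll-bpo", "law-firm-a", "law-firm-b"],
    "core-banking-saas": ["iaas-west", "dns-provider"],
    "payroll-bpo": ["iaas-west", "print-bureau"],
    "law-firm-a": ["legal-docs-cloud"],
    "law-firm-b": ["legal-docs-cloud"],
    "legal-docs-cloud": ["iaas-west"],
    "iaas-west": [],
    "dns-provider": [],
    "print-bureau": [],
}


def supplier_tiers(graph, root="firm"):
    """Breadth-first walk from the firm. A supplier's tier is the smallest
    number of hops from the firm (tier 1 = direct supplier), an assumption
    used here in place of a business-criticality rating."""
    tiers = {}
    queue = deque([(root, 0)])
    seen = {root}
    while queue:
        node, depth = queue.popleft()
        for supplier in graph.get(node, []):
            if supplier not in seen:
                seen.add(supplier)
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers


def tier1_dependents(graph, root="firm"):
    """For every supplier, the set of tier 1 suppliers whose chains reach it.
    A sub-tier supplier reached from many tier 1 chains is an inadvertent
    concentration of data or function for the firm."""
    reach = defaultdict(set)
    for t1 in graph.get(root, []):
        stack, visited = [t1], set()
        while stack:
            node = stack.pop()
            if node in visited:
                continue
            visited.add(node)
            reach[node].add(t1)
            stack.extend(graph.get(node, []))
    return dict(reach)


def hot_pockets(graph, root="firm", threshold=2):
    """Suppliers beyond tier 1 on which at least `threshold` distinct tier 1
    chains depend, most concentrated first."""
    reach = tier1_dependents(graph, root)
    tiers = supplier_tiers(graph, root)
    pockets = [(name, len(t1s)) for name, t1s in reach.items()
               if tiers[name] > 1 and len(t1s) >= threshold]
    return sorted(pockets, key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    for name, tier in sorted(supplier_tiers(SUPPLY_GRAPH).items(), key=lambda kv: kv[1]):
        print(f"tier {tier}: {name}")
    # In the constructed graph every tier 1 chain ends up on one IaaS provider,
    # and both law firms share one document cloud.
    for name, count in hot_pockets(SUPPLY_GRAPH):
        print(f"hot pocket: {name} reached from {count} tier 1 supplier(s)")
```

The useful output is the second list: a tier 2 supplier that never appears in a contract with the firm but sits under every tier 1 chain is where the assurance effort of slides 28 and 29 needs to reach.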
10. 10
Today it is a challenge for customers
Suppliers today need to show good will in order to support supply chain cyber maturity programs..
Legacy contractual cover is typically weak beyond compliance against standards such as ISO27001..
Cost of contract renegotiation is typically high..
If a supplier is unique or niche then commercial leverage evaporates..
11. 11
FCA outsourcing regulatory requirements
• Senior Management Arrangements, Systems and Controls
  • SYSC 8.1: General outsourcing requirements
  • SYSC 13.7.9: Geographic location considerations
• Threshold Conditions
  • COND 2.4: Appropriate resources
  • COND 2.5: Suitability..
.. then there is the DPA etc…
Handbook: http://fshandbook.info/FS/
12. 12
FCA outsourcing regulatory reality
At the time of authorisation, a firm’s regulated activities must be supported by IT services which are effective, resilient and secure and have been appropriately designed to meet expected future as well as current business needs so as to avoid risks to our (the FCA’s) objectives.
Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014
https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
13. 13
FCA outsourcing regulatory reality
The firm must have undertaken sufficient preparatory work to provide reasonable assurance that each OSP will deliver its services effectively, resiliently and securely.
14. 14
FCA outsourcing regulatory reality
The firm has established appropriate arrangements for the on-going oversight of its OSPs and the management of any associated risks such that the firm meets all its regulatory requirements.
15. 15
FCA outsourcing regulatory reality
Above all, a regulated firm should be clear that it retains full accountability for discharging all of its regulatory responsibilities. It cannot delegate any part of its responsibility to a third party.
16. 16
FCA protection considerations
(Slides 16 to 20 share this title; only the title and the source citation survive in the text.)
Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014
https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
23. 23
What does cyber resilience mean?
We will have incidents of both internal and external origin
… we will contend with accidents and malicious acts
… we will face an evolving set of threats, requiring agility
We will build services for the business which are appropriately secure and resilient
… which frustrate threat actors and reduce the likelihood of accidents
… which minimize the impact of any incident whilst remaining usable
We will be in a position to detect incidents in a timely fashion
… whilst being able to answer who, what, when and how … and then recover
24. 24
How we deal with risk today
• Elements / Tenets: CIA and Parkerian Hexad etc.
• Models / Indexes: custom or off the shelf.
• Taxonomies / Frameworks: FAIR, NIST RMF, OCTAVE, TARA, EBIOS, ISO/IEC 13335-2, SP800-30 etc.
• Standards / Regulation: ISO/IEC 27001, PCI, FCA/PRA, SOC-1, SOX etc.
• Maturity Models: recognizing risk isn’t static, nor do we need to be perfect
• Audit: tells us the gaps against regulation, standards, taxonomies etc.
25. 25
How we deal with risk today
C  A I .. this priority (confidentiality first) is good for your sensitive data
C = confidentiality, I = integrity, A = availability
26. 26
How we deal with risk today
C A  I .. this priority is good for your building management system
27. 27
How we deal with risk today
N I C A .. this priority is good for high frequency trading
N = nonrepudiation
28. 28
Biggest challenges today are still
• Where will my organization’s data, or the ability to significantly impact my business, end up (logically and physically)?
• Who will have access to it?
• What is my supplier’s ability to protect themselves in the first instance?
• What is their ability to detect an incident, respond and notify me?
• How cyber resilient is my supplier?
29. 29
A maturity model for the supply chain

| Dimension | Immature | Early Starter | Progressive | Semi-Mature | Mature |
| Cyber security strategy | Reactive | Regulatory (customer) driven | Regulatory, customer and maybe peer driven | Regulatory, customer, peer & threat driven | Regulatory, peer, customer, threat and intelligence driven |
| Approach to risk management | Ad-hoc | Conformance and audit driven | Audit and proactive | Audit, proactive with dynamic risk models | .. plus continual validation of risk models |
| Contractual cover / supplier relationship | None | Minimal cyber security requirements | Allows independent cyber security review | Independent validation / information shared | … plus requires pro-active notification of incidents |
| Standards and validation | Cyber Essentials | Cyber Essentials + ISO 27001 | CE+, ISO plus paper validation | CE+, ISO, paper & tech validation | CE+, ISO, paper, tech & end-to-end ongoing validation |
| Overall cyber resilience | None | Ability to defend against some attacks | Ability to defend and detect common incidents | Ability to defend, detect and respond to most incidents | Ability to defend, detect, respond and gain intelligence |

Implementation
NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management
30. 30
CBEST in this context
For a supplier of an economic function that is critical to the UK economy, it validates
• The level of threat awareness of the supplier, i.e. the tier 1 institution
• Their ability to protect their estate in the first instance
• Their ability to detect an incident, respond and notify in the second
• The end-to-end technical and soft defence countermeasure effectiveness, including from vectors such as the Internet and trusted partners etc.
31. 31
So where is the best supply chain today?
(The NCC Group Supply Chain Cyber Security Maturity Model table from slide 29 is repeated on this slide.)
32. 32
Closing… CBEST is mature
But we can expect it to trickle down in terms of what is looked at in the supply chain…
33. 33
Further reading / viewing…
http://www.slideshare.net/OllieWhitehouse/red-teaming-and-the-supply-chain
https://www.nccgroup.trust/uk/our-research/cyber-red-teaming-business-critical-systems-while-managing-operational-risk/
34. 34
How we help our customers …
Red Team Assessments
STAR and CBEST
Phishing Assessments
Cyber Incident Response
Cyber Defence Operations
Regulatory Advice
Cyber Resilience
Risk & Governance
Supply Chain Assurance
Operational Support
35. 35
Final thought…
Maturity is happening globally in financial services…
Israeli Cyber Defense Management directive, March 2015
Prescriptive in comparison, including 24x7x365 SOCs, incident rooms, mandatory reporting of cyber incidents etc…
http://www.bankisrael.gov.il/en/BankingSupervision/SupervisorsDirectives/ProperConductOfBankingBusinessRegulations/361_et.pdf?AspxAutoDetectCookieSupport=1
36. 36
Europe: Manchester (Head Office), Amsterdam, Cambridge, Copenhagen, Cheltenham, Edinburgh, Glasgow, Leatherhead, London, Luxembourg, Munich, Zurich
Australia: Sydney
North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale
Ollie Whitehouse
ollie.whitehouse@nccgroup.trust