Communication A7266. Guidelines on Cyber Incident Response and Recovery.
The BCRA has issued Communication A7266 to establish a series of guidelines on cyber incident response and recovery. According to the definition included in the lexicon published in the BCRA’s website, a cyber incident is an event related to an information infrastructure of interactions among persons, processes, data, and information systems that jeopardizes the cyber security or violates the security policies, security procedures or acceptable use policies, whether resulting from malicious activity or not.
These guidelines aim at curtailing financial stability risks and boosting cyber resilience of the ecosystem as a whole in line with the recommendations of the Financial Stability Board (FSB) included in the final report on Effective Practices for Cyber Incident Response and Recovery.
The guidelines provided for in Communication A7266 are the following:
Governance. The aim of governance is to define a decision-making framework for assigning the roles and responsibilities necessary to ensure the engagement of internal and external stakeholders in the presence of a cyber incident. It is also concerned with the setting of a scheme to organize and manage response and recovery activities; and to foster a culture that acknowledges, faces and appropriately handles potential cyber incidents.
Planning and preparation. This section involves preparatory activities before an incident occurs and plays a significant role in the response and recovery effectiveness. This guideline focuses on the establishment and maintenance of planning and preparation capabilities to respond to and recover from cyber incidents, and to restore critical activities, systems and data affected by cyber incidents to resume normal operations. Plans and procedures have a key role in this section as they include the relevant criteria for determining the cases in which measures should be implemented and the way to respond to cyber incidents.
Analysis. This guideline refers to the forensic analysis, and the determination of the severity, impact and root cause of cyber incidents. In this regard, a taxonomy needs to be defined for classifying cyber incidents.
Mitigation. This section focuses on mitigation measures intended to prevent the situation from worsening and to eradicate or eliminate cyber incidents in a timely manner so that the impact on business operations and services is lessened. Containment, isolation and eradication measures are of particular importance here.
Restoration and recovery. This guideline deals with the restoration of systems and assets affected by a cyber incident and the safe recovery of affected data, operations and services so that they resume their normal status.
Coordination and communication. This section refers to the appropriate coordination of the organization with relevant internal and external stakeholders, including authorities. Across the life cycle of a cyber incident, stakeholders must be given a response and uniform assistance on a coordinated basis, thus enhancing the cyber resilience of the system. It is important to define a communication language and frequency appropriate to the type of audience.
Continuous improvement. This guideline refers to the processes that must be implemented to improve response and recovery activities and capabilities through lessons learnt from past cyber incidents and proactive tools, such as exercises, tests, and drills.
These guidelines are aimed at financial institutions, payment service providers that offer payment accounts and financial market infrastructures. However, given the general nature of these guidelines, they may also be adopted by any institution in the financial system, as well as IT and communication service providers, among others.
As regards implementation, the stakeholders that fall under the scope of these guidelines may adopt the practices that are most suitable to the size, complexity or risk exposure of their business model within the financial ecosystem. Financial institutions must keep a record of the reasons underlying the implementation criteria adopted and make them available to the Superintendence of Financial and Foreign Exchange Institutions (Superintendencia de Entidades Financieras y Cambiarias, SEFyC) upon request.
The Consolidated Text on “Minimum Requirements for the Management, Implementation and Control of Risks Related to Information Technology, Information Systems and Associated Resources for Financial Institutions” compiles all updates of the relevant communications from its first release to date.
This regulation lays down organizational, technical and infrastructure measures to be applied by Financial Institutions, as follows:
Section 1. General aspects
Section 2. Functional Organization and IT Management and Systems
Section 4. Continuity of Electronic Data Processing
Section 5. Transactions and Data Processing
Section 6. Electronic Channels
Section 7. Outsourced IT Services
Section 8. Information Application Systems
These guidelines are meant to address current cyber security challenges in strategic planning. Financial institutions are invited to analyze, process and/or adopt them at the governance and managerial level.
Financial services provided through digital channels continue expanding, requiring new technologies and increased interconnection among the participants of the financial system.
This poses challenges to the entire financial ecosystem, irrespective of whether the participants are subject to BCRA regulation or not, such as financial institutions, network operators, clearing houses, third-party service providers, and fintechs. Therefore, planning is essential to face the risks derived from digital expansion.
The following guidelines seek to help organizations to set and include cyber security and cyber resilience into their strategic planning.
BCRA's guidelines on cyber security:
- Cyber security strategy and framework: A strategy and a framework will serve to identify, manage and effectively reduce cyber risks in a comprehensive manner. Financial institutions, third parties and the remaining actors of the financial sector should develop a cyber security strategy and framework tailored to their size, complexity, risk profile and culture in the face of current threats and vulnerabilities.
- Governance: The organization's governing authority is responsible for the strategy. It is necessary to have clearly defined structures, roles, and responsibilities to handle this issue, and to take preventive measures in each project. It is also advisable to encourage communication among business units, IT, risk and fraud areas, and those areas responsible for control according to their missions and responsibilities.
- Risk and control assessment: It is necessary to analyze the risk posed by natural persons, processes, technology, and any underlying data of the financial institution itself, and to assess the latter's own risks from its functions, activities, channels, products, and services. Control assessments should consider the cyber risks that the financial institution faces or presents to the ecosystem, such as service providers, government bodies, financial service users and other organizations with which it may interact.
- Monitoring: The monitoring process should help to maintain risks at a level that is acceptable to the organization's governing body, and to enhance efficiency or overcome any weakness. Testing, cyber exercising and auditing protocols are essential. Depending on the nature of an institution or organization, and its risk profile and control environment, control testing and auditing functions should be reasonably independent from those carried out by personnel responsible for implementing the cyber security program.
- Response: As part of the risk and control assessments, financial institutions should implement incident response processes and other controls to streamline timely and appropriate response. These controls should clearly address decision-making responsibilities, define escalation procedures, and establish processes for communicating with the internal and external parties involved. Exercising and protocols within and among financial institutions or organizations belonging to the ecosystem are encouraged. Exercising also enables financial institutions and authorities to pinpoint any situation that may affect participants' ability to maintain acceptable levels of services, critical functions, and activities, and of any other activities that may affect the financial system.
- Recovery: Once operational stability and integrity are assured, prompt and effective recovery of operations should be based on prioritization of critical functions and in accordance with objectives set by the authorities responsible for the financial institution or organization. Trust and confidence in the financial sector improves significantly when financial institutions or organizations and authorities have the ability to assist each other in the resumption and recovery of critical functions, processes, and activities. Establishing and testing contingency plans for essential activities and processes can contribute to a faster and more effective recovery.
- Information sharing: Sharing technical information, such as threat indicators, frauds or how vulnerabilities are being exploited, allows financial institutions to keep their defenses up-to-date, and learn about the most widespread methods used by attackers. This facilitates collective understanding of how attackers may exploit sector-wide vulnerabilities, disrupt critical economic functions, and even endanger financial stability. Given its importance, financial institutions, organizations, and authorities will identify and address impediments to information sharing.
- Continuous learning: Threats and vulnerabilities in the cyber ecosystem change at a fast pace, and so do good practices and technical standards. The composition of the financial sector also changes over time as new products and services emerge, and third-party service providers are trusted to a larger extent. Cyber security strategies and frameworks need to be regularly reviewed and updated to address changes in control environments and threats, enhance users' awareness and allocate resources effectively.
Implementation should rely on the organization's characteristic features, risk profiles and business impact analysis (BIA), as applicable. These guidelines are expected to be adopted by all institutions subject to BCRA's regulation in order to build a financial ecosystem committed to cyber security.
In addition to these principles, the BCRA has uploaded the Cyber Lexicon, a document containing definitions so that everyone involved in the cyber security process may share the same language.
The following questionnaire is intended to help identify the extent to which your organization implements the Cyber Security Guidelines.
Any organization may make a self-diagnosis of its implementation of the principles by answering these questions.
1. Does your organization take into account Cyber Security and Cyber Resilience Guidelines?
1.1. Does your organization have a cyber security strategy tailored to its characteristic features, risk profile and business impact analysis?
1.2. Does your organization use a cyber security and cyber resilience management framework?
1.3. Does your organization have appropriate organizational structures, roles, and functions to implement the Guidelines?
1.4. Does cyber security participate in all the projects of your organization from the beginning?
1.5. Is your organization’s cyber risks management methodology integrated into corporate risk that includes all the relevant controls already implemented?
1.6. Is it intended to implement ongoing cyber risk monitoring?
1.7. Has your organization appropriately defined, implemented, and tested a response plan for cyber incidents that may cause a disruptive event?
1.8. Has your organization discussed or assessed the advantages and disadvantages of information-sharing in respect of cyber incidents and cyber threats or frauds? Has your organization taken any actions towards information-sharing?
2. Does your organization take into account cyber security criteria in the decision-making process?
2.1. Does your organization include cyber risk management right from the design of new products and services?
2.2. Does your organization assess the effectiveness of business operations and the existing infrastructure from a cyber security standpoint? Does your organization further assess third-party infrastructures or IT services?
2.3. Are the design, implementation, and effectiveness of cyber security programs supervised at senior management or strategic level?
2.4. Does the board or senior management regularly receive reports on serious threats or cyber incidents affecting the industry so that they may make informed decisions in the short- and medium-term?
2.5. Do reports on threats and vulnerabilities have a bearing on the definition of the organization’s risk appetite?
3. Is your organization aware that disruptions are highly likely?
3.1. Does your organization implement layered security? (Considering that the implementation of preventive and layered detection controls reduces the likelihood of incidents)
3.2. At present, a safe environment cannot be guaranteed; therefore, some incidents are expected to happen. Do decision makers in your organization know that resource allocation must be aligned with a cyber security strategy?
3.3. Does your organization make comprehensive testing of the cyber incident response plan?
3.4. Are cyber incident response plans integrated with business continuity plans?
3.5. Is the business continuity plan aligned with the priorities set out in the business impact analysis?
4. Does your organization adapt itself to the vulnerabilities and threats that may arise at any time? Does your organization take a cyber security adaptive approach?
4.1. Are cyber exercises promoted within your organization, at industrial level or among sectors?
4.2. Does your organization prepare for crises (unexpected events) by constructing potential scenarios and devising containment and recovery plans?
4.3. Does your organization promote a learning and continuous improvement approach as part of the cyber security strategy?
5. Does your organization support a culture of cyber security?
5.1. Does your organization develop an ongoing program so that all the staff may acquire cyber security skills and capabilities, and adopt a responsible attitude?
5.2. Are staff awareness and cyber security in processes deemed to be at the same level as technological solutions? Is this reflected in investment decisions?
5.3. Are cyber security training and awareness programs equally addressed to users, employees, and senior managers?
5.4. Considering that effective cyber security involves staff engagement and training: Does your company carry out all necessary campaigns? Is progress measured?
5.5. Is the cyber security training and awareness strategy aimed at turning the paradigm according to which “individuals are the weakest link” into that in which “individuals are the most valuable asset”?
This document contains definitions that are meant to be shared by everyone involved in the cyber security process. It is aimed at unifying criteria and definitions among cyber security experts from different jurisdictions and maximizing the result of interdisciplinary work aimed at protecting the financial system as a whole.
In an interconnected society of increasingly digital service consumption, the interaction between different disciplines and other jurisdictions is intrinsically necessary. Therefore, a set of common terminology contributes to tackling cyber security problems. The terms and definitions contained in the lexicon have been developed only for use within the financial services sector. Indeed, the lexicon is not intended to be used as ground for legal interpretation of any international arrangement or agreement or any private contract.
Original Text: https://www.fsb.org/2018/11/cyber-lexicon/
Notes
Source citations below are abbreviated. Full source citations appear at the end of the Glossary.
Terms defined in the lexicon are italicized when used in definitions within the lexicon.
As used in the lexicon, “entity” includes a natural person where the context requires.
Asset
Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.
Source: ISACA Fundamentals.
Threat Actor
An individual, a group or an organization believed to be operating with malicious intent.
Source: Adapted from STIX.
Advanced Persistent Threat (APT)
A threat actor that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple threat vectors. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to execute its objectives.
Source: Adapted from NIST.
Vulnerability Assessment
Systematic examination of an information system, and its controls and processes, to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures and confirm the adequacy of such measures after implementation.
Source: Adapted from NIST.
Multi-Factor Authentication
Use of two or more of the following factors to verify a user's identity: knowledge factor, “something an individual knows”; possession factor, “something an individual has”; biometric factor, “something that is a biological and behavioral characteristic of an individual”.
Source: Adapted from ISO/IEC 27040:2015 and ISO/IEC 2382-37:2017 (definition of “biometric characteristic”).
Authenticity
Property that an entity is what it claims to be.
Source: ISO/IEC 27000:2018.
Cyber Advisory
Notification of new trends or developments regarding a cyber threat to, or vulnerability of, information systems. This notification may include analytical insights into trends, intentions, technologies or tactics used to target information systems.
Source: Adapted from NIST.
Campaign
A grouping of coordinated adversarial behaviors that describes a set of malicious activities that occur over a period of time against one or more specific targets.
Source: Adapted from STIX.
Cyber
Relating to, within, or through the medium of the interconnected information infrastructure of interactions among persons, processes, data, and information systems.
Source: Adapted from CPMI-IOSCO (citing NICCS).
Cyber Alert
Notification that a specific cyber incident has occurred or a cyber threat has been directed at an organization's information systems.
Source: Adapted from NIST.
Cyber Threat
A circumstance with the potential to exploit one or more vulnerabilities that adversely affects cyber security.
Source: Adapted from CPMI-IOSCO.
Cyber Incident
A cyber event that: (i) jeopardizes the cyber security of an information system or the information the system processes, stores or transmits; or (ii) breaches security policies, security procedures or acceptable use policies, whether resulting from malicious activity or not.
Source: Adapted from NIST (definition of “Incident”).
Cyber Resilience
The ability of an organization to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents.
Source: Adapted from CERT Glossary (definition of “Operational resilience”), CPMI-IOSCO and NIST (definition of “Resilience”).
Cyber Security
Preservation of confidentiality, integrity and availability of information and/or information systems through the cyber medium. In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.
Source: Adapted from ISO/IEC 27032:2012.
Compromise
Violation of the security of an information system.
Source: Adapted from ISO 21188:2018.
Reliability
Property of consistent intended behavior and results.
Source: ISO/IEC 27000:2018.
Confidentiality
Property according to which information is neither made available nor disclosed to unauthorized individuals, entities, processes or systems.
Source: Adapted from ISO/IEC 27000:2018.
Access Control
Means to ensure that access to assets is authorized and restricted based on business and security requirements.
Source: ISO/IEC 27000:2018.
Course of Action (CoA)
An action or actions taken to either prevent or respond to a cyber incident. It may describe technical, automatable responses but it can also describe other actions such as employee training or policy changes.
Source: Adapted from STIX.
Defense-in-Depth
Security strategy integrating people, processes and technology to establish a variety of barriers across multiple layers and dimensions of the organization.
Source: Adapted from NIST and FFIEC.
Denial of Service (DoS)
Prevention of authorized access to information or information systems; or the delaying of information system operations and functions, with resultant loss of availability to authorized users.
Source: Adapted from ISO/IEC 27033-1:2015.
Distributed Denial of Service (DDoS)
A denial of service that is carried out using numerous sources simultaneously.
Source: Adapted from NICCS.
Detect (function)
Developing and implementing the appropriate activities to identify the occurrence of a cyber event.
Source: Adapted from NIST Framework.
Availability
Property of being accessible and usable on demand by an authorized entity.
Source: ISO/IEC 27000:2018.
Incident Response Team (IRT) [also known as CERT or CSIRT]
Team of appropriately skilled and trusted members of the organization that handles incidents during their life cycle.
Source: ISO/IEC 27035-1:2016.
Threat Assessment
Process of formally evaluating the degree of threat to an organization and describing the nature of the threat.
Source: Adapted from NIST.
Cyber Event
Any observable occurrence in an information system. Cyber events sometimes provide indication that a cyber incident is occurring.
Source: Adapted from NIST (definition of “Event”).
Exploit
Defined way to breach the security of information systems through vulnerability.
Source: ISO/IEC 27039:2015.
Identity and Access Management (IAM)
Encapsulates people, processes and technology to identify and manage the data used in an information system to authenticate users and grant or deny access rights to data and system resources.
Source: Adapted from ISACA Full Glossary.
Patch Management
The systematic notification, identification, deployment, installation and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes and service packs.
Source: NIST.
Identify (function)
Developing the organizational understanding to manage cyber risk to assets and capabilities.
Source: Adapted from NIST Framework.
Data Breach
Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to data transmitted, stored or otherwise processed.
Source: Adapted from ISO/IEC 27040:2015.
Indicators of Compromise (IoCs)
Identifying signs that a cyber incident may have occurred or may be currently occurring.
Source: Adapted from NIST (definition of “Indicator”).
Social Engineering
A general term for trying to deceive people into revealing information or performing certain actions.
Source: Adapted from FFIEC.
Integrity
Property of accuracy and completeness.
Source: ISO/IEC 27000:2018.
Threat Intelligence
Threat information that has been aggregated, transformed, analyzed, interpreted or enriched to provide the necessary context for decision-making processes.
Source: NIST 800-150.
Information Sharing
An exchange of data, information and/or knowledge that can be used to manage risks or respond to events.
Source: Adapted from NICCS.
Malware
Software designed with malicious intent containing features or capabilities that can potentially cause harm directly or indirectly to entities or their information systems.
Source: Adapted from ISO/IEC 27032:2012.
Non-repudiation
Ability to prove the occurrence of a claimed event or action and its originating entities.
Source: ISO/IEC 27000:2018.
Cyber Incident Response Plan
The documentation of a predetermined set of instructions or procedures to respond to and limit consequences of a cyber incident.
Source: Adapted from NIST (definition of “Incident Response Plan”) and NICCS.
Protect (function)
Developing and implementing the appropriate safeguards to ensure delivery of services and to limit or contain the impact of cyber incidents.
Source: Adapted from NIST Framework.
Traffic Light Protocol (TLP)
A set of designations used to ensure that information is shared only with the appropriate audience. It employs a pre-established color code to indicate expected sharing boundaries to be applied by the recipient.
Source: Adapted from FIRST.
Recover (function)
Developing and implementing the appropriate activities to maintain plans for cyber resilience and to restore any capabilities or services that were impaired due to a cyber incident.
Source: Adapted from NIST Framework.
Respond (function)
Developing and implementing the appropriate activities to take effective actions in the face of a detected cyber event.
Source: Adapted from NIST Framework.
Cyber Risk
The combination of the probability of cyber incidents occurring and their impact.
Source: Adapted from CPMI-IOSCO, ISACA Fundamentals (definition of “Risk”) and ISACA Full Glossary (definition of “Risk”).
Information System
Set of applications, services, information technology assets or other information-handling components, which includes the operating environment.
Source: Adapted from ISO/IEC 27000:2018.
Tactics, Techniques and Procedures (TTPs)
The behavior of a threat actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique.
Source: Adapted from NIST 800-150.
Penetration Testing
A test methodology in which assessors, using all available documentation (e.g. system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.
Source: NIST.
Threat-Led Penetration Testing [also known as Red Team Testing]
A controlled attempt to compromise the cyber resilience of an entity by simulating the tactics, techniques and procedures of real-life threat actors. It is based on targeted threat intelligence and focuses on an entity's people, processes and technology, with minimal foreknowledge and impact on operations.
Source: G-7 Fundamental Elements.
Accountability
Property that ensures that the actions of an entity may be traced uniquely to that entity.
Source: ISO/IEC 2382:2015.
Threat Vector
A path or route used by the threat actor to gain access to the target.
Source: Adapted from ISACA Fundamentals.
Verification
Confirmation, through objective evidence, that specified requirements have been fulfilled.
Source: ISO/IEC 27042:2015.
Vulnerability
A weakness, susceptibility or flaw of an asset or control that can be exploited by one or more threats.
Source: Adapted from CPMI-IOSCO and ISO/IEC 27000:2018.