Critical Controls for Effective Cyber Defense – Converging Standards?
Earlier this year the SANS Institute issued a document titled “Critical Controls for Effective Cyber Defense“. Although not specific to financial institutions, it provides a useful prescriptive framework for any institution looking to defend their networks and systems from internal and external threats. The document lists the top 20 controls institutions should use to prevent and detect cyber attacks.
This document actually preceded the announcement by the FFIEC in June that they were forming a working group to “promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues”. I mentioned this announcement here in relation to its possible effect on future regulatory guidance. So I was particularly interested in any overlap, any common thread, between the this initiative and the SANS document. If there was any overlap between the organizations contributing to the SANS list and the FFIEC Cybersecurity working group, we might have the basis for a common, consistent set of prescriptive guidance. Could a single “check-list” type information security standard be in the works?
For example, the Information Security Handbook requires financial institutions to have “…numerous controls to safeguard and limits access to key information system assets at all layers in the network stack.” They then go on to suggest general best practices in various categories for achieving that goal, leaving the specifics up to the institution.
Contrast that to the much more specific SANS Critical Control list. Here are the first 5:
- Critical Control 1: Inventory of Authorized and Unauthorized Devices
- Critical Control 2: Inventory of Authorized and Unauthorized Software
- Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Critical Control 4: Continuous Vulnerability Assessment and Remediation
- Critical Control 5: Malware Defenses
As you can see, although the goal of protecting information assets is the same in each case, the SANS list is much more specific. Could we possibly see a converging of the general guidance of the FFIEC with the more specific control requirements of SANS, with cybersecurity as the common goal? Again, a look at the common contributors to each group might provide a clue.
The SANS group credits input from multiple agencies of the U.S. government; the Department of Defense, Homeland Security, NIST, FBI, NSA, Department of Energy, and others. The FFIEC working group coordinates with groups such as the FFIEC’s Information Technology Subcommittee of the Task Force on Supervision, the Financial and Banking Information Infrastructure Committee, the Financial Services Sector Coordinating Council, and the Financial Services Information Sharing and Analysis Center (FS-ISAC). SO no direct common thread there, unfortunately. However the FS-ISAC group does share many partners with the SANS group, including the Departments of Defense, Energy, and Homeland Security, so we may yet see the FFIEC Information Security guidance evolve. Particularly since the Handbook was published back in 2006, and is overdue for a major update. In the meantime, financial institutions would be well advised to use the SANS Critical Controls as a de-facto checklist to measure their own security posture.*
By the way, the document also lists 5 critical tenets of an effective cyber defense system, 2 of which are ‘Continuous Monitoring’ and ‘Automation’. More on those in a future post (although I already addressed the advantages of automation here).
* There is nothing in the SANS list that is inconsistent with FFIEC requirements, in fact we’ve already seen at least one company servicing the Credit Union industry adopt this list as their framework. However, keep in mind that although the controls listed are necessary for cyber defense, they are not sufficient. A fully compliant information security program must also address management and oversight…an area conspicuously absent on the SANS list.