REPORT ON THE RECOMMENDATIONS OF LEADING STANDARDS ON DIGITAL SECURITY POLICIES FOR REGULATORY PURPOSES REPORT 1 OF SECURING THE PHILIPPINES’ DIGITAL PAYMENTS SYSTEM


Prepared for the United States Agency for International Development by Chemonics International Inc. under “E-PESO” Contract No. AID-492-C-15-0001. The author’s views expressed in this publication do not necessarily reflect the views of the United States Agency for International Development or the United States Government.

Implemented by:
Chemonics International Inc.
1717 H Street NW
Washington, DC 20006
Phone: +1 202-995-3300
Fax: +1 202-995-3400
www.chemonics.com

CONTENTS

INTRODUCTION 1
DIGITAL SECURITY STANDARDS 2
ISO / IEC 27001 - INFORMATION SECURITY MANAGEMENT SYSTEM 2
  BACKGROUND OF THE STANDARD 2
  REASON FOR SELECTION 4
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD 5
  BACKGROUND OF THE STANDARD 5
  REASON FOR SELECTION 6
GUIDANCE ON CYBER RESILIENCE FOR FINANCIAL MARKET INFRASTRUCTURES BY COMMITTEE ON PAYMENTS AND MARKET INFRASTRUCTURES 8
  BACKGROUND OF THE STANDARD 8
  REASON FOR SELECTION 16
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY 17
  BACKGROUND OF THE STANDARD 17
  REASON FOR SELECTION 18
CONCLUSION 19
REFERENCES / SOURCES 20

1 | RECOMMENDATIONS OF LEADING STANDARDS ON DIGITAL SECURITY POLICIES

INTRODUCTION

This report highlights the leading standards on digital security policies that will aid in reducing the risks of electronic or digital payments usage in the financial market of the Philippines. Essentially, the report recommends the following standards for consideration when formulating or updating regulatory policies that seek to improve the security posture of participants in a digital payments ecosystem.

The report recommends the following standards and details the justification for each:

• ISO / IEC 27001 - Information Security Management System (referred to in this report as ISO 27001)
• Guidance on cyber resilience for financial market infrastructures by the Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions (referred to in this report as CRF-CPMI)
• National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (referred to in this report as NIST-CSF)
• Payment Card Industry Data Security Standard (referred to in this report as PCI DSS)

The authors of the report are aware of other digital security standards, frameworks and guidance available, but the security controls required by those standards are similar to those of the standards mentioned above. The order in which the standards are presented does not signify importance or priority of adoption.

The report does not include policies, processes and procedures related to the treatment of cryptocurrency, which has been observed to bring new waves of disruptive behavior into the marketplace.

DIGITAL SECURITY STANDARDS

ISO / IEC 27001 - INFORMATION SECURITY MANAGEMENT SYSTEM

BACKGROUND OF THE STANDARD

The Standard established for Information Security Management Systems (ISO/IEC 27001) takes a holistic approach. The organization’s information risks are addressed using a suitable set of controls that include the policies, processes and procedures of the organization’s structure. The internal and external processes that use hardware and software functions are also examined accordingly. The ISO/IEC 27001 International Standard aids the organization in implementing a comprehensive suite of information security controls under the overall framework of a coherent management system (ISO/IEC 27002, 2013 Edition), which becomes the blueprint of the organization.

As a business enabler, an effective Information Security Management System (ISMS) assures management and its stakeholders that the organization’s assets are reasonably safe1 and protected against harm (ISO/IEC 27002, 2013 Edition). Any change that takes place in an organization, such as a change to business processes and systems, or an external change such as a new law or regulation, creates new information security risks. A successfully implemented information security management system helps reduce risks by protecting the organization against threats and vulnerabilities and, in doing so, also minimizes the impact of these risks on its assets.

The latest version of the Standard’s normative requirements for establishing an ISMS has 114 security controls (Annex A, ISO/IEC 27001, 2013 Edition) and covers the 14 domains indicated below:

1. Information Security Policies (A.5)
2. Organization of Information Security (A.6)
3. Human Resource Security (A.7)
4. Asset Management (A.8)
5. Access Control (A.9)
6. Cryptography (A.10)
7. Physical and Environmental Security (A.11)
8. Operations Security (A.12)
9. Communications Security (A.13)
10. System Acquisition, Development and Maintenance (A.14)
11. Supplier Relationship (A.15)
12. Information Security Incident Management (A.16)
13. Information Security Aspects of Business Continuity Management (A.17)
14. Compliance (A.18)

The 2017 report of the worldwide ISO Survey of Certifications, conducted annually by the International Organization for Standardization (ISO), stated that the number of organizations certified to ISO 27001 stood at 33,290 for the year 2016, up from 27,536 in 2015. The survey covers only the number of valid certificates as of 31 December 2016, and this information was provided by certification bodies* since ISO does not perform certification. According to the report, ISO and IEC’s standard for information security experienced the same 21% annual increase worldwide (The ISO Survey of Management System Standard Certifications 2016, September 2017). Table 1 below illustrates the comprehensive overview of certifications to the standards covered by the survey:

Table 1 - Summary of ISO Survey of Management System Standard Certifications 2016

Standard      | Certificates in 2016 | Certificates in 2015 | Change | Change in %
ISO 9001**    | 1,106,356 | 1,034,180 | 72,176 | +7
ISO 14001***  | 346,189   | 319,496   | 26,693 | +8
ISO 50001     | 20,216    | 11,985    | 8,231  | +69
ISO 27001     | 33,290    | 27,536    | 5,754  | +21
ISO 22000     | 32,139    | 32,061    | 78     | 0
ISO/TS 16949  | 67,358    | 62,944    | 4,414  | +7
ISO 13485     | 29,585    | 26,255    | 3,330  | +13
ISO 22301     | 3,853     | 3,133     | 720    | +23
ISO 20000-1   | 4,537     | 2,778     | 1,759  | +63
ISO 28000     | 356       | -         | -      | -
ISO 39001     | 478       | -         | -      | -
TOTAL         | 1,644,357 | 1,520,368 | -      | +8

*Accredited certification bodies are those that have been independently evaluated by accreditation members of the IAF, the world association of conformity assessment accreditation bodies.
**ISO 9001:2008 (=1,025,761) + ISO 9001:2015 (=80,596) ***ISO 14001:2004 (=323,023) + ISO 14001:2015 (=23,165)

1 The author italicized the word “reasonably” to emphasize that constant vigilance plays a significant role in ensuring that the information assets of the organization are protected and secured, on top of maintaining the effectiveness, currency and relevance of its Information Security Management System.

This steady growth, despite year-to-year fluctuations in the number of participating certification bodies and in the number of certificates reported, indicates an increased maturity in the awareness and appreciation of the importance of an effective information security management system.

REASON FOR SELECTION

In the Philippines, the Bureau of Philippine Standards (BPS) has adopted the International Standard ISO/IEC 27001 as a National Standard. This Standard, which uses the PDCA (Plan-Do-Check-Act) model, forces the organization to establish, implement, monitor and continuously review the security controls that have been put in place.

The Data Privacy Act of 2012 (R.A. 10173) further amplifies the need for every organization that will be affected by the enforcement of the provisions of the law to consider adopting ISO/IEC 27001 in its information security management system. The Standard is an enabling mechanism that will help the organization adhere to the requirements of the law. On the same note, the Government, being cognizant of the significance of the Standard in protecting information assets, has adopted it into its cybersecurity strategic plan (The National Cybersecurity Plan 2022).

Following the rollout of the NCSP 2022, which was started at the beginning of 2017 by the Department of Information and Communications Technology (DICT) under its Cybersecurity Bureau, three memorandum circulars have been formulated and published related to the implementation of NCSP 2022. One of the MCs, Memorandum Circular No. 005 prescribing the policies, rules and regulations on the protection of Critical Infostructure (CII), has four salient features, to wit:

a) Section IV, A, adoption of the PNS ISO/IEC 27000 Family of Standards and other relevant International Standards for Mandatory Compliance;
b) Section IV, B, conduct of an Annual Risk and Vulnerability Assessment (based on ISO/IEC 27001 and ISO/IEC 31000);
c) Section IV, C, conduct of a Security Assessment; and
d) Section IV, D, creation of the Computer Emergency Response Team.

Selecting and adopting ISO/IEC 27001 as one of the standards can significantly ease implementation, since the Banking and Finance Sector has been identified as one of the 12 priority sectors classified as Critical Information Infrastructure (CII) of the country. In the protection of CII under the NCSP Implementation Plan, risk management approaches and strategies are among the core activities of the National Government. Although the management approach of ISO/IEC 27001 has its limitations compared with other, more extensive risk management frameworks, it still provides a good baseline for the financial institutions (FIs) and financial market infrastructures (FMIs) that are constantly exposed to varying degrees of risk. This Standard complements the other standards identified by the authors.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

BACKGROUND OF THE STANDARD

PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data, with requirements for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc., normally recognized by their card brands AMEX, Discover, JCB, MasterCard and VISA respectively.

PCI Data Security Standard (PCI DSS)

The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If an organization accepts or processes payment cards, PCI DSS applies to that organization (from PCI DSS Quick Reference Guide - 2016).

Currently at version 3.2, PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices.

Table 2 - PCI DSS Requirements

Goal: Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Goal: Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

REASON FOR SELECTION

Payment cards (and by extension payment card brands) dominate the digital payment ecosystem. They are entrenched in banks and other financial institutions due to the trust of consumers in their brands. The card brands have clout in the card payment supply chain in enforcing their security requirements.

Below is the 2015 worldwide purchase volume of all the card brands and the projected increase over 10 years.

Below is the share of each of the major card brands in the 2016 purchase transactions.

Although the exact number of PCI DSS certificates and adopters in the Philippines cannot be ascertained, the dominant card brands MasterCard and Visa do enforce compliance with the security requirements as a condition of entry into the supply chain of their ecosystem.

Acknowledging the specific controls required by PCI DSS would aid adoption by organizations within the card brands’ supply chain.

GUIDANCE ON CYBER RESILIENCE FOR FINANCIAL MARKET INFRASTRUCTURES BY COMMITTEE ON PAYMENTS AND MARKET INFRASTRUCTURES

BACKGROUND OF THE STANDARD

This Standard contains specific cyber resiliency controls for Financial Market Infrastructures (FMIs). When the operations of FMIs become compromised, it creates shocks across domestic and international financial markets with varying degrees of negative impact. These adverse impacts may occur in the form of liquidity dislocations and credit losses. The level of cyber resilience of a financial system contributes to the operational resiliency of FMIs, which is a decisive factor in the overall resilience of FMIs and the broader economy.

The Cyber Resilience Framework for Financial Market Infrastructure (CRF-CPMI) is clearly articulated by examining the five primary categories of risk management: Governance, Identification, Protection, Detection, and Response and Recovery, across three overarching components/activities: Testing, Situational Awareness, and Learning and Evolving (see Figure 1, Cyber resilience guidance component). These have been drawn from the Principles for Financial Market Infrastructures (PFMI), published in 2012 by the Committee on Payment and Settlement Systems (CPSS), now known as CPMI.

This Standard can be applied to other types of infrastructure that have not been formally covered by the report. The FMIs defined under the PFMI include, but are not limited to, systemically important payment systems, central securities depositories (CSDs), securities settlement systems (SSSs), central counterparties (CCPs) and trade repositories (TRs). The cyber resilience of an FMI is dependent on its interconnections with other FMIs. The extensive interconnections in the financial system necessitate collaboration between FMIs and their stakeholders to promote understanding and support of resilience objectives and their implementation (Guidance on Cyber Resilience for Financial Market Infrastructures, BIS - IOSCO 2016). Thus, the cyber resiliency of the financial system has broader relevance across all interconnected FMIs.

Table 3-1 and Table 3-2 provide a general overview of these controls from CRF-CPMI. These controls can also be supplemented with controls from other Standards.

Figure 1 Cyber resilience guidance component

Table 3-1 Risk Management Categories and Subcategories

Risk Management Category: Governance

Sub-Category: Cyber resilience framework
❏ A cyber resilience framework that determines and clearly articulates its cyber resilience objectives and cyber risk tolerance
❏ Cyber is more than just ICT but covers people and processes
❏ Enterprise risk management should be consistent with its enterprise operational risk management framework
❏ The FMI’s ecosystem takes an integrated approach and a comprehensive view of the potential threats that it faces
❏ International and national standards are used for benchmarking the design of an FMI’s cyber resilience framework
❏ Risk management governance defines roles and responsibilities, including accountability for decision-making, which includes managing cyber risk in emergencies and in crises
❏ Audits and compliance enable the FMI to determine the adequacy and measure the effectiveness of its cyber resilience framework using relevant metrics and maturity models as well as the results of its testing programs

Sub-Category: Role of the board and senior management
❏ The board and senior management have ultimate responsibility for setting the cyber resilience framework and ensuring that cyber risk is effectively managed
❏ A culture cultivated by the FMI’s board and senior management results in a strong level of awareness of and commitment to cyber resilience
❏ Skills appropriate to the effective oversight of the FMI’s cyber resilience framework and cyber risk profile are developed for the board and senior management
❏ Accountability and responsibility are given to a senior executive designated to execute the cyber resilience framework within the organization, who must possess the requisite expertise and knowledge to competently plan and execute the cyber resilience initiative. This role should have sufficient authority, independence, resources and access to the board

Risk Management Category: Identification

Sub-Category: Identification and classification
❏ Business functions and processes are identified and risk assessments are conducted
❏ Identification of information assets and related access is conducted to maintain a current inventory of information assets, system configurations, and interconnections with other internal and external systems. A log of both individual and system credentials is maintained and kept up to date
❏ The list of critical business processes, functions, individual system credentials and the inventory of assets is regularly reviewed and updated through the integration of identification efforts

Sub-Category: Interconnections
❏ Impacts from and on the entities in an FMI’s ecosystem that are directly and indirectly interconnected with its systems and processes are identified, and risk assessments are conducted to design and implement a cyber resilient ecosystem

Risk Management Category: Protection

Sub-Category: Protection of processes and assets
❏ Controls that are appropriate, suitable, and in line with leading-practice cyber resilience standards minimize the likelihood and impact of a successful cyber attack against the FMI and its identified critical business functions, information assets and data. These protective controls should be proportionate to the FMI’s threat landscape and systemic role in the financial system and consistent with its risk tolerance
❏ Resilience by design considers rigorous testing against related security standards, beginning from the ground up during system, process and product design, as one of the best practices. It ensures that attack surfaces are limited to the extent practicable and that common information security principles relating to confidentiality, integrity and availability are adhered to
❏ Strong ICT controls are maintained consistently, since these are a fundamental and critical component of an FMI’s overall cyber resilience. These include, but are not limited to, protecting information, change management, and security settings consistent with the required levels of protection
❏ Layered protection that facilitates response and recovery is enabled to monitor and detect any anomalous activity across multiple layers of the FMI’s infrastructure; this requires a baseline profile of system activity. Segmenting the network in a manner that segregates systems and data of varying criticality also has multiple benefits, both by helping the FMI to insulate systems in one segment from a security compromise in other segments, and by facilitating more efficient recovery of services

Sub-Category: Interconnections
❏ Risks from interconnections require the implementation of protective measures to mitigate risks arising from the entities within the FMI’s ecosystem. The appropriate controls for each entity depend on the risks that arise from the connected entity and the nature of the relationship with that entity. The systemic importance and unique position of FMIs in the financial system dictate that they ensure suitable measures are implemented to effectively mitigate the risks arising from connected entities, including:
  a) An FMI’s participation requirements are designed to ensure that they adequately support its cyber resilience framework
  b) The FMI’s framework is designed to address and mitigate cyber risks. These cyber considerations are an integral part of the FMI’s arrangements for managing vendors and vendor products in the areas of contracts, performance, relationships and risks

Sub-Category: Insider threats
❏ Security analytics are used to implement measures that capture and analyze anomalous behavior by persons with access to the FMI’s systems. Data loss identification and prevention techniques are deployed to protect against the removal of confidential data from the FMI’s network
❏ Checks on changes in employment status are conducted, including the screening of new employees. Similar checks are done on all staff at regular intervals throughout their employment, commensurate with their access to critical systems
❏ Access control for both physical and logical access to systems is permitted only for individuals who are authorized, and authorization is limited to individuals who are appropriately trained and monitored. Strong controls are instituted that reliably restrict such access to systems and over privileged systems

Sub-Category: Training
❏ All staff of an FMI, whether permanent or temporary, receive training to develop and maintain appropriate awareness of and competencies for detecting and addressing cyber-related risks. They are also trained on how to report any unusual activity and incidents
❏ High-risk groups with access to privileged systems or in sensitive business functions are identified and receive targeted information security training

Risk Management Category: Detection

Sub-Category: Detecting a cyber attack
❏ Continuous monitoring enables the ability to detect anomalous activities and events
❏ The scope of monitoring comprehensively covers relevant internal and external factors
❏ Layered detection provides the ability for early detection of intrusion and is critical to swift containment and recovery. Effective intrusion detection capability assists FMIs in identifying deficiencies in their protective measures for early remediation
❏ The incident response of an FMI is largely dependent on its monitoring and detection capabilities
❏ Security analytics implement measures that capture and analyze anomalous behavior by persons with access to the corporate network

Risk Management Category: Response and Recovery

Sub-Category: Incident response, resumption and recovery
❏ Incident response planning includes thorough investigation to determine the nature and extent of an incident as well as the damage inflicted. Everything from detection to damage containment until recovery depends on response planning
❏ Resumption within two hours is planned and tested against the goals and objectives of the sound functioning of the financial system when operations resume
❏ Contingency planning includes planning scenarios with suitable and appropriate activities for when the objectives that have been set are not met
❏ Planning and preparation are developed, and the response is tested to determine its suitability for the safe resumption of the FMI’s critical functions and operations after containment

Sub-Category: Design elements
❏ The design and business integration of processes and controls for critical functions and operations support incident response activities. The FMI’s incident response, resumption and recovery processes are closely integrated with crisis management, business continuity, and disaster recovery planning and recovery operations, and are coordinated with relevant internal and external operations
❏ Data integrity is safeguarded by stringent protective and detective controls. The cyber resilience framework of an FMI includes data recovery measures. Recovery point objectives (RPO) support integrity and are consistent with the FMI’s resumption time objectives (RTO) for critical operations, through diverse approaches that achieve the objectives

Sub-Category: Interconnections
❏ Data-sharing agreements are mechanisms set up in advance with relevant parties or participants to enable uncorrupted data to be retrieved and received in a timely manner once a successful cyber attack has been identified
❏ Contagion risk is inherent to the interconnected and interdependent internal and external systems of FMIs
❏ A crisis communication plan is developed in advance through an adaptive process informed by scenario-based planning and analysis as well as prior experience. FMIs are consciously aware that the rapid escalation of cyber incidents is dynamic in nature. Therefore, decision-making responsibilities for incident response are determined in advance, and clearly defined escalation and decision-making procedures are implemented
❏ A responsible disclosure policy and procedure enable the responsible disclosure of potential vulnerabilities. These disclosures are prioritized to facilitate early response and risk mitigation by stakeholders
❏ Forensic readiness of FMIs to assist in or conduct forensic investigations of cyber incidents, and to engineer protective and detective controls that facilitate the investigative process, is established. Relevant system logging policies are maintained along with the corresponding retention periods. Appropriate steps are also taken so that investigations can be performed post event to the extent possible, i.e. through preservation of necessary system logs and evidence

13 | RECOMMENDATIONS OF LEADING STANDARDS ON DIGITAL SECURITY POLICIES

Table 3-2 Overarching Activities and Sub-Activities

Overarching

Activities

Sub-Activities Elements

Testing Comprehensive testing

programmes

❏ Testing program are established and these comprehensive

testing program are used to validate the effectiveness of its

cyber resilience framework on a regular and frequent basis.

Appropriate cyber threat intelligence to inform its testing

methods are employed. Results of these testing programs are

used by the FMI to support ongoing improvement of its cyber

resilience. These include but not limited to: business continuity,

incident and crisis response teams and the relevant entities in

its ecosystem. The board and senior management are involved

in this process as may be appropriate and they are informed of

the test results

❏ Methodologies and practices of FMIs employ various effective

testing methodologies and practices, including the following

which may partly overlap or can be combined:

a) Vulnerability assessment

b) Scenario based testing

c) Penetration testing

d) Red team tests

Coordination ❏ Coordination are planned and promoted to the extent

applicable and organize and manage exercises designed to test

its response, resumption and recovery plans and processes.

These exercises include FMI participants, critical service

providers and linked FMIs. To achieve market-wide timely

recovery of operations calls for an added dimension to testing

exercises. Also, testing include scenarios that cover breaches

affecting multiple portions of the FMI’s ecosystem

RECOMMENDATIONS OF LEADING STANDARDS ON DIGITAL SECURITY POLICIES | 14

Overarching

Activities

Sub-Activities Elements

Situational

awareness

Cyber threat

intelligence

❏ Identification of potential cyber threats are conducted that

materially affect its ability to perform or to provide services as

expected or have a significant impact on its ability to meet its

own obligations or have knock-out effects within its ecosystem.

Threats to the confidentiality, integrity and availability of the

FMI’s business processes and to its reputation can arise from

internal and external source. Threat analysis are also included

based from the threats that can trigger extreme but plausible

cyber events, even if it is considered unlikely to occur or have

never occurred in the past. Regular review and update of the

analysis are conducted by FMIs

❏ Threat intelligence process are established as a process to

gather and analyse relevant cyber threat information. The

analysis are in conjunction with other sources of internal and

external business and system information so as to provide

business-specific context, turning the information into usable

threat intelligence that provides timely insights and informs

enhance decision-making. This is done by enabling FMI to

anticipate a cyber attacker’s capabilities, intentions and modus

operandi

❏ Scope of cyber threat intelligence gathering includes the

capability to gather and interpret information about relevant

cyber threats arising from the FMI’s participants, service and

utility providers and other FMIs and to interpret this

information in ways that allow the FMI to identify, assess and

manage security threats and vulnerabilities for the purpose of

implementing appropriate safeguards in its systems. Relevant

information within this context include information on

geopolitical developments that may trigger cyber attacks on any

entity within the FMI’s ecosystem

❏ Effective use of information is based on making cyber threat

intelligence available to appropriate staff with responsibility for

the mitigation of cyber risks at the strategic, tactical and

operational levels within the FMI. Cyber threat intelligence are

used to ensure that the implementation of any cyber resilience

measures is threat-informed. It enables an FMI to validate and

inform the prioritization of resources, risk mitigation strategies

and training programs

Information sharing

❏ Planning ahead facilitates a sector-wide response to large-scale incidents. Information sharing is planned so that, in the event of an incident, timely information is collected and exchanged through trusted channels to facilitate the detection, response, resumption and recovery of the FMI's own systems and those of other sector participants during and following a cyber attack. Reporting requirements and capabilities are consistent with the information-sharing arrangements within the FMI's communities and the financial sector.

❏ The FMI actively participates in information-sharing groups and collectives, including cross-industry, cross-government and cross-border groups, to gather, distribute and assess information about cyber practices, cyber threats and early-warning indicators of cyber threats. Multilateral information-sharing arrangements are designed to facilitate a sector-wide response to large-scale incidents.

Learning and Evolving

Ongoing learning

❏ Lessons from cyber events are systematically identified, and key lessons are distilled from cyber events that have occurred within and outside the organization in order to advance its resilience capabilities. Useful learning points are often gleaned from successful cyber intrusions and near misses, in particular the methods used and the vulnerabilities exploited by attackers.

❏ New knowledge and capabilities are actively acquired, including by monitoring technological developments and keeping abreast of new cyber risk management processes that can effectively counter existing and newly developed forms of cyber attack. An FMI acquires the technology and know-how needed to maintain its cyber resilience.

❏ Predictive capacity takes precedence over reactive controls, including proactive protection against future cyber events. Predictive capabilities and the anticipation of future cyber events are based on analyzing activity that deviates from a baseline. To achieve this, data captured from multiple internal and external sources is collected and baselines of behavioral and system activity are established.

Cyber resilience benchmarking

❏ Metrics and maturity models allow an FMI to assess its cyber resilience maturity against a set of predefined criteria, typically its operational reliability objectives. This benchmarking requires an FMI to analyze and correlate findings from audits, management reviews, incidents, near misses, tests and exercises, as well as the internal and external intelligence it has gathered. The use of metrics enables an FMI to identify gaps in its cyber resilience framework for remediation, and allows it to systematically evolve and achieve more mature states of cyber resilience.
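The "predictive capacity" element under Ongoing learning describes baselining behavioral and system activity and acting on deviations from it. The Python script below is an added example, not from the CPMI guidance or from this report, showing one minimal form of that technique: a per-user baseline of daily failed logins learned from a history window, a parser for a constructed authentication log format, and a detector that alerts when a user's failures exceed the baseline mean by a configurable multiple of the standard deviation, with a floor so that a quiet account with zero variance still gets a sensible threshold and a separate rule for accounts that have no baseline at all. The log format, the history figures, the user names and the addresses are all constructed for the example.

```python
"""Baseline-deviation detection over authentication logs.

Added example (not from the CPMI guidance or this report). The log format,
the 14-day history and the user names are constructed for illustration.
"""
import re
import statistics
from collections import Counter

# Assumed line format (constructed): "<timestamp> auth user=<u> result=<success|failure> src=<ip>"
LINE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>success|failure) src=(?P<src>\S+)$"
)

def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def failures_per_user(events):
    """Today's observation: number of failed logins per user."""
    return Counter(e["user"] for e in events if e["result"] == "failure")

def build_baseline(history):
    """history: {user: [daily failure counts over the window]} -> {user: (mean, stdev)}."""
    baseline = {}
    for user, counts in history.items():
        if len(counts) < 2:
            raise ValueError(f"{user}: need at least two days of history")
        baseline[user] = (statistics.mean(counts), statistics.pstdev(counts))
    return baseline

def detect(observed, baseline, k=3.0, sd_floor=1.0, min_unknown=5):
    """Alert when a count exceeds mean + k * max(stdev, sd_floor).

    The floor keeps a zero-variance baseline (a service account that never fails)
    from alerting on a single stray failure. Users with no baseline are reported
    only once they reach min_unknown failures, so brand-new accounts are still seen.
    """
    alerts = []
    for user, n in observed.items():
        if user not in baseline:
            if n >= min_unknown:
                alerts.append((user, n, "no baseline for user"))
            continue
        mean, sd = baseline[user]
        threshold = mean + k * max(sd, sd_floor)
        if n > threshold:
            alerts.append((user, n, f"threshold {threshold:.1f}"))
    return sorted(alerts)

# Constructed 14-day history of failed logins per user.
HISTORY = {
    "alice": [1, 0, 2, 1, 0, 1, 2, 1, 0, 1, 1, 2, 0, 1],
    "bob": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 3, 4, 2, 3],
    "svc-batch": [0] * 14,
}

# Constructed log for the day under review.
TODAY_LOG = [
    "2017-11-06T08:01:10Z auth user=alice result=failure src=10.0.1.5",
    "2017-11-06T08:01:15Z auth user=alice result=success src=10.0.1.5",
    "2017-11-06T09:20:42Z auth user=alice result=failure src=10.0.1.5",
    "2017-11-06T09:31:07Z auth user=bob result=failure src=10.0.2.9",
    "2017-11-06T09:31:20Z auth user=bob result=failure src=10.0.2.9",
    "2017-11-06T09:31:33Z auth user=bob result=success src=10.0.2.9",
    "2017-11-06T10:02:11Z auth user=bob result=failure src=10.0.2.9",
    "2017-11-06T02:00:01Z auth user=svc-batch result=failure src=10.0.9.40",
    "2017-11-06T02:00:02Z auth user=svc-batch result=failure src=10.0.9.40",
    "2017-11-06T02:00:03Z auth user=svc-batch result=failure src=10.0.9.40",
    "2017-11-06T02:00:04Z auth user=svc-batch result=failure src=10.0.9.40",
    "2017-11-06T11:45:00Z auth user=carol result=failure src=203.0.113.7",
    "2017-11-06T11:45:03Z auth user=carol result=failure src=203.0.113.7",
    "2017-11-06T11:45:06Z auth user=carol result=failure src=203.0.113.7",
    "2017-11-06T11:45:09Z auth user=carol result=failure src=203.0.113.7",
    "2017-11-06T11:45:12Z auth user=carol result=failure src=203.0.113.7",
    "2017-11-06T12:10:55Z auth user=dave result=failure src=10.0.3.3",
    "garbage line that does not match the format",
]

def run_detection():
    """Parse today's log, compare it with the learned baseline, return alerts."""
    return detect(failures_per_user(parse(TODAY_LOG)), build_baseline(HISTORY))

if __name__ == "__main__":
    for user, n, why in run_detection():
        print(f"ALERT {user}: {n} failed logins today ({why})")
```

With the constructed data, alice and bob stay inside their historical range and produce no alert, svc-batch (historically zero failures) trips the floored threshold of 3.0 with four failures, and carol, who has no history, is reported only because she crossed the unknown-user minimum. A production detector would learn the baseline from the same event stream, keep it per source as well as per user, and exclude known maintenance windows, but the shape of the check is the same.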


REASON FOR SELECTION

The digital transformation has two technological pillars, digitization and interconnection, and is complemented by a growing ecosystem of interrelated technologies (OECD Digital Economy Outlook, 2017). The disruption brought about by the digital social and economic landscape has transformed business and raised the stakes. The proliferation of mobile technology, the digitization of financial services and global interconnectivity drive e-commerce and social commerce worldwide, enabled in part by digital payments (PayPal, APAC Research Report, 2017). The CRF-CPMI prescribes controls suitable for financial systems and FMIs to develop a robust and resilient cyber framework. The Standard also addresses the following areas for consideration:

❏ Convergence of different communication technologies

❏ Internet of Things (IoT)

❏ Consumer trust

❏ Digital innovation stimulates economic activities across the cyber ecosystem

This Standard works in tandem with the NIST Cybersecurity Framework.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY FRAMEWORK FOR

IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

BACKGROUND OF THE STANDARD

The national and economic security of the United States depends on the reliable functioning of

critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued

Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity,” on February 12,

2013. This Executive Order calls for the development of a voluntary Cybersecurity Framework

(“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-

effective approach” to manage cybersecurity risk for those processes, information, and systems

directly involved in the delivery of critical infrastructure services. The Framework, developed in

collaboration with industry, provides guidance to an organization on managing cybersecurity risk.

Critical infrastructure is defined in the EO as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

With that, the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST-CSF) was established. It is currently at version 1.0, with a draft version 1.1 published for comment on January 10, 2017.

Overview of the framework

The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three

parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.

Each Framework component reinforces the connection between business drivers and cybersecurity activities.

The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable

references that are common across critical infrastructure sectors. The Core presents industry

standards, guidelines, and practices in a manner that allows for communication of cybersecurity

activities and outcomes across the organization from the executive level to the

implementation/operations level. The Framework Core consists of five concurrent and continuous

Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions

provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity

risk.


Framework Implementation Tiers (“Tiers”) provide context on how an organization views

cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which

an organization’s cybersecurity risk management practices exhibit the characteristics defined in the

Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an

organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a

progression from informal, reactive responses to approaches that are agile and risk-informed. During

the Tier selection process, an organization should consider its current risk management practices,

threat environment, legal and regulatory requirements, business/mission objectives, and

organizational constraints.

A Framework Profile (“Profile”) represents the outcomes based on business needs that an

organization has selected from the Framework Categories and Subcategories. The Profile can be

characterized as the alignment of standards, guidelines, and practices to the Framework Core in a

particular implementation scenario. Profiles can be used to identify opportunities for improving

cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile

(the “to be” state). To develop a Profile, an organization can review all of the Categories and

Subcategories and, based on business drivers and a risk assessment, determine which are most

important; they can add Categories and Subcategories as needed to address the organization’s risks.

The Current Profile can then be used to support prioritization and measurement of progress toward

the Target Profile, while factoring in other business needs including cost-effectiveness and

innovation. Profiles can be used to conduct self-assessments and communicate within an organization

or between organizations.
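The Current-to-Target Profile comparison described above is, at bottom, a gap analysis over the Subcategories an organization has selected. The Python script below is an added example, not from this report or from NIST, showing how such a comparison can be kept as data and computed: each selected Subcategory carries a Current score, a Target score and a business-impact weight; the gap report ranks the shortfalls so they can drive prioritization; and a per-Function coverage figure tracks progress toward the Target Profile. The Subcategory IDs are from the Framework Core v1.0, but the scores, the impact weights and the decision to score each Subcategory on the 1 to 4 Tier scale are this script's own assumptions (the Framework does not prescribe a scoring scale).

```python
"""NIST CSF Profile gap analysis: Current Profile ("as is") vs Target Profile ("to be").

Added example, not from the report or from NIST. Subcategory IDs are from the
Framework Core v1.0; the scores and impact weights are constructed. Scoring each
Subcategory on the 1..4 Tier scale is this script's assumption, not a Framework rule.
"""
from collections import defaultdict
from dataclasses import dataclass

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}

@dataclass(frozen=True)
class Outcome:
    subcategory: str  # Framework Core ID such as "PR.AC-1"
    current: int      # Current Profile score on the Tier scale (assumed 1..4)
    target: int       # Target Profile score the business needs
    impact: int       # 1..5, consequence of missing the target (constructed weight)

def function_of(subcategory):
    """Map a Subcategory ID to its Function prefix (ID, PR, DE, RS, RC)."""
    prefix = subcategory.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown Function prefix in {subcategory!r}")
    return prefix

def gap_report(outcomes):
    """(subcategory, tiers short, impact, priority) per outcome below target, highest priority first."""
    gaps = []
    for o in outcomes:
        if o.current not in TIERS or o.target not in TIERS:
            raise ValueError(f"{o.subcategory}: scores must be Tier values 1..4")
        short = o.target - o.current
        if short > 0:
            gaps.append((o.subcategory, short, o.impact, short * o.impact))
    return sorted(gaps, key=lambda g: (-g[3], g[0]))

def function_coverage(outcomes):
    """Share of selected Subcategories already at or above target, per Function."""
    met, total = defaultdict(int), defaultdict(int)
    for o in outcomes:
        f = function_of(o.subcategory)
        total[f] += 1
        met[f] += o.current >= o.target
    return {f: met[f] / total[f] for f in total}

# Constructed profile: a handful of Subcategories a payments operator might select.
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", current=2, target=3, impact=3),  # physical devices inventoried
    Outcome("PR.AC-1", current=1, target=4, impact=5),  # identities and credentials managed
    Outcome("PR.DS-1", current=3, target=3, impact=4),  # data-at-rest protected
    Outcome("DE.CM-1", current=1, target=3, impact=5),  # network monitored for events
    Outcome("RS.RP-1", current=2, target=3, impact=2),  # response plan executed
    Outcome("RC.RP-1", current=3, target=2, impact=2),  # recovery plan executed (exceeds target)
]

if __name__ == "__main__":
    for sub, short, impact, prio in gap_report(SAMPLE_PROFILE):
        print(f"{sub}: {short} tier(s) below target, impact {impact}, priority {prio}")
    for f, share in function_coverage(SAMPLE_PROFILE).items():
        print(f"{FUNCTIONS[f]}: {share:.0%} of selected outcomes at target")
```

Rerunning the script after each remediation cycle, with the Current scores updated, gives the measurement of progress toward the Target Profile that the text describes; the priority column is where cost-effectiveness and other business drivers would be weighed in before committing resources.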

REASON FOR SELECTION

The advantage of the Framework is that it fits any organization regardless of size or industry. It is flexible and easily adopted alongside existing programs, and it is cost-effective: apart from perhaps a few technology upgrades, the Framework is a concept, not a product. It is a business strategy that measures the bottom line of security efforts and identifies desired outcomes through three primary components, the Core, the Implementation Tiers and the Profiles, which work together to create an overall strategy covering risk assessment, asset management, access control, employee training, policies and incident response (https://www.thesecurityawarenesscompany.com/2017/08/03/5-reasons-organization-adopt-nist-cybersecurity-framework/).

This framework, together with ISO 27001, can aid larger organizations in creating a customized implementation plan for cyber security. Its Core gives a more explicit breakdown of the activities and outcomes (Functions, Categories and Subcategories) needed to establish an acceptable cyber security posture.

CONCLUSION

All the standards selected have similarities. Although their statements are framed quite differently, their intents and objectives are the same: to achieve a state of cyber resiliency. We have summarized these requirements into three main groups:

○ Required from management

■ Leadership and commitment

■ Risk awareness

■ Clear assignment of information security responsibilities to specific persons

■ Financial investment in security

■ Awareness of critical assets, information and processes

■ Treatment of information as an asset, like land, labor and capital, which therefore requires an appropriate risk management approach

■ A firm and defined information security/cyber resiliency risk appetite and thresholds

○ Required for successful implementation

■ Risk management and proper prioritization of mitigation measures

■ Policies and procedures

■ A risk and security culture, not merely security awareness

■ Acceptance by all levels of the organization of their responsibility for information security

■ A mature skills development system for the people behind IT systems

■ An established MIS to generate appropriate information security/cyber resiliency reports to management

■ Periodic testing of information security/cyber resiliency processes toward continuing improvement

○ Required readiness and capability

■ To expect the unexpected and prepare for disruptive technologies that may radically change how we understand how things work, as cryptocurrency and blockchain systems demand a different implementation of confidentiality, integrity, availability and privacy

■ The development and emerging use of quantum computing, which could break the public-key cryptography in wide use today (RSA, Diffie-Hellman and elliptic-curve schemes) and weaken, though not break outright, today's symmetric ciphers and hash functions

■ Ability to adapt to upcoming standards for digital evidence that will be required for financial transactions, fraud disputes or criminal case proceedings

■ Industry-wide information sharing and collaboration

For any of these controls and their corresponding activities to be implemented successfully, management's commitment is the leading indicator of both how far they will be carried out and how successful they will be. It is therefore prudent that any regulation developed contain these requirements, including the methods to achieve what is required.

REFERENCES / SOURCES

The ISO Survey of Management System Standard Certifications 2016, September 2017

http://siteresources.worldbank.org/FINANCIALSECTOR/Resources/282044-1323805522895/121534_text_corrections_3-15.pdf

http://www.treasuryalliance.com/assets/publications/payments/Fundamentals_of_Payment_Systems.pdf

http://www.oecd.org/competition/PaymentSystems2012.pdf

http://www.cardrates.com/news/credit-card-companies/

http://www.barrons.com/articles/good-news-for-visa-and-mastercard-as-card-spending-grows-1478628528

http://knowledge.ckgsb.edu.cn/2015/03/31/finance-and-investment/wholl-win-visa-and-mastercard-versus-unionpay/

https://www.nilsonreport.com/publication_chart_and_graphs_archive.php?1=1&year=2017

https://www.usaid.gov/philippines/partnership-growth-pfg/e-peso-activity

http://www.verizonenterprise.com/verizon-insights-lab/payment-security/2017/

https://www.thesecurityawarenesscompany.com/2017/08/03/5-reasons-organization-adopt-nist-cybersecurity-framework/

https://www.nist.gov/cyberframework

https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

https://www.bis.org/cpmi/publ/d146.pdf [Guidance on cyber resilience for financial market infrastructures]

ISO/IEC 27001:2013 [Requirements for an Information Security Management System]

http://www.dict.gov.ph/national-cybersecurity-plan-2022/

http://www.dict.gov.ph/inventory-of-published-policies/