A healthy financial sector is essential for economic stability and security. Cybersecurity frameworks can help financial organizations meet the requirements of financial regulations and ensure that the financial system operates safely and securely while protecting the rights and privacy of consumers.
Non-compliance with financial regulations can lead to big fines and loss of reputation for critical organizations such as banks and financial service providers. Cybersecurity frameworks can help banks and the financial services industry achieve compliance with relevant financial regulations and, more importantly, establish strong security practices to better protect sensitive company data from phishing, hackers, ransomware attacks, and other cyber threats for financial services.
This article will focus on the top cybersecurity frameworks financial firms can follow and implement to adhere to industry regulations and lower the risk of a potential cyber attack.
What is the Difference Between Cyber Regulations and Frameworks?
The main difference between cybersecurity regulations and cybersecurity frameworks is that regulations are mandatory and must be adhered to by organizations, while frameworks are sets of guidelines that are recommended (often strongly) but voluntary. They are distinct from each other and should not be confused.
What is a Cybersecurity Regulation?
Cybersecurity regulations are security laws enforced by a government. Regulations will include the rules that relevant organizations must follow to ensure they are implementing at least the minimum cybersecurity practices or requirements as defined within the regulation.
Examples of cybersecurity regulations include the following:
- Payment Card Industry Data Security Standard (PCI DSS)
- The Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX) Act 2002
- Gramm-Leach-Bliley Act (GLBA)
What is a Cybersecurity Framework?
Cybersecurity frameworks are a set of guidelines or best practices to help organizations improve their cybersecurity posture and meet regulatory compliance requirements. Sometimes they are aligned with a specific regulation to help businesses attain the required level of cybersecurity proficiency. Although they are typically not laws and, therefore, not mandatory, the government may strongly recommend one or more frameworks to follow because they may be mapped closely to a regulation.
In many cases, organizations can use one or more cybersecurity frameworks to meet those regulations. Whether or not a framework has a specific regulation in mind, organizations can use them so they don’t have to design cybersecurity programs from scratch.
Some of the most popular cybersecurity frameworks are the following:
- NIST Cybersecurity Framework (NIST CSF)
- Higher Education Community Vendor Assessment Tool (HECVAT)
- ISO/IEC 27001
- Control Objectives for Information Technology (COBIT)
Top Cybersecurity Frameworks for Financial Institutions
Here are the top cybersecurity frameworks for financial institutions or entities:
1. NIST Cybersecurity Framework (NIST CSF)
The NIST Cybersecurity Framework was developed by NIST, the US Department of Commerce’s National Institute of Standards and Technology, which supports US innovation through industrial competitiveness via several strategies, including developing measurable cybersecurity standards to protect critical infrastructure and enhance information security and data protection activities.
NIST CSF is a popular cybersecurity framework containing a set of standards, guidelines, and best practices to help businesses get their basic cybersecurity processes up to speed and have a baseline to develop their IT infrastructure. NIST frequently updates the framework, keeping it relevant as the number of cyber attacks and types of cybersecurity threats evolve.
The NIST framework is not industry-specific and can be implemented by companies in all industries. A defining feature of the NIST CSF is that it is performance- and outcome-based and does not prescribe a specific checklist of actions to take. It sets out goals for organizations to accomplish and allows them to tailor the framework and customize it to their needs.
The five main pillars (core functions) of the NIST CSF are:
- Identify
- Protect
- Detect
- Respond
- Recover
The framework can be used by both small firms with no existing cybersecurity programs and enterprise-level businesses with extensive information security management systems. At any stage of an organization’s cybersecurity maturity, NIST CSF can enhance its internal policy to meet regulatory requirements and industry standards. Many large, global organizations use NIST CSF in their security programs, including major corporations like Microsoft, JPMorgan Chase, and Intel.
Another advantage of this framework is that it fosters communication about risk management, cyber awareness, and incident response, both internally and externally. It encourages communication between executive leadership, business partners, suppliers, stakeholders, and employees. Furthermore, some firms may need to use this framework to meet the needs of their customers or organizations within their supply chain.
2. Center for Internet Security (CIS) Critical Security Controls
CIS is a nonprofit organization that aims to make the Internet safer for people, businesses, and governments. They developed the CIS Critical Security Controls and CIS Benchmarks, which provide best practices for IT system security and data protection.
CIS Benchmarks focus on securing the configuration of operating systems, software, middleware, and network devices, and are referenced throughout the CIS Controls.
CIS Controls, also known as CIS Critical Security Controls, are recommendations of actions organizations can take to prevent the most common cybersecurity incidents. The recommendations were developed through a collaboration of government agencies, companies, and individual expert volunteers, including auditors, policymakers, solution providers, and cyber analysts.
The primary advantage of using CIS Controls is that it provides a list of 18 high-priority and highly-effective recommendations that organizations can use to get a security program off the ground and protect sensitive data quickly.
It may not be as comprehensive or robust as other frameworks, but it provides effective control baselines for organizations that need to rapidly improve how they protect sensitive information from cybercriminals and other security risks.
The controls are updated frequently through discussion within the CIS community, which draws on a wide range of disciplines across various industries, government, and academia. This ensures the controls stay focused on the most effective defenses against the most common cyber attacks and risks.
The CIS Controls can also map to most major compliance frameworks, including NIST CSF and the ISO 27000 series, as well as specific regulations, including PCI DSS and HIPAA.
- Fast payoff
3. ISO 27001/27002
ISO is the International Organization for Standardization, while IEC refers to the International Electrotechnical Commission. The ISO 27000 series are internationally recognized and the global standard for information security management. The ISO/IEC 27000 family comprises more than a dozen sets of cybersecurity standards for information security management systems (ISMS).
ISO 27001 is the primary component of the ISO 27000 series, whose standards each cover an aspect of information security management. It could be described as an overview of the implementation requirements for an ISMS, listing the primary security controls.
This cybersecurity framework is ideal for organizations that cannot yet commit to a full-scale implementation but want to start an information security project. It provides a framework to help organizations achieve the following outcomes with respect to improving information security:
- Creating a project team
- Gap analysis
- Understanding the scale or scope of the ISMS
- Policy development
- Conducting risk assessments
- Applying relevant controls
- Preparation of risk documentation
- Cybersecurity training for staff
- Internal auditing and review
Organizations can achieve an ISO 27001 certification if they choose or are required to do so, demonstrating that they have taken the necessary actions to create an ISMS.
ISO 27002 is supplementary to ISO 27001. It expands on each of the information security controls listed in ISO 27001, explaining how each control works, its goals, and how organizations can implement it. It provides best practice recommendations for those responsible for initiating, implementing, or maintaining an ISMS, with in-depth chapters on compliance with legal requirements, access control, authentication, and supplier relationships to help manage risk from third-party service providers.
A major benefit of using ISO 27002 is that it is a well-respected international standard. It is also comprehensive enough to cover most information security controls most organizations would use. Furthermore, it can be used to avoid coverage gaps and ensure that an organization has safeguards in place for all areas.
- Flexible, providing a good starting point while allowing greater depth when required
- Certification to ISO 27001 is possible to demonstrate commitment to information security
4. Cybersecurity Capability Maturity Model (C2M2)
Created in 2012, C2M2 was originally part of the US Department of Energy and cybersecurity experts’ response to a White House initiative to assess the energy industry’s security posture.
However, today, the framework helps organizations of all sizes and types, and especially financial institutions, evaluate their cybersecurity postures and maturity to optimize investments in cyber defense systems and procedures, focusing on solutions relating to information technology and operations technology.
Cyber maturity is measured by how prepared an organization is in its current state to defend against cyber threats. Over time, organizations can only achieve full maturity when they can consistently improve year over year on their security programs and have a clear understanding of industry compliance and cybersecurity performance.
C2M2 comprises 350 recommended cybersecurity practices in the following ten categories:
- Asset - Asset, Change, and Configuration Management
- Threat - Threat and Vulnerability Management
- Risk - Risk Management
- Access - Identity and Access Management
- Situation - Situational Awareness
- Response - Event and Incident Response, Continuity of Operations
- Third Parties - Third-Party Risk Management (TPRM)
- Workforce - Workforce Management
- Architecture - Cybersecurity Architecture
- Program - Cybersecurity Program Management
Each practice recommendation within the ten domains includes a brief description of the cybersecurity activity and the objectives that can be achieved through its implementation. C2M2 can also be mapped to NIST CSF controls to measure the organization’s maturity level.
One of the advantages of C2M2 over other frameworks is that its self-evaluation tool can be completed in a single day. In turn, firms can quickly understand their cybersecurity risk and what kind of controls they should implement to defend against data breaches and other cyber threats.
Organizations that choose this cybersecurity framework also benefit from its ability to measure their cybersecurity maturity in relation to each cybersecurity recommendation, define their target maturity levels, and prioritize the actions that will achieve these objectives most quickly and effectively. Organizations can consider whether each practice has been initiated, performed, or managed.
- Quick self-evaluation
- Organizations can consistently measure their cybersecurity maturity level for individual cybersecurity practices
5. Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT)
The FFIEC is a formal body that aims to standardize the reporting systems and supervision of federally supervised financial institutions. As such, the FFIEC makes recommendations to:
- The Board of Governors of the Federal Reserve System (FRB)
- The Office of the Comptroller of the Currency (OCC)
- The Federal Deposit Insurance Corporation (FDIC)
- The National Credit Union Administration (NCUA)
- The Consumer Financial Protection Bureau (CFPB)
FFIEC’s members note that financial institutions are increasingly reliant on information technology and communications technology and that this makes them vulnerable to cyber threats that can undermine their core business processes.
To ensure that financial institutions are maintaining strong cybersecurity practices, the FFIEC created the Cybersecurity Assessment Tool (CAT) in response to the increasing frequency and sophistication of cyber attacks. The CAT tailors the NIST Cybersecurity Framework for banks and credit unions, so this assessment tool can help financial services organizations understand their cyber risk postures using an agreed method of measuring their cybersecurity preparedness. It also works for non-depository institutions.
The CAT comprises resources intended for managers and directors of financial institutions to increase awareness of cyber risks, perform cyber risk assessments, and mitigate issues. The tool is divided into two parts: Inherent Risk Profile and Cybersecurity Maturity.
Inherent Risk Profile
The CAT helps firms classify their inherent risk after examining potential risks from the following sources:
- Organization and structure
- Mobile devices
- Third-party cloud services
- Delivery channels
- Connection types
- External sources
Cybersecurity Maturity
This stage of the CAT facilitates the measurement of a financial establishment’s cyber risk level and cybersecurity controls.
Measurement, which ranges from baseline to innovative, occurs across the following five domains:
- Cybersecurity Controls
- Management of Cyber Incidents and Resilience
- Threat Intelligence and Collaboration
- Cyber Risk Management and Oversight
- Management of External Dependency
- Tailored to financial institutions
- Created by the FFIEC
6. The Open Web Application Security Project (OWASP)
OWASP is a nonprofit foundation aiming to strengthen software security by providing tools, resources, and networking opportunities for developers. It is focused on community and information-sharing through activities like open-source software projects and webinars to raise application security awareness and remediate software vulnerabilities.
The security of web applications varies, which can pose significant problems for organizations adopting or considering using software in the daily course of business. The OWASP Application Security Verification Standard (ASVS) cybersecurity framework facilitates the testing of web application technical security controls and standardizes web application security.
The standard is open and usable by commercial enterprises. Organizations can use it to verify that their security controls function against threats such as SQL injection and cross-site scripting (XSS).
Financial organizations can use the standards for the following activities:
- To aid procurement activities - Organizations can specify measurable application security requirements in their contracts.
- As a metric - Application owners and developers can use standardized web application security measures to consider the security of their web applications.
- As guidance - ASVS can help make minimum levels of web application security clear to those responsible for developing security controls.
Each requirement in ASVS is categorized by version, chapter, section, and requirement to help users perform a comprehensive and systematic verification of web application security.
By the end of the process, organizations should appreciate the security level of their authentication, access controls, and session management and identify software vulnerabilities affecting them.
- Focus on web applications
- Community focus encourages information sharing and adaptation to emerging threats
7. Information Technology Infrastructure Library (ITIL)
ITIL is a set of best practices relating to managing IT services and enhancing the quality of IT support. Its primary objective is to ensure that an organization’s IT services adapt to the evolving objectives of the business.
This framework has its roots in the British government of the 1980s, stemming from the Central Computer and Telecommunications Agency’s (CCTA) creation of a physical library of IT service management best practices. What started as several dozen documents grew into many volumes covering IT management, applications, and services. Some of the latest expansions include cloud computing, DevOps, and artificial intelligence.
Using ITIL principles helps organizations get to the heart of IT environment issues quickly and can help prevent future issues. The framework comprises 26 processes, divided into five primary stages.
- Service Strategy - including assessing and measuring IT strategy.
- Service Design - including creating, managing, and assessing Information Security services.
- Service Transition - including risk management related to change.
- Service Operation - including access management.
- Continual Service Improvement - which helps organizations keep IT services aligned with evolving businesses.
Using ITIL in the context of cybersecurity helps organizations create solid, stable structures on which to build effective, reliable cybersecurity programs. By following the best practice approaches in ITIL, businesses can improve the ease with which they achieve or maintain cybersecurity compliance.
Following ITIL is ideal for businesses that want to take a holistic approach to cybersecurity. It guides organizations on how they should implement cybersecurity best practices, considering information security management essential to all planning and improvement activities to avoid creating vulnerabilities and to ensure stakeholders understand the importance of information security.
Finally, the framework emphasizes the need to detect and correct security incidents.
- Lays the foundations for a lasting cybersecurity program
- Focuses on a holistic approach to cybersecurity rather than relatively isolated activities
8. Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR)
The CSA is the world leader in raising awareness of best practices relating to cloud computing environments. The alliance provides membership, certification, and a significant database of strategies and research organizations can use to achieve robust cloud security.
The CSA’s STAR Registry is open to the public. Anyone can see the security and privacy controls provided by popular cloud computing service providers. Cloud computing organizations that publish to the registry demonstrate their compliance and security postures, including information on the regulations, standards, and frameworks with which they are aligned.
Organizations can take proving their cybersecurity posture further by becoming CSA Corporate Members. The advantage of this is that they are listed as CSA Trusted Cloud Providers, having fulfilled additional training and requirements that demonstrate a commitment to cloud security not only for themselves and their customers but for the industry.
Working to achieve STAR certifications can help firms develop and enhance their cybersecurity programs while also providing transparency to present and future customers about the strength of their response to cybersecurity risk.
The differences between the two levels of STAR are as follows:
STAR Level One - Self Assessment
Organizations can use STAR’s Cloud Controls Matrix to perform a self-assessment of the efficacy of their security controls. They can also self-evaluate their privacy levels using a STAR assessment based on the European Union’s General Data Protection Regulation (GDPR) Code of Conduct.
Level One is suitable for low-risk operations that want to increase transparency about their security controls without a significant financial investment. The results of the questionnaire are published on the site, and future customers decide if they are willing to partner with the organization.
STAR Level Two - Third-Party Audit
Measured by third-party assessment firms, achieving this level allows organizations to align other industry standards and certifications with the needs of cloud computing environments. In this case, an organization would use one or more security and privacy certifications and audits according to its location and required regulations and standards.
Level Two is best for organizations that operate in medium to high-risk environments, that already use ISO 27001, GDPR, or GB/T 22080-2008, and wish to increase assurance for cloud security and privacy.
- Adapts other standards to the needs of organizations in a cloud computing environment
- Increases transparency and reassures customers
9. National Institute of Standards and Technology (NIST) Special Publication 800-53
NIST Special Publication 800-53 and its revisions respond to the ongoing need to strengthen information systems in critical infrastructure sectors to protect the US’s economic and national security interests. NIST 800-53 is mandatory for federal organizations and voluntary for private sector organizations.
Organizations can use NIST 800-53 to enhance security and privacy controls to make information systems more resilient, improving the protection of sensitive information from cyber attacks and data breaches.
NIST 800-53 was created in 2005 but has focused on adapting to the ever-evolving cyber threat landscape and being as usable as possible by as many groups as possible. As well as streamlining the standards to make them clearer, the latest iteration of NIST 800-53 has made the following improvements:
- Integration of information security and privacy controls
- Development of a supply chain risk management control family
- Use of recent threat intelligence and data on cyber-attacks to incorporate new controls
This cybersecurity framework includes 18 areas, including business continuity, incident response, disaster recovery, and access control. These categories help government agencies and their third-party service providers comply with the Federal Information Security Modernization Act (FISMA) but can also be useful for a financial services firm or any organization wishing to enhance cybersecurity.
NIST 800-53 can help with the following actions:
- Identifying and categorizing information and data in need of protection
- Developing baseline information security controls
- Performing risk assessments with which to modify minimum control requirements
- Producing a written information security plan
- Implementing designed security controls
- Continuous monitoring of the security controls and re-assessing risk levels
- Well-respected among federal agencies
- Governs compliance with Federal Information Processing Standard Publication 200 (FIPS 200)
- Effective for federal agencies and the private sector
10. Australian Government Information Security Manual (ISM)
The Australian Government’s ISM is produced by the Australian Cyber Security Centre (ACSC). Its aim is to establish a cybersecurity framework that organizations can align with their risk management frameworks.
This voluntary framework, drawing from NIST Special Publication 800-37 rev. 1, is intended to be used by:
- Chief Information Security Officers (CISOs)
- Chief Information Officers (CIOs)
- Cybersecurity professionals
- Information technology (IT) managers
The ISM is built on a six-step risk management framework.
- Define the system — Work out the organization’s security objectives based on a risk assessment to determine the potential impact of system compromise.
- Select controls — The ACSC provides controls it believes are effective and efficient for mitigating risks depending on an organization’s information security objectives.
- Implement controls — The ACSC appreciates that planning and implementation are not always aligned as intended and encourages firms to record differences in a security plan annex.
- Assess controls — ISM facilitates a security assessment to identify the system’s strengths and weaknesses before vulnerability remediation actions where necessary.
- Authorize the system — Organizations must gather the necessary information — including an incident response plan, continuous monitoring plan, and security assessment — to judge the acceptability of any security risks associated with the system.
- Monitor the system — The final step on which the ISM is based sees that organizations continue ongoing, real-time monitoring of the system for cyber threats and security risks to maintain their cybersecurity posture.
It briefly covers how legislation may apply to organizations using the framework but recommends that organizations perform their own compliance requirement research.
When implementing its four cybersecurity principles — Govern, Protect, Detect, and Respond — each of which breaks down into multiple outcomes, organizations can use ISM’s five-level maturity model to assess their progress.
- A business can build its cybersecurity program on its risk management framework
- Comprehensive controls
How UpGuard Helps Financial Institutions Implement Cybersecurity Frameworks
UpGuard helps financial institutions and their third parties map out and implement cybersecurity frameworks through prebuilt and customizable questionnaires. Additionally, UpGuard helps all organizations measure their security postures through its comprehensive, industry-leading attack surface management and vendor risk management platform.
Through the platform, financial institutions can ensure they meet all industry regulation standards and compliance requirements to avoid costly fines and data breaches. Find out how UpGuard helps below!