Closing the CIP Technology Gap in the Banking and Finance Sector Treasury Department Office of Critical Infrastructure Protection and Compliance Policy.


Closing the CIP Technology Gap in the Banking and Finance Sector Treasury Department Office of Critical Infrastructure Protection and Compliance Policy March 2005

Long-term Policy Mandate to Expand CIP R&D for Banking and Finance

Presidential Decision Directive 63 (May 1998):
– “Department of the Treasury and the financial sector are expected to … Recommend a program of research and development to keep the industry at the cutting edge of information systems security…”

…Expanded in the National Strategy to Secure Cyberspace “Action Recommendation”

Action Recommendation 3-6: “A public-private partnership should continue work in helping to secure the Nation’s cyber infrastructure through participation in, as appropriate and feasible,
– a technology and R&D gap analysis to provide input into the federal cybersecurity research agenda,
– coordination on the conduct of associated research, and
– the development and dissemination of best practices for cybersecurity.”

The Banking and Finance Sector Is a Significant Factor in Cyberspace
– 9% of the U.S. Gross Domestic Product
– 12% consumer of IT sector products and services
– Large provider of e-commerce services
– Heavily dependent on telecom and IT sectors

Closing the CIP Technology Gap in the Banking and Finance Sector

There is a significant difference between “state-of-the-practice” and “state-of-the-art” in CIP protection. This is driven by a variety of factors including:
– Cost vs. perceived benefits
– Dissemination of information about the state-of-the-art
– Creation of “best practices”
– Adoption time (“early-mid-late adopter” curve)

Closing the gap must be a priority for government and industry.

State-of-the-Practice vs. State-of-the-Art (chart; N.B. hypothetical data)

The Treasury CIP R&D Agenda Project

Goals:
– Advance BOTH the state-of-the-art and the state-of-the-practice in the banking and finance sector.
– Facilitate “closing the gap” between state-of-the-art and state-of-the-practice in CIP.

Strategy:
– Encourage public-private partnerships to engage in R&D that will develop technology and business practices of near-term as well as longer-term value to the banking and finance sector.

Approach
– Analyze existing R&D agendas for applicability to the goals of the project
– Augment with topics based on industry needs
– Vet with industry experts and organizations
– Develop funding and governance model
– Work with public and private sector to create funding sources
– Manage RFP process
– Organize information sharing

Multiple Frameworks for R&D Projects

“CIP Life-cycle”:
– Policy and Strategy
– Awareness and Assessment
– Preparation and Prevention
– Detection and Restoration
– Risk Management

Business/Tech Impact:
– Business Continuity
– Authentication and Access Control
– Information Security
– Network and Communications
– Operations Center Management
– Best Practices

Example Projects
– Enterprise security management
– Integration of physical and cyber security
– Securing software environments including COTS
– Access control language standards
– Defending against “insider” attacks
– Biometric identification systems
– Wide-scale identity theft
– Asset movement pattern recognition
– Business continuity strategies
– Data replication technology
– Data decontamination approaches
– Clearing system interoperability
– Best practices repository
– Life-cycle costing
– Creating public policy to promote business continuity best practices

Securing Software Environments Including COTS

The issue:
– Banks and financial institutions use and integrate software they develop themselves and software from dozens of different vendors, each with (or without) appropriate security. How can they create a secure environment with that architecture?
Life-cycle:
– Awareness and Assessment, Preparation and Prevention, Detection and Reaction
Business/technology impact:
– Improved security of integrated systems environments
Time frame:
– Mid-term

Defending Against Insider Attacks

The issue:
– Although financial institutions vet their employees, by the nature of their jobs employees have access to large amounts of sensitive information. In addition, IT personnel have access to sensitive systems. What technology can be developed to reduce vulnerabilities in this type of environment?
Life-cycle:
– Awareness and Assessment, Preparation and Prevention, Detection and Reaction
Business/technology impact:
– Information Security, Business Continuity, Authentication and Access Control
Time frame:
– Mid-term

High-reliability Biometric Identification Systems

The issue:
– The public is very sensitive to the use of biometric identification, particularly when reliability is less than perfect. How can systems be improved to a level of reliability that will be accepted in the financial environment?
Life-cycle:
– Awareness and Assessment, Preparation and Prevention
Business/technology impact:
– Authentication and Access Control
Time frame:
– Mid-term

Wide-spread Identity Theft

The issue:
– Credit and related information is stored in databases where the theft of millions of identities is possible (cf. NYTimes report 2/24 on theft of 145,000 identities from ChoicePoint)
Life-cycle:
– Preparation and Prevention, Detection and Reaction, Recovery and Restoration
Business/technology impact:
– Information Security, Business Continuity, Authentication and Access Control
Time frame:
– Mid-term

Asset Movement Pattern Recognition

The issue:
– It is relatively easy to track a small number of large-value transactions. In today’s world, terrorists are more likely to be funding operations with large numbers of small-value transactions. How do we find them?
Life-cycle:
– Detection and Reaction
Business/technology impact:
– Authentication and Access Control
Time frame:
– Near term
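The slide contrasts a single-large-transaction check with the harder problem of many small-value transactions. The following is an added illustration, not code from the Treasury program or the slide deck: it runs a per-account, sliding-window aggregation over a constructed ledger so that a cluster of sub-threshold transfers is surfaced alongside the obvious large one. The thresholds, window length, account names and amounts are all assumed values chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (ISO timestamp, account id, amount in USD).
# Account "acct-A" makes six transfers just under 1,000 within five days;
# "acct-B" makes one large transfer; "acct-C" is ordinary low activity.
SAMPLE_TRANSACTIONS = [
    ("2005-03-01T09:00:00", "acct-A", 950.00),
    ("2005-03-01T11:30:00", "acct-A", 900.00),
    ("2005-03-02T10:15:00", "acct-A", 980.00),
    ("2005-03-03T14:00:00", "acct-A", 910.00),
    ("2005-03-04T16:45:00", "acct-A", 975.00),
    ("2005-03-05T08:20:00", "acct-A", 940.00),
    ("2005-03-01T09:05:00", "acct-B", 25000.00),
    ("2005-03-02T12:00:00", "acct-C", 40.00),
    ("2005-03-09T12:00:00", "acct-C", 35.00),
    ("2005-03-20T13:00:00", "acct-A", 950.00),  # far outside the cluster window
]


def parse(records):
    """Turn the raw tuples into (datetime, account, amount)."""
    return [(datetime.fromisoformat(ts), acct, amt) for ts, acct, amt in records]


def flag_large_single(records, single_threshold=10_000.0):
    """The easy case from the slide: any single transaction at or above a threshold."""
    return [(acct, amt) for _, acct, amt in parse(records) if amt >= single_threshold]


def flag_small_value_clusters(records, window=timedelta(days=7),
                              single_threshold=10_000.0,
                              min_count=5, aggregate_threshold=4_000.0):
    """The hard case: many sub-threshold transactions from one account
    inside a rolling time window whose count and total both exceed limits.

    Returns {account: (count, total)} for the densest flagged window
    per account. All limits are assumed illustrative values."""
    by_acct = defaultdict(list)
    for ts, acct, amt in parse(records):
        if amt < single_threshold:          # large ones are caught elsewhere
            by_acct[acct].append((ts, amt))

    flagged = {}
    for acct, txns in by_acct.items():
        txns.sort()                         # sliding window needs time order
        start = 0
        for end in range(len(txns)):
            # shrink the window from the left until it spans at most `window`
            while txns[end][0] - txns[start][0] > window:
                start += 1
            count = end - start + 1
            total = sum(a for _, a in txns[start:end + 1])
            if count >= min_count and total >= aggregate_threshold:
                prev = flagged.get(acct)
                if prev is None or count > prev[0]:
                    flagged[acct] = (count, round(total, 2))
    return flagged


if __name__ == "__main__":
    print("large single:", flag_large_single(SAMPLE_TRANSACTIONS))
    print("small-value clusters:", flag_small_value_clusters(SAMPLE_TRANSACTIONS))
```

The single-transaction check finds only acct-B; the windowed aggregation is what surfaces acct-A, whose individual transfers would never trip a per-transaction threshold. In practice the window and thresholds would be tuned per product line, and the aggregation key might be a counterparty or a cluster of linked accounts rather than a single account id.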

Data Replication Technology

The issue:
– To continue operating in the face of potential wide-scale disruptions, FIs are locating secondary and tertiary sites hundreds of miles apart. The need for “aggressive” recovery time and recovery point objectives implies the need for new types of data replication approaches.
Life-cycle:
– Preparation and Prevention, Recovery and Restoration
Business/technology impact:
– Business Continuity
Time frame:
– Near term

Selection Criteria

The program will seek diversity in:
– CIP “life-cycle phases”
– Business process and technology impact areas
– Time frame
– Research risk (exploratory to developmental)

Current Activities
– Analyze existing R&D agendas for applicability to the goals of the project
– Augment with topics based on industry needs
– Vet with industry experts and organizations
– Develop funding and governance model
– Work with public and private sector to create funding sources
– Manage RFP process
– Organize information sharing

Closing the CIP Technology Gap (chart: State-of-the-Art (Proven Technology) and State-of-the-Practice plotted as Technological Advance over Time)

The State-of-the-Practice must improve at an average rate faster than improvements in the State-of-the-Art, and must deal with the uneven progress of improvements in the State-of-the-Art. Variation among organizations can be large at any point in time. The goal is also to reduce the variation among organizations.

For more information, contact:
– Scott Parsons, Deputy Assistant Secretary
– Brian Peretti, Program Manager

The Treasury CIP R&D Agenda Project: “Close the Gap”