Follow this guide to benchmark your organisation against the FCA Cyber and Technology Resilience Survey.
A few months back we covered the FCA Cyber and Technology Resilience Survey results for 2017/18 published in March 2019. The results highlighted areas in cyber security resilience in which financial services organisations need to focus.
The FCA report itself outlines key areas where financial services firms need to pay particular attention and looked at the following practices and experiences: –
- Put good governance in place
- Identify what you need to protect
- Protect your assets appropriately
- Use good detection systems
- Be aware of emerging threats and issues
- Be ready to respond and recover
- Test and refine your defences
For ease of use, this GAP Analysis template will follow the framework of the FCA Cybersecurity – industry insights report.
If anything is missing or needs further clarification, we suggest highlighting it in red for immediate investigation/fix.
For areas where you comply but could be further improved, we suggest marking in orange as an advisory.
For areas where you go above and beyond the requirement, we suggest marking in green and monitoring.
|REQUIREMENT||AREA||LEVEL OF PROTECTION|
|1.||Put good governance in place||Policies, procedures and user training.||Outline all your internal policies you have in terms of IT use, training, how to report security incidents and potential data breaches.|
|2.||Identify what you need to protect||Data (Personal and Restricted)||Outline what measures you take to ensure that personal and restricted data is kept safe and secure. Who can access the data? Where do you store the data? How often do you review the access granted to employees?|
|3.||Protect your assets appropriately||Do you have any applications that scan email to identify spoofing, phishing, impersonation, malware and spam.|
|Perimeter protection (external and internal)||Do you have any firewalls to protect all points of ingress, any Intrusion Protection Systems (IPS), malware protection, URL filtering, etc?|
|Hardware and Software||How do you protect machines on your network? Do you install the latest patches?|
|Wi-Fi||Is your Wi-Fi network secure with passwords and separate VLANs?
VPN encrypted and secure?
|Mobile Devices||Do you use a Mobile Device Management (MDM) solution to manage your mobile devices? Are these devices encrypted? Do you deploy two factor authentication (2FA)?|
|Desktop PCs||Are these encrypted?|
|Remote Access/Working from Home||How do you restrict this? Do you use 2FA to log into systems? Is your VPN encrypted and secure?|
|4.||Use good detection systems||Security Event Monitoring||Do you use a virtual SOC to identify and mitigate risks from security events that occur?|
|5.||Be aware of emerging threats and issues||Support
|Do you have an IT support helpdesk? If this available during working hours or out of hours?|
|Third-Party Risks||The resilience of dependant third parties, such as brokers, payroll providers, suppliers and partners should be periodically audited. What information do they process, how is it stored, what controls to they have to mitigate risk, who has access, if sensitive data is processed, etc.?|
|6.||Be ready to respond and recover||Systems and Data||Do you separate internal traffic with VLANs? Are systems replicated between data centres? Are emails and other systems backed up daily?|
|7.||Test and refine your defences||Disaster Recovery and Penetration Testing||How often do you test your disaster recovery processes? Do you carryout regular pen testing?|
Depending on your IT infrastructure and whether you manage your IT internally or through a managed service provider will determine how you collate the information to identify strengths and weaknesses.
If you manage your IT internally and need assistance MMRIT can help.
If your IT infrastructure is managed through a managed service provider, they will be able to help you.