Central Bank should revisit the Baseline Security Standard
The regulator's role in the banking and financial sector is critical to cyber security. The Baseline Security Standard issued by the Central Bank of Sri Lanka is designed to regulate security across the industry. Does it really serve that purpose?
In the era of customer experience, digital banking and FinTechs are at their peak, making security in the banking and financial sector a top priority. According to the PwC Global FinTech Executive Summary, 82% of incumbents expect to partner with FinTechs within three to five years, and 54% of incumbents see data storage, privacy and protection as the main regulatory barrier to innovation. This reflects extremely fast-growing market demand for digital banking, which brings with it a new world of threats and a much larger universe of risk. Introducing risk management and security governance requires framework guidance for successful implementation and operation.
In the meantime, the Central Bank of Sri Lanka (CBSL) issued Banking Act Directions No. 4 of 2014, the Amendment to the Directions on the Integrated Risk Management Framework for Licensed Banks. This introduced the Baseline Security Standard for Information Security Management, to be implemented by all licensed banks with effect from 01 July 2015. It was a bold and positive move by the regulator; however, here are the reasons why it needs a rethink.
Half-cooked risk management framework
The Baseline Security Standard (BSS) requires the bank to analyse and treat risks within the guidelines of ISO 27005:2011. It further guides the organisation to pick the BSS controls that would mitigate its IS risks (BSS 4.2, 4.3). But if BSS is a CBSL mandate that directs banks to implement it within a year of 01 July 2015, there is no picking and choosing among controls: a bank must identify the risks related to every BSS control and treat each of them by implementing the corresponding BSS control, otherwise it will not comply with BSS. This is the opposite of most leading risk practices, where risk analysis takes place, risk exposure is determined, and acceptance, mitigation or transfer is decided according to the organisation's risk appetite. Ideally the regulator would either have picked the controls to implement based on its own risk analysis, or let organisations adopt leading risk management practices, or let them extend their Enterprise Risk Management to the BSS scope.
Shortcomings in defining roles and responsibilities
Section 1.6 speaks of the allocation of IS responsibilities, but it gives conflicting directions: it leaves the allocation to the information security policy while at the same time prescribing how ownership, protection and control of information security assets are to be assigned. This leaves the reader with serious doubt: is that all? What about accountability and roles for risk management, internal controls, and avoiding conflicts of interest during implementation? Since the Board of Directors is held accountable under the Amendment, one can assume that a bank may build its own governance structure to implement BSS; but why, then, are asset-related responsibilities singled out? The standard should allow organisations to define their own roles and responsibilities and make these controls work. Asset management is in any case covered in section 4.
How can the board know where the bank stands?
Any framework or set of controls must make clear sense to its ultimate owners, which requires reporting its effectiveness to the stakeholders. The standard should therefore require Key Performance Indicators (KPIs) that let the Board review a dashboard of control effectiveness against the BSS. This improves the maturity of the controls far more than conventional auditing alone. It also requires the Board to respond to the current threat landscape, since Information Security Risk Management is part of the mandate. It would be even more effective if Balanced Scorecards were produced to evaluate the organisation's security posture and align it with its business strategy. Internal audit reports should go to the Board Audit Committee as a compliance matter, while maturity is driven by the KPI dashboard discussed at the Board, making security a boardroom function.
Requirement for Clear Definitions
BSS needs revisiting in several areas to clear up its definitions. For example, 4.2 Asset Classification requires information across the whole organisation to be classified, whereas the overall BSS implementation scope concerns all information systems within the bank. 1.3 IS Risk Assessment requires the bank to define the risk assessment scope, which raises the serious question of whether this allows an incremental approach in which a bank covers the entire organisation over a defined roadmap period. The regulator needs to think about what it must define and what the organisation should define for itself, so as to achieve the closest alignment with a more secure banking environment.
It is time CBSL looked back at the standard and at what the regulator's role should actually be in creating a more secure environment for the banking and financial sector. The first clear discussion should be whether to mandate a redefined standard or whether industry-tested standards (ISO 27001, COBIT, NIST SP 800-53, etc.) are the solution. Reinventing the wheel is not required, and it must be kept in mind that the threat landscape is not local; a locally regulated framework therefore itself raises serious questions about the maturity of the standard.