Re: Explanatory notes to the 2017 Assessment Framework for Information Security
1. Introduction
The quality of information security in the financial sector has been one of DNB's supervisory themes for many years. It includes regular self-assessments by banks, insurance companies and pension funds. For the purpose of these assessments, we developed an Assessment Framework for Information Security, which comprises 54 COBIT[1] controls. In the context of sound operational management, we have asserted that institutions must achieve a maturity level of at least "3" for these controls (i.e. the 54 controls must be demonstrably effective). In addition, we expect institutions to raise the minimum maturity level of three specific controls in the "Assess and manage (IT) risks" category to at least "4". We expect institutions to perform risk analyses to verify for which other implemented controls they consider a maturity level of "4" to be necessary.
The content of DNB's 2017 Assessment Framework for Information Security has remained unchanged relative to the version published in 2014. However, some small textual changes were made and the explanatory notes (this document) were updated.
In 2017, we will perform risk-based examinations of the above at a selection of institutions, which will be informed accordingly by letter in April 2017. The letter asks the selected institutions to fill in the assessment framework, substantiate their answers, and return the documents within 10 weeks.
Our 2017 examination will expressly include the institutions' approach to cyber security risks. We will look at the risk analysis performed by the financial institutions, including any actions for improvement. In making our assessment, we will take the maturity of all measures included in the model into account. We also expect risk analyses and estimates of residual risks to present an accurate picture and to have been verified by an internal or external auditor.
We would advise the institutions that have not been selected for this examination to verify the adequacy of their information security levels themselves. We expect institutions to implement additional measures where necessary in order to arrive at an acceptable residual risk level.
2. Explanatory notes to the Assessment Framework
2.1 Maturity level definitions
We want to align our maturity level definitions with COBIT 4.1[2] as much as possible. This is why we have used the English terminology.
In the table below, "Current definition of the control" contains the definitions in place since 2014, and "Explanatory criteria" lists the criteria clarifying the various maturity levels.
Maturity level "3" requires that, in conformity with the COBIT definitions, the relevant control has been implemented and that its design, existence and effectiveness have been proven.
Level 0: Non-existent
Current definition of the control: No documentation. There is no awareness of or attention for a specific control.
Explanatory criteria: none.

Level 1: Initial/ad hoc
Current definition of the control: The control has been defined or partly defined, but is performed inconsistently. Exercise of the control depends on individuals.
Explanatory criteria: none.

Level 2: Repeatable but intuitive
Current definition of the control: The control is in place and exercised in a structured and consistent but informal way.
Explanatory criteria: The control is exercised based on an informal, unwritten though standard practice.

Level 3: Defined
Current definition of the control: The control is documented and exercised in a structured and formalised way. Exercise of the control can be demonstrated.
Explanatory criteria:
* Formal controls are in place for all critical processes.
* Critical processes and controls are identified by means of risk assessments.
* There is evidence of the control's implementation.
* A formal "test of design effectiveness" constitutes evidence for a level "3" score.
* A formal "test of operating effectiveness" constitutes evidence for a level "3" score.
* The test of operating effectiveness should cover an appropriate period that is consistent with the risk profile.

Level 4: Managed and measurable
Current definition of the control: The effectiveness of the control is periodically assessed and improved where necessary. This assessment is documented.
Explanatory criteria: the level "3" criteria plus the following:
* Regular evaluations of the control are documented, including any identified actions for improvement.
* The frequency of regular evaluations is aligned with the risk profile.
* This assessment is performed at least annually.

Level 5: Optimised
Current definition of the control: A company-wide risk and control programme ensures continuous and effective control and resolution of risk issues. Internal control and risk management are integrated with company practices, supported by digital real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Controls are constantly evaluated, based on self-assessments and gap and root cause analyses. Staff are proactively involved in control improvements.
Explanatory criteria (distinguishing criteria):
* Improvements are made on an ongoing basis.
* The performance of the control is compared with market data of other businesses.
* Advanced IT support is in place, including workflow processing and integration.
2.2 Structure of the Assessment Framework
The 2017 amended Assessment Framework for Information Security is split into two documents.
1) Document 1 (Questionnaire IB 2017) includes the 54 COBIT controls that institutions must assess. This document holds the description of each control and its mapping to the COBIT V5 and ISO 27000 standards. These versions of the standards and best practices are often used in the financial sector. Institutions must fill in this document and return it to DNB. The document can be downloaded from the general pages, via http://www.toezicht.dnb.nl/en/3/51-203304.jsp, under the heading "Related downloads", "Questionnaire IB 2017".
2) Document 2 (Points to consider) contains the points to consider for all controls and is intended as guidance for institutions. These points have not been extended relative to the previous 2014 version of the Assessment Framework. They include elements from the SANS Top 20 Critical Security Controls for Effective Cyber Defense (www.sans.org) and ISO 27032:2012 Guidelines for Cyber Security (www.iso.org). You will find document 2 on the same page as document 1 under the heading "Related downloads", "Self assessment IB – Points to Consider".
3. Selection of controls for maturity level "4"
Increased cyber threats such as Advanced Persistent Threats (APTs) underline the importance of effective information security and of continuous monitoring of these threats. This is widely recognised in the financial sector. The issue is addressed by IT risk management, in which IT risk assessments play an important role: they form the basis for implementing controls and for determining their minimum maturity level requirements.
We want to emphasise that institutions themselves are responsible for setting up an adequate (IT) risk management structure. In the context of the Assessment Framework for Information Security, we have translated this into elevated maturity level requirements for three controls in the "Assess and manage (IT) risks" category, which must reach a maturity level of "4". These controls are:
· 4.1 IT risk management framework;
· 4.2 Risk assessment;
· 4.3 Maintenance and monitoring of a risk action plan.
We expect the institution to be able to indicate, by means of a risk analysis, the other controls for which it considers a maturity level of "4" to be necessary. These changes aim to strengthen institutions' risk management of current threats, including those related to cyber crime.
Date: 11 April 2017 / Reference: T039-209982499-11 / Page 4 of 4
[1] COBIT (Control Objectives for Information and related Technology) is an open international IT governance standard developed by ISACA (www.isaca.org).
[2] However, COBIT 4.1 does not always use definitions consistently. DNB's definitions are based on the definitions on page 175 of Appendix III (Maturity Model for Internal Control) to COBIT 4.1.