Closing the CIP Technology Gap in the Banking and Finance Sector

1
Closing the CIP Technology Gap in the Banking and
Finance Sector
  • Treasury Department
  • Office of Critical Infrastructure Protection and
    Compliance Policy

March 2005
2
Long-term Policy Mandate to Expand CIP R&D for
Banking and Finance
  • Presidential Decision Directive 63 (May 1998)
    • Department of the Treasury and the financial
      sector are expected to recommend a program of
      research and development to keep the industry at
      the cutting edge of information systems
      security

3
Expanded in the National Strategy to Secure
Cyberspace Action Recommendation
  • Action Recommendation 3-6
    • A public-private partnership should continue
      work in helping to secure the Nation's cyber
      infrastructure through participation in, as
      appropriate and feasible,
      • a technology and R&D gap analysis to provide
        input into the federal cybersecurity research
        agenda,
      • coordination on the conduct of associated
        research, and the development and dissemination
        of best practices for cybersecurity.

4
The Banking and Finance Sector Is A Significant
Factor in Cyberspace
  • 9% of the U.S. Gross Domestic Product
  • 12% consumer of IT sector products and services
  • Large provider of e-commerce services
  • Heavily dependent on telecom and IT sectors

5
Closing the CIP Technology GAP in the Banking and
Finance Sector
  • There is a significant difference between
    state-of-the-practice vs. state-of-the-art in
    CIP protection
  • This is driven by a variety of factors including:
    • Cost vs. perceived benefits
    • Dissemination of information about
      state-of-the-art
    • Creation of best practices
    • Adoption time (early-mid-late adopter curve)
  • Closing the gap must be a priority for government
    and industry

6
State-of-the-Practice vs. State-of-the-Art
7
The Treasury CIP R&D Agenda Project
  • Goals
    • Advance BOTH the state-of-the-art and the
      state-of-the-practice in the banking and finance
      sector.
    • Facilitate closing the gap between
      state-of-the-art and state-of-the-practice in
      CIP.
  • Strategy
    • Encourage public-private partnerships to engage
      in R&D that will develop technology and business
      practices of near term as well as longer term
      value to the banking and finance sector.

8
Approach
  • Analyzed existing R&D agendas for applicability
    to goals of project
  • Augment with topics based on industry needs
  • Vet with industry experts and organizations
  • Develop funding and governance model
  • Work with public and private sector to create
    funding sources
  • Manage RFP process
  • Organize information sharing

9
Multiple Frameworks for R&D Projects
  • CIP Life-cycle
  • Policy and Strategy
  • Awareness and Assessment
  • Preparation and Prevention
  • Detection and Restoration
  • Risk Management
  • Business/Tech Impact
  • Business Continuity
  • Authentication and Access Control
  • Information Security
  • Network and Communications
  • Operations Center Management
  • Best Practices

10
Example Projects
  • Enterprise security management
  • Integration of physical and cyber security
  • Securing software environments including COTS
  • Access control language standards
  • Defending against insider attacks
  • Biometric identification systems
  • Wide-scale identity theft
  • Asset movement pattern recognition
  • Business continuity strategies
  • Data replication technology
  • Data decontamination approaches
  • Clearing system interoperability
  • Best practices repository
  • Life-cycle costing
  • Creating public policy to promote business
    continuity best practices

11
Securing Software Environments Including COTS
  • The issue
    • Banks and financial institutions use and
      integrate software they develop themselves and
      from dozens of different vendors, each with (or
      without) appropriate security. How can they
      create a secure environment with that
      architecture?
  • Life-cycle
    • Awareness and Assessment, Preparation and
      Prevention, Detection and Reaction
  • Business/technology impact
    • Improved security of integrated systems
      environments
  • Time frame
    • Mid-term

12
Defending Against Insider Attacks
  • The issue
    • Although financial institutions vet their
      employees, by the nature of their jobs they have
      access to large amounts of sensitive information.
      In addition, IT personnel have access to
      sensitive systems. What technology can be
      developed to reduce vulnerabilities in this type
      of environment?
  • Life-cycle
    • Awareness and Assessment, Preparation and
      Prevention, Detection and Reaction
  • Business/technology impact
    • Information Security, Business Continuity,
      Authentication and Access Control
  • Time frame
    • Mid-term

13
High-reliability Biometric Identification Systems
  • The issue
    • The public is very sensitive to use of biometric
      identification, particularly when reliability is
      less than perfect. How can systems be improved
      to a level of reliability that will be accepted
      in the financial environment?
  • Life-cycle
    • Awareness and Assessment, Preparation and
      Prevention
  • Business/technology impact
    • Authentication and Access Control
  • Time frame
    • Mid-term

14
Wide-spread Identity Theft
  • The issue
    • Credit and related information is stored in
      databases where the theft of millions of
      identities is possible (cf. NYTimes report 2/24
      on theft of 145,000 identities from ChoicePoint)
  • Life-cycle
    • Preparation and Prevention, Detection and
      Reaction, Recovery and Restoration
  • Business/technology impact
    • Information Security, Business Continuity,
      Authentication and Access Control
  • Time frame
    • Mid-term

15
Asset Movement Pattern Recognition
  • The issue
    • It is relatively easy to track a small number of
      large value transactions. In today's world,
      terrorists are more likely to be funding
      operations with large numbers of small value
      transactions. How do we find them?
  • Life-cycle
    • Detection and Reaction
  • Business/technology impact
    • Authentication and Access Control
  • Time frame
    • Near term

16
Data Replication Technology
  • The issue
    • To continue operating in the face of potential
      wide-scale disruptions, FIs are locating
      secondary and tertiary sites hundreds of miles
      apart. The need for aggressive recovery time
      and recovery point objectives implies the need
      for new types of data replication approaches.
  • Life-cycle
    • Preparation and Prevention, Recovery and
      Restoration
  • Business/technology impact
    • Business Continuity
  • Time frame
    • Near term

17
Selection Criteria
  • Program will seek diversity in:
    • CIP life-cycle phases
    • Business process and technology impact areas
    • Time frame
    • Research risk (exploratory to developmental)

18
Current Activities
  • Analyzed existing R&D agendas for applicability
    to goals of project
  • Augment with topics based on industry needs
  • Vet with industry experts and organizations
  • Develop funding and governance model
  • Work with public and private sector to create
    funding sources
  • Manage RFP process
  • Organize information sharing

19
Closing the CIP Technology Gap
[Figure. Axes: Technological Advance, Time. Curves: State-of-the-Art (Proven Technology), State-of-the-Practice.]
  • Variation among organizations can be large at any
    point in time.
  • Goal is also to reduce the variation among
    organizations.
  • The State-of-the-Practice must improve at an
    average rate faster than improvements in the
    State-of-the-Art, and must deal with the uneven
    progress of improvements in the State-of-the-Art.
20
For more information, contact
  • Scott Parsons, Deputy Assistant Secretary
    scott.parsons_at_do.treas.gov
  • Brian Peretti, Program Manager
    brian.peretti_at_do.treas.gov

21
The Treasury CIP R&D Agenda Project: Close the
Gap