Title: Closing the CIP Technology Gap in the Banking and Finance Sector
1. Closing the CIP Technology Gap in the Banking and Finance Sector
- Treasury Department
- Office of Critical Infrastructure Protection and Compliance Policy
March 2005
2. Long-term Policy Mandate to Expand CIP R&D for Banking and Finance
- Presidential Decision Directive 63 (May 1998)
- Department of the Treasury and the financial sector are expected to recommend a program of research and development to keep the industry at the cutting edge of information systems security
3. Expanded in the National Strategy to Secure Cyberspace Action Recommendation
- Action Recommendation 3-6
- A public-private partnership should continue work in helping to secure the Nation's cyber infrastructure through participation in, as appropriate and feasible,
  - a technology and R&D gap analysis to provide input into the federal cybersecurity research agenda,
  - coordination on the conduct of associated research, and the development and dissemination of best practices for cybersecurity.
4. The Banking and Finance Sector Is A Significant Factor in Cyberspace
- 9 of the U.S. Gross Domestic Product
- 12 consumer of IT sector products and services
- Large provider of e-commerce services
- Heavily dependent on telecom and IT sectors
5. Closing the CIP Technology Gap in the Banking and Finance Sector
- There is a significant difference between state-of-the-practice and state-of-the-art in CIP protection
- This is driven by a variety of factors including
  - Cost vs. perceived benefits
  - Dissemination of information about state-of-the-art
  - Creation of best practices
  - Adoption time (early-mid-late adopter curve)
- Closing the gap must be a priority for government and industry
6. State-of-the-Practice vs. State-of-the-Art
7. The Treasury CIP R&D Agenda Project
- Goals
  - Advance BOTH the state-of-the-art and the state-of-the-practice in the banking and finance sector.
  - Facilitate closing the gap between state-of-the-art and state-of-the-practice in CIP.
- Strategy
  - Encourage public-private partnerships to engage in R&D that will develop technology and business practices of near term as well as longer term value to the banking and finance sector.
8. Approach
- Analyzed existing R&D agendas for applicability to goals of project
- Augment with topics based on industry needs
- Vet with industry experts and organizations
- Develop funding and governance model
- Work with public and private sector to create funding sources
- Manage RFP process
- Organize information sharing
9. Multiple Frameworks for R&D Projects
- CIP Life-cycle
- Policy and Strategy
- Awareness and Assessment
- Preparation and Prevention
- Detection and Restoration
- Risk Management
- Business/Tech Impact
- Business Continuity
- Authentication and Access Control
- Information Security
- Network and Communications
- Operations Center Management
- Best Practices
10. Example Projects
- Enterprise security management
- Integration of physical and cyber security
- Securing software environments including COTS
- Access control language standards
- Defending against insider attacks
- Biometric identification systems
- Wide-scale identity theft
- Asset movement pattern recognition
- Business continuity strategies
- Data replication technology
- Data decontamination approaches
- Clearing system interoperability
- Best practices repository
- Life-cycle costing
- Creating public policy to promote business continuity best practices
11. Securing Software Environments Including COTS
- The issue
  - Banks and financial institutions use and integrate software they develop themselves and from dozens of different vendors, each with (or without) appropriate security. How can they create a secure environment with that architecture?
- Life-cycle
  - Awareness and Assessment, Preparation and Prevention, Detection and Reaction
- Business/technology impact
  - Improved security of integrated systems environments
- Time frame
  - Mid-term
12. Defending Against Insider Attacks
- The issue
  - Although financial institutions vet their employees, those employees by the nature of their jobs have access to large amounts of sensitive information. In addition, IT personnel have access to sensitive systems. What technology can be developed to reduce vulnerabilities in this type of environment?
- Life-cycle
  - Awareness and Assessment, Preparation and Prevention, Detection and Reaction
- Business/technology impact
  - Information Security, Business Continuity, Authentication and Access Control
- Time frame
  - Mid-term
13. High-reliability Biometric Identification Systems
- The issue
  - The public is very sensitive to the use of biometric identification, particularly when reliability is less than perfect. How can systems be improved to a level of reliability that will be accepted in the financial environment?
- Life-cycle
  - Awareness and Assessment, Preparation and Prevention
- Business/technology impact
  - Authentication and Access Control
- Time frame
  - Mid-term
14. Wide-spread Identity Theft
- The issue
  - Credit and related information is stored in databases where the theft of millions of identities is possible (cf. NYTimes report 2/24 on theft of 145,000 identities from ChoicePoint)
- Life-cycle
  - Preparation and Prevention, Detection and Reaction, Recovery and Restoration
- Business/technology impact
  - Information Security, Business Continuity, Authentication and Access Control
- Time frame
  - Mid-term
15. Asset Movement Pattern Recognition
- The issue
  - It is relatively easy to track a small number of large value transactions. In today's world, terrorists are more likely to be funding operations with large numbers of small value transactions. How do we find them?
- Life-cycle
  - Detection and Reaction
- Business/technology impact
  - Authentication and Access Control
- Time frame
  - Near term
16. Data Replication Technology
- The issue
  - To continue operating in the face of potential wide-scale disruptions, FIs are locating secondary and tertiary sites hundreds of miles apart. The need for aggressive recovery time and recovery point objectives implies the need for new types of data replication approaches.
- Life-cycle
  - Preparation and Prevention, Recovery and Restoration
- Business/technology impact
  - Business Continuity
- Time frame
  - Near term
17. Selection Criteria
- Program will seek diversity in
  - CIP life-cycle phases
  - Business process and technology impact areas
  - Time frame
  - Research risk (exploratory to developmental)
18. Current Activities
- Analyzed existing R&D agendas for applicability to goals of project
- Augment with topics based on industry needs
- Vet with industry experts and organizations
- Develop funding and governance model
- Work with public and private sector to create funding sources
- Manage RFP process
- Organize information sharing
19. Closing the CIP Technology Gap
[Figure labels: State-of-the-Art (Proven Technology); Technological Advance; State-of-the-Practice; Time]
Goal is also to reduce the variation among organizations.
Variation among organizations can be large at any point in time.
The State-of-the-Practice must improve at an average rate faster than improvements in the State-of-the-Art, and must deal with the uneven progress of improvements in the State-of-the-Art.
20. For more information, contact
- Scott Parsons, Deputy Assistant Secretary
  scott.parsons_at_do.treas.gov
- Brian Peretti, Program Manager
  brian.peretti_at_do.treas.gov
21. The Treasury CIP R&D Agenda Project: Close the Gap