Download presentation
Presentation is loading. Please wait.
1
Closing the CIP Technology Gap in the Banking and Finance Sector Treasury Department Office of Critical Infrastructure Protection and Compliance Policy March 2005
2
Long-term Policy Mandate to Expand CIP R&D for Banking and Finance Presidential Decision Directive 63 (May 1998) –“Department of the Treasury and the financial sector are expected to … Recommend a program of research and development to keep the industry at the cutting edge of information systems security…”
3
…Expanded in the National Strategy to Secure Cyberspace “Action Recommendation” Action Recommendation 3-6: “ A public-private partnership should continue work in helping to secure the Nation’s cyber infrastructure through participation in, as appropriate and feasible, a technology and R&D gap analysis to provide input into the federal cybersecurity research agenda, coordination on the conduct of associated research, and the development and dissemination of best practices for cybersecurity.”
4
The Banking and Finance Sector Is A Significant Factor in Cyberspace 9% of the U.S. Gross Domestic Product 12% consumer of IT sector products and services Large provider of e-commerce services Heavily dependent on telecom and IT sectors
5
Closing the CIP Technology GAP in the Banking and Finance Sector There is a significant difference between “state-of- the-practice” vs. “state-of-the-art” in CIP protection This is driven by a variety of factors including: –Cost vs. perceived benefits –Dissemination of information about state-of-the-art –Creation of “best practices” –Adoption time (“early-mid-late adopter” curve) Closing the gap must be a priority for government and industry
6
State-of-the-Practice vs. State-of-the-Art N.B. Hypothetical data
7
The Treasury CIP R&D Agenda Project Goals –Advance BOTH the state-of-the-art and the state-of-the- practice in the banking and finance sector. –Facilitate “closing the gap” between state-of-the-art and state-of-the-practice in CIP. Strategy –Encourage public-private partnerships to engage in R&D that will develop technology and business practices of near term as well as longer term value to the banking and finance sector.
8
Approach Analyzed existing R&D agendas for applicability to goals of project Augment with topics based on industry needs Vet with industry experts and organizations Develop funding and governance model Work with public and private sector to create funding sources Manage RFP process Organize information sharing
9
Multiple Frameworks for R&D Projects “CIP Life-cycle:” Policy and Strategy Awareness and Assessment Preparation and Prevention Detection and Restoration Risk Management Business/Tech Impact: Business Continuity Authentication and Access Control Information Security Network and Communications Operations Center Management Best Practices
10
Example Projects Enterprise security management Integration of physical and cyber security Securing software environments including COTSSecuring software environments including COTS Access control language standards Defending against “insider” attacksDefending against “insider” attacks Biometric identification systemsBiometric identification systems Wide-scale identify theftWide-scale identify theft Asset movement pattern recognitionAsset movement pattern recognition Business continuity strategies Data replication technologyData replication technology Data decontamination approaches Clearing system interoperability Best practices repository Life-cycle costing Creating public policy to promote business continuity best practices
11
Securing Software Environments Including COTS The issue: –Banks and financial institutions use and integrate software they develop themselves and from dozens of different vendors, each with (or without) appropriate security. How can they create a secure environment with that architecture? Life-cycle: –Awareness and Assessment, Preparation and Prevention, Detection and Reaction Business/technology impact: –Improved security of integrated systems environments Time frame: –Mid-term
12
Defending Against Insider Attacks The issue: –Although financial institutions vet their employees, by the nature of their jobs they have access to large amounts of sensitive information. In addition, IT personnel have access to sensitive systems. What technology can be developed to reduce vulnerabilities in this type of environment? Life-cycle: –Awareness and Assessment, Preparation and Prevention, Detection and Reaction Business/technology impact: –Information Security, Business Continuity, Authentication and Access Control Time frame: –Mid-term
13
High-reliability Biometric Identification Systems The issue: –The public is very sensitive to use of biometric identification, particularly when reliability is less than perfect. How can systems be improved to a level of reliability that will be accepted in the financial environment? Life-cycle: –Awareness and Assessment, Preparation and Prevention Business/technology impact: –Authentication and Access Control Time frame: –Mid-term
14
Wide-spread Identity Theft The issue: –Credit and related information is stored in databases where the theft of millions of identifies is possible (cf. NYTimes report 2/24 on theft of 145,000 identities from ChoicePoint) Life-cycle: –Preparation and Prevention, Detection and Reaction, Recovery and Restoration Business/technology impact: –Information Security, Business Continuity, Authentication and Access Control Time frame: –Mid-term
15
Asset Movement Pattern Recognition The issue: –It is relatively easy to track small number of large value transactions. In today’s world, terrorists are more likely to be funding operations with large numbers of small value transactions. How do we find them? Life-cycle: –Detection and Reaction Business/technology impact: –Authentication and Access Control Time frame: –Near term
16
Data Replication Technology The issue: –To continue operating in the face of potential wide-scale disruptions, FIs are locating secondary and tertiary sites hundreds of miles apart. The need for “aggressive” recovery time and recovery point objectives implies the need for new types of data replication approaches. Life-cycle: –Preparation and Prevention, Recovery and Restoration Business/technology impact: –Business Continuity Time frame: –Near term
17
Selection Criteria Program will seek diversity in: –CIP “life-cycle phases” –Business process and technology impact areas –Time frame –Research risk (exploratory to developmental)
18
Current Activities Analyzed existing R&D agendas for applicability to goals of project Augment with topics based on industry needs Vet with industry experts and organizations Develop funding and governance model Work with public and private sector to create funding sources Manage RFP process Organize information sharing
19
Closing the CIP Technology Gap State-of-the-Art (Proven Technology) State-of-the-Practice Time Technological Advance The State-of-the-Practice must improve at an average rate faster than improvements in the State-of-the-Art, and must deal with the uneven progress of improvements in the State-of-the-Art. Variation among organizations can be large at any point in time. Goal is also to reduce the variation among organizations.
20
For more information, contact: scott.parsons@do.treas.gov –Scott Parsons, Deputy Assistant Secretary scott.parsons@do.treas.gov brian.peretti@do.treas.gov –Brian Peretti, Program Manager brian.peretti@do.treas.gov
21
The Treasury CIP R&D Agenda Project: “Close the Gap”
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.