Plan for incident response and information sharing [SWIFT CSP 8/8]

Robin · Dec 28, 2017

This post is the final part of an eight-part series helping business leaders seeking assurance that their teams have correctly complied with the new controls regime.

In this post we are looking at the eighth principle: Plan for Incident Response and Information Sharing.

This applies to those with on-premise SWIFT implementations and those using a bureau service. Having robust and clear response plans can significantly reduce the impact of an attack on your business.

What’s the risk?

In the high-profile cases of attacks against banks’ SWIFT infrastructure reported in the news, the attackers had been present on the bank’s network for a significant period of time before the fraudulent payments were made.

A mature response capability can help you reduce the impact of the cyber risk to your SWIFT infrastructure, should it become a reality.

In our final bank vault analogy the thieves have been successful in breaking into our safe. We have spotted them on CCTV though, and staff know exactly what they need to do in order to minimise losses: instigating response plans and notifying the relevant authorities.

Of course, your response will only be triggered, and stand a chance of reducing your impact, if you have adequate detection capabilities.

The control objective:

The objective of the mandatory controls in this principle is to ensure that staff are aware of their security responsibilities and that the organisation has a consistent, effective approach to managing cyber incidents.

The controls in this principle are designed to ensure you have a defined, tested response plan and that roles and responsibilities are communicated and understood across your teams. In doing so you will reduce the impact of a successful attack, because your teams will be able to respond more swiftly to detected attacks and unusual behaviour.

Questions to ask:

When seeking assurance that they have met the obligations of this control, Senior Managers should consider the following questions to give confidence in their attestation and in the reduction of risk:

When was the last time you completed security awareness training?

Staff and contractors operating your SWIFT applications or maintaining your infrastructure should have regular training on the cyber risk to your business, and this training must be conducted at least annually.

How does training differ for our different team members?

Staff responsible for maintaining your SWIFT infrastructure will require different knowledge of the cyber risk to your business than those operating your payments applications. It is important that individuals receive training tailored to their responsibilities and that highlights their roles in any response plans.

When was our cyber incident response plan last tested?

Your organisation should have a documented and rehearsed plan to respond to cyber incidents, and particularly ones which could have a significant impact on the financial health of your organisation, such as those against your payment infrastructure.

Your plan should be reviewed at least annually and formally tested at least bi-annually, or when significant changes occur.

Who do we have to notify in the event of an incident?

Your organisation has a responsibility to notify certain parties about cyber incidents affecting your business. In particular you have an obligation to inform SWIFT if you believe your SWIFT infrastructure may have been compromised, for the safety of the wider network.

How do we share and consume threat intelligence?

You should have the ability to consume threat intelligence and technical indicators of compromise from SWIFT and other sources. Sharing your own threat intelligence, derived from investigations into potential incidents on your payments infrastructure, with SWIFT, law enforcement and local regulators is also required.

In conclusion

Typically, to have successfully implemented the controls in this principle, your teams will have ensured that you have a robust and tested cyber response plan in place covering your SWIFT infrastructure.

They will have reviewed the process by which incidents are identified, managed, investigated and resolved.

They will have ensured that intelligence from other attacks is used to help protect your organisation and that you share your own findings from investigations with the relevant parties.

In doing so, your team will have made you more likely to be able to respond quickly and efficiently to cyber threats and limit the impact on your organisation.

This concludes our eight-part series looking at how senior managers can question technical teams ahead of the self-attestation deadline. You can also see the rest of the posts in this series.

I hope you have found the series useful and are now confident in your compliance position ahead of the 31st December 2017 deadline!

Please feel free to comment if you have any questions or drop me a message for more information.