
How ISDPTool eases compliance with FINMA circular 2008/21

  • Stéphane Adamiste
  • 28 Nov 2020

Compliance with FINMA circular 2008/21: as per the requirements of FINMA circular 2008/21, Swiss financial institutions shall document how they manage the operational risks arising from their technology infrastructure, and in particular cyber-risks (i.e. potential losses resulting from cyber-attacks).

The circular names five domains that the institutions' security management concept must cover (Identify, Protect, Detect, Respond, Recover), which correspond to the structure of the NIST Cybersecurity Framework.

Annex 3 of the circular further details specific requirements for protecting the confidentiality of Client Identifying Data (CID).

In many ways, ISDPTool eases the compliance effort with FINMA circular 2008/21. Let us imagine that, as a private bank willing to strengthen relations with your clients, you have decided to implement a new Customer Relationship Management (CRM) tool.

Your first challenge is to document how you will ensure that the risk of compromising CID processed within this CRM is reduced to a residual level. ISDPTool lets you adopt a systematic, comprehensive (seeing the glass as half full does not work in information security) and automated approach to identify the threats pertaining to your future CRM tool, and to list exhaustively the security controls likely to reduce the corresponding risks to a residual level. To do so, the tool leverages threat modelling techniques: the automatically generated list of applicable threats and mitigating security controls takes into account where the CID are processed and by whom (everyone likely to access CID being a potential threat agent), where they transit and where they are stored.

Your second challenge is an operational one: you must ensure that the applicable security controls are implemented during the project lifecycle, and that they are implemented effectively. This is typically where most companies experience difficulties, and it is precisely to facilitate this process that ISDPTool has been designed: it provides concrete guidance (implementation hints and protection profiles) on how to implement each applicable control. The suitable organisation to do so ideally involves collaboration between the company's security team and the project manager (see this blog post for details). ISDPTool provides controls from the ISO 27002:2013 standard. This choice was made so that companies can, if they wish, certify their Information Security Management System against the ISO 27001 standard. The continuous improvement approach supported by ISO 27001 satisfies the requirement set by circular 2008/21 to continuously refine the framework for securing CID confidentiality. In addition, ISDPTool integrates a mapping with the NIST Cybersecurity Framework to show how the security controls are spread across the framework's five domains.

The following snapshot shows a sample recommendation provided to an IT project. The project manager, assisted by a security specialist if necessary, documents how the control has been implemented in the project.

[Image: compliance FINMA circular]

Finally, thanks to its unique threats <-> controls mapping, ISDPTool allows you to demonstrate to FINMA how you have actually addressed each single threat pertaining to the CRM, by issuing explicit dashboards that provide objective data for evaluating residual risks.

[Image: compliance FINMA circular 2008/21]
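As an added illustration (not ISDPTool's own code or data model), the following Python sketch shows the mechanism described above: each CID location, with its state and the actors able to reach it, generates applicable threats; each threat maps to ISO 27002:2013 controls tagged with the NIST CSF function they serve; and a dashboard reports which threats still lack an implemented control. The threat list, the threat-to-control mapping and the CRM project data are constructed assumptions, and the control numbers are ISO 27002:2013 clause numbers used for illustration only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CidLocation:
    """Where CID lives in the CRM project and who can reach it there (each a potential threat agent)."""
    name: str
    state: str      # "processed", "transit" or "stored"
    actors: tuple

# Constructed rule base (an assumption, not ISDPTool's catalogue): threats raised by each CID
# state, and per threat the ISO 27002:2013 controls mitigating it, tagged with the NIST CSF function.
THREATS_BY_STATE = {
    "processed": ("unauthorised access by a user", "CID disclosure via export"),
    "transit": ("interception on the network",),
    "stored": ("theft of backup media", "undetected data exfiltration"),
}
CONTROLS_BY_THREAT = {
    "unauthorised access by a user": (("9.4.1", "Protect"), ("12.4.1", "Detect")),
    "CID disclosure via export": (("8.2.3", "Protect"), ("12.4.1", "Detect")),
    "interception on the network": (("13.2.1", "Protect"), ("10.1.1", "Protect")),
    "theft of backup media": (("8.3.1", "Protect"), ("10.1.1", "Protect")),
    "undetected data exfiltration": (("12.4.1", "Detect"), ("16.1.1", "Respond")),
}

def applicable_threats(locations):
    """One (location, threat, actor) triple per actor able to realise the threat."""
    return [(loc.name, threat, actor) for loc in locations
            for threat in THREATS_BY_STATE[loc.state] for actor in loc.actors]

def residual_risk_dashboard(locations, implemented):
    """Return (threats still missing controls, coverage per NIST function as (done, required))."""
    missing, required = {}, {}
    for _, threat, _ in applicable_threats(locations):
        for control, function in CONTROLS_BY_THREAT[threat]:
            required.setdefault(function, set()).add(control)
            if control not in implemented:
                missing.setdefault(threat, set()).add(control)
    coverage = {f: (sum(c in implemented for c in cs), len(cs)) for f, cs in required.items()}
    return {t: sorted(cs) for t, cs in sorted(missing.items())}, coverage

# Constructed CRM project: where CID is processed, transits and is stored, and which
# controls the project manager has so far reported as implemented.
CRM_LOCATIONS = (
    CidLocation("CRM web front-end", "processed", ("relationship manager", "CRM admin")),
    CidLocation("front-end to database link", "transit", ("network operator",)),
    CidLocation("CRM database and backups", "stored", ("DBA", "backup operator")),
)
IMPLEMENTED_CONTROLS = {"9.4.1", "12.4.1", "13.2.1", "10.1.1"}
if __name__ == "__main__":
    print(residual_risk_dashboard(CRM_LOCATIONS, IMPLEMENTED_CONTROLS))
```

With the controls above reported as done, the dashboard still lists three open threats and shows the Respond function entirely uncovered, which is the kind of objective residual-risk data a reviewer can act on.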
