Information Security and Privacy Strategic Plan

Information Security and Privacy Strategic Plan Federal Deposit Insurance Corporation 2018 - 2021

Office of Chief Information Security Officer

Version 1 / 12.4.17


Table of Contents

2 Executive Summary

4 Introduction

8 Strategic Goals and Themes

9 Strategic Goal 1 Protect FDIC information assets, manage threats, and sustain business operations.

11 Strategic Goal 2 Continuously improve programs, processes, and tools to strengthen FDIC’s cybersecurity and privacy posture.

13 Strategic Goal 3 Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges.

15 Theme 1 – Privacy

15 Theme 2 – Risk Management

16 Theme 3 – Governance

17 Path Forward

18 Appendix A – Traceability Matrix


Federal Deposit Insurance Corporation

Executive Summary

The 2018-2021 Federal Deposit Insurance Corporation (FDIC) Information Security and Privacy Strategic Plan (ISP SP) directly aligns to, and supports, the FDIC Information Technology (IT) Strategic Plan 2017-2020 (ITSP). It has been developed in collaboration with the Office of the Chief Information Security Officer (OCISO) along with the Chief Information Officer (CIO) / Chief Privacy Officer (CPO).

The FDIC maintains various types of sensitive information in the course of doing business, including information from both the federal and private sectors. The security challenges and threat environment for FDIC’s information systems are continually evolving. To address these threats, the FDIC must continue to develop and implement comprehensive, risk-based approaches to protect the information handled in support of the FDIC mission.

This ISP SP outlines how the FDIC’s information security and privacy programs continuously evolve to protect the FDIC’s information assets and assure the confidentiality, integrity, and availability of the information vital to achieve the FDIC’s mission. The ISP SP identifies three strategic goals, with supporting objectives, developed around: (1) protecting FDIC information assets, managing threats, and sustaining business operations; (2) continuously improving programs, processes, and tools; and (3) cultivating a highly effective, enterprise-integrated cybersecurity and privacy workforce.

Privacy, Risk Management, and Governance are interwoven themes cross-cutting these three goals. These themes ensure that information security and privacy are ingrained into FDIC’s culture and are built in by design; that cyber and privacy risks are identified, well-understood, and managed; and that governance is in place to collaborate with internal and external partners and ensure sufficient cybersecurity and privacy protection implementation. The themes, along with the Strategic Goals and their supporting Strategic Objectives, can be seen in Figure 1.

Figure 1: ISP SP Overview

Cross-Cutting Themes

• Privacy: Ensure compliance with applicable privacy requirements, develop and evaluate privacy policy, and manage privacy risks.
• Risk Management: Focus on protecting the information assets critical to meeting FDIC’s mission to maximize reduction of impact should cyber attacks occur.
• Governance: Maximize effectiveness of the security and privacy programs through measures and corresponding updates, integration into budgeting activities, and regular communication with FDIC Divisions and Offices.

Strategic Goals and Objectives

Strategic Goal 1: Protect information assets, manage threats, and sustain business operations.

1.1 Implement protections commensurate with the sensitivity and criticality of FDIC information assets.

1.2 Ensure OCISO capabilities effectively protect FDIC business functions using a risk-based approach.

1.3 Enable FDIC business functions to continue executing their missions in the case of an adverse cyber event.

Strategic Goal 2: Continuously improve programs, processes, and tools to strengthen FDIC’s cybersecurity posture and privacy protection.

2.1 Maintain and augment security monitoring, detection, and incident response functions commensurate with risks.

2.2 Ensure that the security architecture evolves with the threat environment as well as information security and privacy risks.

2.3 Ensure FDIC privacy and information security programs address emerging IT and business capabilities.

Strategic Goal 3: Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges.

3.1 Implement programs that create an attractive environment to recruit and retain highly effective cybersecurity and privacy professionals.

3.2 Assess, develop, and implement training for the cybersecurity and privacy workforce on emerging technology, threats, and federal mandates and guidance.

3.3 Ingrain cybersecurity and privacy within the FDIC culture through communication and collaboration.

Introduction

Congress created the FDIC in the Banking Act of 1933 to maintain stability and public confidence in the nation’s banking system. Information security and privacy are key elements for the success of FDIC’s core programs. The FDIC must ensure that strong security and privacy controls protect the information used in the course of carrying out its responsibilities. The FDIC Mission and Vision statements are below.

FDIC Mission

The Federal Deposit Insurance Corporation (FDIC) is an independent agency created by the Congress to maintain stability and public confidence in the nation’s financial system by: insuring deposits, examining and supervising financial institutions for safety and soundness and consumer protection, and managing receiverships.

FDIC Vision

The FDIC is a recognized leader in promoting sound public policies, addressing risks in the nation’s financial system, and carrying out its insurance, supervisory, consumer protection, and receivership management responsibilities.

Cybersecurity incidents are a growing threat to consumers, financial institutions, other businesses, and financial market utilities, as well as government agencies, including the FDIC. The FDIC maintains sensitive financial, supervisory, and personal information in the conduct of its mission. The FDIC must continue to enhance its responsiveness to the increasing number of threats to the security, privacy, and integrity of its large holdings of sensitive information, while ensuring sustainability of operations.

A knowledgeable FDIC-wide security and privacy workforce supports OCISO’s ability to assure that FDIC business divisions and offices are able to operate securely. Knowledge of technology standards, enterprise architecture principles, and risk methodologies is particularly important. FDIC is optimizing cybersecurity and privacy skillsets by leveraging the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) and other frameworks.1

A strong cybersecurity and privacy culture is critical to successfully protect FDIC information and execution of business functions. OCISO provides a governance and risk management structure designed to integrate information security and privacy considerations into decision making and an enterprise security architecture that communicates common security design principles. Communication, collaboration, and accountability are essential for establishing a culture of cybersecurity and privacy.

1 The NICE framework assists public, private, and academic organizations in ensuring they have the necessary cybersecurity functions, specialty areas of work, and work roles.


The Office of the Chief Information Security Officer (OCISO), part of the Chief Information Officer (CIO) Organization (CIOO), ensures the security and privacy of FDIC information assets, regardless of location, against unauthorized access, use, disclosure, modification, damage, or loss. These protections enable FDIC Divisions and Offices to securely achieve the FDIC mission. To accomplish this, OCISO advances FDIC enterprise policy and guidance; ensures a common enterprise security architecture informs solution selection and design; educates FDIC personnel about information security and privacy; assists in strengthening safeguards; and responds to breaches and information security incidents and events that endanger the FDIC’s information assets. The OCISO mission and CIOO vision, which are aligned to and support the FDIC mission and vision, are provided below.

The FDIC conducted a gap analysis as a precursor to developing the Information Security and Privacy Strategic Plan (ISP SP), which focused on the various federal requirements for strengthening an organization’s cybersecurity and privacy posture. Specifically, it focused on alignment to the NIST Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework [CSF]) as mandated by Executive Order 13800, the Office of Management and Budget’s (OMB’s) Circular A-130, Managing Information as a Strategic Resource, Appendix II (General Requirements, which specify privacy responsibilities), and the five cybersecurity strategic objectives of OMB’s M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. The goals and objectives of the FDIC ISP SP are aligned with the federal requirements conveyed in these guidance documents.

OCISO Mission

The mission of the Office of the Chief Information Security Officer (OCISO) is to provide enterprise-wide information security and privacy programs that assure integrity, confidentiality, and availability of corporate information by proactively protecting the assets from unauthorized access and misuse.

CIO Organization Vision

To provide scalable, efficient technology that enables continuous access to data securely from any place at any time.


In addition, the ISP SP and its emphasis on the protection of FDIC’s information assets from unauthorized use, disclosure, modification, damage, and loss is in direct alignment with the FDIC Information Technology (IT) Strategic Plan 2017-2020 (ITSP), which supports the 2017-2020 FDIC Strategic Plan. The first goal of the FDIC ITSP focuses on ensuring that, “Information security and privacy are ingrained in FDIC culture ensuring IT solutions are secure by design and cyber risks are well-understood, managed, and minimized in accordance with business needs.” The ITSP goals and objectives, to which this plan aligns, are illustrated in Figure 2.

Figure 2: ITSP Overview

Cross-Cutting Themes

• Collaboration: Stakeholders share responsibility for IT service delivery, relying on strong communication and trust.
• Resource Optimization: Costs are minimized and well-understood, policies and procedures are current, and work is identified, prioritized, managed, and communicated with relevant business partners.
• Innovation: Transformative ideas are introduced that generate interaction, experimentation, and new IT capabilities.

Goals

• Information Security and Privacy: Information security and privacy are ingrained in FDIC culture ensuring IT solutions are secure by design and cyber risks are well-understood, managed and minimized in accordance with business needs.
• Continuity of Operations: FDIC IT services are continuously available consistent with federal regulatory and internal operational requirements.
• Enterprise Mobility: Devices and applications enable authorized users to conduct their business securely with the FDIC from any location.
• Information Management and Analytics: FDIC authorized users have access to authoritative data and information that support improved operations and decision-making.
• IT Service Delivery: FDIC IT professionals provide high quality, cost-effective services and support.


While the ISP SP is most directly aligned to the first ITSP goal of Information Security and Privacy, it also supports other ITSP goals and cross-cutting themes.

• ISP SP Goal 1, “Protect FDIC information assets, manage threats, and sustain business operations,” contributes to the second ITSP goal of Continuity of Operations and the third goal of Enterprise Mobility.
• ISP SP Goal 2, “Continuously improve programs, processes, and tools to strengthen the FDIC’s cybersecurity and privacy posture,” supports the ITSP goals of Enterprise Mobility, Information Management and Analytics, and the theme of Innovation.
• ISP SP Goal 3, “Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges,” is consistent with the ITSP theme of Collaboration.

Appendix A includes a more detailed traceability matrix between the ISP SP and ITSP.

This plan sets priorities for the FDIC to efficiently and effectively address the management, control, and protection of the FDIC’s information assets. In addition, this document outlines the strategic goals and objectives for future initiatives and identifies the components necessary to iteratively improve the security and privacy posture of the FDIC, in support of the business divisions and offices.

Strategic Goals and Themes

This plan identifies three goals and three cross-cutting themes. Each goal presents an opportunity to improve how FDIC conducts its business securely. As FDIC addresses each goal, the themes provide the foundation for implementation. The following pages elaborate on the themes, goals, and objectives identified to achieve the goals.

Figure 3: Information Security and Privacy Strategic Plan Overview (the cross-cutting themes of Privacy, Risk Management, and Governance; Strategic Goals 1 through 3; and Objectives 1.1 through 3.3, as shown in Figure 1)


Strategic Goal 1 Protect FDIC information assets, manage threats, and sustain business operations.

Description

As enablers for the FDIC Divisions and Offices to achieve their missions, information security and privacy must be balanced against business needs and ensure that the business continues to operate even under active cyber threats. Protections for information assets, which include information and technology owned by FDIC and entrusted to FDIC by outside entities, are implemented using a risk-based approach that considers the importance of the asset in achieving FDIC’s mission and aligns with enterprise architecture principles.

Strategic Objectives

1.1 Strengthen protections commensurate with the sensitivity and criticality of FDIC information assets.

• Strengthen identification and classification of information assets.
• Improve identification and management of security and privacy risks.
• Augment security and privacy control mechanisms and strategies consistent with emerging threats and technology, and the enterprise security architecture.

1.2 Ensure OCISO capabilities effectively protect FDIC business functions using a risk-based approach.

• Integrate privacy requirements and align the security architecture with the FDIC’s enterprise architecture and development framework to ensure delivery of secure capabilities.
• Monitor, evaluate, and communicate the implementation of information security and privacy policies and practices across the FDIC enterprise.
• Increase communication and collaboration where information security and privacy risks and program execution intersect with business decisions and operations.
• Strengthen divisional representation in ensuring information security and privacy protections, balanced with business needs.
• Continue to track, assess, and minimize collection and retention of PII.
• Promote transparency and trust in FDIC’s maintenance and protection of PII.


1.3 Enable FDIC business functions to continue executing their missions in the case of an adverse cyber event.

• Evaluate the FDIC’s regulatory, risk, environmental, and operational drivers related to business continuity.
• Adapt and implement cyber resiliency design principles within FDIC’s enterprise security architecture to improve the ability to quickly recognize, respond to, and recover from cyber attacks.
• Collaborate with the Division of Information Technology (DIT), business divisions and offices to ensure continuous availability of IT functions and information assets with strengthened data security.
• Evaluate FDIC compliance with recovery policies during system disruptions and outages and use lessons learned for future improvements.

Outcome

Business operations are secured; information assets and infrastructure are protected; and risks are communicated, well-understood and managed.


Strategic Goal 2 Continuously improve programs, processes, and tools to strengthen FDIC’s cybersecurity and privacy posture.

Description

Due to the ever-evolving threat and technology landscape, the FDIC needs to continually streamline and enhance capabilities in a cohesive, coordinated manner. With established capabilities integrated across the enterprise and communicated in an enterprise security architecture that informs the design and selection of IT investments, the FDIC will ensure that risks are addressed and information assets achieve the necessary levels of protection.

Strategic Objectives

2.1 Maintain and augment monitoring, detection, and incident response functions commensurate with security and privacy risks.

• Continuously monitor FDIC information assets to maintain and enhance situational awareness to manage risk.
• Coordinate with the Division of Information Technology (DIT), business divisions and offices to address technology risks that may result in elevated security or privacy risks.
• Employ techniques to detect, contain, and respond to malicious activity and emerging threats.
• Enhance and coordinate incident response activities to quickly respond to and recover from breaches or information security incidents and minimize impact on FDIC and affected individuals.
• Improve the use of metrics and leverage information gained from incidents to enhance and update the enterprise security architecture to ensure it addresses emerging risks.
• Assess risk and impact from potential and confirmed breaches and ensure timely communications with affected parties.
• Establish and maintain an optimized tools and services inventory, to align with the FDIC enterprise security architecture and applicable guidance such as the NIST Cybersecurity Framework (CSF).

2.2 Ensure FDIC security architecture evolves with the threat environment, as well as information security and privacy risks.

• Employ mechanisms and prioritization commensurate with risk to manage system vulnerabilities through a proactive, comprehensive approach.
• Obtain and share information on cyber threats targeting the federal or financial industry.
• Proactively investigate emerging security and privacy threats for potential impact to FDIC business functions.


2.3 Ensure FDIC privacy and information security programs address emerging IT capabilities and business needs.

• Collaboratively develop, adopt, and update policies, processes, and standards to better guide implementation of protections, as well as improve and maintain compliance with applicable federal law and policy.
• Work with FDIC Divisions and Offices to identify and respond to current and emerging needs for information security and privacy.
• Continuously measure and align the information security and privacy posture with emerging technology, business needs, and industry leading practices.
• Incorporate aligned information security and privacy posture into the FDIC security architecture and technical security reference standards.
• Address privacy and cybersecurity concerns early and continuously throughout the acquisition and development lifecycles to minimize risks.

Outcome

FDIC information security and privacy protection capabilities are responsive to a dynamic environment and business needs.


Strategic Goal 3 Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges.

Description

The FDIC workforce, within OCISO and across the enterprise, is the front-line defense against cybersecurity incidents, breaches, and risks. The FDIC will continue to attract and maintain the highest quality cybersecurity and privacy workforce commensurate with business needs, as well as ensure that best practices and training are shared across the enterprise.

Strategic Objectives

3.1 Implement programs that create an environment to recruit and retain highly effective cybersecurity and privacy professionals.

• Ensure FDIC has a sufficient workforce commensurate with the FDIC’s information security and privacy needs.
• Adopt leading practices for recruiting, selecting, and hiring cybersecurity and privacy personnel.
• Partner with appropriate entities within the FDIC to identify targeted recruiting efforts to attract highly qualified early career professionals and implement career path opportunities.

3.2 Assess, develop, and implement training for the cybersecurity and privacy workforce throughout FDIC on emerging technology, threats, and federal mandates and guidance.

• Ensure the FDIC’s cybersecurity and privacy workforce has the capabilities and skillsets defined in applicable frameworks, such as the NIST NICE framework.
• Collaborate and communicate with appropriate entities within FDIC to create partnerships with universities, industry groups, and other entities to foster idea exchange, curriculum development, and awareness of leading practices.
• Promote understanding and adoption of enterprise security architecture principles and their application to IT investment and design.
• Develop and implement training plans for the FDIC cybersecurity and privacy workforce.


3.3 Ingrain cybersecurity and privacy within the FDIC culture through communication and collaboration.

• Promote an environment where FDIC personnel are aware and considerate of privacy and information security principles and responsibilities.
• Provide ongoing education, including communication, messaging, and training, for FDIC personnel on secure information practices.
• Establish forums or mechanisms that foster on-going information exchange and collaboration in the sharing and education of emerging areas of privacy or information security.

Outcome

Risk is managed through a culture of shared responsibility for security and privacy across FDIC supported by a high-quality cybersecurity and privacy workforce balanced with business needs.

Themes

The FDIC ISP SP’s goals build upon a foundation of three cross-cutting themes interwoven through all three strategic goals.

Theme 1 – Privacy

Privacy is critical to the FDIC due to the Personally Identifiable Information (PII) it collects through receivership, examination, and other business activities. Protection of PII is represented across many of the objectives within the ISP SP. Privacy must also address risks beyond those of information security. This includes ensuring transparency of types and uses for PII that is collected, as well as specific disclosure, access, and notice requirements that may be different from those for non-PII. As such, privacy requirements must also be discrete considerations when designing, developing, and acquiring systems or services that may store or process PII.

The FDIC has established a corporate-wide Privacy Program, which reports directly to the Chief Information Security Officer (CISO)/Deputy Chief Privacy Officer. Utilizing the Fair Information Practice Principles (FIPPs),2 the privacy program is focused on ensuring that appropriate steps are taken to ensure compliance with applicable privacy requirements, develop and evaluate privacy policy, and manage privacy risks across the FDIC.

Theme 2 – Risk Management

A core component of cybersecurity and privacy activities is managing risk. As FDIC Divisions and Offices continue their reliance on technology, FDIC must be agile in preventing, detecting, and responding to cyber attacks that are ever increasing, both in number and sophistication. The environment poses many threats against many systems, with both known and unknown vulnerabilities, which makes it difficult for the FDIC to address all of them. As such, the Corporation must understand threats specific to its environment. FDIC must also rank and prioritize information assets to implement protections commensurate with risks.

Proper risk management can more effectively guide appropriate investments and resource levels required to address areas posing the highest risk to FDIC information assets and infrastructure. The FDIC will maintain relationships with internal and external entities to collect, assess, and respond to cybersecurity threats and vulnerabilities and will conform to a security architecture to manage system complexity and diversity to minimize risks. Continuing to mature and integrate risk management when implementing any of the following strategic objectives will allow the FDIC’s OCISO, Divisions, and Offices to focus on what is most important to reduce impact should cyber attacks occur.

2 The FIPPs are a collection of widely accepted principles that agencies should use when evaluating systems, processes, programs, and activities that affect individual privacy. The FIPPs are not OMB requirements; rather they are principles that should be applied by each agency according to the agency's particular mission and privacy program requirements. The Federal government's most recent articulation of the FIPPs is contained in the revised OMB Circular A-130 announced July 27, 2016. They are as follows: Access and Amendment, Accountability, Authority, Minimization, Quality and Integrity, Individual Participation, Purpose Specification and Use Limitation, Security, and Transparency.


Theme 3 - Governance

Governance provides a mechanism for overseeing the information security of key systems and for setting and enforcing security and privacy standards and practices within the FDIC. To accomplish this, information security and privacy must be an integral part of technology investment planning and the FDIC Enterprise Architecture, and the programs must be aligned with business functions and priorities. Adoption and integration of an enterprise security architecture will support proper business alignment, data governance, and application design principles, and will ensure systems are built on infrastructures that minimize architectural complexity and provide cyber resilience.

The FDIC is developing enterprise security principles, leveraging the Federal Enterprise Architecture Framework (FEAF)3 and technical security architecture standards, which align with the FDIC Enterprise Architecture. The FDIC's implementation of effective oversight and communication mechanisms ensures that the information security and privacy programs are meeting FDIC mission needs. This is done through frequent, regular interaction with FDIC business executives, analysis of performance and risk metrics and measures, conformance with a common security architecture, and risk-informed decision making.

3 The FEAF v2.0 describes a suite of tools to help government planners implement the Common Approach to Federal Enterprise Architecture, released in May 2012. At FEAF's core is the Consolidated Reference Model (CRM) to equip OMB and Federal agencies with a common language and framework to describe and analyze investments and provide traceability from strategic goals to the infrastructure that enables achievement of those goals.


Path Forward

In alignment with the FDIC IT Strategic Plan Goal 1, Information Security and Privacy, the FDIC ISP SP demonstrates commitment to mitigate risks across the Corporation, improve resilience of the Corporation’s systems and networks, and protect information assets.

The ISP SP is the foundation upon which FDIC will update its cybersecurity and privacy approach. The FDIC will develop an implementation plan that includes tasks tied to timelines and assigned to responsible parties. This will help guide the Corporation through the changes necessary to meet stated goals and objectives. In parallel, the organization will develop performance measures for the objectives and activities to track and manage progress. These measures will provide information needed to make resource-related decisions.

As part of the implementation plan, the FDIC will develop and use an Information Security and Privacy Strategy Roadmap that will operationalize the strategy by sequencing the activities needed to meet the goals and objectives. The Corporation will use the roadmap to:
• Prioritize initiatives
• Identify future needs
• Establish unity of effort among stakeholders
• Measure progress
• Enhance governance through transparency, accountability and data-driven decision making
• Revisit, refine, and update the ISP SP

The ISP SP will be reviewed annually for relevancy, currency, and applicability. It will be modified, as necessary, to keep pace with the changing environment. OCISO's ability to successfully achieve the objectives in this plan requires the continued commitment and cooperative support of the entire FDIC.


Appendix A - Traceability Matrix

The traceability matrix cross-references the elements of this plan (its goals, objectives, and themes) against, first, the elements of the FDIC IT Strategic Plan and, second, the external drivers the plan responds to: the NIST Cybersecurity Framework, OMB M-16-04, and Inspector General audit findings and recommendations. The row and column headings of both matrices are reproduced below; the cell marks indicating which elements align are not reproduced in this text version.

ISP SP elements (rows of both matrices)

Goal 1: Protect information assets, manage threats, and sustain business operations.
• Objective 1.1 Strengthen protections commensurate with the sensitivity and criticality of FDIC information assets.
• Objective 1.2 Ensure OCISO capabilities effectively protect FDIC business functions and assets using a risk-based approach.
• Objective 1.3 Enable FDIC business functions to continue executing their missions in the case of an adverse cyber event.

Goal 2: Continuously improve programs, processes, and tools to strengthen the FDIC's cybersecurity posture and privacy protection.
• Objective 2.1 Maintain and augment monitoring, detection, and incident response functions commensurate with security and privacy risks.
• Objective 2.2 Ensure that the security architecture evolves with the threat environment as well as information security and privacy risks.
• Objective 2.3 Ensure FDIC privacy and information security programs address emerging IT capabilities and business needs.

Goal 3: Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges.
• Objective 3.1 Implement programs that create an environment to recruit and retain highly effective cybersecurity and privacy professionals.
• Objective 3.2 Assess, develop, and implement training for the cybersecurity and privacy workforce throughout the FDIC on emerging technology, threats, and federal mandates and guidance.
• Objective 3.3 Ingrain cybersecurity and privacy within the FDIC culture through communication and collaboration.

Theme: Privacy
Theme: Risk Management
Theme: Governance

Matrix 1 columns - Source: IT Strategic Plan (Strategic Plan Element)

Goal 1 Information Security and Privacy
• Objective 1.1 Use multi-factor authentication (MFA) to provide higher levels of assurance when accessing FDIC systems
• Objective 1.2 Address emerging regulatory requirements, technology advancements, and the risks associated with new and evolving threats
• Objective 1.3 Safeguard information wherever it resides, providing security and privacy protections commensurate with its sensitivity
• Objective 1.4 Ensure that authorized users understand, accept, and follow security and privacy responsibilities

Goal 2 Continuity of Operations: FDIC IT services are continuously available consistent with federal regulatory and internal operational requirements

Goal 3 Enterprise Mobility: Devices and applications enable authorized users to conduct their business securely with the FDIC from any location

Goal 4 Information Management and Analytics: FDIC authorized users have access to authoritative data and information that support improved operations and decision-making

Goal 5 IT Service Delivery: FDIC IT professionals provide high quality, cost-effective services and support

Theme 1 Collaboration: Stakeholders share responsibility for IT service delivery, relying on strong communication and trust

Theme 2 Resource Optimization: Costs are minimized and well-understood, policies and procedures are current, and work is identified, prioritized, managed, and communicated with relevant business partners

Theme 3 Innovation: Transformative ideas are introduced that generate interaction, experimentation and new IT capabilities

Matrix 2 columns - external sources (Strategic Plan Element)

Source: Executive Order states NIST CSF must be used - "NIST Cybersecurity Framework 1.0" functions:
• Identify
• Protect
• Detect
• Respond
• Recover

Source: OMB M-16-04 (Five Cyber Priorities):
• "Prioritized Identification and Protection of high value information and assets"
• "Timely Detection of and Rapid Response to cyber incidents"
• "Rapid Recovery from incidents when they occur and Accelerated Adoption of lessons learned from the Sprint assessment"
• "Recruitment and Retention of the most highly-qualified Cybersecurity Workforce talent the Federal Government can bring to bear"
• "Efficient and Effective Acquisition and Deployment of Existing and Emerging Technology"

Source: IG Audit Findings and Recommendations


Design: DOA/FDIC/CSB/Design and Printing Unit