Information Security and Privacy Strategic Plan
Federal Deposit Insurance Corporation
2018 - 2021
Office of Chief Information Security Officer
Version 1 / 12.4.17
Table of Contents
Executive Summary ... 2
Introduction ... 4
Strategic Goals and Themes ... 8
Strategic Goal 1 – Protect FDIC information assets, manage threats, and sustain business operations. ... 9
Strategic Goal 2 – Continuously improve programs, processes, and tools to strengthen FDIC’s cybersecurity and privacy posture. ... 11
Strategic Goal 3 – Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges. ... 13
Theme 1 – Privacy ... 15
Theme 2 – Risk Management ... 15
Theme 3 – Governance ... 16
Path Forward ... 17
Appendix A – Traceability Matrix ... 18
Information Security and Privacy Strategic Plan
Federal Deposit Insurance Corporation
Executive Summary
The 2018-2021 Federal Deposit Insurance Corporation (FDIC) Information Security and Privacy Strategic Plan (ISP SP) directly aligns to, and supports, the FDIC Information Technology (IT) Strategic Plan 2017-2020 (ITSP). It has been developed in collaboration with the Office of the Chief Information Security Officer (OCISO) along with the Chief Information Officer (CIO) / Chief Privacy Officer (CPO).
The FDIC maintains various types of sensitive information in the course of doing business, including from both the federal and private sector. The security challenges and threat environment for FDIC’s information systems are continually evolving. To address these threats, the FDIC must continue to develop and implement comprehensive, risk-based approaches to protect the information handled in support of the FDIC mission.
This ISP SP outlines how the FDIC’s information security and privacy programs continuously evolve to protect the FDIC’s information assets and assure the confidentiality, integrity, and availability of the information vital to achieve the FDIC’s mission. The ISP SP identifies three strategic goals, with supporting objectives, developed around: (1) protecting FDIC information assets, managing threats, and sustaining business operations; (2) continuously improving programs, processes, and tools; and (3) cultivating a highly effective, enterprise-integrated cybersecurity and privacy workforce.
Privacy, Risk Management, and Governance are interwoven themes that cut across these three goals. These themes ensure that information security and privacy are ingrained into FDIC’s culture and are built in by design; that cyber and privacy risks are identified, well understood, and managed; and that governance is in place to collaborate with internal and external partners and ensure sufficient implementation of cybersecurity and privacy protections. The themes, along with the Strategic Goals and their supporting Strategic Objectives, are shown in Figure 1.
Figure 1: ISP SP Overview
Strategic Goals and Objectives
Strategic Goal 1 – Protect information assets, manage threats, and sustain business operations.
1.1 Implement protections commensurate with the sensitivity and criticality of FDIC information assets.
1.2 Ensure OCISO capabilities effectively protect FDIC business functions using a risk-based approach.
1.3 Enable FDIC business functions to continue executing their missions in the case of an adverse cyber event.
Strategic Goal 2 – Continuously improve programs, processes, and tools to strengthen FDIC’s cybersecurity posture and privacy protection.
2.1 Maintain and augment security monitoring, detection, and incident response functions commensurate with risks.
2.2 Ensure that the security architecture evolves with the threat environment as well as information security and privacy risks.
2.3 Ensure FDIC privacy and information security programs address emerging IT and business capabilities.
Strategic Goal 3 – Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges.
3.1 Implement programs that create an attractive environment to recruit and retain highly effective cybersecurity and privacy professionals.
3.2 Assess, develop, and implement training for the cybersecurity and privacy workforce on emerging technology, threats, and federal mandates and guidance.
3.3 Ingrain cybersecurity and privacy within the FDIC culture through communication and collaboration.
Cross-Cutting Themes
Privacy – Ensure compliance with applicable privacy requirements, develop and evaluate privacy policy, and manage privacy risks.
Risk Management – Focus on protecting the information assets critical to meeting FDIC’s mission to maximize reduction of impact should cyber attacks occur.
Governance – Maximize effectiveness of the security and privacy programs through measures and corresponding updates, integration into budgeting activities, and regular communication with FDIC Divisions and Offices.
Introduction
Congress created the FDIC in the Banking Act of 1933 to maintain stability and public confidence in the nation’s banking system. Information security and privacy are key elements for the success of FDIC’s core programs. The FDIC must ensure that strong security and privacy controls protect the information used in the course of carrying out its responsibilities. The FDIC Mission and Vision statements are below.
Cybersecurity incidents are a growing threat to consumers, financial institutions, other businesses, and financial market utilities, as well as government agencies, including the FDIC. The FDIC maintains sensitive financial, supervisory, and personal information in the conduct of its mission. The FDIC must continue to enhance its responsiveness to the increasing number of threats to the security, privacy, and integrity of its large holdings of sensitive information, while ensuring sustainability of operations.
FDIC Mission
The Federal Deposit Insurance Corporation (FDIC) is an independent agency created by the Congress to maintain stability and public confidence in the nation’s financial system by: insuring deposits, examining and supervising financial institutions for safety and soundness and consumer protection, and managing receiverships.
FDIC Vision
The FDIC is a recognized leader in promoting sound public policies, addressing risks in the nation’s financial system, and carrying out its insurance, supervisory, consumer protection, and receivership management responsibilities.
A knowledgeable FDIC-wide security and privacy workforce supports OCISO’s ability to assure that FDIC business divisions and offices are able to operate securely. Knowledge of technology standards, enterprise architecture principles, and risk methodologies is particularly important. FDIC is optimizing cybersecurity and privacy skillsets by leveraging the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) and other frameworks.1
A strong cybersecurity and privacy culture is critical to successfully protecting FDIC information and executing business functions. OCISO provides a governance and risk management structure designed to integrate information security and privacy considerations into decision making, and an enterprise security architecture that communicates common security design principles. Communication, collaboration, and accountability are essential for establishing a culture of cybersecurity and privacy.
1 The NICE framework assists public, private, and academic organizations in ensuring they have the necessary cybersecurity functions, specialty areas of work, and work roles.
The Office of the Chief Information Security Officer (OCISO), part of the Chief Information Officer (CIO) Organization (CIOO), ensures the security and privacy of FDIC information assets, regardless of location, against unauthorized access, use, disclosure, modification, damage, or loss. These protections enable FDIC Divisions and Offices to securely achieve the FDIC mission. To accomplish this, OCISO advances FDIC enterprise policy and guidance; ensures a common enterprise security architecture informs solution selection and design; educates FDIC personnel about information security and privacy; assists in strengthening safeguards; and responds to breaches and information security incidents and events that endanger the FDIC’s information assets. The OCISO mission and CIOO vision, which are aligned to and support the FDIC mission and vision, are provided below.
The FDIC conducted a gap analysis as a precursor to developing the Information Security and Privacy Strategic Plan (ISP SP), which focused on the various federal requirements for strengthening an organization’s cybersecurity and privacy posture. Specifically, it focused on alignment to the NIST Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework [CSF]) as mandated by Executive Order 13800; the Office of Management and Budget’s (OMB’s) Circular A-130, Managing Information as a Strategic Resource, Appendix II (General Requirements, which specifies privacy responsibilities); and the five cybersecurity strategic objectives of OMB’s M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. The goals and objectives of the FDIC ISP SP are aligned with the federal requirements conveyed in these guidance documents.
OCISO Mission
The mission of the Office of the Chief Information Security Officer (OCISO) is to provide enterprise-wide information security and privacy programs that assure integrity, confidentiality, and availability of corporate information by proactively protecting the assets from unauthorized access and misuse.
CIO Organization Vision
To provide scalable, efficient technology that enables continuous access to data securely from any place at any time.
In addition, the ISP SP, with its emphasis on the protection of FDIC’s information assets from unauthorized use, disclosure, modification, damage, and loss, is in direct alignment with the FDIC Information Technology (IT) Strategic Plan 2017-2020 (ITSP), which supports the 2017-2020 FDIC Strategic Plan. The first goal of the FDIC ITSP focuses on ensuring that, “Information security and privacy are ingrained in FDIC culture ensuring IT solutions are secure by design and cyber risks are well-understood, managed, and minimized in accordance with business needs.” The ITSP goals and objectives, to which this plan aligns, are illustrated in Figure 2.
Figure 2: ITSP Overview
Goals
Information Security and Privacy – Information security and privacy are ingrained in FDIC culture ensuring IT solutions are secure by design and cyber risks are well-understood, managed and minimized in accordance with business needs.
Continuity of Operations – FDIC IT services are continuously available consistent with federal regulatory and internal operational requirements.
Enterprise Mobility – Devices and applications enable authorized users to conduct their business securely with the FDIC from any location.
Information Management and Analytics – FDIC authorized users have access to authoritative data and information that support improved operations and decision-making.
IT Service Delivery – FDIC IT professionals provide high quality, cost-effective services and support.
Cross-Cutting Themes
Collaboration – Stakeholders share responsibility for IT service delivery, relying on strong communication and trust.
Resource Optimization – Costs are minimized and well-understood, policies and procedures are current, and work is identified, prioritized, managed, and communicated with relevant business partners.
Innovation – Transformative ideas are introduced that generate interaction, experimentation, and new IT capabilities.
While the ISP SP is most directly aligned to the first ITSP goal of Information Security and Privacy, it also supports other ITSP goals and cross-cutting themes.
• ISP SP Goal 1, “Protect FDIC information assets, manage threats, and sustain business operations,” contributes to the second ITSP goal of Continuity of Operations and the third goal of Enterprise Mobility.
• ISP SP Goal 2, “Continuously improve programs, processes, and tools to strengthen the FDIC’s cybersecurity and privacy posture,” supports the ITSP goals of Enterprise Mobility and Information Management and Analytics, and the theme of Innovation.
• ISP SP Goal 3, “Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges,” is consistent with the ITSP theme of Collaboration.
Appendix A includes a more detailed traceability matrix between the ISP SP and ITSP.
This plan sets priorities for the FDIC to efficiently and effectively address the management, control, and protection of the FDIC’s information assets. In addition, this document outlines the strategic goals and objectives for future initiatives and identifies the components necessary to iteratively improve the security and privacy posture of the FDIC, in support of the business divisions and offices.
Strategic Goals and Themes
This plan identifies three goals and three cross-cutting themes. Each goal presents an opportunity to improve how FDIC conducts its business securely. As FDIC addresses each goal, the themes provide the foundation for implementation. The following pages elaborate on the themes, goals, and objectives identified to achieve the goals.
Figure 3: Information Security and Privacy Strategic Plan Overview
(The figure repeats the three Strategic Goals with their Objectives 1.1 through 3.3, and the three Cross-Cutting Themes of Privacy, Risk Management, and Governance, as listed in Figure 1.)
Strategic Goal 1 Protect FDIC information assets, manage threats, and sustain business operations.
Description
As enablers for the FDIC Divisions and Offices to achieve their missions, information security and privacy must be balanced against business needs and ensure that the business continues to operate even under active cyber threats. Protections for information assets, which include information and technology owned by FDIC and entrusted to FDIC by outside entities, are implemented using a risk-based approach that considers the importance of the asset in achieving FDIC’s mission and aligns with enterprise architecture principles.
Strategic Objectives
1.1 Strengthen protections commensurate with the sensitivity and criticality of FDIC information assets.
• Strengthen identification and classification of information assets.
• Improve identification and management of security and privacy risks.
• Augment security and privacy control mechanisms and strategies consistent with emerging threats and technology, and the enterprise security architecture.
1.2 Ensure OCISO capabilities effectively protect FDIC business functions using a risk-based approach.
• Integrate privacy requirements and align the security architecture with the FDIC’s enterprise architecture and development framework to ensure delivery of secure capabilities.
• Monitor, evaluate, and communicate the implementation of information security and privacy policies and practices across the FDIC enterprise.
• Increase communication and collaboration where information security and privacy risks and program execution intersect with business decisions and operations.
• Strengthen divisional representation in ensuring information security and privacy protections, balanced with business needs.
• Continue to track, assess, and minimize collection and retention of PII.
• Promote transparency and trust in FDIC’s maintenance and protection of PII.
1.3 Enable FDIC business functions to continue executing their missions in the case of an adverse cyber event.
• Evaluate the FDIC’s regulatory, risk, environmental, and operational drivers related to business continuity.
• Adapt and implement cyber resiliency design principles within FDIC’s enterprise security architecture to improve the ability to quickly recognize, respond to, and recover from cyber attacks.
• Collaborate with DIT, business divisions and offices to ensure continuous availability of IT functions and information assets with strengthened data security.
• Evaluate FDIC compliance with recovery policies during system disruptions and outages and use lessons learned for future improvements.
Outcome
Business operations are secured; information assets and infrastructure are protected; and risks are communicated, well understood, and managed.
Strategic Goal 2 Continuously improve programs, processes, and tools to strengthen FDIC’s cybersecurity and privacy posture.
Description
Due to the ever-evolving threat and technology landscape, the FDIC needs to continually streamline and enhance capabilities in a cohesive, coordinated manner. With established capabilities integrated across the enterprise and communicated in an enterprise security architecture that informs the design and selection of IT investments, the FDIC will ensure that risks are addressed and information assets achieve the necessary levels of protection.
Strategic Objectives
2.1 Maintain and augment monitoring, detection, and incident response functions commensurate with security and privacy risks.
• Continuously monitor FDIC information assets to maintain and enhance situational awareness to manage risk.
• Coordinate with the Division of Information Technology (DIT), business divisions and offices to address technology risks that may result in elevated security or privacy risks.
• Employ techniques to detect, contain, and respond to malicious activity and emerging threats.
• Enhance and coordinate incident response activities to quickly respond to and recover from breaches or information security incidents and minimize impact on FDIC and affected individuals.
• Improve the use of metrics and leverage information gained from incidents to enhance and update the enterprise security architecture to ensure it addresses emerging risks.
• Assess risk and impact from potential and confirmed breaches and ensure timely communications with affected parties.
• Establish and maintain an optimized tools and services inventory, aligned with the FDIC enterprise security architecture and applicable guidance such as the NIST Cybersecurity Framework (CSF).
2.2 Ensure FDIC security architecture evolves with the threat environment, as well as information security and privacy risks.
• Employ mechanisms and prioritization commensurate with risk to manage system vulnerabilities through a proactive, comprehensive approach.
• Obtain and share information on cyber threats targeting the federal government or the financial industry.
• Proactively investigate emerging security and privacy threats for potential impact to FDIC business functions.
2.3 Ensure FDIC privacy and information security programs address emerging IT capabilities and business needs.
• Collaboratively develop, adopt, and update policies, processes, and standards to better guide implementation of protections, as well as improve and maintain compliance with applicable federal law and policy.
• Work with FDIC Divisions and Offices to identify and respond to current and emerging needs for information security and privacy.
• Continuously measure and align the information security and privacy posture with emerging technology, business needs, and industry leading practices.
• Incorporate the aligned information security and privacy posture into the FDIC security architecture and technical security reference standards.
• Address privacy and cybersecurity concerns early and continuously throughout the acquisition and development lifecycles to minimize risks.
Outcome
FDIC information security and privacy protection capabilities are responsive to a dynamic environment and business needs.
Strategic Goal 3 Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges.
Description
The FDIC workforce, within OCISO and across the enterprise, is the front-line defense against cybersecurity incidents, breaches, and risks. The FDIC will continue to attract and maintain the highest quality cybersecurity and privacy workforce commensurate with business needs, as well as ensure that best practices and training are shared across the enterprise.
Strategic Objectives
3.1 Implement programs that create an environment to recruit and retain highly effective cybersecurity and privacy professionals.
• Ensure FDIC has a sufficient workforce commensurate with the FDIC’s information security and privacy needs.
• Adopt leading practices for recruiting, selecting, and hiring cybersecurity and privacy personnel.
• Partner with appropriate entities within the FDIC to identify targeted recruiting efforts to attract highly qualified early career professionals and implement career path opportunities.
3.2 Assess, develop, and implement training for the cybersecurity and privacy workforce throughout FDIC on emerging technology, threats, and federal mandates and guidance.
• Ensure the FDIC’s cybersecurity and privacy workforce has the capabilities and skillsets defined in applicable frameworks, such as the NIST NICE framework.
• Collaborate and communicate with appropriate entities within FDIC to create partnerships with universities, industry groups, and other entities to foster idea exchange, curriculum development, and awareness of leading practices.
• Promote understanding and adoption of enterprise security architecture principles and their application to IT investment and design.
• Develop and implement training plans for the FDIC cybersecurity and privacy workforce.
3.3 Ingrain cybersecurity and privacy within the FDIC culture through communication and collaboration.
• Promote an environment where FDIC personnel are aware and considerate of privacy and information security principles and responsibilities.
• Provide ongoing education, including communication, messaging, and training, for FDIC personnel on secure information practices.
• Establish forums or mechanisms that foster ongoing information exchange and collaboration in the sharing and education of emerging areas of privacy or information security.
Outcome
Risk is managed through a culture of shared responsibility for security and privacy across FDIC, supported by a high-quality cybersecurity and privacy workforce balanced with business needs.
Themes
The FDIC ISP SP’s goals build upon a foundation of three cross-cutting themes interwoven through all three strategic goals.
Theme 1 – Privacy
Privacy is critical to the FDIC due to the Personally Identifiable Information (PII) it collects through receivership, examination, and other business activities. Protection of PII is represented across many of the objectives within the ISP SP. Privacy must also address risks beyond those of information security. This includes ensuring transparency of the types and uses of PII that is collected, as well as specific disclosure, access, and notice requirements that may differ from those for non-PII. As such, privacy requirements must also be discrete considerations when designing, developing, and acquiring systems or services that may store or process PII.
The FDIC has established a corporate-wide Privacy Program, which reports directly to the Chief Information Security Officer (CISO)/Deputy Chief Privacy Officer. Utilizing the Fair Information Practice Principles (FIPPs),2 the privacy program is focused on ensuring that appropriate steps are taken to ensure compliance with applicable privacy requirements, develop and evaluate privacy policy, and manage privacy risks across the FDIC.
Theme 2 – Risk Management
A core component of cybersecurity and privacy activities is managing risk. As FDIC Divisions and Offices continue their reliance on technology, FDIC must be agile in preventing, detecting, and responding to cyber attacks that are ever increasing, both in number and sophistication. The environment poses many threats against many systems, with both known and unknown vulnerabilities, which makes it difficult for the FDIC to address all of them. As such, the Corporation must understand threats specific to its environment. FDIC must also rank and prioritize information assets to implement protections commensurate with risks.
Proper risk management can more effectively guide appropriate investments and resource levels required to address areas posing the highest risk to FDIC information assets and infrastructure. The FDIC will maintain relationships with internal and external entities to collect, assess, and respond to cybersecurity threats and vulnerabilities and will conform to a security architecture to manage system complexity and diversity to minimize risks. Continuing to mature and integrate risk management when implementing any of the following strategic objectives will allow the FDIC’s OCISO, Divisions, and Offices to focus on what is most important to reduce impact should cyber attacks occur.
2 The FIPPs are a collection of widely accepted principles that agencies should use when evaluating systems, processes, programs, and activities that affect individual privacy. The FIPPs are not OMB requirements; rather they are principles that should be applied by each agency according to the agency’s particular mission and privacy program requirements. The Federal government’s most recent articulation of the FIPPs is contained in the revised OMB Circular A-130 announced July 27, 2016. They are as follows: Access and Amendment, Accountability, Authority, Minimization, Quality and Integrity, Individual Participation, Purpose Specification and Use Limitation, Security, and Transparency.
Theme 3 – Governance
Governance provides a mechanism for overseeing information security of key systems and for setting and enforcing security and privacy standards and practices within the FDIC. To accomplish this, information security and privacy must be an integral part of technology investment planning and the FDIC Enterprise Architecture, and the programs must be aligned with business functions and priorities. Adoption and integration of an enterprise security architecture will support proper business alignment, data governance, and application design principles, and ensure systems are built on infrastructures that minimize architectural complexity and ensure cyber resilience.
The FDIC is developing enterprise security principles, leveraging the Federal Enterprise Architecture Framework (FEAF)3 and technical security architecture standards, which align with the FDIC Enterprise Architecture. The FDIC’s implementation of effective oversight and communication mechanisms assures the information security and privacy programs are meeting the FDIC mission needs. This is done by frequent, regular interaction with FDIC business executives, analyzing performance and risk metrics and measures, conformance with a common security architecture, and risk-informed decision making.
3 The FEAF v2.0 describes a suite of tools to help government planners implement the Common Approach to Federal Enterprise Architecture, released in May 2012. At FEAF’s core is the Consolidated Reference Model (CRM) to equip OMB and Federal agencies with a common language and framework to describe and analyze investments and provide traceability from strategic goals to the infrastructure that enables achievement of those goals.
Path Forward
In alignment with the FDIC IT Strategic Plan Goal 1, Information Security and Privacy, the FDIC ISP SP demonstrates commitment to mitigate risks across the Corporation, improve resilience of the Corporation’s systems and networks, and protect information assets.
The ISP SP is the foundation upon which FDIC will update its cybersecurity and privacy approach. The FDIC will develop an implementation plan that includes tasks tied to timelines and assigned to responsible parties. This will help guide the Corporation through the changes necessary to meet stated goals and objectives. In parallel, the organization will develop performance measures for the objectives and activities to track and manage progress. These measures will provide information needed to make resource-related decisions.
As part of the implementation plan, the FDIC will develop and use an Information Security and Privacy Strategy Roadmap that will operationalize the strategy by sequencing the activities needed to meet the goals and objectives. The Corporation will use the roadmap to:
• Prioritize initiatives
• Identify future needs
• Establish unity of effort among stakeholders
• Measure progress
• Enhance governance through transparency, accountability and data-driven decision making
• Revisit, refine, and update the ISP SP
The ISP SP will be reviewed annually for relevancy, currency, and applicability. It will be modified, as necessary, to keep pace with the changing environment. OCISO’s ability to successfully achieve the objectives in this plan requires the continued commitment and cooperative support of all FDIC.
Appendix A Traceability Matrix

Matrix 1: ISP SP elements traced to the FDIC IT Strategic Plan

Strategic Plan Element: Information Security and Privacy Strategic Plan (ISP SP)
Source: IT Strategic Plan

ISP SP elements (matrix rows):

Goal 1: Protect information assets, manage threats, and sustain business operations.
• Objective 1.1 Strengthen protections commensurate with the sensitivity and criticality of FDIC information assets.
• Objective 1.2 Ensure OCISO capabilities effectively protect FDIC business functions and assets using a risk-based approach.
• Objective 1.3 Enable FDIC business functions to continue executing their missions in the case of an adverse cyber event.

Goal 2: Continuously improve programs, processes, and tools to strengthen the FDIC’s cybersecurity posture and privacy protection.
• Objective 2.1 Maintain and augment monitoring, detection, and incident response functions commensurate with security and privacy risks.
• Objective 2.2 Ensure that the security architecture evolves with the threat environment as well as information security and privacy risks.
• Objective 2.3 Ensure FDIC privacy and information security programs address emerging IT capabilities and business needs.

Goal 3: Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges.
• Objective 3.1 Implement programs that create an environment to recruit and retain highly effective cybersecurity and privacy professionals.
• Objective 3.2 Assess, develop, and implement training for the cybersecurity and privacy workforce throughout the FDIC on emerging technology, threats, and federal mandates and guidance.
• Objective 3.3 Ingrain cybersecurity and privacy within the FDIC culture through communication and collaboration.

Theme: Privacy
Theme: Risk Management
Theme: Governance

IT Strategic Plan elements (matrix columns):

Goal 1 Information Security and Privacy
• Objective 1.1 Use multi-factor authentication (MFA) to provide higher levels of assurance when accessing FDIC systems
• Objective 1.2 Address emerging regulatory requirements, technology advancements, and the risks associated with new and evolving threats
• Objective 1.3 Safeguard information wherever it resides, providing security and privacy protections commensurate with its sensitivity
• Objective 1.4 Ensure that authorized users understand, accept, and follow security and privacy responsibilities
Goal 2 Continuity of Operations: FDIC IT services are continuously available consistent with federal regulatory and internal operational requirements
Goal 3 Enterprise Mobility: Devices and applications enable authorized users to conduct their business securely with the FDIC from any location
Goal 4 Information Management and Analytics: FDIC authorized users have access to authoritative data and information that support improved operations and decision-making
Goal 5 IT Service Delivery: FDIC IT professionals provide high quality, cost-effective services and support
Theme 1 Collaboration: Stakeholders share responsibility for IT service delivery, relying on strong communication and trust
Theme 2 Resource Optimization: Costs are minimized and well-understood, policies and procedures are current, and work is identified, prioritized, managed, and communicated with relevant business partners
Theme 3 Innovation: Transformative ideas are introduced that generate interaction, experimentation and new IT capabilities

[The matrix cell markings (•) showing which ISP SP elements trace to which IT Strategic Plan elements are not recoverable from the extracted text.]

Matrix 2: ISP SP elements traced to the NIST Cybersecurity Framework and OMB M-16-04

Strategic Plan Element: Information Security and Privacy Strategic Plan (ISP SP)
Source: Executive Order States NIST CSF Must be Used
Source: IG Audit Findings and Recommendations

ISP SP elements (matrix rows): the same Goals 1–3, Objectives 1.1–3.3, and Themes (Privacy, Risk Management, Governance) listed in Matrix 1.

“NIST Cybersecurity Framework 1.0” functions (matrix columns):
• Identify
• Protect
• Detect
• Respond
• Recover

OMB M-16-04 (Five Cyber Priorities) (matrix columns):
• “Prioritized Identification and Protection of high value information and assets”
• “Timely Detection of and Rapid Response to cyber incidents”
• “Rapid Recovery from incidents when they occur and Accelerated Adoption of lessons learned from the Sprint assessment”
• “Recruitment and Retention of the most highly-qualified Cybersecurity Workforce talent the Federal Government can bring to bear”
• “Efficient and Effective Acquisition and Deployment of Existing and Emerging Technology”

[The matrix cell markings (•) showing which ISP SP elements trace to which NIST CSF functions and OMB M-16-04 priorities are not recoverable from the extracted text.]

Design: DOA/FDIC/CSB/Design and Printing Unit