Increased threat calls for robust governance
With security threats like ransomware during the COVID-19 pandemic becoming more prevalent, the risk to organizations from information loss and the resulting damage is greater than ever.
To control this risk, it makes sense to establish a governance structure that promotes accountability and responsibility towards the protection of information. This can bring about a paradigm shift in leadership commitment to information security.
As the second part of the strategy, an information security risk management framework can facilitate the management of threats and risk from collecting, processing and storing business critical or personal and sensitive information. Aligning this framework to the enterprise risk management framework will help ensure that protecting information goes hand-in-hand with meeting business objectives.
Once these frameworks are in place, the collection, processing and storing of information can be risk-assessed. This assessment can be used to determine what needs protecting, how it should be protected, and who should be responsible. Then appropriate operational measures can be put in place, including:
Information identification, classification, and labelling
This includes establishing guidelines for technical solutions and administrative controls (processes and operational documentation) that should be used through the information lifecycle, from receipt to storage or destruction. Consider:
- How long you store information (whether for use in analytics or investigating an incident, or as required by law or court order)
- The acceptable ways to store or destroy information
- How you can control leaks while information is being used
- Which controls can help ensure only the authorized people are able to access information stored in your systems
Technical controls to protect critical and sensitive information, including:
- Identity management (multi-factor authentication, single sign-on, verification and authentication)
- Access to your network environment (unified threat management solutions, network segregation to separate critical and sensitive data from non-critical and non-sensitive data)
- Supporting incident identification and response (reporting tool)
Audit log and monitoring
This entails the proactive monitoring of activities logged. Proactive monitoring enables you to be alert to potential threats and take action as soon as a possible threat is recognized – instead of acting only once information has been leaked or breached. This requires a balance of technical solutions and threat intelligence which small- and medium-size organizations may prefer to outsource to third-party managed security service providers.
Security threat detection, response and reporting
This includes the possibility of establishing a security incident response team, communication cascade, and retainer service for digital forensics and incident response.
A considered approach can combat risk
In the face of limited resources and capabilities, a responsible approach to data protection requires governance and direction over which security measures should and can be implemented. Prioritizing the implementation of these security measures through a risk-based approach is key, in addition to using an information security management system (ISMS) framework managed by the Board and ELT.
Find out how the team at Lumen can support your organization in establishing your governance framework.