In HKMA's Cyber Fortification Initiative (CFI) – Part 1, I commented that there is NO urgent need for, and it is inappropriate for, HKMA to create the Professional Development Programme (PDP) under the CFI. Now I am going to discuss another component of the CFI: the Cyber Resilience Assessment Framework (C-RAF).
Unlike the iCAST, which is incompletely copied from CBEST (implemented by the UK's Bank of England), the C-RAF is borrowed from several frameworks: (a) the Guidance on Cyber Resilience for Financial Market Infrastructures (the “Guidance”), issued by the International Organization of Securities Commissions (IOSCO) and the Bank for International Settlements (BIS); (b) the Cybersecurity Assessment Tool (the “Tool”), issued by the Federal Financial Institutions Examination Council (FFIEC, USA); and (c) the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”), issued by the National Institute of Standards and Technology (NIST, USA).
It is acceptable to design a cyber resilience framework by aligning it to leading standards. However, simply copying and rewriting different parts of selected benchmark frameworks, guidelines or recommendations and presenting the result as our new cyber resilience solution is not a correct approach to managing cyber threats for Hong Kong’s financial industries. The worst and riskiest scenario is one in which we insert an unnecessary component (like the PDP) and then pretend the result is a solution tailor-made for us.
To help readers digest the heavy contents of the C-RAF and the referenced documents, I compiled a table showing the differences between the C-RAF and the documents it refers to. Of course, this table is not a perfect basis for judging the C-RAF, but it gives a glimpse of how the C-RAF was created. To understand the C-RAF completely, readers are advised to read all of the documents thoroughly, line by line.
| | HKMA CFI | Guidance (BIS) | Tool (FFIEC) | Framework (NIST) |
|---|---|---|---|---|
| Targets | AI | Financial market infrastructures | Financial Institutions | Critical Infrastructure |
| Assessment | 1.2.1 Independent and qualified personnel; 5.1.2 iCAST certified; 5.1.3 HKMA is prepared to set up a proper mechanism for determining the equivalent qualifications | 2.2.8 Audits and compliance … be carried out by qualified individuals [certification standard not mentioned] | | |
| Sign-off | 1.2.4 CEO and independent assessor to sign off | | | |
| Inherent risk profile | 2.2.1 3 risk levels (low, medium, high); 2.3.1 5 categories (technologies, delivery channels, products, organizational characteristics, tracked records) | | Part 1: 5 risk levels (least, minimal, moderate, significant, most); 5 categories (technologies, delivery channels, online/mobile products, organizational characteristics, external threats) | |
| Assessment Matrix | 2.4.1 Matrix (indicators, criteria, risk level, supplementary info) | | | |
| Maturity assessment | 3.1.2 7 domains (governance, identification, protection, detection, response & recovery, situation awareness, third party risk management) and 25 components (Fig. 2) | 5 categories (governance, identification, protection, detection, recovery); 3 components (testing, situation awareness, learning and evolving) (Fig. 1) | | |
| Maturity matrix | 3.2.4 Provide each component’s 3 maturity levels (baseline, intermediate, advanced) with the respective principle | | Part 2: 5 domains (Cyber Risk Management, Threat Intelligence, Cybersecurity Control, External Dependency, Cyber Incident Management); 5 maturity levels (baseline, evolving, intermediate, advanced, innovative) | |
| Assessment data entry | 3.3.5 Option (Y/N/RA/NA), explanation (yes / risk accepted / no / not applicable), description; 3.3.6 % on each area of improvement | | | Table 1: Function and category unique identifiers (ID/PR/DE/RS/RC), Identifier, Functions, Category |
| Intelligence-led Cyber Attack Simulation Testing Framework (iCAST) | 4.1.2 Be armed with up-to-date and specific threat intelligence; 4.1.5 Execute iCAST for components at the “intermediate” or “advanced” maturity level | Nothing | Nothing | Nothing |
| Traditional penetration testing vs iCAST | 4.2 Traditional pentesting has limited scope and focuses on technical assessment of a single system, but iCAST is run in the production environment and includes assessment of the readiness of human and process elements | Nothing | Nothing | Nothing |
| iCAST scope | 4.2.4 [Testing] scope difference: iCAST test scope is added to the Situational Awareness domain; traditional penetration testing scope is added to the Protection domain | 7. [Four] kinds of testing (vulnerability assessment, scenario-based testing, penetration tests and Red Team tests) are mentioned AND no scope is defined; 8. Situational awareness refers to the understanding of cyber threat intelligence and making it available to staff with responsibility for mitigation of cyber risks [iCAST-like testing not mentioned]; 4. Protection [no testing method is mentioned] | | |
| iCAST Testers | 5.3.3 iCAST manager, iCAST tester, iCAST supporting member | Nothing | Nothing | Nothing |
In short, the core development concept of the C-RAF is built from the Guidance, and there are great similarities between the 3-Components & 5-Categories model from the Guidance (Fig. 1) and the 7-domains model (Fig. 2) from the C-RAF.
Fig. 1 - The Guidance 3-Components & 5-Categories model
Fig. 2 - C-RAF 7-domain model
I am surprised to find that none of the referenced documents (the Guidance, the Tool and the Framework; note the “Nothing” entries in the table) recommends any testing framework like iCAST.
I also doubt whether the Paper correctly defines the scope of penetration tests by confining “Traditional Penetration Test(s)” to the Protection domain only, while placing high emphasis on stretching their proposed “iCAST” to cover all key domains described by the C-RAF’s Situational Awareness component (Fig. 3).
Fig. 3 - Scope of iCAST and Traditional Penetration Test
I have the strong impression that the self-contained and complete framework proposed by the Guidance was chopped into various parts, reassembled with different terminology, and finally had the iCAST forcibly inserted into it during the creation of the C-RAF.
I have been supplied with a Consultation on the PDP circulated by the Fin-tech Team of HKMA. This new “consultation” emphasises that the PDP is closely interconnected with the C-RAF and that, for this reason, the PDP must be pushed along with the C-RAF. The “consultation” further assumes that iCAST is the preferable option for the PDP. Of course, the “consultation” clarifies a bit more about the formation process of the proposed mechanism for recognizing equivalent qualifications. However, in my opinion, it looks like a notification or announcement rather than a consultation.
This “consultation” has not addressed my key concern that iCAST Certifications are NOT an exact equivalent of the CREST Penetration Testing Certifications. iCAST consists only of certifications for penetration testing (called intelligence-led Penetration Testing) without CREST STAR Intelligence; therefore it is NOT the same as the CBEST adopted by the Bank of England. I am not happy to accept the implementation logic of claiming that (1) CREST is used by the Bank of England and (2) iCAST will be supported by CREST, and therefore (3) iCAST Certifications should be regarded as the preferable choice to be accredited under the C-RAF. In fact, the “consultant” did not provide the syllabus for the proposed iCAST.
If HKMA really wants to adopt the framework used by the Bank of England, please implement CBEST (CREST STAR certifications) and don’t try to ask a pitiful banking professional organization to host examinations for a cyber security certification (iCAST) with an unknown syllabus.