
Resilience You Can Measure

Financial Services Technology Consortium and 15 banks lead effort to establish business continuity standards.

Fifteen top-tier banks and technology companies have teamed with the Financial Services Technology Consortium (FSTC) to take on the task of creating benchmarks for business continuity. The first effort of its kind, the FSTC's Resiliency Model Project will address the need for financial institutions to adequately plan and measure their resiliency activities against a set of industry standards by developing benchmarks for operational resiliency for all areas of a financial enterprise, according to the New York-based trade group.

"One goal is benchmarking," says Charles Wallen, managing executive of the FSTC's Business Continuity Standing Committee and project director. "But in a broader sense, this is a pioneering effort to get banks on the same page in understanding what constitutes resiliency in a secure environment. We are trying to establish a uniform vocabulary and process improvement approach so organizations have a clear road map for raising the bar."

The project is a follow-up to two earlier endeavors conducted in 2005 that clarified global standards for U.S. financial institutions and identified the essential capabilities of operational resiliency. In the newest phase of the effort, participants -- which include JPMorgan Chase, U.S. Bank, Bank of America and KeyBank -- will work together to document goals and practices of vital operational resiliency processes and develop a draft process improvement framework, along with requirements for metrics.

"[The framework] will be a listing of capabilities organizations should have to be resilient," explains Wallen. "It will span core areas -- facilities, technology, data, people, processes. We're laying out capabilities and establishing goals so we can build a model to let organizations assess themselves ... and develop process improvement road maps for themselves."

Wallen adds that an important contributor to the project is Carnegie Mellon University's Software Engineering Institute, which is conducting applied research in the application of process improvement techniques to information security and operational resiliency. "Carnegie Mellon and the FSTC were working in parallel to each other without knowing it," he explains. "We thought this would make a good marriage."

'What,' Not 'How'

Wallen emphasizes this is not a best practices group. "We are defining the 'what,' not the 'how,' of what to do," he relates. "Our scope is broader than business continuity. We want to look at resiliency and operational risk areas holistically so that we see information security, business continuity and IT management together." Wallen says banks have been impeded from achieving uniform resiliency because of their siloed operating environments.

Not only does Wallen hope to break down these silos within banks, he also hopes the project will provide a model for resiliency for other industries. "This has to be an industry-agnostic effort," he emphasizes. "If financial services companies are recovering and everyone else is still trying to figure out what to do, that doesn't make sense."

The target to release the resiliency framework is early summer 2006, according to Wallen. Interim materials will be released over the next few months to gather feedback. --Maria Bruno-Britz
