OSFI releases Cyber Security Self-Assessment Guidance
I recently noted the efforts spearheaded by the Bank of England to create a more integrated (across banks) cyber security strategy.
The Canadian bank regulator, the Office of the Superintendent of Financial Institutions (OSFI), has developed this template, which they will use in future oversight visits. Frankly, I find it weak, lacking breadth in its content and approach. It is overly skewed towards black-and-white responses, for example automatic shutdown in case of events. Rather, part of the reality of cyber security lies in managing greyness and acknowledging such realities as the potential similarity of Denial of Service attacks and a bloated log file.
Looking beyond the individual bank, the checklist is silent on the key component of the Bank of England strategy: addressing threats within interconnected systems, such as payments, that sit partly within individual banks and partly with non-bank third parties.
Nevertheless, it's easy to criticise, and a checklist is always a good place to start, so here it is.