Cyber Security Self-Assessment
Type of Publication: Memorandum
Date: August 13, 2021
To: Federally Regulated Financial Institutions
The increasing frequency, severity and sophistication of cyber threats and attacks have resulted in an elevated risk profile for many organizations around the world, including federally regulated financial institutions (FRFIs) in Canada.
In October 2013, the Office of the Superintendent of Financial Institutions (OSFI) published its Cyber Security Self-Assessment to help FRFIs assess their level of cyber preparedness. Since then, this self-assessment has helped FRFIs prepare and improve their cyber security posture. However, digitalization of financial services is broadening the attack surface and introducing new entry points into FRFIs' technology environment, meaning institutions continue to be highly exposed to cyber risk. As a result, OSFI is enhancing its Cyber Security Self-Assessment to reflect the current cyber risk landscape in line with its strategic priorities.
FRFIs are encouraged to use this self-assessment, or similar tools, to assess their current level of cyber preparedness and to develop and maintain effective cyber security practices. As indicated in its Near-Term Plan of Prudential Policy, OSFI will establish new guidance for the sound management of technology and cyber risk. This self-assessment will supplement the forthcoming guidance and will be refreshed regularly to keep abreast of the cyber risk landscape.
Further questions can be directed to Chris Suknundun, Managing Director, Technology Risk Division, at TRD@osfi-bsif.gc.ca.
Chris Suknundun
Managing Director
Rating levels explained
The cyber risk rating levels referred to in this self-assessment are intended to help the FRFI gauge the maturity of individual security controls (the "Control Statement" column of the table below). Those control statements address best practices, cyber risk and related processes, documentation, roles and responsibilities, technologies and other cyber security safeguards, all of which are important to robust cyber security operations and to the FRFI's strategic cyber security program development.
The maturity level that the FRFI assigns to each control is an estimate of that control's maturity, measured against the differentiated levels.
Those ratings then serve to highlight controls that are maturing effectively, as well as those that need more attention (i.e., to address deficiencies). Maturity levels also inform discussions with OSFI and future cyber security planning within the FRFI.
To that end, OSFI has defined cyber security maturity levels 1 to 5. Level 0 is technically a sixth level, but it indicates only that no progress has been made on the assessed control.
Note: most of the cyber security controls listed have inter-dependencies with other controls (e.g., Risk Assessment, implemented by the cyber security group, is related to Risk Management, as addressed by risk managers including senior management). For that reason the term "controls" is sometimes used in the plural in the statements that follow; when the FRFI completes this assessment, however, a maturity score is to be assigned to each individual control, one at a time rather than collectively.
OSFI Cyber Security Self Assessment
Focus | Number | Category | Control Statement | Rating | FRFI Rating Rationale and Notes | FRFI Provided Supporting References |
---|---|---|---|---|---|---|
Governance | 1 | Planning and Strategy | The FRFI has published a cyber risk strategy that is aligned with the technology and business strategies. | | | |
Governance | 2 | Planning and Strategy | The FRFI has an established cyber risk framework (e.g., a complete set of elements including policies, standards, roles and responsibilities, risk management processes, risk taxonomy, risk appetite, and emerging threats and technologies) in support of the cyber risk strategy and of ongoing threat, risk and incident management. | | | |
Governance | 3 | Planning and Strategy | The FRFI conducts regular reviews of the cyber risk strategy and cyber risk framework to ensure compliance with legal and regulatory requirements. | | | |
Governance | 4 | Planning and Strategy | The FRFI considers cyber risk compliance requirements, identified risks, current and emerging threats, and potential incident-related impacts on operations and services as inputs to planning and prioritizing cyber risk projects, programs and budgets. | | | |
Governance | 5 | Planning and Strategy | The FRFI has appointed an executive responsible for the cyber risk strategy, the cyber risk framework, and cyber risk awareness and knowledge at the executive level. | | | |
Governance | 6 | Policy | The FRFI has documented cyber risk policies that explain staff and contractor roles, responsibilities, rules and constraints, as well as possible penalties for non-compliance. | | | |
Governance | 7 | Policy | The roles and responsibilities of each of the three lines of defence and other stakeholders are clearly described within the cyber risk framework. | | | |
Governance | 8 | Risk Management | Key risk and performance indicators, as well as thresholds, have been established for the FRFI's key cyber risks and controls. The risk indicators align with the cyber risk appetite stated in the cyber risk framework. | | | |
Governance | 9 | Risk Management | Cyber risks to the organization and its programs or customers are regularly reviewed, escalated and explained to the appropriate executives or senior management, and prioritized for mitigation. | | | |
Governance | 10 | Risk Management | The second line of defence regularly provides an independent review of the various cyber risk assessments and other control activities conducted by the first line of defence. | | | |
Governance | 11 | Risk Management | The FRFI ensures that background checks are implemented for personnel and contractors, and at third party providers, commensurate with the sensitivity and cyber risk of the FRFI assets being managed. | | | |
Governance | 12 | Risk Management | The FRFI has implemented a formal process for risk acceptance that is measured, tracked and reported. | | | |
Identify | 13 | Business Environment | The FRFI has allocated sufficient and skilled resources to sustain cyber risk programs, systems, roles and services. | | | |
Identify | 14 | Business Environment | The FRFI has identified its critical technology assets and has implemented appropriate controls to ensure confidentiality, integrity and availability. The controls are regularly reviewed and tested. | | | |
Identify | 15 | Business Environment | The FRFI ensures that contracts for outsourcing and external services (e.g., third party providers, Cloud Service Providers) define supplier and service provider responsibilities for the security of the FRFI's information. | | | |
Identify | 16 | Asset Management | The FRFI maintains a configuration management database (CMDB) or similar utility for documenting and tracking IT component configurations (e.g., hardware, software, network addresses, security systems, dependencies). | | | |
Identify | 17 | Asset Management | The FRFI's IT assets and information are classified and managed according to a classification scheme. | | | |
Identify | 18 | Asset Management | The FRFI has established procedures for the disposal or destruction of IT assets. | | | |
Identify | 19 | Risk Assessment | The FRFI conducts Threat and Risk Assessments in the early stages of new initiatives or projects, or prior to changes to existing systems and data, to identify and prioritize threats, risks and remediation options. | | | |
Identify | 20 | Risk Assessment | The FRFI periodically assesses its cyber risks, including the robustness, currency and completeness of its cyber risk practices and controls. | | | |
Identify | 21 | Risk Assessment | The FRFI conducts regular penetration testing against the network, Cloud environment and all critical IT systems to identify security gaps and deficiencies, and to affirm strengths. | | | |
Defend | 22 | Identity Management and Access Control | The FRFI implements a consistent access control model (e.g., Role Based Access Control) across all critical systems. | | | |
Defend | 23 | Identity Management and Access Control | The FRFI requires that all persons, systems or services be identified, authenticated and authorized prior to being granted access to FRFI systems, services or data. | | | |
Defend | 24 | Identity Management and Access Control | The FRFI consistently applies the principle of "least privilege", such that the permissions and access granted to an authenticated person, system or service are sufficient for its operational need, and no higher. | | | |
Defend | 25 | Identity Management and Access Control | The FRFI ensures that permissions are revoked, and accounts or active connections are terminated, when no longer required. | | | |
Defend | 26 | Identity Management and Access Control | The FRFI implements Multi-Factor Authentication for access to critical systems and for remote access to the FRFI network. | | | |
Defend | 27 | Identity Management and Access Control | The FRFI encrypts identity and access control credentials (e.g., passwords) and stores them securely, separate from other data. | | | |
Defend | 28 | Identity Management and Access Control | Privileged account credentials are managed, monitored and secured. | | | |
Defend | 29 | Network Security | The FRFI follows a positive security model for network security, allowing only pre-defined and authorized traffic (IP addresses, protocols, ports, etc.). | | | |
Defend | 30 | Network Security | The FRFI defines logical network zones, and applies controls to segregate and limit or block traffic between those zones, to help track, manage and secure the assets within them. | | | |
Defend | 31 | Network Security | The FRFI places all internet-facing systems and services in a DMZ or similar segregated and closely monitored network zone, with carefully secured and limited connections into the broader environment. | | | |
Defend | 32 | Network Security | The FRFI engages in ongoing Threat Hunting (e.g., using manual techniques and machine learning tools) to proactively identify and isolate advanced threats that may not be detected by automated tools. | | | |
Defend | 33 | Network Security | The FRFI implements critical network security and traffic management controls to be fault tolerant and to fail securely, so that security is not compromised during any fault, outage or security incident. | | | |
Defend | 34 | Network Security | The FRFI limits remote access and connection options to authorized personnel, including third party providers, and secures all remote sessions (e.g., with session encryption, MFA and session timeouts). | | | |
Defend | 35 | Data Security | The FRFI has implemented data loss prevention (DLP) controls across all technology assets for data at rest, data in use and data in transit, to identify attempts at unauthorized data exfiltration and to automatically limit or stop the associated data loss. | | | |
Defend | 36 | Data Security | The FRFI assesses all external data interfaces (e.g., APIs) to ascertain whether the implemented security controls are appropriate to the sensitivity of the FRFI's data. | | | |
Defend | 37 | Data Security | The FRFI uses automated tools to examine all data (including source code and configuration data) prior to its introduction into the FRFI's systems, to identify and quarantine unauthorized executable code (e.g., malware) and potentially harmful data. | | | |
Defend | 38 | Data Security | The FRFI encrypts all data to be physically transported internally or externally (e.g., on portable or removable storage media), and restricts such data transport to authorized individuals only. | | | |
Defend | 39 | Data Security | FRFI personnel "work from home" solutions are implemented with strong endpoint controls (e.g., on laptops or other mobile devices) to maintain robust security. | | | |
Defend | 40 | Data Security | The FRFI conducts regular, automated back-ups of its data. | | | |
Defend | 41 | Vulnerability Management | The FRFI has published and implemented a Vulnerability and Patch Management Program, providing rules and guidance on roles, responsibilities, the FRFI's vulnerability management life cycle, vulnerability prioritization (e.g., based on risk), remediation timeframes, exception/exemption approvals, monitoring and reporting, and the tools to be applied. | | | |
Defend | 42 | Vulnerability Management | The FRFI has identified reputable sources of vulnerability information, and subscribes to recognized and authoritative vulnerability reporting services. | | | |
Defend | 43 | Vulnerability Management | The FRFI conducts regular vulnerability scanning to identify new vulnerabilities. | | | |
Defend | 44 | Vulnerability Management | The FRFI prioritizes identified vulnerabilities for resolution, based on the risk and potential impact they represent. | | | |
Defend | 45 | Vulnerability Management | The FRFI has an exception/exemption management process that documents, and requires appropriate management approvals for, delays or exceptions to vulnerability remediation (e.g., through application of vendor-supplied patches). | | | |
Defend | 46 | Vulnerability Management | The FRFI verifies and tests vulnerability patches prior to general deployment within the operational environment. | | | |
Defend | 47 | Vulnerability Management | The FRFI identifies contingency options for reversing vulnerability resolution measures (e.g., by rolling back patches) prior to general deployment. | | | |
Defend | 48 | Vulnerability Management | The FRFI has established timelines for applying patches based on risk. | | | |
Defend | 49 | Change and Configuration Management | The FRFI has created, documented and implemented standardized, secure configurations for all hardware and software (e.g., Operating Systems, VMs, desktop image). | | | |
Defend | 50 | Change and Configuration Management | The FRFI hardens all critical systems and networks. | | | |
Defend | 51 | Change and Configuration Management | The FRFI enforces security policies through automated tools that identify and block the use of unauthorized software and hardware across all of its systems. | | | |
Defend | 52 | Change and Configuration Management | The FRFI has documented and implemented a Change Management process to formally identify, assess, approve and document configuration changes. | | | |
Detect | 53 | Monitoring and Logging | The FRFI monitors all networks, sub-networks and interfaces to identify information security events such as unauthorized connection attempts, unusual or suspicious traffic patterns, or use of unauthorized ports and protocols. | | | |
Detect | 54 | Monitoring and Logging | The FRFI has established requirements for log collection and retention across all IT assets. | | | |
Detect | 55 | Monitoring and Logging | The FRFI uses automated tools (e.g., a SIEM or log analytics tool) to collect, aggregate and analyze event data in real time or near real time (e.g., to detect anomalous activity), and to alert personnel according to established use cases and rules. | | | |
Detect | 56 | Monitoring and Logging | The FRFI's network monitoring and management processes are integrated with Incident Response processes, for rapid and formal escalation, communication and resolution of priority events. | | | |
Detect | 57 | Monitoring and Logging | FRFI and service provider logs and related records pertaining to security events are encrypted, time stamped and archived for later reference as needed, and are maintained in a secure location. | | | |
Detect | 58 | Benchmarking, Reviews and Assessments | The FRFI conducts ongoing and periodic assessments (e.g., of cyber risk processes), with reference to external security frameworks, best practices and emerging vulnerabilities, to identify control gaps or deficiencies across the FRFI environment and to identify opportunities and recommendations for improvement. | | | |
Detect | 59 | Benchmarking, Reviews and Assessments | The FRFI conducts ongoing reviews to determine policy compliance. | | | |
Detect | 60 | Benchmarking, Reviews and Assessments | The FRFI conducts regular, automated reviews of IT infrastructure (e.g., endpoints) to verify that security controls are configured and functioning as expected. | | | |
Detect | 61 | Benchmarking, Reviews and Assessments | The FRFI communicates security assessment and audit results to appropriate internal management, and to the executive(s) responsible for the cyber risk framework. | | | |
Detect | 62 | Secure Software Development | The FRFI treats security, and the adoption of security best practices, as a priority within the software development life cycle. | | | |
Detect | 63 | Secure Software Development | The FRFI deploys all software, including off-the-shelf products, in a segregated test environment, and executes relevant testing and security scans, prior to general deployment. | | | |
Detect | 64 | Secure Software Development | The FRFI verifies that code from external sources comes from a reputable and recognized source (e.g., by verifying a digital signature or a hash). | | | |
Respond | 65 | Incident Management | The FRFI's Incident Management standard is designed to respond rapidly to cyber risk incidents. | | | |
Respond | 66 | Incident Management | The FRFI has established a "whole of organization" response including, but not limited to, the cyber risk team, IT team, business owner, legal, privacy, communications (public affairs) and others as required, and has developed playbooks and runbooks as needed. | | | |
Respond | 67 | Incident Management | The FRFI regularly exercises the Incident Management standard. | | | |
Respond | 68 | Incident Management | The FRFI has an established communication plan that includes, but is not limited to, customers/clients, business partners, provincial or federal regulatory or security agencies, law enforcement, internal staff, and others as appropriate. | | | |
Respond | 69 | Incident Management | The FRFI conducts post-incident analysis to identify root cause, vulnerabilities and remedies, and to document lessons learned for future reference by staff. | | | |
Recover | 70 | Testing and Planning | The FRFI regularly tests data back-ups to verify their integrity, and to confirm that restoration of data is feasible in case of need. | | | |
Recover | 71 | Testing and Planning | The FRFI develops and tests playbooks to ensure timely restoration of data, systems or services impacted by cyber risk incidents. | | | |
Recover | 72 | Testing and Planning | The FRFI has a Disaster Recovery Plan and/or Business Continuity Plan to execute in the event of a material cyber risk incident. | | | |
Learn | 73 | Continuous Improvement | The FRFI regularly reviews its IT environment and mitigates risks from end-of-life or end-of-support hardware and software. | | | |
Learn | 74 | Continuous Improvement | The FRFI conducts threat modeling to improve cyber resilience. | | | |
Learn | 75 | Continuous Improvement | The FRFI conducts regular simulation exercises (e.g., ransomware, DDoS) to validate response plans, and to familiarize stakeholders with their roles and responsibilities. | | | |
Learn | 76 | Continuous Improvement | The FRFI subscribes to reputable information sources to understand emerging threats, trends, vulnerabilities and cyber risk best practices. | | | |
Learn | 77 | Continuous Improvement | The FRFI keeps abreast of new and emerging technologies and their impact on cyber risk. | | | |
Learn | 78 | Security Education | The FRFI has a cyber risk education and awareness plan for employees, customers and other stakeholders. | | | |
Learn | 79 | Security Education | The FRFI provides necessary and appropriate training for cyber risk personnel, to maintain current knowledge and skills in support of their roles and responsibilities. | | | |
Learn | 80 | Security Education | The FRFI provides all staff with ongoing security awareness education to make them aware of their roles and responsibilities with respect to cyber risk, to help them identify threats, and to explain cyber risk best practices. | | | |
Learn | 81 | Security Education | FRFI executives and senior management are regularly briefed on cyber risk trends, identified risks, incidents, planned cyber risk initiatives, and the associated potential impacts on the organization. | | | |
Third Party Providers | 82 | Governance and Management | The FRFI has identified and assessed cyber risk arising from its third party providers. The risk assessment is regularly refreshed and drives the frequency and intensity of risk management activities (e.g., due diligence, contract obligations, monitoring, reporting and assurance activities). | | | |
Third Party Providers | 83 | Governance and Management | The FRFI ensures that cyber risk controls implemented by third party providers are appropriate to the sensitivity of FRFI data, and are as robust and comprehensive as those the FRFI implements on premises. | | | |
Third Party Providers | 84 | Governance and Management | The FRFI has developed exit strategies for critical third party providers that outline possible cyber-related scenarios, triggers and alternative solutions, developed and assessed for viability. | | | |
Third Party Providers | 85 | Governance and Management | The FRFI periodically obtains independent assurance of third party controls using various methods, such as audit certifications, internal audit reviews and pooled audits. | | | |
Third Party Providers | 86 | Governance and Management | The FRFI ensures that the third party provider has established incident response playbooks, including procedures for when and how the FRFI will be informed of any impact on its systems, services or data. | | | |
Third Party Providers | 87 | Governance and Management | The FRFI verifies that third party providers completely delete all FRFI data, including backups, when no longer required. | | | |
Third Party Providers | 88 | Cloud Service Providers | The FRFI has a documented Cloud exit strategy that defines the cyber risk processes, roles and responsibilities to be implemented if the FRFI discontinues CSP services (e.g., to migrate to a different CSP). | | | |
Third Party Providers | 89 | Cloud Service Providers | The FRFI ensures that all cyber risk roles and responsibilities (e.g., for implementation and management of controls) are clearly documented and agreed by all parties when implementing Cloud services (IaaS, PaaS and SaaS). | | | |
Third Party Providers | 90 | Cloud Service Providers | Centralized logging and monitoring processes are implemented across all Cloud assets, with the capability to conduct consolidated analysis and reporting on the security posture across all platforms. | | | |
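Controls 29 to 31 (positive security model, logical network zones, internet-facing systems in a DMZ) describe an allow-list posture rather than a product. The following is an added example, written for this page and not part of the OSFI memorandum or any FRFI's tooling, of what such a policy looks like when made explicit: zones are defined by address range, the allow-list is the only thing that permits traffic, and everything else is denied, including traffic from addresses outside any defined zone. The zone ranges, rules and flow records are constructed for illustration.

```python
"""Positive security model (allow-list) check over constructed flow records.

Added example. Zones, rules and flows are hypothetical, not from OSFI or any FRFI.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical logical network zones (control 30), keyed by name.
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),   # internet-facing tier (control 31)
    "app": ipaddress.ip_network("10.10.0.0/16"),
    "db": ipaddress.ip_network("10.20.0.0/16"),
    "corp": ipaddress.ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Explicit allow-list (control 29): traffic not matching a rule is denied.
ALLOW = {
    Rule("dmz", "app", "tcp", 8443),   # reverse proxy -> application tier
    Rule("app", "db", "tcp", 5432),    # application tier -> database
    Rule("corp", "app", "tcp", 443),   # staff -> internal web UI
}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(src_ip: str, dst_ip: str, proto: str, dst_port) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Default is deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside defined zones"
    if Rule(src, dst, proto.lower(), int(dst_port)) in ALLOW:
        return "allow", f"{src}->{dst} {proto}/{dst_port} on allow-list"
    return "deny", f"{src}->{dst} {proto}/{dst_port} not on allow-list"


def evaluate(flow_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'src dst proto port' records and return (record, verdict, reason)."""
    results = []
    for line in flow_lines:
        src, dst, proto, port = line.split()
        verdict, reason = decide(src, dst, proto, port)
        results.append((line, verdict, reason))
    return results


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "203.0.113.10 10.10.4.2 tcp 8443",   # proxy to app: allowed
    "203.0.113.10 10.20.1.5 tcp 5432",   # DMZ straight to DB: denied (control 31)
    "10.10.4.2 10.20.1.5 tcp 5432",      # app to DB: allowed
    "10.30.7.7 10.20.1.5 tcp 22",        # staff SSH to DB host: denied
    "10.10.4.2 10.20.1.5 udp 5432",      # right port, wrong protocol: denied
    "198.51.100.9 10.10.4.2 tcp 8443",   # source outside any zone: denied
]


def denied(flow_lines: List[str] = SAMPLE_FLOWS) -> List[str]:
    """Records that the allow-list rejects; these are the ones worth alerting on (control 53)."""
    return [line for line, verdict, _ in evaluate(flow_lines) if verdict == "deny"]


if __name__ == "__main__":
    for line, verdict, reason in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5}  {line:34}  {reason}")
```

The point of the `zone_of` check returning `None` is that an address the FRFI has never classified is treated as untrusted rather than silently matched to nothing; a firewall rule base that omits that case tends to grow an implicit "any" over time.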
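Control 64 asks the FRFI to verify that externally sourced code comes from a recognized source, for example by checking a digital signature or a hash. As an added example (not from the OSFI memorandum or any vendor), the block below implements the hash half of that check: it parses a `sha256sum`-style manifest, recomputes the digest of each downloaded artifact, compares in constant time, and rejects both a modified artifact and an artifact the publisher never listed. The release files and manifest are constructed in memory for the example. A signature check would additionally verify the manifest itself against the publisher's signing key, which the standard library does not provide and which is therefore not shown; a bare hash only detects tampering if the manifest was obtained over a channel independent of the artifact.

```python
"""Verify externally sourced code against a publisher's SHA-256 manifest (control 64).

Added example. The artifacts and manifest are constructed here, not a real release.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'sha256sum' output lines of the form '<hex digest>  <filename>'."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum prefixes binary-mode entries with '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_artifact(name: str, data: bytes, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Accept only artifacts that are listed and whose digest matches exactly."""
    if name not in manifest:
        return False, "not listed in manifest"  # unlisted is untrusted, not ignored
    actual = sha256_hex(data)
    # Constant-time compare; avoids leaking how many leading characters matched.
    if hmac.compare_digest(actual, manifest[name]):
        return True, "digest matches"
    return False, f"digest mismatch (expected {manifest[name][:12]}..., got {actual[:12]}...)"


def verify_all(artifacts: Dict[str, bytes], manifest_text: str) -> List[Tuple[str, bool, str]]:
    manifest = parse_manifest(manifest_text)
    return [(name, *verify_artifact(name, data, manifest)) for name, data in artifacts.items()]


# Constructed release: the manifest is computed from the genuine bytes, then one
# artifact is altered to simulate modification at a mirror or in transit.
GOOD_LIB = b"def add(a, b):\n    return a + b\n"
GOOD_CFG = b"log_level = info\n"
MANIFEST = "\n".join([
    "# constructed SHA256SUMS for the example",
    f"{sha256_hex(GOOD_LIB)}  lib.py",
    f"{sha256_hex(GOOD_CFG)}  *app.cfg",
])
TAMPERED_LIB = GOOD_LIB.replace(b"a + b", b"a - b")

DOWNLOADED = {
    "lib.py": TAMPERED_LIB,       # one-byte change: rejected
    "app.cfg": GOOD_CFG,          # unchanged: accepted
    "extra.py": b"print('x')\n",  # shipped but never listed by the publisher: rejected
}


def accepted(artifacts: Dict[str, bytes] = DOWNLOADED, manifest_text: str = MANIFEST) -> List[str]:
    """Names that passed verification and may proceed to the test environment (control 63)."""
    return [name for name, ok, _ in verify_all(artifacts, manifest_text) if ok]


if __name__ == "__main__":
    for name, ok, why in verify_all(DOWNLOADED, MANIFEST):
        print("OK    " if ok else "REJECT", name, why)
```

Rejecting an unlisted file is deliberate: a deployment step that only checks the files it knows about will happily install whatever else arrived in the same archive.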