Cyber Security Self-Assessment

Document Properties

  • Type of Publication: Memorandum
  • Date: August 13, 2021
  • To: Federally Regulated Financial Institutions

The increasing frequency, severity and sophistication of cyber threats and attacks have resulted in an elevated risk profile for many organizations around the world, including federally regulated financial institutions (FRFIs) in Canada.

In October 2013, the Office of the Superintendent of Financial Institutions (OSFI) published its Cyber Security Self-Assessment to help FRFIs assess their level of cyber preparedness. Since then, this self-assessment has helped FRFIs prepare and improve their cyber security posture. However, digitalization of financial services is broadening the attack surface and introducing new entry points into FRFIs' technology environment, meaning institutions continue to be highly exposed to cyber risk. As a result, OSFI is enhancing its Cyber Security Self-Assessment to reflect the current cyber risk landscape in line with its strategic priorities.

FRFIs are encouraged to use this self-assessment or similar tools to assess their current level of cyber preparedness and to develop and maintain effective cyber security practices. As indicated in its Near-Term Plan of Prudential Policy, OSFI will establish new guidance for the sound management of technology and cyber risk. This self-assessment will supplement the forthcoming guidance and will be refreshed regularly to keep abreast of the cyber risk landscape.

Further questions can be directed to the Managing Director, Technology Risk Division, at TRD@osfi-bsif.gc.ca.

Mohamad Al-Bustami
Managing Director

Rating Levels Explained

The cyber risk rating levels referred to in this self-assessment are intended to help the FRFI gauge the maturity of individual security controls (the "Control Statement" column). Those control statements address best practices, cyber risk and related processes, documentation, roles and responsibilities, technologies and other cyber security safeguards, all of which are important to robust cyber security operations and to the FRFI's strategic cyber security program development.

The maturity level that the FRFI assigns to each control is intended to estimate the maturity of that control, with reference to the differentiated levels.

Those ratings then serve to highlight controls that are maturing effectively, as well as those that need more attention (i.e., to address deficiencies). Maturity levels also inform discussions with OSFI and future cyber security planning within the FRFI.

OSFI has defined five cyber security maturity levels (1 to 5). Level "0" is technically a sixth level, but it only indicates that no progress has been made on the assessed control.

Note: most of the cyber security controls listed have inter-dependencies with other controls (e.g., Risk Assessment, implemented by the cyber security group, is related to Risk Management, as addressed by risk managers including senior management). For that reason the term "controls" is sometimes used in the statements that follow; however, when the FRFI completes this assessment and estimates maturity scores, a score is to be assigned to each individual control, one at a time rather than collectively.

OSFI Cyber Security Self Assessment

The source table has the columns Focus, Number, Category, Control Statement, Rating, FRFI Rating Rationale and Notes, and FRFI Provided Supporting References. The last three columns are blank in the source and are completed by the FRFI; the control statements are listed below, grouped by Focus and Category and keyed by their Number.

Focus: Governance

Category: Planning and Strategy
  1. The FRFI has published a cyber risk strategy that is aligned with the technology and business strategies.
  2. The FRFI has an established cyber risk framework (e.g., a complete set of elements including policies, standards, roles and responsibilities, risk management processes, risk taxonomy, risk appetite, and emerging threats and technologies) in support of the cyber risk strategy and of ongoing threat, risk and incident management.
  3. The FRFI conducts regular reviews of the cyber risk strategy and cyber risk framework to ensure compliance with legal and regulatory requirements.
  4. The FRFI considers cyber risk compliance requirements, identified risks, current and emerging threats, and potential incident-related impacts on operations and services as inputs to planning and prioritizing cyber risk projects, programs and budgets.
  5. The FRFI has appointed an executive responsible for the cyber risk strategy, the cyber risk framework, and cyber risk awareness and knowledge at the executive level.

Category: Policy
  6. The FRFI has documented cyber risk policies that explain staff and contractor roles, responsibilities, rules and constraints, as well as possible penalties for non-compliance.
  7. The roles and responsibilities of each of the three lines of defence and other stakeholders are clearly described within the cyber risk framework.

Category: Risk Management
  8. Key risk and performance indicators, as well as thresholds, have been established for the FRFI's key cyber risks and controls. The risk indicators should align with the cyber risk appetite stated in the cyber risk framework.
  9. Cyber risks to the organization and its programs or customers are regularly reviewed, prioritized, escalated and explained to the appropriate executives or senior management, and those risks are prioritized for mitigation.
  10. The second line of defence regularly provides an independent review of the various cyber risk assessments and other control activities conducted by the first line of defence.
  11. The FRFI ensures that background checks have been implemented for personnel/contractors and at third party providers, commensurate with the sensitivity and cyber risk needs of the FRFI assets being managed.
  12. The FRFI has implemented a formal process for risk acceptance that is measured, tracked and reported.

Focus: Identify

Category: Business Environment
  13. The FRFI has allocated sufficient and skilled resources to sustain its cyber risk programs, systems, roles and services.
  14. The FRFI has identified its critical technology assets and has implemented appropriate controls to ensure their confidentiality, integrity and availability. The controls are regularly reviewed and tested.
  15. The FRFI ensures that contracts for outsourcing and external services (e.g., third party providers, Cloud Service Providers) include supplier and service provider responsibilities for the security of the FRFI's information.

Category: Asset Management
  16. The FRFI maintains a configuration management database (CMDB) or similar utility for documenting and tracking IT component configurations (i.e., hardware, software, network addresses, security systems, dependencies, etc.).
  17. The FRFI's IT assets and information are classified and managed according to a classification scheme.
  18. The FRFI has established procedures for the disposal or destruction of IT assets.

Category: Risk Assessment
  19. The FRFI conducts Threat and Risk Assessments in the early stages of new initiatives/projects, or prior to changes in existing systems and data, to identify and prioritize threats, risks and remediation options.
  20. The FRFI should periodically assess its cyber risks, which requires consideration and assessment of the robustness, currency and completeness of its cyber risk practices and controls.
  21. The FRFI conducts regular penetration testing against the network, Cloud environment and all critical IT systems to identify security gaps and deficiencies, and to affirm strengths.

Focus: Defend

Category: Identity Management and Access Control
  22. The FRFI implements a consistent access control model (e.g., Role Based Access Control) across all critical systems.
  23. The FRFI requires that all persons, systems or services be identified, authenticated and authorized prior to being granted access to FRFI systems, services or data.
  24. The FRFI consistently applies the principle of "least privilege", such that the permissions and access granted to an authenticated person, system or service are sufficient for their operational need, and no higher.
  25. The FRFI ensures that permissions are revoked, and accounts or active connections terminated, when no longer required.
  26. The FRFI implements Multi-Factor Authentication for access to critical systems and for remote access to the FRFI network.
  27. The FRFI encrypts and securely stores identity and access control credentials (e.g., passwords), separate from other data.
  28. Privileged account credentials are managed, monitored and secured.

Category: Network Security
  29. The FRFI follows a positive security model for network security, allowing only pre-defined and authorized traffic (IP addresses, protocols, ports, etc.).
  30. The FRFI defines logical network zones, and applies controls to segregate and limit or block traffic between those zones, to help track, manage and secure the assets within them.
  31. The FRFI places all internet-facing systems and services in a DMZ or similar segregated and closely monitored network zone, with carefully secured and limited connections into the broader environment.
  32. The FRFI engages in ongoing Threat Hunting (e.g., using manual techniques and machine learning tools) to proactively identify and isolate advanced threats that may not be detected by automated tools.
  33. The FRFI implements critical network security and traffic management controls to be fault tolerant and to fail securely, so that security is not compromised during any fault, outage or security incident.
  34. The FRFI limits remote access and connection options to authorized personnel, including third party providers, and secures all remote sessions (e.g., with session encryption, MFA and session timeouts).

Category: Data Security
  35. The FRFI has implemented data loss prevention (DLP) controls across all technology assets, for data at rest, data in use and data in transit, to identify attempts at unauthorized data exfiltration and to automatically limit or stop the associated data loss.
  36. The FRFI assesses all external data interfaces (e.g., APIs) to ascertain whether the implemented security controls are appropriate to the sensitivity of the FRFI's data.
  37. The FRFI uses automated tools to examine all data (including source code and configuration data) prior to its introduction into the FRFI's systems, to identify and quarantine unauthorized executable code (e.g., malware) and potentially harmful data.
  38. The FRFI encrypts all data to be physically transported internally or externally (e.g., on portable/removable storage media), and restricts such data transport to authorized individuals only.
  39. FRFI personnel "work from home" solutions are implemented with strong endpoint controls (e.g., on laptops or other mobile devices) to maintain robust security.
  40. The FRFI conducts regular, automated back-ups of its data.

Category: Vulnerability Management
  41. The FRFI has published and implemented a Vulnerability and Patch Management Program that provides rules and guidance on roles, responsibilities, the FRFI's vulnerability management life cycle, vulnerability prioritization (e.g., based on risk), remediation timeframes, exception/exemption approvals, monitoring and reporting, and the tools to be applied.
  42. The FRFI has identified reputable sources of vulnerability information, and subscribes to recognized and authoritative vulnerability reporting services.
  43. The FRFI conducts regular vulnerability scanning to identify new vulnerabilities.
  44. The FRFI prioritizes identified vulnerabilities for resolution, based on the risk and potential impact they represent.
  45. The FRFI has an exception/exemption management process that documents, and requires appropriate management approvals for, delays or exceptions to vulnerability remediation (e.g., through application of vendor-supplied patches).
  46. The FRFI verifies and tests vulnerability patches prior to general deployment within the operational environment.
  47. The FRFI identifies contingency options for reversing vulnerability resolution measures (e.g., through roll-back of patches) prior to general deployment.
  48. The FRFI has established timelines for applying patches based on risk.

Category: Change and Configuration Management
  49. The FRFI has created, documented and implemented standardized, secure configurations for all hardware and software (e.g., Operating Systems, VMs, desktop images).
  50. The FRFI hardens all critical systems and networks.
  51. The FRFI enforces security policies through the use of automated tools to identify and block the use of unauthorized software and hardware across all of its systems.
  52. The FRFI has documented and implemented a Change Management process to formally identify, assess, approve and document configuration changes.

Focus: Detect

Category: Monitoring and Logging
  53. The FRFI monitors all networks, sub-networks and interfaces to identify information security events such as unauthorized connection attempts, unusual or suspicious traffic patterns, or use of unauthorized ports and protocols.
  54. The FRFI has established requirements for log collection and retention across all IT assets.
  55. The FRFI uses automated tools (e.g., a SIEM or Log Analytics Tool) to collect, aggregate and analyze event data in real time or near real time (e.g., for anomalous activity), and alerts personnel according to established use cases and rules.
  56. The FRFI's network monitoring and management processes are integrated with Incident Response processes, for rapid and formal escalation, communication and resolution of priority events.
  57. FRFI and service provider logs and related records pertaining to security events are encrypted, time-stamped and archived for later reference as needed. Event logs are maintained in a secure location.

Category: Benchmarking, Reviews and Assessments
  58. The FRFI conducts ongoing and periodic assessments (e.g., of cyber risk processes), with reference to external security frameworks, best practices and emerging vulnerabilities, to identify control gaps or deficiencies across the FRFI environment, and to identify opportunities and recommendations for improvement.
  59. The FRFI conducts ongoing reviews to determine policy compliance.
  60. The FRFI conducts regular, automated reviews of IT infrastructure (e.g., endpoints) to verify that security controls are configured and functioning as expected.
  61. The FRFI communicates security assessment and audit results to appropriate internal management, and to the executive(s) responsible for the cyber risk framework.

Category: Secure Software Development
  62. The FRFI treats security, and the adoption of security best practices, as a priority within the software development life cycle.
  63. The FRFI deploys all software, including off-the-shelf products, in a segregated test environment, and executes relevant testing and security scans, prior to general deployment.
  64. The FRFI verifies that code from external sources comes from a reputable and recognized source (e.g., by review of a digital signature or hash).

Focus: Respond

Category: Incident Management
  65. The FRFI's Incident Management standard is designed to respond rapidly to cyber risk incidents.
  66. The FRFI has established a "whole of organization" response including, but not limited to, the cyber risk team, IT team, business owner, legal, privacy, communications (public affairs) and others as required, and has developed playbooks and runbooks as needed.
  67. The FRFI regularly exercises the Incident Management standard.
  68. The FRFI has an established communication plan that includes, but is not limited to, customers/clients, business partners, provincial or federal regulatory or security agencies, law enforcement, internal staff, and others as appropriate.
  69. The FRFI conducts post-incident analysis to identify root cause, vulnerabilities and remedies, and to document lessons learned for future reference by staff.

Focus: Recover

Category: Testing and Planning
  70. The FRFI regularly tests data back-ups to verify their integrity and to confirm that restoration of data is feasible in case of need.
  71. The FRFI develops and tests playbooks to ensure timely restoration of data, systems or services impacted by cyber risk incidents.
  72. The FRFI has a Disaster Recovery Plan and/or Business Continuity Plan to execute in the event of a material cyber risk incident.

Focus: Learn

Category: Continuous Improvement
  73. The FRFI regularly reviews its IT environment and mitigates risks from end-of-life/end-of-support hardware and software.
  74. The FRFI conducts threat modeling to improve cyber resilience.
  75. The FRFI conducts regular simulation exercises (e.g., ransomware, DDoS) to validate response plans and familiarize stakeholders with their roles and responsibilities.
  76. The FRFI subscribes to reputable information sources to understand emerging threats, trends, vulnerabilities and cyber risk best practices.
  77. The FRFI keeps abreast of new and emerging technologies and their impact on cyber risk.

Category: Security Education
  78. The FRFI has a cyber risk education and awareness plan for employees, customers and other stakeholders.
  79. The FRFI provides necessary and appropriate training for cyber risk personnel, to maintain current knowledge and skills in support of their roles and responsibilities.
  80. The FRFI provides all staff with ongoing security awareness education to make them aware of their roles and responsibilities with respect to cyber risk, to help them identify threats, and to explain cyber risk best practices.
  81. FRFI executives and senior management are regularly briefed on cyber risk trends, identified risks, incidents, planned cyber risk initiatives and the associated potential impacts on the organization.

Focus: Third Party Providers

Category: Governance and Management
  82. The FRFI has identified and assessed cyber risk arising from its third party providers. The risk assessment is regularly refreshed and drives the frequency and intensity of risk management activities (e.g., due diligence, contract obligations, monitoring, reporting and assurance activities).
  83. The FRFI ensures that cyber risk controls implemented by third party providers are appropriate to the sensitivity of FRFI data, and are as robust and comprehensive as those which the FRFI implements on premises.
  84. The FRFI has developed exit strategies for critical third party providers that outline possible cyber-related scenarios and triggers, with alternative solutions developed and assessed for viability.
  85. The FRFI periodically obtains independent assurance of third party controls using various methods such as audit certifications, internal audit reviews, pooled audits, etc.
  86. The FRFI ensures that the third party provider has established incident response playbooks, including procedures for when and how the FRFI will be informed of any impact on its systems, services or data.
  87. The FRFI verifies that third party providers completely delete all FRFI data, including backups, when no longer required.

Category: Cloud Service Providers
  88. The FRFI has a documented Cloud exit strategy that defines the cyber risk processes, roles and responsibilities to be implemented if the FRFI discontinues CSP services (e.g., to migrate to a different CSP).
  89. The FRFI ensures that all cyber risk roles and responsibilities (e.g., for implementation and management of controls) are clearly documented and agreed by all parties when implementing Cloud services (IaaS, PaaS and SaaS).
  90. Centralized logging and monitoring processes are implemented across all Cloud assets, with the capability to conduct consolidated analysis and reporting on the security posture across all platforms.