
New approach to combating cybersecurity risks
With a structured implementation timeline that starts in mid-2021 and continues through 2023, the enhanced CFI 2.0 scheme is intended to keep systems secure and credentials protected. It reflects the latest trends in technology and incorporates recent developments in global cybersecurity practices. For instance, under the governance protocols, the Cyber Resilience Assessment Framework (C-RAF) defines new requirements for key cybersecurity management roles, including separate reporting lines for the roles that oversee, coordinate and govern enterprise-wide cybersecurity. C-RAF also requires a new structure covering risk identification; the registering, assessment and treatment of threats; ongoing monitoring; and review and reporting.

Given their wider adoption in the industry, C-RAF adds new requirements for infrastructure protection controls, including virtualisation security and Internet of Things (IoT) security. It also requires DevOps activities and processes (practices that combine software development and IT operations) to be aligned with the institution's System Development Life Cycle (SDLC), including its IT service management processes and agile software development. Testing of Application Programming Interfaces (APIs) against known types of cyberattacks is also a requirement of CFI 2.0. Another enhancement to C-RAF is the introduction of Blue Team requirements for Intelligence-led Cyber Attack Simulation Testing (iCAST), to measure the effectiveness of the detection, response and recovery functions of authorised institutions. LEE explained that authorised institutions would be allowed the flexibility to leverage the results of similar cyber resilience assessments performed by their international banking groups or headquarters.
The Cyber Intelligence Sharing Platform (CISP), the scheme's other pillar, is designed to establish a secure platform for sharing cyber threat intelligence among banks, enhancing collaboration and improving the industry's resilience to cyberattacks. CISP will allow banks to use this intelligence to strengthen their cyber resilience and take timely action against attacks. LEE explained that the HKMA would take a leading role in supporting the development of a Target Operating Model, which improves the user-friendliness of CISP by setting out the governance, roles and responsibilities of its users. There are also plans to expand CISP membership to on-board members of the Deposit-taking Companies (DTC) Association and other financial sectors.
